WORLD’S FIRST DECODER FOR ICLASS® SE & SEOS

The iCS Decoder is cutting-edge accessory for the iCopy-X, which can clone iCLASS SE® and iCLASS SEOS®.

Most iCLASS® SE® & SEOS® systems still have legacy card acceptance enabled in their configuration. The iCS Decoder can decode iCLASS SEOS® IP / SE cards, and then generate an new card with legacy encoding.

Please note:

• The iCS Decoder will only work for target systems that are configured to accept legacy cards. This is the default configuration.
• This technique will not work on all iCLASS SE® readers. Coverage is approximate 85%.
• The iCS Decoder is an accessory – it requires an iCopy-X.

How to use

Step by step instructions

The iCS Decoder is a simple plug-and-play device. Setup is quick and easy:

1. Plug the iCS Decoder into the iCopy-X using the provided USB-C cable.
2. The iCopy-X will recognise the accessory within 5 seconds.
   If the device is not recognised, simply unplug and replug the device.
   
3. Place the target iCLASS SE® / iCLASS SEOS card® on the iCS Decoder.
4. The target card’s CSN, Facility Code and Card Number will be displayed.
5. Disconnect the iCS Decoder.
6. The iCopy-X will prompt for an iCS blank card.
7. Place the blank card on the device to write the card.

Technical Information

Shipping & Delivery Information

Each iCopy-X iCS Decoder is dispatched from our European warehouse. You will receive a tracking number upon item dispatch. The address used on your purchase is printed as a label – please double check your address to avoid mistakes.

For all European Union destinations, all shipments are DDP – Delivered Duty Paid. This means all applicable VAT/TVA, shipping costs and customs fees are pre-paid.
You will not be charged by the courier service / post office or customs.

For all destinations outside European Union, all shipments are DDU – Delivered Duty Unpaid. This means that your country’s custom service impose a VAT/TVA/Import Duty on your shipment.

Getting to know the ultimate RFID Cloner

The ICopy-X is the next generation of RFID Cloning tool.

Whether you’re a pentester, researchers, locksmith, hobbiest or building manager, the iCopy-X makes cloning RFID tags rapid and easy.

Built around the powerful Proxmark 3, the ICopy-X is a portable device specialised in the rapid cloning of RFID badges, capable of automatically reading, cracking and writing the vast majority of Low Frequency (125KHz / 134KHz) and High Frequency (13.56MHz) RFID tags on the market.

100% portable and pocket-sized, the iCopy-X is built with simplicity in mind. No cables required, no external computers or antennas. With its built in battery, you just pull the device out of your pocket, and you’re ready to go.

Designed to be intuitive, users control the device via its screen and navigation buttons to place a badge and start the desired operation.

The iCopy-X comes in multiple models – the “X” (Basic model), “XR” (Intermediate model) and “XS” (Advanced Model).

This is the “XS” model – the most powerful available.

Capabilities

Basic functionality

Auto-Clone: The flagship feature of the iCopy-X is its powerful “Auto Clone” function: place a badge of any type, and the iCopy-X does the rest: Detecting tag frequency & type, and then reading the badge contents – even if it is encrypted or password protected.

Perfect copies of the source badge can then be written to new blank badge.

Badge Information: Users can rapidly scan a badge to determine it’s frequency, type and unique identifier (UID).

Read / Write: Additional copies can be easily made from previously read badges – the iCopy-X saves all badges for rapid retrieval. Saved badges can also be exported / imported if required.

Intermediate functionality

Sniff: The iCopy-X can perform the “Reader Attack” (MFKey32/64)- providing real-time sniffing of MIFARE Classic keys from a reader, to export or to add to the internal key list.

Emulate: Badges of all types can be emulated directly from the device. In emulation mode, the iCopy-X acts like a badge, and can be used to rapidly simulate RFID tags. This function is especially useful for pentesting engagements.

Expert functionality

Proxmark Mode: The iCopy-X is built around a full Proxmark 3 device. Expert users can plug the device into their computer / smart-phone and interact directly with the Proxmark Client.

With Proxmark Mode, the full Proxmark platform and tools that you know and use are available.

Supported Badges

The ICopy-X supports the vast majority of low frequency (125KHz / 134KHz) and high frequency (13.56MHz) badges available on the market.

Please note: The iCopy-X does not support the following badges: MIFARE DESFire, iCLASS Elite with Custom Keys / EMV (Bank / Credit Cards).

Cloning iCLASS SE / iCLASS SEOS requires the iCS Decoder accessory.

Blank Tag Packs

The ICopy-X has three different Blank Tag Pack options: Basic, Intermediate and Advanced. You can chose which option you’d like your device to come with.

When you need more blanks, Genuine iCopy-X Blank Tag Packs can be purchased here.

Please note: The device only supports ICopy-X blank badges. Generic blanks are not supported on the device.

All supported Low-Frequency tags can be cloned onto “T5577” cards.

Hands on

Unboxing the iCopy-X

The iCopy-X is safely packed in a high-quality box containing everything you need to clone badges like a pro: the iCopy-X, a Basic Blank Pack, Instruction manual, lanyard and USB-C Cable.

Technical Information

The ChameleonUltra is built on a highly capable framework, making it a powerful RFID development platform. While the ChameleonUltra has been optimised for size, the ChameleonUltra Devkit has been optimised for development.

Flashing and debug break-out points are easily accessible; the PCBA and silkscreen are arranged in logical groups for easy access and development.

The Chameleon Ultra is the ultimate RFID emulation device : Low and high-frequency emulation, full read & write capabilities, bleeding-edge cracking, wireless control : all wrapped up in a key-chain sized, fully open-sourced device.

The Chameleon Ultra is the result of exceptional engineering ingenuity : the development team discovered that little-known RFID function in a popular Bluetooth controller could be pushed to provide high-performance, multi-frequency RFID reading, writing and cracking – and emulation performance almost identical to that of a physical card.

UNDERSTAND THE CHAMELEONULTRA

The Chameleon Ultra’s primary use is for RFID Emulation. Instead of needing physical cards, you can emulate multiple different types of chips and different frequencies with one device.

The Chameleon Ultra also has several other powerful features : cracking, reading, writing.

When working with RFID tags, there are typically five required functions:

1. Identification – identifying the badge : frequency, modulation, chipset, protocol, etc. Most tags can be easily identified. However, some tags need to be manually identified, requiring specialty hardware such as the Proxmark.
2. Cracking – many common chipsets (MIFARE Classic®, etc) require keys to read or write the contents of the badge. If the keys are unknown, they need to be cracked. The ChameleonUltra cracking capabilities equal to Proxmark.
3. Reading – Reading the data from a badge.
4. Emulation – Emulation allows for simulating a badge digitally. Instead of needing multiple physical cards, they can be replaced with an emulator. Further, emulated data and chipsets can be customised completely – something impossible with physical cards.
5. Writing – Writing data to an existing badge, or cloning data to a new badge.

The below table shows the coverage that the ChameleonUltra provides in each of these categories, and how it compares to other tools.

For users that don’t require advanced identification or rapid cloning, the ChameleonUltra could be the perfect match for your needs.

CHAMELEONULTRA COMMUNITY AND ECOSYSTEM

The Chameleon Ultra is fully open-source : all firmware, hardware, software and resources are available on the Chameleon Ultra Github page.

The frequent contributions from RFID superstars such as iceman and doegox ensure that the Chameleon Ultra is a well-supported, high-performance device.

CHAMELEONULTRA PRODUCT PRESENTATION

CHAMELEONULTRA UNBOXING

CHAMELEON ULTRA CHIPSET DATASHEETS

DEVICE COMPARISON

Summary of functionality across similar devices.

Device	Chameleon Ultra	Flipper Zero	Keysy	Proxmark
High-Frequency
ISO14443A Emulation
Full MIFARE® Emulation
ISO14443A Reading

Low-Frequency
LF Emulation
LF Reading

Cracking
Darkside
Nested
StaticNested
HardNested
Relay attack

HIGH FREQUENCY CRACKING SUPPORT

Current support levels (hardware / firmware / application) support for High-Frequency Chipsets. Sniffing is not supported.

Attack	Chipset	Hardware Support	Firmware Support	Application Support
MFKEY32 V2	MIFARE Classic®
Darkside	MIFARE Classic®
Nested	MIFARE Classic®
StaticNested	MIFARE Classic®
HardNested	MIFARE Classic®
Relay attack	ISO14443A

HIGH FREQUENCY READING SUPPORT

Current support levels (hardware / firmware / application) support for High-Frequency Chipsets. Only ISO14443A chipsets are supported,

Chipset	Encoding	Hardware Support	Software Support	Application Support
NTAG® 21x (210-218)	ISO14443A/106 kbit/s
Mifare® Ultralight	ISO14443A/106 kbit/s
Mifare® Ultralight Ev1	ISO14443A/106 kbit/s
Mifare® Ultralight C	ISO14443A/106 kbit/s
Mifare® Classic 1K/2K/4K : 4b/7b	ISO14443A/106 kbit/s
Mifare® DESFire®	ISO14443A High Rate	Low bitrate only	Low bitrate only
Mifare® DESFire® EV1	ISO14443A High rate	Low bitrate only	Low bitrate only
Mifare DESFire EV2	ISO14443A High rate	Low bitrate only	Low bitrate only
Mifare® PLUS	ISO14443A High rate	Low bitrate only	Low bitrate only

LOW FREQUENCY SUPPORT

Current support levels (hardware / firmware / application) support for LowFrequency Chipsets. Only ASK/PSK/FSK modulation is supported.

Card Type	Chipset	Hardware Support	Firmware Support	Application Support
EM410x	ASK
T5577	ASK
HID Prox	FSK
Indala	PSK
FDX-B	ASK
Paradox	FSK
Keri	PSK
AWD	FSK
ioProx	FSK
securakey	ASK
gallagher	ASK
PAC/Stanley	ASK
Presco	ASK
Visa2000	ASK
Viking	ASK
Noralsy	ASK
NexWatch	PSK
Jablotron	ASK

Super Sniffer Card 4k 7 Byte

Product Introduction

The Super Sniffer card is a kind of card similar to the ChameleonMini that reads the random number in the process of M1 card interaction twice or more. After grabbing, the random number is read out by other software, supplemented by the UID of the card and the MFKey32 algorithm, and the key of the detected card can be recovered. The Super Sniffer card has some storage space inside, which can store up to 7 random numbers of reading head interactions and can modify the card number at any time. The detection card supports 1K & 4K, 4 byte & 7 byte type of M1 card key capture, in the capture key only set a card number, and then put the card on the reading head brush 2~3 times through the other software

Specifications

Protocol: ISO14443-A/B 13.56MHz
Package: White card
UID Byte length: 4 or 7 Byte
Card capacity: 1K &  4k

Once you place the super sniffer card to the RFID reader, the card would copy the sector keys to the card with the UID identified.

Instructions for use

Set desired UID to Super Sniffer Card via Android App or Proxmark3.

Go to the RFID reader and tap the card.

The reader will respond to the card and walk away.

Instructions for using the PM3

Modify the Super Sniffer card UID

Modify the card UID command is:

hf 14a raw -sc -t 1000 cf00000000cd00<UID>

For example, to modify the UID  to ‘04825461’, you should enter a command on the command line:

hf 14a raw-sc-t 1000 cf00000000cd0004825461

Return 90 00 [FD 07] is modified successfully.

Swipe the Super Sniffer card at the header or simulate a “swipe card” with PM3

[If you have a reader, return the detection card 2 to 3 times and continue on PM3.]

The PM3 is used to test the card. The command is hf mf rdbl, reads one or more blocks twice continuously, and requires reads with the same password.The read fails, which is normal. After the read is completed, you can use the detection card read command to calculate the password.

For example:
analog read B584125A3011 read with password zone 00 block:

hf mf rdbl -blk 0 -k B584125A3011

Read the Super Sniffer card and calculate the password

When the detection card has been (simulated) after the credit card. Using the hf mf super command, you can automatically read the sniffing password data from the detection card (PM3 can only read the last key, to read multiple please use the phone APP). Note that before reading the password, make sure that your detection card type (1K & 4K) is in the block area that you read.

For example: Read the key,

hf mf super

Description of mobile phone use

Open the APP, enter the welcome interface, and touch “NEXT” to start using the detection card.

After clicking NEXT, enter the selection interface, and you can choose

☞ to read the key from the detection card: namely, read out the key in the detection card through the phone and display.
☞ starts a new sniffing process for an M1 card: sniffing a previously unsniffing card needs to set the number of the detection card to be the same as the card to be detected, and automatically guide you to swipe your card to sniff and read the key.

UID Reset

The detection card is specially designed, the data does not need to be cleared (erased, formatted, deleted), just modify the card number can start sniffing at any time, the new data will automatically cover the old data

Note:

• There are no versions of the software available for Apple series devices.
• Not all mobile phones support brush detection card reading key, it is recommended to use NXP series NFC chip (such as: PN80T, SN100T) mobile phones.If you do not respond to the detection card on the phone, please change the angle and brush a few times, or reopen the NFC.
• Some phones will leave a [A0A1A2A3A4A5] password in the detection card because the NFC HAL layer of these phones will automatically detect whether the card is a certain type of bus card, and try to read the balance of the card.
• Super Sniffer card stores multiple groups (up to 3 groups) of keys simultaneously. Therefore, an incomplete swipe card will not destroy the previously stored key data, so the card can be assured to swipe on the reader, without worrying about the loss of sniffing content, as long as the sniffing will be able to save the data, as far as possible the card close to the reader and change the angle, in order to improve the success rate of sniffing.

Super Sniffer Card 4k 4 Byte

Product Introduction

The Super Sniffer card is a kind of card similar to the ChameleonMini that reads the random number in the process of M1 card interaction twice or more. After grabbing, the random number is read out by other software, supplemented by the UID of the card and the MFKey32 algorithm, and the key of the detected card can be recovered. The Super Sniffer card has some storage space inside, which can store up to 7 random numbers of reading head interactions and can modify the card number at any time. The detection card supports 1K & 4K, 4 byte & 7 byte type of M1 card key capture, in the capture key only set a card number, and then put the card on the reading head brush 2~3 times through the other software

Specifications

Protocol: ISO14443-A/B 13.56MHz
Package: White card
UID Byte length: 4 or 7 Byte
Card capacity: 1K &  4k

Once you place the super sniffer card to the RFID reader, the card would copy the sector keys to the card with the UID identified.

Instructions for use

Set desired UID to Super Sniffer Card via Android App or Proxmark3.

Go to the RFID reader and tap the card.

The reader will respond to the card and walk away.

Instructions for using the PM3

Modify the Super Sniffer card UID

Modify the card UID command is:

hf 14a raw -sc -t 1000 cf00000000cd00<UID>

For example, to modify the UID  to ‘04825461’, you should enter a command on the command line:

hf 14a raw-sc-t 1000 cf00000000cd0004825461

Return 90 00 [FD 07] is modified successfully.

Swipe the Super Sniffer card at the header or simulate a “swipe card” with PM3

[If you have a reader, return the detection card 2 to 3 times and continue on PM3.]

The PM3 is used to test the card. The command is hf mf rdbl, reads one or more blocks twice continuously, and requires reads with the same password.The read fails, which is normal. After the read is completed, you can use the detection card read command to calculate the password.

For example:
analog read B584125A3011 read with password zone 00 block:

hf mf rdbl -blk 0 -k B584125A3011

Read the Super Sniffer card and calculate the password

When the detection card has been (simulated) after the credit card. Using the hf mf super command, you can automatically read the sniffing password data from the detection card (PM3 can only read the last key, to read multiple please use the phone APP). Note that before reading the password, make sure that your detection card type (1K & 4K) is in the block area that you read.

For example: Read the key,

hf mf super

Description of mobile phone use

Open the APP, enter the welcome interface, and touch “NEXT” to start using the detection card.

After clicking NEXT, enter the selection interface, and you can choose

☞ to read the key from the detection card: namely, read out the key in the detection card through the phone and display.
☞ starts a new sniffing process for an M1 card: sniffing a previously unsniffing card needs to set the number of the detection card to be the same as the card to be detected, and automatically guide you to swipe your card to sniff and read the key.

UID Reset

The detection card is specially designed, the data does not need to be cleared (erased, formatted, deleted), just modify the card number can start sniffing at any time, the new data will automatically cover the old data

Note:

• There are no versions of the software available for Apple series devices.
• Not all mobile phones support brush detection card reading key, it is recommended to use NXP series NFC chip (such as: PN80T, SN100T) mobile phones.If you do not respond to the detection card on the phone, please change the angle and brush a few times, or reopen the NFC.
• Some phones will leave a [A0A1A2A3A4A5] password in the detection card because the NFC HAL layer of these phones will automatically detect whether the card is a certain type of bus card, and try to read the balance of the card.
• Super Sniffer card stores multiple groups (up to 3 groups) of keys simultaneously. Therefore, an incomplete swipe card will not destroy the previously stored key data, so the card can be assured to swipe on the reader, without worrying about the loss of sniffing content, as long as the sniffing will be able to save the data, as far as possible the card close to the reader and change the angle, in order to improve the success rate of sniffing.

Super Sniffer Card 1k 7 Byte

Product Introduction

The Super Sniffer card is a kind of card similar to the ChameleonMini that reads the random number in the process of M1 card interaction twice or more. After grabbing, the random number is read out by other software, supplemented by the UID of the card and the MFKey32 algorithm, and the key of the detected card can be recovered. The Super Sniffer card has some storage space inside, which can store up to 7 random numbers of reading head interactions and can modify the card number at any time. The detection card supports 1K & 4K, 4 byte & 7 byte type of M1 card key capture, in the capture key only set a card number, and then put the card on the reading head brush 2~3 times through the other software

Specifications

Protocol: ISO14443-A/B 13.56MHz
Package: White card
UID Byte length: 4 or 7 Byte
Card capacity: 1K &  4k

Once you place the super sniffer card to the RFID reader, the card would copy the sector keys to the card with the UID identified.

Instructions for use

Set desired UID to Super Sniffer Card via Android App or Proxmark3.

Go to the RFID reader and tap the card.

The reader will respond to the card and walk away.

Instructions for using the PM3

Modify the Super Sniffer card UID

Modify the card UID command is:

hf 14a raw -sc -t 1000 cf00000000cd00<UID>

For example, to modify the UID  to ‘04825461’, you should enter a command on the command line:

hf 14a raw-sc-t 1000 cf00000000cd0004825461

Return 90 00 [FD 07] is modified successfully.

Swipe the Super Sniffer card at the header or simulate a “swipe card” with PM3

[If you have a reader, return the detection card 2 to 3 times and continue on PM3.]

The PM3 is used to test the card. The command is hf mf rdbl, reads one or more blocks twice continuously, and requires reads with the same password.The read fails, which is normal. After the read is completed, you can use the detection card read command to calculate the password.

For example:
analog read B584125A3011 read with password zone 00 block:

hf mf rdbl -blk 0 -k B584125A3011

Read the Super Sniffer card and calculate the password

When the detection card has been (simulated) after the credit card. Using the hf mf super command, you can automatically read the sniffing password data from the detection card (PM3 can only read the last key, to read multiple please use the phone APP). Note that before reading the password, make sure that your detection card type (1K & 4K) is in the block area that you read.

For example: Read the key,

hf mf super

Description of mobile phone use

Open the APP, enter the welcome interface, and touch “NEXT” to start using the detection card.

After clicking NEXT, enter the selection interface, and you can choose

☞ to read the key from the detection card: namely, read out the key in the detection card through the phone and display.
☞ starts a new sniffing process for an M1 card: sniffing a previously unsniffing card needs to set the number of the detection card to be the same as the card to be detected, and automatically guide you to swipe your card to sniff and read the key.

UID Reset

The detection card is specially designed, the data does not need to be cleared (erased, formatted, deleted), just modify the card number can start sniffing at any time, the new data will automatically cover the old data

Note:

• There are no versions of the software available for Apple series devices.
• Not all mobile phones support brush detection card reading key, it is recommended to use NXP series NFC chip (such as: PN80T, SN100T) mobile phones.If you do not respond to the detection card on the phone, please change the angle and brush a few times, or reopen the NFC.
• Some phones will leave a [A0A1A2A3A4A5] password in the detection card because the NFC HAL layer of these phones will automatically detect whether the card is a certain type of bus card, and try to read the balance of the card.
• Super Sniffer card stores multiple groups (up to 3 groups) of keys simultaneously. Therefore, an incomplete swipe card will not destroy the previously stored key data, so the card can be assured to swipe on the reader, without worrying about the loss of sniffing content, as long as the sniffing will be able to save the data, as far as possible the card close to the reader and change the angle, in order to improve the success rate of sniffing.

Super Sniffer Card 1k 4 Byte

Product Introduction

The Super Sniffer card is a kind of card similar to the ChameleonMini that reads the random number in the process of M1 card interaction twice or more. After grabbing, the random number is read out by other software, supplemented by the UID of the card and the MFKey32 algorithm, and the key of the detected card can be recovered. The Super Sniffer card has some storage space inside, which can store up to 7 random numbers of reading head interactions and can modify the card number at any time. The detection card supports 1K & 4K, 4 byte & 7 byte type of M1 card key capture, in the capture key only set a card number, and then put the card on the reading head brush 2~3 times through the other software

Specifications

Protocol: ISO14443-A/B 13.56MHz
Package: White card
UID Byte length: 4 or 7 Byte
Card capacity: 1K &  4k

Once you place the super sniffer card to the RFID reader, the card would copy the sector keys to the card with the UID identified.

Instructions for use

Set desired UID to Super Sniffer Card via Android App or Proxmark3.

Go to the RFID reader and tap the card.

The reader will respond to the card and walk away.

Instructions for using the PM3

Modify the Super Sniffer card UID

Modify the card UID command is:

hf 14a raw -sc -t 1000 cf00000000cd00<UID>

For example, to modify the UID  to ‘04825461’, you should enter a command on the command line:

hf 14a raw-sc-t 1000 cf00000000cd0004825461

Return 90 00 [FD 07] is modified successfully.

Swipe the Super Sniffer card at the header or simulate a “swipe card” with PM3

[If you have a reader, return the detection card 2 to 3 times and continue on PM3.]

The PM3 is used to test the card. The command is hf mf rdbl, reads one or more blocks twice continuously, and requires reads with the same password.The read fails, which is normal. After the read is completed, you can use the detection card read command to calculate the password.

For example:
analog read B584125A3011 read with password zone 00 block:

hf mf rdbl -blk 0 -k B584125A3011

Read the Super Sniffer card and calculate the password

When the detection card has been (simulated) after the credit card. Using the hf mf super command, you can automatically read the sniffing password data from the detection card (PM3 can only read the last key, to read multiple please use the phone APP). Note that before reading the password, make sure that your detection card type (1K & 4K) is in the block area that you read.

For example: Read the key,

hf mf super

Description of mobile phone use

Open the APP, enter the welcome interface, and touch “NEXT” to start using the detection card.

After clicking NEXT, enter the selection interface, and you can choose

☞ to read the key from the detection card: namely, read out the key in the detection card through the phone and display.
☞ starts a new sniffing process for an M1 card: sniffing a previously unsniffing card needs to set the number of the detection card to be the same as the card to be detected, and automatically guide you to swipe your card to sniff and read the key.

UID Reset

The detection card is specially designed, the data does not need to be cleared (erased, formatted, deleted), just modify the card number can start sniffing at any time, the new data will automatically cover the old data

Note:

• There are no versions of the software available for Apple series devices.
• Not all mobile phones support brush detection card reading key, it is recommended to use NXP series NFC chip (such as: PN80T, SN100T) mobile phones.If you do not respond to the detection card on the phone, please change the angle and brush a few times, or reopen the NFC.
• Some phones will leave a [A0A1A2A3A4A5] password in the detection card because the NFC HAL layer of these phones will automatically detect whether the card is a certain type of bus card, and try to read the balance of the card.
• Super Sniffer card stores multiple groups (up to 3 groups) of keys simultaneously. Therefore, an incomplete swipe card will not destroy the previously stored key data, so the card can be assured to swipe on the reader, without worrying about the loss of sniffing content, as long as the sniffing will be able to save the data, as far as possible the card close to the reader and change the angle, in order to improve the success rate of sniffing.

Product Introduction

This card supports multiple functions. The ATQA/SAK/ATS/byte length/card number (UID)/M1 area size of any card can be modified at will without any restrictions. It can read and write any block like UID card without password. At the same time, it can also be transformed into an Ultralight card, and it also supports rolling code recovery card mode, and it supports rolling code recovery after key modification. At the same time, it is also a 14B card with a card number that can be modified at will. The card backdoor command supports setting a password. If the password is incorrect, the card configuration cannot be modified. It supports Recovery mode. If the card encounters abnormal interference, it will enter the recovery mode, which can be reconfigured, which greatly reduces the chance of your card being damaged.

Specifications

Protocol: ISO14443-A/B 13.56MHz
Package: white card
Byte length: 4 or 7 or 10 bytes
Card capacity: up to 4K bytes
ATS: Can be modified, or not used

Instructions for use

This card uses private commands to modify internal data. The data supported for modification are:

• ATQA modification

The user can customize ATQA with a length of two bytes, which is the opposite of the result read by Pm3. It should be noted that if the card byte length> 4 bytes, then it must be 004X (Pm3 order)

• SAK modification

Users can customize SAK, one byte

hf 14a raw -s -c -t 1000 cf0000000035<ATQA><SAK>

*ATQA may be reversed on Pm3

Example: hf 14a raw -s -c -t 1000 cf0000000035440028

Modify ATQA=00 44 SAK=28 (note that ATQA on Pm3 is reversed)

• ATS modification

The user can customize the ATS of any length, or not open the ATS. It should be noted that when SAK=20,28, ATS must be turned on, otherwise the card will not be recognized!

Set up ATS:

hf 14a raw -s -c -t 1000 cf0000000034<length><ATS>

*The length is set to 0, which means that ATS is not sent

*When SAK is 20 or 28, ATS must be set, otherwise the card cannot be read

*The last two digits of ATS are CRC and cannot be counted as length

Example: hf 14a raw -s -c -t 1000 cf000000003406067577810280

Modify ATS to 0606757781028002F0

• Byte length modification

Users can switch between 4, 7, and 10 byte lengths at will

hf 14a raw -s -c -t 1000 cf0000000068<Param>

Param=00: 4 bytes 01: 7 bytes 02: 10 bytes

Example: hf 14a raw -s -c -t 1000 cf000000006801

Modify the card number length to 7 bytes

• 14443A/B-UID modification

Modifying block 0 in area 0 means modifying the UID of the card. It should be noted that this area cannot be read and written by password, and must be written through backdoor instructions! See below for details: Read and write any block

• Ultralight protocol switch

Turning on this switch allows to read and write each block without a password. In this mode, if SAK=00 ATQA=0044 (Pm3 sequence), it can become an Ultralight card
Set Ultralight mode

hf 14a raw -s -c -t 1000 cf0000000069<00>

01: UL agreement opened

00: UL agreement closed

• Rolling code restore switch

This mode is divided into four states: off (pre-write), on (on restore), don’t care, and high-speed read and write. If you don’t need it, please set it to “don’t care” to avoid affecting performance. If you use it, please enter the pre-write mode first. At this time, write the full card data. After writing, set it to on. At this time, after writing the data, the first time you read the data just written, the next time you read It is the pre-written data. All modes support this operation. It should be noted that using any block to read and write in this mode may give wrong results.

If it is an Ultralight card, in order to improve the response speed, please set it to “High Speed Reading and Writing”.

hf 14a raw -s -c -t 1000 cf0000000032<parameter>

—- ———————————————

|Parameter|           Description                                        |

—- ———————————————

| 00 | Closed, shadow data can be written at this time    |

| 01 | Open, start restore                                             |

| 02 | Turn it off completely, as a normal card               |

| 03 | High-speed read and write mode                       |

—- ———————————————

• Any block read and write

Using the backdoor command can read and write any area without password, similar to UID card, it should be noted that this command must be used to modify UID.

Backdoor card reading:

hf 14a raw -s -c -t 1000 cf00000000CE<block number>

Backdoor write card:

hf 14a raw -s -c -t 1000 cf00000000CD<block number><single block data>

• Fast card issue

This operation can directly write all the configurations into the card (except the card number) with one instruction. It is valid in Recovery mode or when the card is issued by the machine.

<Refer to the attached code for this mode>

It is recommended that you use this mode.

• Backdoor password setting

All backdoor operations are protected by passwords. If the password is incorrect, the card will not reply to any information. The user can set the backdoor password to avoid possible card tracking. It should be noted that once the password is forgotten, the card will be scrapped and can only be returned to production again.

Modify the backdoor password

hf 14a raw -s -c -t 1000 cf00000000feaabbccdd

Modify the original password 00000000 to aabbccdd

 Attention

Description of Recovery Mode

The card number becomes: 01023304 and it enters Recovery mode. In this mode, you can only pass

Quick issue

To repair the card.

• Code

1. private string generateSendChangableData()

{

string bkdat = “CF00000000″+(cmb_fuse.Checked?”F1″:”F0”);

bkdat += chk_ul_en.Checked ? “01” : “00”;

if (rb_10b.Checked)

bkdat += “02”;

else if (rb_7b.Checked)

bkdat += “01”;

else

bkdat += “00”;

bkdat += txt_bk_pwd.Text;

this.Invoke(new Action(() =>

{

bkdat += “0” + cmb_shadow.SelectedIndex;

}));

this.Invoke(new Action(() =>

{

if (cmb_ats_len.Text == “No ATS”)

bkdat += “00”;

else

bkdat += cmb_ats_len.Text;

}));

bkdat += txt_ats_dat.Text;

bkdat += txt_atqa.Text.Substring(2, 2);

bkdat += txt_atqa.Text.Substring(0, 2);

bkdat += txt_sak.Text;

this.Invoke(new Action(() =>

{

bkdat += “0” + cmb_ul_mode.SelectedIndex;

}));

return bkdat;

}

Demo Program

1. FuseTool fast card issuance routine
2. Pm-Proxmark3 Python Write Sample Code

Card variant can change from:

• • UID Length
  • Card Type
  • SAK
  • ATQA
  • ATS
  • Shadow mode – Gen3 GTU (Card data will revert back to known data)
  • Bk Password – Custom Backdoor

Known Preset Change Available:

1. 1. MIFARE Mini
   2. MIFARE 1k S50 4 byte UID
   3. MIFARE 1k S50 7 byte UID
   4. MIFARE 1k S50 10 byte UID
   5. MIFARE 4k S70 4 byte UID
   6. MIFARE 4k S70 7 byte UID
   7. MIFARE 4k S70 10 byte UID
   8. Ultralight
   9. Ultralight-C
   10. Ultralight Ev1
   11. NTAG

• Software: Fuse Tool