Strange MF Classic 1K card

Hello everyone!

I would appreciate if anyone can explain what is happening and if I am doing something wrong.

I have MF Classic 1K card for house entrance which I was able to fully read using “Read” + “Detect reader + Mfkey32” (obtained key A for sector 5) + “Flipper Nested”. I am able to emulate it using flipper to open door but I can’t write it to MF Zero blank card (it becomes unresponsive/unreadable but I still can wipe it).

Question 1:
Why flipper report UID EF001495 when it different in sector 0 block 0? All of UID/BCC/ATQA/SAK reported by flipper are different from dump content. If I fix BCC/ATQA/SAK manually in dump flipper start reporting different UID.

Question 2:
Is it even possible to duplicate this key (using only flipper/MCT android app/PC)? I tried to change S0B0 to EF…95 UID with correct BCC but entrance reader don’t recognize (I mean it won’t open lock) key in that case.

original.nfc (4.0 KB)
modified.nfc (4.0 KB)

I have a possible explanation for that. Some cards go halfway from specification and have UID in anticollision different from UID in S0B0. Simple magic cards do not handle this case well. Gen3 or Gen4 may work.

It might be a unwanted answer :sweat_smile: But look at proxmark3/proxygrind etc, next to the FZ it is a nice addition for LF and HF tags. Also the new proxygrind with lf and hf support make it a cool addition for the rfid toy collection.

The FZ is a prefect tool if you are mostly looking into UID cloning or LF tags, but if you want to dump/brute some other rfid implementations the pm3 might be a level-up for rfid specific applications.