Cloning Mifare Classic 1k 7-byte UID cards and the world of NFC magic cards for dummies

cloning-mfc-1k-7byte-uid-nfc-card.md

Cloning a 7-byte UID MFC (Mifare Classic) 1k card and more

This is a little blog about my trials of figuring out how to clone a 7-byte 1k MFC card and more I discovered. I'm not an expert, this is just what I found out. I'm writing it down because I couldn't find a single place where this info was grouped together.

A little while ago I bought a Flipper Zero because I was interested in the world of NFC/RFID tags and I wanted to figure out a way to clone my NFC card used to open the underground waste container in my neighbourhood.

Findings

• It turns out most of my NFC cards used for various services are so called MIFARE Classic (MFC) 1K cards. These appear to be the most common card used for semi-secure things. The tag used to enter my office is a MIFARE DESfire card, which as far as I know, isn't clonable unless you have the decryption keys.
  • There is also a MIFARE Classic 4K version which can store more data. I haven't encountered this one yet so nothing I can tell you about it.
• The MFC Classic cards come in two variants. A 4-byte and a 7-byte version.

Magic Cards

In order to 'clone' your NFC card you'll need something called a Magic card. It sounds fancy but it's just a (chinese) backdoored version of a regular card. There are many many version available. Normally a card as a unique ID (UID) that isn't changable. As owner of the system you could buy cards, which come with unique ids, and add them to your allowed database (system). These backdoored cards allow the UID (and block 0, which stores the UID and some other data) to be changed. Allowing you to 'clone' a card by writing the UID of your original card to it.

The versions:

• Gen1A

  • These are the most sold versions on Amazon, Aliexpress etc. Very cheap.
  • They are almost certainly 4-byte version. I haven't found a single 7-byte one.
  • Flipper Zero can write these cards/tags

• Gen2 (Also called CUID)

  • Widely available, cheap.
  • These can be written to using an Android phone and the MIFARE Classic Tool app
  • These can't be used with a Flipper Zero
  • They are also 4-byte

• Gen3 (They aren't usually called gen3 by the sellers)

  • These cards can be written to using the Flipper Zero but it requires you to use the CLI and APDU commands
    • To use the CLI connect Flipper using USB and visit lab.flipper.net
  • I was be able to find 4-byte and 7-byte versions of this card on Aliexpress. One of the sellers is the Piswords store, the other is called XCRFID Store. And that's about the only place I was be able to find them. They are about €5 a piece which is quite a lot more than the Gen1a and Gen2 versions.

Cloning the 7-byte card

So I bought a couple of the 7-byte cards and was ready to write the UID/Block0 to them using the Flipper Zero CLI. Using the APDU command I was be able to change the UID of the 7-byte card successfully. However writing block 0 wasn't a success. This proved to be enough for one card to work, but the other system didn't accept the card with a difference between the UID and the UID in block 0.

I found a couple of posts from different people having the same issue

The seller responded with little words and no help that I should use an ACR122U-A9 with the software he provided. I was already so far down this rabbit hole I might as well buy a ACR122U so I did.

• The software provided is partly in chinese
• It only works on Windows
• If your ACR122U isn't recognized when opening the software (PS/CS Mifare) it could be because you're running windows in a VM or from a remote desktop (which was my problem)
• I connected the ACR122U, followed the instructions as best as I could and it worked.
• I successfully changed the UID and Block0 of the 7-byte Gen3 Magic Card using an ACR122U

It works, partially

• The cloned tag is identical to the original however it doesn't work for the underground waste bin. The second one I cloned (my charging card for my EV) does work.
• The reader doesn't respond to the cloned tag. No error, nothing.
• I've tried locking the card/closing the backdoor, still not working
• I've tried swapping the SAK as explained by Equip. Still not working

@M11N0 A Gen4 is not a specific kind of card. It's a name given to a magic card that can pretend to be anything. Both 4 and 7 bytes. Ali has some cards if you search for ultimate card. They are around 40EU.

Funny, I just found this thread and randomly I also ordered the S50 and S70 tags from Piswords (Ali Express). I bought a bundle with the ACR122U device and a few tags. I think these tags can not be programmed with an Android mobile phone and the known apps, so I decided to buy the programming device, too. It costs 40 Euros, 5 or 6 different tags with 4 and 7 byte UID are included.

The reason why I jumped into this topic is, that I want to clone my own EV charging card (for the second BEV) and I am really curious, if this will work.

The stuff is just shipped and will take a while from China to Germany.

By the way: could someone share the link to the programming tool? 😇

@Schermbecker Cloning the 7b charging card is easy with the ACR122u and provided tags/cards. However on a rare occasion a charging station won't recognize the tag. Not sure why that is. The software can be requested from the seller.

Youycan download the tool on the pisswords site , they have a shop ..
I cloned our EV cards too, the ones that where 7 bytes , cloned them using the acr122u reader with the mifare windows tool...
The ones 4 byte, you can use the MFC tool on android ..
Although there is another mifare tool (paid versuon) , it can clone 7 bytes too, but didn't try yet

Youycan download the tool on the pisswords site , they have a shop .. I cloned our EV cards too, the ones that where 7 bytes , cloned them using the acr122u reader with the mifare windows tool... The ones 4 byte, you can use the MFC tool on android .. Although there is another mifare tool (paid versuon) , it can clone 7 bytes too, but didn't try yet

Good to know, thanks for the information!
I found the link in the shop but the archive requires a password, I will contact the seller. The bundle is shipped with a CD, but who has a CD ROM drive in 2025? 😂

Same tools you can also download from here:

https://shop.mtoolstec.com/product/7-byte-uid-s50-1k-magic-key-fob

Password: mtoolstec.com

Thank you! Now waiting for the device 😀

I believe the android version from mtools can copy gen3 too, but it's a paid version

I am fine using the ACR122U device but I wonder how much the app would cost. Have you tried it?

No, I used the windows tool , since it worked for the 7 bytes, I didn't buy it

@Schermbecker the same here . Trying it for my EV card. Just ordered the cards and let's see how far we reach. Keep me posted if you have any luck.

@Schermbecker the same here . Trying it for my EV card. Just ordered the cards and let's see how far we reach. Keep me posted if you have any luck.

Sure! What card is it in your case?

My English isn't the best, but have you tried cloning the cards with Proxmark V3 ?

@gabrielvaf Sadly no, too big of an investment

Got my stuff from China yesterday and tested the tags which were part of the bundle (together with the ACR122U device) I ordered. It is required to use the patched Tool provided by the seller.

I tried a S50 7 byte tag as second charging card. First test with a nearby charger - it worked. I will test it with other public chargers next time.

I also tried a S70 4 byte tag as backup for my gym card and tested it today. The door opened. 😀

Amazing stuff!

@Schermbecker Great, no surprise there. Keep in mind that the tag works on most chargers, but there are a few occasions where it doesn't work. The charger won't recognize the card, just like my underground waste bin problem.

@rickdoesburg do you have the same tags from Piswords? I could imagine that some readers check if the tag is a magic tag and deny service.