xM1 “magic” 1k
The xM1 is a “Magic” Mifare 1k chip emulator with a writable sector 0. This allows you to change the 4 byte ID (serial number) of the chip and overwrite all pages in every sector, including Sector 0. Available with gen1a “backdoor” or gen2 writable versions.
More DetailsWARNING This kit definitely contains dangerous things. While our x-series chip implants have undergone several quality checks during manufacture, and have been put through a battery of tests, they have not been certified by any government regulatory agency for implantation or use inside the human body. Use of this device is strictly at your own risk.
The xM1 kit contains the xM1 chip and all the sterile procedure materials required for a professional to perform installation. The xM1 chip is made with a 13.56MHz ISO14443-A compliant “Classic 1k” emulator chip, which is encased in a biologically safe 3x13mm cylindrical bioglass tube. The bioglass cylinder is laser sealed and the finished xM1 chip is tested for function before loading into the injector assembly, and the whole injector assembly with xM1 chip inside is EO gas sterilized.
What’s so great about the xM1 ?
For many years the Mifare MF1ICS50 1k chip was used for all kinds of applications as a “secure chip” for everything from access control to stored value cards, and used for making localized payments within closed systems like public transit and laundry services. However, it uses a security mechanism called “crypto1” which is a simple, proprietary encryption mechanism that hardly has anything to do with modern cryptography. It has been broken for many years now, but the sheer number of systems out there that still use it means the Mifare S50 1k will continue to be used by legacy systems around the world for years to come. So now, you can crack the security on those cards and clone their content (including the ID “serial number”) to your xM1!
What can this chip implant do?
What this chip implant can’t do
Important Things To Know
- 13.56MHz ISO14443A Mifare “magic” 1k emulator chip
- Emulates Mifare MF1ICS50 1k legacy chips
- 4 byte ID and all of sector 0 is writable
- 10 year data retention. Rated for 100k writes per memory block.
- Encased in 3mm by 13mm bioglass with non-toxic medical epoxy
- Pre-tested and pre-loaded in sterile injection assembly
- No “anti-migration” coating means easy removal/replacement
The xM1 kit contains the following products and materials, which are designed to enable you to bring the kit to a professional installation partner for installation.
- 1 sterile injector assembly, pre-loaded with xM1 chip implant
- 2 single use ChloraPrep antiseptic wipes
- 1 sterile gauze pad for post-installation wound care
- 1 sterile expandable-fabric adhesive bandage
- 1 pair of non-sterile, non-latex procedure gloves
The following accessories also come with the xM1 kit. These accessories are “field detection” tools designed to assist you with identifying the type of readers you may encounter, but also the best location and orientation to present your xM1 chip implant to any reader to get reliable performance.
- 1 RFID Diagnostic Card
- 1 13.56MHz X Field Detector
Our X Field Detectors (XFD) will show you the best position and orientation to present your chip implant to any readers of the same frequency, while our RFID Diagnostic Card will tell you all about the frequency and duty cycles of random readers you encounter in the wild.
Difference between gen1a and gen2
The basic differences between the gen1a and gen2 have to do with how each chip type enables sector 0 to be written to. Sector 0 is where the chip ID lives, as well as some other information like manufacturer details and the MAD or Mifare Application Directory data. Normally sector 0 on Mifare 1kB chips is read-only and cannot be changed. Cloning a “real” Mifare 1kB chip to a magic Mifare chip requires copying all of the sector 0 data from the source chip to the magic chip. A gen1a magic Mifare chip allows sector 0 to be written to only after sending a special command to it. A gen2 magic mifare chip uses the normal access bits and keys A and B to control access to sector 0, just like any other memory sector in the chip. This means normal write commands can work with sector 0 on a gen2 magic mifare chip. For an in-depth explanation, please check out this post on our community forum.
pros and cons
• gen1a pros; backdoor command disables all keys and access controls on all sectors. Every sector is writable regardless of key settings. Impossible to lock a sector out.
• gen1a cons; can’t send the backdoor command with android apps, must use special programmer like a proxmark3. some readers actively detect gen1a and reject reads.
• gen2 pros; can program in the field using android MCT app for easy changing or programming while on the go. much harder to detect by readers looking for magic chips.
• gen2 cons; it is possible to get locked out of sectors if improperly programmed.
How to clone cards to the xM1
The first thing you have to do is ensure your source card or fob is a 4 byte “Classic” 1k card, not a new 7 byte “Mifare 1k” card. With the discovery of Crypto1 vulnerabilities in the “Classic” Mifare S50 1k and S70 4k chips, NXP (the company who makes Mifare chips) released a number of different updated versions of Mifare chips. These include Mifare Plus 1k and a Mifare “Classic” 1k EV1 (evolution one) chip. The memory structures of these new chips are identical to the real “Classic” 1k chips but they have 7 byte UIDs not 4 byte IDs. While new attacks on these new chip types do exist, success is limited and you will not be able to copy the complete 7 byte ID number to the xM1 since it only supports 4 byte IDs. If you have a Mifare “Classic” S50 1k card or fob you want to clone to your xM1, there are a few tools you can use.
We’ve curated a couple tools from the internet (so, right there, you might want to consider skipping this option). It requires Windows and an ACR122U reader. You can download this toolset from here. Below is a video of how to use these tools.
By far the most powerful tool is the Proxmark3 – an RFID diagnostics and security research tool that is open source, so it comes in many flavors, shapes, an sizes. It’s flexibility and ability to update the firmware to support the latest security tactics and tools means it’s a great investment for anyone wanting to experiment with RFID. While we do not offer a guide for how to use the Proxmark3 to clone Mifare cards to your xM1, there are plenty of other guides already written that detail how it’s done.