@equipter
Last active February 26, 2024 20:34
Explanation of Mifare Classic SAK Swapping anti-cloning defense

Mifare Classic - SAK Swapping Explained

What is SAK Swapping

Behaviour has been observed where some systems using Mifare Classic credentials will identify with one SAK (0x08/0x18) on a basic search (Wake up), but when block 0 is dumped, the SAK appears to be different (0x88).

This is because the SAK reported on a Wake up does not come from Block 0 but is instead burned into the card. The SAK in Block 0 is merely a Vanity SAK.

If the dump is loaded onto a Magic Mifare Classic that mirrors the Vanity SAK as the actual SAK on Wake up, the mirrored SAK tells the system that the credential is a duplicate and that access should be denied.

Solution

In the dump file for the Mifare Classic in question, changing 88 in the block 0 of your dump to the appropriate SAK value for your chip (08/18 for 1/4k) and re-loading the file onto your Magic Mifare Classic / restarting your emulator with the new file should resolve the problem.

The Double Cross

Some systems may also cross reference the SAK found on Wake Up against the vanity SAK to ensure they are different. This is a problem in magic chips where the Real SAK is mirrored from the Vanity SAK.

To resolve this situation you would need to purchase Gen4 "Ultimate" chips or similar that allow you to control the Real SAK while leaving the Vanity SAK in block 0.

If using an emulator, you'd need to enable the ability to control the Real SAK while leaving the Vanity SAK in block 0.

NOTE: The double cross is a rare potentiality and has not been observed in the vast majority of cases
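
The reader-side logic described in the two sections above, written out as an added example (not code from this gist or from any vendor's system). It assumes a 4-byte-UID card, where block 0 is UID (4 bytes), BCC, SAK, ATQA (2 bytes), then manufacturer data, and it assumes the system expects 0x88 as the Vanity SAK; the function names and sample block are constructed for illustration.

```python
# Added example: reader-side SAK consistency check (hypothetical names).
from dataclasses import dataclass

GENUINE_SAKS = {0x08, 0x18}  # MIFARE Classic 1K / 4K, reported on wake-up
VANITY_SAK = 0x88            # value seen in block 0 per the text (assumed policy)


@dataclass
class Block0:
    uid: bytes
    bcc: int
    sak: int
    atqa: bytes


def parse_block0(block: bytes) -> Block0:
    """Split the 16-byte manufacturer block of a 4-byte-UID card."""
    if len(block) != 16:
        raise ValueError("block 0 must be 16 bytes")
    uid, bcc = block[0:4], block[4]
    if bcc != uid[0] ^ uid[1] ^ uid[2] ^ uid[3]:
        raise ValueError("BCC does not match UID")
    return Block0(uid=uid, bcc=bcc, sak=block[5], atqa=block[6:8])


def check_credential(wakeup_sak: int, block0: bytes) -> str:
    """Return 'accept' or a rejection reason for one card presentation."""
    try:
        b0 = parse_block0(block0)
    except ValueError:
        return "reject: malformed block 0"
    if wakeup_sak not in GENUINE_SAKS:
        # A card that mirrors the vanity SAK answers the wake-up with 0x88.
        return "reject: unexpected wake-up SAK"
    if b0.sak == wakeup_sak:
        # The cross-check: on an issued card the two values differ.
        return "reject: block 0 SAK matches wake-up SAK"
    if b0.sak != VANITY_SAK:
        return "reject: unexpected vanity SAK"
    return "accept"


# Constructed sample block 0: UID 01020304, BCC 04, SAK 88, ATQA 0400, padding.
SAMPLE_BLOCK0 = bytes.fromhex("01020304" "04" "88" "0400" + "00" * 8)
```
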

Known SAK Swapping systems (WIP)

  • Schlage
  • VingCard
  • FDI Access

Contributing

Contributions are always welcome!

If you have encountered a system implementing SAK Swapping please leave a comment regarding:

  • Brand of system
  • Chipset Used
  • What behaviour you experienced / what did or did not work for you

Support

Message me on Discord at Equip or leave a comment if you need any assistance!

I also have a buymeacoffee if you feel so inclined; I greatly appreciate any donations!
