Emulate salto NFC card

Hello guys,

I recently got my Flipper Zero and wanted to test it out with a Salto NFC access card. It reads all 32 keys in 16 sectors as Mifare Classic 1K NFC-A. When I emulate it, they access reader just blinks red and doesn’t open the door. Whats the reason for that? Any tips to make it work?

I have the same issue

To start bit would help to be able to WRITE to a blank card, and we can’t do this yet but there are many reasons like the reader checking if the card is original or emulated … Or some bug on flipper not reading the card correctly…

Can you explain that a bit more? How can the reader check that? Just curious :slight_smile:

I guess that it depend on the maker of the reader and how far they want to go to detect fake/cloned/emulated cards ?

Yeah, but I was wondering how a reader can determine if a card is emulated or not

i would guess it might try and write a card, then check if it was written? (i know that this is used to detect duplicated cards, which are often still writable, and flippers card emulation does not allow writes). It could be that the reader tries to write the card and expects it to be writable? idk tho, i don’t even know if you can
write mifare classic.
Potentially, the card is misidentified by flipper? Idk how likely that is, or if its even possible?
If you have an android phone you can use an app called nfc tools to get more info about the card.

All the information in this post is just my guess, i have no idea if any of it is actually relevant or not.

No … Writting a card would determine if the card is a copy or original ! This is in fact used by some readers to detect copy cards/fobs. It so used that clever guys invented cards that can be written only once to prevent this. Meaning you programm your mifare classic on this special card that once is written it will became read only so that readers can’t detect it as copy. example of cards - https://lab401.com/products/undetectable-mifare-compatible-1k-one-time-write-uid - just an example.

The way you detect emulation is simple as well. On normal RFID/NFC card use the reader send power, the card gets power as it doesn’t have battery and reply back with serial or data or whatever. On emulation for example with flipper the flipper send data with its power and it’s allways sending. On normal card if reader stop sending power the card can’t produce more data as is powered by the reader. So if reader issue power and attempt to read and then stop power and attempt to read and it still reads then it’s an emulation as flipper doesn’t know the reader is no longer sending power and continue to send data with it’s own power to the reader …

Hey! Some SALTO systems use something called “Data on-card”, which basically updates the keys on the keycard any time a user scans their card at a “hotspot”. The flipper would need to be able to update the virtual “card” in order to work with this system. Also, if you cloned someone’s card and used a hotspot reader before they were able to, the reader would try and update the key on the card, therefore invalidating their card.

Here is a marketing video explaining the Data On-Card concept: SALTO Virtual Network - Data on-card Access Control System - YouTube