iCopy-X / iCopy-XS — Card stock and the blank-card families: T5577, MIFARE Magic Gen1a / Gen2 / Gen3, iCLASS / SEOS blanks, FUID, and the Lab401 'Genuine' vs AliExpress question

1. What this volume covers

The iCopy-X reads a source card and writes the decoded identity to a blank. Every operating mode in Vol 7 and Vol 8 — Auto Clone, Write LF, Write HF, Emulate, Sniff-then-write — ends in the same place: the operator presses a card against the antenna and the device commits decoded data into the blank’s writable memory. Which blank is the right blank for a given source card is a question this series has deferred until now. This volume is the answer.

The question is harder than it looks. A “MIFARE Classic 1K blank” sounds like a single thing — but the term covers at least four mutually-incompatible product families (Magic Gen1a, Magic Gen2, Magic Gen3, Fudan FUID), each with its own write mechanism for block 0, each detectable in different ways by hardened readers, each priced differently, each with different batch-to-batch reliability depending on supplier. A “T5577” is a single Microchip part number and is genuinely uniform across suppliers — but the configuration word that turns a generic T5577 into an EM4100 clone is different from the one that turns it into an HID Prox clone, and the iCopy-X writes that config word transparently in Auto Clone but exposes it in Expert Mode for the cases where the default does not produce a reader-compatible output. An “iCLASS Legacy blank” is a small ecosystem of cards whose origins and supply chains shift over time, and the SE / SEOS-compatible stock available through Lab401 is a different population again with its own constraints on where and how it can be used.

This volume groups blanks by what they emulate — LF families first, then the MIFARE Magic ecosystem (the workhorse for MIFARE Classic cloning, and the longest section of this volume), then iCLASS / SEOS blanks, then the niche HF stock for ISO 15693 / NTAG / FeliCa / Legic. The Lab401 versus AliExpress question gets its own extended subsection because the cost difference matters operationally and the answer is not the same for every operator. The volume closes with a card-format-to-blank decision tree and a pre-flight pack-list for an engagement.

The series cross-references for this volume are dense: Vol 4 §4 for the T5577 config-word mechanics, Vol 5 for the MIFARE Classic key-recovery context that determines whether a Magic blank is even worth writing, Vol 6 for iCLASS Legacy / Elite / SE / SEOS technology and the iCS Decoder Tool that some SE / SEOS clones require, Vol 7 for Auto Clone’s blank-type detection behaviour. Read this volume after those; the blank choice is the last decision in the chain, not the first.

2. The LF blank ecosystem — and why T5577 dominates

The low-frequency (125 kHz) access-control world is technologically diverse — EM4100, HID Prox 26-bit, HID Prox 35-bit Corporate 1000, Indala 26-bit, Indala 27/28/29-bit variants, AWID 26-bit, AWID 34/50-bit, ioProx, FDX-B animal-ID, Viking, HITAG 1, HITAG 2, HITAG S, and a long tail of regional and OEM-specific formats. The blank-card ecosystem is, however, dominated by a single part: the Atmel / Microchip T5577. The other LF blanks exist but matter only at the edges.

2.1 T5577 — the universal LF blank

The T5577 (originally Atmel, now Microchip after the 2016 acquisition) is a 125 kHz transponder IC with 363 bits of EEPROM memory arranged as 7 pages of 32-bit blocks plus an additional configuration block. Block 0 of page 0 holds the configuration word that determines the on-air behaviour of the card — the data encoding (Manchester, Biphase, ASK, FSK, PSK), the bit rate, the number of data blocks transmitted, and whether the card uses sequence-terminator framing or fixed-length framing. By writing different configuration words and different data block contents, a single T5577 part can be programmed to behave on the air as an EM4100, an HID Prox 26-bit, an HID Prox 35-bit Corporate 1000 (firmware-dependent — see below), an Indala 26-bit, an AWID 26-bit, an ioProx, a Viking, an FDX-B, and most of the other LF formats listed in Vol 4 §2’s master table. The mechanics of the configuration word are covered in Vol 4 §4.2; the operational point for blank-card selection is that the same physical T5577 card SKU works for almost every LF source card the operator will encounter in the field.

Pricing in mid-2026 is approximately $0.50 per card wholesale (1000-card reels direct from Asian suppliers), $1 to $2 per card retail in 100-pack quantities through Lab401 or Hak5 or AliExpress, and $3 to $5 per card in single-card or 10-pack premium-channel sales. A practitioner doing routine pentest work goes through 10 to 50 T5577 cards per active month and is well-served by a 100-pack from a reputable supplier; the cost is trivial against the engagement value.

The T5577 has several physical form factors. The most common is the standard ISO 7810 ID-1 card (the credit-card-shaped 86 × 54 mm format), which is what virtually every physical access-control system reads. Less common but useful: T5577 keyfobs (small plastic keychain blanks), T5577 wristbands (silicone bands for amusement parks and gym use), and T5577 sticker tags (adhesive tags for affixing to objects). The iCopy-X writes any of these the same way; the operator’s choice of form factor is dictated by what the target environment uses, not by any limitation of the writer. For pentest engagements, plain ID-1 cards in white blank stock are the safe default — they accept printer overlays for visual matching to a target environment’s badge style.

T5577 limitations worth flagging up front. First, certain 35-bit and 50-bit HID Prox / AWID formats use bit-packing that the T5577 can technically emulate but that not every iCopy-X firmware revision handles in Auto Clone correctly — the 35-bit Corporate 1000 in particular sometimes requires manual configuration via Expert / Proxmark Mode (Vol 8) if Auto Clone produces a card the target reader rejects. Second, the T5577’s RF response is slightly different from a genuine EM4100 at the analog level — the modulation depth and the timing precision differ measurably, and a small number of high-end readers can distinguish the two on the air. In practice this matters approximately never for typical commercial-grade EM4100 readers but matters consistently for some military and high-security installations, where the operator’s options shrink to either sourcing genuine EM4100 stock (rare, hard to find) or using an EM4205 / EM4305 blank as the closer-fidelity alternative (next subsection).

Third — and this surfaces as a frustration for first-time users — a T5577 can be left in a “locked” state by a botched write that flips the OTP lock bit. The lock bit is not actually one-time programmable on the T5577 in the way the datasheet implies; there are reset sequences that recover most stuck cards. But “most” is not “all,” and 1 to 3 percent of cards in a typical 100-pack will end up bricked after enough write cycles. Plan blank-card budgets accordingly — pack 50 percent more than expected use for an engagement.

2.2 EM4205 / EM4305 — closer-fidelity LF programmable

The EM4205 and EM4305 are EM Microelectronic (Switzerland) parts that are the writable cousins of the read-only EM4100 / EM4200 (Vol 4 §3.3). They are closer in their on-air behaviour to a genuine EM4100 than the T5577 is — the modulation, timing, and protocol-stack response match the EM4100 family at a fidelity that defeats most distinguishability checks. For pentest work against installations with EM-specific high-fidelity readers, EM4205 / EM4305 are the right choice over T5577.

The trade-off is universality. The EM4205 / EM4305 can be programmed to emulate the EM4100 family well but is not a universal LF blank — it cannot do HID Prox or Indala or AWID. So in a kit where the operator is carrying multiple blank types, the EM4205 / EM4305 stock is the LF-specialist blank for EM-targeted engagements, while T5577 remains the catch-all.

Pricing for EM4205 / EM4305 is roughly comparable to T5577 — $1 to $3 per card retail, somewhat less common in supplier catalogs and therefore slightly higher in minimum-order quantities. Most operators carry a 10 to 20 card EM4305 reserve for the rare high-fidelity-EM engagement, alongside their main T5577 stock.

2.3 HITAG 2 / HITAG S blanks

HITAG 2 (Vol 4 §9.2) is the LF immobilizer chip from NXP (originally Philips) used in automotive key-fob systems and a smaller portion of access-control deployments. It has cryptographic challenge-response authentication that the T5577 cannot emulate — to clone a HITAG 2 card the operator needs a genuine HITAG 2 blank with writable memory and the recovered cryptographic key from the source card.

HITAG 2 writable blanks exist but are a specialty item. Lab401 stocks them; AliExpress carries them at varying quality. Pricing is $3 to $8 per card retail. HITAG S blanks are similar but rarer. For an engagement that involves HITAG cloning, pack 5 to 10 blanks; for engagements where HITAG is not in scope, none are needed. The HITAG ecosystem is small enough that most operators decide per-engagement rather than carrying standing stock.

2.4 Indala, AWID, ioProx specialty blanks — and why they barely exist

In principle, Indala-specific, AWID-specific, and ioProx-specific writable blanks exist. In practice, T5577 covers all three of these formats well enough that almost no one stocks the format-specific blanks. The supply is intermittent, the pricing is irregular, and the fidelity advantage over T5577 in these formats is small. The operational answer for Indala, AWID, and ioProx source cards is: write to T5577 and verify the target reader accepts it; in the rare case the reader rejects, escalate to manual configuration via Expert Mode rather than seeking specialty stock.

3. The MIFARE Magic ecosystem — the workhorse for MIFARE Classic cloning

MIFARE Classic (Vol 5) is the most-encountered HF technology in commercial physical access control, and a clone of a MIFARE Classic 1K or 4K is the second-most-common single deliverable from a physical pentest engagement (after HID Prox cloning). Cloning MIFARE Classic requires a writable block 0 — the manufacturer block that contains the card’s UID, BCC byte, manufacturer data, and historic-bytes field. A genuine factory MIFARE Classic card has block 0 locked read-only at manufacture; cloning requires either a card whose factory locked block 0 mechanism has been bypassed (the various “Magic” variants below) or a card whose UID happens to match the source by lucky coincidence (irrelevant for practical operations).

The Magic ecosystem grew up from 2010 onward as Chinese semiconductor suppliers built MIFARE Classic clones with backdoor write mechanisms for block 0. The variants are named, somewhat informally, by the mechanism their block-0 write uses — and the mechanisms are also what hardened readers use to detect Magic cards. The detection question matters: an installation that has hardened its readers against Magic Gen1a but not against Magic Gen3 will reject a Gen1a clone outright while accepting a Gen3 clone. Operators choose Magic variants by matching the source-installation hardening level to the variant’s detectability profile.

3.1 Magic Gen1a — the original “backdoor” variant

Gen1a (also called “UID-changeable v1” or “China Magic Card v1” in older literature) was the first generation of Magic MIFARE Classic clones. Its block-0 write mechanism is a special backdoor command sequence that the card responds to outside the normal MIFARE protocol: a 0x40 command (the “unlock” command, sent at 7-bit mode) followed by a 0x43 command (the “wipe / select-all” command). After this sequence, sector 0 — including block 0 with the UID — becomes writable through standard sector-0 write commands. The backdoor sequence is well-documented in the Proxmark3 community and in proxmark.org wiki entries on Magic cards.

Detectability of Gen1a is straightforward: a hardened reader sends the 0x40 / 0x43 sequence to any presented MIFARE Classic and checks whether the card responds. A genuine MIFARE Classic does not respond to these commands; a Gen1a card does. The detection is cheap, reliable, and has been implemented in the firmware of most enterprise-grade MIFARE readers since approximately 2018. As a result, Magic Gen1a clones present to modern hardened readers as detectably non-genuine and are rejected.

Where does Gen1a still matter? On commercial installations that have not been updated since pre-2018, on small-business installations that have never updated their reader firmware at all, and as the test-bench fallback for an operator who needs a Magic card for lab work and doesn’t care about detectability. Gen1a is also the cheapest Magic variant in the market — $0.80 to $1.50 per card retail, lower in bulk — which makes it the right choice for high-volume training-environment use where many cards are being burned through and the detectability profile is irrelevant.

The iCopy-X Auto Clone will write to Gen1a cards using the backdoor sequence transparently; the operator does not need to specify the Magic generation. If the source card is a standard MIFARE Classic 1K and the blank is a Gen1a, Auto Clone completes without the operator selecting a write mode. The same applies to Gen2 and Gen3, with the device’s blank-detection logic choosing the correct write mechanism based on the blank’s response to a presence-and-capability probe.

3.2 Magic Gen2 — “CUID” / “direct write” with no backdoor

Gen2 (also called “CUID,” “UID-changeable v2,” or “Magic Card Direct Write” in supplier catalogs) addresses the Gen1a detectability problem by removing the backdoor sequence entirely. Block 0 is writable via standard MIFARE sector-0 write commands authenticated with the standard MIFARE Classic key A and key B — there is no special unlock sequence, the card simply accepts a write that a genuine MIFARE Classic would reject. From the reader’s perspective, a Gen2 card responds to all standard MIFARE Classic protocol exchanges identically to a genuine card; the distinguishing behaviour is only visible if the reader writes to block 0 (which most readers never do in normal operation).

Detection of Gen2 is harder but not impossible. Hardened readers can perform several checks:

• Signature inconsistencies: a genuine MIFARE Classic has a manufacturer’s signature field whose bytes follow specific patterns that some Gen2 batches do not reproduce correctly.
• Static encrypted nonce: certain Gen2 batches share the “static encrypted nonces” weakness — the card’s nonce-generation algorithm always produces the same nonces for the same authentication, which is detectable by a reader that performs back-to-back authentications and looks for nonce reuse.
• Backdoor probe: a hardened reader can send the Gen1a backdoor sequence (which Gen2 cards do not respond to, just like genuine cards), and then send a sector-0 write probe (which a Gen2 card may accept and a genuine card will reject — though this requires the reader to know the keys, which it typically does for an authorized environment).

In practice, Gen2 detection is implemented in some military and high-security installations and in a small number of enterprise installations using upgraded reader firmware released since approximately 2022. For commercial-grade and small-business installations, Gen2 reads as a genuine MIFARE Classic and is not detected. Pricing is $1 to $2 per card retail.

Gen2 is the most common Magic variant in the market as of 2026 and is the default that most blank-card suppliers ship when the customer orders “MIFARE Classic 1K Magic blanks.” Operators using Lab401’s “Genuine” packs will receive Gen2 stock unless they specifically request Gen3.

3.3 Magic Gen3 — premium-stealth direct write

Gen3 (also called “UID-changeable v3,” “Magic Card Gen3,” or “GTU” in supplier catalogs) is the current premium-stealth variant. Block 0 is writable through standard sector-0 writes, the same as Gen2, but the underlying chip is closer in its analog and protocol-stack behaviour to a genuine NXP MIFARE Classic than Gen2 is. Specifically, Gen3 batches reliably reproduce the manufacturer-signature byte patterns that Gen2 batches sometimes miss, and Gen3 nonce-generation does not exhibit the static-encrypted-nonce weakness. Some Gen3 stock additionally implements lock-bit handling that allows the operator to write block 0 once and then lock it, making the resulting card indistinguishable from a genuine MIFARE Classic from that point forward (the operator gives up the ability to re-clone, in exchange for higher detection-resistance).

Detection of Gen3 in the field is rare. Sophisticated installations with specialized detection equipment (laboratory-grade analyzers, not deployment-grade readers) can identify Gen3 through silicon-level analysis or through nonce-pattern analysis over many authentications. Standard hardened readers in 2026 do not reliably detect Gen3. For pentest work where stealth matters — engagements where the client is specifically testing detection capability, or red-team scenarios where the cloned card may be in possession of operators across multiple visits — Gen3 is the right choice.

Pricing is $2 to $4 per card retail. Stock availability is somewhat constrained — Gen3 is a smaller part of the supply than Gen2, and AliExpress listings claiming “Gen3” sometimes ship Gen2 in the box. Lab401’s “Genuine” channel is the most reliable Gen3 source.

3.4 FUID — the Fudan Microelectronics family

FUID (Fudan Microelectronics) is a Chinese MIFARE Classic clone family from Fudan Microelectronics in Shanghai, a major Chinese semiconductor supplier whose product line includes a range of MIFARE-compatible cards. The FUID label spans multiple variants — some FUID products are Magic-compatible (writable block 0 via Gen2-style direct writes), some are not (block 0 locked, identical-behaviour to genuine MIFARE Classic), and some are Magic Gen1a-style. The variants are not always clearly labeled by suppliers; the same SKU number from the same supplier may ship as different FUID variants in different batches.

The “static encrypted nonces” weakness (referenced in Vol 5’s coverage of MIFARE Classic key-recovery) affects a substantial fraction of FUID stock. A FUID card with static nonces will fail darkside / nested key-recovery attacks because the recovery algorithms depend on nonce variability — and an operator who has cloned an unknown card to a static-nonce FUID will find that the clone cannot be re-cloned through the standard recovery path. This is generally not a problem for the pentest deliverable (the clone of the source card works fine in the target reader) but is a problem for an operator who later wants to extract the keys from the clone for documentation purposes.

FUID pricing varies widely depending on variant and supplier — $0.50 to $2 per card retail. The recommendation for operators sourcing FUID through non-Lab401 channels is: pre-test a sample of any batch before committing to use it in an engagement. The test is straightforward — write a known UID and verify the read-back; perform a nonce-collection over 20 authentications and verify the nonces vary. If the batch passes both tests, it is operationally equivalent to Magic Gen2 stock at a lower price point.

3.5 MIFARE Ultralight Magic blanks

The MIFARE Ultralight family (Vol 5) is the lower-cost sibling of MIFARE Classic, used for transit single-rides, event admission tickets, and disposable applications. Magic Ultralight blanks exist — the writable-UID variant of the standard Ultralight, with the same general idea as Magic Classic but applied to the Ultralight memory layout. Suppliers sell them as “UFUID,” “UMC,” or “Magic Ultralight” depending on the supplier’s nomenclature.

Pricing is $0.50 to $1.50 per card retail. Use case is limited to environments where Ultralight is the deployed technology — primarily transit and event-admission contexts, which sit on the edge of the legal envelope discussed in Vol 1 §6 and revisited in Vol 12. The operator’s pre-engagement legal review covers whether Ultralight cloning is in scope.

3.6 NTAG Magic blanks — rarer than they should be

The NTAG21x family (NTAG213, NTAG215, NTAG216) is NXP’s NFC-tag line used for NFC stickers, tap-to-pay-adjacent applications, and the consumer-NFC ecosystem broadly. NTAG factory cards have a fixed UID set at manufacture; the UID is read-only on a genuine card. Magic NTAG variants exist — cards that allow UID rewriting through Gen2-style direct writes — but they are a minority of the NTAG ecosystem.

The more common workflow for NTAG cloning is to source NTAG blanks pre-personalized with the desired UID. Several suppliers (including Lab401) offer NTAG21x stock where the operator specifies the UID at order time and the supplier programs the cards before shipment. For engagement-driven work where the source card’s UID is known in advance — which is common for NTAG, since NTAG cards are often programmed in batches with sequential UIDs — pre-personalized stock is the operational answer rather than Magic NTAG.

Magic NTAG, where used, costs $1 to $3 per card retail and is sourced through specialty suppliers. Most physical-pentest workflows do not encounter NTAG as a primary access-control technology and most operators do not carry standing NTAG stock.

4. iCLASS / SEOS blanks — the controlled supply chain

The iCLASS family (Vol 6) is the HID Global access-control line — iCLASS Legacy, iCLASS Elite, iCLASS SE, iCLASS SEOS — deployed in higher-security installations than MIFARE Classic typically reaches. The blank-card ecosystem for iCLASS is structurally different from the MIFARE Magic ecosystem in two ways. First, iCLASS blanks are not produced in the high-volume Chinese semiconductor market the way MIFARE Magic blanks are; the supply is smaller, the pricing higher, and the supplier base narrower. Second, HID Global is the original-equipment manufacturer for genuine iCLASS cards and controls distribution of “blank” iCLASS stock to its authorized resellers — which is to say, the only legitimate path to a genuinely-HID-branded blank iCLASS card is through HID’s enrollment-authorized reseller network, and those cards are not useful for unauthorized cloning by design.

What does exist in the practical supply chain are third-party iCLASS-compatible blank cards — cards manufactured by Chinese and Eastern European semiconductor suppliers that implement the iCLASS protocol stack and that allow programming through standard or community-extended write mechanisms. The terminology in the supply chain is inconsistent — “iCLASS Magic,” “iCLASS clone,” “iCLASS-compatible writable,” “PicoPass clone” — and operators learn to read past the marketing labels to the underlying capability.

4.1 iCLASS Legacy blanks

iCLASS Legacy is the original iCLASS technology with a per-batch shared key (the “standard key” or, for higher-security installations, the “Elite key”). Cloning an iCLASS Legacy card with a known key (either the standard key or a recovered Elite key — see Vol 6 for the key-recovery context) writes the card’s application area to a Legacy-compatible blank. The blank must support standard Legacy write commands and must allow application-area programming with the operator-supplied key.

Suppliers sell Legacy-compatible blanks at $3 to $8 per card retail. Stock is intermittent; Lab401 carries them with reasonable consistency, AliExpress carries them in batches whose quality varies. The same blank can be used for standard-key Legacy cloning and for recovered-Elite-key Legacy cloning — the key is the operator’s input, not a property of the blank.

Form-factor availability is narrower than MIFARE Magic — Legacy blanks are almost exclusively ID-1 cards, with occasional keyfob stock. Visual matching to a target environment’s badge style is more constrained as a result.

4.2 iCLASS Elite blanks — same hardware, different posture

For most purposes, an iCLASS Elite blank is physically identical to an iCLASS Legacy blank — the same chip family, the same write mechanisms, the same supply chain. The “Elite” designation refers to which key set the operator is using to write, not to a different physical card. An iCLASS Legacy blank programmed with a recovered Elite-key application area is operationally an “Elite clone.”

Some suppliers do market “iCLASS Elite blanks” as a distinct SKU — typically these are Legacy blanks bundled with documentation or tooling for Elite-key workflows, sold at a slight premium. The hardware is the same.

4.3 iCLASS SE blanks — supply scarcity and the iCS Decoder context

iCLASS SE is the more secure successor to iCLASS Legacy, with per-card unique keys derived from a customer-specific master key. The iCopy-X’s base firmware does not handle SE cards — the iCS Decoder Tool (Vol 6 §5, Vol 1 §5) is the add-on that adds SE / SEOS decoder capability. With the iCS Decoder attached, the iCopy-X can decode an SE card’s identity payload and write that payload to an SE-compatible blank.

The blank itself is harder to source. SE-compatible writable blanks — cards whose protocol stack implements the SE wire format and that allow application-area writes with operator-supplied keys — exist in the supply chain but are a controlled minority. Lab401 is the most reliable source, with stock available in 10-card and 25-card packs at €8 to €15 per card. AliExpress carries SE-compatible stock intermittently and at varying quality; the failure rate of AliExpress SE blanks is meaningfully higher than for Magic MIFARE Classic stock, and the consequences of a failed SE clone in a pentest setting are larger because the client engagement value is correspondingly larger.

The operational reality is that SE cloning is a less-frequent deliverable than MIFARE Classic or HID Prox cloning, and the engagements where it appears are higher-value engagements with longer planning cycles. Pre-ordering SE blanks from Lab401 for a specific engagement, with delivery timed to the engagement, is the standard workflow rather than carrying standing stock.

4.4 iCLASS SEOS blanks — and why most SEOS clones aren’t practical

iCLASS SEOS is the successor to SE, with the Secure Object Service architecture that provides per-application encrypted storage with HID-cloud-managed keys. The iCS Decoder Tool can decode SEOS application payloads under specific conditions — primarily, when the operator has the necessary application keys (which generally requires either being the facility’s credentialing authority or having obtained them through a separately-scoped key-recovery effort). In a typical pentest engagement against an SEOS-deployed installation, the operator does not have the application keys and SEOS cloning is not practical.

SEOS-compatible blanks exist for the cases where SEOS cloning is practical. The supply is even narrower than SE — Lab401 stocks them in small quantities, the pricing is €15 to €30 per card retail, and the operator’s pre-engagement planning includes verifying the iCS Decoder is in the bag and that the key material is available. AliExpress SEOS stock is essentially nonexistent — a listing labelled “iCLASS SEOS” on AliExpress almost certainly ships an iCLASS Legacy card with misleading labelling.

The operational guidance is straightforward: do not pack SEOS blanks unless the engagement scope explicitly calls for SEOS cloning AND the operator has confirmed possession of the necessary application keys. For engagements where SEOS is in the deployed-technology mix but not in the scope, the absence of SEOS blanks in the bag is the correct posture — the operator avoids being put in a position where the temptation to attempt unauthorized SEOS work is present.

4.5 HID original “blank” cards — and why they don’t help

HID Global sells unprogrammed iCLASS cards through its enrollment-authorized reseller network. These are “blank” in the sense that they have not been provisioned with application data, but they are designed to be programmed only through an HID-authorized enrollment workflow that requires the customer’s master key and HID-supplied programming tools.

An operator who somehow obtains HID-original blank stock — through a reseller relationship, through purchase from a credentialing authority, through whatever means — cannot use those blanks for unauthorized cloning. The cards do not respond to community write mechanisms; they respond only to HID’s authorized enrollment protocol. For the operator’s purposes, HID-original blanks are inert.

The relevance of mentioning HID-original blanks at all is that occasionally an operator will be offered “HID iCLASS blank cards” through some channel and assume they are getting genuine HID blank stock at a discount. They are getting either third-party iCLASS-compatible blanks (which is what the operator actually wants), or genuine HID-original blanks that cannot be used (which is a wasted purchase). The terminology to clarify before purchase is “iCLASS-compatible writable blanks suitable for community cloning workflows,” not just “iCLASS blank cards.”

5. Other HF blanks — ISO 15693, NTAG NDEF, FeliCa, Legic

The HF technologies outside the MIFARE and iCLASS families are encountered less frequently in physical-pentest work but have their own small blank-card ecosystems.

ISO 15693 (Vol 6) is the standard underlying iCODE SLI / SLIX (NXP), Tag-it (Texas Instruments), and various library and inventory tagging systems. Writable ISO 15693 blanks are available — iCODE SLI / SLIX blanks at $1 to $3 per card, ISO 15693 generic blanks at $1 to $2 per card. The protocol allows UID rewriting on some variants and not others; SLIX with privacy mode enabled requires additional configuration. For engagements where ISO 15693 is in scope (library systems, some hospital deployments, some inventory environments), 10 to 20 blanks is reasonable standing stock.

NTAG NDEF blanks are the consumer-NFC blanks — NTAG213, NTAG215, NTAG216 cards with empty user memory available for NDEF (NFC Data Exchange Format) content. The use case for the iCopy-X with NTAG NDEF blanks is occasional — most NTAG cloning targets specific UIDs rather than NDEF content, so the workflow more often uses pre-personalized NTAG stock (§3.6 above) than blank NDEF stock. Pricing for NDEF blanks is $0.30 to $1 per card.

FeliCa blanks are the Sony FeliCa-family blanks used for Japanese transit cards (Suica, Pasmo), Hong Kong Octopus, and the Singapore EZ-Link family. The iCopy-X has limited FeliCa support — the base firmware reads UIDs and some basic application data but does not handle the full FeliCa security model. FeliCa blanks are available at $3 to $8 per card retail; the use case is narrow and is dominated by engagements in Japan, Hong Kong, and Singapore. Most Western operators do not carry FeliCa stock.

Legic blanks are the Legic-family blanks (Legic Prime, Legic Advant) used predominantly in European DACH-region access-control. Legic Prime cloning is technically possible with community blanks and the iCopy-X’s Legic support, but the supply is intermittent and the deployment is regional. Pricing is €4 to €10 per card retail. Operators working primarily in DACH-region engagements stock Legic; others do not.

Topaz blanks (Innovision Topaz / Broadcom BCM20203) are an older NFC technology now largely replaced by NTAG. The iCopy-X has Topaz read support; writable Topaz blanks are essentially unavailable in 2026 in the open supply chain. Topaz cloning in 2026 is generally not practical and not a planning concern for most engagements.

6. Lab401 “Genuine” packs versus AliExpress — the operational economics

The question of where to buy blank cards has two clean answers and a messy middle. The clean answers are: Lab401 for the production-pentest practitioner, AliExpress for the lab researcher iterating on stock. The messy middle is everyone in between, who is buying for some engagements through Lab401 and for others through AliExpress and trying to understand when the difference matters.

The cost ratio is roughly 2x to 5x — Lab401’s Genuine packs cost on the order of two to five times what comparable AliExpress stock costs, with the multiple varying by card type. Magic Gen2 cards are perhaps 2x to 3x; iCLASS SE blanks are closer to 3x to 5x. Across a typical engagement-month with 30 to 50 blank cards consumed, the absolute cost difference between Lab401 and AliExpress is on the order of $100 to $300. That is meaningful to a hobbyist budget and trivial to a professional pentest practice’s engagement-value calculus.

6.1 What you get for the Lab401 premium

The premium pays for several things, each of which has a different value to different operators:

Predictable batch behaviour. Lab401 buys from a small set of validated suppliers, tests samples from each batch, and rejects batches that fail their internal QA. The result is that two Lab401 packs purchased six months apart will behave the same way under the iCopy-X — same write timing, same response to backdoor probes, same OTP / lock-bit handling. AliExpress is a mixed bag where one batch of “Magic Gen2” cards may have static nonces, the next batch may have rewritable lock bits, the third batch may not be Magic at all. For a practitioner who has trained their operational workflow against specific blank behaviours, the consistency itself is valuable.

Tested against the iCopy-X firmware. Lab401 is the EU/global distributor for the iCopy-X and (Vol 1 §3) the channel through which the device’s per-device firmware updates flow. Their blank-card stock is verified against the iCopy-X firmware in their internal QA before it ships — a Lab401 Magic Gen2 card is known to be written reliably by the current iCopy-X firmware revision. AliExpress stock has no such verification; a particular batch may interact poorly with the current iCopy-X firmware revision, producing failures the operator has to diagnose.

OTP and lock-bit reliability. Magic Gen2 and Gen3 cards have multiple block-0-write mechanisms, multiple lock-bit handling variations, and edge cases around OTP behaviour. Lab401’s stock is selected for consistent handling — write completes, verify reads back the correct data, the card is in a known state afterward. AliExpress stock has higher rates of partial-write failures, lock-bit confusion, and “bricked” intermediate states where the card is partially written and cannot complete the write but also cannot be re-attempted from scratch. The failure rate for AliExpress Magic Gen2 stock is on the order of 2 to 5 percent in typical batches; for Lab401’s verified stock it is well under 1 percent.

Return policy. Lab401 takes returns on failed stock — if a 100-card pack ships with 5 cards that fail to write, the operator can return them and get replacement stock. AliExpress generally does not — a failed card is a sunk cost, and the supplier’s response to a complaint is typically “buy more.” For a practitioner who depends on predictable inventory, the return policy is itself worth a fraction of the price difference.

Customer support relationship. Lab401 has technical support that can answer questions about specific blank behaviours, batch issues, and iCopy-X interactions. The support relationship is structural — Lab401 is the EU distributor and the support channel for the device, and that relationship extends to the blank-card stock. AliExpress support is a customer-service script that does not have engineers behind it.

6.2 When Lab401 wins, when AliExpress wins

Lab401 wins when:

• The engagement value is high enough that a single failed clone in front of a client is a serious problem. A $5,000 to $50,000 engagement cannot tolerate the operator producing a clone that doesn’t work — the client perceives unprofessionalism, the deliverable timeline slips, and the operator’s reputation is damaged. The Lab401 premium against an engagement of this size is rounding error.
• The operator’s workflow has been trained against specific blank behaviours and the consistency itself is part of the workflow’s reliability. Switching to a different supplier mid-engagement introduces variables the operator does not want.
• The blank type is high-stakes (iCLASS SE, SEOS) where alternative supply is unreliable to the point of being non-functional.
• The operator is in the EU and is subject to VAT-and-customs considerations that make Lab401’s EU-warehouse shipping operationally simpler than AliExpress’s customs-clearance variability.

AliExpress wins when:

• The work is lab-bench research where the operator is iterating on attack development, building training materials, or experimenting with blank-card behaviour. Failure rates of 5 percent in a research context are fine — the operator just grabs another card.
• The engagement is internal, no-client, or training-environment. The cost of a failed clone is the operator’s own time, not a client relationship.
• The volume is high — bulk training environments running 500 cards through demonstration workflows where the per-card cost dominates and a 5 percent failure rate is irrelevant because the cost-per-success is still very low.
• The blank type is well-supplied and the variability in AliExpress stock is small — T5577 cards in particular are nearly uniform across suppliers and there is little reason to pay the Lab401 premium for standard T5577 stock at 100-pack quantities.

6.3 The middle path — pre-testing AliExpress batches

For operators who want to source through AliExpress for cost reasons but who do client-facing engagements where reliability matters, the operational answer is pre-testing. Every AliExpress batch is sampled — 5 to 10 cards from a 100-card pack — and run through a test workflow on the iCopy-X before the batch is committed to engagement stock. The test workflow is straightforward:

1. Write-verify: write a known UID and known sector data, read back, confirm match.
2. Magic-mechanism probe: confirm the cards respond to the expected write mechanism (Gen1a backdoor, Gen2 direct write, Gen3 stealth direct write) and not to other mechanisms.
3. Nonce-variability check: for Gen2 / Gen3 / FUID stock, perform 20 sequential authentications and confirm the nonces vary (catches static-encrypted-nonce batches).
4. Lock-bit handling: write block 0, write block 0 again with different data, confirm both writes succeed (catches batches with broken multiple-write handling).
5. Read-back stability: read the card immediately after write, then again 5 minutes later, then again from a different reader, confirm the data is stable across all reads.

A batch that passes all five tests is operationally equivalent to Lab401 stock at a lower price. A batch that fails any test goes back to AliExpress (with the usual “no return” caveat — the operator’s protection is the sample size of 5 to 10 cards, not the return policy).

The pre-testing workflow costs the operator 30 to 60 minutes per batch and a small amount of card material. For practitioners running multiple engagements per month, this is amortised across the engagement value and pays for itself easily. For practitioners running a few engagements per year, the pre-testing overhead is comparable to the price difference and the simpler answer is to buy Lab401.

6.4 The cost-per-engagement math, made explicit

For an operator considering Lab401 versus AliExpress for an upcoming engagement, the math looks like:

• Lab401 cost for a typical 50-card engagement pack: €100 to €150.
• AliExpress cost for the same composition: €30 to €60.
• Difference: €70 to €90.
• Engagement value: €3,000 to €30,000 depending on scope.
• Probability of a Lab401-stock failure causing client-visible engagement disruption: well under 1 percent per engagement.
• Probability of an untested-AliExpress-stock failure causing client-visible disruption: 5 to 15 percent per engagement, depending on the card-type mix.
• Expected-value cost of failure at €5,000 engagement value: Lab401 €50 (1% × €5,000), AliExpress €250-750 (5-15% × €5,000).

The expected-value math overwhelmingly favours Lab401 for client-facing engagements. The €70-90 price-difference savings is destroyed by the first expected-value failure cost. Pre-tested AliExpress narrows the gap considerably but does not close it — and pre-testing itself costs operator time at the operator’s billable rate, which is often higher than the price difference being saved.

The conclusion most professional pentest practices reach is to use Lab401 for client-facing engagements as a category, AliExpress for lab and training as a category, and to avoid the cognitive overhead of per-engagement sourcing decisions. The cost difference is the small price of operational simplicity.

7. Card-format-to-blank decision tree

The master table for the question “I have a source card of technology X — what blank do I write to?”:

Source card	Recommended blank	Notes
EM4100	T5577	Universal default. EM4205 / EM4305 if high-fidelity-EM reader is suspected.
EM4102, EM4200	T5577	Read-only sources cloned to writable T5577.
HID Prox 26-bit (H10301)	T5577	Standard Auto Clone target.
HID Prox 35-bit (Corporate 1000)	T5577	Verify reader compatibility; if rejected, escalate to manual config via Expert Mode (Vol 8).
Indala 26-bit	T5577	Standard Auto Clone target.
Indala 27/28/29-bit variants	T5577	Auto Clone usually completes; manual config rarely needed.
AWID 26-bit	T5577	Standard Auto Clone target.
AWID 34-bit, 50-bit	T5577	Auto Clone may need manual config for the longer formats.
ioProx	T5577	Standard Auto Clone target.
Viking	T5577	Standard Auto Clone target.
FDX-B	T5577	Animal-ID format, cloning legitimate for veterinary-context work.
HITAG 2 (crypto)	HITAG 2 blank	T5577 cannot handle the challenge-response auth; HITAG 2 specialty blank required.
HITAG S	HITAG S blank	Specialty stock; verify supplier.
MIFARE Classic 1K (default keys)	Magic Gen2 (default) or Gen3 (stealth)	Gen3 preferred for stealth-sensitive engagements.
MIFARE Classic 1K (recovered keys via Vol 5)	Magic Gen2 or Gen3	Same as default-key case; key source is irrelevant to blank choice.
MIFARE Classic 4K	Magic Gen2 or Gen3 4K variant	Verify supplier ships 4K not 1K when ordered.
MIFARE Ultralight	Magic Ultralight (UFUID / UMC)	Niche; usually transit / event applications.
MIFARE Ultralight C / EV1	Magic Ultralight with appropriate variant	Verify variant matches source-card EV.
MIFARE DESFire	(not practical to clone)	DESFire’s authenticated mutual-key architecture is not field-cloneable; see Vol 5.
NTAG213 / 215 / 216	Pre-personalized NTAG (preferred) or Magic NTAG	Pre-personalized stock is more reliable than Magic NTAG.
iCLASS Legacy (standard key)	iCLASS Legacy blank	Standard supplier stock; Lab401 most reliable.
iCLASS Legacy (recovered Elite key)	iCLASS Legacy blank	Same hardware as standard-key case; operator’s key is the input.
iCLASS SE	SE-compatible blank + iCS Decoder Tool	Lab401-sourced blanks strongly preferred; SE supply is narrow.
iCLASS SEOS	SEOS-compatible blank + iCS Decoder Tool + application keys	Only practical when operator has the application keys (rare).
ISO 15693 iCODE SLI	ISO 15693 blank (iCODE-compatible)	Privacy-mode SLIX requires additional configuration.
ISO 15693 generic	Generic ISO 15693 blank	Verify writable-UID variant.
FeliCa	FeliCa blank	Regional supply; mostly Japan / HK / Singapore use.
Legic Prime	Legic Prime blank	DACH-regional supply; verify before purchase.
Topaz	(not practical to clone)	Topaz writable blank supply is essentially nonexistent in 2026.

A reading of the table: T5577 dominates the LF column, Magic Gen2 / Gen3 dominate the MIFARE Classic rows, the iCLASS rows escalate in cost and supply-narrowness, and several rows are explicitly “not practical to clone” — a reminder that the iCopy-X is not a universal cloner and some technologies have genuinely successful security models the operator should respect.

8. The blank-card pre-flight pack-list for an engagement

For a typical physical-pentest engagement against a corporate environment whose technology mix is partially known in advance, the pack-list math is:

LF stock — pack 5 to 10 T5577 cards per expected LF clone. For an engagement expecting 5 LF clones, pack 25 to 50 T5577 cards. The 5x to 10x ratio is the failure-margin (botched writes, OTP issues, occasional reader-rejection requiring re-attempt on a fresh card). For engagements with expected EM-specific high-fidelity readers, add 10 to 20 EM4305 cards.

HF MIFARE Classic stock — pack 5 to 10 Magic Gen2 or Gen3 cards per expected Classic clone. Same 5x to 10x failure-margin reasoning. For stealth-sensitive engagements pack Gen3 exclusively; for general-purpose engagements pack Gen2 with a small Gen3 reserve.

iCLASS Legacy stock — pack 2 to 5 Legacy blanks per expected iCLASS clone. Lower ratio because iCLASS blanks are more expensive and the engagement-time iteration on a failed clone is less common (the operator typically has fewer attempts in the field for iCLASS).

SE / SEOS stock — pack zero unless the engagement specifically calls for SE / SEOS clones AND the iCS Decoder is in the bag AND the operator has confirmed the key material is available. Standing SE / SEOS stock in a kit not driven by a specific engagement need is the wrong posture — the cost is high, the temptation to attempt unauthorized work is increased, and the stock is unlikely to be used.

Specialty stock as needed by scope. HITAG 2 for automotive-fleet engagements, ISO 15693 for library / hospital / inventory engagements, FeliCa for Japan / HK / Singapore engagements, Legic for DACH engagements. The pre-engagement scope review identifies which specialty stock is needed.

Extras — a 50 percent margin on expected blank count is reasonable for first-time deployment to a new client. The operator does not know the client environment yet; the first engagement against any new environment has higher iteration cost than subsequent engagements. After the first engagement, the operator has calibrated their pack ratios against the specific environment and can tune downward.

Form factor matching. White blank ID-1 cards for environments that issue printed badges; pre-printed branded-stock cards for environments where the operator has reverse-engineered the badge design through prior reconnaissance and wants the clone to visually pass casual inspection. Visual matching is a separate workflow — printing the badge surface — that is outside this volume’s scope but worth noting at pack-list time.

Transport and storage. Blank cards travel in clear plastic sleeves or in stack-style card holders, not loose in a bag where they can be physically damaged. Magnetic exposure is not a concern for RFID / NFC cards (they have no magnetic stripe to corrupt), but physical bending and surface scratches affect long-term durability. For engagements where the clone will be carried by a client representative for ongoing use after the engagement (rare but possible in some red-team scopes), the operator brings the clone to the client in a fresh plastic sleeve.

Inventory tracking. Operators running multiple engagements per month typically maintain a per-engagement inventory log — which blank-card SKUs went into which engagement, how many were consumed, what the failure rate was, which supplier the stock came from. The log feeds back into pack-list calibration and into the Lab401-versus-AliExpress decision on future stock purchases. The iCopy-X itself does not provide this log; it is operator-maintained, typically in a notebook or a per-engagement folder (Vol 12 covers engagement-folder discipline).

9. Sources and provenance

The factual content in this volume draws on the following sources, each verified during authoring:

• T5577 datasheet — Microchip / Atmel ATA5577C datasheet for the configuration word structure, memory layout, and write timing. Atmel’s original AT5577 documentation predates the Microchip acquisition and remains the canonical reference for the configuration-word bit fields.
• Proxmark3 community wiki — proxmark.org and the Magic Cards page for the Magic Gen1a backdoor sequence, the Gen2 direct-write mechanism, the Gen3 stealth-write mechanism, and the FUID variant analysis.
• Lab401 product catalog — lab401.com blank-card listings for current EU pricing, stock variants, and the “Genuine” pack composition for the iCopy-X tiers.
• iCopy-X firmware behaviour — the iCopy-X 2.0 firmware family’s blank-card detection logic, as documented in the Lab401 user manual (05-resources/) and observed in operation.
• HID Global iCLASS documentation — public-facing HID documentation on the Legacy / Elite / SE / SEOS technology stack, distinguishing genuine HID blank distribution from third-party iCLASS-compatible blank supply.
• Community FUID analysis — Proxmark3 forum threads and the Iceman fork commit history for the static-encrypted-nonce weakness in specific FUID batches.

The pricing figures in this volume are approximate mid-2026 values and are intended for operator pack-list math, not for purchase decisions — confirm current pricing through the supplier of choice at engagement-planning time. The supply-chain availability information reflects the state of the market as of authoring; the iCLASS SE / SEOS supply in particular is volatile and the operator should expect supplier consolidation or variation over multi-year planning horizons.

10. Where this fits in the series

This volume is the operational bridge between the technology volumes (Vols 4, 5, 6) and the operating-mode volumes (Vols 7, 8). The technology volumes describe what the source cards are; the operating-mode volumes describe what the iCopy-X does; this volume describes what physical artifact the operation produces. An operator who understands the source-card technology and the operating-mode workflow but who has not chosen the right blank will fail in the field even with everything else correct.

The next volume, Vol 10, covers the firmware update workflow — the per-device .ipk packaging mechanism, the upstream open-source repositories, and the operational implications of the vendor-tied update pipeline. After that, Vol 11 is the cross-tool comparison and Vol 12 is the legal envelope and the laminate cheatsheet. The blank-card content in this volume reappears in Vol 12’s cheatsheet in compressed form — a single laminate card showing the decision-tree table from §7 and the pre-flight pack-list math from §8 — which is the volume the operator typically carries in the engagement folder rather than this full volume.