"All blocks (including Block 0) can be re-written multiple times
IMPORTANT: Card will die if an invalid Block 0 is written
Use normal commands, e.g.
hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
"
OK, so I do not want to write an invalid block, nor do I understand what all of a473f601200804006263646566676869 is, if I wish to change UID, ATQA, SAK.
Anyway, I proceed carefully:
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 001 | ffffffffffff | 1 | ffffffffffff | 1 |
[+] | 002 | ffffffffffff | 1 | ffffffffffff | 1 |
I can even do an autopwn and see:
[=] ----+-------------------------------------------------+-----------------
[=] blk | data | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | C4 D9 BB 4E E8 08 04 00 62 63 64 65 66 67 68 69 | ...N....bcdefghi
It is clear that the UID is the first bytes, but ATQA and SAK are a mystery:
[+] UID: C4 D9 BB 4E
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
So changing the first four bytes could be risky as well?
...
[usb] pm3 --> hf mf rdbl -k ffffffff --blk 0
[#] Auth error
- Why can't I even read the block?
- And how do I know which of the bytes are safe to fiddle with? Is E8 a checksum?
OK, going back to some really old version, it seems that -p has been renamed to -k (to get the options as "-hack3rs"??).
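The dump in the post above (block 0 = C4 D9 BB 4E E8 08 04 00 62 ...) and the documentation line quoted at the top (a473f60120080400...) both follow the standard block 0 layout of a 4-byte-UID MIFARE Classic card: UID, then a BCC byte that is the XOR of the four UID bytes (so the E8 asked about is that checksum: C4 ^ D9 ^ BB ^ 4E = E8), then SAK, then the two ATQA bytes with the low byte first (04 00 on the card is what the client prints as "ATQA: 00 04"), then eight manufacturer bytes (62..69 = "bcdefghi"). The following Python is an added example, not code from this thread or from the Proxmark3 project; the function names are my own. It decodes a block 0 and checks the length and BCC before the value is handed to "hf mf wrbl 0 ...", which is the part that can be checked offline; it cannot tell whether a given magic card will accept a particular block 0.

```python
# Added example, not code from the thread or from the Proxmark3 project.
# Decode a MIFARE Classic block 0 (manufacturer block, 4-byte UID) and
# check what can be checked offline before it is written to a magic card.
#
# Layout assumed (standard for 4-byte-UID MIFARE Classic, and what the
# dumps in the thread show):
#   bytes 0..3   UID
#   byte  4      BCC  = UID[0] ^ UID[1] ^ UID[2] ^ UID[3]
#   byte  5      SAK
#   bytes 6..7   ATQA, low byte first on the card ("04 00" is ATQA 0x0004)
#   bytes 8..15  manufacturer data ("bcdefghi" in the thread's dumps)

from typing import Dict, List


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes."""
    value = 0
    for b in uid:
        value ^= b
    return value


def parse_block0(hexstr: str) -> Dict[str, object]:
    """Split a 16-byte block 0 (hex string, spaces allowed) into its fields."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("block 0 must be exactly 16 bytes, got %d" % len(raw))
    uid = raw[0:4]
    return {
        "uid": uid.hex(),
        "bcc": raw[4],
        "bcc_ok": raw[4] == bcc(uid),
        "sak": raw[5],
        "atqa": raw[6] | (raw[7] << 8),      # little-endian on the card
        "manufacturer": raw[8:16].hex(),
    }


def build_block0(uid_hex: str, sak: int, atqa: int, manufacturer_hex: str) -> str:
    """Assemble a block 0 with the BCC computed from the UID."""
    uid = bytes.fromhex(uid_hex)
    manufacturer = bytes.fromhex(manufacturer_hex)
    if len(uid) != 4:
        raise ValueError("UID must be 4 bytes")
    if len(manufacturer) != 8:
        raise ValueError("manufacturer data must be 8 bytes")
    header = bytes([bcc(uid), sak & 0xFF, atqa & 0xFF, (atqa >> 8) & 0xFF])
    return (uid + header + manufacturer).hex()


def problems(hexstr: str) -> List[str]:
    """Structural checks worth running before 'hf mf wrbl 0 ...'. Empty list = nothing found."""
    try:
        fields = parse_block0(hexstr)
    except ValueError as exc:
        return [str(exc)]
    found = []
    if not fields["bcc_ok"]:
        expected = bcc(bytes.fromhex(fields["uid"]))
        found.append("BCC byte %02x does not match XOR of UID bytes (%02x)"
                     % (fields["bcc"], expected))
    return found


if __name__ == "__main__":
    # The two block-0 values that appear in the thread.
    for blk in ("a473f601200804006263646566676869",
                "C4 D9 BB 4E E8 08 04 00 62 63 64 65 66 67 68 69"):
        f = parse_block0(blk)
        print("UID %s  BCC %02x (%s)  SAK %02x  ATQA %04x  mfr %s"
              % (f["uid"], f["bcc"], "ok" if f["bcc_ok"] else "BAD",
                 f["sak"], f["atqa"], f["manufacturer"]))
        print("  problems:", problems(blk))
```

Run it on a block you are about to write; a non-empty list from problems() means the hex string is not a well-formed block 0 and should not be sent to the card.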
I can confirm that the UFUID tags sold by "ranelei intelligent world" on Ali Express (ca. USD 30 for 50 tags) can be successfully "locked" using:
hf 14a raw -k -a -b 7 40
hf 14a raw -k -a 43
hf 14a raw -k -a e0 00 39 f7
hf 14a raw -k -a e1 00 e1 ee
hf 14a raw -k -a 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 18 47
Locking means for these cards that the Gen1a command set is not accepted by the card any further, i.e. csetuid, cwipe, cview, ... cease to work.
This could be a useful lua script for everyone.
I tested whether a tag is still modifiable after locking it. The result:
- the Chinese backdoor commands are gone, so you cannot use them to write the UID
- block 0 is not writable (normal behavior for Gen1a)
- all other blocks are writable; if you have a dump with suitable access bits in all trailers you may also restore the dump several times (so just normal behavior)
I tried to see if after locking a UFUID Gen1a card I could still write to the other blocks. What I tried was to restore a dump, but that failed. However, this also fails on other card types if I do it again, so it is probably not an issue with the UFUID card.
What would be a simple command to write to any block (not block 0) on an already locked mf classic s50?
As I restored a dump to that card, I am not sure whether I messed something up with that card.
The easiest would be taking a new UFUID, changing the UID, writing some block, locking the Chinese backdoor, and writing the same block again with different values.
I am just not sure how to do it as there are keys and access privileges and stuff.
I also tried to reinitialize another UFUID using cwipe after having restored a dump. No matter if I issue cwipe or not, it does not let me restore the same dump to that card. What would be a reason for that?

There has been lots of confusion about Chinese magic cards (UID/CUID/FUID/UFUID).
Let me try to clarify a bit with the table below:

        | "hf mf wrbl"     | "hf mf wrbl"          | "hf mf cgetblk/csetblk"
        | write to block 0 | write to other blocks | to all blocks including 0
--------+------------------+-----------------------+-------------------------------------------
M1(S50) | NO               | YES                   | NO
UID     | NO               | YES                   | YES (an M1 with backdoor)
CUID    | YES              | YES                   | NO (an M1 with writable block 0)
FUID    | ONLY ONCE        | YES                   | NO (an M1 with one-time writable blk 0)
UFUID   | NO               | YES                   | YES before locking; NO after irreversible locking (a UID tag before locking; an M1 after)
The UFUID described here is a Gen1a card until locked, then the Chinese backdoor commands stop working.
The UFUID tags described here (https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-directwrite-ufuid-version) are described as Gen2 where block0 can only be written once: MIFARE Classic DirectWrite, UFUID version - Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.
I found the Gen1a lockable UFUID variant so far. Does the Gen2 Write Once UFUID variant actually exist as described in the web page? Where can it be bought?
What happens if I use the raw commands for the Gen2 UFUID tag with a Gen1a UFUID tag?

Now I am trying to lock a card's block 0, but the command options seem to have changed in the meantime. I started with "hf 14a raw -p -a -b 7 40" and the option "-p" seems to have been renamed.
What is the new name for the option "-p"?

There are three commands that are known to me:
90 f0 cc cc 10 - write block 0
90 fb cc cc 07 - write uid separated instead of block 0
90 fd 11 11 00 - lock uid
But I could not reset my card back to a 7-byte UID. I know that programming of UID/SAK/ATQA by the manufacturer is done separately, not by block 0 rewriting.
Any ideas?
Use your Proxmark to sniff...
But I asked this because it's working only with the ACR122U and I don't have it.

Yeah, the creators of UID cards really love their bundled software. Which is only natural. They tend to not like the Proxmark3 client.
Could you please sniff the application for the RAW commands, or give some tools with which you did the above?

I would be grateful to obtain the RAW commands from this Chinese software. Maybe we can make a script or integrate it into the software in the repo.
This command works as well with bought cards where this software was the tool for UID changing:
hf 14a raw -s -c -t 2000 90f0cccc10
Equally, this is working for a lot of cards.
The program is in the attachment:
https://we.tl/t-0OOx62ZeJk
Many thanks

Very interesting article about UID/CUID/FUID/UFUID:
Chinese:
http://pn532.com/portal.php?mod=view&aid=2
Translated into English:
https://translate.google.ch/translate?h … %26aid%3D2
Regards