Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2018-05-20 20:54:41

atmel9077
Contributor
Registered: 2017-06-25
Posts: 39

Where do "UID writable" chips come from?

Hello

I'm asking this question because I received a few days ago some UID writeable chips that I ordered from Banggood here. (they were advertised as "Block writable" however they need the "magic command" to change the UID)

I'm wondering if a company created MIFARE chip clones specifically designed to be "UID writable", or if these are emulators based on some kind of microcontroller, or maybe a chip in which a backdoor was discovered but was only intended to be used during manufacturing.

I noticed that the block 0 ends with "bcdefghi" and by googling "mifare bcdefghi" and I found a paper from Nicolas Courtois where at page 99 he says that Kiev transport cards use Fudan microelectronics FM11RF08 and that the block 0 ends with "bcdefghi". Of course this does neither means that FM11RF08 chips are UID changeable nor that a chip which block 0 ends with "bcdefghi" is a Fudan FM11RF08, but this might be a clue concerning the source of these "UID changeable" chips. Maybe i'll order cards with FM11RF08 to see if they have the backdoor to change the UID

Last edited by atmel9077 (2018-05-20 23:47:25)


Those who forget the past are doomed to repeat it.

Offline

#2 2019-02-25 11:43:16

fraggersparks
Contributor
Registered: 2019-02-25
Posts: 2

Re: Where do "UID writable" chips come from?

I apologise for necroing this thread, but I have some insight on the source of these UID changeable chips. I went on a rather involved search for them in animal tag form factor, no mean feat. There happens to be no official name for the actual chip, and while I don't know for sure, I'd say they're modified Fudan chips (as I imagine they're easier to get than actual s50 chips). I definitely know it's not a manufacturing backdoor (excluding FUID gen2 chips, which are, from my understanding, just standard chips that haven't had a UID or manufacturing block written to them) as the standard chip is one-time writable at factory (and I believe NXP has agreements with factories that use their chips that they won't release chips with UID/manufacturing block unwritten).

I discussed at length the UID changeable chips with a sales rep for a large RFID manufacturer in China, and I was informed that the chips are considered at odds with Intellectual Property law and are very much grey market, which is why it took me a good week to find a supplier who had them at all, let alone was able to manufacture a sample batch for me. I've reached out to the sales rep who actually sold me these samples for some clarification, as I'm extremely interested in the origins of these chips. My particular chips show up with a standard 4-byte UID and the bcdefghi manufacturing information, until you load a dump on, after which it shows up as a proper Mifare S50 to the TagReader app.

Offline

#3 2019-02-25 11:58:50

iceman
Administrator
Registered: 2013-04-25
Posts: 5,204
Website

Re: Where do "UID writable" chips come from?

Don't expect too many answers,   the secrets with production of uid cards is rarely discussed since the manufacturers doesn't want to talk about them.  You must know chinese and be on location to get started.  Start asking questions and you get the standard stonewall face.
Ppl who do know more of this, has no reason to discuss it basically.   If someone manufactures them for you,  they don't have any upside with telling you where they sourced it from.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#4 2019-02-25 11:59:28

atmel9077
Contributor
Registered: 2017-06-25
Posts: 39

Re: Where do "UID writable" chips come from?

Thank you very much for the info. I also noticed that my chips are very "crappy", and by "crappy" I mean they don't have the same write distance as their read distance. If they are not close enough to the reader they'll get corrupted (whatever reader I use). Part of the blocks will just not be written, get set to all 0 or have random data in them.

Also any MIFARE chip that does not originate from NXP/Infineon/Mikron is violating intellectual property laws. MIFARE clones are surprisingly numerous and are made by many different manufacturers, like Fudan, ISSI, Integral, Silicon craft, Belling, Unicore, Quanray, Angstrem, SHHIC etc. It's like it became an industry standard product.

Last edited by atmel9077 (2019-02-25 15:48:54)


Those who forget the past are doomed to repeat it.

Offline

Board footer

Powered by FluxBB