Proxmark3 developers community


#1 2019-06-12 10:05:04

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

[WIP] List of uid changeable cards

documentation

@doegox has converted this thread to a Note in the documentation at RRG/Iceman repo.  It's better structured than this post.
It also tries to unify the name conventions.
ref: https://github.com/RfidResearchGroup/pr … s_notes.md

This is an attempt to compile a list of the uid changeable cards out there.

There have been quite a few new uid changeable cards coming out on the market; you usually see them on eBay, Taobao etc.
All of which say that they can do so to some extent.

s50 - 4b uid
s50 - 7b uid

s70 - 4b uid
s70 - 7b uid
------------------------------------------------------------------------

Names that pop up.

Gen 1A / Gen 1B / Gen2
UID / CUID / FUID / UFUID / ZXUID / EUID / ICUID
Magic NTAG 21* / Magic ISO15693

-----------------------------------------------------------------------

UID
Seems to be Gen1A

CUID
Seems to be Gen2.
Some ads say "write once", hinting that block 0 of the card is not fused from factory, i.e. it supports one block 0 change.

All blocks (including Block 0) can be re-written multiple times
Not easily detectable by a system with "anti-clone" feature
IMPORTANT: Card will die if an invalid Block 0 is written
Use normal commands. eg.
hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

FUID
Write-once card; it doesn't say if this is an unfused genuine card from the factory or if it's a custom one.
Used to counter the "anti-elevator" systems. Some posts on the forum suggest broken tags after being used on elevators.

Block 0 can only be written once.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

UFUID
Suggest one-time card, to counter the "anti-elevator" systems, command set to change uid

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a e0  00  39  f7
hf 14a raw -p -a e1  00  e1  ee
hf 14a raw -p -a 85  00  00  00  00  00  00  00  00  00  00  00  00  00  00  08  18  47

http://www.proxmark.org/forum/viewtopic … 307#p32307

A second type of UFUID, apdu-based,

[cla, ins, p1, p2, len]
90  F0  CC  CC  10   - write block 0
90  FB  CC  CC  07   - write uid separated instead of block 0
90  FD  11  11  00    - lock uid

PM3 14a raw cmds:
hf 14 raw -s -c  -t 2000  90F0CCCC10041219c3219316984200e32000000000
hf 14 raw -s -c  -t 2000  90FBCCCC0711223344556677
hf 14 raw -s -c 90fd11100

You need the timeout -t 2000 for the card to execute and respond.

This Gen3 got native Pm3 client command implemented by @mceloff

-----------      ----------------------- magic gen3 -----------------------
gen3uid          Set UID without manufacturer block (magic gen3 card)
gen3blk          Overwrite full manufacturer block (magic gen 3 card)
gen3freez        Lock further UID changes (magic gen 3 card)


[usb] pm3 --> hf mf gen3uid
[usb] pm3 --> hf mf gen3blk
[usb] pm3 --> hf mf gen3freez

http://www.proxmark.org/forum/viewtopic … 843#p35843

Need info

ZXUID
  Need info

EUID
  Need info

ICUID
  Need info

-----------------------------------------------------------------------
So how do these Chinese classifications map to the Proxmark3 nomenclature?

Gen 1A
Uses Chinese backdoor command 40/41/43.   You find these everywhere.  I have seen at least four different chipsets.
hf mf c* commands will dump/restore/wipe a card very easily

Gen 1B
Uses subset of chinese backdoor command 40/43.  Harder to find,
Used among others for parking garages, where it tricks some reader counter measures.

Gen 2
Block 0 is writeable without any extra commands. Simple to use with any kind of RFID-writing device like mobile phones.

Write Once
Unfused Mifare Classic card from factory, can write once to block 0,
used among others for parking garages where the counter measures.

-----------------------------------------------------------------------
As of the last year I have seen a rise in uid changeable cards that are based on a cpu-card, where the command set for changing uid is usually based on ISO7816.  You see ads saying special write software and that the card is not detectable as a magic tag.
Since they are based on ISO7816 and don't follow the old backdoor command set, that will make them non detectable.


Non Mifare Classic UID changeable

Magic UL  -   uid changeable Ultralight tag.  I have seen two versions.  (Gen1A and Gen2 styled)
Magic UL-C  -   uid changeable Ultralight-C tag.  I have seen two versions.  (Gen1A and Gen2 styled)
Magic NTAG21* -  mimics NTAG213, 215, 216 and a heap of other UL/NTAG cards.  Uses lua-script to facilitate writing
Magic ISO15693  - ISO15693 uid changeable. Uses lua-script to facilitate writing
Magic ISO14443b -  when ordered you say which uid you want. Seller doesn't say how to change uid yourself.
Magic Desfire - Set UID/SAK/ATQA to match Mifare Desfire,   isn't a UID card in that sense since it isn't a Desfire card.  Fools some UID based systems which uses desfire.

Rumour #1 Gen3  - restores data on card after use
Rumour #2  -


Magic ISO15693 tag,

  script run iso15_magic -u E004013344556677

systems with no UID changeable cards
Yet to this day I have not seen any Legic, FeliCa, Calypso, iClass uid changeable cards.
For iClass it's really not that needed but I can see that some functions to get key and read/write memory would be great to have in a magic card.  If you ever hear of this, let me know.


------------------------------------------------------------------------------------------------------------------------
I did some videos demonstrating a few of these uid changeable tags.

https://www.youtube.com/watch?v=idtBV9w … dex=5&t=1s
https://www.youtube.com/watch?v=0U10Izv … dex=6&t=0s
https://www.youtube.com/watch?v=yzO08fN … dex=2&t=0s



Different ways implemented to deal with magic cards in the RRG/Iceman repo:

-- pm3 cmds

hf mf csetuid   
hf mf cwipe
hf mf csetblk
hf mf cgetblk
hf mf cgetsc
hf mf cload 
hf mf csave
hf mf cview
hf mf gen3uid
hf mf gen3blk
hf mf gen3freez

hf mfu setuid
hf 15 csetuid


-- lua scripts
script run mfu_magic -h
script run formatMifare -h
script run remagic -h
script run iso15_magic -h
script run mfc_gen3_writer -h
script run ul_uid -h

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#2 2019-06-12 10:19:16

mwalker
Moderator
Registered: 2019-05-11
Posts: 302

Re: [WIP] List of uid changeable cards

Please cut and paste what's useful and delete the rest as needed to keep the thread clean.

I got a few of each for testing.  I have not used the GEN2 FUID yet, but the others worked as advertised.

My supplier Calls the GEN2 CUID as re-writable Block 0.

From their site.


UID Changeable M1 S50 Block 0 Changeable Writable CUID FUID GEN1 GEN2 Card

Type 1: Normal GEN1 UID Changeable Cards:

All blocks (including Block 0) can be re-written multiple times 
Use ProxMark3 (Magic Chinese Guy function) or libnfc to change UID. 
Uses "backdoor" technique to change/rewrite UID. 
UID can be changed multiple times. 
Not suitable for MCT on Android (Mifare Classic Tool)
Answers to Chinese magic backdoor commands (GEN 1a): YES 


Type 2: Special GEN2 CUID Cards:

All blocks (including Block 0) can be re-written multiple times 
Not easily detectable by a system with "anti-clone" feature 
IMPORTANT: Card will die if an invalid Block 0 is written 
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869 
Answers to Chinese magic backdoor commands: NO 


Type 3: Special GEN2 FUID Write-Once Cards:

Block 0 can only be written once. 
Even greater protection from a system with "anti-clone" feature.
Also provides protection from accidental future modification of Block 0.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869 
Answers to Chinese magic backdoor commands: NO

Last edited by mwalker (2019-06-12 10:19:52)


#3 2019-06-12 11:08:47

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

I got a whole heap of cards.  It's getting hard to tell the difference,  which cards need which command set/lua script etc.
The proxmark3 client doesn't identify them, so it's a mess.  Even for Gen2 there is only a partial identification but the other new ones.. nada.



#4 2019-06-12 22:23:27

ikarus
Contributor
Registered: 2012-09-20
Posts: 245
Website

Re: [WIP] List of uid changeable cards

I tried to do the same thing some time ago, if you remember ;)
http://www.proxmark.org/forum/viewtopic.php?id=5318
Not much to see over there. Hopefully you are more successful
in creating a list of UID changeable cards. At least you have worked
with many more different types of tags than I did ;)


#5 2019-06-13 16:25:27

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

Good one,  I remembered it when I read it again. Raises the question of somehow documenting the properties of the "magic" nature of the cards.
The naming convention is messed up so the need for an overview is larger now.



#6 2019-07-08 07:25:34

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

On top of what you mentioned, there are UFUID tags that can be fused using PN532/ACR122/PM3, at your will.

FUID vs UFUID: FUID blk 0 will be fused at the first time of write, while UFUID will not be fused unless instructed by special commands. The fuse is irreversible, as most of us expect.

UFUID details: UID M1 S50 Block 0 changeable card whose block 0 can be fused by special commands

  • Before you fuse block 0, it is just a regular UID (Chinese magic card GEN1) tag with Chinese magic backdoor, thus cannot penetrate the firewall.

  • You can fuse it by sending the raw special commands listed in this post:
    http://www.proxmark.org/forum/viewtopic … 307#p32307

  • After fusing block 0, it is just a regular M1 S50 card. Block 0 cannot be changed.

Raw UFUID block 0 locking command: (confirmed by 2 independent sources)

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a -c e0 00 
hf 14a raw -p -a -c e1 00
hf 14a raw -p -a -c 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08

mwalker wrote:

Type 3: Special GEN2 FUID Write-Once Cards:

Block 0 can only be written once.
Even greater protection from a system with "anti-clone" feature.
Also provides protection from accidental future modification of Block 0.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

Last edited by hfmfsniff (2019-07-20 04:30:22)


#7 2019-07-08 09:59:28

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

There has been lots of confusion about Chinese magic cards (UID/CUID/FUID/UFUID).
Let me try to clarify a bit with the table below:

          "hf mf wrbl"       "hf mf wrbl"            "hf mf cgetblk/csetblk"
          write to block 0   write to other blocks   to all blocks including 0
M1(S50)   NO                 YES                     NO
UID       NO                 YES                     YES  (an M1 with backdoor)
CUID      YES                YES                     NO   (an M1 with writable block 0)
FUID      ONLY ONCE          YES                     NO   (an M1 with one-time writable blk 0)
UFUID     NO                 YES                     YES before locking; NO after irreversible locking  (a UID tag before locking; an M1 after)


#8 2019-07-15 19:04:39

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 39

Re: [WIP] List of uid changeable cards

Have the program from the china side loaded unfortunately in Chinese for all cards.

http://www.share-online.biz/dl/9OOH3PUP0KQ
http://www.share-online.biz/dl/W0ZI3PUPTL



b612f8-1563213596.jpg


aba0ea-1563213552.jpg


3c8ba4-1563213509.jpg


the commands are also in Chinese but maybe someone can start something with it

Last edited by 3dmann (2019-07-15 19:08:06)


#9 2019-07-15 20:09:35

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

I've been too busy so I forgot to report back what I found out from that Chinese application.

Found APDU's

[cla, ins, p1, p2, len]
 90  F0  CC  CC  10   - write block 0

 90  FB  CC  CC  07   - write uid separated instead of block 0

 90  FD  11  11  00    - lock uid

PM3 14a raw cmds:
hf 14 raw -s -c  -t 2000  90F0CCCC10041219c3219316984200e32000000000
hf 14 raw -s -c  -t 2000  90FBCCCC0711223344556677
hf 14 raw -s -c 90fd11100

You need the timeout -t 2000 for the card to execute and respond.
  block 0 data:  04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00
  
  Software
  APDU cmd write block 0
  
  90 f0 cc cc,
  10 = len
  04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00 = block 0 data
  
  xx  xx  xx  xx  ll uu uu uu uu uu uu uu ss aa aa                  
  90  f0  cc  cc  10 04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00
  
 hf 14a apdu 90f0cccc10041219c3219316984200e32000000000
 hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011
 
FOUND APDUS

all include crc,  

-- cmd write block 0
90 f0  cc  cc  10  04  12  19  c3  21  93  16  98  42  00  e3  20  00 00  00  00
90 f0  cc  cc  10  04  12  19  c3  21  93  17  98  42  00  e3  20  00 00  00  00

hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

-- lock uid
cmd : 90  fd  11  11  00 
resp: 90  00

hf 14 raw -s -c 90fd11100

-- reading,  doesn't need magic back door, nor authentication.
read block 0
cmd: 30 00

hf 14a raw -s c 3000


#10 2019-07-15 20:11:52

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

This kind of cards is really strange.  Hybrids of some sort. 

Don't use the lock uid since it does what it says and I haven't found any unlock.   Nor did ppl who chatted with the developers report.



#11 2019-07-19 20:34:31

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

iceman wrote:

I been too busy so I forgot to report back what I found out from that Chinese application.

  block 0 data:  04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00
  
  Software
  APDU cmd write block 0
  
  90 f0 cc cc,
  10 = len
  04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00 = block 0 data
  
  xx  xx  xx  xx  ll uu uu uu uu uu uu uu ss aa aa                  
  90  f0  cc  cc  10 04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00
  
 hf 14a apdu 90f0cccc10041219c3219316984200e32000000000
 hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011
 
FOUND APDUS

all include crc,  

-- cmd write block 0
90 f0  cc  cc  10  04  12  19  c3  21  93  16  98  42  00  e3  20  00 00  00  00
90 f0  cc  cc  10  04  12  19  c3  21  93  17  98  42  00  e3  20  00 00  00  00

hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

-- lock uid
cmd : 90  fd  11  11  00 
resp: 90  00

hf 14 raw -s -c 90fd11100

-- reading,  doesn't need magic back door, nor authentication.
read block 0
cmd: 30 00

hf 14a raw -s c 3000

I got a copy of this software and can translate Chinese to English if you need.

Is it working with PM3 or other hardware? It seems it works with PN532 to provide similar cracking functions (nested, hardnested) as PM3 does.

Last edited by hfmfsniff (2019-07-21 22:28:04)
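
The frame layout listed in the thread ([cla, ins, p1, p2, len], then data, then the CRC that -c appends), as an added example that is not part of any post and not Proxmark3 client code: a decoder that labels frames from a captured reader-to-card trace and checks the length byte and CRC. The function names and the sample trace are constructed here; the command bytes are the ones posted above.

```python
def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 Type A CRC, returned in transmission order (low byte first)."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte = (byte ^ (byte << 4)) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return crc.to_bytes(2, "little")


# (cla, ins, p1, p2) -> (label, expected len byte), as listed in the thread
VENDOR_CMDS = {
    bytes.fromhex("90f0cccc"): ("write block 0", 0x10),
    bytes.fromhex("90fbcccc"): ("write uid", 0x07),
    bytes.fromhex("90fd1111"): ("lock uid", 0x00),
}


def decode_frame(frame: bytes) -> dict:
    """Label one reader-to-card frame (payload followed by two CRC bytes)."""
    if len(frame) < 3:
        return {"label": "too short", "crc_ok": False, "len_ok": None, "data": b""}
    body, crc = frame[:-2], frame[-2:]
    out = {"label": "other", "crc_ok": crc_a(body) == crc, "len_ok": None, "data": b""}
    if len(body) >= 5 and body[:4] in VENDOR_CMDS:
        label, want = VENDOR_CMDS[body[:4]]
        data = body[5:]
        # The len byte must match both the documented value and the real payload.
        out.update(label=label, data=data,
                   len_ok=(body[4] == want and len(data) == want))
    elif len(body) == 2 and body[0] == 0x30:
        out["label"] = f"read block {body[1]}"   # plain read, no backdoor needed
    return out


def with_crc(hex_payload: str) -> bytes:
    """Helper for building the constructed sample trace below."""
    body = bytes.fromhex(hex_payload)
    return body + crc_a(body)


if __name__ == "__main__":
    # Constructed trace; payload bytes are the ones quoted in the thread.
    trace = [
        with_crc("90f0cccc10041219c3219316984200e32000000000"),
        with_crc("90fbcccc0711223344556677"),
        with_crc("90f0cccc10"),          # header only: len byte promises 16 bytes
        with_crc("90fd111100"),
        with_crc("3000"),
    ]
    for frame in trace:
        d = decode_frame(frame)
        print(f"{frame.hex():<50} {d['label']:<14} crc_ok={d['crc_ok']} len_ok={d['len_ok']}")
```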


#12 2019-07-23 08:49:35

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

Nay,  you need an ACR122 or similar to use the software with.
You can translate all screens of the software and post here :)



#13 2019-07-26 09:10:54

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

OK I just bought a PN532/ACR122u and downloaded this software (called MifareOne Tool), went through all its buttons and understood what they mean.

It is amazing that PN532/ACR122 can perform nested, hardnested, darkside quite well, just slower (5x-30x slower, esp. hardnested, which takes 5 hours to finish), but the price in China (6-10 USD for PN532) is much cheaper than even the PM3 easy clone (38 USD).

Here is the translation:
Mind that it could be a bit confusing that "UID tags" are "Chinese magic card gen1" vs "UID" are the ID in block 0.
And I use "card" and "tag" interchangeably.

avd7h4.jpg

Ay0BEY.jpg

Last edited by hfmfsniff (2019-07-28 06:46:31)


#14 2019-10-12 08:00:21

yukihama
Contributor
Registered: 2018-05-13
Posts: 105

Re: [WIP] List of uid changeable cards

iceman wrote:

This is an attempt to compile a list of the uid changeable cards out there.

Dear Iceman,
could you please explain more about s50 - 4b uid and s50 - 7b uid .

why 4bit and 7bit difference and the special purpose?

Thanks for your kind help


#15 2020-01-09 13:59:52

botrem
Contributor
Registered: 2020-01-09
Posts: 2

Re: [WIP] List of uid changeable cards

Hi,

very interesting article about UID/CUID/FUID/UFUID :

Chinese :

http://pn532.com/portal.php?mod=view&aid=2

Translated in English :

https://translate.google.ch/translate?h … %26aid%3D2

Regards


#16 2020-01-29 13:26:43

Winds
Banned
Registered: 2020-01-28
Posts: 53

Re: [WIP] List of uid changeable cards

PIC

Will be grateful to obtain the RAW commands from this Chinese soft. Maybe we can do a script or integrate it into the software at the repo.

This command working as well with bought cards where there this soft has been as tool for UID changing:

hf 14a raw -s -c -t 2000 90f0cccc10

Equals this is working for a lot of cards


The program in attachment:
https://we.tl/t-0OOx62ZeJk

Many Thanks


#17 2020-01-29 14:01:08

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

Yeah,  the creators of uid cards really loves their bundled software.  Which is only natural. They tend to not like the Proxmark3 client.



#18 2020-01-29 14:52:09

Winds
Banned
Registered: 2020-01-28
Posts: 53

Re: [WIP] List of uid changeable cards

iceman wrote:

Yeah,  the creators of uid cards really loves their bundled software.  Which is only natural. They tend to not like the Proxmark3 client.

Could you please sniff the application for the RAW or give some tools with one you did these upper?


#19 2020-01-29 15:19:50

iceman
Administrator
Registered: 2013-04-25
Posts: 6,648
Website

Re: [WIP] List of uid changeable cards

use your proxmark to sniff...



#20 2020-01-29 15:45:44

Winds
Banned
Registered: 2020-01-28
Posts: 53

Re: [WIP] List of uid changeable cards

iceman wrote:

use your proxmark to sniff...

But I asked this because it's working only with ACR122U and I don't have it.


#21 2020-02-26 12:52:20

Eloff
Contributor
Registered: 2019-02-08
Posts: 6

Re: [WIP] List of uid changeable cards

Is there a command set overview for gen3 magic cards?
I have a classic 4k 7-byte uid gen3 card (sak = 18, atqa = 0044). After an unsuccessful write of block 0 this card was reset to a 4-byte uid card (sak = 18, atqa = 0004). Uid not changed by chinese software more, but block 0 can be written only.

There are three commands that are known to me:
90  f0  cc  cc  10 - write block 0
90  fb  cc  cc  07 - write uid separated instead of block 0
90  fd  11  11  00 - lock uid

But I could not reset my card back to 7-bytes uid. I know, that programming  of uid/sak/atqa by manufacturer is separated, not by block 0 rewriting.
Any Ideas?
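
The block 0 fields this thread keeps coming back to (UID, BCC, SAK, ATQA), as an added example that is not part of any post and not Proxmark3 client code: a parser that splits a 16-byte manufacturer block and reports internal inconsistencies in a dump, which relates to the "invalid Block 0" warning in the supplier text and to the 7-byte versus 4-byte ATQA values reported above. The function and class names are hypothetical; the 7-byte layout follows the legend posted earlier in the thread, and the ATQA UID-size bits follow ISO 14443-3.

```python
from dataclasses import dataclass, field
from functools import reduce
from operator import xor
from typing import List, Optional

# ISO 14443-3: ATQA bits 7..6 announce the UID size (00 = 4 bytes, 01 = 7 bytes).
UID_SIZE_BITS = {4: 0b00, 7: 0b01}


@dataclass
class Block0:
    uid: bytes
    bcc: Optional[int]      # only present in the 4-byte-UID layout
    sak: int
    atqa: int               # stored little-endian inside the block
    problems: List[str] = field(default_factory=list)

    @property
    def consistent(self) -> bool:
        return not self.problems


def parse_block0(hex_block: str, uid_len: int = 4) -> Block0:
    """Split a 16-byte manufacturer block and list internal inconsistencies."""
    raw = bytes.fromhex(hex_block)          # tolerates spaces between bytes
    if len(raw) != 16:
        raise ValueError(f"block 0 is 16 bytes, got {len(raw)}")
    if uid_len not in UID_SIZE_BITS:
        raise ValueError("uid_len must be 4 or 7")

    uid, problems = raw[:uid_len], []
    if uid_len == 4:
        # Layout: UID(4) BCC(1) SAK(1) ATQA(2) manufacturer data(8)
        bcc, sak, atqa_raw = raw[4], raw[5], raw[6:8]
        expected = reduce(xor, uid)
        if bcc != expected:
            problems.append(f"BCC {bcc:02x} != XOR of UID bytes {expected:02x}")
    else:
        # Layout per the thread's legend: UID(7) SAK(1) ATQA(2) ...
        bcc, sak, atqa_raw = None, raw[7], raw[8:10]

    atqa = int.from_bytes(atqa_raw, "little")
    if (atqa >> 6) & 0b11 != UID_SIZE_BITS[uid_len]:
        problems.append(f"ATQA {atqa:04x} does not announce a {uid_len}-byte UID")
    return Block0(uid, bcc, sak, atqa, problems)


if __name__ == "__main__":
    samples = [
        ("a473f601200804006263646566676869", 4),                 # quoted in the thread
        ("04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00", 7),  # quoted in the thread
        ("a473f601210804006263646566676869", 4),                 # constructed: BCC corrupted
        ("a473f601201844006263646566676869", 4),                 # constructed: ATQA 0044 on 4-byte UID
    ]
    for text, n in samples:
        b = parse_block0(text, n)
        print(b.uid.hex(), f"sak={b.sak:02x} atqa={b.atqa:04x}", b.problems or "consistent")
```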


#22 2020-05-25 17:38:44

accdigit
Contributor
Registered: 2019-09-04
Posts: 5

Re: [WIP] List of uid changeable cards

@Winds
please can you resend the link for the PCSC Mifare software?
