We supply the cards below:
Works exactly like the Mifare S50, with 16 sectors and 4 blocks per sector, but Sector 0 Block 0, known as the Manufacturer Block, where the chip UID is stored, can be reprogrammed to any UID you wish.
Its advantage:
This is a perfect solution for a lost, irreplaceable Mifare card ID: you don't need to re-enroll new cards. Just program this new Mifare 1K's UID to the UID of the lost card and you have a new, exactly identical card.
Popular applications:
Loyalty
Ticketing
Identification
Access Control
If you need them, please contact us: ouyangweidaxian@live.cn
Offline
Can somebody confirm this?
It's been long expected. However, it would still be interesting information for risk assessment.
Thanks.
Offline
I guess it is more likely to be spam.
Offline
http://www.facebook.com/nethemba/posts/235254083171750
1 minute at google
translation:
Mr. ouyangweidaxian@live.cn from China has just offered me Changeable UID Mifare Classic 1K cards, one for $24. Discount when ordering more than 100 pieces.
Offline
I've contacted this "seller" and it's most probably some kind of scam. Quoting, he asked for $24 per card, min 10 cards and I had to buy his reader and his software. Total, more than $300.
Anyway, when I asked for more specs, he said that after payment he would give me more info
=> Spam
Offline
Hey people,
I have ordered three of these cards and can confirm it works. I was able to successfully change the UID and the rest of block 0 (using a few special rfid frames). These cards cost 24USD per piece, which is pretty expensive, but they are real and work fine.
For those who want to test them and have some budget laying around, I recommend to try ordering a sample for yourself. The seller will help you with "re-branding" your UID.
Cheers,
Roel
Offline
That's very nice. Do they have ISO 15693 tags with changeable UID?
Offline
I don't know. He told me they were working on a 4KB version, but I heard no plans for support of other ISO standards. I know the ATMEL CryptoRF cards already have programmable PUPI (UID) of ISO 14443B cards. For ISO 15693 I've not found any card yet that has a programmable UID. The proxmark could do this without any problems of course.
Offline
I bought two cards and I'm now waiting for them...
Roel, What software are you using? Do you have some info so as soon as my cards are here, I can play with them?
Also, the UID is only one time changeable or you can change as many times as you want?
Thanks!
Offline
roel
Can you print here proxmark sniffed trace of this card?
Offline
It seems to be modifiable as many times as you can change the memory.
I changed the UID to zeros; this is the tx/rx result using nfc-anticol from libnfc and a tikitag reader.
Tx: 26 (7 bits)
Rx: 02 00
Tx: 93 20
Rx: 00 00 00 00 00
Tx: 93 70 00 00 00 00 00 9c d9
Rx: 18 37 cd
I could make a proxmark trace if you are interested (for timing info?).
Offline
>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how the timings differ when you are reading standard normal mifare s50 cards and these ones?
BTW, can you make a trace
>using a few special rfid frames
of changing card's UID?
Who is manufacturer?
Thanks
Last edited by vivat (2011-08-14 09:06:58)
Offline
Can anyone send some sample C code or some program in order to operate with these cards? I'm just waiting two of them. I'll tell you my results later.
Thanks!
Last edited by moebius (2011-08-16 23:18:06)
Offline
>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how the timings differ when you are reading standard normal mifare s50 cards and these ones?
BTW, can you make a trace
>using a few special rfid frames
of changing card's UID?
Who is manufacturer?
Thanks
can anyone who has these cards make a simple dump????
Offline
vivat wrote:
>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how the timings differ when you are reading standard normal mifare s50 cards and these ones?
BTW, can you make a trace
>using a few special rfid frames
of changing card's UID?
Who is manufacturer?
Thanks
can anyone who has these cards make a simple dump????
Hey @vivat! I own some of these cards. What do you exactly need? A simple dump of what? I can change one card's UID and post the frames if you want.
cheers my friend.
Offline
moebius
I need this trace to see what 'special' rfid frames used to change this card's UID. I'm waiting for it...
Offline
moebius
I need this trace to see what 'special' rfid frames used to change this card's UID. I'm waiting for it...
Ok... here you are
reading and writing with the software they provided to me.. (20usd :S but now I think some of you can write some code for pmark or using libnfc..) if not, in a couple of days I'll write some C code...
the uid checksum is really easy to calculate.. it's specified in the data sheet... I cloned one card and it's a success my friends. It's a little expensive but it's worth it.
Successful connection to ACS ACR122 0
<< FF CA 00 00 00
>> 71 43 C4 46 90 00
CARD UID:7143C446
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 05 D4 40 01 30 00
>> D5 41 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02 90 00
Read 0 Block Success.
and now the part where i'm writing the same uid...
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Edit UID Success.
Hope that helps you @vivat !
Offline
I wanted a proxmark sniffed trace
So, it is a program that you have received with card, right?
Last edited by vivat (2011-08-28 17:17:17)
Offline
I've also some cards. Still waiting for an acs reader though (the software provided does not like my touchatag, anyone with success with a touchatag?).
Is that a complete dump of the conversation with the reader through the pc/sc api?
Correct me if I'm wrong but shouldn't we see there an authentication step?
WriteRegister -> PN53X_REG_CIU_TxMode (0x6302)
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
WriteRegister -> CIU_TxMode (0x6302)
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
InDataExchange (Mifare cmd - write sector)
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Offline
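Added example, not part of any post in this thread: a small decoder for the ACR122 direct-transmit lines logged above that names each PN53x command and counts MIFARE writes to block 0 that have no authentication step before them, which is the question raised in the post above. The function names are made up for this example; the command, register and MIFARE opcodes are the standard PN53x and MIFARE Classic values.

```python
# Decode ACR122 direct-transmit lines (FF 00 00 00 Lc D4 ...) into PN53x commands.
PN53X_CMDS = {0x08: "WriteRegister", 0x40: "InDataExchange",
              0x42: "InCommunicateThru", 0x4A: "InListPassiveTarget"}
CIU_REGS = {0x6302: "CIU_TxMode", 0x6303: "CIU_RxMode", 0x633D: "CIU_BitFraming"}
MIFARE = {0x30: "READ", 0xA0: "WRITE", 0x60: "AUTH_A", 0x61: "AUTH_B"}

# Host-to-reader lines of the write sequence, copied from the log in this thread.
LOG = """\
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
<< FF 00 00 00 05 D4 08 63 3D 07
<< FF 00 00 00 03 D4 42 40
<< FF 00 00 00 05 D4 08 63 3D 00
<< FF 00 00 00 03 D4 42 43
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
"""

def decode(line):
    """Return (command name, detail) for one '<<' line, or None if it is not a PN53x frame."""
    if not line.startswith("<<"):
        return None
    b = bytes.fromhex(line[2:])
    if len(b) < 7 or b[:4] != b"\xff\x00\x00\x00" or b[4] != len(b) - 5 or b[5] != 0xD4:
        return None
    cmd, args = b[6], b[7:]
    name = PN53X_CMDS.get(cmd, f"cmd 0x{cmd:02X}")
    if cmd == 0x08:  # WriteRegister carries address-high, address-low, value triplets
        regs = [(args[i] << 8 | args[i + 1], args[i + 2]) for i in range(0, len(args) - 2, 3)]
        return name, [(CIU_REGS.get(a, hex(a)), v) for a, v in regs]
    if cmd == 0x40 and len(args) >= 3:  # target number, MIFARE opcode, block number
        return name, (MIFARE.get(args[1], hex(args[1])), args[2])
    return name, args.hex()  # e.g. the raw bytes passed through InCommunicateThru

def unauthenticated_block0_writes(log):
    """Count MIFARE WRITEs to block 0 with no earlier AUTH for sector 0 in the same log."""
    authed, hits = set(), 0
    for line in log.splitlines():
        d = decode(line)
        if d and d[0] == "InDataExchange" and isinstance(d[1], tuple):
            op, block = d[1]
            if op in ("AUTH_A", "AUTH_B"):
                authed.add(block // 4)  # an auth covers the whole 4-block sector (1K layout)
            elif op == "WRITE" and block == 0 and 0 not in authed:
                hits += 1
    return hits
```
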
It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.
Basically I want to understand the comm process because their soft is compiled and always uses default FFFFFFFF key to access block 0 so if you have already cloned one card with other keys, if you want to change its uid again you need to reset its key change the uid and restore the cloned key.
Give me some time because i'm a little busy with boring stuff. Thanx!
Offline
It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.
Give me some time because i'm a little busy with boring stuff. Thanx!
Quoting me... there's no auth to the sector. It's possible to change the block0 with no valid key. !!! really cool cards. I edited this post because I said some wrong stuff about this.
Offline
moebius wrote:
It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.
Give me some time because i'm a little busy with boring stuff. Thanx!
Quoting me... there's no auth to the sector. It's possible to change the block0 with no valid key. !!! really cool cards. I edited this post because I said some wrong stuff about this.
Are you sure of that? I didn't have the same chance, unless I'm doing something wrong, I tried to write on block 0 and no auth without success.
...
Connected to NFC reader: ACS ACR 38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)
lt-nfc-one: DBG pn53x.c:110
lt-nfc-one: InListPassiveTarget
TX: ff 00 00 00 04 d4 4a 01 00
RX: d5 4b 01 01 00 04 08 04 ad 8f 0a 8a 90 00
Found MIFARE Classic card:
ATQA (SENS_RES): 00 04
UID (NFCID1): ad 8f 0a 8a
SAK (SEL_RES): 08
lt-nfc-one: DBG pn53x.c:110
lt-nfc-one: InDataExchange
TX: ff 00 00 00 15 d4 40 01 a0 00 24 ba 8b 3c 29 88 04 00 47 c1 1d 58 a1 00 24 05
RX: d5 41 01 90 00
nfc_initiator_transceive_bytes: Timeout
Writing 1 blocks failed to write trailer block 0
(And of course after trying to read block 0 again it stays unchanged).
+1 For a Proxmark dump trace
Offline
Ok, it works, I'm a happy man: you only have to precede the mifare cmd command by the rest that is shown in the logs. Then it is true that you can write to block 0 without authenticating.
e.g.:
pn53x_transceive(pnd, "\x08\x63\x02\x00\x63\x03\x00", 7, NULL, NULL);
pn53x_transceive(pnd, "\x42\x50\x00\x57\xCD", 5, NULL, NULL);
pn53x_transceive(pnd, "\x08\x63\x3D\x07",4, NULL, NULL);
pn53x_transceive(pnd, "\x42\x40",2, NULL, NULL);
pn53x_transceive(pnd, "\x08\x63\x3D\x00",4, NULL, NULL);
pn53x_transceive(pnd, "\x42\x43",2, NULL, NULL);
pn53x_transceive(pnd, "\x08\x63\x02\x80\x63\x03\x80",7, NULL, NULL);
And then mifare cmd write... and done!
Now time to decode that... Everything fine and I only blew my proxmark bootloader with tests (I ordered a JTAG to recover, so I'll try to post a trace, but until then please if anyone can do it, go ahead)
Offline
Cool! Do you need all these commands in order to successfully write? Those are very Magic frames by now...
You see! No auth to change the first block. Magic Cards from Magic Chinese Guy! XD
Do you want to write a simple code to include within the PMark? like hf mf changeBlock0 [16 bytes]?
That would be a nice command...
Offline
OK, I screwed up one of my cards
I was playing around with block 0 and i changed it to: 04 8c 55 7b a6 b0 08 04 00 46 59 25 58 49 10 23
and now.. it's not being detected by my readers... only Pmark is able to read it...
Is it possible to send APDU commands directly through the Pmark? Is anyone a very fast developer with SVN access to code something or even better, code this new function to change the block 0 of this Cards?
I think that if i get no answer, I'll work on it, so keep me in the loop if you like the idea..
Thanks!
Offline
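Added example, not part of any post in this thread: a consistency check for a 16-byte block 0 that covers both the "uid checksum" mentioned earlier (the BCC, the XOR of the four UID bytes) and the block 0 value written in the last post. It assumes the 4-byte-UID layout visible in the block 0 read earlier in the thread (UID, BCC, SAK, ATQA, manufacturer data); the function names are made up for this example, and the page does not confirm which field the readers actually rejected.

```python
# Sanity-check a MIFARE Classic block 0 (4-byte UID) against a reference read.
# Assumed layout, matching the block 0 read earlier in this thread:
#   bytes 0-3 UID | byte 4 BCC | byte 5 SAK | bytes 6-7 ATQA | bytes 8-15 manufacturer data
from functools import reduce

def bcc(uid: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the four UID bytes."""
    return reduce(lambda a, b: a ^ b, uid, 0)

def parse_block0(hexstr: str) -> dict:
    b = bytes.fromhex(hexstr)
    if len(b) != 16:
        raise ValueError(f"block 0 must be 16 bytes, got {len(b)}")
    return {"uid": b[0:4], "bcc": b[4], "sak": b[5], "atqa": b[6:8], "mfr": b[8:16]}

def check_block0(candidate: str, reference: str) -> list:
    """Return a list of findings; an empty list means the candidate is self-consistent
    and keeps the reference card's SAK and ATQA fields."""
    c, r = parse_block0(candidate), parse_block0(reference)
    findings = []
    if c["bcc"] != bcc(c["uid"]):
        findings.append(f"BCC {c['bcc']:02x} != XOR of UID {bcc(c['uid']):02x}")
    if c["sak"] != r["sak"]:
        findings.append(f"SAK field {c['sak']:02x}, reference {r['sak']:02x}")
    if c["atqa"] != r["atqa"]:
        findings.append(f"ATQA field {c['atqa'].hex()}, reference {r['atqa'].hex()}")
    # One-byte shift: the reference bytes from its BCC onward reappear after the new BCC.
    cb, rb = bytes.fromhex(candidate), bytes.fromhex(reference)
    if cb[5:16] == rb[4:15]:
        findings.append("bytes 5-15 equal reference bytes 4-14: data shifted by one byte")
    return findings

REFERENCE = "71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02"   # block 0 read in the thread
WRITTEN   = "04 8c 55 7b a6 b0 08 04 00 46 59 25 58 49 10 23"   # block 0 from the last post

if __name__ == "__main__":
    for finding in check_block0(WRITTEN, REFERENCE):
        print(finding)
```
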