Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-07-14 09:48:18

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Differences in Magic Mifare 1K cards - Not sure whats wrong?

Hi,

Firstly I had a batch of Mifare 1k UID magic cards which work as expected:

proxmark3> hf 14a read
ATQA : 00 04
UID : 12 34 56 78
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

proxmark3> hf mf cload  12345678
Loaded from file: 12345678.eml

-----------------------------------------------------------------------------------------------
But then I got a new batch of Mifare 1K UID magic cards which don't seem to work:

proxmark3> hf 14a read
ATQA : 00 04
UID : d2 be 0d 00
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

proxmark3> hf mf cload  12345678
#db# halt error. response len: 1
#db# Halt error
Can't set magic card block: 63

proxmark3> hf mf csetuid 22222222
--wipe card:NO  uid:22 22 22 22
#db# halt error. response len: 1
#db# Halt error
Couldn't get old data. Will write over the last bytes of Block 0.
new block 0:  22 22 22 22 00 00 00 00 00 00 00 00 00 00 00 00
#db# halt error. response len: 1
#db# Halt error
Can't set UID. error=2


Is this a problem because of different commands needed for v1 & v2 of magic cards?  Or are the new cards faulty as they show a halt error just when reading them with  hf 14a read  ?

Thanks

Offline

#2 2015-07-14 10:17:27

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Your new batch of magic tags, is not generation1. 

It could be generation2.. If so, you don't use the "cload/csave/csetuid" commands.
you only use the normal commands.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2015-07-14 14:19:45

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

iceman wrote:

If so, you don't use the "cload/csave/csetuid" commands.
you only use the normal commands.

Thanks for your reply.

So it's normal for the halt error when doing a "hf 14a read"?

Is there a normal command to load a .eml dump file?

Offline

#4 2015-07-14 15:13:39

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

You can look into the  "hf mf restore"  command,..   It assumes that you have a dumpdata.bin file in the client folder.
if it needs keys,  it will search for a dumpkeys.bin file. 
You can convert your eml file with a luascript.. "script list"  will give you a list of all scripts.  "script run xxxx -h"  usually prints a helptext.


About the "halt error", I'm not sure.  Which version of the proxmark software are you running?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2015-07-22 15:50:02

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

I have the same problem.
Not copied with acr122u nor proxmark.
I tried loading the proxmark eml file and dump file with acr122u, but it does not work.
Does anyone have a solution?

proxmark3> hf 14a reader
ATQA : 00 02         
UID : 12 34 56 78           
SAK : 88 [2]         
TYPE : Infineon MIFARE CLASSIC 1K         
proprietary non iso14443-4 card found, RATS not supported         
#db# halt error. response len: 1                 
Answers to chinese magic backdoor commands: NO

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: /-suspect 2015-05-24 09:54:53                 
#db# os: /-suspect 2015-05-24 09:56:23                 
#db# HF FPGA image built on 2015/03/09 at 08:41:42                 
uC: AT91SAM7S256 Rev A         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 256K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory

Offline

#6 2015-07-22 17:22:39

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

its the same read for same cards, three times........in the proxmark
reading, changing uid card chinese

proxmark3> hf 14a reader
#db# Multiple tags detected. Collision after Bit 1                 
ATQA : 0f ff         
UID : 03 00 00 00           
SAK : 00 [2]         
TYPE : NXP MIFARE Ultralight | Ultralight C         
proprietary non iso14443-4 card found, RATS not supported         
#db# halt error. response len: 1                 
Answers to chinese magic backdoor commands: NO         
-----------------------------------------------------------
proxmark3> hf 14a reader
#db# Multiple tags detected. Collision after Bit 1                 
ATQA : 00 02         
UID : 03 00 00 00           
SAK : 01 [2]         
TYPE : NXP TNP3xxx Activision Game Appliance         
proprietary non iso14443-4 card found, RATS not supported         
#db# halt error. response len: 1                 
Answers to chinese magic backdoor commands: NO         
-----------------------------------------------------------
proxmark3> hf 14a reader
ATQA : 04 02         
UID : 01 02 03 04     ----------->    (changed)           
SAK : 88 [2]         
TYPE : Infineon MIFARE CLASSIC 1K         
proprietary non iso14443-4 card found, RATS not supported         
#db# halt error. response len: 1                 
Answers to chinese magic backdoor commands: NO
----------------------------------------------------
first : Ultralight
second : NXP TNP3xxx Activision Game Appliance
next : Infineon MIFARE CLASSIC 1K

strain....

Offline

#7 2015-07-22 19:09:00

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

The halt error indicates that the tag gave a response to the halt command, which normally it shouldn't. The tag is Infineon, so this might be a behavior from this brand. If you run "hf list 14a" after you get it, and print it here, we can look at what the tag responded with. My guess: an ACK.

The collision warning indicates that you don't get a clean read from your tag. Try holding your tag 1 cm above the antenna, and in different positions as well.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#8 2015-07-23 15:52:54

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

iceman wrote:

If you run "hf list 14a"  after you get it,  and print it here,  we can look what the tag responded with. my guess a ACK

proxmark3> hf list 14a
Recorded Activity (TraceLen = 163 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |       992 | Rdr | 52                                                              |     | WUPA
      2228 |      4596 | Tag | 04  00                                                          |     |
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL
     10676 |     16500 | Tag | 93  c0  0a  00  59                                              |     |
     18688 |     29152 | Rdr | 93  70  93  c0  0a  00  59  a2  7d                              |     | SELECT_UID
     30388 |     33908 | Tag | 08  b6  dd                                                      |     |
    462592 |    467360 | Rdr | e0  80  31  73                                                  |     | RATS
    468532 |    469172 | Tag | 04                                                              |     |
    903680 |    904672 | Rdr | 40                                                              |     | MAGIC WUPC1
    905908 |    906484 | Tag | 0a!                                                             |     |
    910720 |    912032 | Rdr | 43                                                              |     | MAGIC WUPC2
    913204 |    913780 | Tag | 0a!                                                             |     |
    917760 |    922528 | Rdr | 50  00  57  cd                                                  |     | HALT
    923700 |    924340 | Tag | 04                                                              |     |
proxmark3>

Offline

#9 2015-07-23 16:05:24

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

If I do a "hf mf restore", it seems most of the blocks restore correctly but I get errors for block 0, 60, 61, 62 & 63

proxmark3> hf mf restore
Restoring dumpdata.bin to card
Writing to block   0: xx xx xx xx xx xx 04 xx xx xx 14 xx xx 00 xx xx

#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block   1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   3: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   7: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block   9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  11: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  15: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  19: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  23: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  24: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  25: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  26: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  27: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  29: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  31: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  33: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  34: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  35: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  36: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  37: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  39: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  41: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  42: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  43: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  44: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  45: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  46: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  47: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  49: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  51: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  52: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  53: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  54: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  55: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  56: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  57: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  58: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  59: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff

#db# WRITE BLOCK FINISHED
isOk:01
Writing to block  60: xx xx xx xx 40 00 00 00 00 00 00 00 00 00 00 00

#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block  61: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block  62: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block  63: xx xx xx xx xx xx xx xx xx 00 xx xx x2 xx c5 xx

#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
proxmark3>

Offline

#10 2015-07-24 00:34:52

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Block zero is not writeable if it is a normal mifare s50 tag.
block 60,61,62,63 seems like you didn't have the last key in the dumpkeys.bin file...

if you are sure your new tag is magic, then try using generation1 commands,   hf mf cset,  for the block 0.


edit:
looking at the trace, it seems you got magic tags generation 1.  which needs special commands to write to block 0.

Last edited by iceman (2015-07-24 00:44:07)


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#11 2015-07-24 06:25:31

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

iceman wrote:

edit:
looking at the trace, it seems you got magic tags generation 1.  which needs special commands to write to block 0.

I am thinking the last batch of magic tags I got are either bad quality or some kind of generation between 1 & 2.

The first batch of tags act like generation 1 and work fine: eg
- Answers to chinese magic backdoor commands: YES
- If I use chinese special commands they work fine. eg.  hf mf cload  12345678    >  Loaded from file: 12345678.eml

But the second batch I got:
- Always have "#db# halt error. response len: 1" error for most commands
- Answers to chinese magic backdoor commands: NO
- Some chinese special commands will work, but some won't. eg.
          - "hf mf csetuid" works OK to change the UID
          - But if I try to write the full block 0, it won't work
          - Also if I try hf mf cload, I always get errors in some blocks ...eg. Can't set magic card block: 63

Offline

#12 2015-07-24 11:03:40

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

If the trace above was from your second batch,

the tag answers with a NACK 0x04 to the HALT command. That's the "halt error". Normally a tag doesn't respond to the HALT cmd.
That could be a twist from Infineon. It's OK to ignore this db message, if you don't like it. (Change the len check inside mifare_classic_halt in armsrc/mifareutil.c.)

But was your first batch also from Infineon?


What does the trace look like when you tried "hf mf csetblk 0 xxxx"?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#13 2015-07-28 04:14:58

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

testing cards, changing uid, s50, 2 generation.
I wrote the 64 blocks manually.
------------------------------------
proxmark3> hf mf wrbl 63 B c4edb80fc345 12345678901208778f00c4edb80fc345
--block no:63, key type:B, key:c4 ed b8 0f c3 45           
--data: 12 34 56 78 90 12 08 77 8f 00 c4 ed b8 0f c3 45           
#db# WRITE BLOCK FINISHED
isOk:01
------------------------------------
and all were written well, (with proxmark3), including block 0,60,61,62,63.
but the card still giving me error.
I think the mistake is here  (#db# halt error. response len: 1)
------------------------------
proxmark3> hf 14a reader
ATQA : 00 02         
UID : d0 a5 e8 e7           
SAK : 88 [2]         
TYPE : Infineon MIFARE CLASSIC 1K         
proprietary non iso14443-4 card found, RATS not supported         
#db# halt error. response len: 1                 
Answers to chinese magic backdoor commands: NO         
proxmark3>
--------------------------
if someone has the solution.
or if anyone know of a store that sells the one generation.

publish the link where this product was purchased.

http://www.aliexpress.com/item/200PCS-Lot-13-56MHZ-Rewritable-Smart-IC-Chip-UID-Changeable-Card-With1K-Bytes-8K-Bits-Memory/1858507771.html

http://www.aliexpress.com/item/uid-changeable-card-1k-card-S50-card-proxmark3-libnfc-Chinese-Magic-card-backdoor-card/1735477211.html

proxmark3 and ACR122U was used.
none worked

Offline

#14 2015-07-28 09:53:14

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

How about you give the output from
-hw version
-hw tune

And the traceoutput from
-hf mf csetblk 0 xxxx 

It's near impossible to give answer without that information.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#15 2015-07-28 12:53:01

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

proxmark3> hw tune
Measuring antenna characteristics, please wait.........         
# LF antenna:  0.00 V @   125.00 kHz         
# LF antenna:  0.00 V @   134.00 kHz         
# LF optimal:  0.00 V @ 12000.00 kHz         
# HF antenna: 14.18 V @    13.56 MHz         
# Your LF antenna is unusable.         
proxmark3>
--------------------------------------------------------------

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: /-suspect 2015-05-24 09:54:53                 
#db# os: /-suspect 2015-05-24 09:56:23                 
#db# HF FPGA image built on 2015/03/09 at 08:41:42                 
uC: AT91SAM7S256 Rev A         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 256K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
proxmark3>
-------------------------------------------------

proxmark3> hf mf csetblk 0 d0a5e8e77a980200648f45915d101311
--block number: 0 data:d0 a5 e8 e7 7a 98 02 00 64 8f 45 91 5d 10 13 11           
#db# Can't select card                 
Can't write block. error=2         
proxmark3>

Offline

#16 2015-07-28 15:07:33

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

And what does the tracelog look like after you ran the "hf mf csetblk"??

(e.g.  hf list 14a)


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#17 2015-07-29 10:10:35

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

proxmark3> hf list 14a 
Recorded Activity (TraceLen = 0 bytes)         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|         
proxmark3>

Offline

#18 2015-07-29 10:13:45

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Would you please run first the "hf mf csetblk",  then run "hf list 14a"?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#19 2015-07-29 11:03:27

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

proxmark3> hf mf csetblk 0 d0a5e8e77a980200648f45915d101311
--block number: 0 data:d0 a5 e8 e7 7a 98 02 00 64 8f 45 91 5d 10 13 11           
#db# halt error. response len: 1                 
#db# Halt error                 
Can't write block. error=2         
proxmark3>

proxmark3> hf list 14a 
Recorded Activity (TraceLen = 215 bytes)         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|         
         0 |       992 | Rdr | 52                                                              |     | WUPA         
      2228 |      4596 | Tag | 02  00                                                          |     |           
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL         
     10676 |     16564 | Tag | d0  a5  e8  e7  7a                                              |     |           
     18688 |     29216 | Rdr | 93  70  d0  a5  e8  e7  7a  ee  5d                              |     | SELECT_UID         
     30388 |     33908 | Tag | 88  be  59                                                      |     |           
     35456 |     40224 | Rdr | 50  00  57  cd                                                  |     | HALT         
    175616 |    176608 | Rdr | 40                                                              |     | MAGIC WUPC1         
    177844 |    178420 | Tag | 0a!                                                             |     |           
    182656 |    183968 | Rdr | 43                                                              |     | MAGIC WUPC2         
    185140 |    185716 | Tag | 0a!                                                             |     |           
    189696 |    194400 | Rdr | a0  00  5f  b1                                                  |     | WRITEBLOCK(0)         
    195636 |    196212 | Tag | 0a!                                                             |     |           
    199552 |    220448 | Rdr | d0  a5  e8  e7  7a  98  02  00  64  8f  45  91  5d  10  13  11  |     |           
           |           |     | c3  b5                                                          |     | ?         
    267060 |    267636 | Tag | 0a!                                                             |     |           
    269056 |    273824 | Rdr | 50  00  57  cd                                                  |     | HALT         
    274996 |    275636 | Tag | 04                                                              |     |           
proxmark3>

Offline

#20 2015-07-29 11:18:18

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

So, good, it's your version of tag that responds to the "HALT" command.
The actual write command works as it should.

It is as I wrote in post #12 earlier.  This failed message can be altered.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline
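
Added example, not part of any post in this thread: a Python sketch that reads "hf list 14a" output in the single-line layout of post #19 and reports which reader frames the tag answered. The trace rows are copied from post #19 (padding trimmed), the function names are hypothetical, and 0a / 04 are read as ACK / NACK the way posts #12 and #23 read them.

```python
import re

# Rows copied from the trace in post #19 (column padding trimmed).
TRACE = """\
     Start |       End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-------------------------------|-----|------------|
         0 |       992 | Rdr | 52 |     | WUPA
      2228 |      4596 | Tag | 02  00 |     |
      7040 |      9504 | Rdr | 93  20 |     | ANTICOLL
     10676 |     16564 | Tag | d0  a5  e8  e7  7a |     |
     18688 |     29216 | Rdr | 93  70  d0  a5  e8  e7  7a  ee  5d |     | SELECT_UID
     30388 |     33908 | Tag | 88  be  59 |     |
     35456 |     40224 | Rdr | 50  00  57  cd |     | HALT
    175616 |    176608 | Rdr | 40 |     | MAGIC WUPC1
    177844 |    178420 | Tag | 0a! |     |
    182656 |    183968 | Rdr | 43 |     | MAGIC WUPC2
    185140 |    185716 | Tag | 0a! |     |
    189696 |    194400 | Rdr | a0  00  5f  b1 |     | WRITEBLOCK(0)
    195636 |    196212 | Tag | 0a! |     |
    199552 |    220448 | Rdr | d0  a5  e8  e7  7a  98  02  00  64  8f  45  91  5d  10  13  11 |     |
           |           |     | c3  b5 |     | ?
    267060 |    267636 | Tag | 0a! |     |
    269056 |    273824 | Rdr | 50  00  57  cd |     | HALT
    274996 |    275636 | Tag | 04 |     |
"""


def to_bytes(field):
    """Hex column -> bytes; drops spacing, '!' parity marks and '[ ]' CRC brackets."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", field))


def parse_trace(text):
    """Return [(src, data)] frames; header and separator rows are skipped."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4:
            continue
        start, src, data = cols[0], cols[2], cols[3]
        if src in ("Rdr", "Tag"):
            frames.append([src, to_bytes(data)])
        elif src == "" and start == "" and frames:
            # Continuation row: long frames spill onto a second line.
            frames[-1][1] += to_bytes(data)
    return [(src, data) for src, data in frames]


def responses(frames):
    """Pair each reader frame with the tag frame directly after it (or None)."""
    pairs = []
    for i, (src, data) in enumerate(frames):
        if src != "Rdr":
            continue
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        pairs.append((data, nxt[1] if nxt and nxt[0] == "Tag" else None))
    return pairs


def summarize(text):
    pairs = responses(parse_trace(text))
    wake = [r for cmd, r in pairs if cmd in (b"\x40", b"\x43")]
    halt = [r for cmd, r in pairs if cmd[:2] == b"\x50\x00"]
    return {
        # Both backdoor wake-up frames (40, 43) answered with 0a.
        "magic_wakeup_acked": bool(wake) and all(r == b"\x0a" for r in wake),
        # 16 data bytes + 2 CRC bytes, answered with 0a.
        "block_write_acked": any(len(c) == 18 and r == b"\x0a" for c, r in pairs),
        # What the tag sent back after each HALT (None = silence, as expected).
        "halt_replies": [r.hex() if r else None for r in halt],
    }


if __name__ == "__main__":
    print(summarize(TRACE))
```

On the post #19 trace this shows the wake-up and the block write both acknowledged, with the only anomaly being the 04 sent back after the second HALT.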

#21 2015-07-29 11:41:16

LaserByte
Contributor
Registered: 2014-05-18
Posts: 43

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

the problem is the card, true ??

Offline

#22 2015-07-29 13:59:16

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Alternative mifare cards often respond to commands that true chips don't.  But they usually function just fine in the real world.  Consider the pm3 error just a warning.

Offline

#23 2015-07-29 14:37:01

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Almost,  since it reports back a "2"..  Which we might have a check for on the client side.. 
However, as I already mentioned you can alter that check to skip looking for "0x0a".   And the error/warning message goes away and the tag will work fine with the PM3 client.   It should already work fine.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#24 2016-02-19 18:40:11

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Hello

I am having the same halt message with a magic tag:

    267188 |    267764 | Tag | 0a!             |     |
    269184 |    273952 | Rdr | 50  00  57  cd  |     | HALT
    275124 |    275764 | Tag | 04              |     |

Could you help me to fix it please? I don't know how to modify the file you mentioned in #12.

Offline

#25 2016-02-19 18:41:50

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

proxmark3> hf mf csetblk 0
block data must include 32 HEX symbols
proxmark3> hf mf csetblk 0 00000000000000000000000000000000
--block number: 0 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

#db# halt error. response len: 1
#db# Halt error
Can't write block. error=2

It looks that the HALT happens on the trailer blocks...

Offline

#26 2016-02-19 18:51:45

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

When you write all zeros to block zero you will render the tag unusable... 

If you want to change uid, use the "hf mf csetuid",  it will create a good block 0.

You have some reading to do.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#27 2016-02-19 20:59:21

mosci
Contributor
Registered: 2016-01-09
Posts: 83
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

yikes me also
I have some UID-changeable
csetuid did not work ...

proxmark3> hf mf csetuid 01020304 0004 08
--wipe card:NO  uid:01 02 03 04
#db# wupC1 error
Couldn't get old data. Will write over the last bytes of Block 0.
new block 0:  01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00
#db# wupC1 error
Can't set UID. error=2
proxmark3>

so I tried the example-block0 from the Chinese seller

proxmark3> hf search

 UID : de 0f 2b 19
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search

proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF 19743C36670804000115C507E8A85B1D
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 19 74 3c 36 67 08 04 00 01 15 c5 07 e8 a8 5b 1d
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf search

 UID : 19 74 3c 36
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

Valid ISO14443A Tag Found - Quiting Search
proxmark3>

then I thought ... I try to change the first number
big fault

proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF 18743C36670804000115C507E8A85B1D
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 18 74 3c 36 67 08 04 00 01 15 c5 07 e8 a8 5b 1d
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf search


no known/supported 13.56 MHz tags found

proxmark3>

I have other magic cards which I could repair with your remagic-script
this not
so I got 3 new ice-scrapers for my car


modhex(hkheiehvhtfchihtijduhfhg)

Offline

#28 2016-02-19 21:07:40

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

First,

the:   [hf mf c** ] commands  is for Magic tags Generation1.  Uses special backdoor commands in protocol.

your:  [ hf mf wrbl 0 A FFFFFFFFFFFF 19743C36670804000115C507E8A85B1D]   shows a normal write on block 0, 
this means Generation 2 tag.     Congrats to have a S50 1k Generation2 tag.  Its the first time I ever seen it in the wild.


There is a danger,  writing Block 0,   UID bytes has a BCC ( uid 0123, bcc4) ..  that has to match otherwise the tag becomes dead...

I have no clue how to save/revive a Generation 2 tag...    *yet*


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#29 2016-02-19 21:17:16

mosci
Contributor
Registered: 2016-01-09
Posts: 83
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

They were really cheap - first I thought I got fooled, because they act like ordinary S50,
but then I recognized (the hard way) that they aren't ordinary at all
ebay link

Last edited by mosci (2016-02-19 21:21:37)


modhex(hkheiehvhtfchihtijduhfhg)

Offline

#30 2016-02-19 21:26:58

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

Cool,  and now we need to find out a way to revive your Gen2 tags... 

I saw somewhere on the forum a user mentions he used  "hf mf csetbl 0 19743C36670804000115C507E8A85B1D"  a couple of times and it works again..


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#31 2016-02-19 21:42:47

mosci
Contributor
Registered: 2016-01-09
Posts: 83
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

250 times (via lua-script) did not change anything

....
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 19 74 3c 36 67 08 04 00 01 15 c5 07 e8 a8 5b 1d
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00
....

but I'm gonna keep them warm and dry ... maybe sometime I will be able to 'remagic' them


modhex(hkheiehvhtfchihtijduhfhg)

Offline

#32 2016-02-19 21:46:41

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

the remagic uses chinese backdoor commands..
its the select card which spooks..


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#33 2016-02-19 21:52:55

mosci
Contributor
Registered: 2016-01-09
Posts: 83
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

The TWN4 doesn't recognize them either - 'remagic' was just meant as 'getting it to work again', alluding to your script of course.
It doesn't matter - I still have 7 working ones and will be more careful with them.

Last edited by mosci (2016-02-19 21:53:31)


modhex(hkheiehvhtfchihtijduhfhg)

Offline

#34 2016-02-19 22:28:39

mosci
Contributor
Registered: 2016-01-09
Posts: 83
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

there seems still to be some response coming

proxmark3> hf list 14a c
Recorded Activity (TraceLen = 0 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3> hf 14a reader
iso14443a card select failed
proxmark3> hf list 14a c
Recorded Activity (TraceLen = 65 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52                                                              |     | WUPA
       2228 |       4596 | Tag | 04  00                                                          |     |
       7040 |       9504 | Rdr | 93  20                                                          |     | ANTICOLL
      10676 |      16564 | Tag | 18  74  3c  36  67                                              |     |
      18816 |      29280 | Rdr | 93  70  18  74  3c  36  66 [1a  d8 ]                            |  ok | SELECT_UID
proxmark3>

18  74  3c  36  67  was the bad thing I have written


modhex(hkheiehvhtfchihtijduhfhg)

Offline

#35 2016-02-19 22:39:20

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945
Website

Re: Differences in Magic Mifare 1K cards - Not sure whats wrong?

That is the uid, and your BCC is false, so... if you fiddle with the "iso_select_card" and flash, you should let the code ignore the faulty bcc...


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline
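
Added example, not part of any post in this thread: a Python pre-write check for a block 0 image, covering the BCC rule from post #28 (the fifth byte must be the XOR of the four UID bytes) and the all-zero case from post #26. Function names are hypothetical; the sample blocks are the ones posted in #15 and #27.

```python
def bcc(uid):
    """ISO/IEC 14443-3 block check character: XOR of the four UID bytes."""
    if len(uid) != 4:
        raise ValueError("single-size UID must be 4 bytes")
    out = 0
    for b in uid:
        out ^= b
    return out


def parse_block0(hex_block):
    """32 hex symbols (spaces allowed) -> 16 bytes, else ValueError."""
    cleaned = hex_block.replace(" ", "")
    if len(cleaned) != 32:
        raise ValueError("block data must include 32 hex symbols")
    return bytes.fromhex(cleaned)


def check_block0(hex_block):
    """Return a list of problems; an empty list means the image passes."""
    try:
        block = parse_block0(hex_block)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not any(block):
        problems.append("block is all zeros")
    uid, stored = block[:4], block[4]
    expected = bcc(uid)
    if stored != expected:
        problems.append(
            "BCC mismatch: block has %02x, UID %s needs %02x"
            % (stored, uid.hex(), expected)
        )
    return problems


def with_uid(hex_block, new_uid_hex):
    """Copy of the block with a new 4-byte UID and a recomputed BCC."""
    block = bytearray(parse_block0(hex_block))
    uid = bytes.fromhex(new_uid_hex)
    check = bcc(uid)          # validates the UID length before any change
    block[:4] = uid
    block[4] = check
    return block.hex()


if __name__ == "__main__":
    samples = {
        "post #27, seller example": "19743C36670804000115C507E8A85B1D",
        "post #27, first byte changed": "18743C36670804000115C507E8A85B1D",
        "post #15": "d0a5e8e77a980200648f45915d101311",
        "post #25, all zeros": "00000000000000000000000000000000",
    }
    for name, blk in samples.items():
        print(name, "->", check_block0(blk) or "ok")
    # Same edit as in post #27, but with the BCC byte recomputed.
    print(with_uid("19743C36670804000115C507E8A85B1D", "18743c36"))
```

The recomputed BCC for UID 18 74 3c 36 is 66, the same value the reader put in its SELECT_UID frame in post #34, while the tag itself presented 67.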
