Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-06-12 10:05:04

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

[WIP] List of uid changeable cards

This is an attempt to compile a list of the uid changeable cards out there.


There have been quite a few new uid changeable cards coming out on the market; you usually see them on ebay, taobao etc.
All of which say that they can do it to some extent.

s50 - 4b uid
s50 - 7b uid

s70 - 4b uid
s70 - 7b uid
------------------------------------------------------------------------

Names that pop up.

Gen 1A / Gen 1B / Gen2
UID / CUID / FUID / UFUID / ZXUID / EUID / ICUID
Magic NTAG 21* / Magic ISO15693

-----------------------------------------------------------------------

UID
Seems to be Gen1A

CUID
Seems to be Gen2.
Some ads say "write once", hinting that the card's block 0 is not fused from the factory, i.e. it supports one block 0 change.

All blocks (including Block 0) can be re-written multiple times
Not easily detectable by a system with "anti-clone" feature
IMPORTANT: Card will die if an invalid Block 0 is written
Use normal commands. eg.
hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

FUID
Write Once card; it doesn't say if this is an unfused genuine card from the factory or if it's a custom one.
Used to counter the "anti-elevator" systems. Some posts on the forum suggest broken tags after use on elevators.

Block 0 can only be written once.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

UFUID
Suggest one-time card, to counter the "anti-elevator" systems.
command set to change uid http://www.proxmark.org/forum/viewtopic … 307#p32307

Need info

ZXUID
  Need info

EUID
  Need info

ICUID
  Need info

-----------------------------------------------------------------------
So how do these Chinese classifications map to the proxmark3 nomenclature?

Gen 1A
Uses Chinese backdoor command 40/41/43.   You find these everywhere.  I have seen at least four different chipsets.
hf mf c* commands will dump/restore/wipe a card very easily

Gen 1B
Uses subset of chinese backdoor command 40/43.  Harder to find,
Used among others for parking garages, where it tricks some reader counter measures.

Gen 2
Block 0 is writeable without any extra commands. Simple to use with any kind of rfid writeable device like mobile phones.

Write Once
Unfused Mifare classic card from factory,  can write once to block 0,   
used among other for parking garages where the counter measures.

-----------------------------------------------------------------------
As of the last year I have seen a rise in uid changeable cards that are based on a cpu-card, where the commandset for changing uid is usually based on ISO7816.  You see ads saying special write software and that the card is not detectable as magic tag.
Since they are based on ISO7816 and don't follow old backdoor commandset that will make them non detectable.


Non Mifare Classic UID changeable

Magic UL  -   uid changeable Ultralight tag.  I have seen two versions.  (Gen1A and Gen2 styled)
Magic UL-C  -   uid changeable Ultralight-C tag.  I have seen two versions.  (Gen1A and Gen2 styled)
Magic NTAG21* -  mimics NTAG213, 215, 216 and a heap of other UL/NTAG cards.  Uses lua-script to facilitate writing
Magic ISO15693  - ISO15693 uid changeable. Uses lua-script to facilitate writing
Magic ISO14443b -  when ordered you say which uid you want. Seller doesn't say how to change uid yourself.
Magic Desfire - Set UID/SAK/ATQA to match Mifare Desfire,   isn't a UID card in that sense since it isn't a Desfire card.  Fools some UID based systems which uses desfire.

Rumour #1 Gen3  - restores data on card after use
Rumour #2  -


systems with no UID changeable cards
Yet to this day I have not seen any Legic, FeliCa, Calypso, iClass uid changeable cards.
For iClass it's really not that needed but I can see that some functions to get key and read/write memory would be great to have in a magic card.  If you ever hear of this, let me know.


-----------------------------------------------
I did some videos demonstrating a few of these uid changeable tags.
https://www.youtube.com/watch?v=idtBV9w … dex=5&t=1s
https://www.youtube.com/watch?v=0U10Izv … dex=6&t=0s
https://www.youtube.com/watch?v=yzO08fN … dex=2&t=0s


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#2 2019-06-12 10:19:16

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: [WIP] List of uid changeable cards

Please cut and paste what's useful and delete the rest as needed to keep the thread clean.

I got a few of each for testing.  I have not used the GEN2 FUID yet, but the others worked as advertised.

My supplier calls the GEN2 CUID re-writable Block 0.

From their site.


UID Changeable M1 S50 Block 0 Changeable Writable CUID FUID GEN1 GEN2 Card

Type 1: Normal GEN1 UID Changeable Cards:

All blocks (including Block 0) can be re-written multiple times 
Use ProxMark3 (Magic Chinese Guy function) or libnfc to change UID. 
Uses "backdoor" technique to change/rewrite UID. 
UID can be changed multiple times. 
Not suitable for MCT on Android (Mifare Classic Tool)
Answers to Chinese magic backdoor commands (GEN 1a): YES 


Type 2: Special GEN2 CUID Cards:

All blocks (including Block 0) can be re-written multiple times 
Not easily detectable by a system with "anti-clone" feature 
IMPORTANT: Card will die if an invalid Block 0 is written 
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869 
Answers to Chinese magic backdoor commands: NO 


Type 3: Special GEN2 FUID Write-Once Cards:

Block 0 can only be written once. 
Even greater protection from a system with "anti-clone" feature.
Also provides protection from accidental future modification of Block 0.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869 
Answers to Chinese magic backdoor commands: NO

Last edited by mwalker (2019-06-12 10:19:52)

Offline

#3 2019-06-12 11:08:47

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [WIP] List of uid changeable cards

I got a whole heap of cards.  It's getting hard to tell the difference,  which cards need which commandset/luascript etc.
The proxmark3 client doesn't identify them, so it's a mess.  Even for Gen2 there is only a partial identification but the other new ones.. nada.



Offline

#4 2019-06-12 22:23:27

ikarus
Contributor
Registered: 2012-09-20
Posts: 242
Website

Re: [WIP] List of uid changeable cards

I tried to do the same thing some time ago, if you remember.
http://www.proxmark.org/forum/viewtopic.php?id=5318
Not much to see over there. Hopefully you are more successful
in creating a list of UID changeable cards. At least you have worked
with many more different types of tags than I did.

Offline

#5 2019-06-13 16:25:27

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [WIP] List of uid changeable cards

Good one,  I remembered it when I read it again. Raises the question of somehow documenting the properties of the "magic" nature of the cards.
The naming convention is messed up so the need for an overview is larger now.



Offline

#6 2019-07-08 07:25:34

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 18

Re: [WIP] List of uid changeable cards

On top of what you mentioned, there are UFUID tags that can be fused using PN532/ACR122/PM3, at your will.

FUID vs UFUID: FUID blk 0 will be fused at the first time of write, while UFUID will not be fused unless instructed by special commands. The fuse is irreversible, as most of us expect.

UFUID details: UID M1 S50 Block 0 changeable card whose block 0 can be fused by special commands

  • Before you fuse block 0, it is just a regular UID (Chinese magic card GEN1) tag with Chinese magic backdoor, thus cannot penetrate the firewall.

  • You can fuse it by sending the raw special commands listed in this post:
    http://www.proxmark.org/forum/viewtopic … 307#p32307

  • After fusing block 0, it is just a regular M1 S50 card. Block 0 cannot be changed.

Raw UFUID block 0 locking command: (confirmed by 2 independent sources)

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a -c e0 00 
hf 14a raw -p -a -c e1 00
hf 14a raw -p -a -c 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08

mwalker wrote:

Type 3: Special GEN2 FUID Write-Once Cards:

Block 0 can only be written once.
Even greater protection from a system with "anti-clone" feature.
Also provides protection from accidental future modification of Block 0.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

Last edited by hfmfsniff (2019-07-20 04:30:22)

Offline

#7 2019-07-08 09:59:28

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 18

Re: [WIP] List of uid changeable cards

There has been lots of confusion about Chinese magic card (UID/CUID/FUID/UFUID).
Let me try to clarify a bit with the table below:

Tag       "hf mf wrbl"        "hf mf wrbl"             "hf mf cgetblk/csetblk"
          write to block 0    write to other blocks    to all blocks including 0
M1(S50)   NO                  YES                      NO
UID       NO                  YES                      YES  (an M1 with backdoor)
CUID      YES                 YES                      NO   (an M1 with writable block 0)
FUID      ONLY ONCE           YES                      NO   (an M1 with one-time writable blk 0)
UFUID     NO                  YES                      YES before locking; NO after irreversible locking  (a UID tag before locking; an M1 after)

Offline

#8 2019-07-15 19:04:39

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 39

Re: [WIP] List of uid changeable cards

Have the program from the china side loaded unfortunately in Chinese for all cards.

http://www.share-online.biz/dl/9OOH3PUP0KQ
http://www.share-online.biz/dl/W0ZI3PUPTL



[Image: b612f8-1563213596.jpg]

[Image: aba0ea-1563213552.jpg]

[Image: 3c8ba4-1563213509.jpg]


The commands are also in Chinese, but maybe someone can start something with it.

Last edited by 3dmann (2019-07-15 19:08:06)

Offline

#9 2019-07-15 20:09:35

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [WIP] List of uid changeable cards

I've been too busy so I forgot to report back what I found out from that Chinese application.

  block 0 data:  04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00
  
  Software
  APDU cmd write block 0
  
  90 f0 cc cc,
  10 = len
  04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00 = block 0 data
  
  xx  xx  xx  xx  ll uu uu uu uu uu uu uu ss aa aa                  
  90  f0  cc  cc  10 04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00
  
 hf 14a apdu 90f0cccc10041219c3219316984200e32000000000
 hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011
 
FOUND APDUS

all include crc,  

-- cmd write block 0
90 f0  cc  cc  10  04  12  19  c3  21  93  16  98  42  00  e3  20  00 00  00  00
90 f0  cc  cc  10  04  12  19  c3  21  93  17  98  42  00  e3  20  00 00  00  00

hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

-- lock uid
cmd : 90  fd  11  11  00 
resp: 90  00

hf 14a raw -s -c 90fd111100

-- reading,  doesn't need magic back door, nor authentication.
read block 0
cmd: 30 00

hf 14a raw -s -c 3000


Offline
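
Added example, not part of any post in this thread: a pre-write sanity check for the two block 0 layouts shown above (the 4-byte-UID sample used with hf mf wrbl, and the 7-byte layout annotated in post #9), relevant to the warning that a card dies if an invalid block 0 is written. The function name parse_block0 is hypothetical; the BCC rule (XOR of the four UID bytes) and the reserved cascade tag 0x88 come from ISO 14443-3, not from the thread.

```python
from functools import reduce


def parse_block0(hex_block, uid_len=4):
    """Split a MIFARE Classic block 0 into fields and list consistency problems.

    uid_len=4 -> UID(4) BCC(1) SAK(1) ATQA(2) manufacturer data(8)
    uid_len=7 -> UID(7) SAK(1) ATQA(2) remaining data(6), as annotated in post #9
    """
    data = bytes.fromhex(hex_block)  # whitespace between bytes is accepted
    if len(data) != 16:
        return None, ["block 0 must be 16 bytes, got %d" % len(data)]
    problems = []
    if uid_len == 4:
        uid, bcc, sak, atqa, rest = data[:4], data[4], data[5], data[6:8], data[8:]
        # BCC is the XOR of the four UID bytes; a mismatch breaks anticollision.
        expected = reduce(lambda a, b: a ^ b, uid)
        if bcc != expected:
            problems.append("BCC is %02x, expected %02x" % (bcc, expected))
        # 0x88 is the cascade tag and is not a valid first byte of a 4-byte UID.
        if uid[0] == 0x88:
            problems.append("first UID byte 88 is the cascade tag")
    elif uid_len == 7:
        # No BCC is stored in the 7-byte layout shown on this page.
        uid, bcc, sak, atqa, rest = data[:7], None, data[7], data[8:10], data[10:]
    else:
        raise ValueError("uid_len must be 4 or 7")
    fields = {
        "uid": uid.hex(),
        "bcc": bcc,
        "sak": sak,
        "atqa": atqa.hex(),  # bytes in block order, not swapped
        "rest": rest.hex(),
    }
    return fields, problems


if __name__ == "__main__":
    samples = [
        ("a473f601200804006263646566676869", 4),                 # sample from the thread
        ("a473f601210804006263646566676869", 4),                 # constructed: BCC corrupted
        ("04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00", 7),  # block 0 from post #9
    ]
    for block, uid_len in samples:
        fields, problems = parse_block0(block, uid_len)
        print(fields, "OK" if not problems else problems)
```
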

#10 2019-07-15 20:11:52

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [WIP] List of uid changeable cards

This kind of card is really strange.  Hybrids of some sort.

Don't use the lock uid since it does what it says and I haven't found any unlock.   Nor did ppl who chatted with the developers report.



Offline

#11 2019-07-19 20:34:31

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 18

Re: [WIP] List of uid changeable cards

iceman wrote:

I've been too busy so I forgot to report back what I found out from that Chinese application.

  block 0 data:  04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00
  
  Software
  APDU cmd write block 0
  
  90 f0 cc cc,
  10 = len
  04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00 = block 0 data
  
  xx  xx  xx  xx  ll uu uu uu uu uu uu uu ss aa aa                  
  90  f0  cc  cc  10 04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00
  
 hf 14a apdu 90f0cccc10041219c3219316984200e32000000000
 hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011
 
FOUND APDUS

all include crc,  

-- cmd write block 0
90 f0  cc  cc  10  04  12  19  c3  21  93  16  98  42  00  e3  20  00 00  00  00
90 f0  cc  cc  10  04  12  19  c3  21  93  17  98  42  00  e3  20  00 00  00  00

hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

-- lock uid
cmd : 90  fd  11  11  00 
resp: 90  00

hf 14a raw -s -c 90fd111100

-- reading,  doesn't need magic back door, nor authentication.
read block 0
cmd: 30 00

hf 14a raw -s -c 3000

I got a copy of this software and can translate Chinese to English if you need.

Is it working with PM3 or other hardware? It seems it works with PN532 to provide similar cracking functions (nested, hardnested) as PM3 does.

Last edited by hfmfsniff (2019-07-21 22:28:04)

Offline

#12 2019-07-23 08:49:35

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [WIP] List of uid changeable cards

Nay,  you need an ACR122 or similar to use the software with.
You can translate all screens of the software and post here.



Offline

#13 2019-07-26 09:10:54

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 18

Re: [WIP] List of uid changeable cards

OK I just bought a PN532/ACR122u and downloaded this software (called MifareOne Tool), went through all its buttons and understood what they mean.

It is amazing that PN532/ACR122 can perform nested, hardnested, darkside quite well, just slower (5x-30x slower, esp hardnested, takes 5 hours to finish), but the price in China (6-10 USD for PN532) is much cheaper than even the PM3 easy clone (38 USD).

Here is the translation:
Mind that it could be a bit confusing that "UID tags" are "Chinese magic card gen1" vs "UID" are the ID in block 0.
And I use "card" and "tag" interchangeably.

[Image: avd7h4.jpg]

[Image: Ay0BEY.jpg]

Last edited by hfmfsniff (2019-07-28 06:46:31)

Offline
