Proxmark3 community


#1 2019-06-12 10:05:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

[WIP] List of uid changeable cards

documentation

@doegox has converted this thread to a Note in the documentation at the RRG/Iceman repo. It's better structured than this post.
It also tries to unify the name conventions.
ref: 
https://github.com/RfidResearchGroup/pr … s_notes.md

This is an attempt to compile a list of the uid changeable cards out there.

There have been quite a few new uid changeable cards coming out on the market; you usually see them on eBay, Taobao etc.
All of which say that they can do it to some extent.

s50 - 4b uid
s50 - 7b uid

s70 - 4b uid
s70 - 7b uid
------------------------------------------------------------------------

Names that pop up.

Gen 1A / Gen 1B / Gen2
UID / CUID / FUID / UFUID / ZXUID / EUID / ICUID
Magic NTAG 21* / Magic ISO15693

-----------------------------------------------------------------------

UID
Seems to be Gen1A

CUID
Seems to be Gen2.
Some ads say "write once", hinting that the card is not fused block0 from factory, i.e. supports one block0 change.

All blocks (including Block 0) can be re-written multiple times
Not easily detectable by a system with "anti-clone" feature
IMPORTANT: Card will die if an invalid Block 0 is written
Use normal commands. eg.
hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

FUID
Write Once card; it doesn't say if this is an unfused genuine card from the factory or if it's a custom one.
Used to counter the "anti-elevator" systems. Some posts on the forum suggest broken tags after use on elevators.

Block 0 can only be written once.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

UFUID
Suggests a one-time card, to counter the "anti-elevator" systems; command set to change uid:

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a e0  00  39  f7
hf 14a raw -p -a e1  00  e1  ee
hf 14a raw -p -a 85  00  00  00  00  00  00  00  00  00  00  00  00  00  00  08  18  47

http://www.proxmark.org/forum/viewtopic … 307#p32307

A second type of UFUID, APDU-based:

[cla, ins, p1, p2, len]
90  F0  CC  CC  10   - write block 0
90  FB  CC  CC  07   - write uid separated instead of block 0
90  FD  11  11  00    - lock uid

PM3 14a raw cmds:
hf 14a raw -s -c -t 2000 90F0CCCC10041219c3219316984200e32000000000
hf 14a raw -s -c -t 2000 90FBCCCC0711223344556677
hf 14a raw -s -c 90fd111100

You need timeout -t 2000 for the card to execute and respond.

This Gen3 got a native Pm3 client command implemented by @mceloff

-----------      ----------------------- magic gen3 -----------------------
gen3uid          Set UID without manufacturer block (magic gen3 card)
gen3blk          Overwrite full manufacturer block (magic gen 3 card)
gen3freez        Lock further UID changes (magic gen 3 card)


[usb] pm3 --> hf mf gen3uid
[usb] pm3 --> hf mf gen3blk
[usb] pm3 --> hf mf gen3freez

http://www.proxmark.org/forum/viewtopic … 843#p35843

Need info

ZXUID
  Need info

EUID
  Need info

ICUID
  Need info

-----------------------------------------------------------------------
So how do these Chinese classifications map to the Proxmark3 nomenclature?

Gen 1A
Uses the Chinese backdoor commands 40/41/43. You find these ones everywhere. I have seen at least four different chipsets.
hf mf c* commands will dump/restore/wipe a card very easily

Gen 1B
Uses a subset of the Chinese backdoor commands 40/43. Harder to find.
Used among others for parking garages, where it tricks some reader countermeasures.

Gen 2
Block 0 is writeable without any extra commands. Simple to use with any kind of RFID-writing device like mobile phones.

Write Once
Unfused Mifare Classic card from factory, can write once to block 0,
used among others for parking garages where the counter measures.

-----------------------------------------------------------------------
As of the last year I have seen a rise in uid changeable cards that are based on a CPU card, where the command set for changing the uid is usually based on ISO7816. You see ads saying special write software and that the card is not detectable as a magic tag.
Since they are based on ISO7816 and don't follow the old backdoor command set, that makes them non-detectable.


Non Mifare Classic UID changeable

Magic UL  -   uid changeable Ultralight tag.  I have seen two versions.  (Gen1A and Gen2 styled)
Magic UL-C  -   uid changeable Ultralight-C tag.  I have seen two versions.  (Gen1A and Gen2 styled)
Magic NTAG21* -  mimics NTAG213, 215, 216 and a heap of other UL/NTAG cards.  Uses a lua script to facilitate writing
Magic ISO15693  - ISO15693 uid changeable. Uses a lua script to facilitate writing
Magic ISO14443b -  when ordered you say which uid you want. The seller doesn't say how to change the uid yourself.
Magic Desfire - Sets UID/SAK/ATQA to match Mifare Desfire; isn't a UID card in that sense since it isn't a Desfire card.  Fools some UID based systems which use Desfire.

Rumour #1 Gen3  - restores data on card after use
Rumour #2  -


Magic ISO15693 tag,

  script run iso15_magic -u E004013344556677

systems with no UID changeable cards
Yet to this day I have not seen any Legic, FeliCa, Calypso, iClass uid changeable cards.
For iClass it's really not that needed, but I can see that some functions to get the key and read/write memory would be great to have in a magic card.  If you ever hear of this, let me know.


------------------------------------------------------------------------------------------------------------------------
I did some videos demonstrating a few of these uid changeable tags.

https://www.youtube.com/watch?v=idtBV9w … dex=5&t=1s
https://www.youtube.com/watch?v=0U10Izv … dex=6&t=0s
https://www.youtube.com/watch?v=yzO08fN … dex=2&t=0s



Different ways implemented to deal with magic cards in the RRG/Iceman repo:

-- pm3 cmds

hf mf csetuid   
hf mf cwipe
hf mf csetblk
hf mf cgetblk
hf mf cgetsc
hf mf cload 
hf mf csave
hf mf cview
hf mf gen3uid
hf mf gen3blk
hf mf gen3freez

hf mfu setuid
hf 15 csetuid


-- lua scripts
script run mfu_magic -h
script run formatMifare -h
script run remagic -h
script run iso15_magic -h
script run mfc_gen3_writer -h
script run ul_uid -h


#2 2019-06-12 10:19:16

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: [WIP] List of uid changeable cards

Please cut and paste what's useful and delete the rest as needed to keep the thread clean.

I got a few of each for testing.  I have not used the GEN2 FUID yet, but the others worked as advertised.

My supplier calls the GEN2 CUID "re-writable Block 0".

From their site.


UID Changeable M1 S50 Block 0 Changeable Writable CUID FUID GEN1 GEN2 Card

Type 1: Normal GEN1 UID Changeable Cards:

All blocks (including Block 0) can be re-written multiple times 
Use ProxMark3 (Magic Chinese Guy function) or libnfc to change UID. 
Uses "backdoor" technique to change/rewrite UID. 
UID can be changed multiple times. 
Not suitable for MCT on Android (Mifare Classic Tool)
Answers to Chinese magic backdoor commands (GEN 1a): YES 


Type 2: Special GEN2 CUID Cards:

All blocks (including Block 0) can be re-written multiple times 
Not easily detectable by a system with "anti-clone" feature 
IMPORTANT: Card will die if an invalid Block 0 is written 
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869 
Answers to Chinese magic backdoor commands: NO 


Type 3: Special GEN2 FUID Write-Once Cards:

Block 0 can only be written once. 
Even greater protection from a system with "anti-clone" feature.
Also provides protection from accidental future modification of Block 0.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869 
Answers to Chinese magic backdoor commands: NO

Last edited by mwalker (2019-06-12 10:19:52)


#3 2019-06-12 11:08:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

I got a whole heap of cards.  It's getting hard to tell the difference, which cards need which command set/lua script etc.
The proxmark3 client doesn't identify them, so it's a mess.  Even for Gen2 there is only a partial identification, but the other new ones.. nada.


#4 2019-06-12 22:23:27

ikarus
Contributor
Registered: 2012-09-20
Posts: 249
Website

Re: [WIP] List of uid changeable cards

I tried to do the same thing some time ago, if you remember
http://www.proxmark.org/forum/viewtopic.php?id=5318
Not much to see over there. Hopefully you are more successful
in creating a list of UID changeable cards. At least you have worked
with many more different types of tags than I did


#5 2019-06-13 16:25:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

Good one,  I remembered it when I read it again. Raises the question of somehow documenting the properties of the "magic" nature of the cards.
The naming convention is messed up, so the need for an overview is larger now.


#6 2019-07-08 07:25:34

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

On top of what you mentioned, there are UFUID tags that can be fused using PN532/ACR122/PM3, at your will.

FUID vs UFUID: FUID blk 0 will be fused at the first time of write, while UFUID will not be fused unless instructed by special commands. The fuse is irreversible, as most of us expect.

UFUID details: UID M1 S50 Block 0 changeable card whose block 0 can be fused by special commands

  • Before you fuse block 0, it is just a regular UID (Chinese magic card GEN1) tag with Chinese magic backdoor, thus cannot penetrate the firewall.

  • You can fuse it by sending the raw special commands listed in this post:
    http://www.proxmark.org/forum/viewtopic … 307#p32307

  • After fusing block 0, it is just a regular M1 S50 card. Block 0 cannot be changed.

Raw UFUID block 0 locking command: (confirmed by 2 independent sources)

hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a -c e0 00 
hf 14a raw -p -a -c e1 00
hf 14a raw -p -a -c 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08

mwalker wrote:

Type 3: Special GEN2 FUID Write-Once Cards:

Block 0 can only be written once.
Even greater protection from a system with "anti-clone" feature.
Also provides protection from accidental future modification of Block 0.
Use normal commands. eg. hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
Answers to Chinese magic backdoor commands: NO

Last edited by hfmfsniff (2019-07-20 04:30:22)


#7 2019-07-08 09:59:28

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

There has been lots of confusion about Chinese magic cards (UID/CUID/FUID/UFUID).
Let me try to clarify a bit with the table below:

              "hf mf wrbl"       "hf mf wrbl"            "hf mf cgetblk/csetblk"
              write to block 0   write to other blocks   all blocks including 0
M1 (S50)      NO                 YES                     NO
UID           NO                 YES                     YES  (an M1 with backdoor)
CUID          YES                YES                     NO   (an M1 with writable block 0)
FUID          ONLY ONCE          YES                     NO   (an M1 with one-time writable blk 0)
UFUID         NO                 YES                     YES before locking; NO after irreversible locking
                                                         (a UID tag before locking; an M1 after)


#8 2019-07-15 19:04:39

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: [WIP] List of uid changeable cards

I have the program from the Chinese site loaded, unfortunately in Chinese, for all cards.

http://www.share-online.biz/dl/9OOH3PUP0KQ
http://www.share-online.biz/dl/W0ZI3PUPTL



[3 image attachments]


The commands are also in Chinese, but maybe someone can do something with it.

Last edited by 3dmann (2019-07-15 19:08:06)


#9 2019-07-15 20:09:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

I've been too busy so I forgot to report back what I found out from that Chinese application.

Found APDUs

[cla, ins, p1, p2, len]
 90  F0  CC  CC  10   - write block 0

 90  FB  CC  CC  07   - write uid separated instead of block 0

 90  FD  11  11  00    - lock uid

PM3 14a raw cmds:
hf 14a raw -s -c -t 2000 90F0CCCC10041219c3219316984200e32000000000
hf 14a raw -s -c -t 2000 90FBCCCC0711223344556677
hf 14a raw -s -c 90fd111100

You need timeout -t 2000 for the card to execute and respond.

block 0 data:  04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00

Software
APDU cmd write block 0

90 f0 cc cc
10 = len
04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00 = block 0 data

xx  xx  xx  xx  ll uu uu uu uu uu uu uu ss aa aa
90  f0  cc  cc  10 04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00

hf 14a apdu 90f0cccc10041219c3219316984200e32000000000
hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011
 
FOUND APDUS

all include crc,  

-- cmd write block 0
90 f0  cc  cc  10  04  12  19  c3  21  93  16  98  42  00  e3  20  00 00  00  00
90 f0  cc  cc  10  04  12  19  c3  21  93  17  98  42  00  e3  20  00 00  00  00

hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

-- lock uid
cmd : 90  fd  11  11  00 
resp: 90  00

hf 14a raw -s -c 90fd111100

-- reading,  doesn't need magic back door, nor authentication.
read block 0
cmd: 30 00

hf 14a raw -s -c 3000


#10 2019-07-15 20:11:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

This kind of card is really strange.  Hybrids of some sort.

Don't use the lock uid since it does what it says and I haven't found any unlock.   Nor did people who chatted with the developers report one.


#11 2019-07-19 20:34:31

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

iceman wrote:

I've been too busy so I forgot to report back what I found out from that Chinese application.

block 0 data:  04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00

Software
APDU cmd write block 0

90 f0 cc cc
10 = len
04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00 = block 0 data

xx  xx  xx  xx  ll uu uu uu uu uu uu uu ss aa aa
90  f0  cc  cc  10 04 12 19 c3 21 93 16 98 42 00 e3 20 00 00 00 00

hf 14a apdu 90f0cccc10041219c3219316984200e32000000000
hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

FOUND APDUS

all include crc,

-- cmd write block 0
90 f0  cc  cc  10  04  12  19  c3  21  93  16  98  42  00  e3  20  00 00  00  00
90 f0  cc  cc  10  04  12  19  c3  21  93  17  98  42  00  e3  20  00 00  00  00

hf 14a raw -s -c -t 2000 90f0cccc10041219c3219316984200e32000000011

-- lock uid
cmd : 90  fd  11  11  00
resp: 90  00

hf 14a raw -s -c 90fd111100

-- reading,  doesn't need magic back door, nor authentication.
read block 0
cmd: 30 00

hf 14a raw -s -c 3000

I got a copy of this software and can translate Chinese to English if you need.

Is it working with PM3 or other hardware? It seems it works with PN532 to provide similar cracking functions (nested, hardnested) as PM3 does.

Last edited by hfmfsniff (2019-07-21 22:28:04)


#12 2019-07-23 08:49:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

Nay,  you need an ACR122 or similar to use the software with.
You can translate all screens of the software and post here


#13 2019-07-26 09:10:54

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: [WIP] List of uid changeable cards

OK I just bought a PN532/ACR122u and downloaded this software (called MifareOne Tool), went through all its buttons and understood what they mean.

It is amazing that PN532/ACR122 can perform nested, hardnested, darkside quite well, just slower (5x-30x slower, esp hardnested, takes 5 hours to finish), but the price in China (6-10 USD for PN532) is much cheaper than even the PM3 easy clone (38 USD).

Here is the translation:
Mind that it could be a bit confusing that "UID tags" are "Chinese magic card gen1" vs "UID" are the ID in block 0.
And I use "card" and "tag" interchangeably.

[2 image attachments]

Last edited by hfmfsniff (2019-07-28 06:46:31)


#14 2019-10-12 08:00:21

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: [WIP] List of uid changeable cards

iceman wrote:

This is an attempt to compile a list of the uid changeable cards out there.

Dear Iceman,
could you please explain more about s50 - 4b uid and s50 - 7b uid .

why the 4bit and 7bit difference and the special purpose?

Thanks for your kind help


#15 2020-01-09 13:59:52

botrem
Contributor
Registered: 2020-01-09
Posts: 2

Re: [WIP] List of uid changeable cards

Hi,

very interesting article about UID/CUID/FUID/UFUID:

Chinese:

http://pn532.com/portal.php?mod=view&aid=2

Translated into English:

https://translate.google.ch/translate?h … %26aid%3D2

Regards


#16 2020-01-29 13:26:43

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: [WIP] List of uid changeable cards


Would be grateful to obtain the RAW commands from this Chinese soft. Maybe we can make a script or integrate it into the software at the repo.

This command works as well with bought cards where this soft has been the tool for UID changing:

hf 14a raw -s -c -t 2000 90f0cccc10

Equally, this is working for a lot of cards.


The program in attachment:
https://we.tl/t-0OOx62ZeJk

Many Thanks


#17 2020-01-29 14:01:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

Yeah,  the creators of uid cards really love their bundled software.  Which is only natural. They tend to not like the Proxmark3 client.


#18 2020-01-29 14:52:09

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: [WIP] List of uid changeable cards

iceman wrote:

Yeah,  the creators of uid cards really love their bundled software.  Which is only natural. They tend to not like the Proxmark3 client.

Could you please sniff the application for the RAW commands, or share the tools with which you did those above?


#19 2020-01-29 15:19:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

use your proxmark to sniff...


#20 2020-01-29 15:45:44

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: [WIP] List of uid changeable cards

iceman wrote:

use your proxmark to sniff...

But I asked this because it works only with the ACR122U and I don't have it.


#21 2020-02-26 12:52:20

Eloff
Contributor
Registered: 2019-02-08
Posts: 6

Re: [WIP] List of uid changeable cards

Is there a command set overview for gen3 magic cards?
I have a classic 4k 7-bytes uid gen3 card (sak = 18, atqa = 0044). After an unsuccessful write of block 0 this card was reset to a 4-bytes uid card (sak = 18, atqa = 0004). The uid is not changed by the Chinese software any more; only block 0 can be written.

There are three commands that are known to me:
90  f0  cc  cc  10 - write block 0
90  fb  cc  cc  07 - write uid separated instead of block 0
90  fd  11  11  00 - lock uid

But I could not reset my card back to a 7-bytes uid. I know that programming of uid/sak/atqa by the manufacturer is separate, not by block 0 rewriting.
Any Ideas?


#22 2020-05-25 17:38:44

accdigit
Contributor
Registered: 2019-09-04
Posts: 5

Re: [WIP] List of uid changeable cards

@Winds
please can you resend the link for the PCSC Mifare software?


#23 2021-04-06 18:44:57

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: [WIP] List of uid changeable cards

I bought a bunch of UFUID cards with the following description: "13.56MHZ UFUID NFC Card Changeable Block 0 Writable 1k s50 UFUID Copy RFID For Access ,Elevator". Many of the cards are not recognized by my PM3! Some are shown as Gen1a, some are shown as iClass and FeliCa tags. However, an SCL3711 always detects the cards and is able to set the uid using the Gen1a Chinese backdoor commands. For a card that works also with PM3 I am able to change the UID several times.

Now I am trying to lock a card's block 0, but the command options seem to have changed in the meanwhile. I started with "hf 14a raw -p -a -b 7 40" and the option "-p" seems to have been renamed.

What is the new name for the option "-p"?


#24 2021-04-07 16:00:03

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: [WIP] List of uid changeable cards

OK, going back to some really old version it seems that -p has been renamed to -k (to get the options as "-hack3rs" ??)

I can confirm that the UFUID tags sold by "ranelei intelligent world" on Ali Express (ca. USD 30 for 50 tags) can be successfully "locked" using:

hf 14a raw -k -a -b 7 40
hf 14a raw -k -a 43
hf 14a raw -k -a e0  00  39  f7
hf 14a raw -k -a e1  00  e1  ee
hf 14a raw -k -a 85  00  00  00  00  00  00  00  00  00  00  00  00  00  00  08  18  47

Locking means for these cards that the Gen1a command set is not accepted by the card any further, i.e. csetuid, cwipe, cview, ... cease to work.

This could be a useful lua script for everyone.


#25 2021-04-07 16:28:05

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: [WIP] List of uid changeable cards

hfmfsniff wrote:

There has been lots of confusion about Chinese magic cards (UID/CUID/FUID/UFUID).
Let me try to clarify a bit with the table below:

              "hf mf wrbl"       "hf mf wrbl"            "hf mf cgetblk/csetblk"
              write to block 0   write to other blocks   all blocks including 0
M1 (S50)      NO                 YES                     NO
UID           NO                 YES                     YES  (an M1 with backdoor)
CUID          YES                YES                     NO   (an M1 with writable block 0)
FUID          ONLY ONCE          YES                     NO   (an M1 with one-time writable blk 0)
UFUID         NO                 YES                     YES before locking; NO after irreversible locking
                                                         (a UID tag before locking; an M1 after)

The UFUID described here is a Gen1a card until locked, then the Chinese backdoor commands stop working.

The UFUID tags described here (https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-directwrite-ufuid-version) are described as Gen2 where block0 can only be written once: MIFARE Classic DirectWrite, UFUID version - Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.

I found the Gen1a lockable UFUID variant so far. Does the Gen2 Write Once UFUID variant actually exist as described in the web page? Where can it be bought?

What happens if I use the raw commands for the Gen2 UFUID tag with a Gen1a UFUID tag?


#26 2021-04-07 16:36:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [WIP] List of uid changeable cards

messy messy,   
the note on the RRG/iceman repo is the most up-to-date,   looking forward to getting a PR with your card findings.


#27 2021-04-07 17:15:15

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: [WIP] List of uid changeable cards

What is a PR?

I tried to see if after locking a UFUID Gen1a card I could still write to the other blocks. What I tried was to restore a dump, but that failed. However, this also fails on other card types if I do it again, so it is probably not an issue with the UFUID card.

What would be a simple command to write to any block (not block 0) on an already locked mf classic s50?

As I restored a dump to that card I am not sure whether I messed something up with that card.

Easiest would be taking a new UFUID, changing the uid, writing some block, locking the Chinese backdoor, writing the same block again with different values.

I am just not sure how to do it as there are keys and access privileges and stuff.

I also tried to reinitialize another UFUID using cwipe after having restored a dump. No matter if I issue cwipe or not, it does not let me restore the same dump to that card. What would be a reason for that?


#28 2021-04-11 15:35:42

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: [WIP] List of uid changeable cards

zeppi wrote:

OK, going back to some really old version it seems that -p has been renamed to -k (to get the options as "-hack3rs" ??)

I can confirm that the UFUID tags sold by "ranelei intelligent world" on Ali Express (ca. USD 30 for 50 tags) can be successfully "locked" using:

hf 14a raw -k -a -b 7 40
hf 14a raw -k -a 43
hf 14a raw -k -a e0  00  39  f7
hf 14a raw -k -a e1  00  e1  ee
hf 14a raw -k -a 85  00  00  00  00  00  00  00  00  00  00  00  00  00  00  08  18  47

Locking means for these cards that the Gen1a command set is not accepted by the card any further, i.e. csetuid, cwipe, cview, ... cease to work.

This could be a useful lua script for everyone.

I tested whether a tag is still modifiable after locking it. The result:
- the Chinese backdoor commands are gone, so you cannot use them to write the UID
- block 0 is not writable (normal behavior for Gen1a)
- all other blocks are writable; if you have a dump with suitable access bits in all trailers you may also restore the dump several times (so just normal behavior)

Last edited by zeppi (2021-04-11 15:36:09)


#29 2021-10-14 21:45:42

Akerw
Contributor
Registered: 2021-10-12
Posts: 8

Re: [WIP] List of uid changeable cards

Among others I got a CUID marked Mifare 1K card.
The first post says:

"All blocks (including Block 0) can be re-written multiple times
IMPORTANT: Card will die if an invalid Block 0 is written
Use normal commands. eg.
hf mf wrbl 0 B FFFFFFFFFFFF a473f601200804006263646566676869
"

Ok, so I do not want to write an invalid block, nor do I understand what all of a473f601200804006263646566676869 is - if I wish to change UID,ATQA,SAK 

anyway: I proceed carefully:

[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 001 | ffffffffffff   | 1 | ffffffffffff   | 1 |
[+] | 002 | ffffffffffff   | 1 | ffffffffffff   | 1 |

I can even do an autopwn and see

[=] ----+-------------------------------------------------+-----------------
[=] blk | data                                            | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | C4 D9 BB 4E E8 08 04 00 62 63 64 65 66 67 68 69 | ...N....bcdefghi


it is clear that the UID is the first bytes, but ATQA and SAK are a mystery
[+]  UID: C4 D9 BB 4E
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:

so changing the four first bytes could be risky as well?

...
[usb] pm3 --> hf mf rdbl -k ffffffff --blk 0
[#] Auth error

- why can't I even read the block?
- and how do I know which of the bytes are safe to fiddle with?  - is E8 a checksum?

Last edited by Akerw (2021-10-14 22:03:47)

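An added example, my own code and not from the thread or the Proxmark3 client, that decodes a MIFARE Classic block 0 the way the pm3 dump above prints it and flags an inconsistent BCC, the kind of "invalid Block 0" the first post warns will kill a CUID/Gen2 card. The 4-byte and 7-byte layouts and the ATQA byte order are assumed from the NXP MIFARE Classic datasheets and ISO/IEC 14443-3; the sample blocks are the values quoted in this thread plus one deliberately corrupted copy.

```python
# Decode and sanity-check a MIFARE Classic manufacturer block (block 0).
#
# Layouts assumed (NXP MIFARE Classic datasheets, ISO/IEC 14443-3):
#   4-byte UID: UID[0..3] | BCC | SAK | ATQA (low byte first) | 8 bytes mfr data
#   7-byte UID: UID[0..6] | SAK | ATQA (low byte first)       | 6 bytes mfr data
# The BCC is the XOR of the four UID bytes; for 7-byte UIDs the BCCs are computed
# during anticollision and none is stored in block 0.
# ATQA low byte, bits 7..6, encode the UID size: 00 = 4 bytes, 01 = 7 bytes.

def bcc(uid: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the UID bytes."""
    out = 0
    for b in uid:
        out ^= b
    return out

def parse_block0(block_hex: str, uid_len: int = 4) -> dict:
    """Split a 16-byte block 0 (hex, as given to `hf mf wrbl`) into its fields."""
    raw = bytes.fromhex(block_hex.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError(f"block 0 must be 16 bytes, got {len(raw)}")
    if uid_len == 4:
        fields = {"uid": raw[0:4].hex(), "bcc": raw[4], "sak": raw[5],
                  "atqa": raw[7] << 8 | raw[6], "mfr": raw[8:].hex()}
    elif uid_len == 7:
        fields = {"uid": raw[0:7].hex(), "bcc": None, "sak": raw[7],
                  "atqa": raw[9] << 8 | raw[8], "mfr": raw[10:].hex()}
    else:
        raise ValueError("uid_len must be 4 or 7")
    fields["uid_len"] = uid_len
    return fields

def check_block0(block_hex: str, uid_len: int = 4) -> list:
    """Return the inconsistencies found; an empty list means the block is self-consistent."""
    try:
        f = parse_block0(block_hex, uid_len)
    except ValueError as e:
        return [str(e)]
    problems = []
    uid = bytes.fromhex(f["uid"])
    if uid_len == 4 and f["bcc"] != bcc(uid):
        problems.append(f"BCC {f['bcc']:02x} does not match UID {f['uid']} "
                        f"(expected {bcc(uid):02x})")
    size_bits = (f["atqa"] & 0xC0) >> 6      # bits 7..6 of the ATQA low byte
    expected = {4: 0, 7: 1}[uid_len]
    if size_bits != expected:
        problems.append(f"ATQA {f['atqa']:04x} announces UID size code {size_bits}, "
                        f"but a {uid_len}-byte UID was requested")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs: the block 0 values quoted in the thread, plus one
    # deliberately corrupted copy to show what the check catches.
    samples = [
        ("a473f601200804006263646566676869", 4),  # first post's wrbl example
        ("c4d9bb4ee80804006263646566676869", 4),  # Akerw's dump: E8 is the BCC
        ("c4d9bb4eff0804006263646566676869", 4),  # constructed: wrong BCC
        ("041219c3219316984200e32000000000", 7),  # iceman's Gen3 APDU payload
    ]
    for blk, n in samples:
        print(blk, parse_block0(blk, n), check_block0(blk, n) or "OK")
```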
