Research, development and trades concerning the powerful Proxmark3 device.
I am a newly registered user and I have been trying out the PM3 starting this week. I am facing some difficulty now and hope someone can advise me on this.
I have some China magic cards, and a card becomes "locked" after I perform an "hf mf cload". If I perform an "hf 14a read", I don't get a correct response from it.
Offline
Depends on the version, but if you wrote the wrong bytes to Block0, it usually becomes "un-selectable" via the normal commands.
Try: hf mf cgetblk 0 and see if it answers.
Offline
I can't seem to insert my screenshot. Anyway, I will type my error message in my post.
My problem is that I can't write anything to the magic card, although I am able to read all the sectors. I am trying to see whether any of you could help to "unlock" my magic card. Thanks for any help.
1) hf 14a read. Messages received are as follows:
ATQA : 00 04
UID : 1c 31 9d 93
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
The message above is the response I obtained before I used the cload command.
2) After invoking the cload command, the magic card is locked. Can't write to the UID or any other blocks.
Find below the message obtained after I invoke "hf 14a read".
"iso14443a card select failed".
3) By reading the UID with "hf mf cgetsc 0", I obtained:
--sector number:0
block 0 data:44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
block 1 data:6f 01 51 90 51 90 00 00 00 00 00 00 00 00 00 00
block 2 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
block 3 data:a0 a1 a2 a3 a4 a5 78 77 88 c1 0d 25 8f e9 02 96
My observation is that after I launched the "cload" command, I have written 44 at the "4th byte" of block 0, which causes the error correction to be incorrect. Hence, when writing to the UID, the CRC is the wrong one and causes no response from it.
Let me know if there is something not clear.
Thank you
Offline
Yeah, your block 0 is corrupt.
Try "hf mf csetuid"
to make a correct block, and your tag is back to normal again.
Offline
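Added example (not part of the original thread, and not Proxmark3 code): a Python check of block 0 before it is written to a card, using the 4-byte-UID layout UID | BCC | SAK | ATQA | manufacturer data, where BCC is the XOR of the four UID bytes. The function names are hypothetical, the sample blocks are the ones quoted in this thread, and the ATQA byte order is assumed from the thread's own "hf 14a read" output.

```python
def parse_block(hex_line):
    """Parse one 16-byte block given as hex, with or without spaces."""
    data = bytes.fromhex(hex_line.replace(" ", "").strip())
    if len(data) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes, got %d" % len(data))
    return data

def bcc(uid):
    """Block check character: XOR of the four UID bytes."""
    value = 0
    for b in uid:
        value ^= b
    return value

def check_block0(hex_line, want_sak=None, want_atqa=None):
    """Return a list of problems found in block 0 (empty list means it looks sane).

    want_sak / want_atqa are the values the card reported before any write,
    ATQA in the order "hf 14a read" prints it (block 0 stores it byte-swapped).
    """
    blk = parse_block(hex_line)
    problems = []
    expected = bcc(blk[0:4])
    if blk[4] != expected:
        problems.append("BCC is %02x, UID %s needs %02x"
                        % (blk[4], blk[0:4].hex(), expected))
    if want_sak is not None and blk[5] != want_sak:
        problems.append("SAK is %02x, card reported %02x" % (blk[5], want_sak))
    atqa = blk[6:8][::-1]
    if want_atqa is not None and atqa != want_atqa:
        problems.append("ATQA is %s, card reported %s" % (atqa.hex(), want_atqa.hex()))
    return problems

# Blocks quoted in this thread.
CORRUPT = "44 " * 16                                          # cgetsc 0 output after cload
GOOD = "01020304048804000000000000001001"                     # csetblk 0 example
REMAGIC = "01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01"   # written by remagic

if __name__ == "__main__":
    for name, blk in (("corrupt", CORRUPT), ("good", GOOD), ("remagic", REMAGIC)):
        issues = check_block0(blk, want_sak=0x88, want_atqa=bytes.fromhex("0004"))
        print(name, "->", issues or "ok")
```

Running the same check on the first line of a dump file before "hf mf cload" flags a bad BCC while the card is still selectable.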
Hi Iceman,
I have tried the "hf mf csetuid" but apparently it forbids me to write a new UID.
Besides csetuid, are there any other possible ways or reasons that you can think of?
Thank you.
Offline
Hm, no problem,
you can either wipe the whole tag (maybe not what you want) with the -w option,
or you run the "hf 14a raw" commands to write a new good block 0,
or you can run the "remagic" script I wrote in Lua.
Asper has written the command sequence for "raw" on this forum several times.
Offline
Here is the original post.
Offline
Hi guys, thanks a lot for your advice. I will try this out on Monday. Merci.
Offline
Hi Iceman,
Tried out the remagic script as well as using the "raw" command. Not able to write a good block 0 in.
proxmark3> script run remagic
--- Executing: ./scripts/remagic.lua, args''
hf 14a raw -p -a -b 7 40
received 0 octets
hf 14a raw -p -a 43
received 0 octets
hf 14a raw -c -p -a A000
received 0 octets
hf 14a raw -c -p -a 01 02 03 04 04 98 02 00 00 00 00 00 00 00 10 01
received 0 octets
-----Finished
Offline
Hi Asper,
The link in your original post has expired.
http://www.sendspace.com/file/x39brq
"precompiled modded r709"
I am trying the below-mentioned steps for the time being. Do post the above link if you still have it with you.
file \armsrc\mifarecmd.c (r709 version)
- line 793
- delete the break instruction here (in that way client will send the special write command anyway)
- recompile
- reflash
- use the hf mf csetblk 0 01020304048804000000000000001001 command (you will receive an "#db# Can't select card" but don't worry) and the Magic Chinese Card return to be "Magic" ! It is now recognized by all readers again !
Offline
Can you do a tune command to see how good your antenna is?
Offline
The remagic should have fixed it; it uses the same commands as Asper's "hf 14a raw" in the link.
Offline
Hi Asper,
Without card is as follows:
proxmark3> hw tune
Measuring antenna characteristics, please wait.......
# LF antenna: 13.16 V @ 125.00 kHz
# LF antenna: 24.71 V @ 134.00 kHz
# LF optimal: 26.18 V @ 131.87 kHz
# HF antenna: 7.19 V @ 13.56 MHz
Done! Divisor 89 is 134khz, 95 is 125khz.
With card is:
proxmark3> hw tune
Measuring antenna characteristics, please wait.......
# LF antenna: 13.29 V @ 125.00 kHz
# LF antenna: 24.57 V @ 134.00 kHz
# LF optimal: 26.18 V @ 131.87 kHz
# HF antenna: 3.87 V @ 13.56 MHz
# Your HF antenna is marginal.
Done! Divisor 89 is 134khz, 95 is 125khz.
Do you see something fishy?
Offline
Hi Asper and Iceman,
I modified mifarecmd.c by removing the "break" at line 793.
I did a "make all" and flashed the 3 files: "FLASH - fullimage", "FLASH - FPGA", "FLASH - Bootrom".
With the 3 flashes done, when I sent an "hf 14a read" to a good MIFARE 1K card, apparently the system "hangs".
Fyi, I am using the "Proxmark Client by El Gaucho De La Livida Palude". The directory that I am using is the "pm3-bin-0.0.7".
Really need your advice on this.
Offline
Your hf antenna has a really low voltage; your read but mainly write problems are surely related to this. You need a better antenna (even if you bought it already made).
Anyway latest release is 2.0.0, 0.0.7 is really old.
Offline
The antenna is quite weak. I had issues with a weak antenna and Piwi's remake from January.
Swapped to a better antenna and the issues went away.
Download a newer version, check Asper's latest release out.
You should only flash
1) bootrom.elf
2) osimage.elf
in that order.
And as Asper mentioned earlier in different threads, only use the GUI from the same release.
Last edited by iceman (2015-05-25 08:53:16)
Offline
Thanks for the advice, Asper & Iceman,
I will download the latest release of 2.0.0 and try it out.
I notice the voltage reported in other threads is around 14-16V without card and 10-12V with card, and indeed mine is on the lower end.
On the other hand, before block 0 was corrupted, I was able to write to the magic card block by block, i.e., hf mf csetblk 0 01020304048804000000000000001001. Hence, the low voltage should not be a problem to write to the card. Let me know what you think about this. I am just trying to think what can be the cause of it.
Offline
To be clear with your question,
You started the thread by asking what happened to your magic tag. Answer: you wrote a wrong block 0 to it.
case closed,
Next question, how can I fix my corrupt magic tag? Answer, you can do that, plenty of options.
That is another question, and you can start a new thread about .
Next question, why can I write to tag with a weak antenna? Answer: it works, and sometimes it doesn't; the weak signal doesn't allow the tag the correct power, which could lead to data corruption on the tag side when writing.
That is another question, and you can start a new thread about .
Offline
Thanks for pointing out. I will create a separate thread on that.
Offline
My trouble is solved after flashing with the pm3-bin-2.0.0. After running the "remagic" script, the Chinese magic cards were revived and I can use them again. Thanks for your advice.
Offline
Good to hear that from you. Remember that a weak antenna can corrupt the data inside the signal. I recommend you make/buy a better one because 7v without antenna is not on the lower end, it is really, really weak!
Offline
and of course, I'm glad that you solved your problem.
Offline