Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi guys, I came across some websites and found there are some "upgraded Chinese magic UID cards" out there, named CUID and UFUID, which claim they can crack through the authentication of a few newer readers on the market.
However I've never heard of those cards on this forum and can hardly find any information about those cards.
Offline
Never heard of CUID, UFUID magic tags, but there is a super crack card which does the reader/card attack.
Could be one of those, you got some links to these new magic tags?
Offline
Those cards can be ordered from Taobao (the Chinese eBay); unfortunately all the information is in Chinese.
My rough understanding based on the description the seller provided: this is an upgraded Chinese UID card. The standard Chinese UID card can be easily detected and blocked by some newer readers. CUID does not answer to Chinese magic backdoor commands (?) so it can't be detected.
I don't really understand how it works, but I ordered a few CUIDs and I will try them out...
Offline
Curious new magic tags. Three different names pop up: CUID / FUID / UFUID
CUID
Some ads say "write once", hinting that the card's block0 is not fused from the factory, i.e. it supports one block0 change.
FUID
Also a one-time card, to counter the "anti-elevator" systems. Some posts on the forum suggest broken tags after being used on elevators.
UFUID
---
What's more? Ads mention special write software. Not-detectable magic tags, well, I've seen the newer magic tag models which don't follow the old backdoor command set. That fits the ad descriptions. So many questions, so few answers.
Offline
Apparently based on their ADS: UFUID>>CUID>>FUID.
They all developed from the original Chinese magic UID card in order to counter the anti-elevator system.
FUID can only be written once because there's no backdoor.
Offline
ADS? Funny name, Anti-elevator-System... Still, it says nothing about whether it's an unfused factory card (write block0 once) or one of those new magic tags I've seen which use a subset of the backdoor commands.
The sentence about "no backdoor" just indicates it's a generation2 tag, which the AntiElevatorSystem wouldn't have any problems bricking.
Offline
Hey iceman, I just got my CUID card and I immediately rewrote the data into this card and tried it on the elevator reader... and it works perfectly. The only difference is that it does not answer to Chinese magic backdoor commands.
Offline
OK, so let's see what kind of tag it is.
Did you use the normal "hf mf wrbl" command when writing block0? And post the tracelog from the normal commands:
hf 14a read
hf 14a list
Offline
yes I used "hf mf wrbl" command to write data.
proxmark3> hw ver
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 169916 bytes (65%). Free: 92228 bytes (35%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf 14a read
UID : d8 4d 2b 03
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Offline
proxmark3> hf list 14a
Recorded Activity (TraceLen = 133 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2244 | 4612 | Tag | 04 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10692 | 16516 | Tag | d8 4d 2b 03 bd | |
18560 | 29088 | Rdr | 93 70 d8 4d 2b 03 bd 28 8f | ok | SELECT_UID
30276 | 33796 | Tag | 08 b6 dd | |
428160 | 432928 | Rdr | e0 80 31 73 | ok | RATS
434116 | 434756 | Tag | 04 | |
852224 | 853216 | Rdr | 40 | | MAGIC WUPC1
Offline
Using "hf mf wrbl" to write block0 means you have a magic tag Generation2 (S50, 1k, 4-byte UID).
The output from "hf list 14a" is missing some rows, but it shouldn't reveal anything that contradicts this.
Offline
Based on the Taobao listings I've seen, CUID refers to the card we know as the Gen 2 card. (U)FUID refers to a one-time writable card.
I think UFUID and FUID differ in protocol, but I'm not sure. In effect they are the same though — they are write-once. (I'm not sure if that means block 0 or the whole card data.)
You can read this blogpost (which seems like an advertisement for CUID cards, actually).
Offline
Cuid is gen2, check.
(u)fuid is factory-unfused. ie one-time-change, check.
Offline
ltq1990
Please link me to these so I can check them out further.
Offline
*update*
Good to know when ordering from Chinese sellers.
CUID
Magic card, generation 2, block0 writeable several times, with normal mifare commands.
Purpose: to be used with any RFID reader/writer which supports mifare (like a smartphone)
FUID
Unfused card, or write-once card. Normal card, but you can re-write the UID once, with normal mifare commands.
Purpose: parking/elevator systems with an "anti-clone" feature where it "re-writes" block 0, effectively making sure your clone doesn't work.
UFUID
Magic card, generation 1a, answers to backdoor commands
Offline
Good to know: if you really need to buy FUID, please do not buy UFUID, even though Chinese sellers claim it works the same as FUID. I tried buying some UFUID from a few Chinese sellers, but it actually works as a magic card, generation 1a.
Offline
Hi, I recently joined the PM3 community and purchased one PM3 Easy from Elechouse, also a bunch of IC/ID cards from the Chinese eBay (Taobao..).
Regarding CUID, FUID and Gen1a, I can see iceman has provided very detailed explanations over different threads.
Regarding UFUID, I am sharing my findings (information from the seller's words, also video clips available in Chinese only):
1 - The seller claims that UFUID is a special card which is like a magic card (Gen 1a): you can csetuid multiple times,
BUT, [citing]*you need a special software to LOCK the UID*[/citing]. Once this is done, the card becomes a normal MiS50 (no response to backdoor commands).
The seller claims the ACR122U can do it, or those 08CD machine(s).
2 - I also found a video clip on a streaming website at the following link (in Chinese).
At 45 seconds, the voice says you can click the middle button to LOCK the UID, then it becomes a normal S50.
https://v.qq.com/x/page/n0399sfd6p9.html
I am still trying to see if the seller can provide me more info, or if I can source a 08CD / 16CD to lock the UID somehow on my UFUID (which seemingly acts like a Gen1a magic card, failing on my FDi reader, while a normal Gen2 CUID fixes my problem swiftly). I will report back if any findings are available.
In theory, if that software/machine can do that, pm3 should be capable as well, am I correct?
Offline
You only need to sniff the traffic in order to know which commands are used to set the UID on the card, and you can use the 14a raw commands to send the same on pm3.
Just like the uluid.lua script works..
Offline
I have some data about this card when locking the UID, but I can't understand it.
Rdr |52 | | WUPA
675689536 | 675690528 | Rdr |52 | | WUPA
675691780 | 675694148 | Tag |04 00 | |
675719172 | 675722692 | Tag |08 b6 dd | |
675918640 | 675923408 | Rdr |50 00 57 cd | ok | HALT
676754096 | 676755088 | Rdr |40 | | MAGIC WUPC1
676756324 | 676756900 | Tag |0a! | |
676875680 | 676876992 | Rdr |43 | | MAGIC WUPC2
676878180 | 676878756 | Tag |0a! | |
677090004 | 677110804 | Tag |7a ff 00 00 00 00 00 00 ba fa 00 00 00 00 00 08 f1 69 | ok |
677220240 | 677224944 | Rdr |e1 00 e1 ee | ok |
677226196 | 677226772 | Tag |0a! | |
677322624 | 677343456 | Rdr |85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 18 47 | ok |
677388228 | 677388804 | Tag |0a! | |
699334752 | 699335744 | Rdr |52 | | WUPA
699410784 | 699411776 | Rdr |52 | | WUPA
699413028 | 699415396 | Tag |04 00 | |
699428704 | 699439232 | Rdr |93 70 3b c2 b2 51 1a 00 02 | ok | SELECT_UID
699440436 | 699443956 | Tag |08 b6 dd | |
702473536 | 702474528 | Rdr |52 | | WUPA
702549568 | 702550560 | Rdr |52 | | WUPA
Offline
hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a e0 00 39 f7
hf 14a raw -p -a e1 00 e1 ee
hf 14a raw -p -a 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 18 47
Offline
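As an added example (not code from any poster or from the Proxmark3 project), the sketch below parses rows in the "hf list 14a" layout shown in this thread, reports whether the tag replied 0a directly after the reader's 40 wake-up, which is what separates the two traces above, and checks that the last two bytes of longer reader frames are the ISO 14443-A CRC of the preceding bytes. The sample rows are selected from the two traces posted above; the function names are this example's own.

```python
import re

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: initial value 0x6363, transmitted low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

ROW = re.compile(r"(Rdr|Tag)\s*\|\s*([0-9a-f! ]+?)\s*\|")

def parse(trace: str):
    """Return [(source, frame_bytes)] for each data row; '!' parity marks are dropped."""
    return [(m.group(1), bytes.fromhex(m.group(2).replace("!", "")))
            for m in map(ROW.search, trace.splitlines()) if m]

def answers_backdoor(frames) -> bool:
    """True if the tag replies 0a directly after the reader's 40 wake-up."""
    return any(cur == ("Rdr", b"\x40") and nxt == ("Tag", b"\x0a")
               for cur, nxt in zip(frames, frames[1:]))

def bad_crc(frames):
    """Reader frames of 4+ bytes whose last two bytes are not CRC_A of the rest."""
    return [d.hex(" ") for src, d in frames
            if src == "Rdr" and len(d) >= 4 and crc_a(d[:-2]) != d[-2:]]

# Rows selected from the two traces posted in this thread.
CUID_TRACE = """
 428160 | 432928 | Rdr | e0 80 31 73 | ok | RATS
 434116 | 434756 | Tag | 04 | |
 852224 | 853216 | Rdr | 40 | | MAGIC WUPC1
"""
UFUID_TRACE = """
675918640 | 675923408 | Rdr |50 00 57 cd | ok | HALT
676754096 | 676755088 | Rdr |40 | | MAGIC WUPC1
676756324 | 676756900 | Tag |0a! | |
677220240 | 677224944 | Rdr |e1 00 e1 ee | ok |
677322624 | 677343456 | Rdr |85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 18 47 | ok |
"""

if __name__ == "__main__":
    for name, trace in (("CUID", CUID_TRACE), ("UFUID", UFUID_TRACE)):
        frames = parse(trace)
        print(name, "answers 40 wake-up:", answers_backdoor(frames),
              "| CRC mismatches:", bad_crc(frames))
```

Short frames such as 52, 40, 43 and 93 20 carry no CRC, and the anticollision reply ends in a BCC byte rather than a CRC, which is why only reader frames of four or more bytes are checked.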
Hi "3312371568", can you share the TAG UID and how to transform the data into the raw commands?
Thanks! I still have two UFUID cards and am hoping to use them somehow.. (buying another ACR122U just for locking two cards seems a bit redundant, but I am thinking of getting an iCopy3 though Orz)
Offline
My English is not very proficient, I think you can ask others to solve this problem. My way of contact
QQ:3312371568
Offline
So to clarify, CUID and UFUID are basically the same and their sector 0 and UID could be rewritten multiple times, just the gen1 tags are responding to backdoor commands, am I right? FUID tag's sector 0 could be written just once. Iceman mentioned these are used at parking/elevator systems and their block 0 is overwritten with user/authentication data every time tag is used, but their UID is permanent. Is that correct?
Is there any particular reason to use a write-once tag instead of a gen1 or gen2 rewritable one? Sorry if this question has been asked before, and if you could point me to a thread discussing this, that would be great. And also where I could find more info related to the Chinese backdoor commands.
I have a lot to catch up on since I'm new to pm3, so please be patient.
Thank you!
Offline
hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -p -a e0 00 39 f7
hf 14a raw -p -a e1 00 e1 ee
hf 14a raw -p -a 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 18 47
This segment of commands works for my UFUID card.
There has been lots of confusion about Chinese magic cards (UID/CUID/FUID/UFUID).
I can clarify it a bit:
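Tag type | "hf mf wrbl" write to block 0 | "hf mf wrbl" write to other blocks | "hf mf cgetblk/csetblk" to all blocks including 0 | Note
---------|-------------------------------|------------------------------------|---------------------------------------------------|-----
M1(S50)  | NO        | YES | NO | 
UID      | NO        | YES | YES | an M1 with backdoor
CUID     | YES       | YES | NO | an M1 with writable block 0
FUID     | ONLY ONCE | YES | NO | an M1 with one-time writable blk 0
UFUID    | NO        | YES | YES before locking; NO after irreversible locking | a UID tag before locking; an M1 after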
Last edited by hfmfsniff (2019-07-19 20:51:42)
Offline
try filling out the http://www.proxmark.org/forum/viewtopic.php?id=6545 sticky thread with any new information
Offline