Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2014-12-21 12:34:14
- hx4u
- Contributor
- Registered: 2014-12-13
- Posts: 15
Magic card analysis
Hi all. To begin studying Mifare Classic 1K, I got few "UID writable" cards (tracked delivery from Italy): htt*://www.ebay.it/itm/UID-variabile-IC-Card-per-Mifare-1k-S50-13-56-/271652385706
I think these are too cheap to be UID writable.
I wasn't able to write a new UID, so as a noob I suspect I missed something, these are my tests. Any hint?
This is the card, on the chip there is something like an internal wiring.
Packaging:
$ nfc-list
nfc-list uses libnfc 1.7.1
NFC device: NXP / PN533 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): f0 6f de d9
SAK (SEL_RES): 08
$ nfc-mfsetuid 11223344
NFC reader: NXP / PN533 opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: f0 6f de d9 98
Sent bits: 93 70 f0 6f de d9 98 d1 62
Received bits: 08 b6 dd
Found tag with
UID: f06fded9
ATQA: 0004
SAK: 08
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Sent bits: 43
Sent bits: a0 00 5f b1
Sent bits: 11 22 33 44 44 08 04 00 46 59 25 58 49 10 23 02 aa d5
$ nfc-list
nfc-list uses libnfc 1.7.1
NFC device: NXP / PN533 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): f0 6f de d9
SAK (SEL_RES): 08 proxmark3> hf 14a reader
ATQA : 00 04
UID : f0 6f de d9
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
proxmark3> hf mf csetuid 12345678
--wipe card:00 uid:12 34 56 78
#db# Can't select card
Can't set UID. error=2 proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:f0 6f de d9 98 88 04 00 c2 05 00 00 00 00 00 13
proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF f06fded998880400c205000000000013
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: f0 6f de d9 98 88 04 00 c2 05 00 00 00 00 00 13
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00 I can do further tests, and even risk to sacrifice some of the 5 cards I got.
To experiment with my Nexus NFC tablet I'm looking for new "not-backdoored" cards, but backdoored cards+PM3 should be also fine to begin.
Thank you.
Offline
#2 2014-12-21 23:52:16
- clayer
- Contributor
- Registered: 2013-12-22
- Posts: 45
Re: Magic card analysis
They cards have fixed uid, not writable.
Writable uid cards comes usually from china and they much expencive
Offline
#3 2014-12-22 03:00:21
- app_o1
- Contributor
- Registered: 2013-06-22
- Posts: 247
Re: Magic card analysis
Mango is a chinese manufacturer...
I got my magic card for less than 0.80 $ each.
Leave your email address if you want to know where to buy them
Last edited by app_o1 (2014-12-22 03:02:32)
Offline
#4 2014-12-22 12:20:33
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Magic card analysis
I'm always looking for verified good suppliers. I'd be grateful if you can drop me an email aswell. to iceman at iuse.se
Offline
#5 2014-12-22 17:17:00
- Minus8
- Contributor
- Registered: 2014-09-18
- Posts: 13
Re: Magic card analysis
Mango is a chinese manufacturer...
I got my magic card for less than 0.80 $ each.Leave your email address if you want to know where to buy them
hI appço1,
I'm interested too 
=> mifare@yopmail.com
Offline
#6 2014-12-22 20:46:10
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Magic card analysis
Which version of the firmware are you running?
(ie: hw ver)
Offline
#7 2014-12-26 19:46:32
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Magic card analysis
In regards with hx4u problem with the "hf mf csetuid" I digged around in the code and found that it doesn't work very well anymore. Read more here https://github.com/Proxmark/proxmark3/issues/35
I also suggested a patch.
I hope it will solve hx4u's problems.
Offline
#8 2014-12-28 08:06:31
- kevinkm
- Contributor
- Registered: 2014-11-07
- Posts: 20
Re: Magic card analysis
I come from china, never hear this brand MANGO, so be careful! Actually it's ok if chinese company manufacture this kind of card which can be changed at block 0, but no one dares to put a brand on production. BTW pm3 only MIFAREs or operates block 0 on magic s50, not magic s70.
Offline
#9 2014-12-28 10:38:55
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Magic card analysis
PM3's c-commands (csetuid, cgetblock etc) is to be used the magic card generation1, s50.
The s50 generation2 and s70 magic cards will work with the normal commands. (hf mf rdbl etc) . These cards can be used with other devices easliy, like a mobile and are sought after because of it.
Offline
#10 2015-01-09 03:37:29
- kevinkm
- Contributor
- Registered: 2014-11-07
- Posts: 20
Re: Magic card analysis
PM3's c-commands (csetuid, cgetblock etc) is to be used the magic card generation1, s50.
The s50 generation2 and s70 magic cards will work with the normal commands. (hf mf rdbl etc) . These cards can be used with other devices easliy, like a mobile and are sought after because of it.
hf mf mifare has been working on genuine s70, but not plus ver.
Offline
Pages: 1