Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2014-12-21 12:34:14

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Magic card analysis

Hi all. To begin studying Mifare Classic 1K, I got few "UID writable" cards (tracked delivery from Italy): htt*://www.ebay.it/itm/UID-variabile-IC-Card-per-Mifare-1k-S50-13-56-/271652385706
I think these are too cheap to be UID writable.
I wasn't able to write a new UID, so as a noob I suspect I missed something, these are my tests. Any hint?

This is the card, on the chip there is something like an internal wiring.
1419160057_dscn2385s.jpg

Packaging:
1419161473_dscn2386s.jpg

$ nfc-list 
nfc-list uses libnfc 1.7.1
NFC device: NXP / PN533 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): f0  6f  de  d9  
      SAK (SEL_RES): 08  

$ nfc-mfsetuid 11223344
NFC reader: NXP / PN533 opened
Sent bits:     26 (7 bits)
Received bits: 04  00  
Sent bits:     93  20  
Received bits: f0  6f  de  d9  98  
Sent bits:     93  70  f0  6f  de  d9  98  d1  62  
Received bits: 08  b6  dd  

Found tag with
 UID: f06fded9
ATQA: 0004
 SAK: 08

Sent bits:     50  00  57  cd  
Sent bits:     40 (7 bits)
Sent bits:     43  
Sent bits:     a0  00  5f  b1  
Sent bits:     11  22  33  44  44  08  04  00  46  59  25  58  49  10  23  02  aa  d5  

$ nfc-list 
nfc-list uses libnfc 1.7.1
NFC device: NXP / PN533 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): f0  6f  de  d9  
      SAK (SEL_RES): 08  
proxmark3> hf 14a reader
ATQA : 00 04          
 UID : f0 6f de d9           
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
proxmark3> hf mf csetuid 12345678
--wipe card:00 uid:12 34 56 78           
#db# Can't select card                 
Can't set UID. error=2          
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff            
#db# READ BLOCK FINISHED                 
isOk:01 data:f0 6f de d9 98 88 04 00 c2 05 00 00 00 00 00 13           
proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF f06fded998880400c205000000000013
--block no:0, key type:A, key:ff ff ff ff ff ff           
--data: f0 6f de d9 98 88 04 00 c2 05 00 00 00 00 00 13           
#db# Cmd Error: 04                 
#db# Write block error                 
#db# WRITE BLOCK FINISHED                 
isOk:00          

I can do further tests, and even risk to sacrifice some of the 5 cards I got.
To experiment with my Nexus NFC tablet I'm looking for new "not-backdoored" cards, but backdoored cards+PM3 should be also fine to begin.
Thank you.

Offline

#2 2014-12-21 23:52:16

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: Magic card analysis

They cards have fixed uid, not writable.

Writable uid cards comes usually from china and they much expencive

Offline

#3 2014-12-22 03:00:21

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Magic card analysis

Mango is a chinese manufacturer...
I got my magic card for less than 0.80 $ each.


Leave your email address if you want to know where to buy them

Last edited by app_o1 (2014-12-22 03:02:32)

Offline

#4 2014-12-22 12:20:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Magic card analysis

I'm always looking for verified good suppliers. I'd be grateful if you can drop me an email aswell.   to iceman at iuse.se

Offline

#5 2014-12-22 17:17:00

Minus8
Contributor
Registered: 2014-09-18
Posts: 13

Re: Magic card analysis

app_o1 wrote:

Mango is a chinese manufacturer...
I got my magic card for less than 0.80 $ each.


Leave your email address if you want to know where to buy them

hI appço1,
I'm interested too smile

=> mifare@yopmail.com

Offline

#6 2014-12-22 20:46:10

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Magic card analysis

Which version of the firmware are you running?
(ie:   hw ver)

Offline

#7 2014-12-26 19:46:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Magic card analysis

In regards with hx4u problem with the "hf mf csetuid"  I digged around in the code and found that it doesn't work very well anymore.  Read more here https://github.com/Proxmark/proxmark3/issues/35
I also suggested a patch.

I hope it will solve hx4u's problems.

Offline

#8 2014-12-28 08:06:31

kevinkm
Contributor
Registered: 2014-11-07
Posts: 20

Re: Magic card analysis

I come from china, never hear this brand MANGO, so be careful! Actually it's ok if chinese company manufacture this kind of card which can be changed at block 0, but no one dares to put a brand on production. BTW pm3 only MIFAREs or operates block 0 on magic s50, not magic s70.

Offline

#9 2014-12-28 10:38:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Magic card analysis

PM3's c-commands (csetuid, cgetblock etc) is to be used the magic card generation1, s50.   
The s50 generation2  and s70 magic cards will work with the normal commands. (hf mf rdbl etc) .  These cards can be used with other devices easliy, like a mobile and are sought after because of it.

Offline

#10 2015-01-09 03:37:29

kevinkm
Contributor
Registered: 2014-11-07
Posts: 20

Re: Magic card analysis

iceman wrote:

PM3's c-commands (csetuid, cgetblock etc) is to be used the magic card generation1, s50.   
The s50 generation2  and s70 magic cards will work with the normal commands. (hf mf rdbl etc) .  These cards can be used with other devices easliy, like a mobile and are sought after because of it.


hf mf mifare has been working on genuine s70, but not plus ver.

Offline

Board footer

Powered by FluxBB