Proxmark3 community


#1 2015-04-06 02:51:38

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

Hey All,

I've spoken to a few people and also read here a number of times regarding a second generation of magic mifare cards on the market, but there haven't been any particularly clear answers on what all of the differences are between the first and second generation.

What are some of the advantages of the second generation card? Do the new cards still respond to the old "backdoor" commands?

I was sold a Very Large Number of cards that were supposedly "Gen 2" but I am almost positive they are in fact "Gen 1". I paid a significantly higher premium because they were claimed to be second generation but now I need proof that not only are these older cards, but that they are not worth the premium demanded as they were claimed to be the newer generation.

Edit: I have read here before that the newer cards may be used with mobile phones, but I haven't found any published commands or methods to verify if one has a gen 2 card.

Last edited by Omikron (2015-04-06 02:53:04)

Offline

#2 2015-04-06 08:14:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

It's easy to detect a generation-1 tag nowadays since I implemented a check on the "hf 14a read" command. It will tell you if the tag answers the specific backdoor commands or not.

To verify a tag is generation2, all you need is to write to block0 with the normal mf commands (hf mf wrbl 0); if it works it's a generation2.

The advantage with a generation2 is as you mentioned, that they can be used with a mobile phone.

Offline

#3 2015-04-06 08:25:11

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

iceman wrote:

It's easy to detect a generation-1 tag nowadays since I implemented a check on the "hf 14a read" command. It will tell you if the tag answers the specific backdoor commands or not.

To verify a tag is generation2, all you need is to write to block0 with the normal mf commands (hf mf wrbl 0); if it works it's a generation2.

The advantage with a generation2 is as you mentioned, that they can be used with a mobile phone.

Yes, I saw that very nifty feature added into the 14a read command, but I wasn't sure if gen 2 still responds to those commands anyway.  Did they keep the commands as part of gen 2 for "backwards compatibility"?

To test wrbl 0 writing I've just been reading block 0 from another mifare card and then attempting to write all 32 bytes at once:

hf mf wrbl 0 AABBCCDDEEFF00112233445566778899

Is this correct?

Offline

#4 2015-04-06 08:34:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

If you call "hf mf wrbl" just like that, you will get a help text. It will explain to you how to use the command.

And yes, it's good to use a block0 from another working mifare card.

Last edited by iceman (2015-04-06 08:35:37)

Offline

#5 2015-04-07 02:01:05

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

iceman wrote:

If you call "hf mf wrbl" just like that, you will get a help text. It will explain to you how to use the command.

And yes, it's good to use a block0 from another working mifare card.

Of course, and I apologize if my post implied that I didn't already do that.  I was writing the command from memory.  This is the format I am following:

hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F

The card appears to be rejecting the write so I am assuming that it is not Gen2, but I wanted to confirm that there wasn't something else I was missing.

Can you also confirm that second generation cards do not respond to magic commands from the first generation?

Offline
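Added example, not part of any post in this thread and not Proxmark3 code: a pre-flight check for an "hf mf wrbl" line in the syntax shown in post #5. For block 0 it also verifies that byte 4 (the BCC) is the XOR of the four UID bytes, which holds for a block 0 read from a working 4-byte-UID card. The name check_wrbl and the third sample line are constructed for illustration.

```python
import re
from functools import reduce

# Syntax as used in post #5:
#   hf mf wrbl <block> <A|B> <key: 12 hex chars> <data: 32 hex chars = 16 bytes>
WRBL = re.compile(
    r"^hf mf wrbl (\d+) ([ABab]) ([0-9A-Fa-f]{12}) ([0-9A-Fa-f]{32})$"
)

def check_wrbl(command):
    """Return a list of problems found in a wrbl command line (empty = OK)."""
    m = WRBL.match(" ".join(command.split()))  # collapse repeated spaces
    if not m:
        return ["expected: hf mf wrbl <block> <A|B> <12 hex key> <32 hex data>"]
    block, data = int(m.group(1)), bytes.fromhex(m.group(4))
    problems = []
    if block == 0:
        # Block 0 layout on a 4-byte-UID MIFARE Classic (assumed card type):
        #   UID[4] | BCC[1] | SAK[1] | ATQA[2] | manufacturer data[8]
        uid, bcc = data[0:4], data[4]
        expected = reduce(lambda a, b: a ^ b, uid)
        if bcc != expected:
            problems.append(
                f"BCC is {bcc:02X} but UID {uid.hex().upper()} needs {expected:02X}"
            )
    return problems

# The two command lines quoted in the thread (posts #3 and #5).
POST_3 = "hf mf wrbl 0 AABBCCDDEEFF00112233445566778899"
POST_5 = "hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F"
# Constructed sample: UID 12345678, BCC 08, SAK 08, ATQA 04 00, zeroed remainder.
CONSTRUCTED = "hf mf wrbl 0 A FFFFFFFFFFFF 12345678080804000000000000000000"

if __name__ == "__main__":
    for line in (POST_3, POST_5, CONSTRUCTED):
        print(line, "->", check_wrbl(line) or "OK")
```
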

#6 2015-04-07 07:38:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

I actually never got my hands on a Magic Gen-2 tag, so I can't tell by my own experience how it reacts to among others the backdoor commands for Generation1.

However, if your write command fails, it could be because you have the wrong password.

Can you test "hf mf cgetsc 0"? If it reacts to this, then we can confirm that generation2 tags respond to generation1 backdoor commands.

Offline

#7 2015-04-07 09:46:30

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

I have one that is "2nd gen" and it is possible to write block 0 as usual (A0 00 command). It is not possible to use the backdoor commands:

proxmark3> hf mf csetuid 12345678 
--wipe card:00 uid:12 34 56 78           
#db# Can't select card                 
Can't set UID. error=2          
proxmark3> 

Offline

#8 2015-04-07 20:13:21

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

Thanks for pointing that out, J-Run. Can you tell us where you bought those 2nd generation cards?

Offline

#9 2015-04-07 20:50:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

Yes, I'm curious as well where you bought it.

Offline

#10 2015-04-08 01:12:23

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

J-Run wrote:

I have one that is "2nd gen" and it is possible to write block 0 as usual (A0 00 command). It is not possible to use the backdoor commands:

proxmark3> hf mf csetuid 12345678 
--wipe card:00 uid:12 34 56 78           
#db# Can't select card                 
Can't set UID. error=2          
proxmark3> 

This is exactly what I wanted to know.  If I am successful in getting the inventory exchanged for Gen2 cards I'll let everyone here know.

Offline

#11 2015-04-08 01:55:29

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

Asper, Iceman, sure!
I ordered some cards from xfpga store a year ago and was surprised that the "UID changeable mifare 4K card S70 card" was "2nd gen".
I consider that all uid-changeable cards in that store without any references to backdoor functionality in the description are actually "2nd gen".

Offline

#12 2015-04-08 08:52:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

Ok, I also have s70 (4k) generation2 tags and they work like yours.

I thought we were talking about s50 (1k) tags, of which I haven't found a gen2 yet.

Offline

#13 2015-04-08 12:21:45

J-Run
Contributor
Registered: 2014-11-13
Posts: 24

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

Well, I thought the question was about gen2 functionality at all :-)
Anyway, I bet the uid-changeable s50 ("UID changeable mifare 1k card block0 writable") from that store without backdoor works the same way as the s70. Of course this should be checked.

Offline

#14 2015-04-08 16:39:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare "Magic Chinese Card" Generation 1 vs. Generation 2

That's why we ask, to see if someone knows.

Offline
