Hi,
Firstly I had a batch of Mifare 1k UID magic cards which work as expected:
proxmark3> hf 14a read
ATQA : 00 04
UID : 12 34 56 78
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
proxmark3> hf mf cload 12345678
Loaded from file: 12345678.eml
-----------------------------------------------------------------------------------------------
But then I got a new batch of Mifare 1K UID magic cards which don't seem to work:
proxmark3> hf 14a read
ATQA : 00 04
UID : d2 be 0d 00
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO
proxmark3> hf mf cload 12345678
#db# halt error. response len: 1
#db# Halt error
Can't set magic card block: 63
proxmark3> hf mf csetuid 22222222
--wipe card:NO uid:22 22 22 22
#db# halt error. response len: 1
#db# Halt error
Couldn't get old data. Will write over the last bytes of Block 0.
new block 0: 22 22 22 22 00 00 00 00 00 00 00 00 00 00 00 00
#db# halt error. response len: 1
#db# Halt error
Can't set UID. error=2
Is this a problem because of different commands needed for v1 & v2 of magic cards? Or are the new cards faulty, as they show a halt error just when reading them with hf 14a read?
Thanks
Offline
Your new batch of magic tags is not generation1.
It could be generation2. If so, you don't use the "cload/csave/csetuid" commands.
You only use the normal commands.
Offline
If so, you don't use the "cload/csave/csetuid" commands.
You only use the normal commands.
Thanks for your reply.
So it's normal to get the halt error when doing a "hf 14a read"?
Is there a normal command to load a .eml dump file?
Offline
You can look into the "hf mf restore" command. It assumes that you have a dumpdata.bin file in the client folder.
If it needs keys, it will search for a dumpkeys.bin file.
You can convert your eml file with a Lua script. "script list" will give you a list of all scripts. "script run xxxx -h" usually prints a help text.
About the "halt error", I'm not sure. Which version of the proxmark software are you running?
Offline
I have the same problem.
It can't be copied with the ACR122U nor with the Proxmark.
I tried loading the Proxmark eml file and the dump file with the ACR122U, but it doesn't work.
Does anyone have a solution?
proxmark3> hf 14a reader
ATQA : 00 02
UID : 12 34 56 78
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-05-24 09:54:53
#db# os: /-suspect 2015-05-24 09:56:23
#db# HF FPGA image built on 2015/03/09 at 08:41:42
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Offline
It's the same read for the same card, three times... in the Proxmark.
Reading a Chinese changeable-UID card:
proxmark3> hf 14a reader
#db# Multiple tags detected. Collision after Bit 1
ATQA : 0f ff
UID : 03 00 00 00
SAK : 00 [2]
TYPE : NXP MIFARE Ultralight | Ultralight C
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO
-----------------------------------------------------------
proxmark3> hf 14a reader
#db# Multiple tags detected. Collision after Bit 1
ATQA : 00 02
UID : 03 00 00 00
SAK : 01 [2]
TYPE : NXP TNP3xxx Activision Game Appliance
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO
-----------------------------------------------------------
proxmark3> hf 14a reader
ATQA : 04 02
UID : 01 02 03 04 -----------> (changed)
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO
----------------------------------------------------
first : Ultralight
second : NXP TNP3xxx Activision Game Appliance
next : Infineon MIFARE CLASSIC 1K
strange....
Offline
The halt error indicates that the tag gave a response to the halt command, which normally it shouldn't. The tag is Infineon, so this might be a behavior of this brand. If you run "hf list 14a" after you get it, and print it here, we can look at what the tag responded with. My guess is an ACK.
The collision warning indicates that you don't get a clean read from your tag. Try holding your tag 1cm above the antenna and in different positions as well.
Offline
If you run "hf list 14a" after you get it, and print it here, we can look at what the tag responded with. My guess is an ACK.
proxmark3> hf list 14a
Recorded Activity (TraceLen = 163 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 04 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16500 | Tag | 93 c0 0a 00 59 | |
18688 | 29152 | Rdr | 93 70 93 c0 0a 00 59 a2 7d | | SELECT_UID
30388 | 33908 | Tag | 08 b6 dd | |
462592 | 467360 | Rdr | e0 80 31 73 | | RATS
468532 | 469172 | Tag | 04 | |
903680 | 904672 | Rdr | 40 | | MAGIC WUPC1
905908 | 906484 | Tag | 0a! | |
910720 | 912032 | Rdr | 43 | | MAGIC WUPC2
913204 | 913780 | Tag | 0a! | |
917760 | 922528 | Rdr | 50 00 57 cd | | HALT
923700 | 924340 | Tag | 04 | |
proxmark3>
Offline
If I do a "hf mf restore", it seems most of the blocks restore correctly but I get errors for block 0, 60, 61, 62 & 63
proxmark3> hf mf restore
Restoring dumpdata.bin to card
Writing to block 0: xx xx xx xx xx xx 04 xx xx xx 14 xx xx 00 xx xx
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 3: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 7: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 11: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 15: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 19: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 23: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 24: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 25: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 26: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 27: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 29: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 31: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 33: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 34: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 35: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 36: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 37: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 39: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 41: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 42: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 43: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 44: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 45: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 46: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 47: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 49: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 51: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 52: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 53: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 54: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 55: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 56: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 57: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 58: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 59: ff ff ff ff ff ff ff xx xx xx ff ff ff ff ff ff
#db# WRITE BLOCK FINISHED
isOk:01
Writing to block 60: xx xx xx xx 40 00 00 00 00 00 00 00 00 00 00 00
#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 61: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 62: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
Writing to block 63: xx xx xx xx xx xx xx xx xx 00 xx xx x2 xx c5 xx
#db# Authentication failed. Card timeout.
#db# Auth error
#db# WRITE BLOCK FINISHED
isOk:00
proxmark3>
Offline
Block zero is not writeable if it is a normal MIFARE S50 tag.
For blocks 60, 61, 62, 63, it seems like you didn't have the last key in the dumpkeys.bin file...
If you are sure your new tag is magic, then try using generation1 commands, hf mf cset, for block 0.
Edit:
Looking at the trace, it seems you got magic tags generation 1, which need special commands to write to block 0.
Last edited by iceman (2015-07-24 00:44:07)
Offline
Edit:
Looking at the trace, it seems you got magic tags generation 1, which need special commands to write to block 0.
I am thinking the last batch of magic tags I got are either bad quality or some kind of generation between 1 & 2.
The first batch of tags act like generation 1 and work fine: eg
- Answers to chinese magic backdoor commands: YES
- If I use chinese special commands they work fine. eg. hf mf cload 12345678 > Loaded from file: 12345678.eml
But the second batch I got:
- Always have "#db# halt error. response len: 1" error for most commands
- Answers to chinese magic backdoor commands: NO
- Some chinese special commands will work, but some won't. eg.
- "hf mf csetuid" works OK to change the UID
- But if I try to write the full block 0, it won't work
- Also if I try hf mf cload, I always get errors in some blocks ...eg. Can't set magic card block: 63
Offline
If the trace above was from your second batch,
the tag answers with a NACK 0x04 to the HALT command. That's the "halt error". Normally a tag doesn't respond to the HALT cmd.
That could be a twist from Infineon. It's OK to ignore this db message, if you don't like it. (Change the len check inside mifare_classic_halt in armsrc/mifareutil.c.)
But was your first batch also from Infineon?
What does the trace look like when you tried "hf mf csetblk 0 xxxx"?
Offline
Testing cards, changing UID, S50, generation 2.
I wrote the 64 blocks manually.
------------------------------------
proxmark3> hf mf wrbl 63 B c4edb80fc345 12345678901208778f00c4edb80fc345
--block no:63, key type:B, key:c4 ed b8 0f c3 45
--data: 12 34 56 78 90 12 08 77 8f 00 c4 ed b8 0f c3 45
#db# WRITE BLOCK FINISHED
isOk:01
------------------------------------
And all were written well (with the Proxmark3), including blocks 0, 60, 61, 62, 63.
But the card is still giving me an error.
I think the mistake is here (#db# halt error. response len: 1)
------------------------------
proxmark3> hf 14a reader
ATQA : 00 02
UID : d0 a5 e8 e7
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO
proxmark3>
--------------------------
If someone has the solution,
or if anyone knows of a store that sells generation one,
publish the link where this product was purchased.
http://www.aliexpress.com/item/200PCS-Lot-13-56MHZ-Rewritable-Smart-IC-Chip-UID-Changeable-Card-With1K-Bytes-8K-Bits-Memory/1858507771.html
http://www.aliexpress.com/item/uid-changeable-card-1k-card-S50-card-proxmark3-libnfc-Chinese-Magic-card-backdoor-card/1735477211.html
The Proxmark3 and the ACR122U were used.
Neither worked.
Offline
How about you give the output from
-hw version
-hw tune
And the trace output from
-hf mf csetblk 0 xxxx
It's near impossible to give an answer without that information.
Offline
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 14.18 V @ 13.56 MHz
# Your LF antenna is unusable.
proxmark3>
--------------------------------------------------------------
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-05-24 09:54:53
#db# os: /-suspect 2015-05-24 09:56:23
#db# HF FPGA image built on 2015/03/09 at 08:41:42
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>
-------------------------------------------------
proxmark3> hf mf csetblk 0 d0a5e8e77a980200648f45915d101311
--block number: 0 data:d0 a5 e8 e7 7a 98 02 00 64 8f 45 91 5d 10 13 11
#db# Can't select card
Can't write block. error=2
proxmark3>
Offline
And what does the trace log look like after you ran the "hf mf csetblk"?
(e.g. hf list 14a)
Offline
proxmark3> hf list 14a
Recorded Activity (TraceLen = 0 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3>
Offline
Would you please run first the "hf mf csetblk", then run "hf list 14a"?
Offline
proxmark3> hf mf csetblk 0 d0a5e8e77a980200648f45915d101311
--block number: 0 data:d0 a5 e8 e7 7a 98 02 00 64 8f 45 91 5d 10 13 11
#db# halt error. response len: 1
#db# Halt error
Can't write block. error=2
proxmark3>
proxmark3> hf list 14a
Recorded Activity (TraceLen = 215 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 02 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16564 | Tag | d0 a5 e8 e7 7a | |
18688 | 29216 | Rdr | 93 70 d0 a5 e8 e7 7a ee 5d | | SELECT_UID
30388 | 33908 | Tag | 88 be 59 | |
35456 | 40224 | Rdr | 50 00 57 cd | | HALT
175616 | 176608 | Rdr | 40 | | MAGIC WUPC1
177844 | 178420 | Tag | 0a! | |
182656 | 183968 | Rdr | 43 | | MAGIC WUPC2
185140 | 185716 | Tag | 0a! | |
189696 | 194400 | Rdr | a0 00 5f b1 | | WRITEBLOCK(0)
195636 | 196212 | Tag | 0a! | |
199552 | 220448 | Rdr | d0 a5 e8 e7 7a 98 02 00 64 8f 45 91 5d 10 13 11 | |
| | | c3 b5 | | ?
267060 | 267636 | Tag | 0a! | |
269056 | 273824 | Rdr | 50 00 57 cd | | HALT
274996 | 275636 | Tag | 04 | |
proxmark3>
Offline
So, good, it's your version of tag that responds to the "HALT" command.
The actual write command works as it should.
It is as I wrote in post #12 earlier. This failed message can be altered.
Offline
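The reading of the trace given above can be reproduced mechanically. The following Python sketch is an added example, not part of the thread or of the Proxmark3 code base; the function names are made up here, and the sample rows are copied from the "hf list 14a" output posted above. It pairs each reader command with the tag's reply and reports whether the tag ACKs (0x0a) the magic wake-up commands 40/43 and the block write, and what it answers to HALT.

```python
import re

# Rows copied from the "hf list 14a" trace posted in this thread.
SAMPLE_TRACE = """\
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 02 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16564 | Tag | d0 a5 e8 e7 7a | |
18688 | 29216 | Rdr | 93 70 d0 a5 e8 e7 7a ee 5d | | SELECT_UID
30388 | 33908 | Tag | 88 be 59 | |
35456 | 40224 | Rdr | 50 00 57 cd | | HALT
175616 | 176608 | Rdr | 40 | | MAGIC WUPC1
177844 | 178420 | Tag | 0a! | |
182656 | 183968 | Rdr | 43 | | MAGIC WUPC2
185140 | 185716 | Tag | 0a! | |
189696 | 194400 | Rdr | a0 00 5f b1 | | WRITEBLOCK(0)
195636 | 196212 | Tag | 0a! | |
199552 | 220448 | Rdr | d0 a5 e8 e7 7a 98 02 00 64 8f 45 91 5d 10 13 11 | |
| | | c3 b5 | | ?
267060 | 267636 | Tag | 0a! | |
269056 | 273824 | Rdr | 50 00 57 cd | | HALT
274996 | 275636 | Tag | 04 | |
"""

ROW = re.compile(r"^\s*(\d*)\s*\|\s*(\d*)\s*\|\s*(Rdr|Tag)?\s*\|([^|]*)\|")
HEX = re.compile(r"\b[0-9a-fA-F]{2}\b")   # also strips the "!" parity marker
ACK = b"\x0a"
HALT = bytes.fromhex("500057cd")


def parse_trace(text):
    """Return [(src, data)] per frame; header and separator rows are skipped."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src = m.group(3)
        data = bytes(int(h, 16) for h in HEX.findall(m.group(4)))
        if src is None and frames:
            # Wrapped row without a Src column: belongs to the previous frame.
            frames[-1] = (frames[-1][0], frames[-1][1] + data)
        elif src:
            frames.append((src, data))
    return frames


def replies_to(frames, is_cmd):
    """Tag frames that directly follow a reader frame accepted by is_cmd."""
    return [frames[i + 1][1] for i in range(len(frames) - 1)
            if frames[i][0] == "Rdr" and is_cmd(frames[i][1])
            and frames[i + 1][0] == "Tag"]


def diagnose(text):
    frames = parse_trace(text)
    wupc1 = replies_to(frames, lambda d: d == b"\x40")
    wupc2 = replies_to(frames, lambda d: d == b"\x43")
    # Write = a0 <block> <crc> command, then 16 data bytes + 2 CRC bytes.
    write = replies_to(frames, lambda d: d[:1] == b"\xa0" or len(d) == 18)
    halt = replies_to(frames, lambda d: d == HALT)
    return {
        "gen1_wakeup_acked": ACK in wupc1 and ACK in wupc2,
        "write_acked": len(write) >= 2 and all(r == ACK for r in write),
        # A tag normally stays silent after HALT; any reply here is what the
        # client prints as "halt error. response len: 1".
        "halt_reply": halt[-1].hex() if halt else None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```
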
The problem is the card, true?
Offline
Alternative mifare cards often respond to commands that true chips don't. But they usually function just fine in the real world. Consider the pm3 error just a warning.
Offline
Almost, since it reports back a "2", which we might have a check for on the client side.
However, as I already mentioned, you can alter that check to skip looking for "0x0a". And the error/warning message goes away and the tag will work fine with the PM3 client. It should already work fine.
Offline
Hello
I am having the same halt message with a magic tag:
267188 | 267764 | Tag | 0a! | |
269184 | 273952 | Rdr | 50 00 57 cd | | HALT
275124 | 275764 | Tag | 04 | |
Could you help me to fix it please? I don't know how to modify the file you mentioned in #12.
Offline
proxmark3> hf mf csetblk 0
block data must include 32 HEX symbols
proxmark3> hf mf csetblk 0 00000000000000000000000000000000
--block number: 0 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# halt error. response len: 1
#db# Halt error
Can't write block. error=2
It looks like the HALT happens on the trailer blocks...
Offline
When you write all zeros to block zero you will render the tag unusable...
If you want to change uid, use the "hf mf csetuid", it will create a good block 0.
You have some reading to do.
Offline
Me too.
I have some UID-changeable cards.
csetuid did not work ...
proxmark3> hf mf csetuid 01020304 0004 08
--wipe card:NO uid:01 02 03 04
#db# wupC1 error
Couldn't get old data. Will write over the last bytes of Block 0.
new block 0: 01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00
#db# wupC1 error
Can't set UID. error=2
proxmark3>
so I tried the example-block0 from the Chinese seller
proxmark3> hf search
UID : de 0f 2b 19
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF 19743C36670804000115C507E8A85B1D
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 19 74 3c 36 67 08 04 00 01 15 c5 07 e8 a8 5b 1d
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf search
UID : 19 74 3c 36
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3>
Then I thought ... I'll try to change the first number.
Big mistake.
proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF 18743C36670804000115C507E8A85B1D
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 18 74 3c 36 67 08 04 00 01 15 c5 07 e8 a8 5b 1d
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf search
no known/supported 13.56 MHz tags found
proxmark3>
I have other magic cards which I could repair with your remagic script.
This one, not.
So I got 3 new ice scrapers for my car.
Offline
First,
the [hf mf c**] commands are for Magic tags Generation1. They use special backdoor commands in the protocol.
Your [hf mf wrbl 0 A FFFFFFFFFFFF 19743C36670804000115C507E8A85B1D] shows a normal write on block 0;
this means a Generation 2 tag. Congrats on having an S50 1k Generation2 tag. It's the first time I have ever seen it in the wild.
There is a danger when writing Block 0: the UID bytes have a BCC (uid 0123, bcc 4) that has to match, otherwise the tag becomes dead...
I have no clue how to save/revive a Generation 2 tag... *yet*
Offline
They were really cheap - at first I thought I got fooled, because they act like ordinary S50
but then I realized (the hard way) that they aren't ordinary at all
ebay link
Last edited by mosci (2016-02-19 21:21:37)
Offline
Cool, and now we need to find out a way to revive your Gen2 tags...
I saw somewhere on the forum that a user mentioned he used "hf mf csetbl 0 19743C36670804000115C507E8A85B1D" a couple of times and it worked again.
Offline
250 times (via Lua script) did not change anything
....
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: 19 74 3c 36 67 08 04 00 01 15 c5 07 e8 a8 5b 1d
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00
....
But I'm gonna keep them warm and dry ... maybe sometime I will be able to 'remagic' them
Offline
The remagic uses Chinese backdoor commands.
It's the select card which spooks.
Offline
The TWN4 doesn't recognize them either - 'remagic' was just meant as 'getting it to work again', as an innuendo to your script, of course.
It doesn't matter - I still have 7 working ones and will be more careful with them.
Last edited by mosci (2016-02-19 21:53:31)
Offline
There still seems to be some response coming
proxmark3> hf list 14a c
Recorded Activity (TraceLen = 0 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3> hf 14a reader
iso14443a card select failed
proxmark3> hf list 14a c
Recorded Activity (TraceLen = 65 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 04 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16564 | Tag | 18 74 3c 36 67 | |
18816 | 29280 | Rdr | 93 70 18 74 3c 36 66 [1a d8 ] | ok | SELECT_UID
proxmark3>
18 74 3c 36 67 was the bad thing I have written
Offline
That is the UID, and your BCC is false, so... if you fiddle with the "iso_select_card" and flash, you should let the code ignore the faulty BCC...
Offline
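The BCC rule mentioned in the posts above (the fifth byte is the XOR of the four UID bytes) can be checked before any block 0 data is sent to a tag. The following Python sketch is an added example, not code from the thread or from the Proxmark3 project; the function names are made up here, and the layout it assumes (byte 4 = BCC, byte 5 = SAK, bytes 6-7 = ATQA) is inferred from the "new block 0" line that csetuid prints above. It is run over the block 0 values and anticollision answers quoted in this thread.

```python
from functools import reduce


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes of one cascade level."""
    if len(uid) != 4:
        raise ValueError("expected the 4 UID bytes of one cascade level")
    return reduce(lambda a, b: a ^ b, uid)


def anticoll_issue(frame_hex: str):
    """Check a 5-byte anticollision answer (UID0..UID3 + BCC).

    Returns None when the BCC is consistent, otherwise a description."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) != 5:
        raise ValueError("expected 4 UID bytes followed by the BCC")
    want = bcc(raw[:4])
    if raw[4] != want:
        return f"BCC is 0x{raw[4]:02x}, UID {raw[:4].hex()} needs 0x{want:02x}"
    return None


def block0_issues(block_hex: str):
    """List the reasons a 4-byte-UID block 0 should not be written as given."""
    raw = bytes.fromhex(block_hex)
    if len(raw) != 16:
        raise ValueError("block data must include 32 HEX symbols")
    issues = []
    msg = anticoll_issue(raw[:5].hex())
    if msg:
        issues.append(msg)
    if raw[0] == 0x88:
        # 0x88 is the cascade tag and is not allowed as UID0 of a 4-byte UID.
        issues.append("UID0 is 0x88, the cascade tag, not valid in a 4-byte UID")
    if raw[5:8] == b"\x00\x00\x00":
        # Assumed layout (see lead-in): an all-zero block passes the XOR
        # check but carries no SAK/ATQA at all.
        issues.append("SAK/ATQA bytes (5..7) are all zero")
    return issues


# Block 0 values quoted in this thread.
CASES = {
    "seller example": "19743C36670804000115C507E8A85B1D",
    "first byte changed": "18743C36670804000115C507E8A85B1D",
    "csetblk data": "d0a5e8e77a980200648f45915d101311",
    "all zeros": "00" * 16,
}

if __name__ == "__main__":
    for name, data in CASES.items():
        print(f"{name}: {block0_issues(data) or 'ok'}")
```
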