Research, development and trades concerning the powerful Proxmark3 device.
Hey,
Usually most magic cards are advertised as "UID changeable".
To my knowledge there are at least three types of "special" 1K cards available:
1. block0 is writeable with the normal write commands. If you mess up the access bits once on any other block, you cannot "repair" the card.
2. All blocks are writeable with the normal write commands; key and access bits do not matter (they are not enforced).
3. All blocks are readable and writeable via the backdoor commands.
My question is: Are there any cards of type 2 or 3 with 4K memory (S70) on the market? Any reliable sources? How to differentiate them?
Extra question: how to set the SAK on a type 2 or 3 card if you clone a 7 byte UID card? My 1K backdoor (type 3) card always returns the value of byte 6 in block0 as SAK response. From this thread (http://www.proxmark.org/forum/viewtopic.php?id=2175) I learned that some cards seem to respond with a SAK even if there is no corresponding data in block0. So maybe there is a "special" command to set this value?
The gen1 tags have some options to change ATQA and SAK, which is good; the downside is that you'll need to use the backdoor commands.
The gen2 S70 tag is an S70 tag where you can change the UID. Nothing states that it can change ATQA or SAK.
I have never seen a gen2 S50 tag; some people state they have them.
I totally know what you mean; the answer is no.
I import a huge amount of Mifare tags through one business venture, which has allowed me to get Mifare 1k very cheaply.
More importantly, they're the 'good' type - type '2' as you described above - read / write anywhere.
I've got them up on my site, http://tagsource.eu
If you're interested in buying I can swing you a discount
Admins - please note - this isn't at all spam (at least I hope it isn't..)
kwx, this thread is about the 4K aka S70 Mifare Classic cards. Can you provide a sample of such a card for further review? Your online shop is quite "Lorem ipsum", btw.
Hi nfcopy,
Samples can be purchased; I'll be happy to refund if it doesn't function as described.
Perhaps with enough purchases I can purchase a less generic template.
Nfcopy's big question here is not about the existence of an "S70 gen2" but whether there is an S70 gen2 which can change its SAK and ATQA values.
Nfcopy's big question here is not about the existence of an "S70 gen2" but whether there is an S70 gen2 which can change its SAK and ATQA values.
Hi Iceman.
I've seen (and have on hand) some of the S50 'Gen 2' cards:
# /tmp $ nfc-list
nfc-list uses libnfc libnfc-1.7.1-28-gef74d81
NFC device: pn532_uart:/dev/ttyAMA0 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 00
UID (NFCID1): 00 00 00 00
SAK (SEL_RES): 00
# /tmp $ nfc-mfclassic W a 4k.dmp
NFC reader: pn532_uart:/dev/ttyAMA0 opened
Warning: tag is probably not a MFC!
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 00
UID (NFCID1): 00 00 00 00
SAK (SEL_RES): 00
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
# /tmp $ nfc-list
nfc-list uses libnfc libnfc-1.7.1-28-gef74d81
NFC device: pn532_uart:/dev/ttyAMA0 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 02
UID (NFCID1): ec 6b 91 7f
SAK (SEL_RES): 98
With that said, I've not seen these cards in S70 / 4K; they're much harder to get hold of.
I don't want to be rude, but in your output it says:
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
That piece of information tells me it uses the Chinese backdoor commands, AKA Gen1.
The output you are showing is not for a "S50 Gen2" tag.
I don't want to be rude, but in your output it says:
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
That piece of information tells me it uses the Chinese backdoor commands, AKA Gen1.
The output you are showing is not for a "S50 Gen2" tag.
You're not being rude at all; you're by far the expert.
I've had other cards (like some of the ones sold via clonemykey) where I had to manually use the 'backdoor' commands; these cards in question I can use directly with nfc-mfclassic, and change the SAK value, leading me to believe that they were of another ilk.
What does the output of a Gen 2 tag resemble?
A Generation 2 tag would not answer 0x0a to the Chinese backdoor commands; it wouldn't answer at all, like a normal tag.
The only way to see if it is a Generation 2 tag is to write to S0 B0 (manufacturing block) and see if it worked.
I've had other cards (like some of the ones sold via clonemykey) where I'd had to manually use the 'backdoor' commands;
The W in nfc-mfclassic W a 4k.dmp does just that; it uses the backdoor command to write to the card, so it's a backdoor card.
these cards in question I can use directly w/ nfc-mfclassic, and change the SAK value
What command do you use to set the SAK value? And are they really S70 cards with 4K of storage?
I know that you can write 4K to a 1K card, however when reading back the data you'll see that it's not actually storing all 4K.
What does the output of a Gen 2 tag resemble ?
I don't understand the question.
How can I contact you via mail and in what country do you live?
The fastest way to compare the different output, where by output you are referring to the output of "hf list 14a":
Run these two commands on a magic S50/1K tag and on a normal S50/1K tag, and compare them to see it clearly.
hf 14a reader
hf list 14a
A magic S50/1K Gen2 should generate an output like the normal S50 tag.
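As an added example (not code from anyone in this thread), a small Python helper that applies the two checks discussed above to constructed input: it flags the gen1 backdoor handshake (7-bit 0x40 answered with a 4-bit 0x0A, then 0x43 answered with 0x0A) in libnfc-style "Sent/Received bits" lines, and decodes a 4-byte-UID manufacturer block to verify the BCC and compare what the SAK byte claims against the dump size actually read back. The block0 layout (UID, BCC, SAK, ATQA) and the SAK values 0x08 (1K) / 0x18 (4K) are standard Mifare Classic values; the sample trace is constructed after the nfc-mfclassic output posted earlier, and the block0 reuses the UID shown there.

```python
import re

# Constructed sample, modelled on the nfc-mfclassic output posted in this thread.
SAMPLE_GEN1_TRACE = """\
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
"""
# Constructed: a card that ignores the unlock sequence (gen2 or genuine) sends no ACK.
SAMPLE_SILENT_TRACE = "Sent bits: 50 00 57 cd\nSent bits: 40 (7 bits)\nSent bits: 43\n"

LINE_RE = re.compile(r"^(Sent|Received) bits:\s+([0-9a-fA-F ]+?)(?:\s+\((\d+) bits\))?\s*$")

def parse_trace(text):
    """Turn libnfc-style 'Sent/Received bits' lines into (direction, data, bit_length) tuples."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            direction, hexpart, bits = m.groups()
            data = bytes(int(h, 16) for h in hexpart.split())
            frames.append((direction, data, int(bits) if bits else 8 * len(data)))
    return frames

def gen1_backdoor_used(text):
    """True when a 7-bit 0x40 gets a 4-bit 0x0A ACK and 0x43 is also ACKed with 0x0A:
    the handshake a gen1 'Chinese backdoor' card answers and a gen2 or genuine card ignores."""
    f = parse_trace(text)
    return any(f[i] == ("Sent", b"\x40", 7) and f[i + 1] == ("Received", b"\x0a", 4)
               and f[i + 2][:2] == ("Sent", b"\x43") and f[i + 3][:2] == ("Received", b"\x0a")
               for i in range(len(f) - 3))

def decode_block0(block0_hex, dump_len):
    """Decode a 4-byte-UID Mifare Classic manufacturer block (UID, BCC, SAK, ATQA, vendor data)
    and compare what the SAK byte claims (0x08 = 1K, 0x18 = 4K) against the dump actually read."""
    b = bytes.fromhex(block0_hex)
    if len(b) != 16:
        raise ValueError("block 0 must be 16 bytes")
    uid, bcc, sak, atqa = b[0:4], b[4], b[5], b[6:8]
    claimed = {0x08: 1024, 0x18: 4096}.get(sak)
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
        "sak": sak,
        "atqa": atqa.hex(),
        "size_consistent": claimed == dump_len,  # False when SAK says 4K but only 1K was read back
    }
```

Feeding a block0 whose SAK byte is 0x18 together with a 1024-byte dump gives size_consistent False, which is exactly the "reports 4K but obviously is not" case mentioned below.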
Hi iceman / nfcopy
I get a lot of these things over my desk, so I'm interested in feeling out the differences between them all.
This week I got 3 different Mifare 1K chipsets to play with - YP3 / ZJ1 / LUO 2.
The ZJ chipset seems to be the most common and reliable (I got 30k R/W cycles off it before killing it).
The Luo 2 and YP chipsets get 10k R/W cycles, but work just as fine with the nfc-mfclassic W command.
I'll check to see if I can modify the SAK values.
nfcopy: Native English speaker; I spend my life travelling between Shenzhen and Europe, working closely with a number of tag factories.
In regards to changing SAK on the 1K cards: I can change the SAK on some 1K cards so that they report that they're 4K (but they are obviously not). I should be getting some 4K magic chips over the next few weeks; I can run tests and report back to you.
For the curious:
Do they work just as effectively out of the plastic housing?
In regards to changing SAK on the 1K cards: I can change the SAK on some 1K cards[...]
How do you do that? And thanks for the images!
I just checked taobao and aliexpress, here are the four cards I found:
http://world.taobao.com/item/25884820337.htm
http://world.taobao.com/item/38689234740.htm
http://www.aliexpress.com/store/product … 48234.html
http://www.aliexpress.com/store/product … 52478.html
Can someone identify what type each is? Maybe someone did order one of these already.
Something else: I would really like to know if the behaviour of these cards can be changed by means of a firmware update. Or is the firmware section implemented in ROM and thus cannot be changed at all? Maybe kwx could shine some light on this by asking his factory contacts?
As a side note the ChameleonMini kickstarter campaign could be interesting, as there the firmware will be open source so anything can be done: https://www.kickstarter.com/projects/19 … tor-and-mo
Last edited by nfcopy (2016-01-29 22:07:55)