Proxmark3 community

#1 2017-02-06 21:58:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Mifare Classic 4k - magic generation 1b

Thanks to @kwx, he seems to have gotten hold of a new kind of magic tags.

Mifare Classic 4k - magic generation 1b
4byte UID
UID/ATQA is changeable, SAK seems to be locked somehow.

These tags don't use the full Chinese magic backdoor commands, but get triggered with only 7bit 0x40.
Like gen1, which needs 0x43 as well. No need to authenticate when in backdoor mode. So I call this Generation 1b.

Haven't tested writing a bad sector trailer, but like all generation 1 tags, it doesn't need to run anticollision to be selected.

The tag is not compatible with Generation1 start (0x40, 0x43) sequence. Hence hf mf c* commands will fail.
hf 14a raw works great.


In short-
send 7bit 40 to enter backdoor mode.
send 30nn + crc for reading block.
send A0mm + crc for writing block. wait for response 0x0a, then send 16bytes + crc

steps:

hf 14a raw -a -p -b 7 40
hf 14a raw -p -c 3000       
hf 14a raw -p -c A000
hf 14a raw -p -c E94094211c18040041424344454647
hf 14a raw -p -c 3000
hf 14a raw -r 00
hf 14a read
hf 14a list 

--[ 3000 -> read block 00 ]
--[ A000 -> write block 00 ]
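
Added example, not part of the original post: a small reader-side trace check that tells the wake-up described above (7bit 0x40 followed directly by an unauthenticated 30nn/A0mm) apart from the Generation1 start (0x40, 0x43) and from a normal session. The (bit_length, bytes) frame layout, the function names and the sample traces are assumptions constructed for illustration.

```python
# Added example: flag magic-card backdoor wake-ups in a sniffed ISO 14443-A trace.
# A reader frame is modelled as (bit_length, payload_bytes); this layout and all
# names below are assumptions for illustration, and the traces are constructed.

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: initial value 0x6363, transmitted low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def is_block_cmd(frame) -> bool:
    """True for a 4-byte read (30nn) or write (A0mm) command with a valid CRC_A."""
    bits, data = frame
    return bits == 32 and data[0] in (0x30, 0xA0) and crc_a(data[:2]) == data[2:]

def backdoor_kind(frames):
    """Return 'gen1', 'gen1b' or None for a list of reader frames."""
    for i, (bits, data) in enumerate(frames):
        if bits == 7 and data == b"\x40":          # 7-bit wake-up frame
            nxt = frames[i + 1] if i + 1 < len(frames) else None
            if nxt and nxt[1] == b"\x43":           # Generation1 start: 0x40, 0x43
                return "gen1"
            if nxt and is_block_cmd(nxt):           # block access with no auth first
                return "gen1b"
    return None

def with_crc(payload: bytes):
    """Build a (bits, bytes) frame with CRC_A appended."""
    data = payload + crc_a(payload)
    return (len(data) * 8, data)

# Constructed traces (reader side only).
GEN1B = [(7, b"\x40"), with_crc(b"\x30\x00"), with_crc(b"\xA0\x00")]
GEN1 = [(7, b"\x40"), (8, b"\x43"), with_crc(b"\x30\x00")]
# REQA, anticollision, key A authentication, then a read.
NORMAL = [(7, b"\x26"), (16, b"\x93\x20"), with_crc(b"\x60\x00"), with_crc(b"\x30\x00")]

if __name__ == "__main__":
    for name, trace in (("gen1b", GEN1B), ("gen1", GEN1), ("normal", NORMAL)):
        print(name, "->", backdoor_kind(trace))
```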
