Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2017-08-28 06:32:28

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Unable to change UID on s50

Hey everyone,

I have an s50 UID changeable card that comes with the ELECHOUSE Proxmark3 v2 kit and have been trying to change the UID but I keep getting the cmd error 4.

Sector 3's trailer seems correct.

proxmark3> hf mf rdsc 3 A FFFFFFFFFFFF
--sector no:3 key type:A key:ff ff ff ff ff ff            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
trailer: 00 00 00 00 00 00 7f 07 88 00 00 00 00 00 00 00  

Key is correct since I can read

proxmark3> hf mf rdbl 0 B FFFFFFFFFFFF
--block no:0, key type:B, key:ff ff ff ff ff ff            
#db# READ BLOCK FINISHED          
isOk:01 data:aa da 85 ee 1b 08 04 00 01 98 8f b8 b1 0a c2 1d       

Writing produces the cmd error.

proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016
--block no:0, key type:A, key:ff ff ff ff ff ff           
--data: d3 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16           
#db# Cmd Error: 04          
#db# Write block error          
#db# WRITE BLOCK FINISHED          
isOk:00          

I've had a look through the forums but I can't seem to find anything that works (a lua script was deleted).
Either my card's UID isn't changeable or I'm doing something wrong?


#2 2017-08-28 08:38:10

lohcm88
Contributor
Registered: 2016-02-05
Posts: 59

Re: Unable to change UID on s50

If I remember correctly, the Elechouse package has 1) Type: M1 S50 and 2) Type: M1 UID. Only the one that is labelled M1 UID is changeable.


#3 2017-08-28 09:10:00

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Oh I see, still getting the same error on the M1 UID.

I ran the mifare access conditions calculator and got the ff0780 code and wrote to block 3.

proxmark3> hf mf rdsc 3 a ffffffffffff
--sector no:3 key type:A key:ff ff ff ff ff ff            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff  

         
proxmark3> hf mf rdsc 0 a ffffffffffff
--sector no:0 key type:A key:ff ff ff ff ff ff            
           
#db# READ SECTOR FINISHED          
isOk:01          
data   : 44 6f af 10 94 08 04 00 62 63 64 65 66 67 68 69           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
trailer: 00 00 00 00 00 00 ff 07 80 ff ff ff ff ff ff ff

then attempted to write to block 0 getting the same error. Am I entering it wrong?

proxmark3> hf mf wrbl 0 a ffffffffffff AABBCCDD940804006263646566676869
--block no:0, key type:A, key:ff ff ff ff ff ff           
--data: aa bb cc dd 94 08 04 00 62 63 64 65 66 67 68 69           
#db# Cmd Error: 04          
#db# Write block error          
#db# WRITE BLOCK FINISHED          
isOk:00          


#4 2017-08-28 09:32:11

meter
Contributor
Registered: 2015-07-13
Posts: 78

Re: Unable to change UID on s50

You should try to write with the magic command.

hf mf csetblk 1 01020304050607080910111213141516

try also with

hf search

to understand which generation your card is.

proxmark3> hf search
          
 UID : 33 76 0d 00           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
#db# halt error. response len: 1          
Answers to chinese magic backdoor commands (GEN 1a): YES          

Valid ISO14443A Tag Found - Quiting Search


#5 2017-08-28 09:52:08

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Thanks meter, I'm avoiding the magic commands since the tag I'm cloning is a FDi tag and their readers block/scramble the magic cards when read.


#6 2017-08-28 09:57:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Unable to change UID on s50

....well... 
Look at the output from hf 14a read,   if it says like @meter  "Answers to chinese magic backdoor commands (GEN 1a): YES"

then you will need to use magic commands to write block0 to it.  Elechouse usually sends Gen1 tag in their package, so ...

Your idea of avoiding using special commands to the card because of the reader you will use the card on later,  is wrong,  just stop it.  Re-read the wiki, documents and the forum to understand why.


#7 2017-08-28 10:08:35

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

iceman wrote:

....well... 
Look at the output from hf 14a read,   if it says like @meter  "Answers to chinese magic backdoor commands (GEN 1a): YES"

then you will need to use magic commands to write block0 to it.  Elechouse usually sends Gen1 tag in their package, so ...

Your idea of avoiding using special commands to the card because of the reader you will use the card on later,  is wrong,  just stop it.  Re-read the wiki, documents and the forum to understand why.

Hi Iceman, I think you misunderstood my purpose here as I'm not trying to change the UID on a magic chinese card.

I initially dumped a FDi tag and stored into a bin file, I then loaded that bin file into a magic UID card included within the Elechouse kit.
The FDi readers actually detect and reject the Magic UID cards as stated here: http://www.proxmark.org/forum/viewtopic … 270#p28270

So I have to resort to the changeable UID cards that don't answer to chinese commands. Initially I assumed the s50 was able to change its UID, I was mistaken as pointed out by lohcm88 here: http://www.proxmark.org/forum/viewtopic … 175#p29175

SO, now I'm attempting to change the UID of the M1 UID card also provided by the Elechouse card. Using a chinese command on this card is incorrect.

OR I could be totally wrong and in which case I apologise.


#8 2017-08-28 10:30:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Unable to change UID on s50

... back to magic cards information again... it's like ppl never listen to me. I even did two videos on youtube explaining it.
First of all, understand there are several different kinds of magic tags. Sadly they have all kinds of names.
In China they like to call them uid, cuid, fuid, ufuid, which makes it hard to understand the difference and easy to write wrong in descriptions.

In this forum and other ones, we started calling the first magic card with backdoor commands Generation1 (gen1). The next generation or revision is called generation2. Gen2 cards don't use backdoor commands.
Now to make things more complicated there is another revision of gen1 tags. I use the nomenclature Gen1a, Gen1b.
In "hf 14a read" you can see which one your tag is. Currently it only tests for Gen1* tags.

So, in the ref-thread, FDi tags, they talk about Gen2 cards working or the write-once (which is a card where you can change the UID ONCE, then it fuses and stays the same) .. I wrote that you should know what kind of magic tag you have. Which you at the moment don't seem to know. I'm convinced you have a Gen1a tag (m1 uid from elechouse is that) which is useless as stated in the threads you refer to.


#9 2017-08-28 11:32:58

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

iceman wrote:

... back to magic cards information again... it's like ppl never listen to me. I even did two videos on youtube explaining it.
First of all, understand there are several different kinds of magic tags. Sadly they have all kinds of names.
In China they like to call them uid, cuid, fuid, ufuid, which makes it hard to understand the difference and easy to write wrong in descriptions.

In this forum and other ones, we started calling the first magic card with backdoor commands Generation1 (gen1). The next generation or revision is called generation2. Gen2 cards don't use backdoor commands.
Now to make things more complicated there is another revision of gen1 tags. I use the nomenclature Gen1a, Gen1b.
In "hf 14a read" you can see which one your tag is. Currently it only tests for Gen1* tags.

So, in the ref-thread, FDi tags, they talk about Gen2 cards working or the write-once (which is a card where you can change the UID ONCE, then it fuses and stays the same) .. I wrote that you should know what kind of magic tag you have. Which you at the moment don't seem to know. I'm convinced you have a Gen1a tag (m1 uid from elechouse is that) which is useless as stated in the threads you refer to.

Understood, mate we're all just trying to learn and contribute.. If you find that multiple people never listen to you it might be because the way you express it isn't clear or confusing..at least it wasn't for me.

Results for running "hf 14a read" on the M1 UID elechouse card would appear that it is a gen 2 tag. (iceman fork)

pm3 --> hf 14a read
 UID : 44 6F AF 10           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands: NO          
Prng detection: WEAK       

   
pm3 --> hf 14a list
Recorded Activity (TraceLen = 103 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr |52                                                               |     | WUPA          
       2228 |       4596 | Tag |04  00                                                           |     |           
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL          
      10676 |      16564 | Tag |44  6f  af  10  94                                               |     |           
      18944 |      29472 | Rdr |93  70  44  6f  af  10  94  9f  1c                               |  ok | SELECT_UID          
      30644 |      34164 | Tag |08  b6  dd                                                       |     |           
      48256 |      52960 | Rdr |60  00  f5  7b                                                   |  ok | AUTH-A(0)          
      54580 |      59316 | Tag |1b  d9  b6  02                                                   |     |           
pm3 --> 

Results for the s50 just for good measure. Would appear that this is also gen 2 (iceman fork)

pm3 --> hf 14a read
 UID : AA DA 85 EE           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands: NO          
Prng detection: WEAK      

    
pm3 --> hf 14a list
Recorded Activity (TraceLen = 103 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr |52                                                               |     | WUPA          
       2228 |       4596 | Tag |04  00                                                           |     |           
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL          
      10676 |      16500 | Tag |aa  da  85  ee  1b                                               |     |           
      18944 |      29472 | Rdr |93  70  aa  da  85  ee  1b  ac  b3                               |  ok | SELECT_UID          
      30644 |      34164 | Tag |08  b6  dd                                                       |     |           
      47232 |      51936 | Rdr |60  00  f5  7b                                                   |  ok | AUTH-A(0)          
      53556 |      58228 | Tag |9c  4b  54  72                                                   |     |           
pm3 --> 

Results for the Magic UID again for good measure. Of course this shows gen1a. (iceman fork)

pm3 --> hf 14a read
 UID : 01 02 03 04           
ATQA : 00 02          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands (GEN 1a): YES          
Prng detection: WEAK      
    
pm3 --> hf 14a list
Recorded Activity (TraceLen = 103 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr |52                                                               |     | WUPA          
       2244 |       4612 | Tag |02  00                                                           |     |           
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL          
      10692 |      16580 | Tag |01  02  03  04  04                                               |     |           
      19072 |      29600 | Rdr |93  70  01  02  03  04  04  8e  25                               |  ok | SELECT_UID          
      30772 |      34292 | Tag |08  b6  dd                                                       |     |           
      47232 |      51936 | Rdr |60  00  f5  7b                                                   |  ok | AUTH-A(0)          
      53940 |      58676 | Tag |01  20  01  45                                                   |     |           
pm3 --> 

I appreciate the time you take to explain and help.


#10 2017-08-28 12:34:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Unable to change UID on s50

The only detection of a Gen2 card is to try writing to block0 with a normal writeblock cmd. If it worked, it's a gen2. If it didn't work, it's not a gen2.

You got two s50/1k cards in your pm3 kit from Elechouse.

* s50/1k UID  gen1a
* normal s50/1k

So you are trying to write block0 on the normal s50/1k card?


#11 2017-08-28 12:52:03

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Correct. I purchased 2 different 1k cards that claim to be changeable on eBay, I'll report my findings when they arrive.


#12 2017-08-28 19:19:35

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: Unable to change UID on s50

Gen1a - Chinese Backdoor command (csetuid uid 0004 08)
Gen1a - Another kind of Chinese backdoor Command (UFUID) Some claim to work with FDI
(csetuid command/if not you got to sniff the key out)
Gen2 - Till date we have 3 kinds of these tags around (hf mf wrbl b 0 d) All works with FDI
Perfect Gen2 that I am selling
FUID - One time fused
CUID - Uses the same command but easily bricks

I make it pretty clear cut so just try them.

To sum it up, we have 5 types of mifare 1k uid changeable now.

Hope now you understand better.

Last edited by Dot.Com (2017-08-30 15:53:34)


#13 2017-08-29 02:05:39

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Thanks mate


#14 2017-08-29 04:51:46

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: Unable to change UID on s50

On the other hand, search for the FDI known key on the forum.

You probably need it if you want to do FDI.


#15 2017-08-29 05:05:05

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Dot.Com wrote:

On the other hand, search for the FDI known key on the forum.

You probably need it if you want to do FDI.

Yup, thanks to iceman... it's in his default_keys.dic file. I successfully dumped the FDi card :)


#16 2017-08-29 12:24:52

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Cards that I bought from eBay arrived today and they're Gen1a.. sigh.. another 2 weeks to wait for new cards from China.


#17 2017-08-29 14:22:10

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: Unable to change UID on s50

You can always order from my side to make things simple :)

No need for verification since I know my stuff well.

Good luck testing them.


#18 2017-08-29 14:46:05

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

Will keep in mind thanks.


#19 2017-09-28 05:13:59

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Unable to change UID on s50

UPDATE:

A local seller messaged me and asked me to try a new type of writeable Mifare card that won't show up as a magic card and here are the results:

proxmark3> hf search
         
 UID : f0 00 00 c5          
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO          
 
Valid ISO14443A Tag Found - Quiting Search
         
proxmark3> hf mf wrbl 0 B FFFFFFFFFFFF d3a2859f6b880400c801002000000016
--block no:0, key type:B, key:ff ff ff ff ff ff          
--data: d3 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16          
#db# WRITE BLOCK FINISHED          
isOk:01          
proxmark3> hf search
         
 UID : d3 a2 85 9f          
ATQA : 00 04          
 SAK : 88 [2]          
TYPE : Infineon MIFARE CLASSIC 1K          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO          
 
Valid ISO14443A Tag Found - Quiting Search
         
proxmark3>
 
 
proxmark3> hf mf wrbl 0 B FFFFFFFFFFFF d4a2859f6b880400c801002000000016
--block no:0, key type:B, key:ff ff ff ff ff ff          
--data: d4 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16          
#db# WRITE BLOCK FINISHED          
isOk:01          
proxmark3> hf search
         
 
no known/supported 13.56 MHz tags found
         
proxmark3> hf mf wrbl 0 B FFFFFFFFFFFF d3a2859f6b880400c801002000000016
--block no:0, key type:B, key:ff ff ff ff ff ff          
--data: d3 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16          
#db# Can't select card          
#db# WRITE BLOCK FINISHED          
isOk:00          
proxmark3>

It was able to write successfully on the first attempt but it looks like I bricked the card after writing it the second time.
I've tried running the formatMifare lua script but it returns "#db# Can't select card".
It would appear this is a one time write card like you said iceman.

proxmark3> hf list 14a
Recorded Activity (TraceLen = 65 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
iClass    - Timings are not as accurate          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr | 52                                                              |     | WUPA          
       2228 |       4596 | Tag | 04  00                                                          |     |           
       7040 |       9504 | Rdr | 93  20                                                          |     | ANTICOLL          
      10676 |      16564 | Tag | d4  a2  85  9f  6b                                              |     |           
      18816 |      29280 | Rdr | 93  70  d4  a2  85  9f  6c  5e  96                              |  ok | SELECT_UID          

Anyone ever unbricked this?

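Added example, not part of any post in this thread and not Proxmark3 project code: a consistency check on the block 0 values and the anticollision trace shown above. It assumes the 4-byte-UID layout visible in the thread's outputs (bytes 0-3 UID, byte 4 BCC, byte 5 SAK, bytes 6-7 ATQA), with the BCC being the XOR of the four UID bytes as used in ISO 14443-3 anticollision; the function names are hypothetical.

```python
import re
from functools import reduce

def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes."""
    return reduce(lambda a, b: a ^ b, uid, 0)

def check_block0(hex_data: str) -> dict:
    """Split a 16-byte block 0 (assumed 4-byte-UID layout) and verify its BCC."""
    raw = bytes.fromhex(hex_data)
    if len(raw) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, stored = raw[:4], raw[4]
    return {
        "uid": uid.hex(),
        "stored_bcc": stored,
        "expected_bcc": bcc(uid),
        "bcc_ok": stored == bcc(uid),
        "sak": raw[5],
        "atqa": raw[6:8].hex(),
    }

# One row of the "hf list 14a" table: Start | End | Src | Data | ...
ROW = re.compile(r"^\s*\d+\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|")

def anticoll_replies(trace: str) -> list:
    """Return (uid_hex, bcc_ok) for every tag reply to a 93 20 ANTICOLL."""
    replies, awaiting = [], False
    for line in trace.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or free text
        data = bytes.fromhex("".join(m.group(2).replace("!", "").split()))
        if m.group(1) == "Rdr":
            awaiting = data == b"\x93\x20"
        elif awaiting and len(data) == 5:
            replies.append((data[:4].hex(), bcc(data[:4]) == data[4]))
            awaiting = False
    return replies

# Block 0 values copied from the wrbl commands in posts #3 and #19.
BLOCKS = [
    "d3a2859f6b880400c801002000000016",  # post #19, first write
    "d4a2859f6b880400c801002000000016",  # post #19, second write
    "AABBCCDD940804006263646566676869",  # post #3, rejected write
]

# Trace rows copied from the "hf list 14a" output in post #19.
TRACE_POST19 = """
          0 |        992 | Rdr | 52                         |     | WUPA
       2228 |       4596 | Tag | 04  00                     |     |
       7040 |       9504 | Rdr | 93  20                     |     | ANTICOLL
      10676 |      16564 | Tag | d4  a2  85  9f  6b         |     |
      18816 |      29280 | Rdr | 93  70  d4  a2  85  9f  6c  5e  96 |  ok | SELECT_UID
"""

if __name__ == "__main__":
    for b in BLOCKS:
        r = check_block0(b)
        print(f"{r['uid']} stored={r['stored_bcc']:02x} "
              f"expected={r['expected_bcc']:02x} ok={r['bcc_ok']}")
    print(anticoll_replies(TRACE_POST19))
```

The second write in post #19 changed the first UID byte to d4 but kept BCC 6b, where the XOR of d4 a2 85 9f is 6c; the trace shows the tag answering with 6b while the reader's SELECT carries 6c, which matches the "Can't select card" result.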

#20 2017-09-29 06:58:48

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: Unable to change UID on s50

Dmanufacturer wrote:
Dot.Com wrote:

On the other hand, search for the FDI known key on the forum.

You probably need it if you want to do FDI.

Yup, thanks to iceman... it's in his default_keys.dic file. I successfully dumped the FDi card :)

Good job, I remember snooping that FDI key at a building, was so happy when I found it haha. Easier nowadays :P
