Research, development and trades concerning the powerful Proxmark3 device.
Hi, I'm using the provided card from my PM3 RDV kit.
Searching gives this:
proxmark3> hf sea u
UID : 72 10 53 3c
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
However, when writing a UID, I get an error:
proxmark3> hf mf csetuid 11111111
uid:11 11 11 11
Chinese magic backdoor commands (GEN 1a) detected
old block 0: 72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d
new block 0: 11 11 11 11 00 08 04 00 01 6f 01 6d 45 68 f8 1d
#db# write block send command error
Can't set block 0. Error: 2
Can't set UID. Error=2
Is there a step I missed so far? Based on what I read, shouldn't the Gen1a card be writeable using csetuid?
Offline
I don't think so, please get a genuine Gen1 card please!!!
Offline
Hi, this was the one provided with the pm3 kit. Is there a reliable source of these cards? It seems like a hit and miss affair on aliexpress and ebay.
Offline
could be access rights set for block0.. but that shouldn't be considered when using the backdoor commands
Offline
What happens if you try with the card a little further away from the reader?
Offline
could be access rights set for block0.. but that shouldn't be considered when using the backdoor commands
is there any way to turn that off?
Offline
What happens if you try with the card a little further away from the reader?
Raised the card about 10 cm above, no difference.
Offline
Is this the original repo (not the RRG)?
A quick look at the code seems to show this line as the "fail point".
if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != CARD_ACK)) {
    if (MF_DBGLEVEL >= 1) Dbprintf("write block send command error");
The mifare_sendcmd_short return code looks like it returns the number of bytes back from the card.
So, if this is correct, it seems the error will be that the card is returning more than 1 byte
OR
the answer from the card is not the CARD_ACK.
Do normal card/MIFARE reads and writes work on that card?
e.g. (and linking back to @iceman's comment)
Can you do a normal read of block 3?
If you can write FFFFFFFFFFFFFF078069FFFFFFFFFFFF
to block 3, that should set the permissions for sector 0 back to default with A and B key set to FFFFFFFFFFFF
Last edited by mwalker (2019-11-15 05:42:38)
Offline
proxmark3> hf mf rdbl 3 a ffffffffffff
--block no:3, key type:A, key:ff ff ff ff ff ff
#db# auth uid: 7210533c | nr: 0020fc18 | nt: 01200145
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Trailer decoded:
Access block 0: read AB; write AB; increment AB; decrement transfer restore AB
Access block 1: read AB; write AB; increment AB; decrement transfer restore AB
Access block 2: read AB; write AB; increment AB; decrement transfer restore AB
Access block 3: write A by A; read ACCESS by A write ACCESS by A; read B by A; write B by A
UserData: 69
Was this what you meant by reading block 3 normally?
Offline
Yes and the access bits look like defaults which clears that up.
So the puzzle continues.
Offline
Try using the c read command.
hf mf cgetblk 3
hf 14a list
Offline
hi, output below
proxmark3> hf mf cgetblk 3
Chinese magic backdoor commands (GEN 1a) detected
--block number: 3
block data:72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d
Trailer decoded:
Key A: 7210533c0d08
Key B: 016d4568f81d
Access block 0: read AB
Access block 1: read AB; write AB; increment AB; decrement transfer restore AB
Access block 2: read AB; write AB; increment AB; decrement transfer restore AB
Access block 3: read A by A; read ACCESS by A; read B by A; write B by A
UserData: 6f
proxmark3> hf 14a list
Deprecated command, use 'hf list 14a' instead
proxmark3> hf list 14a
Recorded Activity (TraceLen = 95 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error, ' denotes short bytes) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 40' | | MAGIC WUPC1
2500 | 3076 | Tag | 0a' | |
7040 | 8352 | Rdr | 43 | | MAGIC WUPC2
9540 | 10116 | Tag | 0a' | |
14080 | 18848 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
20036 | 40900 | Tag | 72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d | |
| | | 5b e0 | ok |
42624 | 47392 | Rdr | 50 00 57 cd
Offline
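Added example, not part of any post in this thread and not Proxmark3 code: a Python decoder for the sector-trailer access bytes (bytes 6 to 8) with their inverted-copy consistency check, run on the two 16-byte values shown above. The `rdbl 3` data decodes to the defaults, while the `cgetblk 3` data (identical to the "old block 0" bytes in the first post) fails the check; the names `decode_trailer`, `DATA_ACL` and `TRAILER_ACL` are made up for this example.

```python
# Added example: MIFARE Classic sector-trailer access bits (per the NXP MF1S50 layout).
# (C1, C2, C3) -> (read, write, increment, decrement/transfer/restore) for data blocks
DATA_ACL = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"),
    (0, 1, 0): ("AB", "-", "-", "-"),
    (1, 0, 0): ("AB", "B", "-", "-"),
    (1, 1, 0): ("AB", "B", "B", "AB"),
    (0, 0, 1): ("AB", "-", "-", "AB"),
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}
# (C1, C2, C3) -> (keyA read, keyA write, ACL read, ACL write, keyB read, keyB write)
TRAILER_ACL = {
    (0, 0, 0): ("-", "A", "A", "-", "A", "A"),
    (0, 1, 0): ("-", "-", "A", "-", "A", "-"),
    (1, 0, 0): ("-", "B", "AB", "-", "-", "B"),
    (1, 1, 0): ("-", "-", "AB", "-", "-", "-"),
    (0, 0, 1): ("-", "A", "A", "A", "A", "A"),
    (0, 1, 1): ("-", "B", "AB", "B", "-", "B"),
    (1, 0, 1): ("-", "-", "AB", "B", "-", "-"),
    (1, 1, 1): ("-", "-", "AB", "-", "-", "-"),
}

def decode_trailer(block_hex):
    """Return per-block access conditions, or None if bytes 6..8 are inconsistent."""
    b = bytes.fromhex(block_hex)
    if len(b) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    b6, b7, b8 = b[6], b[7], b[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is stored twice, once inverted; a mismatch means not a valid trailer.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        return None
    out = {}
    for blk in range(4):  # bit n of each nibble belongs to block n of the sector
        bits = ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1)
        out[blk] = (TRAILER_ACL if blk == 3 else DATA_ACL)[bits]
    return out

# Both values are copied from the output posted in this thread.
READ_BLOCK_3 = "000000000000ff078069ffffffffffff"  # from: hf mf rdbl 3 a ffffffffffff
CGETBLK_3 = "7210533c0d080400016f016d4568f81d"     # from: hf mf cgetblk 3

if __name__ == "__main__":
    print(decode_trailer(READ_BLOCK_3))  # defaults: data blocks AB, trailer via key A
    print(decode_trailer(CGETBLK_3))     # None: bytes 6..8 fail the inverted-copy check
```
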
Very strange that the UID part fails. It could be one of those UFUID cards, which can write block0 but become locked and then is a Gen1A but without block 0 writes. Bizarre hybrid..
Offline
In that case, what can I do? I ordered some more cards from eBay but they won't be arriving for a while. Kinda puzzled why the provided card had problems.
Offline
You have to ask your seller what kind it is and if the card has other special commands or needs special software to use.
Or you could also have gotten a bad card... Who knows? The market is filled with strange behaving magic cards nowadays.
Offline
Hi, I got this from a friend who bought from the Kickstarter. I'll wait for the eBay cards to arrive to do another test.
Offline
Hm, those tags shouldn't be problematic at all. Let's see what happens when you get your new cards.
Offline
I've actually experienced the same issue as the OP with two different cards. The first came with my Proxmark3 RDV2, and the second card I managed to ruin was from lab401
https://lab401.com/collections/rfid-bad … -write-uid
I have two screenshots from my earlier failed attempt. I'm sorry for the links; I took these screenshots earlier and do not have access to the terminal prompt.
Reading of card data prior to attempt to clone
https://imgur.com/nOpHCyb
Setting of UID
https://imgur.com/gccrwOH
This is very much just in time learning, so I'm sure there is a lot I may have missed.
Lastly, confirming what I read in this forum earlier: I was able to read the magic card with most reliability when I held it slightly above the Proxmark3.
So in closing, any idea what I did wrong and how to recover the two cards I have bricked?
Thank you!
Offline
You seem to have a fw/client mismatch. Make sure you use same fw/client from the same compilation time or if you use pre-compiled binary distro by gator9600
Offline
Thanks for the reply. How did you determine that my client is incorrect? I am not doubting it, but curious what led you to make that suggestion?
Where would be the appropriate place to get the pre-compiled software? The GitHub page for Gator appears to be the source code.
Output of HW Version --> Which absolutely shows RDV40 and I have an RDV3.
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v3.1.0-158-gd3bcdbd-suspect 2019-11-13 18:42:18
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/10/15 at 18:34:30
SmartCard Slot: not available
Offline
The latest RRG/Iceman repo client doesn't have that output. So you are not running the latest source.
Your bootrom is way old compared with your fullimage, which indicates an older iceman fork v3.1.0 version.
Hence, you have a mixed setup.
You find the right links in the Windows client section.
http://www.proxmark.org/forum/viewtopic.php?id=3975
Offline
Hi, just got a bundle of stuff from eBay to test. Firstly, the card works. I tested it with an ACR122U to confirm it was working. Reinstalling pm3 and reflashing the firmware seemed to solve the problem this time. The sad part was that none of the new cards I got worked with the pm3, although advertised as CUID rewriteable (did have 1 batch compatible with Mifare Classic Tool).
Offline
Hi, I think I managed to get everything done. The steps I did were:
1) hf mf darkside - found 1 valid key
2) hf mf fchk 1 key- found the key used in A sector zero and B 2 other sectors
3) hf mf nested 1 0 A key - dumped out the key file
4) hf mf dump - to dump the rest
5) hf mf csetuid cloned-uid - set uid to the card being cloned
6) hf mf restore 1 - write everything into the card with the uid
Did I miss anything? It worked successfully with the card that did not need a darkside attack but I can only test this one periodically.......
Btw, I managed to receive a set of cards that work as Gen1a. The only weird thing is that they sometimes report as Gen1b.
Offline