Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-11-14 03:18:13

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

error writing uid to gen1a card.

Hi, im using the provided card from my pm3 rdv kit.

searching gives this

proxmark3> hf sea u
         
UID : 72 10 53 3c           
ATQA : 00 04         
SAK : 08 [2]         
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1         
proprietary non iso14443-4 card found, RATS not supported         
Chinese magic backdoor commands (GEN 1a) detected         
Prng detection: WEAK 

however when writing a uid,i get an error
proxmark3> hf mf csetuid 11111111
uid:11 11 11 11           
Chinese magic backdoor commands (GEN 1a) detected         
old block 0:  72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d           
new block 0:  11 11 11 11 00 08 04 00 01 6f 01 6d 45 68 f8 1d           
#db# write block send command error         
Can't set block 0. Error: 2         
Can't set UID. Error=2     

Is there a step i missed so far? Based on what i read, shouldnt the gen1a card be writeable using cetsuid?

Offline

#2 2019-11-14 08:47:14

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: error writing uid to gen1a card.

sojourner wrote:

Hi, im using the provided card from my pm3 rdv kit.

searching gives this

proxmark3> hf sea u
         
UID : 72 10 53 3c           
ATQA : 00 04         
SAK : 08 [2]         
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1         
proprietary non iso14443-4 card found, RATS not supported         
Chinese magic backdoor commands (GEN 1a) detected         
Prng detection: WEAK 

however when writing a uid,i get an error
proxmark3> hf mf csetuid 11111111
uid:11 11 11 11           
Chinese magic backdoor commands (GEN 1a) detected         
old block 0:  72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d           
new block 0:  11 11 11 11 00 08 04 00 01 6f 01 6d 45 68 f8 1d           
#db# write block send command error         
Can't set block 0. Error: 2         
Can't set UID. Error=2     

Is there a step i missed so far? Based on what i read, shouldnt the gen1a card be writeable using cetsuid?


I dont think so, please get a genuine Gen1 card please!!!

Offline

#3 2019-11-14 09:49:35

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

yukihama wrote:
sojourner wrote:

Hi, im using the provided card from my pm3 rdv kit.

searching gives this

proxmark3> hf sea u
         
UID : 72 10 53 3c           
ATQA : 00 04         
SAK : 08 [2]         
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1         
proprietary non iso14443-4 card found, RATS not supported         
Chinese magic backdoor commands (GEN 1a) detected         
Prng detection: WEAK 

however when writing a uid,i get an error
proxmark3> hf mf csetuid 11111111
uid:11 11 11 11           
Chinese magic backdoor commands (GEN 1a) detected         
old block 0:  72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d           
new block 0:  11 11 11 11 00 08 04 00 01 6f 01 6d 45 68 f8 1d           
#db# write block send command error         
Can't set block 0. Error: 2         
Can't set UID. Error=2     

Is there a step i missed so far? Based on what i read, shouldnt the gen1a card be writeable using cetsuid?


I dont think so, please get a genuine Gen1 card please!!!

Hi, this was the one provided with the pm3 kit. Is there a reliable source of these cards? It seems like a hit and miss affair on aliexpress and ebay.

Offline

#4 2019-11-14 20:33:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

could be access rights set for block0..  but that shouldn't be considered when using the backdoor commands

Offline

#5 2019-11-14 21:20:34

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: error writing uid to gen1a card.

What happens if you try with the card a little futher away from the reader?

Offline

#6 2019-11-15 03:10:35

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

iceman wrote:

could be access rights set for block0..  but that shouldn't be considered when using the backdoor commands

is there any way to turn that off?

Offline

#7 2019-11-15 04:02:00

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

mwalker wrote:

What happens if you try with the card a little futher away from the reader?

raised the card abt 10 cm above, no difference.

Offline

#8 2019-11-15 05:33:18

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: error writing uid to gen1a card.

Is this the original repo (not the rrg) ?
A quick look at the code, seem to show this line as the "fail point".

if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != CARD_ACK)) {
            if (MF_DBGLEVEL >= 1)   Dbprintf("write block send command error");

mifare_sendcmd_short return code looks like it returns the number of bytes back from the card.

So, if this is correct, it seems the error will be the card is returning more then 1 byte
OR
the answer from the card is not the CARD_ACK

Do normal card/mifare reads and writes work on that card ?

e.g. (and linking back to @icemans comment)
can you do a normal read of block 3 ?

If you can write FFFFFFFFFFFFFF078069FFFFFFFFFFFF
to block 3, that should set the permissions for sector 0 back to default with A and B key set to FFFFFFFFFFFF

Last edited by mwalker (2019-11-15 05:42:38)

Offline

#9 2019-11-15 06:45:47

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

mwalker wrote:

Is this the original repo (not the rrg) ?
A quick look at the code, seem to show this line as the "fail point".

if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != CARD_ACK)) {
            if (MF_DBGLEVEL >= 1)   Dbprintf("write block send command error");

mifare_sendcmd_short return code looks like it returns the number of bytes back from the card.

So, if this is correct, it seems the error will be the card is returning more then 1 byte
OR
the answer from the card is not the CARD_ACK

Do normal card/mifare reads and writes work on that card ?

e.g. (and linking back to @icemans comment)
can you do a normal read of block 3 ?

If you can write FFFFFFFFFFFFFF078069FFFFFFFFFFFF
to block 3, that should set the permissions for sector 0 back to default with A and B key set to FFFFFFFFFFFF

proxmark3> hf mf rdbl 3 a ffffffffffff
--block no:3, key type:A, key:ff ff ff ff ff ff           
#db# auth uid: 7210533c | nr: 0020fc18 | nt: 01200145         
#db# READ BLOCK FINISHED         
isOk:01 data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff           
Trailer decoded:         
Access block 0: read AB; write AB; increment AB; decrement transfer restore AB         
Access block 1: read AB; write AB; increment AB; decrement transfer restore AB         
Access block 2: read AB; write AB; increment AB; decrement transfer restore AB         
Access block 3: write A by A; read ACCESS by A write ACCESS by A; read B by A; write B by A         
UserData: 69         

was this what u meant by reading block 3 normally?

Offline

#10 2019-11-15 07:04:49

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: error writing uid to gen1a card.

Yes and the access bits look like defaults which clears that up.
So the puzzle continues.

Offline

#11 2019-11-15 07:57:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

try  using the c readcommand.

hf mf cgetblk 3
hf 14a list

Offline

#12 2019-11-15 10:18:43

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

iceman wrote:

try  using the c readcommand.

hf mf cgetblk 3
hf 14a list

hi, output below

proxmark3> hf mf cgetblk 3
Chinese magic backdoor commands (GEN 1a) detected         
--block number: 3           
block data:72 10 53 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d           
Trailer decoded:         
Key A: 7210533c0d08         
Key B: 016d4568f81d         
Access block 0: read AB         
Access block 1: read AB; write AB; increment AB; decrement transfer restore AB         
Access block 2: read AB; write AB; increment AB; decrement transfer restore AB         
Access block 3: read A by A; read ACCESS by A; read B by A; write B by A         
UserData: 6f         
proxmark3> hf 14a list
Deprecated command, use 'hf list 14a' instead         
proxmark3> hf list 14a
Recorded Activity (TraceLen = 95 bytes)         
         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
         
      Start |        End | Src | Data (! denotes parity error, ' denotes short bytes)            | CRC | Annotation         |         
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|         
          0 |        992 | Rdr | 40'                                                             |     | MAGIC WUPC1         
       2500 |       3076 | Tag | 0a'                                                             |     |           
       7040 |       8352 | Rdr | 43                                                              |     | MAGIC WUPC2         
       9540 |      10116 | Tag | 0a'                                                             |     |           
      14080 |      18848 | Rdr | 30  00  02  a8                                                  |  ok | READBLOCK(0)         
      20036 |      40900 | Tag | 72  10  53  3c  0d  08  04  00  01  6f  01  6d  45  68  f8  1d  |     |           
            |            |     | 5b  e0                                                          |  ok |           
      42624 |      47392 | Rdr | 50  00  57  cd

Offline

#13 2019-11-15 17:36:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

Very strange that the uid part failes.  It could be one of those UFUID cards,  which can write block0 but become locked and then is a Gen1A but without block 0 writes.  Bizarr hybrid..

Offline

#14 2019-11-16 01:19:01

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

iceman wrote:

Very strange that the uid part failes.  It could be one of those UFUID cards,  which can write block0 but become locked and then is a Gen1A but without block 0 writes.  Bizarr hybrid..


In that case what can i do? i ordered some more cards from ebay but they won't be arriving for a while. Kinda puzzled why the provided card had problems.

Offline

#15 2019-11-16 08:32:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

You have to ask your seller what kind and if the card has special other commands or need special software to use.
Or you could also have gotten a bad card...  How knows?   The market is filled with strange behaving magic cards nowdays.

Offline

#16 2019-11-18 03:55:10

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

hi, i got this from a friend who bought from the kickstarter. Ill wait for the ebay cards to arrive to do another test.

Offline

#17 2019-11-18 16:25:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

Hm,  those tags shouldn't be problematic at all.  Lets see what happens with you get yr new cards.

Offline

#18 2019-11-22 22:01:06

oaktree
Contributor
Registered: 2019-11-22
Posts: 3

Re: error writing uid to gen1a card.

I've actually experienced the same issue as the OP with two different cards. The first came with my Proxmark3 RDV2 and the second card,  I managed to ruin was from lab401

https://lab401.com/collections/rfid-bad … -write-uid

I have two screenshots from my earlier failed attempt. I'm sorry for the links I took these screenshots earlier and do not have access to the terminal prompt. 

Reading of card data prior to attempt to clone
https://imgur.com/nOpHCyb

Setting of UID
https://imgur.com/gccrwOH

This is very much just in time learning, so I'm sure there is a lot I may have missed.

lastly, confirming what I read in this forum earlier. I was able to read the magic card with most reliability when I held it slightly above the the proxmark3.

So in closing, any idea what I did wrong and how to recover the two cards I have bricked?

Thank you!

Offline

#19 2019-11-24 12:50:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

You seem to have a fw/client missmatch.  Make sure you use same fw/client from the same compilation time or if you use pre-compiled binary distro by gator9600

Offline

#20 2019-12-07 03:41:56

oaktree
Contributor
Registered: 2019-11-22
Posts: 3

Re: error writing uid to gen1a card.

Thanks for the reply. How did you determine that my client is incorrect? I am not doubting it, but curious what led you to make that suggestion? 

Where would be the appropriate place to get the pre-compiled software? THe github page for Gator appears to be the source code.

output of HW Version --> Which absolutely shows RDV40 and I have an RDV3.

[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;

bootrom: /-suspect 2015-11-19 10:08:02
os: master/v3.1.0-158-gd3bcdbd-suspect 2019-11-13 18:42:18
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/10/15 at 18:34:30
SmartCard Slot: not available

Offline

#21 2019-12-08 15:19:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: error writing uid to gen1a card.

The latest RRG/Iceman repo client doesn't have that output. So you are not running latest source.
Your bootrom is way old compared with your fullimage, which indicate an older iceman fork v3.1.0 version.
Hence, you have a mixed setup.


You find the right links in the Windows client section.
http://www.proxmark.org/forum/viewtopic.php?id=3975

Offline

#22 2019-12-09 10:36:57

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

hi, just got a bundle of stuff from ebay to test. Firstly the card works. I tested it with a acr122u to confirm it was working. reinstalling pm3 and reflashing the firmware seem to solve the problem this time. The sad part was none of the new cards i got was working with the pm3 although advertised as cuid rewriteable (did have 1 batch compatible with Mifare classic tool).

Offline

#23 2019-12-10 05:54:43

sojourner
Contributor
Registered: 2019-11-13
Posts: 11

Re: error writing uid to gen1a card.

hi, i think i managed to get everything done. the steps i did was
1)  hf mf darkside - found 1 valid key
2)  hf mf fchk 1 key- found the key used in A sector zero and B 2 other sectors
3)  hf mf nested 1 0 A key - dumped out the key file
4)  hf mf dump - to dump the rest
5)  hf mf csetuid cloned-uid - set uid to the card being cloned
6)  hf mf restore 1 - write everything into the card with the uid

Did i missed anything? It worked successfully with the card that did not need a darkside attack but i can only test this one periodically.......

btw managed to receive a set of cards that works as gen1a. the only weird thing is it sometimes report itself as gen1b.

Offline

Board footer

Powered by FluxBB