Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
We supply the cards below:
Works exactly like the Mifare S50, with 16 sectors and 4 blocks in each sector, but Sector 0 Block 0, known as the Manufacturer Block, where the chip UID is stored, can be reprogrammed to any UID you wish.
Its advantage:
This is a perfect solution for a lost, irreplaceable Mifare card ID: you don't need to re-enroll new cards. Just program this new Mifare 1K's UID to the UID of the lost card and you have a new, exactly identical card.
Popular applications:
Loyalty
Ticketing
Identification
Access Control
If you need them, please contact us: ouyangweidaxian@live.cn
Offline
Can somebody confirm this?
It's been long expected. However, it would still be interesting information for risk assessment.
Thanks.
Offline
http://www.facebook.com/nethemba/posts/235254083171750
1 minute at google
Pán ouyangweidaxian@live.cn z Číny mi práve ponúkol Changeable UID Mifare Classic 1K karty, jednu za $24. Pri odbere viac ako 100ks zľava.
translation:
Mr. ouyangweidaxian@live.cn from China just offered me Changeable UID Mifare Classic 1K cards, $24 each. Discount when ordering more than 100 pieces.
Offline
I've contacted this "seller" and it's most probably some kind of scam. Quoting, he asked for $24 per card, min 10 cards and I had to buy his reader and his software. Total, more than $300.
Anyway, when I asked for more specs, he said that after payment he would give me more info
=> Spam
Offline
Hey people,
I have ordered three of these cards and can confirm it works. I was able to successfully change the UID and the rest of block 0 (using a few special rfid frames). These cards cost 24USD per piece, which is pretty expensive, but they are real and work fine.
For those who want to test them and have some budget lying around, I recommend trying to order a sample for yourself. The seller will help you with "re-branding" your UID.
Cheers,
Roel
Offline
That's very nice. Do they have ISO 15693 tags with changeable UID?
Offline
I don't know. He told me they were working on a 4KB version, but I heard no plans for support of other ISO standards. I know the ATMEL CryptoRF cards already have programmable PUPI (UID) of ISO 14443B cards. For ISO 15693 I've not found any card yet that has a programmable UID. The proxmark could do this without any problems of course.
Offline
I bought two cards and I'm now waiting for them...
Roel, What software are you using? Do you have some info so as soon as my cards are here, I can play with them?
Also, is the UID only changeable one time, or can you change it as many times as you want?
Thanks!
Offline
roel
Can you post a proxmark sniffed trace of this card here?
Offline
It seems to be modifiable as many times as you can change the memory.
I changed the UID to zeros; this is the tx/rx result using nfc-anticol from libnfc and a tikitag reader.
Tx: 26 (7 bits)
Rx: 02 00
Tx: 93 20
Rx: 00 00 00 00 00
Tx: 93 70 00 00 00 00 00 9c d9
Rx: 18 37 cd
I could make a proxmark trace if you are interested (for timing info?).
Offline
>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how the timings differ when you are reading standard normal mifare s50 cards and this ones?
BTW, can you make a trace
using a few special rfid frames
of changing card's UID?
Who is manufacturer?
Thanks
Last edited by vivat (2011-08-14 09:06:58)
Offline
Can anyone send some sample C code or some program in order to operate with these cards? I'm just waiting for two of them. I'll tell you my results later.
Thanks!
Last edited by moebius (2011-08-16 23:18:06)
Offline
Can anyone who has these cards make a simple dump????
Offline
Hey @vivat! I own some of these cards. What exactly do you need? A simple dump of what? I can change one card's UID and post the frames if you want.
Cheers my friend.
Offline
moebius
I need this trace to see what 'special' rfid frames used to change this card's UID. I'm waiting for it...
Offline
Ok... here you are, reading and writing with the software they provided to me... (20 USD :S but now I think some of you can write some code for pmark or using libnfc...) If not, in a couple of days I'll write some C code...
The UID checksum is really easy to calculate... it's specified in the data sheet... I cloned one card and it's a success, my friends. It's a little expensive but it's worth it.
Successful connection to ACS ACR122 0
<< FF CA 00 00 00
>> 71 43 C4 46 90 00
CARD UID:7143C446
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 05 D4 40 01 30 00
>> D5 41 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02 90 00
Read 0 Block Success.
and now the part where i'm writing the same uid...
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Edit UID Success.
Hope that helps you @vivat !
Offline
I wanted a proxmark sniffed trace
So, it is a program that you have received with card, right?
Last edited by vivat (2011-08-28 17:17:17)
Offline
I've also some cards. Still waiting for an acs reader though (the software provided does not like my touchatag, anyone with success with a touchatag?).
Is that a complete dump of the conversation with the reader through the pc/sc api?
Correct me if I'm wrong but shouldn't we see there an authentication step?
WriteRegister -> PN53X_REG_CIU_TxMode (0x6302)
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
WriteRegister -> CIU_TxMode (0x6302)
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
InDataExchange (Mifare cmd - write sector)
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Offline
It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.
Basically I want to understand the comm process, because their soft is compiled and always uses the default FFFFFFFF key to access block 0, so if you have already cloned one card with other keys and you want to change its UID again, you need to reset its key, change the UID and restore the cloned key.
Give me some time because I'm a little busy with boring stuff. Thanx!
Offline
> It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.
> Give me some time because I'm a little busy with boring stuff. Thanx!
Quoting me... there's no auth to the sector. It's possible to change block 0 with no valid key!!! Really cool cards. I edited this post because I said some wrong stuff about this.
Offline
> moebius wrote:
>> It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.
>> Give me some time because I'm a little busy with boring stuff. Thanx!
> Quoting me... there's no auth to the sector. It's possible to change block 0 with no valid key!!! Really cool cards. I edited this post because I said some wrong stuff about this.
Are you sure of that? I didn't have the same chance, unless I'm doing something wrong, I tried to write on block 0 and no auth without success.
...
Connected to NFC reader: ACS ACR 38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)
lt-nfc-one: DBG pn53x.c:110
lt-nfc-one: InListPassiveTarget
TX: ff 00 00 00 04 d4 4a 01 00
RX: d5 4b 01 01 00 04 08 04 ad 8f 0a 8a 90 00
Found MIFARE Classic card:
ATQA (SENS_RES): 00 04
UID (NFCID1): ad 8f 0a 8a
SAK (SEL_RES): 08
lt-nfc-one: DBG pn53x.c:110
lt-nfc-one: InDataExchange
TX: ff 00 00 00 15 d4 40 01 a0 00 24 ba 8b 3c 29 88 04 00 47 c1 1d 58 a1 00 24 05
RX: d5 41 01 90 00
nfc_initiator_transceive_bytes: Timeout
Writing 1 blocks failed to write trailer block 0
(And of course after trying to read block 0 again it stays unchanged).
+1 For a Proxmark dump trace
Offline
Ok, it works, I'm happy, man. You only have to precede the mifare cmd command with the rest that is shown in the logs. So it is true that you can write to block 0 without authenticating.
e.g.:
pn53x_transceive(pnd, "\x08\x63\x02\x00\x63\x03\x00", 7, NULL, NULL);
pn53x_transceive(pnd, "\x42\x50\x00\x57\xCD", 5, NULL, NULL);
pn53x_transceive(pnd, "\x08\x63\x3D\x07", 4, NULL, NULL);
pn53x_transceive(pnd, "\x42\x40", 2, NULL, NULL);
pn53x_transceive(pnd, "\x08\x63\x3D\x00", 4, NULL, NULL);
pn53x_transceive(pnd, "\x42\x43", 2, NULL, NULL);
pn53x_transceive(pnd, "\x08\x63\x02\x80\x63\x03\x80", 7, NULL, NULL);
And then mifare cmd write... and done!
Now time to decode that... Everything fine and I only blew my proxmark bootloader with tests (I ordered a JTAG to recover, so I'll try to post a trace, but until then please if anyone can do it, go ahead)
Offline
Cool! Do you need all these commands in order to successfully write? Those are very Magic frames by now...
You see! No auth to change the first block. Magic Cards from Magic Chinese Guy! XD
Do you want to write a simple code to include within the PMark? like hf mf changeBlock0 [16 bytes]?
That would be a nice command...
Offline
OK, I screwed up one of my cards
I was playing around with block 0 and i changed it to: 04 8c 55 7b a6 b0 08 04 00 46 59 25 58 49 10 23
and now.. it's now being detected by my readers... only Pmark is able to read it...
Is it possible to send APDU commands directly through the Pmark? Is anyone a very fast developer with SVN access to code something or even better, code this new function to change the block 0 of this Cards?
I think that if i get no answer, I'll work on it, so keep me in the loop if you like the idea..
Thanks!
Offline
phewww... I tricked my reader by putting one OK card in front of the broken one... as soon as it detected the OK one, I removed it, leaving the screwed up one, so the reader was now ready to send commands to it. Normal APDU commands were sent then... and I saved the 25 USD card.
Anyway, I'll try to code some function for PMark to change the block 0 of these cards...
In my first try I thought that by using iso14_apdu(CMD,SIZE, NULL); function between mifare_classic_auth and write block everything would work, but nope
Someone here with a little more knowledge of this maybe could help...
It's technically possible... as someone said in another post.
I can write some code with some guidance, I have some spare time.
Thanks a lot.
Offline
A proxmark snooped conversation for writing.
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: 0: TAG 04 00
+ 1647: : 93 70 44 66 70 3c 6e 72 f2
+ 65: 0: TAG 88 be 59
+ 189650: : 52
+ 4752: : 52
+ 64: 0: TAG 04 00
+ 1646: : 93 70 44 66 70 3c 6e 72 f2
+ 66: 0: TAG 88 be 59
+ 73474: : 50 00 57 cd
+ 57150: : 40
+ 81: 0: TAG 0a!
+ 15717: : 43
+ 66: 0: TAG 0a!
+ 20061: : a0 00 5f b1
+ 65: 0: TAG 0a!
+ 2071: : 44 66 70 3c 6e 88 04 00 47 c1 1d 58 a1 00 24 05 c2 40
+ 2656: 0: TAG 0a!
For reading it is similar. Basically it sends some frames to activate the "backdoor", which allows from that point on to read or write on any sector without authenticating.
Offline
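The frames in the snooped trace above can be checked mechanically. The C below is an added example, not code from this thread, libnfc or the Proxmark firmware: it recomputes the ISO/IEC 14443-3 CRC_A on the sniffed frames and flags the HALT, 40/0a, 43/0a exchange followed by a plaintext write with no authentication command, which is what to look for when reviewing captured reader traffic. The `struct frame` layout and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One sniffed frame: direction plus raw bytes (CRC included where present). */
struct frame { int from_tag; size_t len; uint8_t b[18]; };

/* ISO/IEC 14443-3 Type A checksum (CRC_A): preset 0x6363, low byte sent first. */
static uint16_t crc_a(const uint8_t *d, size_t n) {
    uint16_t crc = 0x6363;
    while (n--) {
        uint8_t b = (uint8_t)(*d++ ^ (crc & 0xff));
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4));
    }
    return crc;
}

/* 1 if the last two bytes are a correct CRC_A over the bytes before them. */
static int crc_ok(const struct frame *f) {
    if (f->len < 3) return 0;
    uint16_t c = crc_a(f->b, f->len - 2);
    return f->b[f->len - 2] == (c & 0xff) && f->b[f->len - 1] == (c >> 8);
}

/* 1 if the frame is a single byte v sent by the given side. */
static int is_byte(const struct frame *f, int from_tag, uint8_t v) {
    return f->from_tag == from_tag && f->len == 1 && f->b[0] == v;
}

/* Index of the first frame after the unlock exchange described in the thread
 * (reader HALT, 40 -> tag 0a, 43 -> tag 0a), or -1 if it is not in the trace. */
static int find_unlock(const struct frame *t, size_t n) {
    for (size_t i = 0; i + 5 <= n; i++)
        if (!t[i].from_tag && t[i].len == 4 && t[i].b[0] == 0x50 &&
            t[i].b[1] == 0x00 && crc_ok(&t[i]) &&
            is_byte(&t[i + 1], 0, 0x40) && is_byte(&t[i + 2], 1, 0x0a) &&
            is_byte(&t[i + 3], 0, 0x43) && is_byte(&t[i + 4], 1, 0x0a))
            return (int)(i + 5);
    return -1;
}

/* 1 if a plaintext write command (a0 <block> + CRC) follows the unlock with
 * no MIFARE authentication command (60 or 61) before it. */
static int unauthenticated_write(const struct frame *t, size_t n) {
    int start = find_unlock(t, n);
    for (size_t i = (size_t)start; start >= 0 && i < n; i++) {
        if (t[i].from_tag || t[i].len != 4 || !crc_ok(&t[i])) continue;
        if (t[i].b[0] == 0x60 || t[i].b[0] == 0x61) return 0;
        if (t[i].b[0] == 0xa0) return 1;
    }
    return 0;
}

/* Constructed sample: frames copied from the snooped trace in this thread. */
static const struct frame TRACE[] = {
    {0, 1, {0x52}}, {1, 2, {0x04, 0x00}},
    {0, 9, {0x93, 0x70, 0x44, 0x66, 0x70, 0x3c, 0x6e, 0x72, 0xf2}},
    {1, 3, {0x88, 0xbe, 0x59}}, {0, 4, {0x50, 0x00, 0x57, 0xcd}},
    {0, 1, {0x40}}, {1, 1, {0x0a}}, {0, 1, {0x43}}, {1, 1, {0x0a}},
    {0, 4, {0xa0, 0x00, 0x5f, 0xb1}}, {1, 1, {0x0a}},
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

int main(void) {
    printf("unlock ends at frame %d, unauthenticated write: %d\n",
           find_unlock(TRACE, TRACE_LEN),
           unauthenticated_write(TRACE, TRACE_LEN));
    return 0;
}
```

The CRC check shows that `57 cd`, `5f b1` and `72 f2` in the trace are the CRC_A of the bytes before them, so `a0 00 5f b1` is an ordinary block 0 write command with its checksum.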
Thanks, dreyercito. I will try to comment these "magic frames" below. However, more proxmark snooped dumps of changing the card's UID are welcome (since I don't have such a card).
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 4752: : 52
+ 64: 0: TAG 04 00
+ 1646: : 93 70 44 66 70 3c 6e 72 f2 // UID is 44 66 70 3c
+ 66: 0: TAG 88 be 59 // SAK is 88, so the manufacturer is Infineon??? http://www.libnfc.org/documentation/hardware/tags/iso14443
+ 73474: : 50 00 57 cd //Halt
+ 57150: : 40 //maybe "magic frames"???
+ 81: 0: TAG 0a! //backdoor???
+ 15717: : 43
+ 66: 0: TAG 0a!
+ 20061: : a0 00 5f b1 //WTF???
+ 65: 0: TAG 0a!
+ 2071: : 44 66 70 3c 6e 88 04 00 47 c1 1d 58 a1 00 24 05 c2 40 //Is it manufacturer block(block0, sector0) contents+CRC?
+ 2656: 0: TAG 0a!
Offline
Don't take into account manufacturer and uid, because that card was already written by some blank I had lying around.
I think it is easier to help oneself with the log of the program, as there are some things that stay hidden from the mifare snoop dump. I hope I didn't decode it wrongly:
1: Operation: WriteRegister -> PN53X_REG_CIU_TxMode (0x6302) and RxMode(0x6303)
Doc:
Bit:   7          | 6 5 4   | 3 2   | 1 0
Field: CRC-enable | TxSpeed | nu nu | TxFraming
Speed:
000: 106 kbps
001: 212 kbps
010: 424 kbps
011: 848 kbps
Framing:
00: Mifare
01: Active
10: Felica
11: 14443B
Write on register 02 = 00 ( TxSpeed = 106 kbps , TxFraming = Mifare, CRC disable)
Write on register 03 = 00 ( RxSpeed = 106 Kbps , RxFraming = Mifare, CRC disable )
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
---------------------------
2: Operation: InCommunicateThru
Send to the card this raw data: 50 00 57 CD
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
---------------------------
3: Operation: WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
TxFraming = 14443B
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
----------------------------
4: Operation: InCommunicateThru
Send to the card this raw data: 40
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
----------------------------
5: Operation: WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
TxFraming = Mifare
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
-----------------------------
6: Operation: InCommunicateThru
Send to the card this raw data: 43
InCommunicateThru
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
-----------------------------
7: WriteRegister -> CIU_TxMode (0x6302) RxMode(0x6303)
CRC-Enable = yes , Speed = 106 kbps , Framing = Mifare
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
-----------------------------
8: InDataExchange (Mifare cmd - write block 0)
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Offline
@Vivat, what are you exactly trying to do? Do you think we can put this functionality inside proxmark? I'm trying to do so but with no luck yet.
Thanks.
Offline
> 2: Operation: InCommunicateThru
> Send to the card this raw data: 50 00 57 CD
50 00 57 CD means 'Halt' command, prooflink:
http://www.proxmark.org/files/index.php … Manual.pdf
This datasheet explains mifare frames. I can't understand your dump you have posted here using nfc-list.
moebius
I want to understand how this backdoor works and maybe code something...Anyway, everybody can post here dumps, upload this software you've bought from chinese guys, share your ideas.
Offline
> 50 00 57 CD means 'Halt' command, prooflink:
> http://www.proxmark.org/files/index.php … Manual.pdf
> This datasheet explains mifare frames. I can't understand your dump you have posted here using nfc-list.
I believe you; I have also read specs where 50 00 is the halt command, but I prefer not to associate any meaning to the frames sent yet (what about the 57 CD?). Anyway, we don't really know what they have implemented in the card. What matters is that these are the series of frames to be sent.
What I posted is not a dump with nfc-list, but the commented communication with the reader.
http://www.nfc-reader.com/NFC-smart-car … ACR122.pdf
http://www.nxp.com/documents/user_manual/141520.pdf
lib-nfc sources
Offline
> what about the 57 CD?
Parity bit+CRC
http://www.google.com/search?q=site%3Ap … 0+00+57+cd
BTW I don't have any libnfc device. I have pm3 instead. Maybe I'll buy SCL3711.
Offline
@Vivat, I bought my SCL3711 from: http://www.javacardsdk.com/ (Futako)
Hope that helps.
Offline
I think you are making the things more difficult than they are.
If you send the halt, then 40, wait for the tag answer and then send 43, I think that is the backdoor: only 40 and 43.
Offline
I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).
Committed as rev 1124.
Note that this only works on the *special* Chinese clone cards discussed earlier in this thread.
cheers,
Adam
Last edited by adam@algroup.co.uk (2011-09-06 10:44:11)
Offline
> I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).
> Unfortunately my commit status appears to have vaporised, so until I get that sorted out, you can pick it up here:
> http://www.rfidiot.org/libnfc-r1123-setuid.diff
> cheers,
> Adam
Wait.. ANY card? Or just the special cards from this magic Chinese?
Offline
> adam@algroup.co.uk wrote:
>> I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).
> Wait.. ANY card? Or just the special cards from this magic Chinese?
I've amended my original post to make it clearer - this is just for the Chinese copies.
Last edited by adam@algroup.co.uk (2011-09-06 10:46:22)
Offline
Thanks!
Works like a charm and Out of the box
Offline
I've just bought a changeable UID mifare card.
I have a proxmark3, but I don't have any other devices that can access the card.
I tried to change the UID using proxmark3 with the command "hf mf wrbl 0 XXXX"
but it failed to change.
Can anyone help here?
I'm new to this.
Thanks!
Offline
Hi,
Now it's possible to work with "magic Chinese" card.
http://code.google.com/p/proxmark3/source/detail?r=585
enjoy)
Offline
new release http://code.google.com/p/proxmark3/source/detail?r=588.
topic for release http://www.proxmark.org/forum/viewtopic … 5678#p5678
Last edited by merlok (2012-07-05 12:07:23)
Offline
I have tried to program some of the block 0 data.
As I see it:
first 4 bytes - UID
1 byte - UID BCC
1 byte - SAK
2 bytes - ATQA (as it is in the field - 0x40 0x00 - sample!)
I don't understand what comes next. Does anyone know what these next bytes (8) do?
As I see it, this card can't work with a 7-byte UID? I have tried to fill block 0 with one from a mifare classic with 7-byte UID and I can't get it to work.
Offline
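The block 0 layout listed in the post above, as an added C example (not code from the thread or from any tool mentioned in it) that splits a 16-byte block 0 image from a dump into those fields and runs three consistency checks. The function and type names are assumptions, the expected SAK of 08 is taken from the nfc-list output earlier in the thread, and two of the four sample images are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block 0 of a 4-byte-UID card, laid out as in the post above:
 * UID(4) | BCC(1) | SAK(1) | ATQA(2) | remaining bytes(8). */
struct block0 { uint8_t uid[4], bcc, sak, atqa[2], rest[8]; };

enum b0_status { B0_OK, B0_BAD_BCC, B0_CASCADE_TAG, B0_UNEXPECTED_SAK };

/* Split a 16-byte block 0 image into fields and check it for consistency.
 * expected_sak is what the card type should report (assumed 08 for a 1K). */
static enum b0_status check_block0(const uint8_t raw[16], uint8_t expected_sak,
                                   struct block0 *out) {
    memcpy(out->uid, raw, 4);
    out->bcc = raw[4];
    out->sak = raw[5];
    memcpy(out->atqa, raw + 6, 2);
    memcpy(out->rest, raw + 8, 8);
    /* BCC must equal the XOR of the four UID bytes. */
    if ((uint8_t)(raw[0] ^ raw[1] ^ raw[2] ^ raw[3]) != raw[4])
        return B0_BAD_BCC;
    /* 0x88 is the ISO/IEC 14443-3 cascade tag and is not valid as the
     * first byte of a 4-byte UID. */
    if (raw[0] == 0x88)
        return B0_CASCADE_TAG;
    if (raw[5] != expected_sak)
        return B0_UNEXPECTED_SAK;
    return B0_OK;
}

/* Block 0 as read back in the reader log earlier in the thread. */
static const uint8_t FROM_LOG[16] = {0x71, 0x43, 0xc4, 0x46, 0xb0, 0x08, 0x04,
    0x00, 0x46, 0x59, 0x25, 0x58, 0x49, 0x10, 0x23, 0x02};
/* Block 0 from the "screwed up one of my cards" post: the BCC is consistent,
 * but the byte in the SAK position is b0. */
static const uint8_t FROM_BROKEN_POST[16] = {0x04, 0x8c, 0x55, 0x7b, 0xa6, 0xb0,
    0x08, 0x04, 0x00, 0x46, 0x59, 0x25, 0x58, 0x49, 0x10, 0x23};
/* Constructed: FROM_LOG with the BCC byte changed from b0 to b1. */
static const uint8_t BAD_BCC[16] = {0x71, 0x43, 0xc4, 0x46, 0xb1, 0x08, 0x04,
    0x00, 0x46, 0x59, 0x25, 0x58, 0x49, 0x10, 0x23, 0x02};
/* Constructed: UID starting with the cascade tag, BCC otherwise correct. */
static const uint8_t CASCADE[16] = {0x88, 0x04, 0x00, 0x00, 0x8c, 0x08, 0x04,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

int main(void) {
    const uint8_t *img[] = {FROM_LOG, FROM_BROKEN_POST, BAD_BCC, CASCADE};
    struct block0 b;
    for (size_t i = 0; i < sizeof img / sizeof img[0]; i++) {
        int st = (int)check_block0(img[i], 0x08, &b);
        printf("uid %02x%02x%02x%02x bcc %02x sak %02x atqa %02x %02x -> %d\n",
               b.uid[0], b.uid[1], b.uid[2], b.uid[3], b.bcc, b.sak,
               b.atqa[0], b.atqa[1], st);
    }
    return 0;
}
```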
Thank you merlok for adding this feature to the Proxmark.
I am wondering (sorry if the manufacturer of those "magic cards" feels offended):
How are these "magic cards" made?
My guess is that there is physical modification of the chip (?)
And I am sure that there is some hard work behind this changeable UID because these kinds of prices are always justified in China...
Offline
It is a physical modification of the chip.
A backdoor was added into its schematics.
Offline
Why do you need a special reading command for these Chinese cards? Can't regular mifare readers read them?
Is it possible to completely rewrite block 0 of these cards, or only the 4-byte UID?
I don't know what those last 8 bytes in block 0 are, but one of my cards I got with a simple reader from eBay has the values: 62 63 64 65 66 67 68 69. Very strange.
Offline
1 because there is a "special" card functionality. yes
2 complete block
Last edited by merlok (2012-07-07 08:31:32)
Offline
> Why do you need a special reading command to this chinese cards? Can't regular mifare readers read them?
AFAIK the new commands allow reading and writing without a specified key (you may read from a card with unknown keys).
Offline
Anyone know of a different place to buy these cards where they are a bit cheaper?
Offline
> Anyone know of a different place to buy these card where they are a bit cheaper?
Try searching on Chinese websites like AliExpress.
Offline
Sorry to resume this thread but, from what I understood, the correct "magic" sequence is this:
50 00 57 CD (halt command + CRC) and no answer from the TAG
40 (TAG answer 0A)
43 (TAG answer 0A)
From now on I can send read-write commands without authenticating? For example:
A0 00 + 16-byte manufacturer block (to write block 0)
and
30 00 (to read block 0)
both without a 2-byte CRC?
Offline