Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I'm looking for a shop where I can buy a MIFARE Classic 7-byte Chinese card whose 7-byte UID can be changed. Tell me, please, where such cards are available and where to buy them?
I have looked on AliExpress and eBay, but found nothing there.
Offline
Hello
I'm not aware of any manufacturer that is _publicly_ advertising such a product,
but I know that some of them are able to provide such a product if they are _requested_,
but then be prepared for a price which can grow nowhere near the actual ridiculous price of the 4's ones.
If you find a manufacturer publicly offering Chinese Magic cards with a specific feature such as 4k instead of 1k, these are good candidates to ask for what you need.
As I don't know their rules on this matter, and as there might be a good reason for not advertising these publicly, you'll have to take this information as enough to go on.
Offline
There are forum users who have posted that they have gotten hold of 7byte uid magic 1k/s50 tags from AliExpress or Taobao.
It would be nice to know which suppliers actually have these cards or not.
Offline
Iceman1001, the information I gave is somehow a confident way of finding such a supplier, and since I don't think that not advertising these is just a little error, I don't really think that having such a list of suppliers would be good.
Don't know about Taobao, but AliExpress suppliers have been so reliable that even just the fact that these 7-byte cards are not reliable enough (stock-wise or quality-wise) is a complete argument for that.
Making such a list can also seem to any reader to be some sort of warranty, since these are rare on the market.
But since any supplier having a "less evident" Chinese card than the 1k S50 4-byte (like a 4k one) is a good try, a short mail being enough to obtain one, I would personally not make such a list.
---- Digression on real-world card appearance
Also, are the 7-byte Classic cards (not even Chinese) used that often?
I think I've never seen one in a real-world implementation. 4-byte Mifare 1k is king, Ultralight is too for coffee and vending machines, with the exception of the Plus replacing the Ultralight after 10 years of stolen coffee and tomato soup, the LF EMx being king of big companies' old or historical infrastructures, and then again, Mifare 1k with a complex key-derivation scheme and a more or less better RNG being deployed on the new systems... yes, choosing Mifare S50 because LF are too easy to still. In 2016.
I've only seen companies like telecom and network or Internet providers using anything near Desfire and so on.
Offline
Let's see,
-- ULTRALIGHT / ULTRALIGHT-C
7byte UL magic gen1
7byte UL magic gen2
7byte UL-C magic gen2
-- s50
4byte uid, 1k / s50 magic gen1
4byte uid, 1k / s50 magic gen2
7byte uid, 1k / s50 magic ??
-- s70
4byte uid, 4k / s70 magic gen2
There have been a lot of questions on magic tags, which generation, and last year the 7byte questions started to pop up on the forum.
Threads seem to say:
- that a Mifare Plus tag in a certain configuration can act like a 1k/s50 tag but with a 7byte uid.
- Newer Mifare 1k/s50 tags (with hardened prng) have been found with a 7byte uid.
It comes down to in what scenarios you should use which magic tag and why. A short recap of them.
- magic tag generation 1, needs special Chinese backdoor commands. These are 7bits cmds and NFC-enabled phones can not use them.
- magic tag generation 2. Only needs a normal write command to write to block0. NFC-enabled phones can use this one, but some phones might not be able to write to block 0 because of software limits anyway.
Proxmark3 doesn't have these limits and can use both sorts of tags.
There are talks about creating a magic tag generation 3 among chip manufacturers. I'm not sure what this would imply.
I have seen Mifare UL/UL-C magic generation 1 and 2 tags. The gen1 is a new strange thing.
Offline
Iceman, I must correct the wording already seen everywhere about "Gen" of Magic UIDs, and what seems to be the state of such cards.
Also, at the end of this: hints about what you seem to call the "Gen3" wannabe.
Block0-writable cards came to the market after the backdoored ones, for sure, but this wording seems to imply that Gen2 are better.
Not at all, and reputable vendors make a strong distinction between "UID Writable", "Block 0 Writable" and so on, referring to what you call a "Gen2 card", and "Backdoored" / "Magic Backdoor" / "Magic Special" and some other names, referring to what you call a Gen1 card.
Gen1 cards come from nowhere near the same production process as Gen2 cards and, depending on the vendor, might differ strongly in price, as they do not have the same quality or reliability at all.
Gen2 cards have so many problems I can't remember them all, from suddenly being nothing but a Classic S50 to being "just block 0 writable", the last one being the most absurd, since it means that if you lose the key for sector 0, then you won't be able to write to block0 because, even if writable, it _NEEDS_ authentication in the same way as a normal S50.
But as it will for sure not be vulnerable to darkside or even nested, as I've seen, you then have nothing but a plastic card with a fixed UID.
It seems that some "Gen2" are only "S50" which were made available before the one-time programmable bits were consumed, and that with these you can only program the manufacturer block yourself and then it is nothing more than a classic S50.
Some Gen2 will be "writable on any block whatever the condition".
Gen2 were made because there was a market, and were made to be as simple as possible, thus not needing a backdoor, easy to use, intended for script kiddies, with no quality control at all.
What is sure is that Gen1 is the only one that is reliable in terms of both quality and behavior, and it comes from a totally different process. This S50 Chinese card is at least as good as a real one in every aspect, and nothing comparable.
Also, I'm now in possession of some "New-Gen1" cards (well, not cards but bare wire loop + chip) which more than ever clearly aim at being _IMPERSONATORS_:
- It needs the same backdoor commands as usual, but it will respond to them in the same way as a real S50 would, something I've seen only when "hf search" assured me these were not compatible with Gen1 Magic Commands or, depending on the build, "are provoking halt errors"
- Will not permit a write of block0 if it is not done immediately after the backdoor sequence
- The backdoor sequence opens full no-auth write permission only if subsequent writes are done in order and immediately after block0, which in fact means that you rewrite the whole thing in order or you don't, so no un-authed rewrite of block63 only
- Can act as 1k or more depending on other pre-configuration made with new backdoor commands, for which I still struggle to get the whole list or an understanding, since it will never respond to them in any way the original Mifare won't
- Is vulnerable to the Darkside attack if configured to be, which is the case when first delivered!!
And so on.
As I understand it, as a very quick fix for detecting such Chinese clones, some readers started implementing the backdoor sequence and then writing un-authed to known block values to detect Chinese clones, report the stolen UID to the PC-securite, etc.,
which is quite a good response at nearly no cost.
I'm keeping an eye on the new buildings coming up here and there for any new VIGIK-approved central unit which may show this behaviour, as it would be important news which should be known.
Just for the record, all recent VIGIK readers here are now so strict on timings that it is totally impossible to get the PM3 working with them in emulation mode.
So there is a lot more here than just making a distinction between "Gen 1 / Gen 2": a whole complex market of different qualities and manufacturers.
Offline
Oh, and to identify such differences between chips, it would be useful to list:
- Their identifiable printing on the flat side of the chip (you may have to dissolve one in acetone if you only have the tag)
- The notable differences on the chip, and also regarding the loop.
As an example, ElecHouse gives "combo stickers" with a bare T55x tag and an S50 UID tag in the same sticker. The best "Gen1" S50 Chinese tags I had are, funnily, really close to the T55x given by EH, whereas they have nothing in common with the chip we can see nor the copper-wire fragility of the S50 tag.
Offline
I agree with you. Gen1 / Gen2 is to be seen as a classification. Within these there are differences among the chipsets. Not many end users understand those anyway, hence we fall back to the generalised classifications.
A Gen2 tag can be bricked quite easily and Gen1 tags are easily identified as magic, so countermeasures in valid readers exist.
It might be a good lua-script to test which quirks / chipset one's magic tag has/is. With the sending of ACKs, NACKs, block0 writeable, can run darkside attack on it, etc.
Offline
Did I miss anything here that might lead to lua-scripting it?
It seems that everything needed already exists in firmware and client?
Since you think (and when it comes to making anything short and useful, I agree with you) that we are to keep relying on the Gen1/Gen2 classification, then it's just a matter of a little update of the "hf search" command? But Gen1 is already identified; Gen2 would be by trying to write over a known block0 with the same properties as ATQ/SAK/UID/BCC, with the "manufacturer info" being lost as a consequence,
but still it would:
- make an "otp" Gen2 unusable from then on.
- leave the "New Gen1" impersonator somehow undetected
Nothing more useful here than a good old try of writing to it, which is the ineluctable fate of these Chinese cards?
So, back to the list, I think that the "Gen2" could be subclassed quickly, as an OTP Gen2 is strongly different from any other,
and that Gen1 could be annotated with the "overall quality" of the tag, since good Gen1 have really good antennas, no surprises in behavior, and an overall "feel" of quality being the same as MifeOne. I mean, a product which is * reliable * should be flagged as such; if not, there is no point in such a list. I should point out that I have never used nor encountered any U-L Magic tag of any sort.
Also, there are some "American Magic M1" at crazy prices, somewhere between $25 or even $50, that I remember being advertised. What about them?
Offline
Identifying Gen1 cards seems to be as easy as looking at product photos:
https://fr.aliexpress.com/store/product/10pcs-RFID-card-UID-changeable-nfc-card-with-block-0-mutable-writable-for-mf1-1k-s50/915184_32637357438.html
A lot of vendors seem to give screenshots which show in one way or another whether it is a backdoored Gen1 or not, and we cannot rely on the "marketed" description.
Offline
OneTimePad (OTP)? I have never seen a Gen2 which behaves like that.
And how on earth do you identify the card in the picture in the ad as Gen1? It's completely white.
Offline
Iceman, I laughed so hard... the 4th photo is a screenshot of the TraceLog... where we clearly see backdoor commands.
I may be a little special, but still I can't identify a Chinese card by looking at pictures of a white plastic card, haha.
OTP Gen2 is my abusive name for "what could seem to be Gen2 but will only work ONE time": these are in fact _real_ S50 which have been made available _before_ block0 was programmed. Then, as the normal implementation for making block 0 not writable is the use of "One Time Programmable" bits, as soon as you write block0 for the first time, it is not writable anymore.
This has nothing to do, finally, with any kind of Chinese Magic UID, but I have seen batches of these on the market.
Offline
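What the backdoor exchange discussed in this thread looks like in a reader/tag trace, and how to flag it automatically. This is an added example, not code from any poster or from the Proxmark3 project; the event tuples are a simplified, constructed format, and the command bytes (0x40 as a 7-bit frame, then 0x43) are the commonly documented Gen1 values, which the thread itself does not list.

```python
ACK = b"\x0a"  # 4-bit MIFARE ACK

# Constructed traces (not real captures). Event = (source, bit_length, payload);
# CRC bytes are left out to keep the samples short.
GEN1_TRACE = [
    ("rdr", 16, b"\x50\x00"),  # HALT
    ("rdr", 7, b"\x40"),       # first backdoor command, 7-bit short frame
    ("tag", 4, ACK),
    ("rdr", 8, b"\x43"),       # second backdoor command
    ("tag", 4, ACK),
    ("rdr", 16, b"\xa0\x00"),  # WRITE block 0 with no AUTH before it
    ("tag", 4, ACK),
]
SILENT_TRACE = [
    ("rdr", 16, b"\x50\x00"),
    ("rdr", 7, b"\x40"),       # probe sent, tag stays silent
    ("rdr", 7, b"\x26"),       # reader falls back to REQA
    ("tag", 16, b"\x44\x00"),  # ATQA
]
NORMAL_TRACE = [
    ("rdr", 7, b"\x26"),
    ("tag", 16, b"\x44\x00"),
    ("rdr", 16, b"\x60\x00"),  # AUTH with key A, block 0
]


def scan_trace(trace):
    """Walk a trace and report how far a Gen1 backdoor exchange got."""
    found = {"probed": False, "unlocked": False, "unauth_block0_write": False}
    stage = 0  # 0 idle, 1 0x40 sent, 2 0x40 ACKed, 3 0x43 sent, 4 unlocked
    for src, bits, data in trace:
        if src == "rdr" and (bits, data) == (7, b"\x40"):
            found["probed"], stage = True, 1
        elif stage == 1 and (src, bits, data) == ("tag", 4, ACK):
            stage = 2
        elif stage == 2 and (src, bits, data) == ("rdr", 8, b"\x43"):
            stage = 3
        elif stage == 3 and (src, bits, data) == ("tag", 4, ACK):
            stage, found["unlocked"] = 4, True
        elif stage == 4 and src == "rdr" and data[:2] == b"\xa0\x00":
            found["unauth_block0_write"] = True
        elif stage == 4 and src == "tag":
            pass  # tag replies do not end the unlocked state
        else:
            stage = 0  # anything out of sequence resets the detector
    return found


def verdict(trace):
    """Summarise a trace as one of three outcomes."""
    found = scan_trace(trace)
    if found["unlocked"]:
        return "gen1-backdoor-answered"
    return "probe-unanswered" if found["probed"] else "no-probe"
```

A "probe-unanswered" result only says the tag stayed silent: a genuine S50, a block-0-writable tag and the silent "New-Gen1" variant described earlier in the thread all look the same to this check.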
Aha, thank heavens for that. I was worried that I was missing something very obvious.
A picture of a trace output doesn't really make me comfortable deciding whether it's showing the backdoor commands. It's when I use the card that I know.
This is the first I've heard of tags that are genuine and sold before block0 was programmed. Really hard to tell the difference, and you can only use them once. A good clone if you have that purpose, since a valid reader will not be able to tell the difference.
I will not call it OTP Gen2; I see how your thoughts go, but it's still confusing.
The UL and UL-C magic tags have several ways of being identified as magic. Quite misbehaving tags.
Offline
To close on the "otp gen2" case: this is not confusing, but only a way of not clearly stating that there seems to be a circuit of genuine, not finalized MifeOne on the market. I just wanted to state their existence, as they _would_ be compared as somehow "gen2"... but one time.
Anyway, as for the trace output as a screenshot, these are a clear clue of what the real product is, and are not made available for anything else but to inform the already informed.
Backdoored Gen1 are almost never advertised as such, but the "precision" is "hidden" in the obvious screenshot. Other screenshots from other vendors will, like this, clearly show a direct block0 write in some way, making it a way of saying it without doing so.
Just contact one of these vendors about a product with such a screenshot, and magically all is really, really more clear.
As for AliExpress, two of them have gained so much reputation from their Mifare tags that they won't risk any lie on this. And they have valuable knowledge to be privately discussed, if you can get through their English limit.
Offline
I have got myself a 7byte UID card here..
FYI, this is a real-world implementation for a condominium gated access!
Any way to make a Chinese magic card report a 7-byte UID?
I tried copying the entire block 0 of this card into a magic card; that bricked the card since the BCC is invalid.. LOL
Would be nice if someone can hook me up with a 7byte changeable UID seller.
I can read/write native Chinese as well as good English, so I am fine shopping on taobao.com too..
proxmark3> hf search
UID : 04 8b 50 82 f4 38 80
ATQA : 00 44
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
MANUFACTURER : NXP Semiconductors Germany
SAK incorrectly claims that card doesn't support RATS
ATS : 0c 75 77 80 02 c1 05 2f 2f 01 bc d6 60 d3
- TL : length is 12 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : c1 05 2f 2f 01 bc d6 -> MIFARE Plus X 2K or 4K
c1 -> Mifare or (multiple) virtual cards of various type
05 -> Length is 5 bytes
2x -> MIFARE Plus
2x -> Released
x1 -> VCS, VCSL, and SVC supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3>
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:04 8b 50 82 f4 38 80 08 44 00 12 01 11 00 15 14
Is there still a BCC byte in the 7 byte UID?
Last edited by phiber (2016-10-11 10:27:11)
Offline
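Why the block 0 dump above fails when read with the 4-byte layout, and where the BCC sits for a 7-byte UID, worked through on the bytes from the post. This is an added example, not code from the poster or the Proxmark3 project; the SAK/ATQA positions in the 7-byte layout are taken from this one dump, and `SAMPLE_4BYTE` is a constructed value.

```python
from functools import reduce

CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag sent in cascade level 1

# Block 0 as read in the post above (hf mf rdbl 0).
PAGE_BLOCK0 = bytes.fromhex("048b5082f43880084400120111001514")
# Constructed 4-byte-UID block 0: UID 01020304, BCC 04, SAK 08, ATQA 0004.
SAMPLE_4BYTE = bytes.fromhex("01020304040804006263646566676869")


def bcc(data: bytes) -> int:
    """Block check character: XOR of the bytes it protects."""
    return reduce(lambda a, b: a ^ b, data, 0)


def parse_block0(block: bytes, uid_len: int) -> dict:
    """Interpret a 16-byte MIFARE Classic block 0 as a 4- or 7-byte UID layout."""
    if len(block) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    if uid_len == 4:
        # Layout: UID(4) | BCC(1) | SAK(1) | ATQA(2, low byte first) | vendor data
        uid, stored = block[:4], block[4]
        return {
            "uid": uid.hex(),
            "stored_bcc": stored,
            "expected_bcc": bcc(uid),
            "bcc_ok": stored == bcc(uid),
            "sak": block[5],
            "atqa": block[6:8][::-1].hex(),
        }
    if uid_len == 7:
        # No BCC is stored in block 0. The two BCCs exist only on the air:
        # cascade level 1 covers CT + UID0..2, cascade level 2 covers UID3..6.
        uid = block[:7]
        return {
            "uid": uid.hex(),
            "bcc_cl1": bcc(bytes([CASCADE_TAG]) + uid[:3]),
            "bcc_cl2": bcc(uid[3:]),
            "sak": block[7],                   # position assumed from this dump
            "atqa": block[8:10][::-1].hex(),   # position assumed from this dump
        }
    raise ValueError("uid_len must be 4 or 7")


if __name__ == "__main__":
    print(parse_block0(PAGE_BLOCK0, 7))
    print(parse_block0(PAGE_BLOCK0, 4))  # byte 4 (0xf4) is not a valid BCC here
```

Read as a 4-byte card, byte 4 of the dump would have to be 0x5d but is 0xf4 (the fifth UID byte), which is the invalid BCC the post describes.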
Would be great if i could get hooked up with these so-called suppliers so i can ask them.
spoke to a few suppliers on taobao.com, they said no such cards yet..
they have not cracked the 7 bytes UID cards and claimed that even the chips are not known (out yet)!
Offline
Looking at your output, the work needed to produce a magic 7byte uid wouldn't be too hard, but if no chipmaker is doing it then there is not much we can do.
Offline
It does exist. And BCC is "supported".
There is a guy on eBay who is posting ads when someone needs.
Leave your email here if you are interested.
Offline
Can you contact me at phiber@hostcalls.com? thanks!
i found a supplier too but claimed he did not test the card yet.
i will order a piece for testing.
Last edited by phiber (2016-10-14 07:43:19)
Offline
I need supplier too about 7 byte chinese magic card.
My e-mail kotp29 @ yandex .ru
Please, write me.
Offline
Still waiting for your mail!
Offline
phiber, do you know the eBay link in your shop for the 7-byte UID MIFARE Classic 1k card?
Offline
nope.. I'm still looking for someone that sells a 7-byte UID changeable card..
Offline
I have one supplier who provided those last year. I cloned an Ultralight sector by sector though.. I think it costs around $20 each. If still needed, I will send you the supplier link.
Offline
That's too expensive to clone for a door access card.. thanks for the heads-up danz!
Offline
https://www.aliexpress.com/item/20pcs-lot-Wholesale-ID-Thick-CARD-S50-reaction-13-56MHZ-UID-7-bytes-Card-Timecard-M1/32752483982.html?spm=2114.01010208.3.35.kIuqJX&ws_ab_test=searchweb0_0,searchweb201602_5_10065_10068_10069_10084_10083_10017_10080_10082_10081_10060_10061_10062_10056_10055_10054_10059_10078_10079_10073_10070_421_420_10052_10053_10050_10051,searchweb201603_8&btsid=bda532b9-18e1-40ce-830a-afe0d9f919aa
The seller claimed it is 7-byte UID changeable.. but I did not order one to test..
Offline
I have the source for the s50 7 byte cards. Guaranteed working, as I tested it out just the day before.
ATQA & SAK are fixed and you are only able to change the block UID. One card is $20 USD.
If you guys can collate more orders, I can try to negotiate with the seller.
On the other hand, the card phiber posted above is not true. The supplier is my friend. He is selling non-changeable 7 byte cards.
If some of you don't mind the cost, I will open a payment gateway on my website and get it shipped out asap for you guys.
PS: Dennis here. Iceman.
Offline
Like I said, $20 is overpriced to clone a keycard, I might as well get one from the issuer..
unless i get really desperate. thanks!
Offline
Those who are interested can email me @ spywificamera@gmail.com
I just get a rough gauge on how many you guys need so I can negotiate with the seller.
Thanks all.
Offline