Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello everyone!
I'm looking for the right command to wipe Chinese magic cards gen1.
It seems that commands exist (I saw old comments on the web like "hf mf cset" or "-wipe"), but I can't find them in the last fork.
I use the proxmark RDV4.0 with the iceman fork.
Is there any solution?
Thank you all!
Last edited by Max13.56 (2019-07-04 16:24:46)
Offline
Is the w option what you are after?
from the rrg rdv4
[usb] pm3 --> hf mf csetblk h
Set block data for magic Chinese card. Only works with magic cards
Usage: hf mf csetblk [ h ] <block number> <block data (32 hex symbols)> [w]
Options:
h this help
w wipe card before writing
<block> block number
<data> block data to write (32 hex symbols)
Examples:
hf mf csetblk 1 01020304050607080910111213141516
hf mf csetblk 1 01020304050607080910111213141516 w
Offline
Remember, the wipe sets everything to zero... everything... even sector trailers.
Offline
Ok, if I understand correctly, I have to write new hex symbols on every block (adding w as an argument to wipe the same block).
There isn't a generic command to wipe the whole card in one shot?
Thank you for your answer anyway guys!
Offline
Hello,
try to run the script "remagic.lua"!
By the way: What does "sector trailers" exactly mean?
Offline
Hello,
By the way: What does "sector trailers" exactly mean?
Sector Trailer is the last block in every sector. It stores the passwords A and B and the permissions for each key.
So in context, when Iceman said including the sector trailers, that means there are NO keys (or set to 000000000000) and NO valid permissions for that sector. So you would need to put all those back.
In a magic card where it supports the magic commands, that's OK as you can use the magic commands to do that.
If it was a real card and you managed to write all 0's to the sector trailer, you would brick that sector.
Offline
Thank you very much!
How can I change/manage the permissions in the sector trailer?
Offline
With care!
Start with reading : https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
Around Section 8
It's a bit tricky at first as the permissions are in there twice and if you get it wrong you can brick the sector.
I would suggest playing with a magic card as you can then recover when it goes wrong.
The idea is
1. work out the permissions you want.
2. build the 3 byte (6 hex digit) - 24 bit permissions.
3. know the current (or new) A/B keys and write that data like any other block write <A key><6 hex digit permission><single byte><B key> to the sector for which you want those keys and permissions applied to.
Offline
Okay, but I think this is a little bit too hard for my brain... :-(
In my case it's the following sector 7 I can't write on a Mifare Classic 1k card:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
81 C0 BB CE 32 E9 70 F7 88 00 E1 08 EA 39 7A 9A
Can you see what I have to set up?
So, without the A/B-keys, "70 F7 88 00" is left!
Offline
That looks like you need to write with key B
Access block 0: read AB; writeB
Access block 1: read AB; writeB
Access block 2: read AB; writeB
Access block 3: read ACCESS by AB
But it seems that the sector trailer is read only.
Offline
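The trailer layout and decoding discussed in the posts above, as an added Python example (not part of the thread and not Proxmark3 client code). It decodes bytes 6-8 of a sector trailer using the access-condition tables from the NXP MF1S50YYX datasheet linked above, rejects access bytes whose inverted copy does not match, and builds a trailer in the <A key><permissions><single byte><B key> layout. All function and table names are this example's own.

```python
# Added example: MIFARE Classic access bits (sector trailer bytes 6..8).
DATA = {  # (C1, C2, C3) -> (read, write, increment, decrement/transfer/restore)
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
TRAILER = {  # -> (write key A, read access, write access, read key B, write key B)
    (0, 0, 0): ("A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "A", "never", "A", "never"),
    (1, 0, 0): ("B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),
    (0, 1, 1): ("B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "A|B", "never", "never", "never"),
}

def decode(access):
    """Return [(C1, C2, C3)] for blocks 0..3; reject a bad inverted copy."""
    b6, b7, b8 = access[:3]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("inverted copy mismatch: invalid access bytes")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def encode(conds):
    """Build bytes 6..8 from four (C1, C2, C3) tuples for blocks 0..3."""
    c1, c2, c3 = (sum(c[k] << i for i, c in enumerate(conds)) for k in range(3))
    return bytes([((c2 ^ 0xF) << 4) | (c1 ^ 0xF), (c1 << 4) | (c3 ^ 0xF), (c3 << 4) | c2])

def build_trailer(key_a, conds, key_b, user_byte=0x00):
    """<A key><6 hex digit permission><single byte><B key> as 32 hex symbols."""
    block = bytes.fromhex(key_a) + encode(conds) + bytes([user_byte]) + bytes.fromhex(key_b)
    if len(block) != 16:
        raise ValueError("keys must be 6 bytes (12 hex symbols) each")
    return block.hex().upper()

def describe(trailer_hex):
    """Access conditions for data blocks 0..2, then for the trailer itself."""
    conds = decode(bytes.fromhex(trailer_hex)[6:9])
    return [DATA[c] for c in conds[:3]] + [TRAILER[conds[3]]]

if __name__ == "__main__":  # sector 7 trailer quoted in the thread
    for row in describe("81 C0 BB CE 32 E9 70 F7 88 00 E1 08 EA 39 7A 9A"):
        print(row)
```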
So there is no way to write the sector trailer (except with magic-card)?
But what does it take the manufacturer out of it to lock the sector trailer?
Last edited by Ollibolli (2019-07-02 18:07:28)
Offline
Thanks for your answer guys!
The remagic script is ok!
I will try later to write new data on it!
Offline
Hi everyone!
Come back after testing!
Finally I used 2 scripts from the fork to wipe and clean cards
script run remagic.lua
script run formatMifare.lua
I noticed the script changes UID and sometimes SAK (from 08 to 88 or 98) so I just had to do:
hf mf csetuid 01020304 0004 08 to achieve an original configuration.
Final test : restore data from another tag on my "new" magic card and it worked perfectly!
Thank you again for the help and the scripts!
Offline