Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.


#51 2012-10-22 12:37:44

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Sorry to resume this thread but, for what I understood, the correct "magic" sequence is this:

50 00 57 CD (halt command+crc) and no answer from the TAG
40 (TAG answer 0A)
43 (TAG answer 0A)

from now on I can send read-write commands without authenticating ? For example:

A0 00 + 16bytes-manufacturer block (to write block0)

and

30 00 (to read block0)

both without a 2-byte CRC?


#52 2012-11-06 17:31:08

merlok
Contributor
Registered: 2011-05-16
Posts: 131

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Both with CRC according to ISO 14443.
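The CRC referred to above is CRC_A from ISO/IEC 14443-3. As an added example (not part of the original posts or of the Proxmark3 code), this Python sketch computes it and verifies the CRC bytes of frames quoted in this thread: the halt command from post #51 and two frames from the `hf 14a list` trace in post #61. The function names and the corrupted sample frame are constructed for illustration.

```python
"""CRC_A (ISO/IEC 14443-3 Type A) checked against frames quoted in this thread."""


def crc_a(data: bytes) -> bytes:
    """Return the two CRC_A bytes in transmission order (low byte first)."""
    crc = 0x6363  # CRC_A preset value
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def split_frame(hex_frame: str):
    """Split a captured frame into (payload, crc_ok)."""
    raw = bytes.fromhex(hex_frame)
    if len(raw) < 3:
        raise ValueError("frame too short to carry a CRC_A")
    payload, trailer = raw[:-2], raw[-2:]
    return payload, crc_a(payload) == trailer


def check_frames(frames: dict) -> dict:
    """Map each frame name to True when its trailing CRC_A matches."""
    return {name: split_frame(frame)[1] for name, frame in frames.items()}


FRAMES = {
    # Copied from the posts on this page
    "HLTA (post #51)": "50 00 57 CD",
    "SELECT CL1 (post #61 trace)": "93 70 fc 7b 23 cd 8e a1 50",
    "SAK reply (post #61 trace)": "f4 55 e0",
    # Constructed sample: HLTA with one payload bit flipped
    "corrupted HLTA (constructed)": "50 01 57 CD",
}

if __name__ == "__main__":
    for name, ok in check_frames(FRAMES).items():
        print(f"{name:32s} CRC_A {'ok' if ok else 'MISMATCH'}")
```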


#53 2013-01-10 20:03:01

littlejohn
Member
Registered: 2013-01-10
Posts: 1

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Does anyone know *any* reliable source for such cards these days? Tried xfpga.com but there have been no replies from the e-mail. I'd prefer a web-shop over some ebay style source.

Regards,
John


#54 2013-01-13 15:18:36

kxn
Member
Registered: 2012-12-12
Posts: 5

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

http://www.aliexpress.com/wholesale?SearchText=uid&catId=0&manual=y

Aliexpress is the ebay-like website for non-China users to buy stuff manufactured in China. You can choose a supplier there; all suppliers there can ship internationally.

But, if you have friends in China, ask them to buy the cards for you; the price on Aliexpress is MUCH more expensive than it is in the China local market.....

littlejohn wrote:

Does anyone know *any* reliable source for such cards these days? Tried xfpga.com but there have been no replies from the e-mail. I'd prefer a web-shop over some ebay style source.

Regards,
John


#55 2013-02-11 17:07:17

alain
Member
Registered: 2011-02-18
Posts: 4

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hi all,
I ordered four of the "magic chinese" two months ago, and I haven't received anything yet.
Is it a scam?
Have some of you received anything? (besides the top guns :-) )
What is the delay?

Thanks


#56 2013-02-12 03:57:17

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

It's not a scam. We all ordered from him. Those cards work just fine.

Nevertheless, ask rfidshop.com.hk, they have cheaper cards... I'm waiting some of them...

good luck!


#57 2013-02-12 23:54:36

deff
Member
Registered: 2013-02-12
Posts: 1

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hi, I'm a bit new to the scene; I run on bt2 with both nfclib 1.4.2 and 1.6.0rc;
got the card from the same shop as you, moebius: rfidshop.com.hk.
I'm from France and the RFID I got my hands on has an 88 SAK but behaves like a 1K Mifare chip (same 0400);
http://www.nxp.com/documents/application_note/AN10833.pdf doesn't mention that SAK possibility at all.
I wonder if patching block 0 of the 1K card to match the image I have of the 88 SAK chip will damage the card, and if it's feasible or if just the UID can be written (nfc-mfsetuid needs modification to write the whole block, I guess).
I wonder if someone has a bit more knowledge on the topic before I get to edit mfsetuid to try to patch the whole block 0, or if it's a feature of a newer libnfc version (can't use a newer one, not compatible with the touchatag version I have).
Any info is welcome.

Try harder


#58 2013-03-12 02:50:40

martinouyang
Member
Registered: 2011-07-23
Posts: 9

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hello everybody, this is the Chinese guy from China. We are so happy to let so many development persons take part in discussing the changeable UID Mifare 1K cards, and then so many people will know how to make their systems safe. That is what we want to see.

Now the cards are popular in the market, thanks for your interest. In order to let more people touch the cards, we decided to make the price low to touch your affort, and send software to you free to research the cards.

Please contact with our always email: ouyangweidaxian@live.cn

Thanks


#59 2013-03-13 07:41:38

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

and send software to you free to research the cards.

Where can I download it?


#60 2013-04-15 14:22:29

MnBadger
Contributor
Registered: 2013-03-09
Posts: 19

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hello Everyone,

Our website is now offering UID Changeable Cards and FOBS from a U.S.-based supply. Free shipping (1-3) and 30-day return policy with very competitive pricing. These cards work with the Magic Chinese Guy function on PM3. Please visit the supplies section at www.clonemykey.com. Limited stock available, more arriving soon.


#61 2013-05-06 10:58:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

moebius wrote:

OK, I screwed up one of my cards :P

I was playing around with block 0 and i changed it to: 04 8c 55 7b a6 b0 08 04 00 46 59 25 58 49 10 23

and now.. it's now being detected by my readers... only Pmark is able to read it...

Is it possible to send APDU commands directly through the Pmark? Is anyone a very fast developer with SVN access to code something or even better, code this new function to change the block 0 of this Cards?

I think that if i get no answer, I'll work on it, so keep me in the loop if you like the idea..

Thanks!


Did you manage to recover the "screwed" Chinese card? I think I have the same problem here... I am able to read it but no write seems to be possible using PM3... normal readers cannot read/write it.

Doing a "list" i see the problem:

hf 14a list
recorded activity:          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +      0:    :     52              
 +    236:   0: TAG ef  e5              
 +      0:    :     93  20              
 +    452:   0: TAG fc  7b  23  cd  8e              
 +      0:    :     93  70  fc  7b  23  cd  8e  a1  50              
 +    308:   0: TAG f4  55  e0              
 +      0:    :     95  20              

My block0 is: fc 7b  23  cd  8e  f4  ef  e5  cc  cd  c3  65  53  c7  71  6b  da  79

PM3 tries to request the second part of the UID (95 20 = Anticollision CL2 = Cascade Level 2), but this card has a "short" UID so it doesn't answer and commands cannot be sent to write... Is it possible to modify the source code for Chinese Mifare cards in order to use always and only CL1 anticollision? Mifare standard uses the 5th byte after the UID as a BCC or as a CT (Cascade Tag); the Cascade Tag indicates that the UID is not complete (it has a fixed value that is 88, but in my case it is 8E, so this must not be the case/problem); then 93 70 (Select CL1) is sent and the card answers F4 (in your case, moebius, that byte has the value b0)... I don't know what F4 or B0 means to the PM3, but this is probably the problem; those values (F4 or B0) seem to request a second CL (CL2) and here the transaction halts... It is my fault, I wrote random numbers to block0... Can someone "save me"? If I am able to send raw commands I think I will solve that: a command that is able to set the 6th byte of block0 to 88, or better, the 6th, 7th and 8th bytes to 88 04 00! In fact the problem is in the manufacturer code; I read in this very detailed page that values between 81 and FE are not allowed (04 = NXP Semiconductors)!!!

In simple words the solution is this: after 93 70 xx xx xx xx xx xx xx, the card answers and, whatever the answer is, PM3 must send a write command with data like this: 01 02 03 04 04 88 04 00 00 00 00 00 00 00 01 10 to sector0block0; this will probably "revive" the malfunctioning Chinese card. Can someone please do this mod (add this new "revive" command) for me to see if it works?
Another option could be modifying the Chinese card write command to send the write without a previous select, just as the read command does (in fact the read command simply sends 40, then 43 and then the read command, without select).

EDIT:
My theory was correct ! Well, in my big non-experience I managed to solve the problem modifying 1-line-only of the PM3 code; in particular:

- file \armsrc\mifarecmd.c (r709 version)
- line 793
- delete the break instruction here (in that way client will send the special write command anyway)
- recompile
- reflash
- use the hf mf csetblk 0 01020304048804000000000000001001 command (you will receive an "#db# Can't select card" but don't worry) and the Magic Chinese Card returns to being "Magic"! It is now recognized by all readers again!

Here is the modified file: http://www.sendspace.com/file/x39brq

This is the precompiled modded r709 - flash it and send the above command to have your card work again.

Last edited by asper (2013-07-13 09:42:55)
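The block 0 values quoted in the post above can be checked against the usual MIFARE Classic layout for a 4-byte UID (UID, BCC, SAK, ATQA, manufacturer data). The following Python sketch is an added example, not code from the post or from the Proxmark3 project: it recomputes the BCC as the XOR of the UID bytes and inspects two SAK bits defined by ISO/IEC 14443-3, the cascade bit (0x04, "UID not complete") and the ISO/IEC 14443-4 bit (0x20). The function name is constructed, and it assumes that bytes beyond the 16th in a dump are a trailing CRC.

```python
"""Check a MIFARE Classic block 0 (4-byte UID) for values that break anticollision."""

SAK_CASCADE_BIT = 0x04     # ISO/IEC 14443-3: UID not complete, next cascade level follows
SAK_ISO14443_4_BIT = 0x20  # ISO/IEC 14443-3: card claims ISO/IEC 14443-4 support


def check_block0(hex_block: str) -> dict:
    raw = bytes.fromhex(hex_block)
    if len(raw) < 16:
        raise ValueError("block 0 must contain at least 16 bytes")
    raw = raw[:16]  # assumption: bytes past the 16th are a CRC appended in the dump
    uid, bcc, sak, atqa = raw[0:4], raw[4], raw[5], raw[6:8]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    findings = []
    if bcc != expected_bcc:
        findings.append(f"BCC {bcc:02X} != XOR of UID bytes {expected_bcc:02X}")
    if sak & SAK_CASCADE_BIT:
        findings.append(f"SAK {sak:02X} sets the cascade bit on a 4-byte UID")
    if sak & SAK_ISO14443_4_BIT:
        findings.append(f"SAK {sak:02X} claims ISO/IEC 14443-4 support")
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc == expected_bcc,
        "expected_bcc": expected_bcc,
        "sak": sak,
        "atqa": atqa.hex(),
        "findings": findings,
    }


# Block 0 values copied from the post above
BLOCKS = {
    "asper (unreadable)": "fc 7b 23 cd 8e f4 ef e5 cc cd c3 65 53 c7 71 6b da 79",
    "moebius (unreadable)": "04 8c 55 7b a6 b0 08 04 00 46 59 25 58 49 10 23",
    "recovery block": "01020304048804000000000000001001",
}

if __name__ == "__main__":
    for name, block in BLOCKS.items():
        result = check_block0(block)
        print(name, result["uid"], result["findings"] or "consistent")
```

Running a check like this on the intended block 0 before writing it shows whether the card will still complete a single-level anticollision afterwards.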


#62 2013-06-11 14:57:58

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hey Asper, yeap! I managed to restore its "magic" state by cheating the ACR122U reader... First I put a normal card and then but very quickly, I switched between it and the broken magic one. And voilà :) you'll see the green light in the ACR reader and by the use of libnfc or the software provided by the chinese, you'll be able to restore it :P

just another hack, you know...


#63 2013-06-18 09:01:41

cracking.mifare1k
Member
Registered: 2013-06-17
Posts: 8

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

We provide a backdoor to change the SAK value. We provide changeable UID cards with a default SAK of 88 (instead of 08) for the Mifare Classic 1K.


#64 2013-06-18 11:32:29

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

SAK is the 6th byte (starting from 1) of sector0block0 and is changeable also in other changeable UID mifare cards.


#65 2013-07-27 10:13:30

app_o1
Contributor
Registered: 2013-06-22
Posts: 244

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I am setting the UID of my Magic card to : 2B3B79 using command : "hf mf csetuid 23B79 w"
After that, sector 0 reading gives :

23B79D38804000000000000000000
B9000000000000000000000000000000
00000000000009380938093809380938
A0A1A2A3A4A561E789C1B0B1B2B3B4B5

But original card sector 0 is

23B79D388040047C129F9AD000407
B9000000000000000000000000000000
00000000000009380938093809380938
A0A1A2A3A4A561E789C1B0B1B2B3B4B5

Do I have to do "hf mf csetblk 0 B79D388040047C129F9AD000407" ?

Last edited by app_o1 (2015-06-06 10:13:38)


#66 2013-07-27 21:36:30

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Nope! In both cases, the reader will detect the card with the UID you want. In the case you need an EXACT copy (don't know why, but maybe the backend system checks that...) yes, you have to copy the entire block, and you're also ok.

Good luck!


#67 2014-01-13 07:04:02

mysteryman86
Member
Registered: 2014-01-13
Posts: 1

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hi to all community!
I'm new here. I'm interested in buying some of these magic cards.

Is there a way to rewrite sector 0 with an ACR122U reader?
I don't have pm3 yet.

Thanks a lot.


#68 2014-03-20 16:16:29

yesil_kaya76
Member
Registered: 2014-02-04
Posts: 1

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hi guys;

I want to ask a question about CLRC663.
Does the 0x07 (Transceive) command only support the Mifare commands listed in the user manual (e.g. the 0x30 read command)?
Is it possible to send other undefined commands (e.g. 0x43)?

I can send undefined commands with PN532. But I can't send undefined commands with CLRC663.
Does CLRC663 have any command to send 0x43?


#69 2014-08-16 03:32:24

geekngadgets
Member
Registered: 2014-08-16
Posts: 2

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hi all,

Just to share with you, I have available some of these "Chinese Magic Cards" whose sector 0 is programmable.
And it is guaranteed to work, as I have tested it myself for my own project. Let me know if any of you needs some of these special cards for your projects.
You can shoot me an email at geekngadgets@live.com

Cheers guys! B)


#70 2014-09-20 16:56:52

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Are all these magical cards only readable via Key A?
I'm trying to read them with key B but it doesn't work even though the access condition is set to default.


#71 2016-05-14 19:15:17

roman921
Contributor
Registered: 2015-06-21
Posts: 48

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

moebius wrote:

and now the part where i'm writing the same uid...

<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Edit UID Success.

I tried these commands with a magic card that has the direct command to change the UID.
But I get errors.
[ACS ACR122U PICC Interface 0] : Running script
[1]                  > FF 00 00 00 08 D4 08 63 02 00 63 03 00
                     < D5 09 90 00

[2]                  > FF 00 00 00 06 D4 42 50 00 57 CD
                     < D5 43 01 90 00

[3]                  > FF 00 00 00 06 D4 08 63 3D 07
                     < D5 09 90 00

[4]                  > FF 00 00 00 03 D4 42 40
                     < D5 43 01 90 00

[5]                  > FF 00 00 00 06 D4 08 63 3D 00
                     < D5 09 90 00

[6]                  > FF 00 00 00 03 D4 42 43
                     < D5 43 01 90 00

[7]                  > FF 00 00 00 05 D4 08 63 03 80 63 02 80
                     < D5 09 90 00

[8]                  > FF 00 00 00 15 D4 40 01 A0 00 dc 0f 7a 6e c7 22 33 44 55 66 77 88 99 AA BB CC
                     < D5 41 01 90 00
The UID doesn't change in this card.
Who can write the commands for a direct magic card to change the UID?
