Hey everyone,
I have an s50 UID changeable card that comes with the ELECHOUSE Proxmark3 v2 kit and have been trying to change the UID but I keep getting the cmd error 4.
Sector 3's trailer seems correct.
proxmark3> hf mf rdsc 3 A FFFFFFFFFFFF
--sector no:3 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 7f 07 88 00 00 00 00 00 00 00
Key is correct since I can read
proxmark3> hf mf rdbl 0 B FFFFFFFFFFFF
--block no:0, key type:B, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:aa da 85 ee 1b 08 04 00 01 98 8f b8 b1 0a c2 1d
Writing produces the cmd error.
proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: d3 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
I've had a look through the forums but I can't seem to find anything that works (a lua script was deleted).
Either my card's UID isn't changeable or I'm doing something wrong?
If I remember correctly, the Elechouse package has 1) Type: M1 S50 and 2) Type: M1 UID. Only the one labelled M1 UID is changeable.
Oh I see, still getting the same error on the M1 UID.
I ran the mifare access conditions calculator and got the ff0780 code and wrote to block 3.
proxmark3> hf mf rdsc 3 a ffffffffffff
--sector no:3 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3> hf mf rdsc 0 a ffffffffffff
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 44 6f af 10 94 08 04 00 62 63 64 65 66 67 68 69
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 ff ff ff ff ff ff ff
then attempted to write to block 0 getting the same error. Am I entering it wrong?
proxmark3> hf mf wrbl 0 a ffffffffffff AABBCCDD940804006263646566676869
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: aa bb cc dd 94 08 04 00 62 63 64 65 66 67 68 69
#db# Cmd Error: 04
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
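An added example, not from the thread or the Proxmark3 code base: a decoder for the three access bytes of a sector trailer, run on the two trailers read above (7f 07 88 and ff 07 80 69). It rejects a trailer whose inverted and plain copies disagree, which is the check to make before writing a trailer, since the card does not let you undo a bad one.

```python
# Added example, not from the thread: decode and sanity-check the access bytes
# (bytes 6..8) of a MIFARE Classic sector trailer before writing it. Every
# condition bit is stored once plain and once inverted; a trailer whose two
# copies disagree locks the sector for good.
# Conditions indexed by (C1, C2, C3), per the NXP MF1S50 datasheet tables.
DATA_RULES = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, write never, inc never, dec never",
    (1, 0, 0): "read A|B, write B, inc never, dec never",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B",
    (0, 0, 1): "read A|B, write never, inc never, dec A|B",
    (0, 1, 1): "read B, write B, inc never, dec never",
    (1, 0, 1): "read B, write never, inc never, dec never",
    (1, 1, 1): "read never, write never, inc never, dec never",
}
TRAILER_RULES = {
    (0, 0, 0): "keyA write A; bits read A, write never; keyB read A, write A",
    (0, 1, 0): "keyA write never; bits read A, write never; keyB read A, write never",
    (1, 0, 0): "keyA write B; bits read A|B, write never; keyB read never, write B",
    (1, 1, 0): "keyA write never; bits read A|B, write never; keyB read never, write never",
    (0, 0, 1): "keyA write A; bits read A, write A; keyB read A, write A (transport)",
    (0, 1, 1): "keyA write B; bits read A|B, write B; keyB read never, write B",
    (1, 0, 1): "keyA write never; bits read A|B, write B; keyB read never, write never",
    (1, 1, 1): "keyA write never; bits read A|B, write never; keyB read never, write never",
}

def _nibbles(b7, b8):
    # Plain copies: C1 = high nibble of byte 7, C2 = low nibble of byte 8, C3 = high nibble of byte 8.
    return (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF

def access_consistent(b6, b7, b8):
    """True when the inverted copies (byte 6, low nibble of byte 7) match the plain ones."""
    c1, c2, c3 = _nibbles(b7, b8)
    return (b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF) and (b7 & 0xF) == (~c3 & 0xF)

def decode_access(b6, b7, b8):
    """Return (C1, C2, C3) for blocks 0..3 of the sector; bit i of each nibble is block i."""
    if not access_consistent(b6, b7, b8):
        raise ValueError("access bits inconsistent: the card would reject this trailer")
    c1, c2, c3 = _nibbles(b7, b8)
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def describe_trailer(trailer_hex):
    """Readable rules for the three data blocks and the trailer of one sector."""
    t = bytes.fromhex(trailer_hex)
    conds = decode_access(t[6], t[7], t[8])
    return [DATA_RULES[c] for c in conds[:3]] + [TRAILER_RULES[conds[3]]]

if __name__ == "__main__":
    # Trailers copied from the rdsc output in the thread: before and after the calculator.
    for name, tr in (("7f0788", "0000000000007f078800000000000000"),
                     ("ff0780", "000000000000ff078069ffffffffffff")):
        print(name, *describe_trailer(tr), sep="\n  ")
```

Both trailers decode cleanly; 7f 07 88 gives the trailer condition 011 (keys writable with key B only), ff 07 80 gives the transport condition 001.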
You should try to write with the magic command.
hf mf csetblk 1 01020304050607080910111213141516
Try also with
hf search
to understand which generation your card is.
proxmark3> hf search
UID : 33 76 0d 00
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands (GEN 1a): YES
Valid ISO14443A Tag Found - Quiting Search
Thanks meter, I'm avoiding the magic commands since the tag I'm cloning is a FDi tag and their readers block/scramble the magic cards when read.
....well...
Look at the output from hf 14a read, if it says like @meter "Answers to chinese magic backdoor commands (GEN 1a): YES"
then you will need to use magic commands to write block0 to it. Elechouse usually sends Gen1 tag in their package, so ...
Your idea of avoiding using special commands to the card because of the reader you will use the card on later, is wrong, just stop it. Re-read the wiki, documents and the forum to understand why.
Hi Iceman, I think you misunderstood my purpose here as I'm not trying to change the UID on a magic chinese card.
I initially dumped a FDi tag and stored into a bin file, I then loaded that bin file into a magic UID card included within the Elechouse kit.
The FDi readers actually detect and reject the Magic UID cards as stated here: http://www.proxmark.org/forum/viewtopic … 270#p28270
So I have to resort to the changeable UID cards that don't answer to chinese commands. Initially I assumed the s50 was able to change its UID, I was mistaken as pointed out by lohcm88 here: http://www.proxmark.org/forum/viewtopic … 175#p29175
SO, now I'm attempting to change the UID of the M1 UID card also provided by the Elechouse card. Using a chinese command on this card is incorrect.
OR I could be totally wrong and in which case I apologise.
... back to magic cards information again... it's like ppl never listen to me. I even did two videos on youtube explaining it.
First of all, understand there are several different kinds of magic tags. Sadly they have all kinds of names.
In China they like to call them uid, cuid, fuid, ufuid, which makes the difference hard to understand and easy to write wrong in descriptions.
In this forum and other ones, we started calling the first magic card with backdoor commands, Generation1 (gen1). The next generation or revision, is called generation2. Gen2 cards don't use backdoor commands.
Now to make things more complicated there is another revision of gen1 tags. I use the nomenclature Gen1a, Gen1b.
In "hf 14a read" you can see which your tag is. Currently it only tests for Gen1* tags.
So, in the ref-thread, FDi tags, they talk about Gen2 card working or the write-once (which is a card where you can change the UID ONCE, then it fuses and stays the same) .. I wrote that you should know what kind of magic tag you have, which you at the moment don't seem to know. I'm convinced you have a Gen1a tag (m1 uid from elechouse is that) which is useless as stated in the threads you refer to.
Understood, mate, we're all just trying to learn and contribute. If you find that multiple people never listen to you, it might be because the way you express it isn't clear or is confusing.. at least it wasn't for me.
Results for running "hf 14a read" on the M1 UID elechouse card would appear that it is a gen 2 tag. (iceman fork)
pm3 --> hf 14a read
UID : 44 6F AF 10
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
pm3 --> hf 14a list
Recorded Activity (TraceLen = 103 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |44 6f af 10 94 | |
18944 | 29472 | Rdr |93 70 44 6f af 10 94 9f 1c | ok | SELECT_UID
30644 | 34164 | Tag |08 b6 dd | |
48256 | 52960 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
54580 | 59316 | Tag |1b d9 b6 02 | |
pm3 -->
Results for the s50 just for good measure. Would appear that this is also gen 2 (iceman fork)
pm3 --> hf 14a read
UID : AA DA 85 EE
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
pm3 --> hf 14a list
Recorded Activity (TraceLen = 103 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16500 | Tag |aa da 85 ee 1b | |
18944 | 29472 | Rdr |93 70 aa da 85 ee 1b ac b3 | ok | SELECT_UID
30644 | 34164 | Tag |08 b6 dd | |
47232 | 51936 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
53556 | 58228 | Tag |9c 4b 54 72 | |
pm3 -->
Results for the Magic UID again for good measure. Of course this shows gen1a. (iceman fork)
pm3 --> hf 14a read
UID : 01 02 03 04
ATQA : 00 02
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN 1a): YES
Prng detection: WEAK
pm3 --> hf 14a list
Recorded Activity (TraceLen = 103 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |02 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |01 02 03 04 04 | |
19072 | 29600 | Rdr |93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
30772 | 34292 | Tag |08 b6 dd | |
47232 | 51936 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
53940 | 58676 | Tag |01 20 01 45 | |
pm3 -->
I appreciate the time you take to explain and help.
The only detection of a Gen2 card is to try writing to block0 with a normal writeblock cmd. If it worked, it's a gen2. If it didn't work, it's not a gen2.
You got two s50/1k cards in your pm3 kit from Elechouse.
* s50/1k UID gen1a
* normal s50/1k
So you are trying to write block0 on the normal s50/1k card?
Correct. I purchased 2 different 1k cards that claim to be changeable on eBay, I'll report my findings when they arrive.
Gen1a - Chinese Backdoor command (csetuid uid 0004 08)
Gen1a - Another kind of Chinese backdoor Command (UFUID) Some claim to work with FDI
(csetuid command/if not you got to sniff the key out)
Gen2 - To date we have 3 kinds of these tags around (hf mf wrbl b 0 d) All work with FDI
Perfect Gen2 that I am selling
FUID - One time fused
CUID - Uses the same command but easily bricks
I make it pretty clear cut so just try them.
To sum it up, we have 5 types of mifare 1k uid changeable now.
Hope now you understand better.
Last edited by Dot.Com (2017-08-30 15:53:34)
Thanks mate
On the other hand, search for the FDI known key on the forum.
You probably need it if you want to do FDI.
Yup, thanks to iceman... it's in his default_keys.dic file. I successfully dumped the FDi card
Cards that I bought from eBay arrived today and they're Gen1a.. sigh.. another 2 weeks to wait for new cards from china.
You can always order from my side to make things simple
No need verification since I know my stuff well.
Good luck testing them.
Will keep in mind thanks.
UPDATE:
A local seller messaged me and asked me to try a new type of writeable Mifare card that won't show up as a magic card and here are the results:
proxmark3> hf search
UID : f0 00 00 c5
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3> hf mf wrbl 0 B FFFFFFFFFFFF d3a2859f6b880400c801002000000016
--block no:0, key type:B, key:ff ff ff ff ff ff
--data: d3 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf search
UID : d3 a2 85 9f
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3>
proxmark3> hf mf wrbl 0 B FFFFFFFFFFFF d4a2859f6b880400c801002000000016
--block no:0, key type:B, key:ff ff ff ff ff ff
--data: d4 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf search
no known/supported 13.56 MHz tags found
proxmark3> hf mf wrbl 0 B FFFFFFFFFFFF d3a2859f6b880400c801002000000016
--block no:0, key type:B, key:ff ff ff ff ff ff
--data: d3 a2 85 9f 6b 88 04 00 c8 01 00 20 00 00 00 16
#db# Can't select card
#db# WRITE BLOCK FINISHED
isOk:00
proxmark3>
It was able to write successfully on the first attempt but it looks like I bricked the card after writing it the second time.
I've tried running the formatMifare lua script but returns "#db# Can't select card".
It would appear this is a one time write card like you said iceman.
proxmark3> hf list 14a
Recorded Activity (TraceLen = 65 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 04 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16564 | Tag | d4 a2 85 9f 6b | |
18816 | 29280 | Rdr | 93 70 d4 a2 85 9f 6c 5e 96 | ok | SELECT_UID
Anyone ever unbricked this?
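An added check, not part of the thread or of Proxmark3: the trace above shows the tag answering anticollision with d4 a2 85 9f 6b while the reader selects with BCC 6c, because the second write changed d3 to d4 but kept the BCC byte at 6b, and 6c is the XOR of d4 a2 85 9f. This script (written for this page) validates block 0 before a direct write so a Gen2 card is not left unselectable; the two block values are the ones typed in the thread.

```python
# Added example, not from the thread: validate a MIFARE Classic block 0 before
# a direct write to a Gen2 card. Byte 4 is the BCC, the XOR of the four UID
# bytes, which the tag also sends in its anticollision reply; a stored BCC that
# does not match the UID makes every later SELECT fail ("Can't select card").

def bcc(uid: bytes) -> int:
    """Block Check Character as defined for ISO 14443-3 cascade level 1."""
    result = 0
    for b in uid:
        result ^= b
    return result

def check_block0(block_hex: str) -> dict:
    """Parse a 16-byte block 0 and report whether its BCC matches its UID."""
    block = bytes.fromhex(block_hex)
    if len(block) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, stored = block[:4], block[4]
    expected = bcc(uid)
    return {
        "uid": uid.hex(),
        "stored_bcc": stored,
        "expected_bcc": expected,
        "ok": stored == expected,
        "sak": block[5],           # 0x88 here, as hf search showed after the write
        "atqa": block[6:8].hex(),  # stored LSB first (04 00); pm3 prints it as 00 04
    }

def fix_block0(block_hex: str) -> str:
    """Return the block with the BCC recomputed from its UID; refuse wrong lengths."""
    block = bytearray.fromhex(block_hex)
    if len(block) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    block[4] = bcc(bytes(block[:4]))
    return block.hex()

# The two blocks written in the thread: the first selects fine, the second
# changed d3 -> d4 but kept BCC 6b, while d4^a2^85^9f is 6c.
FIRST_WRITE = "d3a2859f6b880400c801002000000016"
SECOND_WRITE = "d4a2859f6b880400c801002000000016"

if __name__ == "__main__":
    for name, blk in (("first", FIRST_WRITE), ("second", SECOND_WRITE)):
        r = check_block0(blk)
        print(f"{name}: uid={r['uid']} stored={r['stored_bcc']:02x} "
              f"expected={r['expected_bcc']:02x} {'OK' if r['ok'] else 'MISMATCH'}")
```

The same check flags the earlier aabbccdd940804006263646566676869 attempt: that UID XORs to 00, not the 94 carried over from the original 44 6f af 10 UID.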
Dot.Com wrote: On the other hand, search for the FDI known key on the forum.
You probably need it if you want to do FDI.
Yup, thanks to iceman... it's in his default_keys.dic file. I successfully dumped the FDi card
Good job, I remember snooping that FDI key at a building, was so happy when I found it haha. Easier nowadays.