Proxmark3 community


#1 2011-07-23 18:12:10

martinouyang
Member
Registered: 2011-07-23
Posts: 9

Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

we supply the cards below:

Works exactly like the Mifare S50, with 16 sectors and 4 blocks per sector, but Sector 0 Block 0, known as the Manufacturer Block where the chip UID is stored, can be reprogrammed to any UID you wish.
Its advantage:
This is a perfect solution for a lost, irreplaceable Mifare card ID: you don't need to re-enroll new cards. Just program this new Mifare 1K's UID to the UID of the lost card and you have a new card exactly the same as the old one.

Popular applications;
Loyalty
Ticketing
Identification
Access Control

If you need them, please contact us: ouyangweidaxian@live.cn


#2 2011-08-02 23:03:56

hat
Contributor
Registered: 2009-04-12
Posts: 160

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Can somebody confirm this?

It's been long expected. However, it would still be interesting information for risk assessment.

Thanks.


#3 2011-08-06 06:56:06

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

http://www.facebook.com/nethemba/posts/235254083171750
1 minute at google

Mr. ouyangweidaxian@live.cn from China just offered me Changeable UID Mifare Classic 1K cards, one for $24. Discount when ordering more than 100 pieces.


#4 2011-08-10 03:40:27

miguegold
Contributor
Registered: 2011-08-05
Posts: 12

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I've contacted this "seller" and it's most probably some kind of scam. Quoting, he asked for $24 per card, min 10 cards and I had to buy his reader and his software. Total, more than $300.
Anyway, when I asked for more specs, he said that after payment he would give me more info
=> Spam


#5 2011-08-11 19:51:38

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hey people,

I have ordered three of these cards and can confirm it works. I was able to successfully change the UID and the rest of block 0 (using a few special RFID frames). These cards cost 24 USD per piece, which is pretty expensive, but they are real and work fine.

For those who want to test them and have some budget lying around, I recommend ordering a sample for yourself. The seller will help you with "re-branding" your UID.

Cheers,

  Roel


#6 2011-08-12 11:45:32

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

That's very nice. Do they have ISO 15693 tags with changeable UID?


#7 2011-08-12 19:05:33

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I don't know. He told me they were working on a 4KB version, but I heard of no plans for support of other ISO standards. I know the ATMEL CryptoRF cards already have a programmable PUPI (UID) for ISO 14443B. For ISO 15693 I haven't found any card yet that has a programmable UID. The proxmark could do this without any problems, of course.


#8 2011-08-13 01:49:00

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I bought two cards and I'm now waiting for them...

Roel, what software are you using? Do you have some info so that as soon as my cards are here, I can play with them?

Also, is the UID only changeable one time, or can you change it as many times as you want?

Thanks!


#9 2011-08-13 09:42:43

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

roel
Can you post a proxmark sniffed trace of this card here?


#10 2011-08-13 18:56:04

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

It seems to be modifiable as many times as you can change the memory.

I changed the UID to zeros; this is the tx/rx result using nfc-anticol from libnfc and a tikitag reader.

Tx: 26 (7 bits)
Rx: 02 00
Tx: 93 20
Rx: 00 00 00 00 00
Tx: 93 70 00 00 00 00 00 9c d9
Rx: 18 37 cd

I could make a proxmark trace if you are interested (for timing info?).


#11 2011-08-13 19:43:55

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how do the timings differ when you are reading standard normal mifare s50 cards and these ones?
BTW, can you make a trace

using a few special rfid frames

of changing the card's UID?
Who is the manufacturer?
Thanks

Last edited by vivat (2011-08-14 09:06:58)


#12 2011-08-16 23:17:42

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Can anyone send some sample C code or some program in order to operate these cards? I'm just waiting for two of them. I'll tell you my results later.

Thanks!

Last edited by moebius (2011-08-16 23:18:06)


#13 2011-08-27 16:40:39

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

vivat wrote:

>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how do the timings differ when you are reading standard normal mifare s50 cards and these ones?
BTW, can you make a trace

using a few special rfid frames

of changing the card's UID?
Who is the manufacturer?
Thanks

Can anyone who has these cards make a simple dump????


#14 2011-08-27 17:42:51

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

vivat wrote:
vivat wrote:

>Rx: 18 37 cd
So, they are selling mifare 4k, right?
>for timing info?
Yes, how do the timings differ when you are reading standard normal mifare s50 cards and these ones?
BTW, can you make a trace

using a few special rfid frames

of changing the card's UID?
Who is the manufacturer?
Thanks

Can anyone who has these cards make a simple dump????

Hey @vivat! I own some of these cards. What exactly do you need? A simple dump of what? I can change one card's UID and post the frames if you want.

cheers my friend.


#15 2011-08-27 18:32:18

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

moebius
I need this trace to see what 'special' RFID frames are used to change this card's UID. I'm waiting for it...


#16 2011-08-28 02:47:31

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

vivat wrote:

moebius
I need this trace to see what 'special' rfid frames used to change this card's UID. I'm waiting for it...

Ok... here you are: reading and writing with the software they provided to me (20 USD, but now I think some of you can write some code for pmark or using libnfc; if not, in a couple of days I'll write some C code).

The UID checksum is really easy to calculate; it's specified in the data sheet. I cloned one card and it's a success, my friends. It's a little expensive but it's worth it.

Successful connection to ACS ACR122 0
<< FF CA 00 00 00
>> 71 43 C4 46 90 00
CARD UID:7143C446
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 05 D4 40 01 30 00
>> D5 41 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02 90 00
Read 0 Block Success.

and now the part where i'm writing the same uid...

<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Edit UID Success.

Hope that helps you @vivat !


#17 2011-08-28 17:16:03

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Successful connection to ACS ACR122 0
<< FF CA 00 00 00
>> 71 43 C4 46 90 00
CARD UID:7143C446
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 05 D4 40 01 30 00
>> D5 41 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02 90 00
Read 0 Block Success.

and now the part where i'm writing the same uid...

<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
Edit UID Success.

I wanted a proxmark sniffed trace.
So, it is a program that you have received with card, right?

Last edited by vivat (2011-08-28 17:17:17)


#18 2011-08-29 12:27:31

dreyercito
Member
Registered: 2008-09-21
Posts: 7

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I also have some cards. Still waiting for an ACS reader though (the software provided does not like my touchatag; anyone with success with a touchatag?).

Is that a complete dump of the conversation with the reader through the pc/sc api?
Correct me if I'm wrong but shouldn't we see there an authentication step?

WriteRegister -> PN53X_REG_CIU_TxMode (0x6302)
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
InCommunicateThru
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
WriteRegister -> CIU_TxMode (0x6302)
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
InDataExchange  (Mifare cmd - write sector)
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00


#19 2011-08-29 20:35:26

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.

Basically I want to understand the comm process because their software is compiled and always uses the default FFFFFFFF key to access block 0, so if you have already cloned one card with other keys and you want to change its UID again, you need to reset its key, change the UID and restore the cloned key.

Give me some time because I'm a little busy with boring stuff. Thanks!


#20 2011-08-30 03:32:31

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

moebius wrote:

It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.

Give me some time because I'm a little busy with boring stuff. Thanks!

Quoting me... there's no auth to the sector. It's possible to change block 0 with no valid key!!! Really cool cards. I edited this post because I said some wrong stuff about this.


#21 2011-08-30 09:09:24

dreyercito
Member
Registered: 2008-09-21
Posts: 7

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

moebius wrote:
moebius wrote:

It was not a complete dump, it was just the log of the program they sent to me. I can sniff the write tx/rx conversation and post it.

Give me some time because I'm a little busy with boring stuff. Thanks!

Quoting me... there's no auth to the sector. It's possible to change block 0 with no valid key!!! Really cool cards. I edited this post because I said some wrong stuff about this.

Are you sure of that? I didn't have the same chance; unless I'm doing something wrong, I tried to write on block 0 with no auth, without success.
...
Connected to NFC reader: ACS ACR 38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)
lt-nfc-one: DBG pn53x.c:110
lt-nfc-one:     InListPassiveTarget
TX: ff  00  00  00  04  d4  4a  01  00 
RX: d5  4b  01  01  00  04  08  04  ad  8f  0a  8a  90  00 
Found MIFARE Classic card:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): ad  8f  0a  8a 
      SAK (SEL_RES): 08 
lt-nfc-one: DBG pn53x.c:110
lt-nfc-one:     InDataExchange
TX: ff  00  00  00  15  d4  40  01  a0  00  24  ba  8b  3c  29  88  04  00  47  c1  1d  58  a1  00  24  05 
RX: d5  41  01  90  00 
nfc_initiator_transceive_bytes: Timeout
Writing 1 blocks failed to write trailer block 0
(And of course after trying to read block 0 again it stays unchanged).

+1 for a Proxmark dump trace


#22 2011-08-30 12:29:54

dreyercito
Member
Registered: 2008-09-21
Posts: 7

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Ok, it works, I'm a happy man: you only have to precede the mifare cmd command by the rest that is shown in the logs. Then it's true that you can write to block 0 without authenticating.

e.g.:
  pn53x_transceive(pnd, "\x08\x63\x02\x00\x63\x03\x00", 7, NULL, NULL);
  pn53x_transceive(pnd, "\x42\x50\x00\x57\xCD", 5, NULL, NULL);
  pn53x_transceive(pnd, "\x08\x63\x3D\x07",4, NULL, NULL);
  pn53x_transceive(pnd, "\x42\x40",2, NULL, NULL);
  pn53x_transceive(pnd, "\x08\x63\x3D\x00",4, NULL, NULL);
  pn53x_transceive(pnd, "\x42\x43",2, NULL, NULL);
  pn53x_transceive(pnd, "\x08\x63\x02\x80\x63\x03\x80",7, NULL, NULL);
  And then mifare cmd write... and done!

Now time to decode that... Everything fine and I only blew my proxmark bootloader with tests (I ordered a JTAG to recover, so I'll try to post a trace, but until then please if anyone can do it, go ahead)


#23 2011-08-30 13:44:54

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Cool! Do you need all these commands in order to successfully write? Those are very magic frames for now...

You see! No auth to change the first block. Magic cards from the magic Chinese guy!

Do you want to write a simple code to include within the PMark? like hf mf changeBlock0 [16 bytes]?

That would be a nice command...


#24 2011-09-02 01:55:50

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

OK, I screwed up one of my cards.

I was playing around with block 0 and I changed it to: 04 8c 55 7b a6 b0 08 04 00 46 59 25 58 49 10 23

and now... it's not being detected by my readers... only the Pmark is able to read it...

Is it possible to send APDU commands directly through the Pmark? Is anyone a very fast developer with SVN access able to code something, or even better, code this new function to change block 0 of these cards?

I think that if I get no answer, I'll work on it, so keep me in the loop if you like the idea..

Thanks!


#25 2011-09-02 03:37:46

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

phewww... I tricked my reader by putting one OK card in front of the broken one... as soon as it detected the OK one, I removed it, leaving the screwed up one, so the reader was now ready to send commands to it. Normal APDU commands were sent then... and I saved the 25 USD card.

Anyway, I'll try to code some function for the PMark to change block 0 of these cards...

In my first try I thought that by using the iso14_apdu(CMD, SIZE, NULL); function between mifare_classic_auth and write block everything would work, but nope.

Someone here with a little more knowledge of this could maybe help...

It's technically possible... as someone said in another post.

I can write some code with some guidance; I have some spare time.

Thanks a lot.


#26 2011-09-02 11:12:52

dreyercito
Member
Registered: 2008-09-21
Posts: 7

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

A proxmark snooped conversation for writing.

recorded activity:

          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +      0:   0: TAG 04  00              
 +   1647:    :     93  70  44  66  70  3c  6e  72  f2              
 +     65:   0: TAG 88  be  59              
 + 189650:    :     52              
 +   4752:    :     52              
 +     64:   0: TAG 04  00              
 +   1646:    :     93  70  44  66  70  3c  6e  72  f2              
 +     66:   0: TAG 88  be  59              
 +  73474:    :     50  00  57  cd              
 +  57150:    :     40              
 +     81:   0: TAG 0a!             
 +  15717:    :     43              
 +     66:   0: TAG 0a!             
 +  20061:    :     a0  00  5f  b1              
 +     65:   0: TAG 0a!             
 +   2071:    :     44  66  70  3c  6e  88  04  00  47  c1  1d  58  a1  00  24  05  c2  40              
 +   2656:   0: TAG 0a!             

For reading it is similar. Basically it sends some frames to activate the "backdoor", which from that point on allows reading or writing any sector without authenticating.


#27 2011-09-03 09:08:54

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Thanks, dreyercito. I will try to comment this "magic frames" below. However, more proxmark snooped dumps of changing card's UID are welcome(since I don't have such card).

recorded activity:          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +   4752:    :     52              
 +     64:   0: TAG 04  00              
 +   1646:    :     93  70  44  66  70  3c  6e  72  f2   // UID is 44  66  70  3c
 +     66:   0: TAG 88  be  59 // SAK is 88, so the manufacturer is Infineon??? http://www.libnfc.org/documentation/hardware/tags/iso14443
 +  73474:    :     50  00  57  cd       //Halt       
 +  57150:    :     40              //maybe "magic frames"???
 +     81:   0: TAG 0a!             //backdoor???
 +  15717:    :     43              
 +     66:   0: TAG 0a!             
 +  20061:    :     a0  00  5f  b1              //WTF???
 +     65:   0: TAG 0a!             
 +   2071:    :     44  66  70  3c  6e  88  04  00  47  c1  1d  58  a1  00  24  05  c2  40         //Is it manufacturer block(block0, sector0) contents+CRC?
 +   2656:   0: TAG 0a!             


#28 2011-09-03 16:40:30

dreyercito
Member
Registered: 2008-09-21
Posts: 7

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Don't take the manufacturer and UID into account, because that card was already written with some blank I had lying around.

I think it is easier to help oneself with the log of the program, as there are some things that stay hidden from the mifare snoop dump. I hope I didn't decode it wrongly:

1: Operation: WriteRegister -> PN53X_REG_CIU_TxMode (0x6302) and RxMode(0x6303)
Doc:
7           6   5   4   3   2   1   0
CRC-enable |TxSpeed  |  nu  nu | TxFraming

Speed:
000: 106 kbps
001: 212 kbps
010: 424 kbps
011: 848 kbps

Framing:
00: Mifare
01: Active
10: Felica
11: 14443B

Write on register 02 = 00 ( TxSpeed = 106 kbps , TxFraming = Mifare, CRC disable)
Write on register 03 = 00 ( RxSpeed = 106 Kbps , RxFraming = Mifare, CRC disable )

<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
---------------------------
2: Operation: InCommunicateThru
Send to the card this raw data:  50 00 57 CD
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
---------------------------
3: Operation: WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
TxFraming = 14443B
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
----------------------------
4: Operation: InCommunicateThru
Send to the card this raw data: 40
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
----------------------------
5: Operation: WriteRegister -> PN53X_REG_CIU_BitFraming (0x633D)
TxFraming = Mifare
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
-----------------------------
6: Operation: InCommunicateThru
Send to the card this raw data: 43
InCommunicateThru
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
-----------------------------
7: WriteRegister -> CIU_TxMode (0x6302)  RxMode(0x6303)
CRC-Enable = yes ,  Speed = 106 kbps , Framing = Mifare
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
-----------------------------
8: InDataExchange  (Mifare cmd - write block 0)
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00

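The hand decode above can be done mechanically. The following is an added example, not the seller's program and not libnfc code: a small Python decoder for ACR122U pseudo-APDU logs that unwraps each `<< FF 00 00 00 Lc D4 ...` / `>> D5 ...` pair into the PN532 command and, for WriteRegister, spells out the CIU register fields as the PN532 user manual defines them (CIU_TxMode/RxMode: bit 7 CRC enable, bits 6-4 speed, bits 1-0 framing; CIU_BitFraming: bits 2-0 TxLastBits). The write half of the log posted in #16 is embedded as sample input; the command and register name tables cover only what appears in that log.

```python
"""Decode an ACR122U pseudo-APDU log into PN532 commands.

Added example, not the seller's program nor libnfc code. Per the PN532 user
manual, FF 00 00 00 Lc wraps a PN532 frame D4 <cmd> <params>, and the reply
comes back as D5 <cmd+1> <data> followed by the PC/SC status words 90 00.
"""

PN532_COMMANDS = {
    0x08: "WriteRegister",
    0x40: "InDataExchange",
    0x42: "InCommunicateThru",
    0x4A: "InListPassiveTarget",
}
CIU_REGISTERS = {0x6302: "CIU_TxMode", 0x6303: "CIU_RxMode", 0x633D: "CIU_BitFraming"}
SPEEDS = {0: "106 kbps", 1: "212 kbps", 2: "424 kbps", 3: "848 kbps"}
FRAMINGS = {0: "MIFARE", 1: "Active", 2: "FeliCa", 3: "ISO 14443B"}


def describe_register(addr: int, value: int) -> str:
    """Name a CIU register write and spell out the fields that matter here."""
    name = CIU_REGISTERS.get(addr, "reg 0x%04X" % addr)
    if addr in (0x6302, 0x6303):            # TxMode / RxMode
        crc = "on" if value & 0x80 else "off"
        return "%s=0x%02X (CRC %s, %s, %s framing)" % (
            name, value, crc, SPEEDS[(value >> 4) & 7], FRAMINGS[value & 3])
    if addr == 0x633D:                      # BitFraming: low 3 bits = TxLastBits
        last = value & 7
        return "%s=0x%02X (TxLastBits=%d: %s)" % (
            name, value, last, "full bytes" if last == 0 else "%d-bit last byte" % last)
    return "%s=0x%02X" % (name, value)


def decode_command(tx: bytes) -> dict:
    """Unwrap FF 00 00 00 Lc D4 <cmd> <params> and interpret <params>."""
    if tx[:4] != b"\xff\x00\x00\x00" or tx[4] != len(tx) - 5 or tx[5] != 0xD4:
        raise ValueError("not a well-formed ACR122 pseudo-APDU: %s" % tx.hex())
    cmd, params = tx[6], tx[7:]
    entry = {"cmd": PN532_COMMANDS.get(cmd, "cmd 0x%02X" % cmd)}
    if cmd == 0x08:                          # (addr_hi, addr_lo, value) triples
        if len(params) % 3:
            raise ValueError("WriteRegister params come in 3-byte groups")
        entry["regs"] = [describe_register(params[i] << 8 | params[i + 1], params[i + 2])
                         for i in range(0, len(params), 3)]
    elif cmd == 0x42:                        # raw frame sent to the card as-is
        entry["data"] = params.hex()
    elif cmd == 0x40:                        # target number, then the MIFARE command
        entry["tg"], entry["data"] = params[0], params[1:].hex()
    return entry


def decode_response(rx: bytes, cmd_byte: int) -> dict:
    """Check D5 <cmd+1> ... 90 00 and split status/data for the In* commands."""
    if rx[-2:] != b"\x90\x00" or rx[0] != 0xD5 or rx[1] != cmd_byte + 1:
        raise ValueError("unexpected reply: %s" % rx.hex())
    body = rx[2:-2]
    if cmd_byte in (0x40, 0x42):
        # PN532 status byte: 0x00 success, 0x01 timeout (card did not answer)
        return {"status": body[0], "data": body[1:].hex()}
    return {"status": 0x00, "data": body.hex()}


def decode_log(text: str) -> list:
    """Pair the '<<' and '>>' lines of a log into decoded steps."""
    steps, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<<"):
            pending = bytes.fromhex(line[2:].replace(" ", ""))
        elif line.startswith(">>") and pending is not None:
            rx = bytes.fromhex(line[2:].replace(" ", ""))
            step = decode_command(pending)
            step["reply"] = decode_response(rx, pending[6])
            steps.append(step)
            pending = None
    return steps


# Sample input: the write half of the log posted in #16.
SAMPLE_LOG = """\
<< FF 00 00 00 08 D4 08 63 02 00 63 03 00
>> D5 09 90 00
<< FF 00 00 00 06 D4 42 50 00 57 CD
>> D5 43 01 90 00
<< FF 00 00 00 05 D4 08 63 3D 07
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 40
>> D5 43 00 0A 90 00
<< FF 00 00 00 05 D4 08 63 3D 00
>> D5 09 90 00
<< FF 00 00 00 03 D4 42 43
>> D5 43 00 0A 90 00
<< FF 00 00 00 08 D4 08 63 02 80 63 03 80
>> D5 09 90 00
<< FF 00 00 00 15 D4 40 01 A0 00 71 43 C4 46 B0 08 04 00 46 59 25 58 49 10 23 02
>> D5 41 00 90 00
"""
```

`decode_log(SAMPLE_LOG)` returns one dict per step. Two details the decode makes visible: the status byte 0x01 on the `50 00 57 CD` step is the PN532 timeout code, which is what a HALT that is never answered should produce, and the `0x07` written to CIU_BitFraming is TxLastBits, so the following `40` goes out as a 7-bit frame (like REQA/WUPA) before framing is put back to full bytes and CRC generation is switched on for the write.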

#29 2011-09-04 00:25:27

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

@Vivat, what exactly are you trying to do? Do you think we can put this functionality inside the proxmark? I'm trying to do so but with no luck yet.

Thanks.


#30 2011-09-04 12:27:42

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

dreyercito wrote:

2: Operation: InCommunicateThru
Send to the card this raw data:  50 00 57 CD

50 00 57 CD means the 'Halt' command, proof link:
http://www.proxmark.org/files/index.php … Manual.pdf
This datasheet explains mifare frames. I can't understand the dump you have posted here using nfc-list.
moebius
I want to understand how this backdoor works and maybe code something... Anyway, everybody can post dumps here, upload the software you've bought from the Chinese guys, share your ideas.


#31 2011-09-04 16:36:20

dreyercito
Member
Registered: 2008-09-21
Posts: 7

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

vivat wrote:

50 00 57 CD means 'Halt' command, prooflink:
http://www.proxmark.org/files/index.php … Manual.pdf
This datasheet explains mifare frames. I can't understand the dump you have posted here using nfc-list.

I believe you. I have also read specs where 50 00 is the halt command, but I prefer not to associate any meaning to the frames sent yet (what about the 57 CD?); anyway, we don't really know what they have implemented in the card. What matters is that these are the series of frames to be sent.

What I posted is not a dump with nfc-list, but the commented communication with the reader.

http://www.nfc-reader.com/NFC-smart-car … ACR122.pdf
http://www.nxp.com/documents/user_manual/141520.pdf
lib-nfc sources


#32 2011-09-04 18:01:32

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

what about the 57 CD?

Parity bit + CRC
http://www.google.com/search?q=site%3Ap … 0+00+57+cd
BTW I don't have any libnfc device. I have a pm3 instead. Maybe I'll buy an SCL3711.


#33 2011-09-04 19:07:09

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

@Vivat, I bought my SCL3711 from: http://www.javacardsdk.com/ (Futako)

Hope that helps.


#34 2011-09-04 21:57:07

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I think you are making things more difficult than they are.
If you send the halt, then 40, wait for the tag answer and then send 43, I think that is the backdoor: only 40 and 43.


#35 2011-09-05 13:07:16

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203
Website

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).

Committed as rev 1124.

Note that this only works on the *special* Chinese clone cards discussed earlier in this thread.

cheers,
Adam

Last edited by adam@algroup.co.uk (2011-09-06 10:44:11)


#36 2011-09-06 00:07:32

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

adam@algroup.co.uk wrote:

I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).

Unfortunately my commit status appears to have vaporised, so until I get that sorted out, you can pick it up here:

http://www.rfidiot.org/libnfc-r1123-setuid.diff

cheers,
Adam

Wait... ANY card? Or just the special cards from this magic Chinese guy?


#37 2011-09-06 10:44:53

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203
Website

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

moebius wrote:
adam@algroup.co.uk wrote:

I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).


Wait... ANY card? Or just the special cards from this magic Chinese guy?

I've amended my original post to make it clearer - this is just for the Chinese copies.

Last edited by adam@algroup.co.uk (2011-09-06 10:46:22)


#38 2011-09-06 15:14:03

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Thanks!

Works like a charm and out of the box.


#39 2011-10-26 10:45:33

henry74918
Member
Registered: 2011-10-18
Posts: 4

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I've just bought a changeable UID mifare card.
I have a proxmark3, but I don't have any other device that can access the card.

I tried to change the UID using the proxmark3 with the command "hf mf wrbl 0 XXXX"
but it failed to change.

Can anyone help here?
I'm new to this.
Thanks!


#40 2012-07-05 08:34:04

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Hi,

Now it's possible to work with the "magic Chinese" card.
http://code.google.com/p/proxmark3/source/detail?r=585

enjoy)


#41 2012-07-05 12:06:27

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

new release http://code.google.com/p/proxmark3/source/detail?r=588.
topic for release http://www.proxmark.org/forum/viewtopic … 5678#p5678

Last edited by merlok (2012-07-05 12:07:23)


#42 2012-07-06 10:57:04

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

I have tried to program some of the block 0 data.
As I see it:
first 4 bytes - UID
1 byte - UID BCC
1 byte - SAK
2 bytes - ATQA (as it is in the field - 0x40 0x00 - sample!)

I don't understand what comes next. Does anyone know what these next 8 bytes do?

As I see it, this card can't work with a 7-byte UID? I have tried to fill block 0 with one from a mifare classic 7-byte-UID card and I can't get it to work.


#43 2012-07-06 13:49:20

o0o0o0o
Contributor
From: Germany
Registered: 2011-10-06
Posts: 64

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Thank you merlok for adding this feature to the Proxmark.

I am wondering (sorry if the manufacturer of those "magic cards" feels offended):
How are these "magic cards" made?
My guess is that there is a physical modification of the chip (?)

And I am sure that there is some hard work behind this changeable UID, because this kind of price is always justified in China...


#44 2012-07-06 17:07:23

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

It is a physical modification of the chip.
A backdoor was added to its schematics.


#45 2012-07-06 17:10:17

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Why do you need a special reading command for these Chinese cards? Can't regular mifare readers read them?

Is it possible to completely rewrite block 0 of these cards, or only the 4-byte UID?

I don't know what those last 8 bytes in block 0 are, but one of the cards I got with a simple reader from ebay has the values: 62 63 64 65 66 67 68 69. Very strange.


#46 2012-07-06 19:52:57

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

1. Because there is "special" card functionality. Yes.
2. The complete block.

Last edited by merlok (2012-07-07 08:31:32)


#47 2012-07-06 21:27:04

edo1
Contributor
Registered: 2012-05-02
Posts: 18

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

urkis wrote:

Why do you need a special reading command to this chinese cards? Can't regular mifare readers read them?

AFAIK the new commands allow reading and writing without a specified key (you may read from a card with unknown keys).


#48 2012-08-22 15:43:44

pyusk
Member
Registered: 2012-08-21
Posts: 2

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Anyone know of a different place to buy these card where they are a bit cheaper?


#49 2012-08-23 16:03:04

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

pyusk wrote:

Anyone know of a different place to buy these card where they are a bit cheaper?

Try to search on chinese websites like aliexpress


#50 2012-10-22 12:37:44

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Changeable UID Mifare 1K (Mifare 1K cards Copy) MIFARE Classic Card Re

Sorry to revive this thread but, from what I understood, the correct "magic" sequence is this:

50 00 57 CD (halt command+crc) and no answer from the TAG
40 (TAG answer 0A)
43 (TAG answer 0A)

From now on, can I send read/write commands without authenticating? For example:

A0 00 + 16bytes-manufacturer block (to write block0)

and

30 00 (to read block0)

both without a 2-byte CRC?

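The sequence summarised in #50, as recorded in the Proxmark snoop of #26 and the register decode of #28, can be replayed end to end against a simulated card. The following is an added example and is not the seller's software, libnfc or Proxmark code: it implements the ISO/IEC 14443-3 type A CRC (which reproduces the `57 CD`, `5F B1` and `9C D9` trailers seen in the traces), builds a block 0 with the BCC computed as the XOR of the four UID bytes, and drives a toy `MagicCard` state machine through HALT, `40` as a 7-bit frame (the TxLastBits=7 register write in the log), `43`, and then an unauthenticated write and read. The `MagicCard` class, its NAK value and how it treats out-of-order or malformed frames are assumptions of the simulation, not observed card behaviour. The `check_block0` helper flags the two field errors that stop a reader from selecting the card: a wrong BCC, and a SAK with bit 0x20 set, which is how the 16 bytes quoted in #24 end up with `B0` in the SAK position.

```python
"""Simulated block-0 rewrite of a 'changeable UID' MIFARE Classic 1K.

Added example replaying the frames from the Proxmark snoop (HALT, 7-bit 0x40,
0x43, then unauthenticated write/read) against a toy card; it is not the
seller's software nor libnfc/Proxmark code. How a real card treats
out-of-order or malformed frames is an assumption of the simulation.
"""
from functools import reduce
from operator import xor

ACK, NAK = b"\x0a", b"\x04"  # 4-bit ACK as seen in the trace; NAK value assumed


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 type A CRC (preset 0x6363), appended LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def build_block0(uid: bytes, sak: int, atqa: bytes, tail: bytes) -> bytes:
    """Manufacturer block as seen on these cards: UID(4), BCC, SAK, ATQA(2), 8 bytes."""
    if len(uid) != 4 or len(atqa) != 2 or len(tail) != 8:
        raise ValueError("expected UID(4), ATQA(2) and an 8-byte tail")
    return uid + bytes([reduce(xor, uid), sak]) + atqa + tail


def check_block0(block: bytes) -> list:
    """Problems a reader would trip over while selecting the card (empty if none)."""
    if len(block) != 16:
        return ["block 0 must be 16 bytes"]
    problems = []
    if block[4] != reduce(xor, block[:4]):
        problems.append("BCC 0x%02X does not match the UID" % block[4])
    if block[5] & 0x20:
        problems.append("SAK 0x%02X announces ISO 14443-4, not MIFARE Classic" % block[5])
    return problems


class MagicCard:
    """Card side of the backdoor: HALT -> 0x40 (7 bits) -> 0x43 -> raw access."""

    def __init__(self, block0: bytes):
        self.blocks, self.state, self.pending = {0: block0}, "idle", None

    def transceive(self, frame: bytes, bits: int = 8):
        """Answer one reader frame; None where a real card stays silent."""
        if frame == b"\x50\x00" + crc_a(b"\x50\x00"):
            self.state, self.pending = "halted", None
            return None  # HALT is never answered
        if self.state == "halted" and frame == b"\x40" and bits == 7:
            self.state = "unlock1"
            return ACK
        if self.state == "unlock1" and frame == b"\x43" and bits == 8:
            self.state = "unlocked"
            return ACK
        if self.state != "unlocked" or bits != 8:
            return NAK
        if self.pending is not None:  # second half of a write: 16 bytes + CRC
            blk, self.pending = self.pending, None
            if len(frame) != 18 or frame[16:] != crc_a(frame[:16]):
                return NAK
            self.blocks[blk] = frame[:16]
            return ACK
        if len(frame) == 4 and frame[2:] == crc_a(frame[:2]):
            if frame[0] == 0xA0:  # write: accept, then expect the data frame
                self.pending = frame[1]
                return ACK
            if frame[0] == 0x30:  # read: 16 bytes + CRC, no key involved
                data = self.blocks.get(frame[1], bytes(16))
                return data + crc_a(data)
        return NAK


def unlock(card: MagicCard) -> bool:
    """Reader side: HALT (no reply expected), 0x40 as a 7-bit frame, then 0x43."""
    card.transceive(b"\x50\x00" + crc_a(b"\x50\x00"))
    return card.transceive(b"\x40", bits=7) == ACK and card.transceive(b"\x43") == ACK


def write_block(card: MagicCard, blk: int, data: bytes) -> bool:
    """Two-step MIFARE write with no authentication: A0+blk+CRC, ACK, data+CRC, ACK."""
    head = bytes([0xA0, blk])
    return (card.transceive(head + crc_a(head)) == ACK
            and card.transceive(data + crc_a(data)) == ACK)


def read_block(card: MagicCard, blk: int):
    """Unauthenticated read; None if the card NAKs or the CRC is wrong."""
    head = bytes([0x30, blk])
    reply = card.transceive(head + crc_a(head))
    if reply is None or len(reply) != 18 or reply[16:] != crc_a(reply[:16]):
        return None
    return reply[:16]
```

A write attempted before `unlock()` is refused, which is the behaviour #21 ran into when the MIFARE write was sent without the preceding frames; after the three unlock frames the same `A0 00` write goes through with no key. The answer to the CRC question at the end of #50 is visible in the trace of #26: `a0 00 5f b1` and the 16 data bytes followed by `c2 40` both carry a CRC_A, and `crc_a()` regenerates those trailers.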
