Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Since I have a generation 1, I can't use the normal "hf mf wrbl"..
Using the "hf mf csetblk" instead, will write it, but will make my tag unreadable since the bcc & atqa & sak is wrong.
My magic tag is not configured for 7 bytes uid, I guess
Online
Can you tell us where do you get that card ?
Offline
i input the correct atqa & sak but it still locked 100%, as you can see the previous post. I believed your magic card now locked 50%.
I really don't understand why is it "locked" for 7 bytes UID, since all input are correct..
@Asper, you can get the cards at alibaba or ebay .
Offline
Nop, my card is not locked at all. It is still writeable, if you know what to do.
Online
mine is generation 2
Offline
I never seen a magic tag that was able to handle 7bytes UID. Has someone sold you a magic tag the claims to handle 7byte UID? If so, where did you buy it?
Online
Since you don't have 7 bytes tag, you can try 4 bytes magic card with this cmd " hf mf wrbl 0 A FFFFFFFFFFFF 04265f82f43880084400120111001514 ".
Then you tell me what happen.
No, you shouldn't do that! As iceman has pointed out, the SAK and ATQA will be wrong. Writing an inconsistent Block 0 to a Magic card might result in bricking the card. Probably this is what happened.
All the answers are posted earlier, from the output, please take a closer look .
Unfortunately not. You have posted lots of output but never mentioned if this is from reading/writing your original card or clone. You also still haven't answered if you are trying to write to a standard blank card or a magic card. And if it is a magic card it is still yet unclear if it is a 7 Byte version (if such a card exists).
Offline
My experience with generation 1 tags, is that you just need to ignore the standard ISO commands and write to the tag the new data. (works)
If you are using the standard "hf mf wrbl" commands, to write to a generation 2 tag, AND you made a wrong ATQA&SAK, you most likley as Piwi says bricked it. However Magic tags are usually magic for a reason.
Using "hf mf wrbl", you should know that they are following the ISO standard, and since your magic tag is not following the standrad anymore, the second write command to the tag fails.
You need to understand that what fails is the "iso_select_tag", and IF (big if) since I don't know how generation 2 tags responds to direct commands, you can issue a series of "hf 14a raw" commands where you write the new data.
Since I don't have any Generation 2 tags, I can't help you.
The only one claiming to by 7uid, with 0x00 as UID default is this one:
http://item.taobao.com/item.htm?spm=a23 … =17#detail
Online
This is the magic card, default data, is it exist ? or fake ??
proxmark3> hf 14a reader
ATQA : 00 44
UID : 00 00 00 00 00 00 00
SAK : 08 [2]
MANUFACTURER : no tag-info available
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 da bc 19 10 f0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : da bc 19 10
Answers to chinese magic backdoor commands: NO
proxmark3>
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
Offline
Looks like the one I linked to from TaoBao with all 0x00 default UID.
However, I have no clue how this card works. On a generation 1 tag, the bytes 567 is for ATQA & SAK. But what is valid for your magic tag generation2 with 7bytes uid, I have no clue.
If you got some information from your supplier about the specifics for your tag, do please share it to the community.
Online
since nobody have experience with this magic card, then i quit further testing. no fun ..
Offline
You should ask the seller about the details of your tag. Otherwise nobody will be able to help you.
Online
I got another magic card from other seller, anyone have the same card with me and tested it before ?
proxmark3> hf 14a reader
ATQA : 00 44
UID : 77 77 77 77 77 77 77
SAK : 08 [2]
MANUFACTURER : no tag-info available
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
SAK incorrectly claims that card doesn't support RATS
ATS : 09 78 00 91 02 da bc 19 10 f0 05
- TL : length is 9 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 9 (FWT = 2097152/fc)
- TC1 : NAD is NOT supported, CID is supported
- HB : da bc 19 10
Answers to chinese magic backdoor commands: NO
proxmark3>
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:0 key type:A key:ff ff ff ff ff ff
#db# READ SECTOR FINISHED
isOk:01
data : 77 77 77 77 77 77 77 77 77 77 77 77 77 77 77 77
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
proxmark3>
Offline
Yes, me too , i'm waiting for the seller to reply me. the atqa did not match, but is able to read. strange ??
Offline
Gentlemen
I tried running a nested attack as i have one known key but i get:
Tag isn't vulnerable to Nested Attack (random numbers are not predictable).
I tried running it many times but it keeps failing. So obviously i have the new mifare 4k classic with the new random number generator so nested and darkside will not work.
What are my options? Is my only hope sniffing between a reader and a card?
What if i can't find a way to trigger the reader to read all sectors (=all keys for all sectors)?
I want all keys so i can do a full dump.
I got the known key by sniffing between reader and card but i could only extract 1 key.
P.S This card is already cracked and the keys are known and included in the library but i want to learn by doing it myself. This is insanely fun
Last edited by raptor (2016-12-10 16:02:14)
Offline
Read up on the hardnested attack. (Not in the main trunk yet because it requires a compiler update.)
Offline
Read up on the hardnested attack. (Not in the main trunk yet because it requires a compiler update.)
Huh? What compiler update? I had developed it with gcc 4.7.2. I didn't push to master yet, because it is not finished and some bugs need to be fixed.
Offline
The BF solver needs a compiler update, not your part.
Online
Thanks marshmellow, I'm checking it out.
First part->I'm having problems getting iceman's fork working on my setup.
Offline