Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-06-04 15:29:11

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

7 byte UID S70 magic card...not magic?

I got some 7 byte UID S70 "magic cards". This is the English description of the product (copy and paste): "13.56mhz MF4K S70 0 Block Writable 7 Byte UID Changeable Rewritable RFID Card Chinese Magic Card". I ran "hf search" and they don't seem to be magic

pm3 --> hf search
 UID : 04 12 19 C3 21 93 16
ATQA : 00 42
 SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1 | 4k Ev1
MANUFACTURER : NXP Semiconductors Germany
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: WEAK

[+] Valid ISO14443-A Tag Found

I tried "hf mf wrbl 0 a ffffffffffff" but

pm3 --> hf mf wrbl 0 a ffffffffffff 0497ca4a913780894400c20000000000
--block no:0, key type:A, key:FF FF FF FF FF FF FF
--data: 04 97 CA 4A 91 37 80 89 44 00 C2 00 00 00 00 00
#db# Cmd Error: 04
#db# Write block error
isOk:00

If I run "hf 14a reader" and "hf list 14a" in a row I get

pm3 --> hf 14a reader
 UID : 04 12 19 C3 21 93 16
ATQA : 00 42
 SAK : 18 [2]
[+] field dropped.
pm3 --> hf list 14a
Recorded Activity (TraceLen = 133 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |42  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16516 | Tag |88  04  12  19  87                                                       |     |
      19456 |      29920 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
      31172 |      34692 | Tag |1c  13  8b                                                               |     |
      36096 |      38560 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39748 |      45636 | Tag |c3  21  93  16  67                                                       |     |
      48512 |      59040 | Rdr |95  70  c3  21  93  16  67  e7  f4                                       |  ok | ANTICOLL-2
      60228 |      63812 | Tag |18  37  cd                                                               |     |

Did the seller send me normal 7 byte UID S70 tags by mistake? What do you guys think?

Last edited by zantzue (2019-06-05 14:59:28)

Offline

#2 2019-06-05 04:11:22

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: 7 byte UID S70 magic card...not magic?

I am interested in this for a different reason, I am looking at the block 0 data format.
Note there are Magic Cards that if true magic cards will support the magic functions.
e.g.
csetuid          Set UID for magic Chinese card
csetblk          Write block - Magic Chinese card
cgetblk          Read block - Magic Chinese card
cgetsc           Read sector - Magic Chinese card
cload            Load dump into magic Chinese card
csave            Save dump from magic Chinese card into file or emulator

So you could try the csetblk command to write to block 0
But since pm3 did not detect it as magic it could be a UID  gen 2 card.

from my understanding there are 3 types of UID changable cards.
a) Magic (gen 1)
b) CUID where they don't support the magic functions but do allow the write of block 0
c) FUID this is like a full mifare card, but the block 1 is "blank" and you can change it ONCE.

NOTE: if b or c you could "break" the card if block 0 is not correct (this is what I am trying to learn now, so happy to be corrected).
What is the correct format for block 0 and what would make it invalid.
So far, best I can figure is if its a NXP Mifare then byte 1 MUST be some specific value to say its 7 bytes, else it will be 4 bytes.
Then if you take the UID and XOR each value, that should be the Check Sum Byte (the very next byte after the UID)
e.g. XX XX XX XX cs <other data> or XX XX XX XX XX XX XX cs <other data>

That said, what is the data in block 3 (the permissions)
Maybe you cant write with the A key, so you can try the B key

Note the CUID/FUID are about being as close to the original card but allow you to change the UID.  Some systems new will auto call the csetuid for block 0 then read.  so if it supports that it will break the clone, others will try a normal write for the same task.

Could you post the cards current Block 0 and 3
Thanks

Last edited by mwalker (2019-06-05 04:15:30)

Offline

#3 2019-06-05 07:51:02

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: 7 byte UID S70 magic card...not magic?

pm3 --> hf mf wrbl 0 a ffffffffffff 0497ca4a913780894400c20000000000
--block no:0, key type:A, key:80 D1 2B 91 6E 71

The key in the second line doesn't match the key in the first line. Did you edit the output? Are you sure that you are using the correct key? Which key do you get with 'hf mf mifare'? Did you flash the firmware which matches your client software?

Offline

#4 2019-06-05 14:54:10

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

Ups! My fault. I edited the output and made a mistake :S. This is what I see when I run the client

pm3 ~$ ./client/proxmark3.exe com9

Proxmark3 RFID instrument


 [ CLIENT ]
 client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: iceman// 2018-12-30 00:52:24
      os: iceman// 2018-12-30 00:52:37

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 237342 bytes (45%) Free: 286946 bytes (55%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

I've just taken a brand new magic tag. I ran "hf mf darkside"

pm3 --> hf mf darkside
--------------------------------------------------------------------------------

executing Darkside attack. Expected execution time: 25sec on average
press pm3-button on the proxmark3 device to abort both proxmark3 and client.
--------------------------------------------------------------------------------

..
[-] card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown
[-] generating polynomial with 16 effective bits only, but shows unexpected behaviour.

I read block 0 by using ffffffffffff key A

pm3 --> hf mf rdsc 0 a ffffffffffff
--sector no:0 key type:A key:FF FF FF FF FF FF

isOk:01
data   : 04 12 19 C3 21 93 16 98 42 00 E3 20 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data   : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 FF 07 80 69 FF FF FF FF FF FF

And then I tried to write block 0

pm3 --> hf mf wrbl 0 a ffffffffffff 0497ca4a913780894400c20000000000
--block no:0, key type:A, key:FF FF FF FF FF FF
--data: 04 97 CA 4A 91 37 80 89 44 00 C2 00 00 00 00 00
#db# Cmd Error: 04
#db# Write block error
isOk:00

Edit: UPDATE
I sent a message to the seller and he has just answered back: "...Hi again The card we use lastest chip , Gen 3 . promark 3 software not update yet . Now we have the card tool for ACR122 device ."

Gen3 card? First news. @Iceman I saw your videos about magic tags and you don't speak about them. I know those videos are "old" but it seems to me that we may have here a new type of tag. Would you like to get one? If you think this would contribute in any way to the proxmark3 development (new scripts or whatever), I can send you one anywhere in the world.

Last edited by zantzue (2019-06-05 15:45:03)

Offline

#5 2019-06-05 17:09:53

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: 7 byte UID S70 magic card...not magic?

[ ARM ]
bootrom: iceman// 2018-12-30 00:52:24
      os: iceman// 2018-12-30 00:52:37

Firmware from December 2018. I assume that you are using newer client software. Either downgrade client software or upgrade firmware. They must match.

Offline

#6 2019-06-05 21:57:01

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: 7 byte UID S70 magic card...not magic?

Can we get the command sequence to set the uid?

Offline

#7 2019-06-06 07:29:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: 7 byte UID S70 magic card...not magic?

Dunno,
maybe its related to this tag?
http://www.proxmark.org/forum/viewtopic … 188#p32188

Offline

#8 2019-06-06 14:39:07

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

@mwalker
Is this what you're asking for?

pm3 --> hf mf wrbl 0 a ffffffffffff 0497ca4a913780894400c20000000000
--block no:0, key type:A, key:FF FF FF FF FF FF
--data: 04 97 CA 4A 91 37 80 89 44 00 C2 00 00 00 00 00
#db# Cmd Error: 00
#db# Write block error
isOk:00
pm3 --> hf 14a list
trace pointer not allocated
Recorded Activity (TraceLen = 202 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |42  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16516 | Tag |88  04  12  19  87                                                       |     |
      62720 |      73184 | Rdr |93  70  88  04  12  19  87  16  f9                                       |  ok | SELECT_UID
      74436 |      77956 | Tag |1c  13  8b                                                               |     |
      79360 |      81824 | Rdr |95  20                                                                   |     | ANTICOLL-2
      83012 |      88900 | Tag |c3  21  93  16  67                                                       |     |
      91776 |     102304 | Rdr |95  70  c3  21  93  16  67  e7  f4                                       |  ok | ANTICOLL-2
     103492 |     107076 | Tag |18  37  cd                                                               |     |
     109312 |     114016 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
     120132 |     124868 | Tag |46  03  e5  cb                                                           |     |
     134144 |     143456 | Rdr |58! 0c! cb  59  b6  3a! 79! e9!                                          | !crc|
     146756 |     151428 | Tag |08  38! 65! 63                                                           |     |
     157440 |     162144 | Rdr |af! 9f  8f  d2                                                           | !crc| AUTH_ANSW

Offline

#9 2019-06-06 23:52:06

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: 7 byte UID S70 magic card...not magic?

Sorry, I was refering to the seller suppling some more detail
Quote:

Hi again The card we use lastest chip , Gen 3 . promark 3 software not update yet . Now we have the card tool for ACR122 device

So if they have the tool to do it, then they may have the "instructions/commands" to just tell us (save some time).

Offline

#10 2019-06-07 12:35:13

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

Oh, I see. I sent another message to the seller. They are supossed to be raw commands, aren't they?

Last edited by zantzue (2019-06-07 14:48:48)

Offline

#11 2019-06-07 14:42:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: 7 byte UID S70 magic card...not magic?

Where did you buy it from?

Offline

#12 2019-06-07 14:47:19

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

Aliexpress https://es.aliexpress.com/item/13-56mhz-MF4K-S70-0-Block-Writable-7-Byte-UID-Changeable-Rewritable-RFID-Card-Chinese-Magic/33003942691.html?spm=a219c.10010108.1000016.1.54be429aH1SFdX&isOrigTitle=true

Offline

#13 2019-06-08 04:38:00

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: 7 byte UID S70 magic card...not magic?

Quick Correction:

Seems that the card knows its 4,7 or 10 bytes.  The Checksum is only for transmission of the UID and not stored on the card.
A good reference is : AN10927
that said, UID0 (first byte) does have special and restricted use (As covered in AN10927)

e.g. on a 4 byte UID if you set UID0 to 0x88 it seems to make the card un-selectable as the reader is expecting a bigger UID but the card wont send it since its only a 4 byte UID.

The magic card let me update block 0 again via the csetuid and csetblk, but I expect the CUID and FUID would be dead as you wont be able to selected the card to update.

Offline

#14 2019-06-10 16:03:54

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

This is a part of the message I sent to the seller:

"...I would like to know what the command sequence to set the uid is. I want to post it on the proxmark forum so that some devs can update proxmark sofware. That would make your cards pm3 compatible and, by the way, you may sell more magic cards."

Today he has just answered back:

"That's great ! I ask my engieer, waiting reply."

Not sure what kind of information I'm going to get but I'll share it here.

EDIT:

Another message: "Hi. Yes, forgot reply you , my engieer is updating the PM3 software."

Last edited by zantzue (2019-06-13 06:30:11)

Offline

#15 2019-06-20 15:41:36

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

I bought an acr122u and I can set a 7-byte UID (many times) on s50 (yep, I got s50 gen3 cards also) and s70 non-magic cards. I can edit the whole block 0 but I can't set ATQA nor SAK.Or, at least, I tried with no luck. I got the program the seller supplies. @Iceman are inrerested in getting the program? It's called PCSC Mifare.

Offline

#16 2019-06-20 19:18:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: 7 byte UID S70 magic card...not magic?

Yes!
definitly interested in that software.  Been trying to get hold of it   smile
Noone has the gen3 command sequence yet

Offline

#17 2019-06-20 21:31:16

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

There you go! https://www.dropbox.com/s/7rwcu3y5lptss77/PCSC_Mifare%20V2.2.0%20Release%20New.rar?dl=0 I used the main window (the one in English). If you press Scan/Write tag, it's in chinese but I used an online image traslator and got this
10fwegj.png
With that program I could change the UID. The seller also gave me this https://www.dropbox.com/s/vxhibjp287ef4cv/ACR122%20SDK%20New%202019.rar?dl=0 (a bunch of programs). I don't really think you need it but just in case...

Last edited by zantzue (2019-06-20 21:32:29)

Offline

#18 2019-06-20 22:21:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: 7 byte UID S70 magic card...not magic?

Awesome!

Thanks!

Offline

#19 2019-06-21 12:21:00

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: 7 byte UID S70 magic card...not magic?

thx 4 sharing the software
where to buy those gen3 cards? The AliExpress link is not valid anymore ...

Offline

#20 2019-06-21 12:52:04

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

Here's the link https://es.aliexpress.com/item/13-56mhz-MF4K-S70-0-Block-Writable-7-Byte-UID-Changeable-Rewritable-RFID-Card-Chinese-Magic/33003942691.html?spm=a219c.10010108.1000016.1.692b429aWCHUEl&isOrigTitle=true. We can't set ATQA and SAK on those tags. Just the UID (well, whole block 0, in fact).  I asked the seller and he said that 7-byte UID s50 tags need customization if I want them to be ATQA and SAK writable. I may place an order of customized tags but it has to be a bulk order and I'm not sure how big a bulk order is. Right now I would like to get a sample to make sure I can clone propperly some DI tokens. I've just asked for the price of a bunch of tags. I'm afraid it is going to be too pricey...

Edit: s50 7-byte UID magic cards from the same seller https://es.aliexpress.com/item/13-56mhz-MF1k-S50-0-Block-Writable-7-byte-UID-Changeable-Rewritable-RFID-Card/33001366623.html?spm=a219c.10010108.1000016.1.635e5ae9uAQ6dQ&isOrigTitle=true

Last edited by zantzue (2019-06-21 12:56:52)

Offline

#21 2019-06-24 07:30:35

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: 7 byte UID S70 magic card...not magic?

please keep us updated ...
I cannot access your links:
"¡Vaya! Parece que la página que estás buscando ha sido eliminada o no es accesible temporalmente."

Can you please post the seller name or link to his Aliexpress Shop?

Offline

#22 2019-06-24 09:03:23

zantzue
Contributor
Registered: 2018-12-13
Posts: 38

Re: 7 byte UID S70 magic card...not magic?

The links work for me! On Aliexpress search for "s70 7 Byte". The seller is XCRFID Store https://www.aliexpress.com/store/2224012?spm=a219c.10010108.0.0.74e4429aC57Sum. They sell rewritable 7 byte UID s50 tags also.

Offline

#23 2019-06-24 20:43:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,533
Website

Re: 7 byte UID S70 magic card...not magic?

OK, I have sniffed the commands.   Its one strange kind of tags,  these new cards.
They really mix things up.

Offline

#24 2019-07-05 07:33:08

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: 7 byte UID S70 magic card...not magic?

zantzue wrote:

The links work for me! On Aliexpress search for "s70 7 Byte". The seller is XCRFID Store https://www.aliexpress.com/store/2224012?spm=a219c.10010108.0.0.74e4429aC57Sum. They sell rewritable 7 byte UID s50 tags also.

I solved my issue - atleast I know why I cannot find the mentioned products:
the seller does not ship to my country hmm

Offline

#25 2020-07-23 02:57:49

Kosmic
Contributor
Registered: 2020-05-27
Posts: 5

Re: 7 byte UID S70 magic card...not magic?

Any updates on these cards? I had bought the S70 4byte and the S70 7byte. The only thing I can do is change the UID on both. When I do a HF Search on the 4byte one I get PRNG error managed to get one to read properly somehow. But after trying a few commands on it same Prng Error. the 7byte ones reads fine. Even when they read fine and some times accept write commands, it does not seem to change any data on them. Pretty weird cards. Any info on these would be appreciated.

Offline

Board footer

Powered by FluxBB