Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2017-09-27 22:46:02

chickengun
Contributor
Registered: 2017-09-27
Posts: 7

Writing 0 sector

Hi,

I bought some nfc tags from ebay and they are 0 block writable. I would like to change the whole 0 block of sector 0 (I want to change the whole 16 bytes). What I have achieved so far is to change the uid (first 4 bytes) however the following 12 bytes get wiped.

Info:

proxmark3> hf 14a read
 UID : aa ee ff cc
ATQA : 00 00
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
#db# halt error. response len: 1
Answers to chinese magic backdoor commands: NO

How I changed the uid:

proxmark3> hf mf csetuid aaeeffcc
uid:aa ee ff cc
#db# halt error. response len: 1
No chinese magic backdoor command detected
#db# halt error. response len: 1
#db# Halt error
Couldn't get old data. Will write over the last bytes of Block 0.
new block 0:  aa ee ff cc 00 00 00 00 00 00 00 00 00 00 00 00
#db# halt error. response len: 1
#db# Halt error
Can't set block 0. Error: 2
Can't set UID. Error=2

So after this command I do change the uid to aaeeffcc but the manufacturer information right after it gets wiped (00's).
I would like to change the whole block 0 of sector 0. Apparently the proxmark3 is able to wipe it so in theory it should be writeable as well. How can I do that? hf mf wrbl 0 a ffffffffffff 000102030405060708090a0b0c0d0e0f doesn't work.
Thanks!

Offline

#2 2017-09-28 05:45:08

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Writing 0 sector

You're running chinese commands to a card that isn't detected as chinese (Answers to chinese magic backdoor commands: NO).
Which is why you get "No chinese magic backdoor command detected".
try running "script run formatMifare -x" on the iceman fork then try the "hf mf wrbl" command.

Offline

#3 2017-09-28 18:47:43

chickengun
Contributor
Registered: 2017-09-27
Posts: 7

Re: Writing 0 sector

Yesterday I had a old firmware on my new proxmark3 easy. Today I flashed to the newest. After doing what you suggested I was still not able to revive the tag.

Output:

proxmark3> script run formatMifare -x
--- Executing: formatMifare.lua, args '-x'
----------------------------------------
----------------------------------------

Found:  Unknown (SAK=86)
I don't know how many sectors there are on this type of card, defaulting to 16
Estimating number of blocks: 63
Old key:    FFFFFFFFFFFF
New key:    FFFFFFFFFFFF
New Access: FF0780
----------------------------------------
###     New sector-trailer : FFFFFFFFFFFFFF078000FFFFFFFFFFFF
###     New emptyblock: 00000000000000000000000000000000
###
Do you want to erase this card [y/n] ?y
----------------------------------------
hf mf wrbl  1 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  2 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  3 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl  4 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  5 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  6 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  7 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl  8 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  9 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 10 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 11 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 12 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 13 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 14 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 15 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 16 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 17 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 18 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 19 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 20 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 21 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 22 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 23 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 24 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 25 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 26 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 27 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 28 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 29 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 30 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 31 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 32 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 33 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 34 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 35 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 36 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 37 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 38 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 39 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 40 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 41 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 42 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 43 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 44 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 45 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 46 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 47 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 48 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 49 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 50 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 51 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 52 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 53 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 54 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 55 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 56 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 57 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 58 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 59 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 60 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 61 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 62 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 63 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF

-----Finished

proxmark3> hf 14a read
Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

I have another tag (same tag, same seller) and this is how it should look like:

proxmark3> hf 14a read
 UID : aa 11 e3 d2
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands (GEN 1a): YES

Offline

#4 2017-09-29 07:26:04

Dmanufacturer
Contributor
Registered: 2017-08-15
Posts: 42

Re: Writing 0 sector

chickengun wrote:

Yesterday I had a old firmware on my new proxmark3 easy. Today I flashed to the newest. After doing what you suggested I was still not able to revive the tag.

Output:

proxmark3> script run formatMifare -x
--- Executing: formatMifare.lua, args '-x'
----------------------------------------
----------------------------------------

Found:  Unknown (SAK=86)
I don't know how many sectors there are on this type of card, defaulting to 16
Estimating number of blocks: 63
Old key:    FFFFFFFFFFFF
New key:    FFFFFFFFFFFF
New Access: FF0780
----------------------------------------
###     New sector-trailer : FFFFFFFFFFFFFF078000FFFFFFFFFFFF
###     New emptyblock: 00000000000000000000000000000000
###
Do you want to erase this card [y/n] ?y
----------------------------------------
hf mf wrbl  1 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  2 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  3 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl  4 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  5 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  6 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  7 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl  8 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl  9 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 10 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 11 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 12 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 13 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 14 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 15 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 16 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 17 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 18 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 19 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 20 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 21 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 22 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 23 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 24 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 25 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 26 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 27 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 28 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 29 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 30 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 31 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 32 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 33 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 34 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 35 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 36 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 37 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 38 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 39 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 40 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 41 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 42 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 43 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 44 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 45 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 46 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 47 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 48 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 49 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 50 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 51 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 52 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 53 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 54 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 55 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 56 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 57 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 58 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 59 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF
hf mf wrbl 60 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 61 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 62 B FFFFFFFFFFFF 00000000000000000000000000000000
hf mf wrbl 63 B FFFFFFFFFFFF FFFFFFFFFFFFFF078000FFFFFFFFFFFF

-----Finished

proxmark3> hf 14a read
Card doesn't support standard iso14443-3 anticollision
ATQA : 00 00

I have another tag (same tag, same seller) and this is how it should look like:

proxmark3> hf 14a read
 UID : aa 11 e3 d2
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands (GEN 1a): YES

It didn't work because you're not using the iceman fork like I told you to. The script on the original does not have the "-x" option as it's an old script.

You can either copy and replace this file: https://github.com/iceman1001/proxmark3 … Mifare.lua

OR

Use/Flash the iceman fork: https://github.com/iceman1001/proxmark3

BUT

Looks like after you flashed to the new firmware it is indeed a Chinese card (Answers to chinese magic backdoor commands (GEN 1a): YES)..

SO

Try running the "hf mf cwipe 1"command to restore it.

Last edited by Dmanufacturer (2017-09-29 07:50:30)

Offline

#5 2017-09-29 19:46:53

chickengun
Contributor
Registered: 2017-09-27
Posts: 7

Re: Writing 0 sector

I understand. Thanks.

Just FYI, however the iceman fork should solve it:

proxmark3> hf mf cwipe 1
#db# halt error. response len: 1
Chinese magic backdoor commands (GEN 1a) detected
--blocks count:64 wipe:y fill:n
#db# wipeC error
OK
proxmark3> hf 14a read
iso14443a card select failed

Offline

#6 2017-09-29 20:45:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507
Website

Re: Writing 0 sector

...even I am confused now...
1)  the script doesnt execute the generated commands,  just cut 'nd paste it and you will execute them..  Don't need to flash/compile icemanfork
2) you need latest offical pm3 or iceman fork to program your gen1a tag.  It seems to be one of those tags that answers the halt command. The command should been executed anyway (if you are on the latest source)
3) set a new UID with   hf mf csetuid since you seem to have messed it up. I'm guessing a faulty BCC value.  This should enable your tag again.

Online

Pages: 1

Board footer

Powered by FluxBB