Support "Gen3" magic tags #336

Open
ikarus23 opened this issue Jan 30, 2021 · 8 comments
Comments

@ikarus23
Owner

ikarus23 commented Jan 30, 2021

The new MIFARE Classic special/magic cards "Gen3" should be configurable using Android. The configuration commands are just issued using the APDU structure: https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-gen3-aka-apdu

The main goal is to implement an extra Gen3 configuration tool. A great addition would be to have writing to block 0 of Gen3 seamlessly integrated into the rest of the application flow.

A way to detect Gen3 cards is to read block 0 without authentication. If this works it should be Gen3.

@ikarus23
Owner Author

ikarus23 commented Feb 1, 2021

@doegox:

What I noticed is that using the APDU to change the UID doesn't change the block0 (which can still contain the previous UID), but using APDU to write block0 seems to change both block0 (with ATQA/SAK/BCC corrected) and UID.

@ikarus23
Owner Author

ikarus23 commented Feb 1, 2021

Step 1: I need to buy Gen3 tags!

@ikarus23
Owner Author

I got some tags. I did some implementation. It did change the UID but it also bricked my tag (partially). All very strange. The function is part of master (bd5d481) but it is not used/triggered for now.

Maybe someone is willing to contribute to testing at the risk of breaking gen3 tags? :)

@Aendrew87

Hey,

Just tried your modifications - yes, it modified the UID and bricked the card :)

The card is detected with the new UID (on Android and Linux (nfc-list)).
Your app is not able to read the card (got a timeout) - mfoc returns "UNKNOWN_KEY" and "No sector encrypted with the default key has been found, exiting..".

This was the card I used:
https://www.amazon.com/dp/B07QM1GWL6?ref_=cm_sw_r_cp_ud_dp_DF1G8SNVF3R3B8DXXYSH

I had to modify one line to get it to compile

writeGen3block0 = writeBlock0Gen3(data, key, useAsKeyB);

into

writeGen3block0 = writeBlock0Gen3(data);

@Aendrew87

What I found while looking at the output of the app:

block 0 of original card:
04 12 19 c3 cc 98 02 00 64 8e 85 94 41 10 38 07

block 0 the app tries to write:
04 12 19 c3 cc 98 02 08 44 00 85 94 41 10 38 07

@ikarus23
Owner Author

Hi @Aendrew87! Thank you very much for testing and I'm sorry for your loss of a card. The behavior you're describing sounds exactly the same as what I experienced.

Interesting catch with the difference in writing. How did you observe it? Were you able to read block 0 after it was written? Did you emulate a card and look at what MCT was trying to write?

The three bytes in question should be the ATQA and the SAK. The 08 44 00 seem to be the correct values. Somebody noticed that "ATQA and SAK bytes are automatically replaced by fixed values" on Gen3 tags when writing block0. But to my knowledge this is done by the card, and not Android/MCT. Also, this makes the original block look strange...
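To make the byte positions discussed above concrete, here is an added example (not code from MCT or from anyone in this thread) that decodes the two block-0 dumps quoted by @Aendrew87 under both the 4-byte-UID and the 7-byte-UID MIFARE Classic block-0 layouts, checks the BCC the reader verifies, and lists the differing bytes. Which layout this particular card really uses is not settled in the thread; the code only shows both readings.

```python
# Added example, not part of the MCT project or this issue: decode the two
# block-0 dumps quoted above and locate the bytes that differ.
# Assumed layouts for MIFARE Classic block 0:
#   4-byte UID: UID0..3 | BCC | SAK | ATQA(2) | manufacturer data(8)
#   7-byte UID: UID0..6 | SAK | ATQA(2) | manufacturer data(6)  (no BCC byte)
from typing import Dict, List, Optional, Tuple

# The two dumps from the comment above (constructed copies of the quoted bytes).
ORIGINAL = "04 12 19 c3 cc 98 02 00 64 8e 85 94 41 10 38 07"
WRITTEN = "04 12 19 c3 cc 98 02 08 44 00 85 94 41 10 38 07"


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the UID bytes of one cascade level."""
    result = 0
    for b in uid:
        result ^= b
    return result


def parse_block0(hex_str: str, uid_len: int) -> Dict[str, object]:
    """Split a 16-byte block 0 into UID, SAK, ATQA and manufacturer data."""
    data = bytes.fromhex(hex_str.replace(" ", ""))
    if len(data) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    bcc_ok: Optional[bool]
    if uid_len == 4:
        uid, rest = data[:4], data[5:]
        bcc_ok = data[4] == bcc(uid)  # byte 4 must be the XOR of bytes 0..3
    elif uid_len == 7:
        uid, rest = data[:7], data[7:]
        bcc_ok = None  # 7-byte cards carry their BCCs only in anticollision frames
    else:
        raise ValueError("uid_len must be 4 or 7")
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc_ok,
        "sak": rest[0],
        "atqa": rest[1:3].hex(),
        "manufacturer": rest[3:].hex(),
    }


def diff_block0(a_hex: str, b_hex: str) -> List[Tuple[int, int, int]]:
    """Return (offset, byte_in_a, byte_in_b) for every byte that differs."""
    a = bytes.fromhex(a_hex.replace(" ", ""))
    b = bytes.fromhex(b_hex.replace(" ", ""))
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    print("4-byte reading of original:", parse_block0(ORIGINAL, 4))
    print("7-byte reading of written: ", parse_block0(WRITTEN, 7))
    print("differences:", diff_block0(ORIGINAL, WRITTEN))
```

Under the 4-byte layout the original dump has a valid BCC (0xcc) but SAK 0x98; under the 7-byte layout the written dump reads as SAK 0x08 with ATQA 44 00, and exactly offsets 7, 8 and 9 differ between the two.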

@82ghost82

82ghost82 commented May 12, 2024

It seems I have one of these gen3 cards and I confirm this is one of the strangest cards I have had in my hands.
I'm sure it "was" a 7-byte UID 4K card. I was experimenting with how to write block 0 with an ACR122U without the PCSC MIFARE software provided for these cards.
Following the proxmark commands I tried to write the whole block 0 with command 90 F0 CC CC 10 <block0>; so I provided a proper block 0 for a 7-byte card.
From that moment the card started acting strangely. I couldn't read the sectors because no key was found, and I never changed the default ffffffffffff keys. After running the PCSC software again I was able to read the card again (can't remember the exact steps but I played with the 4-byte UID fields..) but listen...now the card is a 4-byte UID 4K instead of 7-byte UID...and...if I change the 4-byte UID I cannot read the card anymore, because I found that probably the new UID that is written in block 0 is different from the one read by the NFC reader. But I can still change the other things in block 0. Note that I never blocked block 0, nor used the lock command.
A Proxmark3 is on its way home, I need to try with it and see if I could restore this card to 7-byte 4K, but I don't think it will be a success. No sense in all of this in my opinion.

@ikarus23
Owner Author

Interesting observations. Scrolling through https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md, it looks like there are special tags which allow changing between 4/7-byte UIDs. Never had one of those. Since there are so many magic MIFARE Classic tags now, it's hard to keep track.
