Cloning cloning mifare classic 1k with CUID Gen2 Changeable Magic Card

geir · May 26, 2023, 10:58am

Hi folks. I have been cloning a lot of mifare classic card with the traditional UID Gen1A writable cards.

Recently I have ordered a bunch of CUID Gen2 card with the Magic features. Most of the shop comes with and explanation how to write to the card. But its very unclear for me. The instructions are as follows.

Quote : " The product is as follows:

1,UID card block 0 (UID’s block) can be modified arbitrarily.

2, card of the default password for 12 F,FFFFFFFFFFFF.

3,CUID Support phone NFC android App MCT modify UID.

"

So I am not sure how to write/clone card with my PM3. Can anyone with expert insight please explane a newbe how to to this step by step ?

Have a nice day guys - Regards Geir

Equipter · May 26, 2023, 3:17pm

you change the manufacture block (block 0) using a normal write command

hf mf wrbl —blk 0 -k FFFFFFFFFFF -d [new block 0 data]

you’d take the block 0 from the card you’re copying.

DO NOT mess around and try random values you can and will brick your card if you write an invalid block 0. you need to be precise

geir · May 26, 2023, 3:36pm

What about the rest of the sectors. This will only alter the UID?

amal · May 26, 2023, 3:50pm

The rest of the sectors are written exactly the same way. This is what he meant by saying it’s just a standard write command for the Gen 2 magic chips.

Gen1a chips have a back door command you have to send before you can do a special write command for block 0, but gen2 chips just have a sector 0 (block 0) that is writable like any other sector/block. Therefore you simply use the standard write commands to write to sector 0 that you’d use to write to 1 or 4 or 9… just change the -blk 0 to -blk 1 or 7 or 3 etc.

geir · May 26, 2023, 4:11pm

Ok so basically what you saying is that if I change UID

hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 000102030405060708090a0b0c0d0e0f

and then the normal clone command

hf mf cload -f hf-mf-42588E09-dump.bin

Will clone the card?

Result

pm3 → hf mf wrbl --force --blk 0 -k FFFFFFFFFFFF -d 000102030405060708090a0b0c0d0e0f
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[#] Cmd Error: 04
[#] Write block error
[+] Write ( ok )
[?] try hf mf rdbl to verify
[usb] pm3 → hf mf cload -f hf-mf-42588E09-dump.bin
[+] loaded 1024 bytes from binary file hf-mf-42588E09-dump.bin
[=] Copying to magic gen1a card
[=] .[#] wupC1 error
[!] Can’t set magic card block: 0

Equipter · May 26, 2023, 6:09pm

no because cload is for gen1a chinese magic backdoor cards. a cuid is direct write which means the block 0 is written like a normal block.

hf mf restore -h should give you what you need.

note: supply the -f tag data file from the tag you’re making a copy OF

and the -k flag as the key file for the tag you’re writing TO. these should not be files pertaining to the same card or you’re doing it wrong.

Pilgrimsmaster · May 27, 2023, 1:01am

This is what I use EVERY SINGLE TIME to change the UID & copy the sectors

For me, it’s far easier than a Proxmark, if for no other reason than I “always” have my phone with me, but not my PM3 and laptop