Cloning mifare classic 1k with CUID Gen2 Changeable Magic Card

Hi folks. I have been cloning a lot of mifare classic cards with the traditional UID Gen1A writable cards.

Recently I have ordered a bunch of CUID Gen2 cards with the Magic features. Most of the shops come with an explanation of how to write to the card, but it's very unclear to me. The instructions are as follows.

Quote : " The product is as follows:

1,UID card block 0 (UID’s block) can be modified arbitrarily.

2, card of the default password for 12 F,FFFFFFFFFFFF.

3,CUID Support phone NFC android App MCT modify UID.

"

So I am not sure how to write/clone a card with my PM3. Can anyone with expert insight please explain to a newbie how to do this step by step?

Have a nice day guys - Regards Geir

You change the manufacturer block (block 0) using a normal write command:

hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d [new block 0 data]

You’d take the block 0 from the card you’re copying.

DO NOT mess around and try random values; you can and will brick your card if you write an invalid block 0. You need to be precise.

What about the rest of the sectors? Will this only alter the UID?

The rest of the sectors are written exactly the same way. This is what he meant by saying it’s just a standard write command for the Gen 2 magic chips.

Gen1a chips have a back door command you have to send before you can do a special write command for block 0, but gen2 chips just have a sector 0 (block 0) that is writable like any other sector/block. Therefore you simply use the standard write commands to write to sector 0 that you’d use to write to 1 or 4 or 9… just change the --blk 0 to --blk 1 or 7 or 3 etc.

OK, so basically what you're saying is that if I change the UID

hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 000102030405060708090a0b0c0d0e0f

and then the normal clone command

hf mf cload -f hf-mf-42588E09-dump.bin

Will clone the card?

Result

pm3 → hf mf wrbl --force --blk 0 -k FFFFFFFFFFFF -d 000102030405060708090a0b0c0d0e0f
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[#] Cmd Error: 04
[#] Write block error
[+] Write ( ok )
[?] try hf mf rdbl to verify
[usb] pm3 → hf mf cload -f hf-mf-42588E09-dump.bin
[+] loaded 1024 bytes from binary file hf-mf-42588E09-dump.bin
[=] Copying to magic gen1a card
[=] .[#] wupC1 error
[!] :warning: Can’t set magic card block: 0
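
A pre-write sanity check for the block 0 warning earlier in the thread, as an added example that is not part of the original posts: it checks the 16-byte length, the BCC (byte 4, the XOR of the four UID bytes) and the reserved cascade-tag value for the 4-byte-UID layout. The function names and the DEADBEEF sample block are constructed for illustration.

```python
# Added example: sanity-check a MIFARE Classic block 0 (4-byte UID layout)
# before it is written to a direct-write (CUID / Gen2) card.

DUMP_SIZE_1K = 1024   # size of a MIFARE Classic 1K dump, as in the pm3 output
BLOCK_SIZE = 16


def check_block0(hex_block):
    """Return a list of problems; an empty list means the checks passed."""
    try:
        raw = bytes.fromhex(hex_block)
    except ValueError:
        return ["not valid hex"]
    if len(raw) != BLOCK_SIZE:
        return ["block must be 16 bytes, got %d" % len(raw)]

    problems = []
    uid, bcc = raw[0:4], raw[4]
    # BCC is the XOR of the four UID bytes; a mismatch makes block 0 invalid.
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    if bcc != expected:
        problems.append("BCC is %02X, expected %02X" % (bcc, expected))
    # 0x88 is the ISO 14443-3 cascade tag and is not a valid first UID byte.
    if uid[0] == 0x88:
        problems.append("first UID byte 88 is the cascade tag")
    return problems


def block0_from_dump(dump):
    """Extract block 0 (as hex) from a 1K dump of the card being copied."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError("expected a %d-byte dump" % DUMP_SIZE_1K)
    return dump[:BLOCK_SIZE].hex().upper()


# Block posted in the thread: UID 00010203 XORs to 00, but byte 4 is 04.
THREAD_BLOCK = "000102030405060708090a0b0c0d0e0f"
# Constructed sample: UID DEADBEEF, BCC 22, remaining bytes are made up.
SAMPLE_BLOCK = "DEADBEEF220804000102030405060708"
# Constructed 1K dump whose block 0 is the sample block above.
SAMPLE_DUMP = bytes.fromhex(SAMPLE_BLOCK) + bytes(DUMP_SIZE_1K - BLOCK_SIZE)

if __name__ == "__main__":
    for label, blk in (("thread", THREAD_BLOCK),
                       ("dump", block0_from_dump(SAMPLE_DUMP))):
        print(label, blk, check_block0(blk) or "ok")
```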

No, because cload is for gen1a Chinese magic backdoor cards. A CUID is direct write, which means block 0 is written like a normal block.

hf mf restore -h should give you what you need.

note: supply the -f tag data file from the tag you’re making a copy OF

and the -k flag as the key file for the tag you’re writing TO. these should not be files pertaining to the same card or you’re doing it wrong.

This is what I use EVERY SINGLE TIME to change the UID & copy the sectors

For me, it’s far easier than a Proxmark, if for no other reason than I “always” have my phone with me, but not my PM3 and laptop

Big thanks to everyone over in the iceman discord for helping me recover the ring after I haphazardly wrote bad data to it and figuring out it was a UCUID chip. I got the newer batch of rings that has only one dot, on the T5577 side.


So using the PM3 to retrieve key A and B of the needed sectors, and inputting them manually in MCT (or creating and adding a new key file), would be the easiest way to fully clone a Mifare Classic on a CUID gen2 card.
Is that correct?

If you have a PM3, you might as well use that for the whole process


Assuming that the PM3 is necessary to crack the keys, you’re right, but I am still reading the manual and MCT is a little more straightforward and user friendly!!!
Anyway I have not heard of any Android app that would decipher keys.