DT Magic Ring hf uid programming problem

Just got my DT Magic Ring. Here’s what PM3 shows me:

[usb] pm3 → hf search
[|] Searching for ISO14443-A tag…
[+] UID: 01 45 AC A0
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Auth error
[?] Hint: try hf mf commands
[+] Valid ISO 14443-A tag found

What is the “Auth error” issue?

And leaving the ring on the antenna in the same position as the read, when I try to change the UID hf (mifare) door lock, it won’t. Here’s what I get:

[usb] pm3 → hf mf csetuid -u 7B9763D3
[#] wupC1 error
[=] couldn’t get old data. Will write over the last bytes of block 0
[+] new block 0… 7A9763D35C0000000000000000000000
[#] wupC1 error
[!!] Can’t set UID. error -1
[usb] pm3 →

and another hf search indeed shows that the UID wasn’t changed and is the original one in the ring. I need some help! Thanks in advance.

its a generation 2 ring. which means the hf mf c commands don’t work. they’re got gen1

you need to set block 0 to be identical of that as your old tag, so do hf mf rdbl --blk 0 -k [key] on the old tag and then do hf mf wrbl --blk 0 -d [data] -k [key] on your ring

and that auth error is nothing to worry about it was just a check for a sig that doesn’t exist on your card ))

Thanks, but now I’m in worse trouble, I think. Using “hf mf fchk”, all 32 keys on the fob (and the ring) shows successfully determined as FFFFFFFFFFFF.

So then doing a rdbl of block 0 on the ring before doing any writing shows:
[usb] pm3 → hf mf rdbl --blk 0 -k FFFFFFFFFFFF

[=] # | sector 00 / 0x00 | ascii
[=] ----±------------------------------------------------±----------------
[=] 0 | 01 45 AC A0 48 08 04 00 62 63 64 65 66 67 68 69 | .E…H…bcdefghi

For the door fob, doing a rdbl of block 0 shows:

[usb] pm3 → hf mf rdbl --blk 0 -k FFFFFFFFFFFF

[=] # | sector 00 / 0x00 | ascii
[=] ----±------------------------------------------------±----------------
[=] 0 | 7A 97 63 D3 5D 08 04 00 62 63 64 65 66 67 68 69 | z.c.]…bcdefghi

Now I figured I’m ready to the wrbl in your format (though because it’s the manufacturer block zero, it told me that I had to add a --force). I put in, and got back:

[usb] pm3 → hf mf wrbl --blk 0 -d 7A9763D3480804006263646566676869 -k FFFFFFFFFFFF --force
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 7A 97 63 D3 48 08 04 00 62 63 64 65 66 67 68 69
[+] Write ( ok )
[?] try hf mf rdbl to verify

Doing the rdbl, this is what I put in and got back:

[usb] pm3 → hf mf rdbl --blk 0 -k FFFFFFFFFFFF
[#] BCC0 incorrect, got 0x48, expected 0x5d
[#] Aborting
[#] Can’t select card

That’s worrisome, so I run hf search to see what it says:

[usb] pm3 → hf search
[-] Searching for ISO14443-A tag…[#] BCC0 incorrect, got 0x48, expected 0x5d
[#] Aborting
[!] No known/supported 13.56 MHz tags found

More worrisome. I try to put block 0 back to its original data:

[usb] pm3 → hf mf wrbl --blk 0 -d 0145ACA0480804006263646566676869 -k FFFFFFFFFFFF --force
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 01 45 AC A0 48 08 04 00 62 63 64 65 66 67 68 69
[#] BCC0 incorrect, got 0x48, expected 0x5d
[#] Aborting
[#] Can’t select card
[-] Write ( fail )
[?] Maybe access rights? Try specify keytype hf mf wrbl -b ... instead

and hf search still shows:

[usb] pm3 → hf search
[/] Searching for ISO14443-A tag…[#] BCC0 incorrect, got 0x48, expected 0x5d
[#] Aborting
[!] No known/supported 13.56 MHz tags found

I’m in trouble! Did I somehow render the mifare side of the ring unusable, or is this something I can recover from?

and what u put for wrbl 7A9763D3480804006263646566676869
are not the same values.

and unfortunately to say, because of this incorrectness you overwrote the BCC and SAK to be incorrect so the card isn’t reporting back as a mifare anything anymore

and unfortunately because this is a gen2. that’s not recoverable

EDIT: in future cases i suggest copy and pasting the output from RDBL and just removing the spaces.

Ah, there it is! Expensive but important lesson. Thank you!

At least it wasn’t an implant; more expensive lesson.

I am always very careful with my FlexM1 gen2

Of ever unsure about something, I always (recommend) testing on a test card first.

FYI
That’s why I grabbed a Test card pack

its one youll always remember thats for sure

sorry it had to be learned in such brutal fashion

Is there a pack like that available in the U.S.? A quick search didn’t yield one, but I guess I could buy the elements individually…

None that I am aware of, However, when I bought mine there was only one postage option, But @KaiCastledine has done some work and there are more/ cheaper options now.

I just bought a few more cards from him, and The postage was only…quick head calculation from GPB - NZD - USD would be about USD$10

You might be able to fix it if you are lucky by following the instructions at this page.

I guarantee nothing as I haven’t broken a gen2 card (yet)

@Concorde If you have any luck with @zwack 's suggestion, please let us know, and I will add that to the Handy Dandy thread

OMG, it WORKED! Working down the page there trying the different example commands, the command that finally did the trick was:

hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip

then I was able to write their known sequence for a 1K chip (but adding the --force flag)::
hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 – force

and then go back and do that same command line substituting my ring data that I had captured before I screwed it up. SUCCESS! “Bricked” Gen2 chip recovered!

That “-bcc ignore” option is perfect for my situation (there’s also a “-bcc fix” option that I didn’t try but I presume would have recalculated the proper chksum).

THANK YOU ZWACK for the reference and whoever came up with that! I’ve bookmarked that page.

I am glad that it worked, and yes the Proxmark3 documentation can be rather scattered and odd, but generally it is useful.

@Pilgrimsmaster I guess you need to add that page to the handy tips.