Help - I can't seem to read my Magic Ring

ultimav · November 19, 2021, 12:59am

Hey all

I am new to RFID hacking and the like so bare with me. I recently bought the Magic Ring (Magic Mifare 1k + T5577).

I got the Proxmark3 Easy + Access kit bundle…

I managed to get pm3 up and running on my Mac (Big Sur), and the proxymark3 Easy seems to work… I was able to read and identify and read an work id for example. But I don’t seem to be able to do anything with my Magic Ring.

Heres my ‘hw version’ output

[usb] pm3 --> hw version                      

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
  compiled with Clang/LLVM Apple LLVM 13.0.0 (clang-1300.0.29.3) OS:OSX ARCH:x86_64

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-2027-g177fcbe4 2020-11-19 14:12:28
       os: RRG/Iceman/master/v4.9237-2027-g177fcbe4 2020-11-19 14:13:02
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
  HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 52% used )

[usb] pm3 -->

Heres when i attempt to read the Mifare side of Ring – I have tried a dozen+ different positions on the platform.

[usb] pm3 --> hf search
 🕓  Searching for ISO14443-A tag...          
[+]  UID: 01 50 2D 50 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

 🕓  Searching for FeliCa tag...[=] You can cancel this operation by pressing the pm3 button
[usb] pm3 -->

Lurking around the forum, that ‘# Auth error’ seems to be problem? Mind you have did absolutely nothing to the ring since i took it out of the box, put it on, or set it on the pm3.

If i try the LF (RFID side of the Ring i get the following:

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 

[=]   # | word (msb)  | word (lsb)  | desc
[=] ----+-------------+-------------+--------------------
[=]  32 | 00 00 00 00 | 00 00 00 00 | device serial number (read only)
[=] ----+-------------+-------------+--------------------
[=]  Serial: 00 00 00 00 

[+] Valid EM4x50 ID found!

[usb] pm3 -->

Now you would thing that ‘[+] Valid EM4x50 ID found’ would be a good thing, but I basically get that same output if i run the ‘lf search’ with out anything on the platform, or anything electronic near, on a wood cabinet…

Finally to help with diag if anyone chooses to help… I have also run ‘hw tune’ and its seems to come out ok…

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕔   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 26.61 V - 125.00 kHz
[+] LF antenna: 20.86 V - 134.83 kHz
[+] LF optimal: 26.93 V - 126.32 kHz
[+] Approx. Q factor (*): 7.0 by frequency bandwidth measurement
[+] Approx. Q factor (*): 7.8 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.31 V - 13.56 MHz
[+] Approx. Q factor (*): 4.5 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[!] ⚠️  You appear to be on a MacOS device without XQuartz.
[!] ⚠️  You may need to install XQuartz (https://www.xquartz.org/) to make the plot work.

I did install qt5 from brew before i installed proxmark3, it took forever, but it installed… So graph aside, things look good…

Lastly…

I recognize 2 of the cards in the box with ‘IC-UID’ stamp on the back, and they get recognized as ISO14443-A (MIFARE cards) as well but similar output as my ring. including the Auth Error, but in their case, as ‘Gen 1a’ cards.

ultimav:

Hey all

I am new to RFID hacking and the like so bare with me. I recently bought the Magic Ring (Magic Mifare 1k + T5577).

I got the Proxmark3 Easy + Access kit bundle…

I managed to get pm3 up and running on my Mac (Big Sur), and the proxymark3 Easy seems to work… I was able to read and identify and read an work id for example. But I don’t seem to be able to do anything with my Magic Ring.

Heres my ‘hw version’ output
[usb] pm3 --> hw version                      

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
  compiled with Clang/LLVM Apple LLVM 13.0.0 (clang-1300.0.29.3) OS:OSX ARCH:x86_64

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-2027-g177fcbe4 2020-11-19 14:12:28
       os: RRG/Iceman/master/v4.9237-2027-g177fcbe4 2020-11-19 14:13:02
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
  HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 52% used )

[usb] pm3 --> 
Heres when i attempt to read the Mifare side of Ring – I have tried a dozen+ different positions on the platform.
[usb] pm3 --> hf search
 🕓  Searching for ISO14443-A tag...          
[+]  UID: 01 50 2D 50 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

 🕓  Searching for FeliCa tag...[=] You can cancel this operation by pressing the pm3 button
[usb] pm3 -->                                 
Lurking around the forum, that ‘# Auth error’ seems to be problem? Mind you have did absolutely nothing to the ring since i took it out of the box, put it on, or set it on the pm3.

If i try the LF (RFID side of the Ring i get the following:
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 

[=]   # | word (msb)  | word (lsb)  | desc
[=] ----+-------------+-------------+--------------------
[=]  32 | 00 00 00 00 | 00 00 00 00 | device serial number (read only)
[=] ----+-------------+-------------+--------------------
[=]  Serial: 00 00 00 00 

[+] Valid EM4x50 ID found!

[usb] pm3 --> 
Now you would thing that ‘[+] Valid EM4x50 ID found’ would be a good thing, but I basically get that same output if i run the ‘lf search’ with out anything on the platform, or anything electronic near, on a wood cabinet…

Finally to help with diag if anyone chooses to help… I have also run ‘hw tune’ and its seems to come out ok…
[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕔   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 26.61 V - 125.00 kHz
[+] LF antenna: 20.86 V - 134.83 kHz
[+] LF optimal: 26.93 V - 126.32 kHz
[+] Approx. Q factor (*): 7.0 by frequency bandwidth measurement
[+] Approx. Q factor (*): 7.8 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.31 V - 13.56 MHz
[+] Approx. Q factor (*): 4.5 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[!] ⚠️  You appear to be on a MacOS device without XQuartz.
[!] ⚠️  You may need to install XQuartz (https://www.xquartz.org/) to make the plot work.
I did install qt5 from brew before i installed proxmark3, it took forever, but it installed… So graph aside, things look good…

Lastly…

I was able to read the 2 cards in the box with ‘IC-UID’ as MIFARE, Gen 1a, but with a similar Auth Error. if that helps any. The other 2 blank cards i assume would be ‘LOW Freq’ and they don’t read anything at all

Sincerely!
noobie, but eager to learn.

darthdomo · November 19, 2021, 2:10am

(Just asking a few questions to make debugging easier)

Firstly, did you run pm3-flash-all? You have a mismatch between your client version and your device version. Your ARM bootrom and os versions should be the same as your client. That could very well be the cause of your LF issues.

To expand on that, how did you install it on your Mac? Was it with the guide at this link?

github.com

RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Mac-OS-X-Homebrew-Installation-Instructions.md

# Homebrew (Mac OS X), automatic installation

## Apple Silicon (M1) Notes

Ensure Rosetta 2 is installed as it's currently needed to run `arm-none-eabi-gcc` as it's delivered as a precombiled x86_64 binary.

If you see an error like:

```sh
bad CPU type in executable
```

Then you are missing Rosetta 2 and need to install it: `/usr/sbin/softwareupdate --install-rosetta`

Homebrew has changed their prefix to differentiate between native Apple Silicon and Intel compiled binaries.  The Makefile attempts to account for this but please note that whichever terminal or application you're using must be running under Architecture "Apple" as seen by Activity Monitor as all child processes inherit the Rosetta 2 environment of their parent.  You can check which architecture you're currently running under with a `uname -m` in your terminal.

Visual Studio Code still runs under Rosetta 2 and if you're developing for proxmark3 on an Apple Silicon Mac you might want to consider running the Insiders build which has support for running natively on Apple Silicon.

## Install Proxmark3 tools

This file has been truncated. show original

Also, regarding your LF issues, this may sound silly, but make sure your Proxmark isn’t sitting on a metal surface (i.e. a laptop or a metal desk). I know you mentioned it happening on a wood cabinet, but I just thought I’d make sure.

A sidenote as well, for the Magic 1k side of the ring, it’s gen2 capable, meaning that it’s possible (and a bit easier) to use an Android phone instead, using the app Mifare Classic Tool (MCT). You can still do it with a proxmark, but AFAIK, it’s a little more complicated than a gen1a tag (which is what those cards are).

EDIT:
Also, the Auth error is normal. Try running “hf 14a info”.

ultimav · November 19, 2021, 2:53am

Thanks for the response @darthdomo!

I’ll try to answer you questions…

No had not run the pm3-flash-all command, like i said i am new to all of this, and the little poking around i did i thought since I saw ‘iceman’ and such i thought i was good on the firmware but obviously no, i will run it shortly after post…

I started with guide you linked, but was having trouble with the ‘brew install proxmark3’ kept hanging and failing the build, and after watching it install dependences first, i started to install the dependences independently first, then i ran the ‘install proxmark3’ and that seemed to finally work after what seemed like a couple of hours of compiling.

Fir the Magic 1k, this is the one instance i wish i did have an android phone, in that its pretty much all Apple here otherwise i would be all over using the that app.

I’ll report back after i do the pm3-flash-all command…

ultimav · November 19, 2021, 4:46am

ok things are better…maybe…

So I ran the pm3-flash-all, and it completed successfully…

here is what i see now…
‘hw version’

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
  compiled with Clang/LLVM Apple LLVM 13.0.0 (clang-1300.0.29.3) OS:OSX ARCH:x86_64

 [ PROXMARK3 ]
  device.................... device / fw mismatch
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... absent
  FPC USART for BT add-on... absent

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
       os: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 59% used )

[usb] pm3 -->

I i put my ring on the hw attenna, and run ‘hf search’ i get something closer to right i think

[usb] pm3 --> hf search
 🕔  Searching for ISO14443-A tag...          
[+]  UID: 01 50 2D 50 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 -->

On the low-freq, things look better

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[+] EM 410x ID 2021090050
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 048490000A
[=] HoneyWell IdentKey
[+]     DEZ 8          : 00589904
[+]     DEZ 10         : 0554238032
[+]     DEZ 5.5        : 08457.00080
[+]     DEZ 3.5A       : 032.00080
[+]     DEZ 3.5B       : 033.00080
[+]     DEZ 3.5C       : 009.00080
[+]     DEZ 14/IK2     : 00137993191504
[+]     DEZ 15/IK3     : 000019403898890
[+]     DEZ 20/ZK      : 00040804090000000010
[=] 
[+] Other              : 00080_009_00589904
[+] Pattern Paxton     : 538787408 [0x201D3E50]
[+] Pattern 1          : 393480 [0x60108]
[+] Pattern Sebury     : 80 9 589904  [0x50 0x9 0x90050]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands

So after i got something more, i then went back and looked at xquartz again, and figured out that I actually had an outdated homebrew environment. unshalllowed the repo, and ran update again, and now it was pointing to a valid version of xquartz to install. (Before it was missing the download)… So when i run ‘hw tune’ the graphs work, but it also now claims that the HF antenna is UNUSABLE…

So 2 questions… the

HF claims UNUSABLE from ‘hw tune’
I now see a 'mismatch device/ fw device flag in the ‘hw version’, but HF seems to be reading.

darthdomo · November 19, 2021, 4:52am

Okay so, this is something that I was worried about.

The proxmark version you’ve compiled and installed via homebrew is for the RDV4, not the PM3 Easy.
This is why it says you have firmware for an RDV4, as well as the device/fw mismatch.

The guide mentioned this, but you need to use either this command:
brew install --with-generic proxmark3

or this one, if you want the newer (but less stable) release
brew install --HEAD --with-generic proxmark3

Generic proxmark3 includes the PM3 Easy.

Then, after you get it reinstalled with the --with-generic flag, you’ll need to run pm3-flash-all again.

(you might have to do brew remove proxmark3 before you can reinstall, not sure)

ultimav · November 19, 2021, 5:16am

Wow… That was much quicker of uninstall/reinstall when you have updated libraries…

so i reran ‘pm3’ to make sure it still worked, and it connected up

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
  compiled with Clang/LLVM Apple LLVM 13.0.0 (clang-1300.0.29.3) OS:OSX ARCH:x86_64

 [ PROXMARK3 ]
  device.................... device / fw mismatch
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... absent
  FPC USART for BT add-on... absent

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
       os: RRG/Iceman/master/v4.14434 2021-09-18 21:44:55
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 59% used )

Which as you say is expected…

So now back to the ‘pm3-flash-all’ seems to be failing or taking for ever…
Only light on the device right now is the white on the left side

Danas-MacBook-Pro-2:~ danacleveland$ pm3-flash-all 
[=] Session log /Users/danacleveland/.proxmark3/logs/log_20211119.txt
[+] loaded from JSON file /Users/danacleveland/.proxmark3/preferences.json
[+] About to use the following files:
[+]    /usr/local/Cellar/proxmark3/4.14434/bin/../share/proxmark3/firmware/bootrom.elf
[+]    /usr/local/Cellar/proxmark3/4.14434/bin/../share/proxmark3/firmware/fullimage.elf
[+] Waiting for Proxmark3 to appear on /dev/tty.usbmodemiceman1
 🕑  59 found
[+] Entering bootloader...
[+] (Press and release the button only to abort)
[+] Waiting for Proxmark3 to appear on /dev/tty.usbmodemiceman1
 🕓  59 found
[=] You can cancel this operation by pressing the pm3 button

its been a few minutes since the last line

darthdomo · November 19, 2021, 5:21am

Try hitting the button on the side of the proxmark, and see if that aborts it. If it doesn’t, hit ctrl-C to cancel the pm3-flash-all command.

Then, once that command is cancelled, unplug the proxmark. There should be a button on the side. Hold down the button, and while still holding the button down, plug it in. Then, while still holding down the button, run pm3-flash-all. Do not let go of the button the entire time.

Once you see:

...................................................................
        @@@  @@@@@@@ @@@@@@@@ @@@@@@@@@@   @@@@@@  @@@  @@@
        @@! !@@      @@!      @@! @@! @@! @@!  @@@ @@!@!@@@
        !!@ !@!      @!!!:!   @!! !!@ @!@ @!@!@!@! @!@@!!@!
        !!: :!!      !!:      !!:     !!: !!:  !!! !!:  !!!
        :    :: :: : : :: :::  :      :    :   : : ::    : 
        .    .. .. . . .. ...  .      .    .   . . ..    . 
...................................................................
..................... OK

[+] All done

[=] Have a nice day!

You can release the button, and try running pm3 again. You might have to unplug and replug one last time for it to connect properly.

ultimav · November 19, 2021, 5:34am

Woot! That did it!

It seems to be finding/accessing both HF and LF portions of the Magic Ring, tune looks good – getting ‘OK’ for both antennas… version looks good matching device/firmware, on ‘PM3 Generic’

Can’t thank you enough, now to try some reading and cloning… Maybe pickup an stray android phone

darthdomo · November 19, 2021, 5:40am

Glad it’s working the PM3 can be a tricky beast.

For the HF side, I’d consult this page:

github.com

RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-directwrite-aka-gen2-aka-cuid

# Notes on Magic Cards, aka UID changeable
This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372

Useful docs:
* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf)

- [ISO14443A](#iso14443a)
  * [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic)
- [MIFARE Classic](#mifare-classic)
  * [MIFARE Classic block0](#mifare-classic-block0)
  * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
  * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
  * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
  * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
  * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version)
  * [MIFARE Classic, other versions](#mifare-classic-other-versions)
  * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu)
  * [MIFARE Classic Gen3 aka GTU](#mifare-classic-gen3-aka-gtu)
  * [MIFARE Classic Super](#mifare-classic-super)
- [MIFARE Ultralight](#mifare-ultralight)

This file has been truncated. show original

It’s not the most explanatory page, but it gives some examples on how to change the UID of a gen2 magic 1k chip. With the proxmark, for gen2 you’re manually writing sector 0 (unless they updated the csetuid command to support gen2, but I’m fairly certain they haven’t).

I would try and get a hold of a gen2 card or something if you can, just so you can get the hang of things without bricking your ring. If you aren’t careful, you can accidentally set the configuration bits as well, forcing the card to be read-only forever.

ultimav · November 19, 2021, 5:44am

Roger that!

The pm3 came with Classic 1 cards, so will try one of those first

Pilgrimsmaster · November 19, 2021, 5:49am

That will likely be a gen1a NOT the gen2 (which is what your ring has)
Ideally you want a gen2 card to practice on.

Here’s some more info