Issues with "Magic Auth"

Carnivex · April 11, 2026, 8:10pm

Hi,

I bought some Byte 7, Gen 2 cards from Aliexpress, but they are reported as

[=] — Magic Tag Information

[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )

And whenever I try writing something to them I get hit with [-] Write ( fail ) despite using the appropriate command for the card:

hf mf gdmsetblk --blk 0 -d

So is it me that is doing something wrong or is it just “shitty” sellers on Aliexpress etc that sells locked cards and doesn’t want to supply the key to write to them?.

amal · April 11, 2026, 8:19pm

welcome to the forum!

please show exactly what you’re doing.. the breadcrumbs above are not enough to diagnose or make suggestions. Complete logs or screenshots make helping you easier.. otherwise we’re doing mental gymnastics to fill in the giant gaps in your story.. and that’s wasted mental effort just putting the picture together vs making apt suggestions.

jerrymaguire help me help you

Carnivex · April 11, 2026, 8:22pm

I will, I just packed up the rig for tonight, since I was getting headaches from dealing with this . I will get back at it tomorrow and then I will try to elaborate and post logs.

amal · April 11, 2026, 8:30pm

ok perf

Carnivex · April 12, 2026, 8:09pm

Doing hf 14a info yields the following:

[=] ---------- ISO14443-A Information ----------
[+] UID: 04 CD E5 00 02 F7 D2 ( double )
[+] ATQA: 00 44

+\] SAK: 08 \[2 $$

> \[+\] NXP Semiconductors Germany > \[+\] Possible types: > \[+\] MIFARE Classic 1K CL2 > > $$ > =

[=] Proprietary non iso14443-4 card found
[=] RATS not supported

[+] Magic capabilities… Gen 4 GDM / USCUID ( Magic Auth )
[+] Prng detection… weak
[=] TAG IC Signature: 8373FCCC33D9F8802B49B618F451F7DA
[=] : 3167868683B0E0C0D173A0CAFE419932
[+] Signature verification: failed

[?] Hint: Use hf mf gdm* magic commands
[?] Hint: Try hf mf info

hf mf gdmcfg yielded the following:

[+] ------------------- GDM Gen4 Configuration -----------------------------------------
[+] 8500000000005A00005A005A005A0008
[+] 8500… Magic wakeup disabled
[+] …00… Magic wakeup style Gen1a 40(7)/43
[+] …000000… unknown
[+] …5A… Key B use blocked when readable by ACL
[+] …00… CUID Disabled
[+] …00… n/a
[+] …5A… MFC EV1 perso. Unfused
[+] …00… Shadow mode disabled
[+] …5A… Magic auth enabled
[+] …00… Static encrypted nonce disabled
[+] …5A… MFC EV1 signature enabled
[+] …00.. n/a
[+] …08 SAK

So I am assuming I need to write another config block to the card disabling magic auth in order to write to block 0 and replace the UID. But how is the question.

Carnivex · April 12, 2026, 8:48pm

Because trying the command:

[usb] pm3 → hf mf gdmsetblk --blk 0 -d (16 bytes HEX UID)
[=] Writing block no 0, key 000000000000
[=] data: (16 bytes HEX UID)
[-] Write ( fail )

GIves me the same write failed.

Aoxhwjfoavdlhsvfpzha · April 12, 2026, 8:51pm

Try adding --gen1a to your gdm commands

Carnivex · April 12, 2026, 8:59pm

[usb] pm3 → hf mf gdmsetblk --blk 0 -d XXXXXXXXX --gen1a
hf mf gdmsetblk: invalid option “–gen1a”
[!] Try ‘hf mf gdmsetblk --help’ for more information.

According to the help there is no –gen1a option to specify

Aoxhwjfoavdlhsvfpzha · April 12, 2026, 9:14pm

Oh, weird

Try just hf mf gdmcfg --gen1a

Carnivex · April 12, 2026, 9:23pm

[usb] pm3 → hf mf gdmcfg --gen1a
[#] wupC1 error

Aoxhwjfoavdlhsvfpzha · April 13, 2026, 4:32am

Cool

I would try hf mf gdmsetcfg -d 7AFF000000005A5A005A005A005A0008

If you can change the GDM cfg, this should let you enable gen1a and gen2 behavior, which you can re-check with hf mf info

Carnivex · April 13, 2026, 9:27pm

I can change the config, and I can change the UID. But all of a sudden the UID has reverted back to its old state as in its not persistant

Now I am confused:

[usb] pm3 → hf mf csetuid --uid 04DB3EAAD86484
[+] old block 0… 04DB3EAAD86484884400C82000000000
[+] new block 0… 04DB3EAAD86484734400C82000000000
[+] Old UID… 04 DB 3E AA D8 64 84
[+] New UID… 04 DB 3E AA D8 64 84 ( verified )
[usb] pm3 → hf 14a info

[=] ---------- ISO14443-A Information ----------
[+] UID: 04 CD E5 00 02 F7 D2 ( double )
[+] ATQA: 00 44

+\] SAK: 08 \[2 $$

> \[+\] NXP Semiconductors Germany > \[+\] Possible types: > \[+\] MIFARE Classic 1K CL2 > > $$ > =

And I have a memorydump I am trying to write as well. But when I compare the dump I have with the dump from what’s written its not a match.

Carnivex · April 15, 2026, 8:28pm

Am I doing something wrong or is the “card” wonky

DR_bangs · April 16, 2026, 11:12pm

Hi, You could try the script instead, It handles the config in a hopefully not dangerous way. I’ have a feeling if you manage to disable all backdoors, magic and gdm, you mikght end up locking yourself out of the card.

You could try:

set for 7 byte uid mode
script run hf_mf_uscuid_prog -t 2 -u aa55c396aa0804

If the -t 2 doesn’t work, try -t 4.

You could use -g 1 -a 1 -c 0 -2 1

That should enable all the magic backdoors to 40-43.

Carnivex · April 17, 2026, 7:46pm

And I am doing that command from inside proxspace i take it?

DR_bangs · April 18, 2026, 1:51pm

The normal proxmark prompt, same place you’d do hf mf info etc.

They are lua scripts, should run on proxspace builds or the standalone.

The .PI scripts need to run in the prompt under proxspace, but that’s not relavent here.

Carnivex · April 18, 2026, 8:42pm

Ah i will try that. But im still wondering why it reports the change went through but hf 14a info reveals the old UID

DR_bangs · April 18, 2026, 9:53pm

Might be a shadow UID on those cards, I think block 0 and UIDs returned by other commands might not always come from the same place.

You could try the script with the

-3      Update UID for F3 Perso
as well, this should set it in all places.

Carnivex · April 18, 2026, 10:21pm

Would i need to “relock” it in order for it to retain its “non detection” features or?

DR_bangs · April 19, 2026, 7:36pm

I’d probably set gen1a to 20/23 instead of standard, beyond that, test it and see what your system does.