I’m pretty sure I just bricked my new UG4. I used the hf_mf_ultimatecard.lua script to set the card to mifare classic 1k 4 byte, which is the same as the card I was trying to copy. I have dumped my work access card and succesfully cloned it into a mifare 1k card previously. I tried to do a similar process for rewriting it to the ug4 and clearly messed something up pretty badly. At the time when I had just changed the card format, my phone could get reads with whatever UID it had set. Once I changed it, I can no longer get any reads and the pm3 is throwing all kinds of weirdness at me. I can confirm both versions of firmware on my pm3 are the same.
I tried to unbrick it using this link, and am getting the following error:
[usb] pm3 → hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800
[!] Can’t select card.
[usb] pm3 → hf search
Searching for ISO14443-A tag…
[=] Card doesn’t support standard iso14443-3 anticollision
[+] Valid ISO 14443-A tag found
Some other things I have tried, in an effort to poke around and try see how badly I’ve messed it up:
[usb] pm3 → hf mf ginfo
[!!] No card in the field or card command timeout.
[usb] pm3 → hf mf info
[=] Card doesn’t support standard iso14443-3 anticollision
[usb] pm3 → script run hf_mf_magicrevive
[+] executing lua C:\Users\josh\OneDrive\Desktop\prox\ProxSpace\pm3\proxmark3\client\luascripts/hf_mf_magicrevive.lua
[+] args ‘’
hf 14a raw -k -a -b 7 40
hf 14a raw -k -a 43
hf 14a raw -c -k -a A000
hf 14a raw -c -k -a 01020304049802000000000000001001
hf 14a raw -c -a 5000
hf mf csetbl --blk 3 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number: 3 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 7 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number: 7 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
(this basically continues for each block)
ERROR: partial read of configuration, use -k or change cfg0 block
Happy to provide any details required. I don’t have the original logs (I don’t think - do logs for everything save???) but am able to upload exactly what I did if someone points me in the right direction. Do I have to bite the bullet and spend another few hundred dollars on a new chip? Grateful for any help.
As strange as this sounds, performance can be impacted by configuration. Ensure your coupling is good with the proxmark3 to try to fix. You might need a booster board?
The UG4 is pretty power hungry and the stock proxmark3 doesn’t have a great time coupling with it. Many users have found @Hamspiced 's enhancers fix the issue
I can look into the booster board idea, if you think it will work. I put it away yesterday and looking at it today it looks to me like the PM3 is unable to select the card properly. I used hf tune to find the optimal position on the back of the board, but nothing has changed there - it’s dropping by about 1.2V when the flexUG4 is in the optimal spot.
[usb] pm3 → hf 14a reader
[=] Card doesn’t support standard iso14443-3 anticollision
[+] ATQA: 04 00
Using the KBR1 I got with my first implant bundle, it can still read the card and outputs the UID ‘7CACCDAC’ - I believe that’s what I was trying to set it to anyway, I just must have broken some other stuff.
I’ve tried the solution on the first link you sent:
[usb] pm3 → hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800
[!] Can’t select card.
I know the pm3 can detect the chip, it just can’t select it. The github link you sent has lots of useful stuff but I couldn’t find anywhere in the UMC section for specifically unbricking that gen of mifare magic cards, and I’m scared to try a solution for a different gen like gen1 which I think the chip is currently emulating.
I’m not trying to be captain hindsight here, this is something where I practice what I preach.
I always get a test card of the implants I have, and I carry them in a backpack with my RFID Tools (I started a thread about this, but I have made some changes so postponed posting it…watch this space)
I’m not saying I always use a card first, but when its something I’m not familiar with, or if I think i have done everything correctly and not getting successful reads, I can use the card to confirm, if the reader reads the card but not the implant, then its probably a coupling issue etc.
Another good example, If you think a reader/writer may write a password, it would be good practice to use a card first.
Even apps can write passwords, and I did this suspecting POPL may do this, so I used a NTAG analog, and was proven correct a d documented it.
See below
Luckily I was able to sniff the password and could unlock my sticker, but if I couldn’t, who cares, a couple of bucks wasted is better than being locked out of my own implant.
I know none of this helps you now, but something for you to consider.
You could however still get a test card for the ug4, and replicate the fault (if not hard bricked)
It is far easier to work with a card on a proxmark3 than one handed trying to read an implant.
None of this is to say “you fucked up” it is meant as a “in the future…” “you might want to consider…” “here is an example…”
here’s my POPL example
A slight derail, but I think it is a good PSA for people reading the thread, just unfortunate that you are the example to learn from.
This is a good call - I did get a test card pack but unfortunately did not have the foresight to include the UG4 addon. @amal if I paid to ship my implant back + extra for your time would you be able to have a look at it for me? Best case it cant be fixed and I will pay for shipping return to me (plus a test card, good idea pilgrim), worst case you have a spare ug4 do to tests on? If not I guess I will just have to bite the bullet and get a new UG4 for later :/. I think that now it is broken, to fix it would require know-how which I do not have. Let me know.
If you want us to look at it go ahead and ship it back… I won’t charge you to take a look at it. In fact it’ll probably be @tac0s doing the actual investigation. Once we figure out what the situation is, you can decide if you want it shipped back with a test card or not.
