"magic" Mifare chips

The Mifare “classic” S50 1k chip?

For many years the Mifare MF1ICS50 1k chip was used for all kinds of applications as a “secure chip” for everything from access control to stored value cards, and used for making localized payments within closed systems like public transit and laundry services. However, it uses a security mechanism called “crypto1” which is a simple, proprietary encryption mechanism that hardly has anything to do with modern cryptography. It has been broken for many years now, but the sheer number of systems out there that still use it means the Mifare S50 1k will continue to be used by legacy systems around the world for years to come.

However, the ability to break crypto1 and get at the normally protected data does not necessarily help you if you want to copy that data to another Mifare S50 1k card, fob, or tag. That’s because real Mifare chips do not allow you to change the data in sector 0, which is where special manufacturing information is held as well as the 4 byte non-unique ID or serial number of the chip. You could copy all the data from the user memory sectors to a new Mifare 1k chip, but basically any machine reading the cloned card will know that the serial number doesn’t match or is not registered with the system and will likely ignore the card or even alert security to a possible attempt at something malicious.

“magic” Mifare 1k chips

A “magic” Mifare chip (or magic chip) is a special grey-market chip made in China that can emulate the memory structure and functionality of real Mifare chips, but also allow sector 0 to be modified. This means the serial number and manufacturing data of a Mifare “magic” chip can be changed to act as a perfect clone of a real Mifare S50 1k chip… even the serial number.

gen1a vs gen2

There are now several “generations” of these types of chips, but the most common are still gen1a and gen2. Other types of “magic” chips include the ability to emulate more than just mifare “classic” S50 1k chips, but here we will focus just on the magic Mifare S50 1k (4 byte ID) chip emulators.

More details…

gen1a
The gen1a magic Mifare chip requires a special back door command that opens up all sectors to writing, including sector 0. The advantage of this is that even if you have accidentally locked any memory sectors or lost the crypto1 keys for any particular sector, you can still read and overwrite all sectors after issuing the back door command. In short, the back door command removes all security completely for every sector.

The down side is, the back door command is issued to the chip after it supposedly enters the halt state, which means only certain devices can issue the back door command. Smartphones generally cannot do this because the chips and firmware in the phone do not allow further communications after the halt state has been entered. Furthermore, certain readers, especially in Asia, look for magic chips by issuing the back door command and if the chip answers, it shuts down to avoid allowing a possibly cloned chip to access whatever door or service the reader is attached to.

gen2
The gen2 magic Mifare chip has no back door command. All sectors are equally open for writing, as long as access bit permissions and keys allow. The advantage of the gen2 magic chip is that even NFC capable smartphones can issue standard write commands for any sector, including sector 0. This means a smartphone app like MCT could be used to change the ID of the chip along with all the data in the manufacturing block. In addition to this, readers looking for magic chips ultimately have no good way to really tell if the chip is a magic chip or not.

The down side is that the real Mifare S50 1k chip’s operation is emulated completely and accurately. There is no back door, so if one or more sectors on the chip become protected by access bit changes, you need valid keys in order to make further changes. In addition to this, if the access bits are misconfigured or bad data is written, the sector becomes unreadable and locked, and there is no way to recover that sector… it will be locked forever.

Changing the ID of a “magic” Mifare chip

Writing to sector 0 of a “magic” chip in order to change its ID depends on which version you have.

gen1a
To change the ID of a gen1a magic chip, you will need to use a proxmark3 or some special software that can issue the gen1a back door command to the magic chip through a common reader like the ARC122U.

-todo-

gen2
You can write to sector 0 of a magic gen2 chip like any other sector on a Mifare “classic” S50 1k chip. That means you can even use an NFC smartphone and an app to do it.

-todo-

Cloning card data to a “magic” chip

The first thing you have to do is ensure your source card or fob is a 4 byte “Classic” 1k card, not a new 7 byte “Mifare 1k” card. With the discovery of Crypto1 vulnerabilities in the “Classic” Mifare S50 1k and S70 4k chips, NXP (the company who makes Mifare chips) released a number of different updated versions of Mifare chips. These include Mifare Plus 1k and a Mifare “Classic” 1k EV1 (evolution one) chip. The memory structures of these new chips are identical to the real “Classic” 1k chips but they have 7 byte UIDs not 4 byte IDs. While new attacks on these new chip types do exist, success is limited and you will not be able to copy the complete 7 byte ID number to the gen1a chip since it only supports 4 byte IDs.

gen1a
By far the most powerful tool to use is the Proxmark3 - an RFID diagnostics and security research tool that is open source, so it comes in many flavors, shapes, and sizes. Its flexibility and ability to update the firmware to support the latest security tactics and tools means it’s a great investment for anyone wanting to experiment with RFID. While we do not offer a guide for how to use the Proxmark3 to clone Mifare cards to a “magic” chip, there are plenty of other guides already written that detail how it’s done.

If you don’t have a proxmark3 but you do have a USB reader like the ACR122U, there are a few tools you can use. Here’s an example of how to use them.

gen2
If you have a gen2 chip and want to clone some data to it, you can use an Android smartphone app called MCT. It’s not the most friendly tool, but it works.

The video embedded below drops you right into the section at 42 seconds in which talks about how to program and update the gen2 magic chip in our Magic Ring product using the MCT app for Android.

The video below explores how to use the proxmark3 to dump a complete Mifare Classic 1k chip and use the MCT app to make a complete copy of that chip in a product containing a magic 1k gen2 chip.

19 Likes
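The post above warns twice about writes that cannot be undone: a sector trailer whose access bits are misconfigured locks the sector for good, and on a gen2 chip a bad manufacturer block is written exactly as given. The following added example (not code from the post, MCT or the Proxmark3 project) checks a block 0 and a sector trailer before they are written. It encodes the per-block access-condition tables and the inverted-nibble layout of bytes 6 to 8 from the NXP MF1ICS50 datasheet, and verifies the BCC byte of a 4 byte UID; every sample block in it is constructed for the example.

```python
"""Pre-write sanity checks for MIFARE Classic 1K blocks (added example).

Two blocks can brick a sector or a card when written carelessly:
  * block 0: byte 4 (BCC) must be the XOR of the four UID bytes, or readers
    reject the card during anticollision
  * a sector trailer: bytes 6..8 store each condition bit plain and inverted;
    if the copies disagree the chip refuses all further access to the sector,
    and some valid configurations make the access bits permanently fixed
"""

# Data block access conditions by C1C2C3: (read, write, increment, decrement)
DATA_BLOCK_RULES = {
    0b000: ("A|B", "A|B", "A|B", "A|B"),      # transport configuration
    0b010: ("A|B", "never", "never", "never"),
    0b100: ("A|B", "B", "never", "never"),
    0b110: ("A|B", "B", "B", "A|B"),
    0b001: ("A|B", "never", "never", "A|B"),
    0b011: ("B", "B", "never", "never"),
    0b101: ("B", "never", "never", "never"),
    0b111: ("never", "never", "never", "never"),
}
# Trailer access conditions by C1C2C3:
# (keyA read, keyA write, acc read, acc write, keyB read, keyB write)
TRAILER_RULES = {
    0b000: ("never", "A", "A", "never", "A", "A"),
    0b010: ("never", "never", "A", "never", "A", "never"),
    0b100: ("never", "B", "A|B", "never", "never", "B"),
    0b110: ("never", "never", "A|B", "never", "never", "never"),
    0b001: ("never", "A", "A", "A", "A", "A"),   # transport configuration
    0b011: ("never", "B", "A|B", "B", "never", "B"),
    0b101: ("never", "never", "A|B", "B", "never", "never"),
    0b111: ("never", "never", "A|B", "never", "never", "never"),
}


def decode_access_bits(acc: bytes) -> list:
    """Return C1C2C3 for blocks 0..3 from trailer bytes 6..8.

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high nibble first,
    bit 3 of each nibble belongs to block 3). Raises ValueError when the plain
    and inverted nibbles disagree, which is the 'bad data' case the post warns
    about: a real chip then locks the whole sector."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    nc1, nc2, nc3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits inconsistent: inverted nibbles do not match")
    return [((c1 >> i) & 1) << 2 | ((c2 >> i) & 1) << 1 | ((c3 >> i) & 1)
            for i in range(4)]


def check_trailer(block: bytes) -> list:
    """List irreversible consequences of writing this 16-byte sector trailer."""
    problems = []
    try:
        conds = decode_access_bits(block[6:9])
    except ValueError as err:
        return [f"{err}; the chip will refuse every access to this sector"]
    for blk, cond in enumerate(conds[:3]):
        read, write, _inc, _dec = DATA_BLOCK_RULES[cond]
        if read == "never":
            problems.append(f"data block {blk}: unreadable (C1C2C3={cond:03b})")
        if write == "never":
            problems.append(f"data block {blk}: read-only (C1C2C3={cond:03b})")
    trailer = TRAILER_RULES[conds[3]]
    if trailer[3] == "never":
        problems.append(f"trailer: access bits can never be changed again (C1C2C3={conds[3]:03b})")
    if trailer[1] == "never" and trailer[5] == "never":
        problems.append("trailer: neither key A nor key B can ever be rewritten")
    return problems


def check_block0(block: bytes) -> list:
    """Validate a 4-byte-UID manufacturer block before writing it to a gen2 chip."""
    if len(block) != 16:
        return ["block must be 16 bytes"]
    uid, bcc, sak = block[:4], block[4], block[5]
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    problems = []
    if bcc != expected:
        problems.append(f"BCC is {bcc:02X}, expected {expected:02X} for UID {uid.hex().upper()}")
    if sak != 0x08:  # SAK of a MIFARE Classic 1K with a 4 byte UID
        problems.append(f"SAK {sak:02X} is not 08 (MIFARE Classic 1K)")
    return problems


# Constructed sample blocks (keys and manufacturer bytes are arbitrary).
TRANSPORT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
FROZEN_TRAILER = bytes.fromhex("A0A1A2A3A4A5" "07878F00" "B0B1B2B3B4B5")
BAD_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FFFFFF69" "FFFFFFFFFFFF")
GOOD_BLOCK0 = bytes.fromhex("01020304" "04" "08" "0400" "0000000000000000")
BAD_BLOCK0 = bytes.fromhex("01020304" "00" "08" "0400" "0000000000000000")

if __name__ == "__main__":
    for name, blk in [("transport", TRANSPORT_TRAILER), ("frozen", FROZEN_TRAILER),
                      ("inconsistent", BAD_TRAILER)]:
        print(name, check_trailer(blk) or "ok")
    print("block0", check_block0(GOOD_BLOCK0) or "ok", check_block0(BAD_BLOCK0))
```

Run it against the trailer and block 0 of a dump before sending them to the chip: an empty list means the write is as recoverable as the current keys allow, anything else is a change the card will not let you take back.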

This is a fantastic, very informative and thorough thread.

I just thought I would add the following information, as this is the most comprehensive thread on the subject.

On this Forum, we generally refer to the chip types as gen1a or gen2, which is accurate terminology and consistent throughout the forum, and thanks to this thread most people understand what you are referring to when you mention them.

When it comes to buying yourself test cards etc.
“gen1a” and “gen2” doesn’t always yield the best search results, especially on Chinese shopping sites.

In my experience

You could obviously try a very full description or snippets from one such as

Magic Mifare Classic gen1a 1k 13.56Mhz S50 IC

You will probably get a good number of results, but a lot will be red herrings.

From the example I gave above, 2 of the better search terms would be

S50
IC

With those terms you should have narrowed down your results, BUT if you want to be closer to 100% sure that you are buying exactly what you want, and to differentiate between the chips, look for, or search for

UID = gen1a

CUID = gen2

Personally I have had a very good success rate using this.

I hope this is of some help and saves someone waiting 4-6 weeks for delivery only to get the wrong product.

@Jirvin let me know if you want me to shift this elsewhere, and I’ll find another home for it.

1 Like