Hi, I’d like to ask for help. I have an implant with 7 byte UID, which is present in the Access Control database. Now, I’m trying to figure out how to make more ways of authenticating, since the implant is not always a rock solid solution, especially when the readers suck. The important thing to mention is that the HF readers in our scenario only authenticate based on the UID of the chip.
Figured out I still have those MF Classic 1K (CUID) cards you get with the PM3E order, which should do the job. So I tried changing the UID on both of these cards via PM3E, and I always end up with this error:
[usb] pm3 → hf mf csetuid -u SAMPLENUMBER
[#] wupC1 error
[=] couldn’t get old data. Will write over the last bytes of block 0
[+] new block 0… SAMPLENUMBERD20000000000000000
[#] wupC1 error
[!!] Can’t set UID. error -1
So I tried to do this instead, hoping it would help. No luck either.
Hmm so this is a strange thing with China and magic chips… CUID is meaningless as to whether it means gen1a or gen2… those terms aren’t even anything manufacturers are typically aware of… they are terms I believe were developed by the proxmark community actually.
So, this may be a gen2 card. You will have to use the standard block write commands to know for sure, or the MCT app for Android, to see if you can change the UID.
Sure, I thought so as well, but if you choose to change the UID in ProxSpace hf mf menu, it offers you to change it to something from 4-7 bytes. Can’t send a screen right now though, I’m not home at the moment.
And the MCT Clone UID menu also offering the option to change from range of 4-10 bytes made me believe it is probably possible.
There are 7-byte UID-changeable cards, but they’re not nearly as common. This is why software would support it. It’s sadly not something that can be changed by software, it’s baked into the chip itself.
These are some of my observations from what’s been posted so far:
Card type: MFC
Magic Capabilities: None or Gen2
UID size: 4B (C4556F4E)
PRNG: weak
Since it has been confirmed that it’s not a gen1a, it’ll be useful to know what the keys are on sector 0 (where the UID is stored). On a blank card we can normally assume that the keys are default (FFFs), but you can confirm this with a proxmark using the command hf mf chk --1k, which should give you a table of found keys per sector.
Observed is that all sectors, keys A and B are using Fs which is the default.
Once you have keys you can attempt to write to block 0, which will determine if it is magic or not. The command to do this on a proxmark would be hf mf wrbl --blk 1 -f <key> -d <data>. If it writes successfully then it is a gen2, else it’s not magic.
If you don’t want the more manual approach, gen1a tags are much easier to use and forgiving. Gen1a will allow you to use the hf mf c* subset of commands, which take advantage of the backdoor commands unique to gen1a cards.
Gen1a cards are available from a variety of retailers, some more reliable than others. The general things to look out for are that S0 B0 is re-writable, look at reviews for unhappy people mentioning that it doesn’t work with MCT and that ‘special’ is needed to write to block 0.
Looks like it’s using default keys, which makes things easier.
From your output of hf search this card has a 4 byte UID. Why are you looking for a card with a re-writable 7 byte UID?
It would be worthwhile putting your source card (the one you want to copy) on the proxmark and sharing the output of hf 14a info. Feel free to blur the UID but ensure that it doesn’t make it difficult to interpret how long it is.
Thanks for that info, makes more sense now, my bad for missing it originally.
Since it is UID only auth you can really use anything that is 7B UID changeable. The one thing I would question is if it checks ATQA and SAK and UID which would be a limiting factor.
This is most likely the more reliable retailer for 7B Gen1a MFC. Of course, you’ll be able to find some available elsewhere but it may be more trial and error with less descriptive product details. From my experience, you are more likely to find a 7B Gen1a with 4k memory rather than 1k (not that it matters in your use case).
If the implant you’re using for access control is your NExT, then a magic ntag might suit you better than a mifare classic. You can get them from the same place Jirvin linked to.