Please Help! I think I bricked my Magic ring

MrAtlas · October 29, 2021, 11:54pm

Hey everyone.

I am experiencing a weird situation with my Magic Ring (Magic Mifare 1k + T5577). Everything was working great but the moment I ran “hf mf csetuid -u” my chip became problematic.

I was following this guide and trying to clone an RFID card to my ring:

Now I am only receiving Auth errors and I think I bricked my sector 0 because nothing works…
I can still find it with “search” and I get this:

[usb] pm3 --> hf search
 🕕  Searching for ISO14443-A tag...          
[+]  UID: F5 42 2F 00 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found

I am also getting the following errors:

[ **usb** ] pm3 --> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
[#] Auth error

I can’t seem to be able to even wipe it anymore because I receive only errors (here are some of the output) Mostly all blocks are receiving “Auth error”.

[ **usb** ] pm3 --> hf mf wipe
[=] Loaded keys matching MIFARE Classic 1K
[=] Skipping sector 0 / block 0
[=] block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
.
[ALL BLOCKS ARE ERRORS]
.
[=] block 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ok )

[=] block 33: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ok )

[=] block 34: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ok )

[=] block 35: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF ( ok )
.
[ALL BLOCKS ARE ERRORS]
.
[=] block 55: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF [#] Auth error( fail )
[=] block 55: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF [#] Auth error( fail )
[=] block 56: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 56: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 57: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 57: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 58: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 58: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [#] Auth error( fail )
[=] block 59: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF [#] Auth error ( fail )
[=] block 59: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF [#] Auth error ( fail )
[=] block 60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ok )
[=] block 61: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ok )
[=] block 62: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ok )
[=] block 63: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF ( ok )

I tried following this guide but it didn’t work.

github.com

RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md

<a id="top"></a>

# Notes on Magic Cards, aka UID changeable

This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372

Useful docs:

* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf)

# Table of Contents

* [Low frequency](#low-frequency)
  * [T55xx](#t55xx)
  * [EM4x05](#em4x05)
  * [ID82xx series](#id82xx-series)
    * [ID8265](#id8265)
    * [ID8211](#id8211)
    * [ID-F8268](#id-f8268)
  * [H series](#h-series)

This file has been truncated. show original

I think I might have bricked my sector 0 somehow. Any help would be really appreciated.

MrAtlas · October 30, 2021, 12:32am

@amal Would it be possible to help me with my case please? Thank you so much for everything.

amal · October 30, 2021, 12:43am

I’m mobile at the moment, but it looks like you used a command meant for a gen 1A magic chip on the gen2 chip inside the magic ring. I’m honestly not sure what effect that might have, but my understanding is that it shouldn’t work actually… though I don’t know if the proxmark checks for the magic command succeeding before attempting to write to block 0 or not

In theory, if it doesn’t check to make sure the back door command was received and succeeded, and just proceeded to write to block 0 assuming it was now unlocked, it might be possible to break block 0 of a gen2 chip this way.

Equipter · October 30, 2021, 12:49am

ive got it handled in the rrg discord. some funky commands messed with it but its recovered. somehow the cset command went rogue on the gen2 tag and scribbled stuff it shouldnt have

MrAtlas · October 30, 2021, 12:52am

Yea, this is exactly what happened… It is fixed now! Yay!

Zwack · October 30, 2021, 1:00am

my chance of saying What was done to fix it?

MrAtlas · October 30, 2021, 1:18am

Yep sorry, so what I had to do was the following:

Replacing block 0 with a valid block 0, in this case 01 02 03 04 04 08 04 00 00 00 00 00 00 00 BE AF which contains a UID of 01020304 and the correct SAK and ATQA of a mifare classic 1k by running the following command:

hf mf wrbl --blk 0 -k F5422F009808 -d 0102030404080400000000000000BEAF

What happened with the other commands was that I changed the uid to something really wrong using the gen1 commands on a gen2 tag and it messed up everything…

Equipter · October 30, 2021, 1:24am

for more context the key provided in that command was the keyA of block 0 which was for some reason changed somehow and prevented the writes from going through so we autopwned it, got the keyfile and wiped that sucker till it was a clean gen2

MrAtlas · October 30, 2021, 1:30am

Thank you again so much! It was really exciting working on it!

anon3825968 · October 30, 2021, 1:31am

Exactly why I don’t like Gen2 magic mifares. You’re lucky you were able to unscrew yours.