I am experiencing a weird situation with my Magic Ring (Magic Mifare 1k + T5577). Everything was working great but the moment I ran “hf mf csetuid -u” my chip became problematic.
I was following this guide and trying to clone an RFID card to my ring:
Now I am only receiving Auth errors and I think I bricked my sector 0 because nothing works…
I can still find it with “search” and I get this:
[usb] pm3 --> hf search
🕕 Searching for ISO14443-A tag...
[+] UID: F5 42 2F 00
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[#] Auth error
[?] Hint: try `hf mf` commands
[+] Valid ISO 14443-A tag found
I can’t seem to be able to even wipe it anymore because I receive only errors (here is some of the output). Mostly all blocks are receiving “Auth error”.
I’m mobile at the moment, but it looks like you used a command meant for a gen 1A magic chip on the gen2 chip inside the magic ring. I’m honestly not sure what effect that might have, but my understanding is that it shouldn’t work actually… though I don’t know if the Proxmark checks for the magic command succeeding before attempting to write to block 0 or not.
In theory, if it doesn’t check to make sure the back door command was received and succeeded, and just proceeded to write to block 0 assuming it was now unlocked, it might be possible to break block 0 of a gen2 chip this way.
I've got it handled in the RRG Discord. Some funky commands messed with it but it's recovered. Somehow the cset command went rogue on the gen2 tag and scribbled stuff it shouldn't have.
Replacing block 0 with a valid block 0, in this case 01 02 03 04 04 08 04 00 00 00 00 00 00 00 BE AF, which contains a UID of 01020304 and the correct SAK and ATQA of a MIFARE Classic 1K, by running the following command:
What happened with the other commands was that I changed the uid to something really wrong using the gen1 commands on a gen2 tag and it messed up everything…
For more context, the key provided in that command was the keyA of block 0, which was for some reason changed somehow and prevented the writes from going through, so we autopwned it, got the keyfile and wiped that sucker till it was a clean gen2.
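
As an added example (not part of the thread and not Proxmark code): a Python check of a candidate block 0 against the layout the post above describes, so that a wrong BCC, SAK or ATQA is caught before the block is written to a gen2 tag. The function names and the 4-byte-UID layout (UID, BCC, SAK, ATQA stored low byte first, 8 manufacturer bytes) are assumptions of this example.

```python
# Added example: validate a MIFARE Classic 1K block 0 (4-byte UID) before writing.
# Assumed layout: UID(4) | BCC(1) | SAK(1) | ATQA(2, low byte first) | manufacturer(8)
EXPECTED_SAK = 0x08                  # "SAK: 08" in the hf search output
EXPECTED_ATQA = bytes([0x00, 0x04])  # "ATQA: 00 04" as the reader displays it


def bcc(uid):
    """Block check character: XOR of the UID bytes."""
    value = 0
    for byte in uid:
        value ^= byte
    return value


def parse_block0(text):
    """Split a hex string ('01 02 ...' or '0102...') into block 0 fields."""
    block = bytes.fromhex(text.replace(" ", ""))
    if len(block) != 16:
        raise ValueError(f"block 0 must be 16 bytes, got {len(block)}")
    return {
        "uid": block[0:4],
        "bcc": block[4],
        "sak": block[5],
        "atqa": block[6:8][::-1],  # stored low byte first, displayed high byte first
        "manufacturer": block[8:16],
    }


def check_block0(text):
    """Return a list of problems; an empty list means the block is consistent."""
    try:
        f = parse_block0(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    if f["bcc"] != bcc(f["uid"]):
        problems.append(f"BCC {f['bcc']:02X} does not match UID, expected {bcc(f['uid']):02X}")
    if f["sak"] != EXPECTED_SAK:
        problems.append(f"SAK {f['sak']:02X}, expected {EXPECTED_SAK:02X}")
    if f["atqa"] != EXPECTED_ATQA:
        problems.append(f"ATQA {f['atqa'].hex().upper()}, expected {EXPECTED_ATQA.hex().upper()}")
    return problems


if __name__ == "__main__":
    # Block 0 quoted in the thread, then a constructed copy with a wrong BCC.
    print(check_block0("01 02 03 04 04 08 04 00 00 00 00 00 00 00 BE AF"))
    print(check_block0("01 02 03 04 FF 08 04 00 00 00 00 00 00 00 BE AF"))
```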