Problems to change uid of XM1 chip


Hey Amal or anyone familiar,

I'm having some problems with my new XM1 and hoping you can get me going.

TL;DR
unable to change UID
unable to write dump data to card

From a search of the tag in my hand I get:


proxmark3> hf search

UID : 7b 84 f7 2e
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search


When trying to change the UID I get the following:

proxmark3> hf mf csetuid bcdae8c4
uid:bc da e8 c4
No chinese magic backdoor command detected
#db# wupC1 error
Couldn’t get old data. Will write over the last bytes of Block 0.
new block 0: bc da e8 c4 4a 00 00 00 00 00 00 00 00 00 00 00
#db# wupC1 error
Can’t set block 0. Error: 2
Can’t set UID. Error=2
proxmark3>


proxmark3> hf mf chk *4 ? d default_keys.dic

--sector: 0, block: 3, key type:A, key count:129
Found valid key:[a0a1a2a3a4a5]


proxmark3> hf mf wrbl 0 a ffffffffffff bcdae8c44a0804006263646566676869
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: bc da e8 c4 4a 08 04 00 62 63 64 65 66 67 68 69
#db# Auth error
isOk:00


proxmark3> hf mf wrbl 0 a a0a1a2a3a4a5 bcdae8c44a0804006263646566676869
--block no:0, key type:A, key:a0 a1 a2 a3 a4 a5
--data: bc da e8 c4 4a 08 04 00 62 63 64 65 66 67 68 69
#db# Cmd Error: 04
#db# Write block error
isOk:00
proxmark3>


And when trying to restore a dump to the chip I get auth errors as well:

proxmark3> hf mf restore
Restoring dumpdata.bin to card
Writing to block 0: bc da e8 c4 4a 98 02 00 e0 8e 3d d5 55 20 26 13
#db# Auth error
isOk:00
Writing to block 1: 42 02 03 00 01 48 00 00 00 00 00 00 00 00 00 00
#db# Auth error
isOk:00
Writing to block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# Auth error
isOk:00
Writing to block 3: a0 a1 a2 a3 a4 a5 78 77 88 c1 ff ff ff ff ff ff
#db# Auth error
isOk:00
Writing to block 4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# Auth error
isOk:00

I’m looking into this now. The xM1+ chip is a “gen1” magic backdoor chip which should respond YES to the “chinese magic backdoor command”.

After testing several chips, it appears that some may actually, in fact, be gen2 which has an open sector 0. I have confirmed you can write to these using the hf mf wrbl 0 command… but do so carefully. Be sure to copy an existing 0/0 block (sector 0, block 0) byte for byte from the source card, or it may leave the chip unselectable. The command looks something like this;

hf mf wrbl 0 A FFFFFFFFFFFF AD65F88FBF8804004885145845103610

I am investigating this further to see what might have happened. I guess chip supply from Chinese manufacturers selling knock-off Mifare 1k die chips with secret back doors is apparently not all that trustworthy.

Hello Amal, I received your email regarding the xM1. I received it today, but I do not have the Proxmark3 yet. How can I check whether it has the problem?
Thank you

Sorry for my bad English XD

Hi @Oxy,

It’s not possible to test the xM1+ with an NFC phone because the Mifare 1k is not NFC compliant, and so neither is the xM1+… however, some phones will be able to at least read the xM1+ and get the ID. The proxmark is the only way to really test it, and you would have to remove it from the needle to test it.


@mzombie the key you used was a0a1a2a3a4a5 but I’m pretty sure the default block 0 key is FFFFFFFFFFFF…

I have already implanted mine. I will be getting a Proxmark3 Easy in the mail today. Would you mind writing a step by step guide on the process of testing it using the Proxmark3/Proxmark3 Easy?

Edit: Does this mean I possibly won’t be able to clone cards to the XM1+ at all or does it just mean I will need to use a different method?

OK, so how do I get a good xM1 after this, knowing I had to order on Cyber Monday?

Use command hf 14a read and you should get back something like this;

proxmark3> hf 14a read
UID : 7b b8 cf 2e
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES

If you see the last line “Answers to chinese magic backdoor commands: NO” then it’s likely a GEN2 chip.

To write to a gen1 chip with the proxmark3 you issue command hf mf csetuid command, and on gen2 chips you can use the hf mf wrbl 0 command outlined above.

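As an added illustration (my own code, not from the thread or from Dangerous Things), a small Python helper that pulls UID, ATQA, SAK and the backdoor answer out of the `hf 14a read` output Amal shows above, maps YES/NO to gen1 (`hf mf csetuid`) versus gen2 (`hf mf wrbl 0`), and sanity-checks a block 0 before it is written: it recomputes the BCC (the XOR of the four UID bytes) and keeps bytes 5 through 15 from the source card, which is the byte-for-byte copy the earlier post asks for. The sample output is the one quoted above; the function names are mine.

```python
import re

# Constructed sample: the `hf 14a read` output quoted in the thread, trimmed to the lines used here.
SAMPLE_READ = """proxmark3> hf 14a read
UID : 7b b8 cf 2e
ATQA : 00 04
SAK : 08 [2]
Answers to chinese magic backdoor commands: YES
"""

def parse_hf14a(text):
    """Extract UID, ATQA, SAK (as bytes) and the gen1/gen2 verdict from `hf 14a read` output."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*(UID|ATQA|SAK)\s*:\s*([0-9a-fA-F ]+)", line)
        if m:
            info[m.group(1)] = bytes.fromhex(m.group(2).replace(" ", ""))
        if re.search(r"backdoor commands?: YES", line):
            info["gen"] = 1   # answers the gen1 backdoor command: use hf mf csetuid
        elif re.search(r"backdoor commands?: NO", line) or "No chinese magic backdoor" in line:
            info["gen"] = 2   # no backdoor, open sector 0: use hf mf wrbl 0
    return info

def bcc(uid):
    """Block check character: XOR of the four UID bytes. A wrong BCC can leave the chip unselectable."""
    b = 0
    for x in uid:
        b ^= x
    return b

def new_block0(source_block0_hex, new_uid_hex):
    """Keep bytes 5..15 (SAK, ATQA, manufacturer data) of the source block 0; swap in UID and fresh BCC."""
    src = bytes.fromhex(source_block0_hex)
    uid = bytes.fromhex(new_uid_hex)
    return (uid + bytes([bcc(uid)]) + src[5:]).hex()

def check_block0(block_hex, info):
    """List inconsistencies in a block 0 before it is written; an empty list means it looks sane."""
    blk = bytes.fromhex(block_hex)
    if len(blk) != 16:
        return ["block 0 must be exactly 16 bytes"]
    problems = []
    if blk[4] != bcc(blk[:4]):
        problems.append(f"BCC is {blk[4]:02x}, expected {bcc(blk[:4]):02x}")
    # ATQA is stored low byte first in block 0 but printed high byte first by the reader
    if bytes([blk[7], blk[6]]) != info["ATQA"]:
        problems.append(f"ATQA bytes {blk[6]:02x} {blk[7]:02x} do not match the card's {info['ATQA'].hex()}")
    return problems
```

Run `check_block0` on the hex you are about to hand to `hf mf wrbl 0` and only proceed when it returns an empty list.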

We are working on sorting out the best path forward.

Here is what my chip reads:

proxmark3> hf 14a reader
UID : 7b 9f 37 2e
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

If I understand correctly this gen2 chip can still be cloned to, right? What are the steps to copy the 0/0 Block and use the hf mf wrbl 0 command you mentioned earlier? I am brand new to the Proxmark3 and don’t want to mess anything up.

@geekstreetsolutions

This post is quite interesting… it covers more than simple writing of block data, but you get a good sense of how “mifare hacking” works. https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/ and this is also a great place to start for proxmark3 mifare basics - https://github.com/Proxmark/proxmark3/wiki/Mifare-HowTo

Basically, if you have the keys for the source card, you can use the hf mf rdbl command to read blocks… then you manually type that data to use the hf mf wrbl command.

The reason I'm not walking you through exact commands is that you will have to get a grip on how mifare cards work first. Asking for exact commands is like asking me to walk you through how to drive a car to the store… there is so much implicit knowledge that is just assumed… like "avoid pedestrians", for example.

Basically, that link above does a fair bit of explaining how the proxmark3 works with mifare cards… but for a general sense of how they work, you can check my blog post here - http://amal.net/?p=3932


Great! I have some Chinese Backdoor UID changeable cards I got from eBay I will use to test with until I am comfortable enough to do it with my implant. One thing that I am unsure about is that because my Proxmark3 Easy needs to be oriented just right in order to read the tag (my xNT reads better) is there a modified antenna available that I could solder on to get a better range?

@geekstreetsolutions it is possible to construct a more suitable antenna for the proxmark3 to enable better communication with our x-series implants, but at this time we don’t have the resources to commit to designing or manufacturing one. The low power output of the proxmark3 also creates a bit of a hurdle when it comes to properly driving alternative antenna designs… so we’ve just not been able to do much beyond attempting some inductor experiments on the bench. I still have some of those inductors sitting on my desk in fact…

Unfortunately all results were basically useless. I was able to achieve proper resonance with peak voltage at 13.56 MHz, but not enough power conversion to get any better read performance than the factory antenna. A proper designer should be able to model things better… get the proper inductor coil size, proper ferrite guide rod diameter, magnetic field constraints, maximum flux, etc… but that's just not me 🙂


More examples of my failures ☹ haha


Hi everyone ^^,
would anyone know how to change sector 0 with a PN532 and libnfc for a gen2 chip?

The equivalent of "hf mf wrbl 0 A a0a1a2a3a4a5 BCDAE8C44A0804006263646566676869" on the proxmark3.

This process would be used for gen2 chips, not gen1… and in that case there are plenty of examples of how to write data to mifare sectors using the PN532 out there. Adafruit has a pretty good example, designed for their NFC Shield, but that's based on the PN532 reader chip, so it should also work with our PN532 mini board.

OK thanks, I'll do some testing tonight.