Recovering a gen4 ultimate magic chip

The most common way a Gen4 gets “bricked” is bad ATQA/SAK values that break anticollision. In this state, hf search fails, but the card is still physically responding to the RF field. The chip itself is fine; it just can’t complete the normal ISO 14443-A select sequence. The Gen4 backdoor (CF command) is independent of the public ATQA/SAK, which is why we can still talk to it after anticollision is broken.

This procedure assumes the password was not changed from the factory default 00 00 00 00. If the password was changed and lost, this method will not recover the chip.

Step 1) Manual select

-a activates the field
-k keeps it on
-b 7 sends 7 bits (WUPA short-frame)
-c appends CRC
hf 14a raw -a -k -b 7 52              # WUPA (7-bit) → returns ATQA
hf 14a raw -k 93 20                   # Anticollision CL1 → returns 5 bytes (UID + BCC)
hf 14a raw -k -c 93 70 <UID> <BCC>    # SELECT CL1 → returns SAK

After the second command, the proxmark3 prints a 5-byte response. Copy those 5 bytes verbatim into the third command (4 bytes UID + 1 byte BCC).

Step 2) Read current config (sanity check)

Read config (32 bytes)

hf 14a raw -k -c CF 00000000 C6

Replace 00000000 with the actual password if it was changed from default.

Step 3) Fix identity as Mifare 1k 4 byte ID

hf 14a raw -k -c CF 00000000 68 00         # 68 = UID length opcode (00=4B, 01=7B, 02=10B)
hf 14a raw -k -c CF 00000000 35 04 00 08   # 35 = ATQA + SAK (ATQA 04 00, SAK 08 = Mifare 1K)
hf 14a raw -k -c CF 00000000 34 00         # 34 = ATS config (00 = disable ATS)

Step 4) Verify

  • Remove card from proxmark3
  • Wait 3 seconds, place back
  • hf search should now identify as Mifare 1K
  • hf 14a info: confirm ATQA/SAK/UID look correct
  • hf mf gview: full view of all blocks if you want to inspect contents
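For step 1, the 5-byte reply to 93 20 can be sanity-checked before it is pasted into the SELECT command. The following is an added example, not part of the original post: it checks that the BCC is the XOR of the four UID bytes, builds the SELECT CL1 line with the bytes copied verbatim, and computes the CRC_A that -c appends. It also flags the ISO 14443-3 cascade tag 0x88, which goes beyond the 4-byte case the post covers; the function names are hypothetical and the sample reply is constructed.

```python
from functools import reduce

CASCADE_TAG = 0x88  # ISO 14443-3: first CL1 byte when the UID is 7 or 10 bytes


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A, the two bytes `-c` appends (low byte first)."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = (crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)
    return bytes([crc & 0xFF, crc >> 8])


def parse_anticollision(reply_hex: str) -> dict:
    """Split the 5-byte reply to `93 20` into UID bytes and BCC, with checks."""
    raw = bytes.fromhex(reply_hex)
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (4 UID + 1 BCC), got {len(raw)}")
    uid, bcc = raw[:4], raw[4]
    return {
        "uid": uid,
        "bcc": bcc,
        "bcc_ok": bcc == reduce(lambda a, b: a ^ b, uid),  # BCC = XOR of the 4 bytes
        "cascade": uid[0] == CASCADE_TAG,  # True: a CL2 round (SEL 95) follows CL1
    }


def select_cl1(reply_hex: str):
    """Return (pm3 command, full on-air frame) for SELECT CL1, bytes copied verbatim."""
    raw = bytes.fromhex(reply_hex)
    parse_anticollision(reply_hex)  # length check only; the bytes are not altered
    body = bytes([0x93, 0x70]) + raw
    cmd = "hf 14a raw -k -c " + " ".join(f"{b:02X}" for b in body)
    return cmd, body + crc_a(body)


if __name__ == "__main__":
    sample = "01 02 03 04 04"  # constructed reply, not from a real card
    print(parse_anticollision(sample))
    print(select_cl1(sample)[0])
```

A False bcc_ok usually points to a transcription slip when copying the reply; a True cascade means the four bytes are the cascade tag plus the first three UID bytes, so the SAK returned by SELECT CL1 is not the final one.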