
Support "Gen3" magic tags

Open ikarus23 opened this issue 3 years ago • 8 comments

The new MIFARE Classic special/magic cards "Gen3" should be configurable using Android. The configuration commands are just issued using the APDU structure: https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-gen3-aka-apdu

The main goal is to implement an extra Gen3 configuration tool. A great addition would be to have writing to block 0 of Gen3 seamlessly integrated into the rest of the application flow.

A way to detect Gen3 cards is to read block 0 without authentication. If this works it should be Gen3.

ikarus23 avatar Jan 30 '21 21:01 ikarus23

@doegox:

What I noticed is that using the APDU to change the UID doesn't change the block0 (which can still contain the previous UID), but using APDU to write block0 seems to change both block0 (with ATQA/SAK/BCC corrected) and UID.

ikarus23 avatar Feb 01 '21 17:02 ikarus23

Step 1: I need to buy Gen3 tags!

ikarus23 avatar Feb 01 '21 17:02 ikarus23

I got some tags. I did some implementation. It did change the UID but it also bricked my tag (partially). All very strange. The function is part of master (bd5d481e05e1eba00865e3b611a2f9045da1ff14) but it is not used/triggered for now.

Maybe someone is willing to contribute to testing at the risk of breaking gen3 tags? :)

ikarus23 avatar May 22 '21 09:05 ikarus23

hey,

just tried your modifications - yes, it modified the UID and bricked the card :)

The card is detected with the new UID (on Android and Linux (nfc-list)). Your app is not able to read the card (got a timeout) - mfoc returns "UNKNOWN_KEY" and "No sector encrypted with the default key has been found, exiting..".

This was the card i used: https://www.amazon.com/dp/B07QM1GWL6?ref_=cm_sw_r_cp_ud_dp_DF1G8SNVF3R3B8DXXYSH

I had to modify one line to get it compiled

writeGen3block0 = writeBlock0Gen3(data, key, useAsKeyB);

into

writeGen3block0 = writeBlock0Gen3(data);

Aendrew87 avatar Apr 20 '22 17:04 Aendrew87

what i found while looking at the output of the app:

block 0 of original card:
04 12 19 c3 cc 98 02 00 64 8e 85 94 41 10 38 07

block 0 the app tries to write:
04 12 19 c3 cc 98 02 08 44 00 85 94 41 10 38 07

Aendrew87 avatar Apr 23 '22 08:04 Aendrew87

Hi @Aendrew87! Thank you very much for testing and I'm sorry for your loss of a card. The behavior you're describing sounds exactly the same as what I experienced.

Interesting catch with the difference in writing. How did you observe it? Were you able to read block 0 after it was written? Did you emulate a card and look at what MCT was trying to write?

The three bytes in question should be the ATQA and the SAK. The 08 44 00 seem to be the correct values. Somebody noticed that "ATQA and SAK bytes are automatically replaced by fixed values" on Gen3 tags when writing block0. But to my knowledge this is done by the card, and not Android/MCT. Also, this makes the original block look strange...

ikarus23 avatar Apr 23 '22 10:04 ikarus23
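As an added example (not MCT code and not posted by anyone in this thread), the script below parses the two block 0 dumps quoted above, verifies their BCC, lists the byte offsets that differ, and shows how a block 0 with a new UID and a recomputed BCC would be built from a template. It assumes the standard MIFARE Classic block 0 layout (UID[4], BCC, SAK, ATQA[2], manufacturer[8]) and the standard BCC definition (XOR of the four UID bytes); it does not assume anything about where a Gen3 card places ATQA/SAK, which is the open question in the thread.

```python
"""Parse and compare MIFARE Classic block 0 dumps (added example, not MCT code).

Assumed layout (standard MIFARE Classic 4-byte-UID cards):
  bytes 0-3  UID
  byte  4    BCC  = UID[0] ^ UID[1] ^ UID[2] ^ UID[3]
  byte  5    SAK
  bytes 6-7  ATQA
  bytes 8-15 manufacturer data
"""
from dataclasses import dataclass
from functools import reduce
from operator import xor

# Dumps copied from the thread above.
ORIGINAL_BLOCK0 = "04 12 19 c3 cc 98 02 00 64 8e 85 94 41 10 38 07"
WRITTEN_BLOCK0 = "04 12 19 c3 cc 98 02 08 44 00 85 94 41 10 38 07"


def parse_hex(dump: str) -> bytes:
    """Turn a space-separated hex dump into exactly 16 bytes."""
    data = bytes.fromhex(dump.replace(" ", ""))
    if len(data) != 16:
        raise ValueError(f"block must be 16 bytes, got {len(data)}")
    return data


@dataclass
class Block0:
    uid: bytes
    bcc: int
    sak: int
    atqa: bytes
    manufacturer: bytes

    @property
    def expected_bcc(self) -> int:
        return reduce(xor, self.uid)

    @property
    def bcc_ok(self) -> bool:
        return self.bcc == self.expected_bcc


def parse_block0(dump: str) -> Block0:
    """Split a block 0 dump into its fields under the assumed layout."""
    d = parse_hex(dump)
    return Block0(uid=d[0:4], bcc=d[4], sak=d[5], atqa=d[6:8], manufacturer=d[8:16])


def diff_blocks(a: str, b: str) -> list[tuple[int, int, int]]:
    """Return (offset, old_byte, new_byte) for every byte that differs."""
    da, db = parse_hex(a), parse_hex(b)
    return [(i, x, y) for i, (x, y) in enumerate(zip(da, db)) if x != y]


def with_new_uid(template: str, new_uid: bytes) -> bytes:
    """Copy a block 0, replace the 4-byte UID and recompute the BCC.

    SAK, ATQA and manufacturer bytes are carried over untouched; a tool
    that changes the UID but forgets the BCC writes an inconsistent block.
    """
    if len(new_uid) != 4:
        raise ValueError("UID must be 4 bytes")
    data = bytearray(parse_hex(template))
    data[0:4] = new_uid
    data[4] = reduce(xor, new_uid)
    return bytes(data)


def describe(dump: str) -> str:
    """Human-readable one-line summary of a block 0 dump."""
    b = parse_block0(dump)
    status = "ok" if b.bcc_ok else "BAD"
    return (f"UID={b.uid.hex()} BCC={b.bcc:02x} (expected {b.expected_bcc:02x}, {status}) "
            f"SAK={b.sak:02x} ATQA={b.atqa.hex()} mfr={b.manufacturer.hex()}")


if __name__ == "__main__":
    print("original:", describe(ORIGINAL_BLOCK0))
    print("written: ", describe(WRITTEN_BLOCK0))
    for off, old, new in diff_blocks(ORIGINAL_BLOCK0, WRITTEN_BLOCK0):
        print(f"offset {off:2d}: {old:02x} -> {new:02x}")
    print("new block:", with_new_uid(ORIGINAL_BLOCK0, bytes.fromhex("deadbeef")).hex(" "))
```

Run as-is it reports that both dumps carry a valid BCC for UID 04 12 19 c3 and that they differ only at offsets 7, 8 and 9, which under the standard layout are the second ATQA byte and the first two manufacturer bytes rather than SAK/ATQA; whether a Gen3 card interprets those offsets differently is exactly what needs to be checked against the linked proxmark notes before writing to a real tag.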