Research, development and trades concerning the powerful Proxmark3 device.
Hey All,
I've spoken to a few people and also read here a number of times regarding a second generation of magic mifare cards on the market, but there haven't been any particularly clear answers on what all of the differences are between the first and second generation.
What are some of the advantages of the second generation card? Do the new cards still respond to the old "backdoor" commands?
I was sold a Very Large Number of cards that were supposedly "Gen 2" but I am almost positive they are in fact "Gen 1". I paid a significantly higher premium because they were claimed to be second generation but now I need proof that not only are these older cards, but that they are not worth the premium demanded as they were claimed to be the newer generation.
Edit: I have read here before that the newer cards may be used with mobile phones, but I haven't found any published commands or methods to verify if one has a gen 2 card.
Last edited by Omikron (2015-04-06 02:53:04)
It's easy to detect a generation-1 tag nowadays since I implemented a check on the "hf 14a read" command. It will tell you if the tag answers the specific backdoor commands or not.
To verify a tag is generation2, all you need is to write to block0 with the normal mf commands (hf mf wrbl 0); if it works, it's a generation2.
The advantage with a generation2 is as you mentioned, that they can be used with a mobile phone.
> It's easy to detect a generation-1 tag nowadays since I implemented a check on the "hf 14a read" command. It will tell you if the tag answers the specific backdoor commands or not.
> To verify a tag is generation2, all you need is to write to block0 with the normal mf commands (hf mf wrbl 0); if it works, it's a generation2.
> The advantage with a generation2 is as you mentioned, that they can be used with a mobile phone.
Yes, I saw that very nifty feature added into the 14a read command, but I wasn't sure if gen 2 still responds to those commands anyway. Did they keep the commands as part of gen 2 for "backwards compatibility"?
To test wrbl 0 writing I've just been reading block 0 from another mifare card and then attempting to write all 32 bytes at once:
hf mf wrbl 0 AABBCCDDEEFF00112233445566778899
Is this correct?
If you call "hf mf wrbl" just like that, you will get a help text. It will explain to you how to use the command.
And yes, it's good to use a block0 from another working mifare card.
Last edited by iceman (2015-04-06 08:35:37)
> If you call "hf mf wrbl" just like that, you will get a help text. It will explain to you how to use the command.
> And yes, it's good to use a block0 from another working mifare card.
Of course, and I apologize if my post implied that I didn't already do that. I was writing the command from memory. This is the format I am following:
hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F
The card appears to be rejecting the write so I am assuming that it is not Gen2, but I wanted to confirm that there wasn't something else I was missing.
Can you also confirm that second generation cards do not respond to magic commands from the first generation?
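An added example (not written by any poster in this thread, and not Proxmark3 client code): a pre-flight check for the `hf mf wrbl` line quoted above. It assumes the argument order shown in that post and a 4-byte-UID card, where byte 4 of block 0 is the BCC (XOR of the four UID bytes); a block 0 carrying a wrong BCC can leave a directly writable card unselectable, so it is worth checking before the write.

```python
import re

# Argument shape used in this thread: hf mf wrbl <block> <A|B> <key> <data>
WRBL = re.compile(r"^hf mf wrbl (\d+) ([ABab]) ([0-9A-Fa-f]+) ([0-9A-Fa-f]+)$")


def check_wrbl(command):
    """Return a list of problems found in a 'hf mf wrbl' line (empty = OK)."""
    m = WRBL.match(command.strip())
    if not m:
        return ["expected: hf mf wrbl <block> <A|B> <12 hex key> <32 hex data>"]
    block, key, data = int(m.group(1)), m.group(3), m.group(4)
    problems = []
    if len(key) != 12:
        problems.append(f"key is {len(key)} hex digits, need 12 (6 bytes)")
    if len(data) != 32:
        problems.append(f"data is {len(data)} hex digits, need 32 (16 bytes)")
        return problems
    if block == 0:
        raw = bytes.fromhex(data)
        # Assumed 4-byte-UID layout: UID[0..3], then BCC = XOR of the UID bytes.
        bcc = raw[0] ^ raw[1] ^ raw[2] ^ raw[3]
        if raw[4] != bcc:
            uid = raw[:4].hex().upper()
            problems.append(f"BCC is {raw[4]:02X}, UID {uid} needs {bcc:02X}")
    return problems


def fix_bcc(data):
    """Return the 16-byte block 0 hex string with byte 4 recomputed as the BCC."""
    raw = bytearray.fromhex(data)
    raw[4] = raw[0] ^ raw[1] ^ raw[2] ^ raw[3]
    return raw.hex().upper()


if __name__ == "__main__":
    # The two command lines as posted in the thread.
    for line in ("hf mf wrbl 0 AABBCCDDEEFF00112233445566778899",
                 "hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F"):
        print(line, "->", check_wrbl(line) or "OK")
    print(fix_bcc("000102030405060708090A0B0C0D0E0F"))
```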
I actually never got my hands on a Magic Gen-2 tag, so I can't tell by my own experience how it reacts to among others the backdoor commands for Generation1.
However, if your write command fails, it could be because you have the wrong password.
Can you test "hf mf cgetsc 0"? If it reacts to this, then we can confirm that generation2 tags respond to generation1 backdoor commands.
I have one that is "2nd gen" and it is possible to write block 0 as usual (A0 00 command), and not possible to act with backdoor commands.
proxmark3> hf mf csetuid 12345678
--wipe card:00 uid:12 34 56 78
#db# Can't select card
Can't set UID. error=2
proxmark3>
Thanks for pointing that out J-Run. Can you tell us where you bought those 2nd generation cards?
Yes, I'm curious as well where you bought it.
> I have one that is "2nd gen" and it is possible to write block 0 as usual (A0 00 command), and not possible to act with backdoor commands.
> proxmark3> hf mf csetuid 12345678
> --wipe card:00 uid:12 34 56 78
> #db# Can't select card
> Can't set UID. error=2
> proxmark3>
This is exactly what I wanted to know. If I am successful in getting the inventory exchanged for Gen2 cards I'll let everyone here know.
Asper, Iceman, sure!
I ordered some cards from the xfpga store a year ago and was surprised that the "UID changeable mifare 4K card S70 card" was "2nd gen".
I consider that all uid-changeable cards in that store without any references to backdoor functionality in the description are actually "2nd gen".
Ok, I also have s70 (4k) generation2 tags and they work like yours.
I thought we were talking about s50 (1k) tags, for which I haven't found a gen2 yet.
Well, I thought the question was about gen2 functionality in general :-)
Anyway, I bet the uid-changeable s50 ("UID changeable mifare 1k card block0 writable") from that store without backdoor works the same way as the s70. Of course, this should be checked.
That's why we ask, to see if someone knows.