[SOLVED] Wipe chinese cards

Max13.56 · 2019-06-25 09:15:52

Hello everyone!
I'm looking for the right command to wipe chinese magic cards gen1.
It seems that commands exist (I saw old comments on the web like "hf mf cset" or "-wipe"), but i can't find in the last fork.
I use the proxmark RDV4.0 with the iceman fork.
Is there any solution?
Thank you all!

Last edited by Max13.56 (2019-07-04 16:24:46)

mwalker · 2019-06-25 10:46:08

Is the w option what you are after ?
from the rrg rdv4

[usb] pm3 --> hf mf csetblk h
Set block data for magic Chinese card. Only works with magic cards

Usage: hf mf csetblk [ h ] <block number> <block data (32 hex symbols)> [w]
Options:
h this help
w wipe card before writing
<block> block number
<data> block data to write (32 hex symbols)
Examples:
hf mf csetblk 1 01020304050607080910111213141516
hf mf csetblk 1 01020304050607080910111213141516 w

iceman · 2019-06-26 06:26:06

remember the wipe sets everything to zero... everything... even sector trailers.

Max13.56 · 2019-06-27 21:45:30

Ok, if I understand correctly, I have to write new hex symbols on every block (adding w as an argument to wipe the same block).
There isn't a generic command to wipe the whole card in one shot?
Thank you for your answer anyway guys!

Ollibolli · 2019-06-30 17:01:40

Hello,

try to run the script "remagic.lua"!

By the way: What does "sector trailers" exactly mean?

mwalker · 2019-07-01 04:22:12

Ollibolli wrote:

Hello,
By the way: What does "sector trailers" exactly mean?

Sector Trailer is the last block in every sector. It stores the passwords A and B and the permissions for each key.
So in context, when Iceman said including the sector trailers, that means there are NO keys (or set to 000000000000) and NO valid permissions. for that sector. So you would need to put all those back.
In a magic card where it supports the magic commands, thats OK as you can use the magic commands to do that.
If it was a real card and you managed to write all 0's to the sector trailer, you would brick that sector.

Ollibolli · 2019-07-01 21:35:29

Thank you very much!

How can i change/manage the permissions in the sector trailer?

mwalker · 2019-07-02 05:10:23

With care!

Start with reading : https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
Around Section 8
Its a bit tricky at first has the permissions are in there twice and if you get it wrong you can brick the sector.
I would suggest playing with a magic card as you can then recover when it goes wrong.

The idea is
1. work out the permissions you want.
2. build the 3 byte (6 hex digit) - 24 bit permissions.
3. know the current (or new) A/B keys and write that data like any other block write <A key><6 hex digit permission><single byte><B key> to the sector for which you want those keys and permissions applied to.

Ollibolli · 2019-07-02 05:31:18

Okay, but i think, this is a little bit to hard for my brain...:-(

In my case its the following sector 7 i can't write on a Mifare Classic 1k-card:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
81 C0 BB CE 32 E9 70 F7 88 00 E1 08 EA 39 7A 9A

Can you see, what i have to setup?

So, without the A/B-keys, "70 F7 88 00" is left!

mwalker · 2019-07-02 11:21:45

That looks like you need to write with key B
Access block 0: read AB; writeB
Access block 1: read AB; writeB
Access block 2: read AB; writeB
Access block 3: read ACCESS by AB

But it seems that the sector trailer is read only.

Ollibolli · 2019-07-02 18:07:15

So there is no way to write the sector trailer (except with magic-card)?

But what does it take the manufacturer out of it to lock the sector trailer?

Last edited by Ollibolli (2019-07-02 18:07:28)

Max13.56 · 2019-07-04 16:23:02

Thanks for your answer guys!
The remagic script is ok!
I Will try later To write new data on it
!

Max13.56 · 2019-07-12 16:50:49

Hi everyone!
Come back after testing!
Finally i used 2 scripts from the fork to wipe and clean cards

script run remagic.lua
script run formatMifare.lua

I noticed the script changes UID and sometimes SAK (from 08 to 88 or 98) so i just had to do :

hf mf csetuid 01020304 0004 08 to achieve an original configuration.

Final test : restore data from another tag on my "new" magic card and it worked perfectly!

Thank you again for the help and the scripts!

Proxmark3 community

Announcement

#1 2019-06-25 09:15:52

[SOLVED] Wipe chinese cards

#2 2019-06-25 10:46:08

Re: [SOLVED] Wipe chinese cards

#3 2019-06-26 06:26:06

Re: [SOLVED] Wipe chinese cards

#4 2019-06-27 21:45:30

Re: [SOLVED] Wipe chinese cards

#5 2019-06-30 17:01:40

Re: [SOLVED] Wipe chinese cards

#6 2019-07-01 04:22:12

Re: [SOLVED] Wipe chinese cards

#7 2019-07-01 21:35:29

Re: [SOLVED] Wipe chinese cards

#8 2019-07-02 05:10:23

Re: [SOLVED] Wipe chinese cards

#9 2019-07-02 05:31:18

Re: [SOLVED] Wipe chinese cards

#10 2019-07-02 11:21:45

Re: [SOLVED] Wipe chinese cards

#11 2019-07-02 18:07:15

Re: [SOLVED] Wipe chinese cards

#12 2019-07-04 16:23:02

Re: [SOLVED] Wipe chinese cards

#13 2019-07-12 16:50:49

Re: [SOLVED] Wipe chinese cards

Board footer