Reputation: 51
How to modify block 0 / UID of a Mifare 1K tag (using a proxmark)
I bricked a Mifare 1k tag during an attempt to write to block n°0 (to change the UID), I would like to understand what I did wrong.
Just for reminder, the datasheet of the Mifare 1k => 1
I used :
- a Proxmark Easy ;
- a tag with a writable block 0 (bought online).
First, I searched the tag
proxmark3> hf search
UID : fa 33 78 19
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
So, the UID is fa 33 78 19
Then, I read de block 0 using the key A (which I knew to be "FFFFFFFFFFFF")
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:fa 33 78 19 a8 08 04 00 62 63 64 65 66 67 68 69
We find the UID identified earlier fa 33 78 19
Then, I tried to modify it by replacing only the bytes associated to the UID :
proxmark3> hf mf wrbl 0 A FFFFFFFFFFFF FFFFFFFFa80804006263646566676869
--block no:0, key type:A, key:ff ff ff ff ff ff
--data: ff ff ff ff a8 08 04 00 62 63 64 65 66 67 68 69
#db# WRITE BLOCK FINISHED
isOk:01
But after that, there's no way to communicate with the tag, it's bricked...
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# Can't select card
#db# READ BLOCK FINISHED
isOk:00
proxmark3> hf search
#db# Reading card ...
No or unknown card found, aborting
Where's my mistake?
Upvotes: 2
Views: 20919
Answers (2)
Reputation: 31
I found It's a very old topic but It still have some info that may help some one. You can "unbrick" a tag that "soft-brick" (cause invalid bcc). Instruction here
#e.g. for 4b UID:
hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 11223344441802006263646566676869 # for 4k
hf 14a config --std
hf 14a reader
Upvotes: 3
Reputation: 51
I found the solution :
The block 0 is composed of: 4 bytes of UID, 1 byte of BCC and 11 other Manufacturer bytes Datasheet
BCC depends on UID: it's a XOR of four UID bytes. Writing a bad BCC bricks the tag.
There are several sites that allow the BCC to be calculated from the desired UID : here
Now, the question is: Can we "unbrick" a tag ?
On other forums, some people say they succeeded with their ACR122U (libnfc) but for my part, I own a Proxmark 3 Easy and I didn't find anything.
Upvotes: 3
Related Questions
- re-writing uid and block 0 on Chinese (supposed to be writable) MIFARE 1K card in python
- Can I change the UID of NFC tags
- UID for access control
- is UID of mifare classic editable?
- Changing authentication key of a sector in MIFARE Classic
- Mifare Classic 1k APDU command for retrieving tag UID
- Read Mifare Classic 1K UID with Nexus 5
- How to overwrite a block data that already exists in mifare 1K tag. Authentication fails when trying to override the data ina specific block
- Reading the tag UID of Mifare classic card
- Reading UID of mifare classic 1k