Recovering a Magic MIFARE Gen2

9 February 2023


I recently bought a Proxmark3 Easy from Dangerous Things. They don't make the Proxmark, but carry the "easy" version that is a lot cheaper ($90) than the current revision and has user-friendly software. I haven't used other Proxmarks so I can't vouch for the software improvements, but the better price is enough for me. I'm interested in learning about RFID technologies, cloning things like the fob to get into the gym, hotel room keys, etc. Ultimately, I want to get an implant or two from Dangerous Things, but that's another discussion. This is just my experience with the Magic MIFARE cards that came with the PM3 and fixing my mistake.


----------------------------
What's a Magic MIFARE?
----------------------------

RFID access credentials fall into two main bands: low frequency (LF, 125 kHz) and high frequency (HF, 13.56 MHz). MIFARE is NXP's popular chip family in the HF category, and hotel room keys are likely to have a MIFARE chip inside. When you tap your badge on the reader by the door, the most common thing happening is the reader asking the card for its ID. The reader (or a server behind it) looks up that ID to see whether it's allowed to open the door.

This ID is supposed to be unique to each chip, hence the name UID. On genuine MIFARE chips the UID is set at the factory and read-only, but a Magic MIFARE chip lets you change it. A reader that only checks the UID has no way to tell a clone from the original, so you can clone other chips and open doors you're not supposed to (or have a backup hotel key without asking for one).

There are more technical details, but this should be enough to understand what I'm discussing.


----------------------------
Gen1 vs Gen2
----------------------------

A chip's memory is divided into sectors, each sub-divided into blocks. Block 0 (the manufacturer block) holds the UID, a check byte (BCC) derived from the UID, the SAK and ATQA bytes that identify the chip type, and some manufacturer data. On a genuine chip this block is read-only, which is what prevents cloning; a Magic chip lets you write new data to it. Separately, every sector is protected by keys stored in its last block (the sector trailer), and you must authenticate with the right key before reading or writing any block in that sector. In practice many deployments never change the keys from the factory defaults (FFFFFFFFFFFF is the most common), so the Proxmark and phone apps ship with lists of well-known keys.

Gen1 (also called Gen1a) chips have a backdoor command built in that unlocks block 0 for writing. It is a non-standard command sequence sent outside normal authentication, so it can usually only be issued by dedicated hardware like the Proxmark; phone NFC stacks cannot send it. The backdoor also bypasses the sector keys, so if you lose the key it doesn't matter.

Gen2 (also called CUID) chips simply accept an ordinary authenticated write to block 0. They have no backdoor command, so you do need the sector key to write anything, but that is all you need, which is why a phone app can change the UID. The flip side is that the chip does not validate what you write: a block 0 with an inconsistent check byte goes in just as easily, and that is how the card gets bricked.


----------------------------
Bricking a Gen2 and Recovery
----------------------------

Running the following command on the Proxmark usually tells you whether the chip is Gen1 or Gen2 by reporting whether it responds to the backdoor command:

hf mf search

Mine doesn't say if it responds or not, which I think means it's Gen2. Not understanding this, I kept running commands to try to change the UID. Eventually, I just manually wrote new data using

hf mf wrbl --blk 0 -k <key> -d <new data>

I looked for the UID in block 0 and simply replaced it with 11223344. This bricked the card. Block 0 also contains a field called BCC, a check byte computed as the XOR of the four UID bytes; changing the UID without recomputing it leaves the two inconsistent. Readers verify the BCC during anticollision, so when the UID and BCC don't match they reject the card before ever reading it. Even the Proxmark will stop reading once it detects a bad BCC. Luckily, this safety check can be turned off with:

hf 14a config --bcc ignore

With this, you can now use the wrbl command to write a valid block 0 (one whose BCC actually matches its UID), un-bricking the chip. Don't forget to set the config back to checking the BCC afterwards (hf 14a config --bcc std). Here's a valid block 0 if you need one, laid out as UID 01020304, BCC 04 (01 XOR 02 XOR 03 XOR 04), SAK 08, ATQA 0400, then eight manufacturer bytes:

010203040408040000004A495256494E
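The block 0 layout from the Gen1 vs Gen2 section and the BCC mistake above are easy to get wrong by hand, so here is a small added example (not code from the original post or from the Proxmark3 project) that parses a block 0 for a 4-byte-UID card, checks its BCC, rebuilds it for a new UID with the BCC recomputed, and only then emits the hf mf wrbl line. The sample block values are the one printed above and a constructed copy with the UID swapped for 11223344 and the old BCC left in place, which is exactly the brick described earlier. The key FFFFFFFFFFFF is an assumption (the usual factory key A); use whatever sector 0 actually authenticates with.

```python
# Added example (not from the original post or the Proxmark3 project): parse
# a MIFARE Classic block 0 for a 4-byte-UID card, check its BCC, and build a
# corrected block 0 for a new UID before writing it to a Gen2 magic card.
# Layout of the 16-byte manufacturer block (4-byte UID cards):
#   bytes 0-3   UID
#   byte  4     BCC, the XOR of the four UID bytes (what readers verify)
#   byte  5     SAK  (08 on the Classic 1K in this post)
#   bytes 6-7   ATQA as stored in block 0 (0400 in this post)
#   bytes 8-15  manufacturer data, not checked by readers
from dataclasses import dataclass

# Constructed sample data. The first is the valid block 0 from the post; the
# second is what the author effectively wrote: new UID, stale BCC (04).
GOOD_BLOCK0 = "010203040408040000004A495256494E"
BRICKED_BLOCK0 = "112233440408040000004A495256494E"
DEFAULT_KEY = "FFFFFFFFFFFF"  # assumed: the usual factory key A


def calc_bcc(uid: bytes) -> int:
    """BCC for a 4-byte UID is the XOR of its bytes."""
    if len(uid) != 4:
        raise ValueError("this example handles 4-byte UIDs only")
    result = 0
    for b in uid:
        result ^= b
    return result


@dataclass
class Block0:
    uid: bytes
    bcc: int
    sak: int
    atqa: bytes
    manufacturer: bytes

    @classmethod
    def parse(cls, hex_data: str) -> "Block0":
        raw = bytes.fromhex(hex_data)
        if len(raw) != 16:
            raise ValueError("block 0 must be exactly 16 bytes")
        return cls(raw[0:4], raw[4], raw[5], raw[6:8], raw[8:16])

    def bcc_ok(self) -> bool:
        """False means a reader will reject the card during anticollision."""
        return self.bcc == calc_bcc(self.uid)

    def to_hex(self) -> str:
        raw = self.uid + bytes([self.bcc, self.sak]) + self.atqa + self.manufacturer
        return raw.hex().upper()


def with_new_uid(hex_data: str, new_uid_hex: str) -> str:
    """Replace the UID in a block 0 and recompute the BCC so it stays valid."""
    blk = Block0.parse(hex_data)
    blk.uid = bytes.fromhex(new_uid_hex)
    blk.bcc = calc_bcc(blk.uid)
    return blk.to_hex()


def repair(hex_data: str) -> str:
    """Fix a bricked block 0 by recomputing the BCC for whatever UID it holds."""
    return with_new_uid(hex_data, Block0.parse(hex_data).uid.hex())


def wrbl_command(hex_data: str, key: str = DEFAULT_KEY) -> str:
    """The Proxmark3 command line from the post, refusing to emit a bad BCC."""
    if not Block0.parse(hex_data).bcc_ok():
        raise ValueError("refusing to write a block 0 with a bad BCC")
    return f"hf mf wrbl --blk 0 -k {key} -d {hex_data}"


if __name__ == "__main__":
    print("bricked block 0 has a valid BCC?", Block0.parse(BRICKED_BLOCK0).bcc_ok())
    fixed = repair(BRICKED_BLOCK0)
    print("repaired block 0:", fixed)
    print(wrbl_command(fixed))
```

The guard in wrbl_command is the check the Proxmark did not do for the author: generate the block with the tool, and a stale BCC never reaches the card. The example deliberately stops at 4-byte UIDs; 7-byte-UID cards carry their UID across two cascade levels with a BCC per level, and the layout of their block 0 is not what this post describes.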

Thanks to this forum thread for providing the solution.
