Topic: Changing block 0

So I have just started mucking around with RFID, and looking around on my uni card, the only thing that the card has is a UID, which I am assuming gets run against a database somewhere to confirm that you are allowed to access that area.

Therefore if I am going to do this project I am going to need to clone this UID onto a new card.

I know that block 0 on the cards is read only; my question is, is it read only simply because I don't know the authentication code, or because it is actually hard coded?

Secondly, are MIFARE cards with writable block 0s available anywhere? Simply buying one of these and cloning onto that would probably be the simplest solution.

Re: Changing block 0

Hello,

practisevoodoo wrote:

Therefore if I am going to do this project I am going to need to clone this UID onto a new card.

You can't clone a UID without manufacturing a card yourself... and I don't think you have sufficient equipment.

practisevoodoo wrote:

I know that block 0 on the cards is read only; my question is, is it read only simply because I don't know the authentication code, or because it is actually hard coded?

Block 0 in sector 0 is the "manufacturer block". This block is a ROM part, so consider it "hardwarely" locked.

practisevoodoo wrote:

Secondly, are MIFARE cards with writable block 0s available anywhere?

AFAIK, no, there aren't.

Romuald Conty

Re: Changing block 0

You can do that really, really easily with Proxmark3 hardware.

Re: Changing block 0

Writeable cards are now available:

http://www.proxmark.org/forum/viewtopic … 96&p=1

I've modified the libnfc 'nfc-mfclassic' app to unlock and write full card images including block 0. I've also created a new utility 'nfc-mfsetuid' which will just set block 0. This includes fixing cards that are no longer selectable (e.g. you wrote the wrong BCC or something).

Committed as rev 1124.

cheers,
Adam

Last edited by adam@algroup.co.uk (2011-09-05 17:05:33)

Re: Changing block 0

... and here it is in action:

$ ./nfc-anticol
Connected to NFC reader: ACS ACR 38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)

Sent bits:     26 (7 bits)
Received bits: 04  00 
Sent bits:     93  20 
Received bits: 01  23  45  67  00 
Sent bits:     93  70  01  23  45  67  00  d0  6f 
Received bits: 08  b6  dd 
Sent bits:     50  00  57  cd 

Found tag with
UID: 01234567
ATQA: 0004
SAK: 08


$ ./nfc-mfsetuid 00dc4420
Connected to NFC reader: ACS ACR 38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)

Sent bits:     26 (7 bits)
Received bits: 04  00 
Sent bits:     93  20 
Received bits: 01  23  45  67  00 
Sent bits:     93  70  01  23  45  67  00  d0  6f 
Received bits: 08  b6  dd 

Found tag with
UID: 01234567
ATQA: 0004
SAK: 08

Sent bits:     50  00  57  cd 
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43 
Received bits: 0a 
Sent bits:     a0  00  5f  b1 
Received bits: 0a 
Sent bits:     00  dc  44  20  b8  08  04  00  46  59  25  58  49  10  23  02  c0  10 
Received bits: 0a 


$ ./nfc-anticol
Connected to NFC reader: ACS ACR 38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)

Sent bits:     26 (7 bits)
Received bits: 04  00 
Sent bits:     93  20 
Received bits: 00  dc  44  20  b8 
Sent bits:     93  70  00  dc  44  20  b8  37  c9 
Received bits: 08  b6  dd 
Sent bits:     50  00  57  cd 

Found tag with
UID: 00dc4420
ATQA: 0004
SAK: 08
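
Added example (not part of the original thread and not libnfc code): the integrity fields visible in the trace above, checked in C. It recomputes the ISO/IEC 14443-3 CRC_A that ends each framed command and the BCC byte (XOR of the four UID bytes) that Adam mentions; the function names and the BAD_BCC sample are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISO/IEC 14443-3 CRC_A: initial value 0x6363, sent low byte first. */
static uint16_t crc_a(const uint8_t *d, size_t n) {
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = (uint8_t)(d[i] ^ (crc & 0xff));
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4));
    }
    return crc;
}

/* 1 if the last two bytes of the frame are the CRC_A of the bytes before them. */
static int frame_crc_ok(const uint8_t *f, size_t n) {
    if (n < 3) return 0;
    uint16_t c = crc_a(f, n - 2);
    return f[n - 2] == (c & 0xff) && f[n - 1] == (c >> 8);
}

/* 1 if p[4] (BCC) equals the XOR of the four UID bytes p[0..3]. */
static int bcc_ok(const uint8_t *p) {
    return (p[0] ^ p[1] ^ p[2] ^ p[3]) == p[4];
}

/* Frames copied from the trace in the post above. */
static const uint8_t HLTA[]   = {0x50, 0x00, 0x57, 0xcd};
static const uint8_t SELECT[] = {0x93, 0x70, 0x00, 0xdc, 0x44, 0x20, 0xb8, 0x37, 0xc9};
static const uint8_t BLOCK0[] = {0x00, 0xdc, 0x44, 0x20, 0xb8, 0x08, 0x04, 0x00, 0x46,
                                 0x59, 0x25, 0x58, 0x49, 0x10, 0x23, 0x02, 0xc0, 0x10};
/* Constructed sample: same UID with a wrong BCC, the failure case named above. */
static const uint8_t BAD_BCC[] = {0x00, 0xdc, 0x44, 0x20, 0x00};

int main(void) {
    printf("HLTA   crc ok: %d\n", frame_crc_ok(HLTA, sizeof HLTA));
    printf("SELECT crc ok: %d, bcc ok: %d\n",
           frame_crc_ok(SELECT, sizeof SELECT), bcc_ok(SELECT + 2));
    printf("BLOCK0 crc ok: %d, bcc ok: %d\n",
           frame_crc_ok(BLOCK0, sizeof BLOCK0), bcc_ok(BLOCK0));
    printf("BAD_BCC bcc ok: %d\n", bcc_ok(BAD_BCC));
    return 0;
}
```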