Know your magic cards

History of Magic Cards

In the beginning there was the MIFARE CLASSIC® 1K card.
Compared to the 125KHz tags at the time, which simply burped out a string of data, the MIFARE CLASSIC® 1K was an advanced card.

Each individual card had an individual Unique ID. These UIDs blocks were managed between manufacturers to ensure that no two cards ever had the same UID.

The MIFARE CLASSIC® 1K also featured a plurality of data sectors, access control lists and keys.

As the MIFARE CLASSIC® 1K became more popular, many companies and access control solutions started using the UID as a security feature - relying on the UID to authenticate cards, users, purchases and more.

The MIFARE CLASSIC® 1K's cipher system, combined with a poor Pseudo-Random-Number-Generator (PRNG) were cracked - now meaning cards could be cracked and dumped.

At a similar time, Chinese companies, most notably FUDAN, started creating 'Compatible' chipsets - and some of these chipsets evolved special, even.. magical.. abilities - including forging the sacred UID.

The original generations of MIFARE CLASSIC® Compatible / Magic chips required a special sequence to 'Unlock' the badge. Once unlocked - the entire card, including the UID and ACL sections could be read and written.

The unlock code, 0x43 / 0x40 became so well known - that many card reader systems would query this code to all badges. If a tag responded - it was deemed a clone card, and refused.

In response, "Magic" cards evolved other abilities - some allowed "Direct Writing" to anywhere on the card, without unlock codes - and others allowed the UID to be changed only one time.

With each iteration, the chipsets also became more and more stable, and could also emulate more and more badge types.

Today - the most modern "Magic" cards can withstand a fair bit of user abuse (writing incorrect values, corrupting the manufacturer sectors etc) - but should in general be treated with care - as to not 'brick' them.

Recently, the "Ultimate Magic Card" was released. Also known as a "Gen 4", this card is a highly configurable 13.56MHz card emulator.

It can natively emulate NTAG / MIFARE / Ultralight tags (and all their variations), supports complete control over ATQA/SAK/ATS values, UID and UID length (4, 7 and 10 byte) and has advanced functionality including Recovery Mode, Shadow Mode and automatic BCC Calculation.

↑ Back to top

Common Magic Card Cheat Sheet

Although now literally hundreds of types of magic cards can be found in the wild, for the purposes of cloning cards, the following magic cards are the most commonly available, most supported and most compatible cards/chipsets available.

MIFARE Classic Magic Cards

Advanced Magic Cards

↑ Back to top

Low Frequency Cards

T55xx

The temic T55xx/Atmel ATA5577 is the most commonly used chip for cloning LF RFIDs.

Characteristics

• 28/24 bytes of user memory (without/with password)
• Universal output settings (data rate, modulation, etc)
• Password protection (4 bytes), usually "19920427"
• Lock bits per page
• Analog frontend setup
• Other names:
  • 5577
  • 5200 (CN) - Cut down version of T55xx chip
  • H2 (RU) - Seems to be renamed 5200 chip
  • RW125T5 (RU)

Detect

↑ Back to top

EM4x05

The EM4305 and EM4205 (and 4469/4569) chips are the 2nd most common used chips for cloning LF RFIDs. It is also used by HID Global (but with a custom chip) for HIDProx credentials.

Characteristics

• 36 bytes of user memory
• Output settings are limited (ASK only, FSK added on HID variant)
• Password protection (4 bytes), usually "84AC15E2"
• Lock page used
• Other names:
  • H3 (RU)
  • RW125EM (RU)

Detect

↑ Back to top

ID82xx Series

These are custom Chinese chips mainly used to clone EM IDs. Often times, these are redesigned clones of Hitag chips.

ID8265

This is the cheapest and most common ID82xx chip available. It is usually sold as T55xx on AliExpress, with excuses to use cloners.

Characteristics:

• Chip is likely a cut down version of Hitag µ (micro) clone
• UID
• Password protection (4b), usually "00000000"(default) or "9AC4999C"(FURUI)
• Config block 0xFF
• Currently unimplemented in proxmark3 client
• Other names: ID8210 (CN), H-125 (CN), H5 (RU)

ID8211

This is an "improved" variant of ID82xx chips, bypassing some magic detection in China.

Characteristics:

• Chip is likely a cut down version of Hitag S2048 clone
• No password protection
• Page 1 fully changeable, default:
• Pages 41-43 contain unknown readonly data
• Pages 44-63 readonly to

ID-F8268

This is an "improved" variant of ID82xx chips, bypassing some magic detection in China.

Characteristics:

• Chip is likely a cut down version of Hitag S2048 clone
• Password protection (4b), usually "BBDD3399"(default) or "AAAAAAAA"
• Page 1 fully changeable, default:
• Other names: F8278 (CN), F8310 (CN), K8678 manufactured by Hyctec

↑ Back to top

H Series

These are chips sold in Russia, manufactured by iKey LLC. Often times these are custom.

H1

Simplest EM ID cloning chip available. Officially discontinued.

Characteristics:

• Currently almost all structure is unknown
• No locking or password protection
• "OTP" chip is same chip, but with EM ID of zeroes. Locked after first write
• Other names: RW64bit, RW125FL

H5.5 / H7

First "advanced" custom chip with H naming.

Characteristics:

• Currently all structure is unknown
• No password protection
• Only supported by Russian "TMD"/"RFD" cloners
• H7 is advertised to work with "Stroymaster" access control
• Setting ID to "3F0096F87E" will make the chip show up like T55xx

↑ Back to top

ISO14443A Cards

Identifying Broken ISO14443A Magic Cards

When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is.

Here are some tips if the card doesn't react or gives error on a simple :

Let's force a 4b UID anticollision and see what happens:

If it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision:

At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure different types of cards.

To restore anticollision config of the Proxmark3:

↑ Back to top

MIFARE Classic

Referred as M1, S50 (1k), S70 (4k)

MIFARE Classic Block 0

UID 4b: (actually NUID as there are no more "unique" IDs on 4b)

(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)

Computing BCC on UID 11223344: =

UID 7b:

(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)

↑ Back to top

MIFARE Classic Gen1A (aka UID)

Other names: ZERO (RU)

Identify

Magic Commands

• Wipe: , (use 2000ms timeout)
• Read: , ,
• Write: , , ,

Characteristics

• UID: Only 4b versions
• ATQA: all cards play blindly the block0 ATQA bytes, beware!
• SAK: behavior varies by flavour
• BCC: all cards play blindly the block0 BCC byte, beware!
• ATS: no card with ATS

Flavours

Proxmark3 Commands

When "soft-bricked" (by writing invalid data in block0), these ones may help:

or just fixing block0:

↑ Back to top

MIFARE Classic Gen1B

Similar to Gen1A, but supports directly read/write after command 40

Identify

Magic Commands

• Read: ,
• Write: , ,

↑ Back to top

MIFARE Classic DirectWrite (Gen2 / CUID)

Also referred as MCT compatible by some sellers

Other names: MF-8 (RU), MF-3 (RU), MF-3.2 (RU)

Identify

Magic Commands

Android (MTools) compatible - issue regular write to block0

Characteristics

• UID: 4b and 7b versions
• ATQA: some cards play blindly the block0 ATQA bytes, some use fixed ATQA
• SAK: some cards play blindly the block0 SAK byte, some use fixed SAK
• BCC: some cards play blindly the block0 BCC byte, some compute proper BCC
• ATS: some cards don't reply to RATS, some reply with an ATS

Proxmark3 Commands

When "soft-bricked", use to force ATQA/BCC settings.

↑ Back to top

MIFARE Classic Gen3 (APDU)

Identify

Magic Commands

Android (MTools) compatible - issue special APDUs

Characteristics

• UID: 4b and 7b versions
• ATQA/SAK: fixed
• BCC: auto
• ATS: none

Proxmark3 Commands

↑ Back to top

MIFARE Classic QL88

Tags designed for use with the "CopyKey X5" cloning device. These cards implement custom features as a form of rudimentary DRM (Digital Rights Management) to prevent the CopyKey from working with other blank tags. Manufactured by QinLin neighbor technology, these cards are named after their distinctive SAK value of 88 in Block 0.

Identify

Characteristics

• UID: 4b versions
• ATQA/SAK: SAK value of 88 stored in Block 0 (not used during anticollision)
• BCC: computed
• ATS: none
• PRNG: hard
• Signature: Contains signature data in Sector 17
• Custom Keys: Sector 17 uses custom Key A () and Key B ()
• Manufacturer Data: Block 0 always contains
• Sector 16: Fully user-writable

Proxmark3 Commands

↑ Back to top

MIFARE Classic HUID

A variation of the QL88 tag that appears to use a custom Key Derivation Function (KDF) for key generation. Despite the custom keying mechanism, the underlying structure and behavior remain similar to QL88 cards. Analysis suggests these are essentially CUID tags with custom keys applied.

Characteristics

• UID: 4b versions
• Key Generation: Uses custom KDF (Key Derivation Function)
• Base Type: Appears to be CUID tag with custom keys
• Compatibility: Same key structure as QL88

↑ Back to top

MIFARE Classic USCUID

These magic cards have a 16 byte long configuration page, which usually starts with 0x85. All of the known tags using this configuration are listed here.

Characteristics

• UID: 4/7 bytes
• ATQA: always read from block 0
• SAK: read from backdoor or configuration
• BCC: read from memory, beware!
• ATS: no/unknown

Identify

Magic Commands

• Magic authentication: select, ,
• Magic wakeup (A: 00): ,
• Magic wakeup (B: 85): ,
• Backdoor read:
• Backdoor write: ,
• Read configuration:
• Write configuration: ,

USCUID Configuration Guide

Configuration format:

To enable an option, set it to 5A.

Proxmark3 Commands

Known Variations

*Not all tags are the same! UFUID, ZUID and PFUID are not full implementations of USCUID.

↑ Back to top

MIFARE Classic Super

It behaves like regular Mifare Classic but records reader auth attempts.

MIFARE Classic Super Gen1

Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands.

• UID: 4b version
• ATQA/SAK: fixed
• BCC: auto
• ATS: fixed, 0978009102DABC1910F005

ATQA/SAK matches 1k card, but works as 4k card.

MIFARE Classic Super Gen2

New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces.

Card always answers as , so reading/writing it via Mifare protocol is impossible.

• UID: 4b and 7b versions
• ATQA/SAK: fixed
• BCC: auto
• ATS: changeable, default as Gen1

Identify

Proxmark3 Commands

↑ Back to top

MIFARE Ultralight

MIFARE Ultralight Blocks 0..2

UID is made of SN0..SN6 bytes

Computing BCC0 on UID 04112233445566: =

Computing BCC1 on UID 04112233445566: =

Int is internal, typically 0x48

Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C

↑ Back to top

MIFARE Ultralight Gen1A

Proxmark3 Commands

When "soft-bricked" (by writing invalid data in block0), these ones may help:

↑ Back to top

MIFARE Ultralight DirectWrite

Identify

It seems so far that all MFUL DW have an ATS response in factory configuration.

Magic Commands

Issue three regular MFU write commands in a row to write first three blocks.

Characteristics

• UID: Only 7b versions
• ATQA: all cards play fix ATQA
• SAK: all cards play fix SAK
• BCC: some cards play blindly the block0 BCC0 and block2 BCC1 bytes, some compute proper BCC
• ATS: all cards reply with an ATS

Proxmark3 Commands

Equivalent: don't use as you need to write three blocks in a row, but do, with proper BCCx:

libnfc Commands

See and

Android (MTools)

MIFARE++ Ultralight

↑ Back to top

MIFARE Ultralight EV1 DirectWrite

Similar to MFUL DirectWrite

Identify

Characteristics

• UID: Only 7b versions
• ATQA: all cards play fix ATQA
• SAK: all cards play fix SAK
• BCC: cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
• ATS: all cards reply with an ATS

↑ Back to top

MIFARE Ultralight C Gen1A

Similar to MFUL Gen1A

↑ Back to top

MIFARE Ultralight C DirectWrite

Similar to MFUL DirectWrite

Identify

Characteristics

• UID: Only 7b versions
• ATQA: all cards play fix ATQA
• SAK: all cards play fix SAK
• BCC: cards compute proper BCC0 and BCC1 in anticollision
• ATS: all cards reply with an ATS

↑ Back to top

MIFARE Ultralight USCUID-UL

These magic cards, like the MFC USCUIDs have a 16 byte long configuration page, comprised of 4 blocks of 4 bytes each. This usually starts with 0x85.

Characteristics

• UID: 7 bytes
• ATQA: always read from hidden block F6
• SAK: always read from hidden block F6
• BCC: read from blocks 0-1 per Ultralight specification
• ATS: These respond to an ATS request with the config page in factory mode

Identify

In factory config state:

Magic Commands

• Magic wakeup (A: 00): ,
• Magic wakeup (B: 85): ,
• Backdoor read main and hidden block:
• Backdoor write main and hidden block:
• Read configuration:
• Write configuration:

Known Variations

↑ Back to top

NTAG

NTAG213 DirectWrite

Similar to MFUL DirectWrite

Identify

Characteristics

• UID: Only 7b versions
• ATQA: all cards play fix ATQA
• SAK: all cards play fix SAK
• BCC: cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
• ATS: all cards reply with an ATS

↑ Back to top

NTAG21x

Identify

Characteristics

Emulates fully NTAG213, 213F, 215, 216, 216F

Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS

Anticol shortcut (CL1/3000): fails

Proxmark3 Commands

Version and Signature

Don't forget configure maximum read/write blocks:

Note: 0xFB = 251

Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249.

↑ Back to top

DESFire

"DESFire" APDU, 7b UID

Magic Commands

Android (MTools) compatible - issue special APDUs

Characteristics

• ATQA: 0344
• SAK: 20
• ATS: 0675338102005110 or 06757781028002F0

Only mimics DESFire anticollision (but wrong ATS), no further DESFire support

Proxmark3 Commands

UID 04112233445566

or equivalently

↑ Back to top

"DESFire" APDU, 4b UID

Magic Commands

Android (MTools) compatible - issue special APDUs

Characteristics

• ATQA: 0008 (This is FM1208-9, NOT DESFire!)
• SAK: 20
• ATS: 0675338102005110 or 06757781028002F0

Only mimics DESFire anticollision (but wrong ATS), no further DESFire support

Proxmark3 Commands

UID 04112233445566

or equivalently

↑ Back to top

ISO14443B

Tiananxin TCOS CPU Card

This is a card sold on Taobao for testing readers. ISO14443-4 compliant.

Identify

Magic Commands

All commands in APDU.

↑ Back to top

ISO15693

ISO15693 Magic

Proxmark3 Commands

Always set a UID starting with .

or (ignore errors):

↑ Back to top

Multi-Protocol Cards

Ultimate Magic Card (UMC)

A.k.a ultimate magic card, most prominent feature is shadow mode (GTU) and optional password protected backdoor commands.

Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data.

Identify

The card will be identified only if the password is the default one. One can identify manually such card if the password is still the default one, with the command to get the current configuration:

If the card is an Ultimate Magic Card, it returns 30 or 32 bytes.

Magic Commands

There are two ways to program this card:

1. Use the raw commands designated by the examples.
2. Use the hf_mf_ultimatecard.lua script commands. This script is not fully compatible with new version UMC.

Special raw commands summary:

Default :

Characteristics

• UID: 4b, 7b and 10b versions
• ATQA/SAK: changeable
• BCC: computed
• ATS: changeable, can be disabled
• Card Type: changeable
• Shadow mode: GTU
• Backdoor password mode

Proxmark3 Commands

Change ATQA / SAK

Example: ATQA 0044 SAK 28, default pwd

OR (Note the script will correct the ATQA correctly)

Change ATS

• : ATS length byte, set to to disable ATS
• When SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on
• ATS CRC will be added automatically, don't configure it
• Max ATS length: 16 bytes (+CRC)

Example: ATS to 0606757781028002F0, default pwd

Or

Set UID Length (4, 7, 10)

• • : 4 bytes
  • : 7 bytes
  • : 10 bytes

Example: set UID length to 7 bytes, default pwd

Set 14443A UID

UID is configured according to block0 with a backdoor write.

Example: preparing first two blocks:

MFC mode 4b UID

⇒ UID

MFC mode 7b UID

⇒ UID

MFC mode, 10b UID

⇒ UID

(De)Activate Ultralight Mode

• • : MIFARE Classic mode
  • : MIFARE Ultralight/NTAG mode

Example: activate Ultralight protocol, default pwd

Or

In this mode, if SAK= and ATQA=, it acts as an Ultralight card

Select Ultralight Mode

• • : UL EV1
  • : NTAG
  • : UL-C
  • : UL

Example: set Ultralight mode to Ultralight-C, default pwd

Or

Now the card supports the 3DES UL-C authentication.

Set Shadow Mode (GTU)

• • : pre-write, shadow data can be written
  • : restore mode (WARNING: new UMC (06a0) cards return garbage data when using 01)
  • : disabled
  • : disabled, high speed R/W mode for Ultralight?
  • : split mode, work with new UMC. With old UMC is untested.

Direct Block Read and Write

Using the backdoor command, one can read and write any area without MFC password, similarly to MFC Gen1 card.

Backdoor read 16b block:

Backdoor write 16b block:

Read/Write operations work on 16 bytes, no matter the Ultralight mode.

Example: read block0, default pwd

Example: write block0 with factory data, default pwd

(De)Activate Direct Write to Block 0

This command enables/disables direct writes to block 0.

• • : Activate direct write to block 0 (Same behaviour of Gen2 cards. Some readers may identify the card as magic)
  • : Deactivate direct write to block 0 (Same behaviour of vanilla cards)
  • : Default value. (Same behaviour as (?))

Change Backdoor Password

All backdoor operations are protected by a password. If password is forgotten, it can't be recovered. Default password is .

Change password:

Example: change password from 00000000 to AABBCCDD

Dump Configuration

Default configuration:

Fast Configuration

See Dump configuration for configuration data description.

Example: Write factory configuration, using default password

Presets

Here are some presets available in the FuseTool (but with all ATS disabled)

MIFARE Mini S20 4-byte UID

MIFARE Mini S20 7-byte UID

MIFARE 1k S50 4-byte UID (this is the factory setting)

MIFARE 1k S50 7-byte UID

MIFARE 4k S70 4-byte UID

MIFARE 4k S70 7 byte UID

Ultralight

Ultralight-C

Ultralight EV1

NTAG21x

↑ Back to top