Know your magic cards
April 29, 2019
Navigating the world of "Magic" RFID Cards can be difficult. Different suppliers have different badges with different abilities, and each version may have multiple generations.
At Lab401, we work closely with our suppliers to ensure we have the latest and most stable versions of "Magic UID Tags".
But before we can jump into the technical details - first a history lesson.
In the beginning there was the MIFARE CLASSIC® 1K card.
Compared to the 125 kHz tags at the time, which simply burped out a string of data, the MIFARE CLASSIC® 1K was an advanced card.
Each card had its own Unique ID (UID). Blocks of UIDs were managed between manufacturers to ensure that no two cards ever had the same UID.
The MIFARE CLASSIC® 1K also featured a plurality of data sectors, access control lists and keys.
As the MIFARE CLASSIC® 1K became more popular, many companies and access control solutions started using the UID as a security feature, relying on the UID to authenticate cards, users, purchases and more.
The MIFARE CLASSIC® 1K's cipher system, combined with a poor Pseudo-Random-Number-Generator (PRNG), was cracked, meaning cards could now be cracked and dumped.
At a similar time, Chinese companies, most notably FUDAN, started creating 'Compatible' chipsets, and some of these chipsets evolved special, even... magical... abilities, including forging the sacred UID.
The original generations of MIFARE CLASSIC® Compatible / Magic chips required a special sequence to 'Unlock' the badge. Once unlocked - the entire card, including the UID and ACL sections could be read and written.
The unlock code, 0x43 / 0x40, became so well known that many card reader systems would send this code to every badge. If a tag responded, it was deemed a clone card and refused.
In response, "Magic" cards evolved other abilities - some allowed "Direct Writing" to anywhere on the card, without unlock codes - and others allowed the UID to be changed only one time.
With each iteration, the chipsets also became more and more stable, and could also emulate more and more badge types.
Today, the most modern "Magic" cards can withstand a fair bit of user abuse (writing incorrect values, corrupting the manufacturer sectors etc.), but should in general be treated with care so as not to 'brick' them.
Recently, the "Ultimate Magic Card" was released. Also known as a "Gen 4", this card is a highly configurable 13.56MHz card emulator.
It can natively emulate NTAG / MIFARE / Ultralight tags (and all their variations), supports complete control over ATQA/SAK/ATS values, UID and UID length (4, 7 and 10 byte) and has advanced functionality including Recovery Mode, Shadow Mode and automatic BCC Calculation.
History lesson aside, Lab401 has compiled a quick Magic Tag Cheatsheet to quickly and easily understand what tags are what.

| Tag type | Generation | Description | Characteristics |
|---|---|---|---|
| | 1a | Original "Magic Mifare" tag. Requires "Unlocking" for 'magic' features | Unlockable with code 0x43 0x40; entire card can be written / read once unlocked; detectable as a 'magic' card; easily bricked by writing incorrect BCC values; compatible with LibNFC & Proxmark |
| | 1b | Generation 1a tag with custom unlock code | Entire card can be written / read once unlocked; easily bricked by writing incorrect BCC values; detectable as a 'magic' card; requires custom commands for LibNFC & Proxmark |
| | 2 | No unlocking required. Comes in 4-byte UID and 7-byte UID flavours | Detectable as a 'magic' card; compatible with Android devices; compatible with LibNFC & Proxmark |
| | 2 OTW | One-Time Write UID. No unlocking required. Comes in 4-byte UID only | Once written, UID cannot be changed; undetectable as a 'magic' card; compatible with Android devices; compatible with LibNFC & Proxmark |
| MIFARE CLASSIC® 4K | 1a | Original "Magic Mifare" tag. Comes in 4-byte UID and 7-byte UID flavours | Unlockable with code 0x43 0x40; entire card can be written / read once unlocked; detectable as a 'magic' card; easily bricked by writing incorrect BCC values; compatible with LibNFC & Proxmark |
| | 2 | No unlocking required | Detectable as a 'magic' card; compatible with Android devices; compatible with LibNFC & Proxmark |
| MIFARE ULTRALIGHT® | 1a | Original "Magic Ultralight" tag | Compatible with LibNFC & Proxmark; bricked if 0x43 0x40 code is used; detectable as a 'magic' card |
| | 1b | Variation "Magic Ultralight" tag | Compatible with LibNFC; requires unlock code 0x43 0x40 to be used; detectable as a 'magic' card |
| MIFARE ULTRALIGHT-C® | 1 | No unlocking required | Detectable as a 'magic' card; compatible with Android devices; compatible with LibNFC & Proxmark |

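
Several rows above warn that a tag is bricked by an incorrect BCC value. The sketch below is an added example, not Lab401 or vendor code: it checks the BCC bytes of a card image before it is written, assuming the standard ISO 14443-3 layouts (4-byte-UID MIFARE Classic block 0, 7-byte-UID Ultralight pages 0-2). The function names and sample images are constructed for illustration.

```python
from functools import reduce

CASCADE_TAG = 0x88  # ISO 14443-3 marker that precedes the first 3 bytes of a 7-byte UID


def bcc(data: bytes) -> int:
    """Block Check Character: XOR of all bytes in `data`."""
    return reduce(lambda acc, b: acc ^ b, data, 0)


def check_classic_block0(block0: bytes) -> tuple[bool, int]:
    """4-byte-UID MIFARE Classic block 0: UID at [0:4], BCC at offset 4.

    Returns (stored BCC is correct, BCC the UID requires).
    """
    if len(block0) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    expected = bcc(block0[:4])
    return block0[4] == expected, expected


def check_ultralight_header(pages: bytes) -> tuple[bool, int, int]:
    """7-byte-UID Ultralight pages 0-2 (12 bytes).

    Layout: UID0 UID1 UID2 BCC0 | UID3 UID4 UID5 UID6 | BCC1 ...
    """
    if len(pages) != 12:
        raise ValueError("expected pages 0-2, 12 bytes")
    bcc0 = bcc(bytes([CASCADE_TAG]) + pages[0:3])
    bcc1 = bcc(pages[4:8])
    return pages[3] == bcc0 and pages[8] == bcc1, bcc0, bcc1


def fix_classic_block0(block0: bytes) -> bytes:
    """Return block 0 with the BCC byte recomputed from the UID."""
    ok, expected = check_classic_block0(block0)
    return block0 if ok else block0[:4] + bytes([expected]) + block0[5:]


# Constructed sample images (not dumps of real cards).
GOOD_CLASSIC = bytes.fromhex("deadbeef" "22" "08" "0400" + "00" * 8)
BAD_CLASSIC = bytes.fromhex("deadbeef" "ff" "08" "0400" + "00" * 8)
GOOD_UL = bytes.fromhex("04a1b29f" "c3d4e5f6" "04480000")

if __name__ == "__main__":
    for name, img in (("good", GOOD_CLASSIC), ("bad", BAD_CLASSIC)):
        ok, want = check_classic_block0(img)
        print(f"classic {name}: ok={ok} expected BCC=0x{want:02x}")
    print("ultralight:", check_ultralight_header(GOOD_UL))
```
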
Several other types of Magic Cards are also available, supporting other chipsets or providing other functionality. For these, new versions replace the old rather than several versions being maintained on the market.
Customise:
Built in functionality:
Natively emulates:
| - "Gen 4" Card | |

| Tag type | Description | Characteristics |
|---|---|---|
| | Allows UID to be set | Compatible with LibNFC & Proxmark |
| NTAG® 2xx / Ultralight Emulator | Natively emulates: MIFARE NTAG® 213, NTAG® 215, NTAG® 216. Partially emulates: NTAG® 210, NTAG® 212, NTAG® I2C 1K, NTAG® I2C 2K, NTAG® I2C 1K Plus, NTAG® I2C 2K Plus, MIFARE Ultralight® EV1 48k, MIFARE Ultralight® EV1 128k | Supported by Proxmark natively; requires special commands to be used with LibNFC |
| MIFARE DESFire® Emulator | Comes in 4-byte UID and 7-byte UID flavours. Emulates the ATQA/SAK of a DESFire card. Emulates the UID of a DESFire card | Supported by Proxmark natively; requires special commands to be used with LibNFC |
| Icode SLi / SLix | Allows UID to be set | Supported by Proxmark natively; requires special commands to be used with LibNFC |