Know your magic cards

Posted by Lab401 Steve on

Navigating the world of "Magic" RFID Cards can be difficult. Different suppliers have different badges with different abilities, and each version may have multiple generations.

At Lab401, we work closely with our suppliers to ensure we have the latest and most stable versions of "Magic UID Tags".

But before we can jump into the technical details - first a history lesson.

In the beginning there was the MIFARE CLASSIC® 1K card.
Compared to the 125KHz tags at the time, which simply burped out a string of data, the MIFARE CLASSIC® 1K was an advanced card. 

Each individual card had an individual Unique ID. These UIDs blocks were managed between manufacturers to ensure that no two cards ever had the same UID.

The MIFARE CLASSIC® 1K also featured a plurality of data sectors, access control lists and keys. 

As the MIFARE CLASSIC®1K became more popular, many companies and access control solutions started using the UID as a security feature - relying on the UID to authenticate cards, users, purchases and more.

The MIFARE CLASSIC®1K's cipher system, combined with a poor Pseudo-Random-Number-Generator (PRNG) were cracked - now meaning cards could be cracked and dumped.

At a similar time, Chinese companies, most notably FUDAN, started creating 'Compatible' chipsets - and some of these chipsets evolved special, even.. magical.. abilities - including forging the sacred UID.

The original generations of MIFARE CLASSIC® Compatible / Magic chips required a special sequence to 'Unlock' the badge. Once unlocked - the entire card, including the UID and ACL sections could be read and written.

The unlock code, 0x43 / 0x40 became so well known - that many card reader systems would query this code to all badges. If a tag responded - it was deemed a clone card, and refused.

In response, "Magic" cards evolved other abilities - some allowed "Direct Writing" to anywhere on the card, without unlock codes - and others allowed the UID to be changed only one time.

With each iteration, the chipsets also became more and more stable, and could also emulate more and more badge types.

Today - the most modern "Magic" cards can withstand a fair bit of user abuse (writing incorrect values, corrupting the manufacturer sectors etc) - but should in general be treated with care - as to not 'brick' them.

History lesson aside, Lab401 has compiled a quick Magic Tag Cheatsheet to quickly and easily understand what tags are what.

Chipset Type Generation Notes Features
MIFARE CLASSIC® 1K 1a Original "Magic Mifare" tag
Requires "Unlocking" for 'magic' features
- Unlockable with code 0x43 0x40
- Entire card can be written / read once unlocked
- Detectable as a 'magic' card
- Easily bricked by writing incorrect BCC values
- Compatible with LibNFC & Proxmark
1b Generation 1a tag with custom unlock code - Entire card can be written / read once unlocked
- Easily bricked by writing incorrect BCC values
- Detectable as a 'magic' card
- Requires custom commands for LibNFC & Proxmark
2 No unlocking required
Comes in 4-byte UID and 7-byte UID flavours
- Detectable as a 'magic' card
- Compatible with Android devices
- Compatible with LibNFC & Proxmark
2 OTW One-Time Write UID
No unlocking required
Comes in 4-byte UID only
- Once written, UID cannot be changed
- Undetectable as a 'magic' card
- Compatible with Android devices
- Compatible with LibNFC & Proxmark
MIFARE CLASSIC® 4K 1a Original "Magic Mifare" tag
Comes in 4-byte UID and 7-byte UID flavours
- Unlockable with code 0x43 0x40
- Entire card can be written / read once unlocked
- Detectable as a 'magic' card
- Easily bricked by writing incorrect BCC values
- Compatible with LibNFC & Proxmark
2 No unlocking required - Detectable as a 'magic' card
- Compatible with Android devices
- Compatible with LibNFC & Proxmark
MIFARE ULTRALIGHT® 1a Original "Magic Ultralight" tag - Compatible with LibNFC & Proxmark
- Bricked if 0x43 0x40 code is used
- Detectable as a 'magic' card
1b Variation "Magic Ultralight" tag - Compatible with LibNFC
- Requires unlock code 0x43 0x40 to be used
- Detectable as a 'magic' card
MIFARE ULTRALIGHT-C® 1 No unlocking required - Detectable as a 'magic' card
- Compatible with Android devices
- Compatible with LibNFC & Proxmark

 

There are also several other types of Magic Cards available, that support other chipsets or provide other functionality, but new versions replace the old, instead of maintaining several versions on the market.

Chipset Type Features Notes
NTAG® 213 Compatible Allows UID to be set - Compatible with LibNFC & Proxmark
NTAG® 2xx / Ultralight Emulator Natively emulates:
MIFARE NTAG® 213
NTAG® 215
NTAG® 216

Partially emulates:
NTAG® 210
NTAG® 212
NTAG® I2C 1K
NTAG® 12C 2K
NTAG® I2C 1K Plus
NTAG® 12C 2K Plus
MIFARE Ultralight® EV1 48k
MIFARE Ultralight® EV1 128k
- Supported by Proxmark natively
- Requires special commands to be used with LibNFC
MIFARE DESFire® Emulator Comes in 4-byte UID and 7-byte UID Flavours
Emulates the ATQA/SAK of a DESFire card
Emulates the UID of a DESFire card
- Supported by Proxmark natively
- Requires special commands to be used with LibNFC
Icode SLi / SLix Allows UID to be set - Supported by Proxmark natively
- Requires special commands to be used with LibNFC

Share this post



← Older Post Newer Post →


Leave a comment

Please note, comments must be approved before they are published.