Know your magic cards

Posted by Lab401 Steve on Apr 29, 2019

Navigating the world of "Magic" RFID Cards can be difficult. Different suppliers have different badges with different abilities, and each version may have multiple generations.

At Lab401, we work closely with our suppliers to ensure we have the latest and most stable versions of "Magic UID Tags".

But before we can jump into the technical details - first a history lesson.

In the beginning there was the MIFARE CLASSIC® 1K card.
Compared to the 125KHz tags at the time, which simply burped out a string of data, the MIFARE CLASSIC® 1K was an advanced card.

Each individual card had an individual Unique ID. These UIDs blocks were managed between manufacturers to ensure that no two cards ever had the same UID.

The MIFARE CLASSIC® 1K also featured a plurality of data sectors, access control lists and keys.

As the MIFARE CLASSIC®1K became more popular, many companies and access control solutions started using the UID as a security feature - relying on the UID to authenticate cards, users, purchases and more.

The MIFARE CLASSIC®1K's cipher system, combined with a poor Pseudo-Random-Number-Generator (PRNG) were cracked - now meaning cards could be cracked and dumped.

At a similar time, Chinese companies, most notably FUDAN, started creating 'Compatible' chipsets - and some of these chipsets evolved special, even.. magical.. abilities - including forging the sacred UID.

The original generations of MIFARE CLASSIC® Compatible / Magic chips required a special sequence to 'Unlock' the badge. Once unlocked - the entire card, including the UID and ACL sections could be read and written.

The unlock code, 0x43 / 0x40 became so well known - that many card reader systems would query this code to all badges. If a tag responded - it was deemed a clone card, and refused.

In response, "Magic" cards evolved other abilities - some allowed "Direct Writing" to anywhere on the card, without unlock codes - and others allowed the UID to be changed only one time.

With each iteration, the chipsets also became more and more stable, and could also emulate more and more badge types.

Today - the most modern "Magic" cards can withstand a fair bit of user abuse (writing incorrect values, corrupting the manufacturer sectors etc) - but should in general be treated with care - as to not 'brick' them.

History lesson aside, Lab401 has compiled a quick Magic Tag Cheatsheet to quickly and easily understand what tags are what.

Chipset Type	Generation	Notes	Features
MIFARE CLASSIC® 1K	1a	Original "Magic Mifare" tag Requires "Unlocking" for 'magic' features	- Unlockable with code 0x43 0x40 - Entire card can be written / read once unlocked - Detectable as a 'magic' card - Easily bricked by writing incorrect BCC values - Compatible with LibNFC & Proxmark
	1b	Generation 1a tag with custom unlock code	- Entire card can be written / read once unlocked - Easily bricked by writing incorrect BCC values - Detectable as a 'magic' card - Requires custom commands for LibNFC & Proxmark
	2	No unlocking required Comes in 4-byte UID and 7-byte UID flavours	- Detectable as a 'magic' card - Compatible with Android devices - Compatible with LibNFC & Proxmark
	2 OTW	One-Time Write UID No unlocking required Comes in 4-byte UID only	- Once written, UID cannot be changed - Undetectable as a 'magic' card - Compatible with Android devices - Compatible with LibNFC & Proxmark
MIFARE CLASSIC® 4K	1a	Original "Magic Mifare" tag Comes in 4-byte UID and 7-byte UID flavours	- Unlockable with code 0x43 0x40 - Entire card can be written / read once unlocked - Detectable as a 'magic' card - Easily bricked by writing incorrect BCC values - Compatible with LibNFC & Proxmark
	2	No unlocking required	- Detectable as a 'magic' card - Compatible with Android devices - Compatible with LibNFC & Proxmark
MIFARE ULTRALIGHT®	1a	Original "Magic Ultralight" tag	- Compatible with LibNFC & Proxmark - Bricked if 0x43 0x40 code is used - Detectable as a 'magic' card
	1b	Variation "Magic Ultralight" tag	- Compatible with LibNFC - Requires unlock code 0x43 0x40 to be used - Detectable as a 'magic' card
MIFARE ULTRALIGHT-C®	1	No unlocking required	- Detectable as a 'magic' card - Compatible with Android devices - Compatible with LibNFC & Proxmark

There are also several other types of Magic Cards available, that support other chipsets or provide other functionality, but new versions replace the old, instead of maintaining several versions on the market.

Chipset Type	Features	Notes
NTAG® 213 Compatible	Allows UID to be set	- Compatible with LibNFC & Proxmark
NTAG® 2xx / Ultralight Emulator	Natively emulates: MIFARE NTAG® 213 NTAG® 215 NTAG® 216 Partially emulates: NTAG® 210 NTAG® 212 NTAG® I2C 1K NTAG® 12C 2K NTAG® I2C 1K Plus NTAG® 12C 2K Plus MIFARE Ultralight® EV1 48k MIFARE Ultralight® EV1 128k	- Supported by Proxmark natively - Requires special commands to be used with LibNFC
MIFARE DESFire® Emulator	Comes in 4-byte UID and 7-byte UID Flavours Emulates the ATQA/SAK of a DESFire card Emulates the UID of a DESFire card	- Supported by Proxmark natively - Requires special commands to be used with LibNFC
Icode SLi / SLix	Allows UID to be set	- Supported by Proxmark natively - Requires special commands to be used with LibNFC

Share this post

1 comment
Tags: block 0 cards, direct write cards, magic cards

← Older Post Newer Post →

Share this post

1 comment

Leave a comment