Pentestips: dont brick it - Introduction to Magic Cards, UIDs and BCC's
Publicado por Lab401 Lee en
Don't brick it!
Introduction to Magic Cards, UIDs and BCCs
- "MIFARE" is a family of High-Frequency 13.56MHz RFID cards, built by Panasonic / NXP that fall into the ISO category 14443a.
- There are many types of cards within the family, each with different storage sizes, encryption and capabilities: Mifare Classic, Ultralight, DESFire, NTAG, and so on.
- All MIFARE cards share the same basic structures:
- UID (Unique ID)
- SAK/ATQS (See our previous tutorial)
- Memory Space
- Card configuration is defined in the "Block 0" or "Manufacturer Block". In original cards, the Block 0 cannot be modified. This was a key element in preventing card cloning - badge contents could be changed, but the Manufacturer Block, and the UID could not be changed.
- Now, modifiable or "Magic" cards are available for almost every type of MIFARE card, which allows the manufacturer block to be modified.
- However: with great power comes great responsibility. If the Block 0 is improperly configured, the card can be "bricked" - irreversibly broken.
- The most common way to "brick" a magic card is with a bad BCC value.
- The BCC is a checksum value for the UID - which acts as 'double check' to ensure that the UID is correct. If the BCC is wrong, the card is no longer detectable, and so cannot be read or modified.
- Let's look at an example.
- Let's open a MIFARE Classic 1K Card, with a 4-byte UID dump in a hex editor, we can see the UID value in Block 0
- If we want to modify the UID, instinctively we'd change just the UID values, let's say to 1 2 3 4 5 6 7 8.
- However, the BCC value is derived from the UID value. So if we change the UID without changing the BCC, when we make the change - the card will be bricked.
- We must calculate the BCC value for our new UID.
the new BCC value is calculated by XOR-ing each byte with the result of the previous XOR - don’t worry there are many tools online to perform this task, ie: https://bcc.beyerleinf.de/
- If we input our new UID: 0x12345678 (as a Hex String), we are given the BCC value of 0x08. So, we change the original card's BCC from 0xFC to 0x08, and write the card.
- Now, we've got a new UID, without bricking the card!
- If you're manually updating UIDs (by using the Proxmark's hf mf wb0 command) you must have the correct BCC calculated, or you'll brick the card.
- Luckily, many tools make this calculation automatically:
- Android: Mifare Classic Tool has a BCC calculator
- Windows/Linux: we can use the LibNFC mf-setuid tool
- For more information about Magic Cards, check out the Lab401 Academy article: Know your magic cards: https://lab401.com/blogs/academy/know-your-magic-cards
Compartir esta publicación
- 0 comentarios
- Etiquetas: bcc, block 0 cards, pentestips, rfid, uid
← Publicación más antigua Publicación más reciente →