Pentestips: dont brick it - Introduction to Magic Cards, UIDs and BCC's

Don't brick it!

Introduction to Magic Cards, UIDs and BCCs

- "MIFARE" is a family of high-frequency (13.56 MHz) RFID cards from NXP (originally Philips / Mikron) that follow ISO/IEC 14443 Type A.

- There are many types of cards within the family, each with different storage sizes, security features and capabilities: MIFARE Classic, Ultralight, DESFire, NTAG, and so on.

- All MIFARE cards share the same basic structures:

  - UID (Unique ID)

  - SAK / ATQA (see our previous tutorial)

  - Memory Space

- The card's identity and configuration live in "Block 0", also called the "Manufacturer Block". On genuine cards, Block 0 is written at the factory and is read-only. This was a key element in preventing card cloning: the data blocks of a badge could be changed, but the Manufacturer Block, and therefore the UID, could not.

- Today, modifiable or "Magic" cards are available for almost every type of MIFARE card. They allow the Manufacturer Block to be rewritten.

- However: with great power comes great responsibility. If Block 0 is improperly configured, the card can be "bricked", i.e. left in a state the reader can no longer talk to.

- The most common way to "brick" a magic card is with a bad BCC value.

- The BCC (Block Check Character) is a checksum of the UID, defined in ISO/IEC 14443-3 as the XOR of the four UID bytes. The reader verifies it during anticollision, so it acts as a 'double check' that the UID was received correctly. If the stored BCC does not match the UID, the card fails anticollision: it is no longer detected, and so cannot be read or modified through normal commands. (Gen1a "Chinese magic" cards can usually be rescued through their backdoor commands, which bypass anticollision; gen2 / "direct write" cards cannot, so check your BCC before you write.)

- Let's look at an example.

- Open a dump of a MIFARE Classic 1K card with a 4-byte UID in a hex editor and look at Block 0. On this card type the block is laid out as: bytes 0-3 UID, byte 4 BCC, byte 5 SAK, bytes 6-7 ATQA, bytes 8-15 manufacturer data.

- If we want to modify the UID, instinctively we'd change just the four UID bytes, let's say to 12 34 56 78.

- However, the BCC value is derived from the UID value. If we change the UID without updating the BCC, the card will be bricked the moment the write completes.

- We must therefore calculate the BCC value for our new UID.

- The new BCC is the XOR of the four UID bytes: XOR the first two bytes, then XOR that result with the third byte, then with the fourth. Don't worry, there are many tools online to perform this task.

- For our new UID 0x12345678 (entered as a hex string), the calculation gives 0x12 ^ 0x34 = 0x26, 0x26 ^ 0x56 = 0x70, 0x70 ^ 0x78 = 0x08, so the BCC is 0x08. We change the original card's BCC from 0xFC to 0x08, and write the card.

- Now, we've got a new UID, without bricking the card!

- If you're manually updating UIDs (for example with the Proxmark's hf mf wb0 command, writing the raw 16 bytes of Block 0 yourself), you must supply the correct BCC, or you'll brick the card.
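- The calculation and the pre-write check described above, as an added example (not code from the original post or from any of the tools named here). The sample Block 0 is constructed for illustration: the UID DE AD BE EF, its SAK 0x08 and ATQA 04 00 are typical of a Classic 1K but are not the card from the post. The 7-byte helper goes beyond the post's 4-byte case: it computes the per-cascade-level BCCs a reader checks for 7-byte UIDs, using the ISO/IEC 14443-3 cascade tag 0x88.

```python
"""Compute and verify the BCC of a MIFARE Classic block 0 before writing it
to a magic card.  Added example; not part of the original post."""

# Constructed sample block 0 (4-byte UID card):
#   bytes 0-3 UID, byte 4 BCC, byte 5 SAK, bytes 6-7 ATQA, bytes 8-15 manufacturer data
# UID DE AD BE EF -> BCC = DE ^ AD ^ BE ^ EF = 0x22
SAMPLE_BLOCK0 = bytes.fromhex("DEADBEEF" "22" "08" "0400" "6263646566676869")

CASCADE_TAG = 0x88  # ISO/IEC 14443-3 CT byte, prefixed to UID0..2 for 7/10-byte UIDs


def bcc(uid: bytes) -> int:
    """ISO/IEC 14443-3 Block Check Character: XOR of exactly four bytes."""
    if len(uid) != 4:
        raise ValueError("the BCC is computed over exactly 4 bytes")
    result = 0
    for b in uid:
        result ^= b
    return result


def check_block0(block0: bytes) -> bool:
    """True if the stored BCC (byte 4) matches the UID (bytes 0-3).

    Run this on every block 0 image before sending it to the card:
    a mismatch is exactly the 'bricked card' scenario from the post."""
    if len(block0) != 16:
        raise ValueError("block 0 is 16 bytes")
    return block0[4] == bcc(block0[:4])


def set_uid(block0: bytes, new_uid: bytes) -> bytes:
    """Return a new block 0 with the UID replaced and the BCC recomputed.

    SAK, ATQA and manufacturer bytes (5-15) are copied unchanged."""
    if len(block0) != 16:
        raise ValueError("block 0 is 16 bytes")
    if len(new_uid) != 4:
        raise ValueError("this helper handles 4-byte UIDs only")
    return new_uid + bytes([bcc(new_uid)]) + block0[5:]


def anticollision_bccs(uid: bytes) -> list:
    """BCC byte(s) a reader verifies during anticollision, per cascade level.

    4-byte UID: one level, BCC over UID0..3 (the value stored in block 0).
    7-byte UID: level 1 is CT || UID0..2, level 2 is UID3..6, each with
    its own BCC.  Generalisation beyond the post's 4-byte example."""
    if len(uid) == 4:
        return [bcc(uid)]
    if len(uid) == 7:
        return [bcc(bytes([CASCADE_TAG]) + uid[:3]), bcc(uid[3:])]
    raise ValueError("expected a 4- or 7-byte UID")


if __name__ == "__main__":
    new_uid = bytes.fromhex("12345678")
    # The 'instinctive' edit: change the UID bytes only.  BCC is still 0x22.
    naive = new_uid + SAMPLE_BLOCK0[4:]
    print("naive edit passes BCC check?", check_block0(naive))     # False
    # The correct edit: recompute the BCC (0x08, as in the post).
    fixed = set_uid(SAMPLE_BLOCK0, new_uid)
    print("fixed block 0:", fixed.hex(), "BCC check:", check_block0(fixed))
    print("7-byte UID cascade BCCs:",
          [hex(b) for b in anticollision_bccs(bytes.fromhex("04A1B2C3D4E5F6"))])
```

- Only the first two functions are needed for the post's scenario; check_block0 is the guard you want in any script that writes block 0, since a wrong BCC is not caught by the card itself.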

- Luckily, many tools make this calculation automatically:

- Android: Mifare Classic Tool (MCT) includes a BCC calculator.

- Windows/Linux: the libnfc nfc-mfsetuid utility sets a new UID and computes the BCC for you.

- For more information about Magic Cards, check out the Lab401 Academy article "Know your magic cards".
