@equipter
Last active April 24, 2025 23:18
Explanation of Mifare Classic SAK Swapping anti-cloning defense

Mifare Classic - SAK Swapping Explained

| Term | Meaning |
|---|---|
| WUP-SAK | SAK value found during the wake-up and anti-collision process; this is what a basic search reports. |
| Vanity SAK | SAK value stored in block 0 of a Mifare Classic; on legitimate cards this does not determine the WUP-SAK. |
| Magic Card | An illegitimate card capable of changing its UID; some magic cards can also change other values such as ATQA/SAK. |


What is SAK Swapping?

SAK Swapping is the name given to behaviour observed in some Mifare Classic cards where the Vanity SAK is not the same as the WUP-SAK, whereas on other Mifare Classic chips the Vanity SAK is identical to the WUP-SAK.

The correct WUP-SAK for a Mifare Classic 1K is 0x08, and 0x18 for a 4K, but when the card's memory is dumped the Vanity SAK shows 0x88 and 0x98 respectively. We believe this to be a means of clone detection: various magic cards mirror their WUP-SAK from the Vanity SAK, and if that WUP-SAK is not correct for the chip it claims to be, the system knows it is a cloned card and rejects it.

The Double Cross

"The Double Cross" is the name given to an extra step observed in many systems: in addition to the SAK Swapping check, the reader sends a read command to block 0 in order to validate that the WUP-SAK and Vanity SAK are different values. This prevents the use of a magic card that mirrors its WUP-SAK from the Vanity SAK.
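The two reader-side checks described above, written out as an added example (this is not code from the gist or from any of the listed systems). It assumes the standard 4-byte-UID block 0 layout (UID, BCC, SAK, ATQA, manufacturer data) and uses constructed sample block 0 data; the expected SAK values are the ones stated on this page.

```python
from typing import Optional

# Legitimate WUP-SAK (anti-collision) values per chip, as stated in the gist.
LEGIT_WUP_SAK = {0x08: "Mifare Classic 1K", 0x18: "Mifare Classic 4K"}


def vanity_sak_from_block0(block0: bytes) -> int:
    """Extract the Vanity SAK from a 16-byte block 0 (4-byte UID layout).

    Layout: UID[0..3], BCC (XOR of the four UID bytes), SAK, ATQA[2], manufacturer data.
    """
    if len(block0) != 16:
        raise ValueError("block 0 must be 16 bytes")
    bcc = block0[0] ^ block0[1] ^ block0[2] ^ block0[3]
    if bcc != block0[4]:
        raise ValueError("BCC mismatch: block 0 is malformed")
    return block0[5]


def reader_verdict(wup_sak: int, block0: Optional[bytes] = None) -> str:
    """Emulate the reader-side logic the gist describes.

    Stage 1 (SAK swapping): the WUP-SAK must be a legitimate chip value.
    Stage 2 (double cross, only when block0 is supplied): the Vanity SAK read
    from block 0 must differ from the WUP-SAK, as it does on genuine cards
    (0x88 for 1K, 0x98 for 4K).
    """
    if wup_sak not in LEGIT_WUP_SAK:
        return f"reject: WUP-SAK 0x{wup_sak:02X} is not a legitimate chip SAK"
    if block0 is None:
        return f"accept: {LEGIT_WUP_SAK[wup_sak]}"
    vanity = vanity_sak_from_block0(block0)
    if vanity == wup_sak:
        return "reject: Vanity SAK mirrors WUP-SAK (double cross failed)"
    return f"accept: {LEGIT_WUP_SAK[wup_sak]} (Vanity SAK 0x{vanity:02X})"


def make_block0(uid: bytes, sak: int, atqa: bytes = b"\x04\x00") -> bytes:
    """Build a constructed block 0 for a 4-byte UID (sample data, not a real card)."""
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return uid + bytes([bcc, sak]) + atqa + bytes(8)


if __name__ == "__main__":
    uid = bytes([0xDE, 0xAD, 0xBE, 0xEF])  # constructed sample UID
    print(reader_verdict(0x08, make_block0(uid, 0x88)))  # genuine 1K: accept
    print(reader_verdict(0x88))                           # mirrored Vanity SAK: reject at stage 1
    print(reader_verdict(0x08, make_block0(uid, 0x08)))  # block 0 edited to 0x08: reject at stage 2
```

A card that presents the correct WUP-SAK and an unmodified block 0 passes both stages, which is exactly why the gist notes that the check cannot tell such a card from a genuine one.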

Solution

The solution to SAK swapping by itself is to change the Vanity SAK in block 0 to reflect the correct WUP-SAK for your card.

If the system is Double Crossing, the WUP-SAK and Vanity SAK will need to be different. You will need a magic card or emulator that does not mirror the WUP-SAK from the Vanity SAK in block 0, but instead either enforces the correct WUP-SAK regardless of the Vanity SAK, or allows you to specify the WUP-SAK independently of the Vanity SAK.

Magic Cards

| Gen | Note | Circumvents double crossing? |
|---|---|---|
| Gen1a | Largely observed to mirror WUP-SAK from Vanity SAK | |
| Gen2 CUID | Largely observed to enforce the correct SAK regardless of Vanity SAK | ☑️ |
| Gen4 UMC | Allows you to manually control the value of the WUP-SAK regardless of Vanity SAK | ☑️ |
| Gen4 GDM | Allows you to manually control the value of the WUP-SAK regardless of Vanity SAK | ☑️ |

Magic card gens all have sub-variants, so YMMV as to whether the above applies to the card in front of you; these are broad-strokes observations on what to use in a given situation.

Known SAK Swapping systems

Note

Brands marked [DC] have been reported doing the double cross. This does not mean every installation of those systems double crosses, only that they have been observed doing so; the same caveat applies to those without [DC].

  • Schlage [DC]
  • Allegion [DC]
  • Salto [DC]
  • Bandai Namco Passport [DC]
  • Sega Aime [Conditional DC]
  • VingCard
  • FDI Access
  • TfL (Transport for London)
  • ICT
  • Pandaria [DC]

Note

Bandai Namco Passport (BNP) MFC cards can be read by Sega Aime readers and vice versa.

Sega Aime cards read by Sega readers are not double crossed; however, BNP cards scanned on Sega readers are double crossed. The Sega reader workflow includes the block 0 check only when a BNP card is scanned.

BNP readers, however, double cross both BNP and Sega Aime cards, and will reject a card if block 0 has been altered in an attempt to circumvent the SAK swapping check performed during the wake-up/anti-collision process.

Resources

Support

Message me on Discord at Equip or leave a comment if you need any assistance!

I also have a buymeacoffee if you feel inclined; I greatly appreciate any donations!

@juan-gonzalez6

Hello there, I loved your post, but I have some questions about the OEM usable bits. How do I interpret them? Do they carry any data? Is there a way to calculate them? I've been looking into Mifare 1k, and thanks to your post, I learnt how to interpret all of the bytes, but the OEM part is the only one that I can't figure out. Any help is greatly appreciated. Thank you. 🤠

@skylandersNFC

Awesome research, thank you.

@ikarus23

This is great! Thank you!
