Changing the CID on an SD card – Working!

(tl;dr – skip to bottom for instructions, see also update post) The CID register on SD cards is supposed to be read-only, which means it can be used to lock devices to specific SD cards, preventing the user swapping them out, which is very annoying. This can result in you being stuck with a smaller card than you’d like in a device or not being able to use a backup in case of damage.

I’ve spent a while trying to work out how to change the ID on some cards. There is surprisingly little info out there about this, when it’s easy for other devices. For example, if you want to change the supposedly read-only ID on various kinds of RFID tag you can simply buy a special version from China that allows it (often referred to as gold or magic cards). There are rumours of cheap Chinese SD cards that don’t follow the official spec and allow you to change to them – I now have  large pile of cheap Chinese SD cards on my desk, but unfortunately none of them did allow it. The spec includes a command (CMD26) for writing the CID, but it’s only supposed to work once in the factory when the card is first assigned an ID. All the cards I got seemed to honour that restriction. However, there is probably some way to unlock them…

If you’ve found this page by looking for help on this topic you’ve probably already seen Bunnie Huang’s SD card hacking presentation, unfortunately I wasn’t able to track down any APPO AX211 based cards, which I thought would be my best bet.

In that presentation was mention of vendor commands for a Samsung eMMC used as the built-in storage on an Android phone. I’m not well enough versed on the technology to know quite what the difference between eMMC and SD cards are, aside from the way SD cards are packaged of course – although that might be all there is to it. Reading around they seem work in the same way and appear the same within Linux. Then I stumbled upon SamDunk, where Sean Beaupre had managed to unlock a Samsung phone (to developer mode) by reverse engineering some of the eMMC firmware on his device and finding commands that allowed the CID to be unlocked and rewritten.

So I started buying Samsung SD cards, hoping for one with the same moviNAND core as the eMMC in their phones. I now also have a stack of Samsung SD cards on my desk, but with the last different one I found I struck gold! (Collecting Samsung cards is more expensive than cheap Chinese ones and it takes some effort to avoid getting fakes.) The Samsung EVO Plus 32GB MicroSDHC card took the commands from SamDunk and let me change the CID.

I have taken the SamDunk code and reworked it a little to make it easier to use for SD cards, but all the credit really needs to go to the original author. To use you simply need a rooted Android device with an SD card slot. Copy the evoplus_cid binary to the device and put it somewhere with a proper Linux file system (not FAT), then apply execute permission to it. Run the tool and point it to the SD card device e.g. /dev/block/mmcblk1 (you almost certainly do not want to use mmcblk0, that is likely to be the built-in storage on your device). List the /dev/block folder and make sure the device you going to use appears and disappears as you insert and remove the SD card to be sure. Supply the new CID you want to set on the command line. If you only need to change the card serial number (part of the CID) you can supply the old CID and the new serial number and the new CID will be calculated for you. I suggest you make a note of the old CID first, in case you want to set it back later. This can be found in the file like /sys/class/mmc_host/mmc1/mmc1:0001/cid, but the path may vary, and again make sure you are looking at the right card by checking it disappears when you remove the card.

You can find the code here: https://github.com/raburton/evoplus_cid (compiled binary is in the lib folder). Use entirely at your own risk. Use only against genuine Samsung Evo Plus cards, anything else is unlikely to work and could be damaged. Even the right card could potentially be damaged!

To set a new completely new CID:

# Usage: ./evoplus_cid <device> <new cid>
./evoplus_cid /dev/block/mmcblk1 744a454e2f412020106c6d77470104c3

Or to just change the serial number part of the current CID:

# Usage: ./evoplus_cid <device> <currentcid> <new serial>
./evoplus_cid /dev/block/mmcblk1 1b534d30303030301098625deb0102a1 12345678

19 thoughts on “Changing the CID on an SD card – Working!”

  1. Hello Richard,

    firstly thank you for such detailed description how to proceed with CID change. I am happy I’ve found this place!

    Now referring to the latest Samsung Evo+ cards, I need to inform potential users that new cards purchased in March 2017 do not allow modification of CID. I have tested 3pcs of 32GB (MB-MC32DA/EU) cards and 2pcs of 64GB (MB-MC64DA/EU). All of them were bought from the official distributors of Samsung in Poland. Currently I am waiting for delivery of another 32GB card purchased via Aliexpress. I do hope this one will finally work as expected.

    PS. Maybe some of you have such unnecessary card – I would like to buy it or exchange with ones I have. I am open to any suggestions 🙂

    Best regards,
    Leszek

    1. Small update. Even the card purchased on Aliexpress didn’t work. I was not able to change the CID. Maybe the problem is not only with the date of production but also with country of production. All the cards I have been testing were made in Philippines.
      Or maybe my laptop HP EliteBook, which I am using is not proper for such task, I don’t know.

      Now I am waiting for delivery of SD cards from manufacturer able to customise the CID. If this will be confirmed source, I will let you know.

  2. Hi I actually tried to change cid but when i finish the end code ist 02 (744a454e2f412020106c6d77470104c2) not 03 (744a454e2f412020106c6d77470104c3) it’s that’s right?

  3. Hi, i try to change cid but i have little problem…
    1. it say ‘s to me> ioctl: Connection timed out
    Unlock command failed.
    2. If i repeat command then unlock command failed.
    3. repeat again then Failed to enter vendor mode. Genuine Samsung Evo Plus?

    So what is wrong? All information about card is here>
    Samsung evoplus 32gb
    oot@ubuntu:~/Desktop/evoplus_cid/jni# ./evoplus_cid /dev/mmcblk0 744a454e2f412020106c6d77470104c3
    Unlock command failed.
    root@ubuntu:~/Desktop/evoplus_cid/jni# ./evoplus_cid /dev/mmcblk0 744a454e2f412020106c6d77470104c3
    Failed to enter vendor mode. Genuine Samsung Evo Plus?

    root@ubuntu:~/Desktop/evoplus_cid/jni# ./evoplus_cid
    /dev/mmcblk0 744a454e2f412020106c6d77470104c3
    Failed to enter vendor mode. Genuine Samsung Evo Plus?
    root@ubuntu:~/Desktop/evoplus_cid/jni# cat /sys/block/mmcblk0/device/cid
    1b534d303030303010829b5d02010b01

    root@ubuntu:~/Desktop/evoplus_cid/jni# ls -l /sys/block |grep mmc
    lrwxrwxrwx 1 root root 0 Dec 17 20:43 mmcblk0 -> ../devices/pci0000:00/0000:00:1c.3/0000:04:00.0/rtsx_pci_sdmmc.0/mmc_host/mmc0/mmc0:0001/block/mmcblk0
    root@ubuntu:~/Desktop/evoplus_cid/jni#

      1. Hello,
        Thanks for the answer. I was compiling on raspberry pi and got:
        evoplus_cid.c: In function ‘program_cid’:
        evoplus_cid.c:58:19: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
        idata.data_ptr = (__u64)cid;
        ^
        evoplus_cid.c: In function ‘parse_serial’:
        evoplus_cid.c:107:7: warning: incompatible implicit declaration of built-in function ‘strlen’
        if ((strlen(str) > 2) && (str[0] == ‘0’) &&
        ^
        evoplus_cid.c: In function ‘main’:
        evoplus_cid.c:135:8: warning: incompatible implicit declaration of built-in function ‘strlen’
        len = strlen(argv[2]);
        ^

        is that okay should i ignore it?

        1. Hello, can help me someone I tried to change the CID, but when I entered comand : gcc evoplus_cid.c -o evoplus_cid
          I got this:
          evoplus_cid.c: In function ‘parse_serial’:
          evoplus_cid.c:107:7: warning: implicit declaration of function ‘strlen’ [-Wimplicit-function-declaration]
          if ((strlen(str) > 2) && (str[0] == ‘0’) &&
          ^
          evoplus_cid.c:107:7: warning: incompatible implicit declaration of built-in function ‘strlen’
          evoplus_cid.c:107:7: note: include ‘’ or provide a declaration of ‘strlen’
          evoplus_cid.c:109:9: warning: implicit declaration of function ‘strtol’ [-Wimplicit-function-declaration]
          val = strtol(str, NULL, 16);
          ^
          evoplus_cid.c: In function ‘main’:
          evoplus_cid.c:135:8: warning: incompatible implicit declaration of built-in function ‘strlen’
          len = strlen(argv[2]);
          ^
          evoplus_cid.c:135:8: note: include ‘’ or provide a declaration of ‘strlen’
          evoplus_cid.c:179:2: warning: implicit declaration of function ‘close’ [-Wimplicit-function-declaration]
          close(fd);
          ^
          Thanks in advance for help

    1. You can copy the compiled evoplus_cid to /data on you phone or tablet and run it form there. Path to current cid of an sd card depends on your kernel, but can usually be found with in /sys/bus/mmc/devices/mmc0:0001/cid (note mmc0:0001 will vary, do a listing of /sys/bus/mmc/devices/ before and after inserting the card and see to see which device id gets added for your card).

    1. I tested with a Samsung Galaxy Tab 2 (p5110) running either CyanogenMod 12 or 13 (not got it hand at this moment). It should work on pretty much any Android phone/tablet though. You might also get it to work on a PC running Linux, but you’ll need to have a proper SD reader, not a USB one (probably only find a real one on a laptop). I read in a forum where someone had compiled this code on Ubuntu and it sounded like it worked. I haven’t tried it because I don’t have a PC with a real SD slot.

      1. I actually tried my laptop with windows and PC with linux to read an CID one day but wasn’t successful.
        I’m going to order a tab and let’s see how this goes! I’ll let you know …
        Thank You for the reply

Leave a Reply