From b6697615d4272bd00130a08c725f4af0218c12a7 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 31 May 2023 20:33:59 +0300 Subject: [PATCH 01/26] Completely remove the magic cards doc for repurposing The document containing all magic cards will be replaced with 3 documents in the magic_cards folder: 1. `magic_cards_notes.md`, which will contain globally recognized magic tags. 2. `chinese_magic_notes.md`, which will contain magic tags mainly recognized, available and used in China. 3. `russian_magic_notes.md`, which will contain magic tags recognized, available and used in Russia. Files 2 and 3 will be made from scratch. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 1760 -------------------------------------- 1 file changed, 1760 deletions(-) delete mode 100644 doc/magic_cards_notes.md diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md deleted file mode 100644 index c588d3b54f..0000000000 --- a/doc/magic_cards_notes.md +++ /dev/null 
@@ -1,1760 +0,0 @@ - - -# Notes on Magic Cards, aka UID changeable -This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372 - -Useful docs: -* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf) - - -# Table of Contents - -- [ISO14443A](#iso14443a) - * [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic) -- [MIFARE Classic](#mifare-classic) - * [MIFARE Classic block0](#mifare-classic-block0) - * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid) - * [MIFARE Classic Gen1B](#mifare-classic-gen1b) - * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming) - * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid) - * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write) - * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version) - * [MIFARE Classic, other versions](#mifare-classic-other-versions) - * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu) - * [MIFARE Classic Gen4 aka GDM](#mifare-classic-gen4-aka-gdm) - * [MIFARE Classic Super](#mifare-classic-super) -- [MIFARE Ultralight](#mifare-ultralight) - * [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02) - * [MIFARE Ultralight Gen1A](#mifare-ultralight-gen1a) - * [MIFARE Ultralight DirectWrite](#mifare-ultralight-directwrite) - * [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite) - * [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a) - * [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite) -- [NTAG](#ntag) - * [NTAG213 DirectWrite](#ntag213-directwrite) - * [NTAG21x](#ntag21x) -- [DESFire](#desfire) - * ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid) - * ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid) -- [ISO14443B](#iso14443b) - * [ISO14443B 
magic](#iso14443b-magic) -- [ISO15693](#iso15693) - * [ISO15693 magic](#iso15693-magic) -- [Multi](#multi) - * [Gen 4 GTU](#gen-4-gtu) - - -# ISO14443A - -## Identifying broken ISO14443A magic -^[Top](#top) - -When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is. - -Here are some tips if the card doesn't react or gives error on a simple `hf 14a reader`: - -Let's force a 4b UID anticollision and see what happens: -``` -hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip -hf 14a reader -``` -It it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision: -``` -hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip -hf 14a reader -``` -At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure different types of cards. - -To restore anticollision config of the Proxmark3: - -``` -hf 14a config --std -``` - -# MIFARE Classic -^[Top](#top) - -Referred as M1, S50 (1k), S70 (4k) - -## MIFARE Classic block0 -^[Top](#top) - -UID 4b: (actually NUID as there are no more "unique" IDs on 4b) - -``` -11223344440804006263646566676869 -^^^^^^^^ UID - ^^ BCC - ^^ SAK(*) - ^^^^ ATQA - ^^^^^^^^^^^^^^^^ Manufacturer data -(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98) -``` - - -Computing BCC on UID 11223344: `analyse lcr -d 11223344` = `44` - -UID 7b: - -``` -04112233445566884400c82000000000 -^^ Manufacturer byte -^^^^^^^^^^^^^^ UID - ^^ SAK(*) - ^^^^ ATQA - ^^^^^^^^^^^^ Manufacturer data -(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98) -``` - -## MIFARE Classic Gen1A aka UID -^[Top](#top) - -aka MF ZERO - -### Identify -^[Top](#top) - -``` -hf 14a info -... 
-[+] Magic capabilities : Gen 1a -``` - -### Magic commands -^[Top](#top) - -* Wipe: `40(7)`, `41` (use 2000ms timeout) -* Read: `40(7)`, `43`, `30xx`+crc -* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc - -### Characteristics -^[Top](#top) - -* UID: Only 4b versions -* ATQA: - * all cards play blindly the block0 ATQA bytes, beware! -* SAK: - * some cards play blindly the block0 SAK byte, beware! - * some cards use a fix "08" in anticollision, no matter the block0 - * some cards use a fix "08" in anticollision, unless SAK in block0 has most significant bit "80" set, in which case SAK="88" -* BCC: - * all cards play blindly the block0 BCC byte, beware! -* ATS: - * no card with ATS - -#### MIFARE Classic Gen1A flavour 1 -^[Top](#top) - -* SAK: play blindly the block0 SAK byte, beware! -* PRNG: static 01200145 -* Wipe: filled with 0xFF - -#### MIFARE Classic Gen1A flavour 2 -^[Top](#top) - -* SAK: play blindly the block0 SAK byte, beware! -* PRNG: static 01200145 -* Wipe: filled with 0x00 - -#### MIFARE Classic Gen1A flavour 3 -^[Top](#top) - -* SAK: 08 -* PRNG: static 01200145 -* Wipe: filled with 0xFF - -#### MIFARE Classic Gen1A flavour 4 -^[Top](#top) - -* SAK: 08 -* PRNG: weak -* Wipe: timeout, no wipe - -#### MIFARE Classic Gen1A flavour 5 -^[Top](#top) - -* SAK: 08 -* PRNG: weak -* Wipe: reply ok but no wipe performed - -#### MIFARE Classic Gen1A flavour 6 -^[Top](#top) - -* SAK: 08 or 88 if block0_SAK most significant bit is set -* PRNG: weak -* Wipe: timeout, no wipe - -#### MIFARE Classic Gen1A flavour 7 -^[Top](#top) - -* SAK: 08 or 88 if block0_SAK most significant bit is set -* PRNG: weak -* Wipe: filled with 0x00 - -### Proxmark3 commands -^[Top](#top) - -``` -hf mf csetuid -hf mf cwipe -hf mf csetblk -hf mf cgetblk -hf mf cgetsc -hf mf cload -hf mf csave -hf mf cview -``` - -When "soft-bricked" (by writing invalid data in block0), these ones may help: - -``` -# MFC Gen1A 1k: -hf mf cwipe -u 11223344 -a 0004 -s 08 -# MFC Gen1A 
4k: -hf mf cwipe -u 11223344 -a 0044 -s 18 -``` -or just fixing block0: -``` -# MFC Gen1A 1k: -hf mf csetuid -u 11223344 -a 0004 -s 08 -# MFC Gen1A 4k: -hf mf csetuid -u 11223344 -a 0044 -s 18 -``` - -``` -script run hf_mf_magicrevive -``` - -To execute commands manually: -``` -hf 14a raw -a -k -b 7 40 -hf 14a raw -k 43 -hf 14a raw -k -c A000 -hf 14a raw -c -t 1000 11223344440804006263646566676869 -``` -wipe: -``` -hf 14a raw -a -k -b 7 40 -hf 14a raw -t 1000 41 -``` - -### libnfc commands -^[Top](#top) - -``` -nfc-mfsetuid -nfc-mfclassic R a u mydump -nfc-mfclassic W a u mydump -``` - -## MIFARE Classic Gen1B -^[Top](#top) - -Similar to Gen1A, but supports directly read/write after command 40 - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 1b -``` - -### Magic commands -^[Top](#top) - -* Read: `40(7)`, `30xx` -* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc - -## MIFARE Classic Gen1A OTP/One Time Programming -^[Top](#top) - -aka MF OTP 2.0 - -Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command. - -Initial UID is 00000000 - -All bytes are 00 from factory wherever possible. - -### Identify -^[Top](#top) - -Only possible before personalization. - -``` -hf 14a info -... -[+] Magic capabilities : Gen 1a -``` - -### Magic commands -^[Top](#top) - -* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc - -## MIFARE Classic DirectWrite aka Gen2 aka CUID -^[Top](#top) - -(also referred as MCT compatible by some sellers) - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 2 / CUID -``` - -Not all Gen2 cards can be identified with `hf 14a info`, only those replying to RATS. - -To identify the other ones, you've to try to write to block0 and see if it works... 
- -### Magic commands -^[Top](#top) - -Android compatible - -* issue regular write to block0 - -### Characteristics -^[Top](#top) - -* UID: 4b and 7b versions -* ATQA: - * some cards play blindly the block0 ATQA bytes, beware! - * some cards use a fix ATQA in anticollision, no matter the block0. Including all 7b. -* SAK: - * some cards play blindly the block0 SAK byte, beware! - * some cards use a fix "08" or "18" in anticollision, no matter the block0. Including all 7b. -* BCC: - * some cards play blindly the block0 BCC byte, beware! - * some cards compute a proper BCC in anticollision. Including all 7b computing their BCC0 and BCC1. -* ATS: - * some cards don't reply to RATS - * some reply with an ATS - -#### MIFARE Classic DirectWrite flavour 1 -^[Top](#top) - -* UID 4b -* ATQA: play blindly the block0 ATQA bytes, beware! -* SAK: play blindly the block0 SAK byte, beware! -* BCC: play blindly the block0 BCC byte, beware! -* ATS: no -* PRNG: weak - -#### MIFARE Classic DirectWrite flavour 2 -^[Top](#top) - -* UID 4b -* ATQA: fixed -* SAK: fixed -* BCC: computed -* ATS: 0978009102DABC1910F005 -* PRNG: weak - -#### MIFARE Classic DirectWrite flavour 3 -^[Top](#top) - -* UID 4b -* ATQA: play blindly the block0 ATQA bytes, beware! -* SAK: fixed -* BCC: play blindly the block0 BCC byte, beware! -* ATS: no -* PRNG: weak - -#### MIFARE Classic DirectWrite flavour 4 -^[Top](#top) - -* UID 7b -* ATQA: fixed -* SAK: fixed -* BCC: computed -* ATS: 0978009102DABC1910F005 -* PRNG: static 00000000 - -#### MIFARE Classic DirectWrite flavour 5 -^[Top](#top) - -* UID 4b -* ATQA: fixed -* SAK: play blindly the block0 SAK byte, beware! 
-* BCC: computed -* ATS: no -* PRNG: weak - -#### MIFARE Classic DirectWrite flavour 6 -^[Top](#top) - -**TODO** need more info - -* UID 7b -* ATS: 0D780071028849A13020150608563D - -### Proxmark3 commands -^[Top](#top) - -``` -hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force - -hf mf wipe --gen2 -``` - -When "soft-bricked" (by writing invalid data in block0), these ones may help: - -``` -hf 14a config -h -``` - -e.g. for 4b UID: - -``` -hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip - -# for 1k -hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force - -# for 4k -hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344441802006263646566676869 --force - -hf 14a config --std -hf 14a reader -``` - -e.g. for 7b UID: - -``` -hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip - -# for 1k -hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 04112233445566084400626364656667 --force - -# for 4k -hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 04112233445566184200626364656667 --force - -hf 14a config --std -hf 14a reader -``` - -## MIFARE Classic DirectWrite, FUID version aka 1-write -^[Top](#top) - -aka MF OTP - -Same as MIFARE Classic DirectWrite, but block0 can be written only once. - -Initial UID is AA55C396 - -### Identify -^[Top](#top) - -Only possible before personalization. - -``` -hf 14a info -... -[+] Magic capabilities : Write Once / FUID -``` - -## MIFARE Classic DirectWrite, UFUID version -^[Top](#top) - -Same as MIFARE Classic DirectWrite, but block0 can be locked with special command. - -### Identify -^[Top](#top) - -**TODO** - -### Proxmark3 commands -^[Top](#top) - -To lock definitively block0: -``` -hf 14a raw -a -k -b 7 40 -hf 14a raw -k 43 -hf 14a raw -k -c e000 -hf 14a raw -k -c e100 -hf 14a raw -c 85000000000000000000000000000008 -``` - -## MIFARE Classic Gen3 aka APDU -^[Top](#top) - -### Identify -^[Top](#top) - -``` -hf 14a info -... 
-[+] Magic capabilities : Gen 3 / APDU -``` - -### Magic commands -^[Top](#top) - -Android compatible - -* issue special APDUs - -``` -cla ins p1 p2 len - 90 F0 CC CC 10 - write block 0 - 90 FB CC CC 07 - change uid (independently of block0 data) - 90 FD 11 11 00 - lock permanently -``` -It seems the length byte gets ignored anyway. - -Note: it seems some cards only accept the "change UID" command. - -It accepts direct read of block0 (and only block0) without prior auth. - -Writing to block 0 has some side-effects: - -* It changes also the UID. Changing the UID *does not* change block 0. -* ATQA and SAK bytes are automatically replaced by fixed values. -* On 4-byte UID cards, BCC byte is automatically corrected. - -### Characteristics -^[Top](#top) - -* UID: 4b and 7b versions -* ATQA/SAK: fixed -* BCC: auto -* ATS: none - -### Proxmark3 commands -^[Top](#top) - -``` -# change just UID: -hf mf gen3uid -# write block0: -hf mf gen3blk -# lock (uid/block0?) forever: -hf mf gen3freeze -``` -See also -``` -script run hf_mf_gen3_writer -h -``` - -Equivalent: -``` -# change just UID: -hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677 -# read block0: -hf 14a raw -s -c 3000 -# write block0: -hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000 -# lock (uid/block0?) forever: -hf 14a raw -s -c 90FD111100 -``` - -## MIFARE Classic Gen4 aka GDM -^[Top](#top) - -Tag has shadow mode enabled from start. -Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds -off rfid field. -Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory. - -The persistent memory is also writable. For that tag uses its own backdoor commands. -for example to write, you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000. -Then send the data to be written. 
- -This tag has simular commands to the [UFUID](#mifare-classic-directwrite-ufuid-version) -This indicates that both tagtypes are developed by the same person. - -**OBS** - -When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag. - -**OBS** - -It is possible to write a configuration that perma locks the tag, i.e. no more magic - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 4 GDM -``` -### Magic commands -^[Top](#top) - -* Auth: `80xx`+crc -* Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc -* Read config: `E000`+crc -* Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc - -### Characteristics -^[Top](#top) - -* Have no knowledge in ATQA/SAK/BCC quirks or if there is a wipe, softbrick recover -* Its magic part seem to be three identified custom command. -* Auth command 0x80, with the key 0x0000000000, Write 0xA8 allows writing to persistent memory, Read 0xE0 which seems to return a configuration. This is unknown today what these bytes are. - -Read config: -1. sending custom auth with all zeros key -2. send 0xE000, will return the configuration bytes. -`results: 850000000000000000005A5A00000008` - - -Mapping of configuration bytes so far: -``` -850000000000000000005A5A00000008 - ^^ --> SAK -``` - -Write config: -1. sending custom auth with all zeros key -2. send 0xE100 -3. send 16 bytes - -**Warning** - -Example of configuration to Perma lock tag: -`85000000000000000000000000000008` - - -It is unknown what kind of block 0 changes the tag supports -* UID: 4b -* ATQA/SAK: unknown -* BCC: unknown -* ATS: none - -### Proxmark3 commands -^[Top](#top) -``` -# Write to persistent memory -hf mf gdmsetblk - -# Read configuration (0xE0): -hf mf gdmcfg - -# Write configuration (0xE1): -hf mf gdmsetcfg -``` - -### libnfc commands -^[Top](#top) -No implemented commands today - -## MIFARE Classic, other versions -^[Top](#top) - -**TODO** - -* ZXUID, EUID, ICUID, KUID, HUID, RFUID ? 
-* Some cards exhibit a specific SAK=28 ?? - -## MIFARE Classic Super -^[Top](#top) - -It behaves like regular Mifare Classic but records reader auth attempts. - -#### MIFARE Classic Super Gen1 -^[Top](#top) - -Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands. - -* UID: 4b version -* ATQA/SAK: fixed -* BCC: auto -* ATS: fixed, 0978009102DABC1910F005 - -ATQA/SAK matches 1k card, but works as 4k card. - -Backdoor commands provided over APDU. Format: - -``` -00 A6 A0 00 05 FF FF FF FF 00 -^^ ^^ Backdoor command header - ^^ Backdoor command (A0 - set UID/B0 - get trace/C0 - reset card) - ^^ Type of answer (used in key recovery to select trace number) - ^^ Length of user provided data - ^^ ^^ ^^ ^^ ^^ User data -``` - -👉 You can't change UID with backdoor command if incorrect data is written to the 0 sector trailer! - -#### MIFARE Classic Super Gen1B - -DirectWrite card, ATS unknown. Probably same as Gen1, except backdoor commands. -Implementation: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c - -#### MIFARE Classic Super Gen2 -^[Top](#top) - -New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces. - -Card always answer `ff ff ff ff` to auth, so writing/reading it via Mifare protocol is impossible. - -UID is changeable via Gen4 backdoor write to 0 block. - -* UID: 4b and 7b versions -* ATQA/SAK: fixed -* BCC: auto -* ATS: changeable, default as Gen1 - -Gen4 commands available: - -``` -CF 34 <1b length><0-16b ATS> // Configure ATS -CF CC // Factory test, returns 00 00 00 02 AA -CF CD <1b block number><16b block data> // Backdoor write 16b block -CF CE <1b block number> // Backdoor read 16b block -CF FE <4b new_password> // Change password -``` - -### Identify -^[Top](#top) - -Only Gen1/Gen2 at this moment (Gen1B is unsupported): - -``` -hf 14a info -... -[+] Magic capabilities : Super card (Gen ?) 
-``` - -# MIFARE Ultralight -^[Top](#top) - -## MIFARE Ultralight blocks 0..2 -^[Top](#top) - -``` -SN0 SN1 SN2 BCC0 -SN3 SN4 SN5 SN6 -BCC1 Int LCK0 LCK1 -``` - -UID is made of SN0..SN6 bytes - -Computing BCC0 on UID 04112233445566: `analyse lcr -d 88041122` = `bf` - -Computing BCC1 on UID 04112233445566: `analyse lcr -d 33445566` = `44` - -Int is internal, typically 0x48 - -Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C - - -## MIFARE Ultralight Gen1A -^[Top](#top) - -### Identify - -**TODO** - -### Characteristics - -#### Magic commands - -**TODO** - -#### UID - -Only 7b versions - -#### SAK, ATQA, BCC, ATS - -**TODO** need more tests - -### Proxmark3 commands -^[Top](#top) - -``` -script run hf_mfu_setuid -h -``` - -When "soft-bricked" (by writing invalid data in block0), these ones may help: - -``` -hf 14a config -h -script run hf_mf_magicrevive -u -``` - -## MIFARE Ultralight DirectWrite -^[Top](#top) - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 2 / CUID -``` - -It seems so far that all MFUL DW have an ATS. - -### Magic commands -^[Top](#top) - -Issue three regular MFU write commands in a row to write first three blocks. - -### Characteristics -^[Top](#top) - -* UID: Only 7b versions -* ATQA: - * all cards play fix ATQA -* SAK: - * all cards play fix SAK -* BCC: - * some cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware! - * some cards compute proper BCC0 and BCC1 in anticollision -* ATS: - * all cards reply with an ATS - -#### MIFARE Ultralight DirectWrite flavour 1 -^[Top](#top) - -* BCC: computed -* ATS: 0A78008102DBA0C119402AB5 -* Anticol shortcut (CL1/3000): fails - -#### MIFARE Ultralight DirectWrite flavour 2 -^[Top](#top) - -* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! 
-* ATS: 850000A00A000AB00000000000000000184D -* Anticol shortcut (CL1/3000): succeeds - -### Proxmark3 commands -^[Top](#top) - -``` -hf mfu setuid -h -``` - -Equivalent: don't use `hf mfu wrbl` as you need to write three blocks in a row, but do, with proper BCCx: - -``` -hf 14a raw -s -c -k a2 00 041122bf -hf 14a raw -c -k a2 01 33445566 -hf 14a raw -c a2 02 44480000 -``` - -When "soft-bricked" (by writing invalid data in block0), these ones may help: - -``` -hf 14a config -h -``` - -E.g.: -``` -hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip -hf mfu setuid --uid 04112233445566 -hf 14a config --std -hf 14a reader -``` - -### libnfc commands -^[Top](#top) - -``` -nfc-mfultralight -h -``` -See `--uid` and `--full` - -### Android -^[Top](#top) - -* MIFARE++ Ultralight - -## MIFARE Ultralight EV1 DirectWrite -^[Top](#top) - -aka UL2 - -Similar to MFUL DirectWrite - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 2 / CUID -``` - -### Characteristics -^[Top](#top) - -* UID: Only 7b versions -* ATQA: - * all cards play fix ATQA -* SAK: - * all cards play fix SAK -* BCC: - * cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware! -* ATS: - * all cards reply with an ATS - -#### MIFARE Ultralight EV1 DirectWrite flavour 1 -^[Top](#top) - -* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! -* ATS: 850000A000000AC30004030101000B0341DF - -#### MIFARE Ultralight EV1 DirectWrite flavour 2 -^[Top](#top) - -* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! -* ATS: 850000A00A000AC30004030101000B0316D7 - -#### MIFARE Ultralight EV1 DirectWrite flavour 3 -^[Top](#top) - -* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! 
-* ATS: 850000A000000A3C0004030101000E03 - -## MIFARE Ultralight C Gen1A -^[Top](#top) - -Similar to MFUL Gen1A - -## MIFARE Ultralight C DirectWrite -^[Top](#top) - -Similar to MFUL DirectWrite - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 2 / CUID -``` - -### Characteristics -^[Top](#top) - -* UID: Only 7b versions -* ATQA: - * all cards play fix ATQA -* SAK: - * all cards play fix SAK -* BCC: - * cards compute proper BCC0 and BCC1 in anticollision -* ATS: - * all cards reply with an ATS - -#### MIFARE Ultralight C DirectWrite flavour 1 -^[Top](#top) - -* BCC: computed -* ATS: 0A78008102DBA0C119402AB5 -* Anticol shortcut (CL1/3000): fails - -**TODO** - -* UL-X, UL-Y, UL-Z, ULtra, UL-5 ? - - -# NTAG -^[Top](#top) - -## NTAG213 DirectWrite -^[Top](#top) - -Similar to MFUL DirectWrite - -### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 2 / CUID -``` - -### Characteristics -^[Top](#top) - -* UID: Only 7b versions -* ATQA: - * all cards play fix ATQA -* SAK: - * all cards play fix SAK -* BCC: - * cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware! -* ATS: - * all cards reply with an ATS - -#### NTAG213 DirectWrite flavour 1 -^[Top](#top) - -* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! -* ATS: 0A78008102DBA0C119402AB5 -* Anticol shortcut (CL1/3000): succeeds - -## NTAG21x -^[Top](#top) - -### Identify -^[Top](#top) - -``` -hf 14a info -... 
-[+] Magic capabilities : NTAG21x -``` - -### Characteristics -^[Top](#top) - -Emulates fully NTAG213, 213F, 215, 216, 216F - -Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS - -Anticol shortcut (CL1/3000): fails - -### Proxmark3 commands -^[Top](#top) - -``` -script run hf_mfu_magicwrite -h -``` - -# DESFire -^[Top](#top) - -## "DESFire" APDU, 7b UID - -### Identify - -**TODO** - -### Magic commands - -Android compatible - -* issue special APDUs - -### Characteristics -^[Top](#top) - -* ATQA: 0344 -* SAK: 20 -* ATS: 0675338102005110 or 06757781028002F0 - -Only mimics DESFire anticollision (but wrong ATS), no further DESFire support - -### Proxmark commands -^[Top](#top) - -UID 04112233445566 -``` -hf 14a raw -s -c 0200ab00000704112233445566 -``` -or equivalently -``` -hf 14a apdu -s 00ab00000704112233445566 -``` - -### libnfc commands -^[Top](#top) - -``` -pn53x-tamashell -4a0100 -420200ab00000704112233445566 -``` -## "DESFire" APDU, 4b UID -^[Top](#top) - -### Magic commands -^[Top](#top) - -Android compatible - -* issue special APDUs - -### Characteristics -^[Top](#top) - -* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything -* SAK: 20 -* ATS: 0675338102005110 or 06757781028002F0 - -Only mimics DESFire anticollision (but wrong ATS), no further DESFire support - -### Proxmark commands -^[Top](#top) - -UID 04112233445566 -``` -hf 14a raw -s -c 0200ab00000411223344 -``` -or equivalently -``` -hf 14a apdu -s 00ab00000411223344 -``` - -It accepts longer UID but that doesn't affect BCC/ATQA/SAK - -### pn53x-tamashell commands -^[Top](#top) -``` -4a0100 -420200ab00000411223344 -``` - -### Remarks -^[Top](#top) - -The same effect (with better ATQA!) 
can be obtained with a MFC Gen1A that uses SAK defined in block0: - -``` -hf mf csetblk --blk 0 -d 1122334444204403A1A2A3A4A5A6A7A8 -hf 14a info -[+] UID: 11 22 33 44 -[+] ATQA: 03 44 -[+] SAK: 20 [1] -[+] Possible types: -[+] MIFARE DESFire MF3ICD40 -``` - -# ISO14443B -^[Top](#top) - -## ISO14443B magic -^[Top](#top) - -No such card is available. - -Some vendor allow to specify an ID (PUPI) when ordering a card. - -# ISO15693 -^[Top](#top) - -## ISO15693 magic -^[Top](#top) - -### Identify - -**TODO** - -### Proxmark3 commands -^[Top](#top) - -Always set a UID starting with `E0`. - -``` -hf 15 csetuid E011223344556677 -``` -or (ignore errors): -``` -script run hf_15_magic -u E004013344556677 -``` - - - -# Multi -^[Top](#top) - -## Gen 4 GTU -^[Top](#top) - -A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands. - -Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data - -- [Identify](#identify-16) -- [Magic commands](#magic-commands-9) -- [Characteristics](#characteristics-12) -- [Proxmark3 commands](#proxmark3-commands-9) -- [Change ATQA / SAK](#change-atqa--sak) -- [Change ATS](#change-ats) -- [Set UID length (4, 7, 10)](#set-uid-length-4-7-10) -- [Set 14443A UID](#set-14443a-uid) -- [Set 14443B UID and ATQB](#set-14443b-uid-and-atqb) -- [(De)Activate Ultralight mode](#deactivate-ultralight-mode) -- [Select Ultralight mode](#select-ultralight-mode) -- [Set shadow mode (GTU)](#set-shadow-mode-gtu) -- [Direct block read and write](#direct-block-read-and-write) -- [(De)Activate direct write to block 0](#deactivate-direct-write-to-block-0) -- [Change backdoor password](#change-backdoor-password) -- [Dump configuration](#dump-configuration) -- [Fast configuration](#fast-configuration) -- [Presets](#presets) -- [Version and Signature](#version-and-signature) - - -### Identify -^[Top](#top) ^^[Gen4](#g4top) - -👉 **TODO** If the password is not default, Tag doesn't get identified 
correctly by latest Proxmark3 client (it might get mislabeled as MFC Gen2/CUID, Gen3/APDU or NTAG21x Modifiable, depending on configured UID/ATQA/SAK/ATS) - -``` -hf 14a info -[+] Magic capabilities : Gen 4 GTU -``` - -The card will be identified only if the password is the default one. One can identify manually such card if the password is still the default one, with the command to get the current configuration: -``` -hf 14a raw -s -c -t 1000 CF00000000C6 -``` -If the card is an Ultimate Magic Card, it returns 30 or 32 bytes. - -### Magic commands -^[Top](#top) ^^[Gen4](#g4top) - -There are two ways to program this card. - - 1. Use the raw commands designated by the `hf 14a` examples. - - ***OR*** - - 2. Use the hf_mf_ultimatecard.lua script commands designated but the `script run hf_mf_ulimatecard` examples. - - -script run hf_mf_ultimatecard.lua -h -``` -This script enables easy programming of an Ultimate Mifare Magic card -Usage -script run hf_mf_ultimatecard -h -k -c -w -u -t -p -a -s -o -v -q -g -z -m -n - -Arguments - -h this help - -c read magic configuration - -u UID (8-20 hexsymbols), set UID on tag - -t tag type to impersonate - 1 = Mifare Mini S20 4-byte - 2 = Mifare Mini S20 7-byte 15 = NTAG 210 - 3 = Mifare Mini S20 10-byte 16 = NTAG 212 - 4 = Mifare 1k S50 4-byte 17 = NTAG 213 - 5 = Mifare 1k S50 7-byte 18 = NTAG 215 - 6 = Mifare 1k S50 10-byte 19 = NTAG 216 - 7 = Mifare 4k S70 4-byte 20 = NTAG I2C 1K - 8 = Mifare 4k S70 7-byte 21 = NTAG I2C 2K - 9 = Mifare 4k S70 10-byte 22 = NTAG I2C 1K PLUS - *** 10 = UL - NOT WORKING FULLY 23 = NTAG I2C 2K PLUS - *** 11 = UL-C - NOT WORKING FULLY 24 = NTAG 213F - 12 = UL EV1 48b 25 = NTAG 216F - 13 = UL EV1 128b - *** 14 = UL Plus - NOT WORKING YET - - -p NTAG password (8 hexsymbols), set NTAG password on tag. - -a NTAG pack ( 4 hexsymbols), set NTAG pack on tag. - -s Signature data (64 hexsymbols), set signature data on tag. - -o OTP data (8 hexsymbols), set `One-Time Programmable` data on tag. 
- -v Version data (16 hexsymbols), set version data on tag. - -q ATQA/SAK (<2b ATQA><1b SAK> hexsymbols), set ATQA/SAK on tag. - -g GTU Mode (1 hexsymbol), set GTU shadow mode. - -z ATS (<1b length><0-16 ATS> hexsymbols), Configure ATS. Length set to 00 will disable ATS. - -w Wipe tag. 0 for Mifare or 1 for UL. Fills tag with zeros and put default values for type selected. - -m Ultralight mode (00 UL EV1, 01 NTAG, 02 UL-C, 03 UL) Set type of UL. - -n Ultralight protocol (00 MFC, 01 UL), switches between UL and MFC mode - -k Ultimate Magic Card Key (IF DIFFERENT THAN DEFAULT 00000000) - -Example usage - -- read magic tag configuration - script run hf_mf_ultimatecard -c - -- set uid - script run hf_mf_ultimatecard -u 04112233445566 - -- set NTAG pwd / pack - script run hf_mf_ultimatecard -p 11223344 -a 8080 - -- set version to NTAG213 - script run hf_mf_ultimatecard -v 0004040201000f03 - -- set ATQA/SAK to [00 44] [08] - script run hf_mf_ultimatecard -q 004408 - -- wipe tag with a NTAG213 or Mifare 1k S50 4 byte - script run hf_mf_ultimatecard -w 1 - -- use a non default UMC key. Only use this if the default key for the MAGIC CARD was changed. - script run hf_mf_ultimatecard -k ffffffff -w 1 - -- Wipe tag, turn into NTAG215, set sig, version, NTAG pwd/pak, and OTP. 
- script run hf_mf_ultimatecard -w 1 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111 -``` - -Special raw commands summary: - -``` -CF 32 <00-03> // Configure GTU shadow mode -CF 34 <1b length><0-16b ATS> // Configure ATS -CF 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQA bytes) -CF 68 <00-02> // Configure UID length -CF 69 <00-01> // (De)Activate Ultralight mode -CF 6A <00-03> // Select Ultralight mode -CF 6B <1b> // Set Ultralight and M1 maximum read/write sectors -CF C6 // Dump configuration -CF CC // Factory test, returns 6666 -CF CD <1b block number><16b block data> // Backdoor write 16b block -CF CE <1b block number> // Backdoor read 16b block -CF CF <1b param> // (De)Activate direct write to block 0 -CF F0 <30b configuration data> // Configure all params in one cmd -CF F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently -CF FE <4b new_password> // change password -``` -Default ``: `00000000` - -### Characteristics -^[Top](#top) ^^[Gen4](#g4top) - -* UID: 4b, 7b and 10b versions -* ATQA/SAK: changeable -* BCC: auto -* ATS: changeable, can be disabled -* Card Type: changeable -* Shadow mode: GTU -* Backdoor password mode - -### Proxmark3 commands -^[Top](#top) ^^[Gen4](#g4top) - -``` -# view contents of tag memory: -hf mf gview -# Read a specific block via backdoor command: -hf mf ggetblk -# Write a specific block via backdoor command: -hf mf gsetblk -# Load dump to tag: -hf mf gload -# Save dump from tag: -hf mf gsave -``` -👉 **TODO** `hf mf gview` is currently missing Ultralight memory maps - -Equivalent: - -``` -hf 14a raw -s -c -t 1000 CF00000000CE00 -hf 14a raw -s -c -t 1000 CF00000000CE01 -hf 14a raw -s -c -t 1000 CF00000000CE02 -... -``` - -👉 **TODO** In Mifare Ultralight / NTAG mode, the special writes (`hf mfu restore` option `-s`, `-e`, `-r`) do not apply. 
Use `script run hf_mf_ultimatecard` for UID and signature, and `hf mfu wrbl` for PWD and PACK. - -### Change ATQA / SAK -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CF35<2b ATQA><1b SAK> -``` -* ⚠ ATQA bytes are swapped in the command -* ⚠ ATQA bytes that result in `iso14443a card select failed` (I.E. ATQA=0040 in raw form) can be corrected with `hf 14a config --atqa force` -* ⚠ when SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers! -* ⚠ never set SAK bit 3 (e.g. SAK=04), it indicates an extra cascade level is required (see `hf 14a config --cl2 skip` or `hf 14a config --cl3 skip` to recover a misconfigured card) - -Example: ATQA 0044 SAK 28, default pwd -``` -hf 14a raw -s -c -t 1000 CF0000000035440028 -``` -OR (Note the script will correct the ATQA correctly) -``` -script run hf_mf_ultimatecard -q 004428 -``` - -### Change ATS -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CF34<1b length><0-16b ATS> -``` - * ``: ATS length byte, set to `00` to disable ATS - * ⚠ when SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers! - * ATS CRC will be added automatically, don't configure it - * Max ATS length: 16 bytes (+CRC) - -Example: ATS to 0606757781028002F0, default pwd -``` -hf 14a raw -s -c -t 1000 CF000000003406067577810280 -``` - -Or - -``` -script run hf_mf_ultimatecard -z 06067577810280` -``` - -### Set UID length (4, 7, 10) -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CF68<1b param> -``` - * `` - * `00`: 4 bytes - * `01`: 7 bytes - * `02`: 10 bytes - -Example: set UID length to 7 bytes, default pwd -``` -hf 14a raw -s -c -t 1000 CF000000006801 -``` - -### Set 14443A UID -^[Top](#top) ^^[Gen4](#g4top) - -UID is configured according to block0 with a backdoor write. 
(Script commands are below the UID length examples) - -Example: preparing first two blocks: (Note the UMC has to be in MFC mode and the correct UID byte length set) -``` -hf 14a raw -s -c -t 1000 CF00000000CD00000102030405060708090A0B0C0D0E0F -hf 14a raw -s -c -t 1000 CF00000000CD01101112131415161718191A1B1C1D1E1F -hf 14a reader -``` -MFC mode 4b UID - -=> UID `00010203` - -`script run hf_mf_ultimatecard -t 4 -u 00010203` - -MFC mode 7b UID - -=> UID `00010203040506` - -`script run hf_mf_ultimatecard -t 5 -u 00010203040506` - -MFC mode, 10b UID - -=> UID `00010203040506070809` - -`script run hf_mf_ultimatecard -t 6 -u 00010203040506070809` - -Ultralight mode, 4b UID - -=> UID `00010203` - -Ultralight mode, 7b UID - -=> UID `00010210111213` - -👉 the UID is composed of first two blocks as in regular Ultralights - * Examples - * UL-EV1 48b = `script run hf_mf_ultimatecard -t 12 -u 00010203040506` - * UL EV1 128b = `script run hf_mf_ultimatecard -t 13 -u 00010203040506` - * NTAG 215 = `script run hf_mf_ultimatecard -t 18 -u 00010203040506` - -Ultralight mode, 10b UID -=> UID `00010203040506070809` -👉 the UID is composed only from block0 - -### Set 14443B UID and ATQB -^[Top](#top) ^^[Gen4](#g4top) - -UID and ATQB are configured according to block0 with a (14a) backdoor write. - -UID size is always 4 bytes. 
- -Example: -``` -hf 14a raw -s -c -t 1000 CF00000000CD00000102030405060708090A0B0C0D0E0F -hf 14b reader -``` -=> UID 00010203 -=> ATQB 0405060708090A - -### (De)Activate Ultralight mode -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CF69<1b param> -``` - * `` - * `00`: MIFARE Classic mode - * `01`: MIFARE Ultralight/NTAG mode - -Example: activate Ultralight protocol, default pwd - -``` -hf 14a raw -s -c -t 1000 CF000000006901 -``` - -Or - -``` -script run hf_mf_ultimatecard -n 01 -``` - -In this mode, if SAK=`00` and ATQA=`0044`, it acts as an Ultralight card - -⚠ only the first four bytes of each block will be mapped in the Ultralight memory map (so the Ultralight block numbers follow backdoor R/W block numbers). - -### Select Ultralight mode -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CF6A<1b param> -``` - - * `` - * `00`: UL EV1 - * `01`: NTAG - * `02`: UL-C - * `03`: UL - -⚠ it supposes Ultralight mode was activated (cf command `69`) - -Example: set Ultralight mode to Ultralight-C, default pwd - -``` -hf 14a raw -s -c -t 1000 CF000000006A02 -``` -Or - -``` -script run hf_mf_ultimatecard -m 02 -``` - -Now the card supports the 3DES UL-C authentication. - -### Set Ultralight and M1 maximum read/write sectors -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CF6B<1b blocks> -``` -Hexadecimal, maximum sector data, default 0xFF, range 0x00-0xFF - -Example: set maximum 63 blocks read/write for Mifare Classic 1K - -``` -hf 14a raw -s -c -t 1000 CF000000006B3F -``` - -### Set shadow mode (GTU) -^[Top](#top) ^^[Gen4](#g4top) - -This mode is divided into four states: off (pre-write), on (on restore), don’t care, and high-speed read and write. -If you use it, please enter the pre-write mode first. At this time, write the full card data. -After writing, set it to on. At this time, after writing the data, the first time you read the data just written, the next time you read It is the pre-written data. 
All modes support this operation. It should be noted that using any block to read and write in this mode may give wrong results. - -Example: -`script run hf_mf_ultimatecard -w 1 -g 00 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111 -g 01` - * -w 1 = wipe the card in Ultralight Mode - * -g 00 = turn on pre-write mode - * -t 18 = change the type of card to NTAG 215 - * -u = set the uid - * -s = set the signature - * -p = set the NTAG password - * -a = set the PACK - * -o = set the OTP - * -g 01 = turn on restore mode - -At this point the card is set to a unwritten NTAG 215. Now any data written to the card will only last for 1 read. Write a popular game toy to it, read it, now it is back to the unwritten NTAG 215. - -👉 Remember to disable GTU mode to get the card back to a normal state. - -`script run hf_mf_ultimatecard -g 03` - -``` -hf 14a raw -s -c -t 1000 CF32<1b param> -``` - * `` - * `00`: pre-write, shadow data can be written - * `01`: restore mode - * `02`: disabled - * `03`: disabled, high speed R/W mode for Ultralight? - -### Direct block read and write -^[Top](#top) ^^[Gen4](#g4top) - -Using the backdoor command, one can read and write any area without MFC password, similarly to MFC Gen1 card. It should be noted that this command must be used to modify UID. - -Backdoor read 16b block: -``` -hf 14a raw -s -c -t 1000 CFCE<1b block number> -``` -Backdoor write 16b block: -``` -hf 14a raw -s -c -t 1000 CFCD<1b block number><16b block data> -``` - -Read/Write operations work on 16 bytes, no matter the Ultralight mode. - -Note that only the first four bytes of each block will be mapped in the Ultralight memory map. 
- -Example: read block0, default pwd -``` -hf 14a raw -s -c -t 1000 CF00000000CE00 -``` -Example: write block0 with factory data, default pwd -``` -hf 14a raw -s -c -t 1000 CF00000000CD00112233441C000011778185BA18000000 -``` - -### (De)Activate direct write to block 0 -^[Top](#top) ^^[Gen4](#g4top) - -This command enables/disables direct writes to block 0. - -``` -hf 14a raw -s -c -t 1000 CFCF<1b param> -``` - * `` - * `00`: Activate direct write to block 0 (Same behaviour of Gen2 cards. Some readers may identify the card as magic) - * `01`: Deactivate direct write to block 0 (Same behaviour of vanilla cards) - * `02`: Default value. (Same behaviour as `00` (?)) - -Example: enable direct writes to block 0, default pwd -``` -hf 14a raw -s -c -t 1000 CF00000000CF00 -``` -Example: disable direct writes to block 0, default pwd -``` -hf 14a raw -s -c -t 1000 CF00000000CF01 -``` - -### Change backdoor password -^[Top](#top) ^^[Gen4](#g4top) - -All backdoor operations are protected by a password. If password is forgotten, the card can't be recovered. Default password is `00000000`. - -Change password: -``` -hf 14a raw -s -c -t 1000 CF FE <4b new_password> -``` -Example: change password from 00000000 to AABBCCDD -``` -hf 14a raw -s -c -t 1000 CF00000000FEAABBCCDD -``` -Example: change password from AABBCCDD back to 00000000 -``` -hf 14a raw -s -c -t 1000 CFAABBCCDDFE00000000 -``` - -### Dump configuration -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CFC6 -``` -Default configuration: -``` -00000000000002000978009102DABC191010111213141516040008006B024F6B - ^^^^ ?? 
- ^^ cf cmd cf: block0 direct write setting, factory value 0x02 - ^^ cf cmd 6b: maximum read/write sectors, factory value 0x6b - ^^ cf cmd 6a: UL mode - ^^^^^^ cf cmd 35: ATQA/SAK - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cf cmd 34: ATS length & content - ^^ cf cmd 32: GTU mode - ^^^^^^^^ cf cmd fe: password - ^^ cf cmd 68: UID length -^^ cf cmd 69: Ultralight protocol -``` - -### Fast configuration -^[Top](#top) ^^[Gen4](#g4top) - -``` -hf 14a raw -s -c -t 1000 CFF0<30b configuration data> -``` -cf **Dump configuration** for configuration data description. - -Example: Write factory configuration, using default password -``` -hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC191010111213141516040008004F6B -``` - -⚠ Variant with command `F1` instead of `F0` will set and fuse permanently the configuration. Backdoor R/W will still work. - -### Presets -^[Top](#top) ^^[Gen4](#g4top) - -Here are some presets available in the FuseTool (but with all ATS disabled) - -**MIFARE Mini S20 4-byte UID** -``` -hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000900 -``` - -**MIFARE Mini S20 7-byte UID** -``` -hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000900 -``` - -**MIFARE 1k S50 4-byte UID** (this is the factory setting) -``` -hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800 -``` - -**MIFARE 1k S50 7-byte UID** -``` -hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000800 -``` - -**MIFARE 4k S70 4-byte UID** -``` -hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151602001800 -``` - -**MIFARE 4k S70 7 byte UID** -``` -hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151642001800 -``` - -**Ultralight** -``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000003 -``` - -**Ultralight-C** -``` -hf 14a raw 
-s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000002 -``` - -**Ultralight EV1** -``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000 -``` - -**NTAG21x** -``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001 -``` - -### Version and Signature -^[Top](#top) ^^[Gen4](#g4top) - -Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249. - -Example for an Ultralight EV1 128b with the signature sample from tools/recover_pk.py -``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000 -hf mfu wrbl -b 0 -d 04C12865 -hf mfu wrbl -b 1 -d 5A373080 -hf mfu wrbl -b 242 -d CEA2EB0B --force -hf mfu wrbl -b 243 -d 3C95D084 --force -hf mfu wrbl -b 244 -d 4A95B824 --force -hf mfu wrbl -b 245 -d A7553703 --force -hf mfu wrbl -b 246 -d B3702378 --force -hf mfu wrbl -b 247 -d 033BF098 --force -hf mfu wrbl -b 248 -d 7899DB70 --force -hf mfu wrbl -b 249 -d 151A19E7 --force -hf mfu wrbl -b 250 -d 00040301 --force -hf mfu wrbl -b 251 -d 01000E03 --force -hf mfu info -``` - -Example for an NTAG216 with the signature sample from tools/recover_pk.py -``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001 -hf mfu wrbl -b 0 -d 04E10C61 -hf mfu wrbl -b 1 -d DA993C80 -hf mfu wrbl -b 242 -d 8B76052E --force -hf mfu wrbl -b 243 -d E42F5567 --force -hf mfu wrbl -b 244 -d BEB53238 --force -hf mfu wrbl -b 245 -d B3E3F995 --force -hf mfu wrbl -b 246 -d 0707C0DC --force -hf mfu wrbl -b 247 -d C956B5C5 --force -hf mfu wrbl -b 248 -d EFCFDB70 --force -hf mfu wrbl -b 249 -d 9B2D82B3 --force -hf mfu wrbl -b 250 -d 00040402 --force -hf mfu wrbl -b 251 -d 01001303 --force -hf mfu info -``` From f20326a56b4a7e53a633145e3897f9797c9697a7 Mon Sep 17 00:00:00 2001 
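Review bot: Deleting `doc/magic_cards_notes.md` outright in this commit, with the replacement files only created in the following commit (PATCH 02/26 shows them as `create mode 100644`, not as renames), leaves an intermediate tree with no magic cards documentation at all and drops rename tracking, so `git log --follow` on the new files will not reach this history. Suggest moving the file with `git mv doc/magic_cards_notes.md doc/magic_cards/magic_cards_notes.md` and doing the split in the same commit, so the carried-over sections (the Gen 4 GTU `hf_mf_ultimatecard` usage, the `CF` raw command summary, the presets) keep their blame history.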
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Thu, 1 Jun 2023 21:34:50 +0300 Subject: [PATCH 02/26] New magic cards docs The magic cards document has been expanded, split and moved to a separate folder. See previous commit for more details Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 325 +++++ doc/magic_cards/magic_cards_notes.md | 1606 ++++++++++++++++++++++++ doc/magic_cards/russian_magic_notes.md | 244 ++++ 3 files changed, 2175 insertions(+) create mode 100644 doc/magic_cards/chinese_magic_notes.md create mode 100644 doc/magic_cards/magic_cards_notes.md create mode 100644 doc/magic_cards/russian_magic_notes.md diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md new file mode 100644 index 0000000000..17c876c089 --- /dev/null +++ b/doc/magic_cards/chinese_magic_notes.md 
@@ -0,0 +1,325 @@ + + +# Notes on Chinese Magic Cards + +## Low Frequency + +### 5577 +^[Top](#top) + +This is an ATA5577C-compatible tag. +*The price for this tag tends to be the highest..?* + +#### Characteristics +^[Top](#top) + +- Configurable as any tag that requires to send no more than 24(28) bytes of data (without password). +- Well documented + +#### Deviations +^[Top](#top) + +- Some tags have lock bits set on blocks 2-6. +- Some tags do not transmit traceability data, and have it rewritable. + * These tags tend to ignore page 1 block 3 configuration. + +### 5200 +^[Top](#top) + +No information. + +#### Characteristics +^[Top](#top) + +- Advertised as PM3 compatible. +- No info. + +### ID82xx series + +These chips are designed to clone EM410x IDs. + +#### ID8210 +^[Top](#top) + +##### Characteristics +^[Top](#top) + +- Alternative names: + * H-125 +- Identification: + 1. Engravings ("H-[freq., kHz]") +- No info. + +#### ID8211 +^[Top](#top) + +##### Characteristics +^[Top](#top) + +- Identification: + 1. Engravings ("8211") +- No info. + +#### ID8265 +^[Top](#top) + +##### Characteristics +^[Top](#top) + +- Very widespread Chinese magic tag. *May sometimes be sent globally under the name of "T5577/EM4305" with the excuse: "use our cloner".* +- Identification: + 1. Engravings (N/A; "F8265-[freq., kHz]K") + 2. Preprogrammed code: `00:00:00:20:49` (CN: 8265) +- Can be detected. +- Currently unsupported by PM3, but being researched. When the proxmark3 supports this tag, more info will be added. + +#### ID8268/8278/8310 +^[Top](#top) + +Sold as "anti-clone bypass". +ID8268 is claimed to be better than ID8278. + +##### Characteristics +^[Top](#top) + +- Very widespread Chinese magic tag too. +- Idenification: + 1. Engravings (N/A; "F8268-[freq., kHz]K"; 3. "F8310-[freq., kHz]K"; 4. "F8278-[freq., kHz]K") + 2. Preprogrammed code: `00:00:00:20:4C` (CN: 8268); N/A +- No known way to detect. +- Like ID8265, pending support. 
More info will be added when support is added. + +### K8678 +^[Top](#top) + +Made by Hyctec for CopyKey devices (X100, X3, X5). + +#### Characteristics +^[Top](#top) + +- Very new +- Sold in 125, 175, 250, 375 and 500 kHz variants +- No info + +## High Frequency + +### MIFARE Classic UID +^[Top](#top) + +Sold as magic tag. + +#### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1a +``` + +#### Magic commands +^[Top](#top) + +* Wipe: `40(7)`, `41` (use 2000ms timeout) +* Read: `40(7)`, `43`, `30xx`+crc +* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc + +#### Characteristics +^[Top](#top) + +* UID: Only 4b versions +* ATQA: + * all cards play blindly the block0 ATQA bytes, beware! +* SAK: + * some cards play blindly the block0 SAK byte, beware! + * some cards use a fix "08" in anticollision, no matter the block0 + * some cards use a fix "08" in anticollision, unless SAK in block0 has most significant bit "80" set, in which case SAK="88" +* BCC: + * all cards play blindly the block0 BCC byte, beware! +* ATS: + * no card with ATS + +### MIFARE Classic CUID +^[Top](#top) + +Sold as the general cloning tag. +Behavior: possible to issue a regular write to block 0. + +#### Identify +^[Top](#top) + +No way to reliably identify CUID is known. +The best way is to try writing block 0. Or you can try: +``` +hf 14a info +... +[+] Magic capabilities : Gen2 / CUID +``` + +#### Characteristics +^[Top](#top) + +* UID: 4b and 7b versions +* ATQA: + * some cards play blindly the block0 ATQA bytes, beware! + * some cards use a fix ATQA in anticollision, no matter the block0. Including all 7b. +* SAK: + * some cards play blindly the block0 SAK byte, beware! + * some cards use a fix "08" or "18" in anticollision, no matter the block0. Including all 7b. +* BCC: + * some cards play blindly the block0 BCC byte, beware! + * some cards compute a proper BCC in anticollision. Including all 7b computing their BCC0 and BCC1. 
+* ATS: + * some cards don't reply to RATS + * some reply with an ATS + +Variations of CUID cards are explained in `magic_cards_notes.md`. + +#### Alternatives to CUID +^[Top](#top) + +- KUID seems to have similar behavior to CUID (allows block 0 direct write). + * That being said, we do not know its' purpose. Please use CUID. + +### MIFARE Classic FUID +^[Top](#top) +Sold as "anti-clone bypass". +Behavior: same as CUID, but after editing block 0, tag becomes original S50 chip. + +Initial UID is AA55C396. Block 0 manufacturer data is null. + +#### Identify +^[Top](#top) + +Only possible before personalization. + +``` +hf 14a info +... +[+] Magic capabilities : Write Once / FUID +``` +*It is possible to simulate a FUID tag using CopyKey X5. This is probably to detect protection against clones.* + +#### Alternatives to FUID +^[Top](#top) + +- RFUID seems to have similar behavior to FUID. Maybe it is an alternative. +- HUID is sold as a cheaper alternative to FUID. + +### "Magic 85" cards +^[Top](#top) + +TLDR: These magic cards have a 16 byte long configuration page, which always starts with 0x85. +All of the known tags using this, except for Ultralight tags, are listed here. + +#### MIFARE Classic UFUID +^[Top](#top) + +Same as CUID, but block0 can be locked with special command. +Sold as "anti-clone bypass". +No detailed info at the moment. + +##### Identify +^[Top](#top) + +**TODO** + +##### Proxmark3 commands +^[Top](#top) + +To lock definitively block0: +``` +hf 14a raw -a -k -b 7 40 +hf 14a raw -k 43 +hf 14a raw -k -c e000 +hf 14a raw -k -c e100 +hf 14a raw -c 85000000000000000000000000000008 +``` + +#### MIFARE Classic GDM aka Gen4 +^[Top](#top) + +Sold as "rolling code bypass". + +Tag has shadow mode enabled from start. +Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds +off rfid field. +Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory. 
+ +The persistent memory is also writable. To do that, the tag uses its own backdoor commands. +for example to write, you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000. +Then send the data to be written. + +**OBS** + +When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag. + +##### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 4 GDM +``` +##### Magic commands +^[Top](#top) + +* Auth: `80xx`+crc +* Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc +* Read config: `E000`+crc +* Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc + +##### Characteristics +^[Top](#top) + +* ATQA/BCC: unknown behavior +* SAK: can be configured using `E100` command +* ATS: N/A +* UID: 4b +* No known true backdoors. +* Its magic part seems to be three identified custom commands. +* Auth command 0x80, with the key 0x0000000000, Write 0xA8 allows writing to persistent memory, Read 0xE0 which seems to return a configuration. This is unknown today what these bytes are. + +Read config: +1. sending custom auth with all zeros key +2. send 0xE000, will return the configuration bytes. +`results: 850000000000000000005A5A00000008` + + +Mapping of configuration bytes so far: +``` +850000000000000000005A5A00000008 + ^^ --> SAK +``` + +Write config: +1. sending custom auth with all zeros key +2. send 0xE100 +3. send 16 bytes + +**Warning** + +Example of configuration to Perma lock tag: +`85000000000000000000000000000008` + +##### Proxmark3 commands +^[Top](#top) +``` +# Write to persistent memory +hf mf gdmsetblk + +# Read configuration (0xE0): +hf mf gdmcfg + +# Write configuration (0xE1): +hf mf gdmsetcfg +``` + +### MIFARE Classic, other chips +^[Top](#top) + +**TODO** + +* ZXUID, EUID, ICUID ? +* Some cards exhibit a specific SAK=28 ?? 
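Review bot: In the GDM section the custom auth key is written as `0x0000000000` (five bytes, twice in the hunk: "authenticate with an all zeros key, 0x0000000000" and "Auth command 0x80, with the key 0x0000000000"); MIFARE Classic keys are 48 bits, so this should read `000000000000` (six bytes), otherwise a reader following the doc sends a key of the wrong length. In the same paragraph "customer authentication byte" should be "custom authentication byte", matching "custom auth" used in the Read config / Write config steps below it. The `**Warning**` heading before "Example of configuration to Perma lock tag" has no body: state that writing that configuration is irreversible, in the same way the **OBS** note above does for bad ACLs. Also: "Idenification" under ID8268/8278/8310, "its' purpose" under Alternatives to CUID, "a fix "08"" should be "a fixed "08"" in the UID and CUID characteristics, and the 5200 section says "No information" and then "No info" again.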
diff --git a/doc/magic_cards/magic_cards_notes.md b/doc/magic_cards/magic_cards_notes.md new file mode 100644 index 0000000000..55a54f1ea4 --- /dev/null +++ b/doc/magic_cards/magic_cards_notes.md 
@@ -0,0 +1,1606 @@ + + +# Notes on Magic Cards, aka UID changeable +This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372 + +Useful docs: +* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf) + + +# Table of Contents + +- [ISO14443A](#iso14443a) + * [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic) +- [MIFARE Classic](#mifare-classic) + * [MIFARE Classic block0](#mifare-classic-block0) + * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid) + * [MIFARE Classic Gen1B](#mifare-classic-gen1b) + * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid) + * [MIFARE Classic, other versions](#mifare-classic-other-versions) + * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu) + * [MIFARE Classic Super](#mifare-classic-super) +- [MIFARE Ultralight](#mifare-ultralight) + * [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02) + * [MIFARE Ultralight Gen1A](#mifare-ultralight-gen1a) + * [MIFARE Ultralight DirectWrite](#mifare-ultralight-directwrite) + * [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite) + * [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a) + * [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite) +- [NTAG](#ntag) + * [NTAG213 DirectWrite](#ntag213-directwrite) + * [NTAG21x](#ntag21x) +- [DESFire](#desfire) + * ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid) + * ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid) +- [ISO14443B](#iso14443b) + * [ISO14443B magic](#iso14443b-magic) +- [ISO15693](#iso15693) + * [ISO15693 magic](#iso15693-magic) +- [Multi](#multi) + * [Gen 4 GTU](#gen-4-gtu) + + +# ISO14443A + +## Identifying broken ISO14443A magic +^[Top](#top) + +When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is. 
+ +Here are some tips if the card doesn't react or gives error on a simple `hf 14a reader`: + +Let's force a 4b UID anticollision and see what happens: +``` +hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip +hf 14a reader +``` +It it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision: +``` +hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip +hf 14a reader +``` +At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure different types of cards. + +To restore anticollision config of the Proxmark3: + +``` +hf 14a config --std +``` + +# MIFARE Classic +^[Top](#top) + +Referred as M1, S50 (1k), S70 (4k) + +## MIFARE Classic block0 +^[Top](#top) + +UID 4b: (actually NUID as there are no more "unique" IDs on 4b) + +``` +11223344440804006263646566676869 +^^^^^^^^ UID + ^^ BCC + ^^ SAK(*) + ^^^^ ATQA + ^^^^^^^^^^^^^^^^ Manufacturer data +(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98) +``` + + +Computing BCC on UID 11223344: `analyse lcr -d 11223344` = `44` + +UID 7b: + +``` +04112233445566884400c82000000000 +^^ Manufacturer byte +^^^^^^^^^^^^^^ UID + ^^ SAK(*) + ^^^^ ATQA + ^^^^^^^^^^^^ Manufacturer data +(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98) +``` + +## MIFARE Classic Gen1A aka UID +^[Top](#top) + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1a +``` + +### Magic commands +^[Top](#top) + +* Wipe: `40(7)`, `41` (use 2000ms timeout) +* Read: `40(7)`, `43`, `30xx`+crc +* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc + +### Characteristics +^[Top](#top) + +* UID: Only 4b versions +* ATQA: + * all cards play blindly the block0 ATQA bytes, beware! +* SAK: + * some cards play blindly the block0 SAK byte, beware! 
+ * some cards use a fix "08" in anticollision, no matter the block0 + * some cards use a fix "08" in anticollision, unless SAK in block0 has most significant bit "80" set, in which case SAK="88" +* BCC: + * all cards play blindly the block0 BCC byte, beware! +* ATS: + * no card with ATS + +#### MIFARE Classic Gen1A flavour 1 +^[Top](#top) + +* SAK: play blindly the block0 SAK byte, beware! +* PRNG: static 01200145 +* Wipe: filled with 0xFF + +#### MIFARE Classic Gen1A flavour 2 +^[Top](#top) + +* SAK: play blindly the block0 SAK byte, beware! +* PRNG: static 01200145 +* Wipe: filled with 0x00 + +#### MIFARE Classic Gen1A flavour 3 +^[Top](#top) + +* SAK: 08 +* PRNG: static 01200145 +* Wipe: filled with 0xFF + +#### MIFARE Classic Gen1A flavour 4 +^[Top](#top) + +* SAK: 08 +* PRNG: weak +* Wipe: timeout, no wipe + +#### MIFARE Classic Gen1A flavour 5 +^[Top](#top) + +* SAK: 08 +* PRNG: weak +* Wipe: reply ok but no wipe performed + +#### MIFARE Classic Gen1A flavour 6 +^[Top](#top) + +* SAK: 08 or 88 if block0_SAK most significant bit is set +* PRNG: weak +* Wipe: timeout, no wipe + +#### MIFARE Classic Gen1A flavour 7 +^[Top](#top) + +* SAK: 08 or 88 if block0_SAK most significant bit is set +* PRNG: weak +* Wipe: filled with 0x00 + +### Proxmark3 commands +^[Top](#top) + +``` +hf mf csetuid +hf mf cwipe +hf mf csetblk +hf mf cgetblk +hf mf cgetsc +hf mf cload +hf mf csave +hf mf cview +``` + +When "soft-bricked" (by writing invalid data in block0), these ones may help: + +``` +# MFC Gen1A 1k: +hf mf cwipe -u 11223344 -a 0004 -s 08 +# MFC Gen1A 4k: +hf mf cwipe -u 11223344 -a 0044 -s 18 +``` +or just fixing block0: +``` +# MFC Gen1A 1k: +hf mf csetuid -u 11223344 -a 0004 -s 08 +# MFC Gen1A 4k: +hf mf csetuid -u 11223344 -a 0044 -s 18 +``` + +``` +script run hf_mf_magicrevive +``` + +To execute commands manually: +``` +hf 14a raw -a -k -b 7 40 +hf 14a raw -k 43 +hf 14a raw -k -c A000 +hf 14a raw -c -t 1000 11223344440804006263646566676869 +``` +wipe: +``` +hf 14a 
raw -a -k -b 7 40 +hf 14a raw -t 1000 41 +``` + +### libnfc commands +^[Top](#top) + +``` +nfc-mfsetuid +nfc-mfclassic R a u mydump +nfc-mfclassic W a u mydump +``` + +## MIFARE Classic Gen1B +^[Top](#top) + +Similar to Gen1A, but supports directly read/write after command 40 + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1b +``` + +### Magic commands +^[Top](#top) + +* Read: `40(7)`, `30xx` +* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc + + +## MIFARE Classic DirectWrite aka Gen2 aka CUID +^[Top](#top) + +(also referred as MCT compatible by some sellers) + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 2 / CUID +``` + +Not all Gen2 cards can be identified with `hf 14a info`, only those replying to RATS. + +To identify the other ones, you've to try to write to block0 and see if it works... + +### Magic commands +^[Top](#top) + +Android compatible + +* issue regular write to block0 + +### Characteristics +^[Top](#top) + +* UID: 4b and 7b versions +* ATQA: + * some cards play blindly the block0 ATQA bytes, beware! + * some cards use a fix ATQA in anticollision, no matter the block0. Including all 7b. +* SAK: + * some cards play blindly the block0 SAK byte, beware! + * some cards use a fix "08" or "18" in anticollision, no matter the block0. Including all 7b. +* BCC: + * some cards play blindly the block0 BCC byte, beware! + * some cards compute a proper BCC in anticollision. Including all 7b computing their BCC0 and BCC1. +* ATS: + * some cards don't reply to RATS + * some reply with an ATS + +#### MIFARE Classic DirectWrite flavour 1 +^[Top](#top) + +* UID 4b +* ATQA: play blindly the block0 ATQA bytes, beware! +* SAK: play blindly the block0 SAK byte, beware! +* BCC: play blindly the block0 BCC byte, beware! 
+* ATS: no +* PRNG: weak + +#### MIFARE Classic DirectWrite flavour 2 +^[Top](#top) + +* UID 4b +* ATQA: fixed +* SAK: fixed +* BCC: computed +* ATS: 0978009102DABC1910F005 +* PRNG: weak + +#### MIFARE Classic DirectWrite flavour 3 +^[Top](#top) + +* UID 4b +* ATQA: play blindly the block0 ATQA bytes, beware! +* SAK: fixed +* BCC: play blindly the block0 BCC byte, beware! +* ATS: no +* PRNG: weak + +#### MIFARE Classic DirectWrite flavour 4 +^[Top](#top) + +* UID 7b +* ATQA: fixed +* SAK: fixed +* BCC: computed +* ATS: 0978009102DABC1910F005 +* PRNG: static 00000000 + +#### MIFARE Classic DirectWrite flavour 5 +^[Top](#top) + +* UID 4b +* ATQA: fixed +* SAK: play blindly the block0 SAK byte, beware! +* BCC: computed +* ATS: no +* PRNG: weak + +#### MIFARE Classic DirectWrite flavour 6 +^[Top](#top) + +**TODO** need more info + +* UID 7b +* ATS: 0D780071028849A13020150608563D + +### Proxmark3 commands +^[Top](#top) + +``` +hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force + +hf mf wipe --gen2 +``` + +When "soft-bricked" (by writing invalid data in block0), these ones may help: + +``` +hf 14a config -h +``` + +e.g. for 4b UID: + +``` +hf 14a config --atqa force --bcc ignore --cl2 skip --rats skip + +# for 1k +hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 --force + +# for 4k +hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344441802006263646566676869 --force + +hf 14a config --std +hf 14a reader +``` + +e.g. for 7b UID: + +``` +hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip + +# for 1k +hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 04112233445566084400626364656667 --force + +# for 4k +hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 04112233445566184200626364656667 --force + +hf 14a config --std +hf 14a reader +``` + +## MIFARE Classic DirectWrite, FUID version aka 1-write +^[Top](#top) + +Same as MIFARE Classic DirectWrite, but block0 can be written only once. 
+ +Initial UID is AA55C396 + +### Identify +^[Top](#top) + +Only possible before personalization. + +``` +hf 14a info +... +[+] Magic capabilities : Write Once / FUID +``` + +## MIFARE Classic Gen3 aka APDU +^[Top](#top) + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 3 / APDU +``` + +### Magic commands +^[Top](#top) + +Android compatible + +* issue special APDUs + +``` +cla ins p1 p2 len + 90 F0 CC CC 10 - write block 0 + 90 FB CC CC 07 - change uid (independently of block0 data) + 90 FD 11 11 00 - lock permanently +``` +It seems the length byte gets ignored anyway. + +Note: it seems some cards only accept the "change UID" command. + +It accepts direct read of block0 (and only block0) without prior auth. + +Writing to block 0 has some side-effects: + +* It changes also the UID. Changing the UID *does not* change block 0. +* ATQA and SAK bytes are automatically replaced by fixed values. +* On 4-byte UID cards, BCC byte is automatically corrected. + +### Characteristics +^[Top](#top) + +* UID: 4b and 7b versions +* ATQA/SAK: fixed +* BCC: auto +* ATS: none + +### Proxmark3 commands +^[Top](#top) + +``` +# change just UID: +hf mf gen3uid +# write block0: +hf mf gen3blk +# lock (uid/block0?) forever: +hf mf gen3freeze +``` +See also +``` +script run hf_mf_gen3_writer -h +``` + +Equivalent: +``` +# change just UID: +hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677 +# read block0: +hf 14a raw -s -c 3000 +# write block0: +hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000 +# lock (uid/block0?) forever: +hf 14a raw -s -c 90FD111100 +``` + + +## MIFARE Classic Super +^[Top](#top) + +It behaves like regular Mifare Classic but records reader auth attempts. + +#### MIFARE Classic Super Gen1 +^[Top](#top) + +Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands. 
+ +* UID: 4b version +* ATQA/SAK: fixed +* BCC: auto +* ATS: fixed, 0978009102DABC1910F005 + +ATQA/SAK matches 1k card, but works as 4k card. + +Backdoor commands provided over APDU. Format: + +``` +00 A6 A0 00 05 FF FF FF FF 00 +^^ ^^ Backdoor command header + ^^ Backdoor command (A0 - set UID/B0 - get trace/C0 - reset card) + ^^ Type of answer (used in key recovery to select trace number) + ^^ Length of user provided data + ^^ ^^ ^^ ^^ ^^ User data +``` + +👉 You can't change UID with backdoor command if incorrect data is written to the 0 sector trailer! + +#### MIFARE Classic Super Gen1B + +DirectWrite card, ATS unknown. Probably same as Gen1, except backdoor commands. +Implementation: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c + +#### MIFARE Classic Super Gen2 +^[Top](#top) + +New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces. + +Card always answer `ff ff ff ff` to auth, so writing/reading it via Mifare protocol is impossible. + +UID is changeable via Gen4 backdoor write to 0 block. + +* UID: 4b and 7b versions +* ATQA/SAK: fixed +* BCC: auto +* ATS: changeable, default as Gen1 + +Gen4 commands available: + +``` +CF 34 <1b length><0-16b ATS> // Configure ATS +CF CC // Factory test, returns 00 00 00 02 AA +CF CD <1b block number><16b block data> // Backdoor write 16b block +CF CE <1b block number> // Backdoor read 16b block +CF FE <4b new_password> // Change password +``` + +### Identify +^[Top](#top) + +Only Gen1/Gen2 at this moment (Gen1B is unsupported): + +``` +hf 14a info +... +[+] Magic capabilities : Super card (Gen ?) 
+``` + +# MIFARE Ultralight +^[Top](#top) + +## MIFARE Ultralight blocks 0..2 +^[Top](#top) + +``` +SN0 SN1 SN2 BCC0 +SN3 SN4 SN5 SN6 +BCC1 Int LCK0 LCK1 +``` + +UID is made of SN0..SN6 bytes + +Computing BCC0 on UID 04112233445566: `analyse lcr -d 88041122` = `bf` + +Computing BCC1 on UID 04112233445566: `analyse lcr -d 33445566` = `44` + +Int is internal, typically 0x48 + +Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C + + +## MIFARE Ultralight Gen1A +^[Top](#top) + +### Identify + +**TODO** + +### Characteristics + +#### Magic commands + +**TODO** + +#### UID + +Only 7b versions + +#### SAK, ATQA, BCC, ATS + +**TODO** need more tests + +### Proxmark3 commands +^[Top](#top) + +``` +script run hf_mfu_setuid -h +``` + +When "soft-bricked" (by writing invalid data in block0), these ones may help: + +``` +hf 14a config -h +script run hf_mf_magicrevive -u +``` + +## MIFARE Ultralight DirectWrite +^[Top](#top) + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 2 / CUID +``` + +It seems so far that all MFUL DW have an ATS. + +### Magic commands +^[Top](#top) + +Issue three regular MFU write commands in a row to write first three blocks. + +### Characteristics +^[Top](#top) + +* UID: Only 7b versions +* ATQA: + * all cards play fix ATQA +* SAK: + * all cards play fix SAK +* BCC: + * some cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware! + * some cards compute proper BCC0 and BCC1 in anticollision +* ATS: + * all cards reply with an ATS + +#### MIFARE Ultralight DirectWrite flavour 1 +^[Top](#top) + +* BCC: computed +* ATS: 0A78008102DBA0C119402AB5 +* Anticol shortcut (CL1/3000): fails + +#### MIFARE Ultralight DirectWrite flavour 2 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! 
+* ATS: 850000A00A000AB00000000000000000184D +* Anticol shortcut (CL1/3000): succeeds + +### Proxmark3 commands +^[Top](#top) + +``` +hf mfu setuid -h +``` + +Equivalent: don't use `hf mfu wrbl` as you need to write three blocks in a row, but do, with proper BCCx: + +``` +hf 14a raw -s -c -k a2 00 041122bf +hf 14a raw -c -k a2 01 33445566 +hf 14a raw -c a2 02 44480000 +``` + +When "soft-bricked" (by writing invalid data in block0), these ones may help: + +``` +hf 14a config -h +``` + +E.g.: +``` +hf 14a config --atqa force --bcc ignore --cl2 force --cl3 skip --rats skip +hf mfu setuid --uid 04112233445566 +hf 14a config --std +hf 14a reader +``` + +### libnfc commands +^[Top](#top) + +``` +nfc-mfultralight -h +``` +See `--uid` and `--full` + +### Android +^[Top](#top) + +* MIFARE++ Ultralight + +## MIFARE Ultralight EV1 DirectWrite +^[Top](#top) + +aka UL2 + +Similar to MFUL DirectWrite + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 2 / CUID +``` + +### Characteristics +^[Top](#top) + +* UID: Only 7b versions +* ATQA: + * all cards play fix ATQA +* SAK: + * all cards play fix SAK +* BCC: + * cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: + * all cards reply with an ATS + +#### MIFARE Ultralight EV1 DirectWrite flavour 1 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: 850000A000000AC30004030101000B0341DF + +#### MIFARE Ultralight EV1 DirectWrite flavour 2 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: 850000A00A000AC30004030101000B0316D7 + +#### MIFARE Ultralight EV1 DirectWrite flavour 3 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! 
+* ATS: 850000A000000A3C0004030101000E03 + +## MIFARE Ultralight C Gen1A +^[Top](#top) + +Similar to MFUL Gen1A + +## MIFARE Ultralight C DirectWrite +^[Top](#top) + +Similar to MFUL DirectWrite + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 2 / CUID +``` + +### Characteristics +^[Top](#top) + +* UID: Only 7b versions +* ATQA: + * all cards play fix ATQA +* SAK: + * all cards play fix SAK +* BCC: + * cards compute proper BCC0 and BCC1 in anticollision +* ATS: + * all cards reply with an ATS + +#### MIFARE Ultralight C DirectWrite flavour 1 +^[Top](#top) + +* BCC: computed +* ATS: 0A78008102DBA0C119402AB5 +* Anticol shortcut (CL1/3000): fails + +**TODO** + +* UL-X, UL-Y, UL-Z, ULtra, UL-5 ? + + +# NTAG +^[Top](#top) + +## NTAG213 DirectWrite +^[Top](#top) + +Similar to MFUL DirectWrite + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 2 / CUID +``` + +### Characteristics +^[Top](#top) + +* UID: Only 7b versions +* ATQA: + * all cards play fix ATQA +* SAK: + * all cards play fix SAK +* BCC: + * cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: + * all cards reply with an ATS + +#### NTAG213 DirectWrite flavour 1 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: 0A78008102DBA0C119402AB5 +* Anticol shortcut (CL1/3000): succeeds + +## NTAG21x +^[Top](#top) + +### Identify +^[Top](#top) + +``` +hf 14a info +... 
+[+] Magic capabilities : NTAG21x +``` + +### Characteristics +^[Top](#top) + +Emulates fully NTAG213, 213F, 215, 216, 216F + +Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS + +Anticol shortcut (CL1/3000): fails + +### Proxmark3 commands +^[Top](#top) + +``` +script run hf_mfu_magicwrite -h +``` + +# DESFire +^[Top](#top) + +## "DESFire" APDU, 7b UID + +### Identify + +**TODO** + +### Magic commands + +Android compatible + +* issue special APDUs + +### Characteristics +^[Top](#top) + +* ATQA: 0344 +* SAK: 20 +* ATS: 0675338102005110 or 06757781028002F0 + +Only mimics DESFire anticollision (but wrong ATS), no further DESFire support + +### Proxmark commands +^[Top](#top) + +UID 04112233445566 +``` +hf 14a raw -s -c 0200ab00000704112233445566 +``` +or equivalently +``` +hf 14a apdu -s 00ab00000704112233445566 +``` + +### libnfc commands +^[Top](#top) + +``` +pn53x-tamashell +4a0100 +420200ab00000704112233445566 +``` +## "DESFire" APDU, 4b UID +^[Top](#top) + +### Magic commands +^[Top](#top) + +Android compatible + +* issue special APDUs + +### Characteristics +^[Top](#top) + +* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything +* SAK: 20 +* ATS: 0675338102005110 or 06757781028002F0 + +Only mimics DESFire anticollision (but wrong ATS), no further DESFire support + +### Proxmark commands +^[Top](#top) + +UID 04112233445566 +``` +hf 14a raw -s -c 0200ab00000411223344 +``` +or equivalently +``` +hf 14a apdu -s 00ab00000411223344 +``` + +It accepts longer UID but that doesn't affect BCC/ATQA/SAK + +### pn53x-tamashell commands +^[Top](#top) +``` +4a0100 +420200ab00000411223344 +``` + +### Remarks +^[Top](#top) + +The same effect (with better ATQA!) 
can be obtained with a MFC Gen1A that uses SAK defined in block0: + +``` +hf mf csetblk --blk 0 -d 1122334444204403A1A2A3A4A5A6A7A8 +hf 14a info +[+] UID: 11 22 33 44 +[+] ATQA: 03 44 +[+] SAK: 20 [1] +[+] Possible types: +[+] MIFARE DESFire MF3ICD40 +``` + +# ISO14443B +^[Top](#top) + +## ISO14443B magic +^[Top](#top) + +No such card is available. + +Some vendor allow to specify an ID (PUPI) when ordering a card. + +# ISO15693 +^[Top](#top) + +## ISO15693 magic +^[Top](#top) + +### Identify + +**TODO** + +### Proxmark3 commands +^[Top](#top) + +Always set a UID starting with `E0`. + +``` +hf 15 csetuid E011223344556677 +``` +or (ignore errors): +``` +script run hf_15_magic -u E004013344556677 +``` + + + +# Multi +^[Top](#top) + +## Gen 4 GTU +^[Top](#top) + +A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands. + +Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data + +- [Identify](#identify-16) +- [Magic commands](#magic-commands-9) +- [Characteristics](#characteristics-12) +- [Proxmark3 commands](#proxmark3-commands-9) +- [Change ATQA / SAK](#change-atqa--sak) +- [Change ATS](#change-ats) +- [Set UID length (4, 7, 10)](#set-uid-length-4-7-10) +- [Set 14443A UID](#set-14443a-uid) +- [Set 14443B UID and ATQB](#set-14443b-uid-and-atqb) +- [(De)Activate Ultralight mode](#deactivate-ultralight-mode) +- [Select Ultralight mode](#select-ultralight-mode) +- [Set shadow mode (GTU)](#set-shadow-mode-gtu) +- [Direct block read and write](#direct-block-read-and-write) +- [(De)Activate direct write to block 0](#deactivate-direct-write-to-block-0) +- [Change backdoor password](#change-backdoor-password) +- [Dump configuration](#dump-configuration) +- [Fast configuration](#fast-configuration) +- [Presets](#presets) +- [Version and Signature](#version-and-signature) + + +### Identify +^[Top](#top) ^^[Gen4](#g4top) + +👉 **TODO** If the password is not default, Tag doesn't get identified 
correctly by latest Proxmark3 client (it might get mislabeled as MFC Gen2/CUID, Gen3/APDU or NTAG21x Modifiable, depending on configured UID/ATQA/SAK/ATS) +👉 **TODO** Using the `C6` command to identify tags may alter configuration, and `CC` command should be used instead. +``` +hf 14a info +[+] Magic capabilities : Gen 4 GTU +``` + +The card will be identified only if the password is the default one. One can identify manually such card if the password is still the default one, with the command to get the current configuration: +``` +hf 14a raw -s -c -t 1000 CF00000000C6 +``` +If the card is an Ultimate Magic Card, it returns 30 or 32 bytes. + +### Magic commands +^[Top](#top) ^^[Gen4](#g4top) + +There are two ways to program this card. + + 1. Use the raw commands designated by the `hf 14a` examples. + + ***OR*** + + 2. Use the hf_mf_ultimatecard.lua script commands designated but the `script run hf_mf_ulimatecard` examples. + + +script run hf_mf_ultimatecard.lua -h +``` +This script enables easy programming of an Ultimate Mifare Magic card +Usage +script run hf_mf_ultimatecard -h -k -c -w -u -t -p -a -s -o -v -q -g -z -m -n + +Arguments + -h this help + -c read magic configuration + -u UID (8-20 hexsymbols), set UID on tag + -t tag type to impersonate + 1 = Mifare Mini S20 4-byte + 2 = Mifare Mini S20 7-byte 15 = NTAG 210 + 3 = Mifare Mini S20 10-byte 16 = NTAG 212 + 4 = Mifare 1k S50 4-byte 17 = NTAG 213 + 5 = Mifare 1k S50 7-byte 18 = NTAG 215 + 6 = Mifare 1k S50 10-byte 19 = NTAG 216 + 7 = Mifare 4k S70 4-byte 20 = NTAG I2C 1K + 8 = Mifare 4k S70 7-byte 21 = NTAG I2C 2K + 9 = Mifare 4k S70 10-byte 22 = NTAG I2C 1K PLUS + *** 10 = UL - NOT WORKING FULLY 23 = NTAG I2C 2K PLUS + *** 11 = UL-C - NOT WORKING FULLY 24 = NTAG 213F + 12 = UL EV1 48b 25 = NTAG 216F + 13 = UL EV1 128b + *** 14 = UL Plus - NOT WORKING YET + + -p NTAG password (8 hexsymbols), set NTAG password on tag. + -a NTAG pack ( 4 hexsymbols), set NTAG pack on tag. 
+ -s Signature data (64 hexsymbols), set signature data on tag. + -o OTP data (8 hexsymbols), set `One-Time Programmable` data on tag. + -v Version data (16 hexsymbols), set version data on tag. + -q ATQA/SAK (<2b ATQA><1b SAK> hexsymbols), set ATQA/SAK on tag. + -g GTU Mode (1 hexsymbol), set GTU shadow mode. + -z ATS (<1b length><0-16 ATS> hexsymbols), Configure ATS. Length set to 00 will disable ATS. + -w Wipe tag. 0 for Mifare or 1 for UL. Fills tag with zeros and put default values for type selected. + -m Ultralight mode (00 UL EV1, 01 NTAG, 02 UL-C, 03 UL) Set type of UL. + -n Ultralight protocol (00 MFC, 01 UL), switches between UL and MFC mode + -k Ultimate Magic Card Key (IF DIFFERENT THAN DEFAULT 00000000) + +Example usage + -- read magic tag configuration + script run hf_mf_ultimatecard -c + -- set uid + script run hf_mf_ultimatecard -u 04112233445566 + -- set NTAG pwd / pack + script run hf_mf_ultimatecard -p 11223344 -a 8080 + -- set version to NTAG213 + script run hf_mf_ultimatecard -v 0004040201000f03 + -- set ATQA/SAK to [00 44] [08] + script run hf_mf_ultimatecard -q 004408 + -- wipe tag with a NTAG213 or Mifare 1k S50 4 byte + script run hf_mf_ultimatecard -w 1 + -- use a non default UMC key. Only use this if the default key for the MAGIC CARD was changed. + script run hf_mf_ultimatecard -k ffffffff -w 1 + -- Wipe tag, turn into NTAG215, set sig, version, NTAG pwd/pak, and OTP. 
+ script run hf_mf_ultimatecard -w 1 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111 +``` + +Special raw commands summary: + +``` +CF 32 <00-03> // Configure GTU shadow mode +CF 34 <1b length><0-16b ATS> // Configure ATS +CF 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQA bytes) +CF 68 <00-02> // Configure UID length +CF 69 <00-01> // (De)Activate Ultralight mode +CF 6A <00-03> // Select Ultralight mode +CF 6B <1b> // Set Ultralight and M1 maximum read/write sectors +CF C6 // Dump configuration; on old cards this will reset the `6B` value to 6B (bug) +CF CC // Read tag version, returns: `000000 [03A0: old]/[06A0: new]` +CF CD <1b block number><16b block data> // Backdoor write 16b block +CF CE <1b block number> // Backdoor read 16b block +CF CF <1b param> // (De)Activate direct write to block 0 +CF F0 <30b configuration data> // Configure all params in one cmd +CF F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently +CF FE <4b new_password> // change password +``` +Default ``: `00000000` + +### Characteristics +^[Top](#top) ^^[Gen4](#g4top) + +* UID: 4b, 7b and 10b versions +* ATQA/SAK: changeable +* BCC: auto +* ATS: changeable, can be disabled +* Card Type: changeable +* Shadow mode: GTU +* Backdoor password mode + +### Proxmark3 commands +^[Top](#top) ^^[Gen4](#g4top) + +``` +# view contents of tag memory: +hf mf gview +# Read a specific block via backdoor command: +hf mf ggetblk +# Write a specific block via backdoor command: +hf mf gsetblk +# Load dump to tag: +hf mf gload +# Save dump from tag: +hf mf gsave +``` +👉 **TODO** `hf mf gview` is currently missing Ultralight memory maps + +Equivalent: + +``` +hf 14a raw -s -c -t 1000 CF00000000CE00 +hf 14a raw -s -c -t 1000 CF00000000CE01 +hf 14a raw -s -c -t 1000 CF00000000CE02 +... 
+``` + +👉 **TODO** In Mifare Ultralight / NTAG mode, the special writes (`hf mfu restore` option `-s`, `-e`, `-r`) do not apply. Use `script run hf_mf_ultimatecard` for UID and signature, and `hf mfu wrbl` for PWD and PACK. + +### Change ATQA / SAK +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CF35<2b ATQA><1b SAK> +``` +* ⚠ ATQA bytes are swapped in the command +* ⚠ ATQA bytes that result in `iso14443a card select failed` (I.E. ATQA=0040 in raw form) can be corrected with `hf 14a config --atqa force` +* ⚠ when SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers! +* ⚠ never set SAK bit 3 (e.g. SAK=04), it indicates an extra cascade level is required (see `hf 14a config --cl2 skip` or `hf 14a config --cl3 skip` to recover a misconfigured card) + +Example: ATQA 0044 SAK 28, default pwd +``` +hf 14a raw -s -c -t 1000 CF0000000035440028 +``` +OR (Note the script will correct the ATQA correctly) +``` +script run hf_mf_ultimatecard -q 004428 +``` + +### Change ATS +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CF34<1b length><0-16b ATS> +``` + * ``: ATS length byte, set to `00` to disable ATS + * ⚠ when SAK bit 6 is set (e.g. SAK=20 or 28), ATS must be turned on, otherwise the card may not be recognized by some readers! 
+ * ATS CRC will be added automatically, don't configure it + * Max ATS length: 16 bytes (+CRC) + +Example: ATS to 0606757781028002F0, default pwd +``` +hf 14a raw -s -c -t 1000 CF000000003406067577810280 +``` + +Or + +``` +script run hf_mf_ultimatecard -z 06067577810280` +``` + +### Set UID length (4, 7, 10) +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CF68<1b param> +``` + * `` + * `00`: 4 bytes + * `01`: 7 bytes + * `02`: 10 bytes + +Example: set UID length to 7 bytes, default pwd +``` +hf 14a raw -s -c -t 1000 CF000000006801 +``` + +### Set 14443A UID +^[Top](#top) ^^[Gen4](#g4top) + +UID is configured according to block0 with a backdoor write. (Script commands are below the UID length examples) + +Example: preparing first two blocks: (Note the UMC has to be in MFC mode and the correct UID byte length set) +``` +hf 14a raw -s -c -t 1000 CF00000000CD00000102030405060708090A0B0C0D0E0F +hf 14a raw -s -c -t 1000 CF00000000CD01101112131415161718191A1B1C1D1E1F +hf 14a reader +``` +MFC mode 4b UID + +=> UID `00010203` + +`script run hf_mf_ultimatecard -t 4 -u 00010203` + +MFC mode 7b UID + +=> UID `00010203040506` + +`script run hf_mf_ultimatecard -t 5 -u 00010203040506` + +MFC mode, 10b UID + +=> UID `00010203040506070809` + +`script run hf_mf_ultimatecard -t 6 -u 00010203040506070809` + +Ultralight mode, 4b UID + +=> UID `00010203` + +Ultralight mode, 7b UID + +=> UID `00010210111213` + +👉 the UID is composed of first two blocks as in regular Ultralights + * Examples + * UL-EV1 48b = `script run hf_mf_ultimatecard -t 12 -u 00010203040506` + * UL EV1 128b = `script run hf_mf_ultimatecard -t 13 -u 00010203040506` + * NTAG 215 = `script run hf_mf_ultimatecard -t 18 -u 00010203040506` + +Ultralight mode, 10b UID +=> UID `00010203040506070809` +👉 the UID is composed only from block0 + +### Set 14443B UID and ATQB +^[Top](#top) ^^[Gen4](#g4top) + +*This command is not available for old gen4 tags. 
It will return `9000`, but no changes will take place.* +UID and ATQB are configured according to block0 with a (14a) backdoor write. + +UID size is always 4 bytes. + +Example: +``` +hf 14a raw -s -c -t 1000 CF00000000CD00000102030405060708090A0B0C0D0E0F +hf 14b reader +``` +=> UID 00010203 +=> ATQB 0405060708090A + +### (De)Activate Ultralight mode +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CF69<1b param> +``` + * `` + * `00`: MIFARE Classic mode + * `01`: MIFARE Ultralight/NTAG mode + +Example: activate Ultralight protocol, default pwd + +``` +hf 14a raw -s -c -t 1000 CF000000006901 +``` + +Or + +``` +script run hf_mf_ultimatecard -n 01 +``` + +In this mode, if SAK=`00` and ATQA=`0044`, it acts as an Ultralight card + +⚠ only the first four bytes of each block will be mapped in the Ultralight memory map (so the Ultralight block numbers follow backdoor R/W block numbers). + +### Select Ultralight mode +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CF6A<1b param> +``` + + * `` + * `00`: UL EV1 + * `01`: NTAG + * `02`: UL-C + * `03`: UL + +⚠ it supposes Ultralight mode was activated (cf command `69`) + +Example: set Ultralight mode to Ultralight-C, default pwd + +``` +hf 14a raw -s -c -t 1000 CF000000006A02 +``` +Or + +``` +script run hf_mf_ultimatecard -m 02 +``` + +Now the card supports the 3DES UL-C authentication. + +### Set Ultralight and M1 maximum read/write sectors +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CF6B<1b blocks> +``` +Hexadecimal, maximum sector data, default 0xFF, range 0x00-0xFF + +Example: set maximum 63 blocks read/write for Mifare Classic 1K + +``` +hf 14a raw -s -c -t 1000 CF000000006B3F +``` + +### Set shadow mode (GTU) +^[Top](#top) ^^[Gen4](#g4top) + +This mode is divided into four states: off (pre-write), on (on restore), don’t care, and high-speed read and write. +If you use it, please enter the pre-write mode first. At this time, write the full card data. 
+After writing, set it to on. At this time, after writing the data, the first time you read the data just written, the next time you read It is the pre-written data. All modes support this operation. It should be noted that using any block to read and write in this mode may give wrong results. + +Example: +`script run hf_mf_ultimatecard -w 1 -g 00 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111 -g 01` + * -w 1 = wipe the card in Ultralight Mode + * -g 00 = turn on pre-write mode + * -t 18 = change the type of card to NTAG 215 + * -u = set the uid + * -s = set the signature + * -p = set the NTAG password + * -a = set the PACK + * -o = set the OTP + * -g 01 = turn on restore mode + +At this point the card is set to a unwritten NTAG 215. Now any data written to the card will only last for 1 read. Write a popular game toy to it, read it, now it is back to the unwritten NTAG 215. + +👉 Remember to disable GTU mode to get the card back to a normal state. + +`script run hf_mf_ultimatecard -g 03` + +``` +hf 14a raw -s -c -t 1000 CF32<1b param> +``` + * `` + * `00`: pre-write, shadow data can be written + * `01`: restore mode + * `02`: disabled + * `03`: disabled, high speed R/W mode for Ultralight? + +### Direct block read and write +^[Top](#top) ^^[Gen4](#g4top) + +Using the backdoor command, one can read and write any area without MFC password, similarly to MFC Gen1 card. It should be noted that this command must be used to modify UID. + +Backdoor read 16b block: +``` +hf 14a raw -s -c -t 1000 CFCE<1b block number> +``` +Backdoor write 16b block: +``` +hf 14a raw -s -c -t 1000 CFCD<1b block number><16b block data> +``` + +Read/Write operations work on 16 bytes, no matter the Ultralight mode. + +Note that only the first four bytes of each block will be mapped in the Ultralight memory map. 
+ +Example: read block0, default pwd +``` +hf 14a raw -s -c -t 1000 CF00000000CE00 +``` +Example: write block0 with factory data, default pwd +``` +hf 14a raw -s -c -t 1000 CF00000000CD00112233441C000011778185BA18000000 +``` + +### (De)Activate direct write to block 0 +^[Top](#top) ^^[Gen4](#g4top) + +This command enables/disables direct writes to block 0. + +``` +hf 14a raw -s -c -t 1000 CFCF<1b param> +``` + * `` + * `00`: Activate direct write to block 0 (Same behaviour of Gen2 cards. Some readers may identify the card as magic) + * `01`: Deactivate direct write to block 0 (Same behaviour of vanilla cards) + * `02`: Default value. (Same behaviour as `00` (?)) + +Example: enable direct writes to block 0, default pwd +``` +hf 14a raw -s -c -t 1000 CF00000000CF00 +``` +Example: disable direct writes to block 0, default pwd +``` +hf 14a raw -s -c -t 1000 CF00000000CF01 +``` + +### Change backdoor password +^[Top](#top) ^^[Gen4](#g4top) + +All backdoor operations are protected by a password. If password is forgotten, the card can't be recovered. Default password is `00000000`. + +Change password: +``` +hf 14a raw -s -c -t 1000 CF FE <4b new_password> +``` +Example: change password from 00000000 to AABBCCDD +``` +hf 14a raw -s -c -t 1000 CF00000000FEAABBCCDD +``` +Example: change password from AABBCCDD back to 00000000 +``` +hf 14a raw -s -c -t 1000 CFAABBCCDDFE00000000 +``` + +### Dump configuration +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CFC6 +``` +Default configuration: +``` +00000000000002000978009102DABC191010111213141516040008006B024F6B + ^^^^ ?? 
+ ^^ cf cmd cf: block0 direct write setting, factory value 0x02 + ^^ cf cmd 6b: maximum read/write sectors, factory value 0x6b + ^^ cf cmd 6a: UL mode + ^^^^^^ cf cmd 35: ATQA/SAK + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cf cmd 34: ATS length & content + ^^ cf cmd 32: GTU mode + ^^^^^^^^ cf cmd fe: password + ^^ cf cmd 68: UID length +^^ cf cmd 69: Ultralight protocol +``` + +### Fast configuration +^[Top](#top) ^^[Gen4](#g4top) + +``` +hf 14a raw -s -c -t 1000 CFF0<30b configuration data> +``` +cf **Dump configuration** for configuration data description. + +Example: Write factory configuration, using default password +``` +hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC191010111213141516040008004F6B +``` + +⚠ Variant with command `F1` instead of `F0` will set and fuse permanently the configuration. Backdoor R/W will still work. + +### Presets +^[Top](#top) ^^[Gen4](#g4top) + +Here are some presets available in the FuseTool (but with all ATS disabled) + +**MIFARE Mini S20 4-byte UID** +``` +hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000900 +``` + +**MIFARE Mini S20 7-byte UID** +``` +hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000900 +``` + +**MIFARE 1k S50 4-byte UID** (this is the factory setting) +``` +hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151604000800 +``` + +**MIFARE 1k S50 7-byte UID** +``` +hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151644000800 +``` + +**MIFARE 4k S70 4-byte UID** +``` +hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC19101011121314151602001800 +``` + +**MIFARE 4k S70 7 byte UID** +``` +hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC19101011121314151642001800 +``` + +**Ultralight** +``` +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000003 +``` + +**Ultralight-C** +``` +hf 14a raw 
-s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000002 +``` + +**Ultralight EV1** +``` +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000 +``` + +**NTAG21x** +``` +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001 +``` + +### Version and Signature +^[Top](#top) ^^[Gen4](#g4top) + +Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249. + +Example for an Ultralight EV1 128b with the signature sample from tools/recover_pk.py +``` +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000 +hf mfu wrbl -b 0 -d 04C12865 +hf mfu wrbl -b 1 -d 5A373080 +hf mfu wrbl -b 242 -d CEA2EB0B --force +hf mfu wrbl -b 243 -d 3C95D084 --force +hf mfu wrbl -b 244 -d 4A95B824 --force +hf mfu wrbl -b 245 -d A7553703 --force +hf mfu wrbl -b 246 -d B3702378 --force +hf mfu wrbl -b 247 -d 033BF098 --force +hf mfu wrbl -b 248 -d 7899DB70 --force +hf mfu wrbl -b 249 -d 151A19E7 --force +hf mfu wrbl -b 250 -d 00040301 --force +hf mfu wrbl -b 251 -d 01000E03 --force +hf mfu info +``` + +Example for an NTAG216 with the signature sample from tools/recover_pk.py +``` +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001 +hf mfu wrbl -b 0 -d 04E10C61 +hf mfu wrbl -b 1 -d DA993C80 +hf mfu wrbl -b 242 -d 8B76052E --force +hf mfu wrbl -b 243 -d E42F5567 --force +hf mfu wrbl -b 244 -d BEB53238 --force +hf mfu wrbl -b 245 -d B3E3F995 --force +hf mfu wrbl -b 246 -d 0707C0DC --force +hf mfu wrbl -b 247 -d C956B5C5 --force +hf mfu wrbl -b 248 -d EFCFDB70 --force +hf mfu wrbl -b 249 -d 9B2D82B3 --force +hf mfu wrbl -b 250 -d 00040402 --force +hf mfu wrbl -b 251 -d 01001303 --force +hf mfu info +``` diff --git a/doc/magic_cards/russian_magic_notes.md b/doc/magic_cards/russian_magic_notes.md new file mode 100644 index 0000000000..3b79604b88 --- /dev/null 
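Review bot: deleting doc/magic_cards_notes.md in its own commit, before the replacement files exist, leaves the tree with no magic-card documentation at all between this commit and the ones that add doc/magic_cards/*.md, and it loses `git blame` history for the sections that are carried over (the FUID "Initial UID is AA55C396" / "Only possible before personalization" text reappears verbatim in the Russian notes added next). Prefer `git mv doc/magic_cards_notes.md doc/magic_cards/magic_cards_notes.md` in this commit and trim the country-specific parts in place, and grep the repository for links to the old `doc/magic_cards_notes.md` path (README and other docs), since any such link breaks once the file moves.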
+++ b/doc/magic_cards/russian_magic_notes.md 
@@ -0,0 +1,244 @@ + + +# Notes on Russian Magic Cards + +## Low Frequency + +### H1 (RW125FL, RW64bit) +^[Top](#top) + +Tag supports EM410x format, and nothing else. +No locking functions. +No info, as this tag is ceasing its' existence. + +### H2 (T5577) +^[Top](#top) + +Tag supports all formats which send data in 24(28) bytes (without password). +Locking is done with lock bits in the beginning of each page, which are not transmitted. + +#### Identify + +``` +lf search +... +[+] Chipset detection: T55xx +``` +Not all tags will show up with this, however. +Some H2 tags ignore test mode commands. + +### H3 (EM4305) + +Tag is original EM4305, and can store 8 bytes of EM410x ID data. +Locking is done with lock pages. Tearoff attacks can be accomplished. + +#### Identify +``` +lf search +... +[+] Chipset detection: EM4x05 +``` +H3 chips usually come with a pre-programmed code, with `0x00` as the 2nd byte. + +### H5 + +Tag has ceased production, as it was leaked. Some companies continue its' sale with a major discount. +Because it is hard to obtain this chip, there is no information. + +### H5.5 + +Tag is manufactured by iKey, and is sold as a replacement to [H5](#h5) chips. +Locking support is unknown. + +#### Identify + +Tag has completely random EM410x ID from factory. +Engravings on fobs: "H5.5" + +### H7 + +Tag is manufactured by iKey, and is sold as the most professional EM410x blank. Targeted to cloning StroyMaster keys. +Locking support cannot be described, as there is conflicting information (see [iKey forums](https://ikey.ru/forum/topic/3199-%D0%BA%D0%BE%D0%BF%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5-rfid-%D1%81%D1%87%D0%B8%D1%82%D1%8B%D0%B2%D0%B0%D1%82%D0%B5%D0%BB%D1%8C-atis/)) + +#### Identify + +Tag has completely random EM410x ID from factory. +Engravings on fobs: "H7" (stretched) + +### OTP + +Tag is similar to [H1](#h1-rw125fl-rw64bit), but after writing new ID, tag becomes original EM410x. 
+ +#### Identify + +Initial EM410x ID is `0000 000000` +Engravings on fobs: "OTP" + +### i57/i57v2 + +Tag has ceased production, and can no longer be purchased. +No info. + +## High Frequency + +### MIFARE ZERO +^[Top](#top) + +Cheapest cloning tag, pending replacement by [MF-8](#mf-8) + +#### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1a +``` + +#### Magic commands +^[Top](#top) + +* Wipe: `40(7)`, `41` (use 2000ms timeout) +* Read: `40(7)`, `43`, `30xx`+crc +* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc + +### MF-8 +^[Top](#top) + +Behavior: block 0 can be written with a normal write. +As MF-8 is a very new blank, it is assumed to be the last variation of its' chips. + +#### Identify +^[Top](#top) + +No way to reliably identify MF-8 is known. +The best way is to try writing block 0. Or you can try: +``` +hf 14a info +... +[+] Magic capabilities : Gen2 / CUID +``` + +### MIFARE OTP +^[Top](#top) + +Behavior: same as [MF-8](#mf-8), but block0 can be written only once. + +Initial UID is AA55C396 + +#### Identify +^[Top](#top) + +Only possible before personalization. + +``` +hf 14a info +... +[+] Magic capabilities : Write Once / FUID +``` +*It is possible to identify OTP after personalization. Currently it is unknown to us as to how this is done.* + +### MIFARE OTP 2.0 +^[Top](#top) + +Similar to [ZERO](#mifare-zero), but after first block 0 edit, tag no longer replies to 0x40 command. + +Initial UID is 00000000 + +All bytes are 00 from factory wherever possible. + +#### Identify +^[Top](#top) + +Only possible before personalization. + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1a +[+] Prng detection: hard +``` + +#### Magic commands +^[Top](#top) + +* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc + +### MF3 +^[Top](#top) + +Most advanced tag, but possible to detect. Replacement for [OTP2](#mifare-otp-20) tags. 
+ +#### Identify +^[Top](#top) + +Tag seems to behave like [MF-8](#mf-8), but it is unknown what is special about it. +Try issuing a write to block 0. + +### MIFARE UL-Y +^[Top](#top) + +Ultralight magic, 16 pages. Recommended for Vizit RF3.1 with markings "3.1" or "4.1". +Behavior: allows writes to page 0-2. + +#### Identify +^[Top](#top) + +``` +hf mfu rdbl --force -b 16 +hf 14a raw -sct 250 60 +``` +If tag replies with +`Cmd Error: 00` +`00 00 00 00 00 00 00 00` +then it is UL-Y. + +### MIFARE ULtra +^[Top](#top) + +Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page. +Behavior: allows writes to page 0-2. + +#### Identify +^[Top](#top) + +``` +hf mfu info +... + +[=] TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000 +[=] --- Tag Version +[=] Raw bytes: 00 34 21 01 01 00 0E 03 +``` + +Remember that this is not a reliable method of identification, as it interferes with locked [UL-5](#mifare-ul-5). + +### MIFARE UL-5 +^[Top](#top) + +Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page and if [ULtra](#mifare-ultra) has failed. +Behavior: similar to Ultra, but after editing page 0, tag becomes original Mifare Ultralight EV1. + +**WARNING!** When using UL-5 to clone, write UID pages in inverse and do NOT make mistakes! This tag does not allow reversing one-way actions (OTP page, lock bits). + +#### Identify +^[Top](#top) + +``` +hf mfu info + +[=] UID: AA 55 C3 A1 30 61 80 +TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000 +[=] --- Tag Version +[=] Raw bytes: 00 34 21 01 01 00 0E 03 +``` + +After personalization it is not possible to identify UL-5. +Some chips have UID of `AA 55 C3 A4 30 61 80`. + +### MIFARE, other chips + +**TODO** + +UL-X, UL-Z - ? + From 21e42d70738217902f8f728f86b52bdaddbc4cb0 Mon Sep 17 00:00:00 2001 
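Review bot: in the MIFARE UL-5 section, "write UID pages in inverse" is ambiguous (reverse page order, i.e. page 2 first and page 0 last because the page 0 write is what turns the tag into an original EV1, or inverted byte values?); spell it out, since the same paragraph says these actions cannot be undone. Two smaller points in the same hunk: the MIFARE UL-Y identify block lists two commands (`hf mfu rdbl --force -b 16`, `hf 14a raw -sct 250 60`) and two replies without saying which reply belongs to which command, and "its' existence", "its' sale", "its' chips" should read "its" (possessive, no apostrophe).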
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Thu, 1 Jun 2023 22:25:03 +0300 Subject: [PATCH 03/26] Add table of contents to country-specific magic tags Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 23 +++++++++++++++++++++- doc/magic_cards/russian_magic_notes.md | 27 ++++++++++++++++++++++++-- 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index 17c876c089..aa6ef4ff6a 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md @@ -2,6 +2,27 @@ # Notes on Chinese Magic Cards +# Table of Contents + +- [Low Frequency](#low-frequency) + * [5577](#5577) + * [5200](#5200) + * [ID82xx series](#id82xx-series) + - [ID8210](#id8210) + - [ID8211](#id8211) + - [ID8265](#id8265) + - [ID8268/8278/8310](#id826882788310) + - [K8678](#k8678) +- [High Frequency](#high-frequency) + * [MIFARE Classic UID](#mifare-classic-uid) + * [MIFARE Classic CUID](#mifare-classic-cuid) + * [MIFARE Classic FUID](#mifare-classic-fuid) + * [Magic "85" cards](#magic-85-cards) + - [MIFARE Classic UFUID](#mifare-classic-ufuid) + - [MIFARE Classic GDM aka Gen4](#mifare-classic-gdm-aka-gen4) + * [MIFARE Classic, other chips](#mifare-classic-other-chips) + + ## Low Frequency ### 5577 @@ -321,5 +342,5 @@ hf mf gdmsetcfg **TODO** -* ZXUID, EUID, ICUID ? +* ZXUID, EUID, ICUID; NSCK-II ? * Some cards exhibit a specific SAK=28 ?? diff --git a/doc/magic_cards/russian_magic_notes.md b/doc/magic_cards/russian_magic_notes.md index 3b79604b88..d68e3992d7 100644 --- a/doc/magic_cards/russian_magic_notes.md +++ b/doc/magic_cards/russian_magic_notes.md 
@@ -2,6 +2,29 @@ # Notes on Russian Magic Cards +# Table of Contents + +- [Low Frequency](#low-frequency) + * [H1 (RW125FL, RW64bit)](#h1-rw125fl-rw64bit) + * [H2 (T5577, RW125T5)](#h2-t5577-rw125t5) + * [H3 (EM4305, RW125EM)](#h3-em4305-rw125em) + * [H5](#h5) + * [H5.5](#h55) + * [H7](#h7) + * [OTP](#otp) + * [i57/i57v2](#i57i57v2) +- [High Frequency](#high-frequency) + * [MIFARE ZERO](#mifare-zero) + * [MF-8](#mf-8) + * [MIFARE OTP](#mifare-otp) + * [MIFARE OTP 2.0](#mifare-otp-20) + * [MF3](#mf3) + * [MIFARE UL-Y](#mifare-ul-y) + * [MIFARE ULtra](#mifare-ultra) + * [MIFARE UL-5](#mifare-ul-5) + * [MIFARE, other chips](#mifare-other-chips) + + ## Low Frequency ### H1 (RW125FL, RW64bit) @@ -11,7 +34,7 @@ Tag supports EM410x format, and nothing else. No locking functions. No info, as this tag is ceasing its' existence. -### H2 (T5577) +### H2 (T5577, RW125T5) ^[Top](#top) Tag supports all formats which send data in 24(28) bytes (without password). @@ -27,7 +50,7 @@ lf search Not all tags will show up with this, however. Some H2 tags ignore test mode commands. -### H3 (EM4305) +### H3 (EM4305, RW125EM) Tag is original EM4305, and can store 8 bytes of EM410x ID data. Locking is done with lock pages. Tearoff attacks can be accomplished. From 3b4040d337e601be2227b501588670c3e1a935d6 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Thu, 1 Jun 2023 22:49:10 +0300 Subject: [PATCH 04/26] Add UL2 Oops, I forgot... Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/russian_magic_notes.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/magic_cards/russian_magic_notes.md b/doc/magic_cards/russian_magic_notes.md index d68e3992d7..9d77b3e2dd 100644 --- a/doc/magic_cards/russian_magic_notes.md +++ b/doc/magic_cards/russian_magic_notes.md 
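Review bot: in the chinese_magic_notes.md table of contents hunk, `- [K8678](#k8678)` is nested under "ID82xx series" at the same depth as the ID82xx sub-entries, but the file's K8678 heading is a `###` section (a sibling of ID82xx series), so it belongs one level up as `* [K8678](#k8678)`. The russian TOC anchors (`#h2-t5577-rw125t5`, `#h3-em4305-rw125em`, `#h55`) do match GitHub's slugging of the renamed headings.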
@@ -19,6 +19,7 @@ * [MIFARE OTP](#mifare-otp) * [MIFARE OTP 2.0](#mifare-otp-20) * [MF3](#mf3) + * [MIFARE UL2](#mifare-ul2) * [MIFARE UL-Y](#mifare-ul-y) * [MIFARE ULtra](#mifare-ultra) * [MIFARE UL-5](#mifare-ul-5) @@ -198,6 +199,24 @@ Most advanced tag, but possible to detect. Replacement for [OTP2](#mifare-otp-20 Tag seems to behave like [MF-8](#mf-8), but it is unknown what is special about it. Try issuing a write to block 0. +### MIFARE UL2 + +Ultralight magic EV1, amount of pages can be picked when purchasing (20/41/44 pgs.). +Behavior: allows writes to page 0-2; allows rewriting lock+OTP bits. + +#### Identify + +There is no reliable way to identify UL2 magic. +To identify some, try changing page 0. + +#### Characteristics + +MIFARE UL2 variation 1: +ATQA/SAK: fixed +BCC: play blindly the page0/2 BCC0/1, beware! +ATS: `85 00 00 A0 00 00 0A 3C 00 04 03 01 01 00 0E 03` +Pages: 41 + ### MIFARE UL-Y ^[Top](#top) From 9bce8266b849472d56cd74f595473e34313fc897 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Thu, 1 Jun 2023 23:32:22 +0300 Subject: [PATCH 05/26] Formatting fix Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/russian_magic_notes.md | 39 ++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/doc/magic_cards/russian_magic_notes.md b/doc/magic_cards/russian_magic_notes.md index 9d77b3e2dd..3dd2d6d40b 100644 --- a/doc/magic_cards/russian_magic_notes.md +++ b/doc/magic_cards/russian_magic_notes.md @@ -27,12 +27,14 @@ ## Low Frequency +^[Top](#top) ### H1 (RW125FL, RW64bit) ^[Top](#top) Tag supports EM410x format, and nothing else. No locking functions. + No info, as this tag is ceasing its' existence. ### H2 (T5577, RW125T5) 
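Review bot: in the new MIFARE UL2 section, the 16-byte value labelled `ATS:` (`85 00 00 A0 00 00 0A 3C 00 04 03 01 01 00 0E 03`) does not look like an ATS: Ultralight-family tags (SAK 00) do not answer RATS, the value has the shape of the "Magic 85" configuration page described in chinese_magic_notes.md (16 bytes starting with 0x85), and its last eight bytes have the GET_VERSION "Raw bytes" format printed in the ULtra and UL-5 sections; label it as the configuration page or explain how it was obtained. Also, `### MIFARE UL2` and its `#### Identify`/`#### Characteristics` headings lack the `^[Top](#top)` back-link the neighbouring sections carry, and "BCC: play blindly the page0/2 BCC0/1, beware!" should state the consequence plainly: the tag transmits whatever is stored in those bytes and does not correct them, so a wrong value can leave the tag unreadable by normal readers.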
@@ -42,6 +44,7 @@ Tag supports all formats which send data in 24(28) bytes (without password). Locking is done with lock bits in the beginning of each page, which are not transmitted. #### Identify +^[Top](#top) ``` lf search @@ -52,11 +55,14 @@ Not all tags will show up with this, however. Some H2 tags ignore test mode commands. ### H3 (EM4305, RW125EM) +^[Top](#top) Tag is original EM4305, and can store 8 bytes of EM410x ID data. Locking is done with lock pages. Tearoff attacks can be accomplished. #### Identify +^[Top](#top) + ``` lf search ... @@ -65,45 +71,60 @@ lf search H3 chips usually come with a pre-programmed code, with `0x00` as the 2nd byte. ### H5 +^[Top](#top) Tag has ceased production, as it was leaked. Some companies continue its' sale with a major discount. + Because it is hard to obtain this chip, there is no information. ### H5.5 +^[Top](#top) Tag is manufactured by iKey, and is sold as a replacement to [H5](#h5) chips. + Locking support is unknown. #### Identify +^[Top](#top) Tag has completely random EM410x ID from factory. + Engravings on fobs: "H5.5" ### H7 +^[Top](#top) Tag is manufactured by iKey, and is sold as the most professional EM410x blank. Targeted to cloning StroyMaster keys. + Locking support cannot be described, as there is conflicting information (see [iKey forums](https://ikey.ru/forum/topic/3199-%D0%BA%D0%BE%D0%BF%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5-rfid-%D1%81%D1%87%D0%B8%D1%82%D1%8B%D0%B2%D0%B0%D1%82%D0%B5%D0%BB%D1%8C-atis/)) #### Identify +^[Top](#top) Tag has completely random EM410x ID from factory. + Engravings on fobs: "H7" (stretched) ### OTP +^[Top](#top) Tag is similar to [H1](#h1-rw125fl-rw64bit), but after writing new ID, tag becomes original EM410x. #### Identify +^[Top](#top) Initial EM410x ID is `0000 000000` + Engravings on fobs: "OTP" ### i57/i57v2 +^[Top](#top) Tag has ceased production, and can no longer be purchased. No info. ## High Frequency +^[Top](#top) ### MIFARE ZERO ^[Top](#top) 
@@ -136,7 +157,9 @@ As MF-8 is a very new blank, it is assumed to be the last variation of its' chip ^[Top](#top) No way to reliably identify MF-8 is known. -The best way is to try writing block 0. Or you can try: +The best way is to try writing block 0. + +Or you can try: ``` hf 14a info ... @@ -197,11 +220,13 @@ Most advanced tag, but possible to detect. Replacement for [OTP2](#mifare-otp-20 ^[Top](#top) Tag seems to behave like [MF-8](#mf-8), but it is unknown what is special about it. + Try issuing a write to block 0. ### MIFARE UL2 Ultralight magic EV1, amount of pages can be picked when purchasing (20/41/44 pgs.). + Behavior: allows writes to page 0-2; allows rewriting lock+OTP bits. #### Identify @@ -211,11 +236,11 @@ To identify some, try changing page 0. #### Characteristics -MIFARE UL2 variation 1: -ATQA/SAK: fixed -BCC: play blindly the page0/2 BCC0/1, beware! -ATS: `85 00 00 A0 00 00 0A 3C 00 04 03 01 01 00 0E 03` -Pages: 41 +MIFARE UL2 flavour 1: +- ATQA/SAK: fixed +- BCC: play blindly the page0/2 BCC0/1, beware! +- ATS: `85 00 00 A0 00 00 0A 3C 00 04 03 01 01 00 0E 03` +- Pages: 41 ### MIFARE UL-Y ^[Top](#top) @@ -259,6 +284,7 @@ Remember that this is not a reliable method of identification, as it interferes ^[Top](#top) Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page and if [ULtra](#mifare-ultra) has failed. + Behavior: similar to Ultra, but after editing page 0, tag becomes original Mifare Ultralight EV1. **WARNING!** When using UL-5 to clone, write UID pages in inverse and do NOT make mistakes! This tag does not allow reversing one-way actions (OTP page, lock bits). @@ -276,6 +302,7 @@ TAG IC Signature: 00000000000000000000000000000000000000000000000000000000000000 ``` After personalization it is not possible to identify UL-5. + Some chips have UID of `AA 55 C3 A4 30 61 80`. ### MIFARE, other chips From 78ebb809f66444e733b3974bd98e26e60d9dbc86 Mon Sep 17 00:00:00 2001 
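Review bot: in the `## Low Frequency` / H1 hunk, the context line "No info, as this tag is ceasing its' existence." keeps the stray apostrophe; since this commit is a formatting pass, fix "its'" to "its" here and in the H5 ("its' sale") and MF-8 ("its' chips") hunks as well.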
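Review bot: in the MF3/UL2 hunk, `### MIFARE UL2` and its sub-headings remain the only High Frequency headings without a `^[Top](#top)` back-link, while this commit adds one to every other heading (including the new `## High Frequency` / `^[Top](#top)` pair); add it there too for consistency.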
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 6 Jun 2023 21:15:25 +0300 Subject: [PATCH 06/26] Critical styling fix (I am not a `make style` user) Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index aa6ef4ff6a..462f73dc59 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md @@ -12,7 +12,7 @@ - [ID8211](#id8211) - [ID8265](#id8265) - [ID8268/8278/8310](#id826882788310) - - [K8678](#k8678) + * [K8678](#k8678) - [High Frequency](#high-frequency) * [MIFARE Classic UID](#mifare-classic-uid) * [MIFARE Classic CUID](#mifare-classic-cuid) @@ -204,6 +204,7 @@ Variations of CUID cards are explained in `magic_cards_notes.md`. ### MIFARE Classic FUID ^[Top](#top) + Sold as "anti-clone bypass". Behavior: same as CUID, but after editing block 0, tag becomes original S50 chip. From 31e337e87019adb0bde9384ea2bad370eb4ec957 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:38:31 +0300 Subject: [PATCH 07/26] Big chinese update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added info about a lot of Copykey/拷贝齐 magic chips. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 110 ++++++++++++++++++++++--- 1 file changed, 99 insertions(+), 11 deletions(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index 462f73dc59..882472d890 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md 
@@ -20,6 +20,8 @@ * [Magic "85" cards](#magic-85-cards) - [MIFARE Classic UFUID](#mifare-classic-ufuid) - [MIFARE Classic GDM aka Gen4](#mifare-classic-gdm-aka-gen4) + * [MIFARE Classic, QL88](#mifare-classic-ql88) + * [MIFARE Classic, FURUi detection (super) card](#mifare-classic-furui-detection-super-card) * [MIFARE Classic, other chips](#mifare-classic-other-chips) @@ -88,6 +90,7 @@ These chips are designed to clone EM410x IDs. ^[Top](#top) - Very widespread Chinese magic tag. *May sometimes be sent globally under the name of "T5577/EM4305" with the excuse: "use our cloner".* +- Chip used: HITAG µ (micro) - Identification: 1. Engravings (N/A; "F8265-[freq., kHz]K") 2. Preprogrammed code: `00:00:00:20:49` (CN: 8265) @@ -104,10 +107,11 @@ ID8268 is claimed to be better than ID8278. ^[Top](#top) - Very widespread Chinese magic tag too. +- Chip used: HITAG 1 - Idenification: 1. Engravings (N/A; "F8268-[freq., kHz]K"; 3. "F8310-[freq., kHz]K"; 4. "F8278-[freq., kHz]K") 2. Preprogrammed code: `00:00:00:20:4C` (CN: 8268); N/A -- No known way to detect. +- ~~No known way to detect.~~ - Like ID8265, pending support. More info will be added when support is added. ### K8678 @@ -119,8 +123,11 @@ Made by Hyctec for CopyKey devices (X100, X3, X5). ^[Top](#top) - Very new +- Chip used: HITAG S - Sold in 125, 175, 250, 375 and 500 kHz variants -- No info +- Identification: + 1. Engravings ("K8678-[freq., kHz]K") + 2. Preprogrammed code: `00:00:00:21:E6` (CN: 8678) ## High Frequency @@ -205,7 +212,7 @@ Variations of CUID cards are explained in `magic_cards_notes.md`. ### MIFARE Classic FUID ^[Top](#top) -Sold as "anti-clone bypass". +Sold as "anti-clone bypass". Also known as RFUID. Behavior: same as CUID, but after editing block 0, tag becomes original S50 chip. Initial UID is AA55C396. Block 0 manufacturer data is null. 
@@ -225,8 +232,7 @@ hf 14a info #### Alternatives to FUID ^[Top](#top) -- RFUID seems to have similar behavior to FUID. Maybe it is an alternative. -- HUID is sold as a cheaper alternative to FUID. +- HUID is sold as a cheaper alternative to FUID. However, it is protected with a KDF key in all sectors. *Copykey supports this chip.* ### "Magic 85" cards ^[Top](#top) @@ -249,7 +255,7 @@ No detailed info at the moment. ##### Proxmark3 commands ^[Top](#top) -To lock definitively block0: +To lock block0 and hide magic capabilities: ``` hf 14a raw -a -k -b 7 40 hf 14a raw -k 43 @@ -265,16 +271,16 @@ Sold as "rolling code bypass". Tag has shadow mode enabled from start. Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds -off rfid field. +off RF field. Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory. The persistent memory is also writable. To do that, the tag uses its own backdoor commands. -for example to write, you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000. +For example: to write, you must use a custom authentication command, 0x80, to authenticate with an all zeros key, 0x0000000000. Then send the data to be written. **OBS** -When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag. +Do not change ACL in persistent memory! This tag does not acknowledge anything other than `FF0780`, otherwise the sector will be disabled! ##### Identify ^[Top](#top) @@ -288,6 +294,7 @@ hf 14a info ^[Top](#top) * Auth: `80xx`+crc +* Read: `38xx`+crc * Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc * Read config: `E000`+crc * Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc @@ -313,6 +320,7 @@ Mapping of configuration bytes so far: ``` 850000000000000000005A5A00000008 ^^ --> SAK + ^^ --> Lock byte ``` Write config: 
@@ -338,10 +346,90 @@ hf mf gdmcfg hf mf gdmsetcfg ``` +### MIFARE Classic, QL88 +^[Top](#top) + +Sold for "QinLin Neighbor Technology" access control system. +The differences are presence of sector 17 and having SAK 88. + +#### Characteristics +^[Top](#top) + +* SAK/ATQA: unknown +* BCC: unknown +* OTP/FUID chip +* PRNG: hard + +#### Identify +^[Top](#top) + +``` +[usb] pm3 --> hf 14a info +... +[+] Magic capabilities: QL88 +``` + +Sector 17 can be accessed using Key B: `707B11FC1481`. Using it, other keys can be recovered. + +#### Magic commands + +**TODO** Need more info about this tag and original, non-magic IC. + +### MIFARE Classic, FURUi detection (super) card +^[Top](#top) + +Supercard, aka tag that records authentication attempts (nt, nr, ar). For recovery uses backdoor commands. + +#### Characteristics +^[Top](#top) + +* SAK/ATQA: play blindly the block0 bytes, beware! +* BCC: play blindly the block0 BCC bytes, beware! +* PRNG: hard + +**!!!WARNING!!!** This tag can die for no reason (no reply to WUPA/REQA). We don't know why this happens. + +#### Identify +^[Top](#top) + +``` +[usb] pm3 --> hf 14a raw -sct 250 AAA500000000000000000000000000000000 +[+] 90 00 +``` + +#### Magic commands +^[Top](#top) + +* Configure: `AAA5[16 byte config]`+crc +* Write block 0: `AAA4[4b UID][1b BCC][1b SAK][2b ATQA reversed]0000000000000000`+crc +* Recover trace: `AAA8[00/01][00-08]`+crc + +Caution: tag does not append CRC to magic responses! + +Please use config as 00 bytes. + +Parsing traces: +``` +44 33 22 11 03 61 08 68 7A C7 4B 62 43 A6 11 6F 64 F3 +^^ ^^ ^^ ^^ -- UID + ^^ ^^ -- auth command, reversed + ^^ ^^ ^^ ^^ -- Auth (nt) + ^^ ^^ ^^ ^^ -- Auth (nr) + ^^ ^^ ^^ ^^ -- Auth (ar) +``` + ### MIFARE Classic, other chips ^[Top](#top) **TODO** -* ZXUID, EUID, ICUID; NSCK-II ? -* Some cards exhibit a specific SAK=28 ?? +* ZXUID, EUID, ICUID, M1-5A, M1-7B; NSCK-II; TID, BOMB? 
+* ~~Some cards exhibit a specific SAK=28?~~ Some chips have unusual properties, like SAK 28 (BOMB) or SAK 5A (M1-5A). We are yet to find out the special functions. + +* What we know: + - ZXUID, EUID, ICUID: [ N/A ] + - M1-5A: tag for CopyKey device to clone Mifare Classic 1K with SAK `5A`. + - M1-7B: tag for CopyKey device to clone Mifare Classic 1K CL2. + - NSCK-II: tag for CopyKey device to clone "N•S•C"/"BS-CPU" chips. *ISO14443A (ATQA: 0044, SAK: 20) with FSK modulation and some UID conversion?* + - TID: tag for cloning FM1208-9 "CPU" card. It is unknown how to write it, and it is very expensive. + - BOMB: tag for cloning FM1208-xx "CPU" card, however properties do not match original chips (ATS is 18 bytes, not 16). *Exclsuive to "qinglong" software, but it costs way too much to be reasonable.* From 0e4814b0dcbecf75f569fa0aa1e36de0efb18580 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 7 Aug 2023 22:22:07 +0300 Subject: [PATCH 08/26] USCUID/magic85 rewrite Now all chips are unified! Explained configuration, backdoor blocks, default configurations for chips, etc. Waiting for updates! Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 194 ++++++++++++------------- 1 file changed, 95 insertions(+), 99 deletions(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index 882472d890..be015c51d8 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md 
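Review bot: in the ID8268/8278/8310 hunk, `~~No known way to detect.~~` is struck out without saying what replaced it; if these chips can now be detected, state how (the same hunk adds "Chip used: HITAG 1", which is presumably the basis), otherwise drop the line. While editing this list, the context line "- Idenification:" is misspelled ("Identification"), and the engraving item numbers its alternatives "1. ... 3. ... 4." with no "2.".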
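Review bot: in the "Alternatives to FUID" hunk, "protected with a KDF key in all sectors" is too vague to act on: say what the key is derived from (the UID?) or mark the derivation as unknown, since a reader cannot tell whether this is a per-tag key or a fixed vendor key. Dropping the RFUID bullet is consistent with the FUID hunk's new "Also known as RFUID."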
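Review bot: in the GDM hunk, the rewritten line "authenticate with an all zeros key, 0x0000000000" gives a 5-byte key (ten hex digits), but a Crypto1 key is 6 bytes; write it as `000000000000` so it cannot be mistyped. The new warning "Do not change ACL in persistent memory! This tag does not acknowledge anything other than `FF0780`" is a clear improvement over the old "possible to write _bad_ ACL" wording.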
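Review bot: in the QL88/FURUi hunk, the QL88 intro says the differences are "presence of sector 17 and having SAK 88", but its Characteristics list then says "SAK/ATQA: unknown"; make the two agree (SAK 88 is given, ATQA is what is unknown). In the FURUi section, "Please use config as 00 bytes." should say what it means (the all-zero 16-byte configuration sent with `AAA5` in the Identify example), and in the "other chips" list "Exclsuive" is a typo for "Exclusive".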
@@ -18,8 +18,6 @@ * [MIFARE Classic CUID](#mifare-classic-cuid) * [MIFARE Classic FUID](#mifare-classic-fuid) * [Magic "85" cards](#magic-85-cards) - - [MIFARE Classic UFUID](#mifare-classic-ufuid) - - [MIFARE Classic GDM aka Gen4](#mifare-classic-gdm-aka-gen4) * [MIFARE Classic, QL88](#mifare-classic-ql88) * [MIFARE Classic, FURUi detection (super) card](#mifare-classic-furui-detection-super-card) * [MIFARE Classic, other chips](#mifare-classic-other-chips) @@ -36,16 +34,11 @@ This is an ATA5577C-compatible tag. #### Characteristics ^[Top](#top) +- Regular Atmel ATA5577C clone (supports all functions, but traceability is unlocked, and chipset is not detected). +- Default data: `EM410x: 0000 0015C9` (CN: 5577) - Configurable as any tag that requires to send no more than 24(28) bytes of data (without password). - Well documented -#### Deviations -^[Top](#top) - -- Some tags have lock bits set on blocks 2-6. -- Some tags do not transmit traceability data, and have it rewritable. - * These tags tend to ignore page 1 block 3 configuration. - ### 5200 ^[Top](#top) @@ -54,12 +47,13 @@ No information. #### Characteristics ^[Top](#top) -- Advertised as PM3 compatible. -- No info. +- Advertised as PM3, T5577 compatible. +- Other names: "ZX-58U" ### ID82xx series These chips are designed to clone EM410x IDs. +*Chinese vendors pre-program an EM410x ID with card number being the same as chip used* #### ID8210 ^[Top](#top) @@ -70,7 +64,7 @@ These chips are designed to clone EM410x IDs. - Alternative names: * H-125 - Identification: - 1. Engravings ("H-[freq., kHz]") + 1. Engravings ("H-[freq., kHz]", "8210-[freq., kHz]") - No info. #### ID8211 @@ -80,7 +74,7 @@ These chips are designed to clone EM410x IDs. ^[Top](#top) - Identification: - 1. Engravings ("8211") + 1. Engravings (stamp "8211") - No info. #### ID8265 
@@ -93,7 +87,6 @@ These chips are designed to clone EM410x IDs. - Chip used: HITAG µ (micro) - Identification: 1. Engravings (N/A; "F8265-[freq., kHz]K") - 2. Preprogrammed code: `00:00:00:20:49` (CN: 8265) - Can be detected. - Currently unsupported by PM3, but being researched. When the proxmark3 supports this tag, more info will be added. @@ -110,7 +103,6 @@ ID8268 is claimed to be better than ID8278. - Chip used: HITAG 1 - Idenification: 1. Engravings (N/A; "F8268-[freq., kHz]K"; 3. "F8310-[freq., kHz]K"; 4. "F8278-[freq., kHz]K") - 2. Preprogrammed code: `00:00:00:20:4C` (CN: 8268); N/A - ~~No known way to detect.~~ - Like ID8265, pending support. More info will be added when support is added. @@ -127,7 +119,6 @@ Made by Hyctec for CopyKey devices (X100, X3, X5). - Sold in 125, 175, 250, 375 and 500 kHz variants - Identification: 1. Engravings ("K8678-[freq., kHz]K") - 2. Preprogrammed code: `00:00:00:21:E6` (CN: 8678) ## High Frequency @@ -220,14 +211,13 @@ Initial UID is AA55C396. Block 0 manufacturer data is null. #### Identify ^[Top](#top) -Only possible before personalization. +Only possible before personalization. *It's possible after, but unknown how..* ``` hf 14a info ... [+] Magic capabilities : Write Once / FUID ``` -*It is possible to simulate a FUID tag using CopyKey X5. This is probably to detect protection against clones.* #### Alternatives to FUID ^[Top](#top) 
@@ -237,106 +227,113 @@ hf 14a info ### "Magic 85" cards ^[Top](#top) -TLDR: These magic cards have a 16 byte long configuration page, which always starts with 0x85. +TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85. Another name is "USCUID". All of the known tags using this, except for Ultralight tags, are listed here. -#### MIFARE Classic UFUID +#### Characteristics ^[Top](#top) -Same as CUID, but block0 can be locked with special command. -Sold as "anti-clone bypass". -No detailed info at the moment. +* UID: 4/7 bytes +* ATQA: always read from block 0 +* SAK: read from backdoor or configuration +* BCC: read from memory, beware! +* ATS: no/unknown -##### Identify +#### Magic commands ^[Top](#top) -**TODO** +* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]` + - Backdoor read: `38xx+crc` + - Backdoor write: `A8xx+crc`, `[16 bytes data]+crc` -##### Proxmark3 commands -^[Top](#top) + - Read configuration: `E000+crc` + - Write configuration: `E100+crc`; `[16 bytes data]+crc` +* Magic wakeup (A: 00): `40(7)`, `43` +* Magic wakeup (B: 85): `20(7)`, `23` + - Backdoor read main block: `30xx+crc` + - Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc` + - Read hidden block: `38xx+crc` + - Write hidden block: `A8xx+crc`, `[16 bytes data]+crc` -To lock block0 and hide magic capabilities: + - Read configuration: `E000+crc` + - Write configuration: `E100+crc` + + **DANGER** + - Set main memory and config to 00 `F000+crc` + - Set main memory and config to FF `F100+crc` + - Set main memory and config to 55 (no 0A response) `F600+crc` + - Set backdoor memory to 00 `F800+crc` + - Set backdoor memory to FF `F900+crc` + - Set backdoor memory to 55 `FE00+crc` + +#### Magic85 configuration guide +^[Top](#top) + +1. 
Configuration ``` -hf 14a raw -a -k -b 7 40 -hf 14a raw -k 43 -hf 14a raw -k -c e000 -hf 14a raw -k -c e100 -hf 14a raw -c 85000000000000000000000000000008 +85000000000000000000000000000008 + ^^^^^^ ^^ ^^ >> ??? Mystery ??? +^^^^ >> Gen1a mode (works with bitflip) + ^^ >> Magic wakeup command (00 for 40-43; 85 for 20-23) + ^^ >> Block use of Key B if readable by ACL + ^^ >> CUID mode + ^^ >> MFC EV1 CL2 Perso config* + ^^ >> Shadow mode** + ^^ >> Magic Auth command + ^^ >> Static encrypted nonce mode + ^^ >> Signature sector + ^^ >> SAK*** + +To enable an option, set it to 5A. +* 5A - unfused F0. C3 - F0: CL2 UID; A5 - F1: CL2 UID with anticollision shortcut; 87 - F2: CL1 Random UID; 69 - F3: CL1 non-UID. Anything else is going to be ignored, and set as 4 bytes. +** Do not change the real ACL! Backdoor commands only acknowledge FF0780. To recover, disable this byte and issue regular write to sector trailer. +*** If perso byte is enabled, this SAK is ignored, and hidden SAK is used instead. ``` - -#### MIFARE Classic GDM aka Gen4 -^[Top](#top) - -Sold as "rolling code bypass". - -Tag has shadow mode enabled from start. -Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds -off RF field. -Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory. - -The persistent memory is also writable. To do that, the tag uses its own backdoor commands. -For example: to write, you must use a custom authentication command, 0x80, to authenticate with an all zeros key, 0x0000000000. -Then send the data to be written. - -**OBS** - -Do not change ACL in persistent memory! This tag does not acknowledge anything other than `FF0780`, otherwise the sector will be disabled! - -##### Identify -^[Top](#top) - -``` -hf 14a info -... -[+] Magic capabilities : Gen 4 GDM +2. 
Backdoor blocks ``` -##### Magic commands -^[Top](#top) - -* Auth: `80xx`+crc -* Read: `38xx`+crc -* Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc -* Read config: `E000`+crc -* Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc -##### Characteristics -^[Top](#top) - -* ATQA/BCC: unknown behavior -* SAK: can be configured using `E100` command -* ATS: N/A -* UID: 4b -* No known true backdoors. -* Its magic part seems to be three identified custom commands. -* Auth command 0x80, with the key 0x0000000000, Write 0xA8 allows writing to persistent memory, Read 0xE0 which seems to return a configuration. This is unknown today what these bytes are. - -Read config: -1. sending custom auth with all zeros key -2. send 0xE000, will return the configuration bytes. -`results: 850000000000000000005A5A00000008` - - -Mapping of configuration bytes so far: -``` -850000000000000000005A5A00000008 - ^^ --> SAK - ^^ --> Lock byte +Sector 0 +88 04 BD E5 D4 0C 6A BB 5B 80 0A 08 44 00 00 00 - Block 0: Perso F0, F1 data +^^ ^^ ^^ ^^ - UID0 + ^^ - BCC0 + ^^ - SAK0 (+0x04 to call for CL2) + ^^ ^^ ^^ ^^ - UID1 + ^^ - BCC1 + ^^ - SAK1 + ^^ ^^ ^^ ^^ - Unused +04 BD E5 6A 36 08 00 00 00 00 00 00 00 00 00 00 - Block 1: Perso F3 data +^^ ^^ ^^ ^^ - UID0 + ^^ - BCC0 + ^^ - SAK0 + ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ - Unused +Block 2: unused +Block 3: ignored (custom keys, acl; broken acl ignored - anticollision will still work) +Sector 1 +[Signature sector (#17) - needs config byte 13 (from 0) enabled to allow auth] +Sectors 2-15 +[Unused] ``` -Write config: -1. sending custom auth with all zeros key -2. send 0xE100 -3. 
send 16 bytes +#### Variations +^[Top](#top) +| Factory configuration | Name | +| --- | --- | +| 850000000000000000005A5A00000008 | GDMIC | +| 850000000000005A0000005A5A5A0008 | UCUID | +| 8500000000005A00005A005A005A0008 | "7 byte hard" | +| 7AFF850102015A00005A005A005A0008 | M1-7B | +| 7AFF000000000000BAFA358500000008 | PFUID | +| 7AFF000000000000BAFA000000000008 | UFUID | -**Warning** +*Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 2 and last config byte(s). -Example of configuration to Perma lock tag: -`85000000000000000000000000000008` +*Read and write config commands are flipped -##### Proxmark3 commands +#### Proxmark3 commands ^[Top](#top) ``` -# Write to persistent memory +Using magic auth: +# Write to persistent memory: hf mf gdmsetblk # Read configuration (0xE0): @@ -429,7 +426,6 @@ Parsing traces: * What we know: - ZXUID, EUID, ICUID: [ N/A ] - M1-5A: tag for CopyKey device to clone Mifare Classic 1K with SAK `5A`. - - M1-7B: tag for CopyKey device to clone Mifare Classic 1K CL2. - NSCK-II: tag for CopyKey device to clone "N•S•C"/"BS-CPU" chips. *ISO14443A (ATQA: 0044, SAK: 20) with FSK modulation and some UID conversion?* - TID: tag for cloning FM1208-9 "CPU" card. It is unknown how to write it, and it is very expensive. - BOMB: tag for cloning FM1208-xx "CPU" card, however properties do not match original chips (ATS is 18 bytes, not 16). *Exclsuive to "qinglong" software, but it costs way too much to be reasonable.* From 9cf63f6531c9f2c2d047e3066a0a48446581ca46 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:19:11 +0300 Subject: [PATCH 09/26] Explain functionality of Magic85 config Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
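Review bot: in the 5577 hunk, the removed "Deviations" subsection carried concrete observations (lock bits set on blocks 2-6; traceability data not transmitted and rewritable; page 1 block 3 configuration ignored) that the new one-liner "traceability is unlocked, and chipset is not detected" does not fully cover; if the lock-bit and page 1 block 3 behaviour is no longer considered accurate, say so, otherwise keep those bullets. "chipset is not detected" should also name the check it refers to (the `lf search` "Chipset detection" line shown in the russian notes).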
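Review bot: in the ID82xx series hunk, the new note "Chinese vendors pre-program an EM410x ID with card number being the same as chip used" replaces the per-chip codes removed in the ID8265, ID8268 and K8678 hunks (`00:00:00:20:49`, `00:00:00:20:4C`, `00:00:00:21:E6`); the generalisation holds (0x2049 = 8265, 0x204C = 8268, 0x21E6 = 8678), but keep one of the codes as a worked example and reword to "pre-program an EM410x ID whose card number equals the chip's model number".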
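Review bot: in the Magic85 rewrite hunk, the footnote under the Variations table, "*Read and write config commands are flipped", starts a line with `*` and will render as a bullet rather than as the note attached to "PFUID*"; use a marker that is not list syntax for both the marker and its text. The backdoor-block example is internally consistent (BCC0 D4 = 88^04^BD^E5, BCC1 0A = 6A^BB^5B^80, block 1 BCC 36 = 04^BD^E5^6A), which is worth stating so readers know those bytes are real checksums; the bytes `44 00` after SAK1, marked "Unused", look like the ATQA of a double-size UID (0x0044) and deserve a check before they are labelled unused.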
diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index be015c51d8..fd4f1f205c 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md @@ -289,6 +289,18 @@ To enable an option, set it to 5A. ** Do not change the real ACL! Backdoor commands only acknowledge FF0780. To recover, disable this byte and issue regular write to sector trailer. *** If perso byte is enabled, this SAK is ignored, and hidden SAK is used instead. ``` +* Gen1a mode: Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras. +* Magic wakeup command: Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23. +* Block use of Key B if readable by ACL: Per the MF1ICS50 datasheet, if Key B is readable by the ACL, using it shall give a Cmd Error 04. This option controls whether it happens or not. +* CUID mode: Allow direct write to block 0, instead of giving Cmd Error 04. +* MFC EV1 CL2 Perso config: When configured, the tag behaves like a real Mifare Classic EV1 7B UID tag, and reads UID from backdoor blocks. Otherwise, the tag acts like a 4 byte tag. +* Shadow mode: Writes to memory persisting in tag RAM. As soon as no power is left, the contents are restored to saved data. +* Magic Auth Command: Acknowledge command `8000` after selection, and call for Crypto1 auth with key `000000000000`. +* Static encrypted nonce mode: Use static encrypted nonces for authentication, making key recovery impossible. +* Signature sector: Acknowledge auth commands to sector 17, which is stored in backdoor sector 1. +* SAK: If perso byte is not set, after UID select, send this value. + + 2. Backdoor blocks ``` From 2c8fc61bf3761d85819fb34761eb7e0a8a848d72 Mon Sep 17 00:00:00 2001 
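Review bot: "Static encrypted nonce mode: ... making key recovery impossible" is a stronger claim than the document supports; state what is observed (the tag answers authentication with static, encrypted nonces) and which recovery methods it is known to defeat, rather than "impossible". Two consistency points in the same hunk: the "Shadow mode" bullet says contents are restored "as soon as no power is left", whereas the GDM text this series replaced said "after about 3 seconds off RF field", so keep the timing if it was measured; and the bullets now duplicate the footnotes still embedded in the configuration code block ("To enable an option, set it to 5A" and the "*"/"**"/"***" notes), which should move out of the fence into this list.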
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Sun, 3 Sep 2023 22:53:52 +0300 Subject: [PATCH 10/26] Quick fill-up commit More info to be added in some hours Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index fd4f1f205c..7a3f7788d5 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md @@ -13,6 +13,7 @@ - [ID8265](#id8265) - [ID8268/8278/8310](#id826882788310) * [K8678](#k8678) + * [Detection tips](#detection-tips) - [High Frequency](#high-frequency) * [MIFARE Classic UID](#mifare-classic-uid) * [MIFARE Classic CUID](#mifare-classic-cuid) @@ -65,7 +66,7 @@ These chips are designed to clone EM410x IDs. * H-125 - Identification: 1. Engravings ("H-[freq., kHz]", "8210-[freq., kHz]") -- No info. +- Seemingly ID8265. To be confirmed. #### ID8211 ^[Top](#top) @@ -103,7 +104,6 @@ ID8268 is claimed to be better than ID8278. - Chip used: HITAG 1 - Idenification: 1. Engravings (N/A; "F8268-[freq., kHz]K"; 3. "F8310-[freq., kHz]K"; 4. "F8278-[freq., kHz]K") -- ~~No known way to detect.~~ - Like ID8265, pending support. More info will be added when support is added. ### K8678 
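Review bot: the ID8268 hunk removes the struck-through "No known way to detect" without replacing it, while the H-125 hunk now says "Seemingly ID8265. To be confirmed."; if a detection method exists it should be stated here (or the line kept as an open TODO), otherwise readers of this revision have no detection guidance at all for the F8268 family.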
@@ -115,11 +115,30 @@ Made by Hyctec for CopyKey devices (X100, X3, X5). ^[Top](#top) - Very new -- Chip used: HITAG S +- Chip used: HITAG S256 (plain mode) - Sold in 125, 175, 250, 375 and 500 kHz variants - Identification: 1. Engravings ("K8678-[freq., kHz]K") +#### Magic commands +^[Top](#top) + +* Okay, it's not necessarily magic commands.. it's regular writes. +``` + >>> 18(5) // Get UID + <<< [ tag replies with UID ] + >>> 00(5) [UID] [CRC] // Selection + <<< [ tag replies with con0-2 ] + >>> 08(4) 04 [CRC] // Writeblock 4 + <<< 01(2) // ACK + >>> [EM410x raw data 0-3] [CRC] + <<< 01(2) // ACK + >>> 08(4) 05 [CRC] // Writeblock 5 + <<< 01(2) // ACK + >>> [EM410x raw data 4-7] [CRC] + >>> 01(2) // ACK +``` + ## High Frequency ### MIFARE Classic UID From d14fd8ed5f75d9bc7f07dba031e9e7e02d37c4c5 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 5 Sep 2023 21:13:33 +0300 Subject: [PATCH 11/26] Update for copykey tags Added NSCK, Ultralight chips. Detailed whatever should have been detailed (ql88 write protect bug, HUID=CUID, how to detect ID8265/F8268/K8678 using proxmark), etc... Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 111 ++++++++++++++++++++----- 1 file changed, 90 insertions(+), 21 deletions(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index 7a3f7788d5..b1e49f9ebf 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md 
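Review bot: the last line of the K8678 trace, `>>> 01(2) // ACK`, has the direction wrong: an ACK is sent by the tag, so it should read `<<< 01(2) // ACK` like the earlier acknowledgements. The section is titled "Magic commands" but opens with "it's not necessarily magic commands.. it's regular writes"; say plainly that the tag accepts standard HITAG S writes and that the EM410x data is stored in blocks 4 and 5, and consider naming the subsection "Write procedure".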
@@ -15,13 +15,18 @@ * [K8678](#k8678) * [Detection tips](#detection-tips) - [High Frequency](#high-frequency) - * [MIFARE Classic UID](#mifare-classic-uid) - * [MIFARE Classic CUID](#mifare-classic-cuid) - * [MIFARE Classic FUID](#mifare-classic-fuid) - * [Magic "85" cards](#magic-85-cards) - * [MIFARE Classic, QL88](#mifare-classic-ql88) - * [MIFARE Classic, FURUi detection (super) card](#mifare-classic-furui-detection-super-card) - * [MIFARE Classic, other chips](#mifare-classic-other-chips) + - [MIFARE Classic](#mifare-classic) + * [MIFARE Classic UID](#mifare-classic-uid) + * [MIFARE Classic CUID](#mifare-classic-cuid) + * [MIFARE Classic FUID](#mifare-classic-fuid) + * [Magic "85" cards](#magic-85-cards) + * [MIFARE Classic, QL88](#mifare-classic-ql88) + * [MIFARE Classic, FURUi detection (super) card](#mifare-classic-furui-detection-super-card) + * [MIFARE Classic, other chips](#mifare-classic-other-chips) + - [MIFARE Ultralight](#mifare-ultralight) + * [MIFARE Ultralight, Copykey](#mifare-ultralight-copykey) + - [Other chips](#other-chips) + * [NSCK-II](#nsck-ii) ## Low Frequency @@ -35,7 +40,7 @@ This is an ATA5577C-compatible tag. #### Characteristics ^[Top](#top) -- Regular Atmel ATA5577C clone (supports all functions, but traceability is unlocked, and chipset is not detected). +- Regular Atmel ATA5577C ~~clone (supports all functions, but traceability is unlocked, and chipset is not detected)~~ __Some__ vendors seem to sell clones. To be confirmed. - Default data: `EM410x: 0000 0015C9` (CN: 5577) - Configurable as any tag that requires to send no more than 24(28) bytes of data (without password). - Well documented 
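Review bot: in the 5577 hunk the bullet now carries a struck-through clause followed by a new sentence, which keeps stale text in front of the reader; rewrite as one clean bullet ("Regular Atmel ATA5577C. Some vendors seem to sell clones; to be confirmed."). In the TOC hunk the new `- [MIFARE Classic]` entry is nested one level under `- [High Frequency]` with the same dash marker the parent uses, so it renders as a sibling; use the document's `*` marker for that level.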
@@ -43,12 +48,16 @@ This is an ATA5577C-compatible tag. ### 5200 ^[Top](#top) -No information. +After checking, this appears to be a regular T55x7 clone. #### Characteristics ^[Top](#top) - Advertised as PM3, T5577 compatible. + - All pages are writable (including traceability). + - Traceability data begins with `E039`. + - Analog front-end is ignored. + - Test mode is ignored. - Other names: "ZX-58U" ### ID82xx series @@ -139,8 +148,20 @@ Made by Hyctec for CopyKey devices (X100, X3, X5). >>> 01(2) // ACK ``` +### Detection tips + +- To check if you have chip A/B/C/..., run this: + 1. `data plot` + 2. Chip-specific info below: + - ID8265: `lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00011 -s 3000`; + - F8268: `lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000`; + - K8678: `lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000`. + 3. Look at the plot window. The green line must be 0 (no big waves) at the end. + ## High Frequency +### MIFARE Classic + ### MIFARE Classic UID ^[Top](#top) @@ -218,6 +239,9 @@ Variations of CUID cards are explained in `magic_cards_notes.md`. - KUID seems to have similar behavior to CUID (allows block 0 direct write). * That being said, we do not know its' purpose. Please use CUID. +- HUID is a CUID chip, but protected with a KDF key. + * When key is recovered using Copykey (auth attempt 23), the tag appears to be a regular CUID chip rev.5. + * When writing, Copykey detects the custom key and locks the ACL to `block 0: read AB; ACL: read AB write --` ### MIFARE Classic FUID ^[Top](#top) 
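Review bot: in the Detection tips hunk the F8268 and K8678 entries are the identical command (`lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000`), so the tip cannot tell those two chips apart; either one of the `-c` values is wrong or the text should say the check distinguishes ID8265 from the F8268/K8678 family only. Also `### MIFARE Classic` is immediately followed by `### MIFARE Classic UID` at the same heading level, which contradicts the nesting the TOC now shows; bump the child sections to `####`.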
@@ -238,17 +262,14 @@ hf 14a info [+] Magic capabilities : Write Once / FUID ``` -#### Alternatives to FUID -^[Top](#top) - -- HUID is sold as a cheaper alternative to FUID. However, it is protected with a KDF key in all sectors. *Copykey supports this chip.* - ### "Magic 85" cards ^[Top](#top) TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85. Another name is "USCUID". All of the known tags using this, except for Ultralight tags, are listed here. +You cannot turn a Classic tag into an Ultralight and vice-versa! + #### Characteristics ^[Top](#top) @@ -283,7 +304,7 @@ All of the known tags using this, except for Ultralight tags, are listed here. - Set main memory and config to 55 (no 0A response) `F600+crc` - Set backdoor memory to 00 `F800+crc` - Set backdoor memory to FF `F900+crc` - - Set backdoor memory to 55 `FE00+crc` + - Set backdoor memory to 55 (no 0A response) `FE00+crc` #### Magic85 configuration guide ^[Top](#top) @@ -356,7 +377,7 @@ Sectors 2-15 | 7AFF000000000000BAFA358500000008 | PFUID | | 7AFF000000000000BAFA000000000008 | UFUID | -*Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 2 and last config byte(s). +*Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s). *Read and write config commands are flipped 
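Review bot: "only acknowledge the first 8 (except wakeup command) and last config byte(s)" replaces "first 2" and is ambiguous about whether the wakeup-command byte is counted among the eight or excluded from it; list the acknowledged byte offsets explicitly and note which tag revision was tested, since this sentence has already been corrected once.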
@@ -397,11 +418,16 @@ The differences are presence of sector 17 and having SAK 88. [+] Magic capabilities: QL88 ``` -Sector 17 can be accessed using Key B: `707B11FC1481`. Using it, other keys can be recovered. +Oops, the above is flawed. Some other "SAK88-IC" tags get detected as QL88. + +Sector 17 can be accessed using Key B: `707B11FC1481`. ~~Using it, other keys can be recovered.~~ Do not recover keys using this or run `hf 14a info` at all! + +For an unknown reason if you try to get any read access block 0 write protects itself. Without methods of recovery. *To be confirmed* #### Magic commands -**TODO** Need more info about this tag and original, non-magic IC. +- Block 0 can be written using direct write +- No signature sector backdoor ### MIFARE Classic, FURUi detection (super) card ^[Top](#top) 
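Review bot: the Identify section shows `hf 14a info` output and then tells the reader not to run `hf 14a info` at all; the warning has to come before the command, and "Oops, the above is flawed" should be a plain caveat ("Other SAK88-IC tags are also detected as QL88, so this output is not conclusive"). The write-protect sentence is labelled "To be confirmed" but written as fact, and "if you try to get any read access" does not say read access to what (block 0, sector 17, any sector); state the observation precisely and mark it unconfirmed in one sentence.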
@@ -451,12 +477,55 @@ Parsing traces: **TODO** -* ZXUID, EUID, ICUID, M1-5A, M1-7B; NSCK-II; TID, BOMB? +* ZXUID, EUID, ICUID, M1-5A, SUID; TID, BOMB, SID? * ~~Some cards exhibit a specific SAK=28?~~ Some chips have unusual properties, like SAK 28 (BOMB) or SAK 5A (M1-5A). We are yet to find out the special functions. * What we know: - - ZXUID, EUID, ICUID: [ N/A ] + - ZXUID, EUID, ICUID, SUID: [ N/A ] - M1-5A: tag for CopyKey device to clone Mifare Classic 1K with SAK `5A`. - - NSCK-II: tag for CopyKey device to clone "N•S•C"/"BS-CPU" chips. *ISO14443A (ATQA: 0044, SAK: 20) with FSK modulation and some UID conversion?* - TID: tag for cloning FM1208-9 "CPU" card. It is unknown how to write it, and it is very expensive. - BOMB: tag for cloning FM1208-xx "CPU" card, however properties do not match original chips (ATS is 18 bytes, not 16). *Exclsuive to "qinglong" software, but it costs way too much to be reasonable.* + - SID: cheaper CPU cloning tag. No info right now, to be added. A bit cheaper than TID/BOMB. + - *do you know why do the reviews of SID tag have image of "proxmark3 pro"?* + + +### MIFARE Ultralight + +### MIFARE Ultralight, Copykey +^[Top](#top) + +- Tags covered: UL11, UL21, N213, N215, N216 + +#### Characteristics +^[Top](#top) + +- Regular Ultralight DirectWrite (use `hf mfu setuid`) +- Password protected: `B6AA558D` (static) + - PACK seems to be ignored. + +### Other chips + +### NSCK-II +^[Top](#top) + +- Magic tag for "NSC/BS-CPU" + +#### Characteristics +^[Top](#top) +- Programming is done via ISO14443-A (but not sure how to modulate). Original tag is working somewhere hidden from proxmark. +- ATQA-SAK: `0044`-`20` +- ATS: `05 72 F7 60 02` +- Communications encrypted(?) 
+ - When writing with copykey, after RATS, this communication takes place (NSC ID programmed: `5800000000`, tag UID: `1D94CE25840000`): + ``` + >>> 54 03 8A BC DF C1 [CRC] + <<< A2 [CRC] + >>> 54 04 57 AA 84 DD [CRC] + <<< A2 [CRC] + ``` + +#### Magic commands +^[Top](#top) + +- Write NSC UID: `54 [part 1b] [data 4b enc] [CRC]` + - Tag replies: `A2 [CRC]` From 43030656196aa2730f4b41223e0204a09eb273ec Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 13 Sep 2023 21:02:02 +0300 Subject: [PATCH 12/26] EM ID discovery added If you set an H5.5/H7 ID to 3F0096F87E you will see it show up as T55x7. Block 0 will always show up as `E0158801`, and downlink mode will show up as random stuff. Inconsistent. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/russian_magic_notes.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/magic_cards/russian_magic_notes.md b/doc/magic_cards/russian_magic_notes.md index 3dd2d6d40b..92c8c76055 100644 --- a/doc/magic_cards/russian_magic_notes.md +++ b/doc/magic_cards/russian_magic_notes.md @@ -87,9 +87,9 @@ Locking support is unknown. #### Identify ^[Top](#top) -Tag has completely random EM410x ID from factory. - -Engravings on fobs: "H5.5" +* Tag has completely random EM410x ID from factory. +* Engravings on fobs: "H5.5" +* *If you set the EM ID to `3F0096F87E`, it will show up as T55x7 during `lf search`* ### H7 ^[Top](#top) @@ -101,9 +101,9 @@ Locking support cannot be described, as there is conflicting information (see [i #### Identify ^[Top](#top) -Tag has completely random EM410x ID from factory. - -Engravings on fobs: "H7" (stretched) +* Tag has completely random EM410x ID from factory. +* Engravings on fobs: "H7" (stretched) +* *If you set the EM ID to `3F0096F87E`, it will show up as T55x7 during `lf search`* ### OTP ^[Top](#top) 
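Review bot: in the NSCK-II hunk the command summary `54 [part 1b] [data 4b enc] [CRC]` does not match the trace, which shows only parts `03` and `04` (8 data bytes) for a 5-byte NSC ID of `5800000000`; say that the encoding of the data bytes is unknown rather than "enc", and note that parts 01/02 were not observed. Same heading-level problem as the Classic section: `### MIFARE Ultralight` is directly followed by `### MIFARE Ultralight, Copykey`. The "do you know why do the reviews of SID tag have image of proxmark3 pro?" aside is a question to the reader, not documentation; drop it or move it to a TODO. `#### Characteristics ^[Top](#top)` is missing the blank line before the list that the other sections have.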
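Review bot: in the russian_magic_notes hunks the identical `3F0096F87E` tip is presented under H5.5 and H7 as a detection method, but the commit message says the result is inconsistent (block 0 reads `E0158801`, downlink mode shows random values); that caveat belongs in the document text, not only in the commit message, and since both sections share it one note under the H series intro would avoid the duplication.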
From 9521ac3c6e8a9aad408249e6efdd61b33080a441 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Sat, 14 Oct 2023 12:09:00 +0300 Subject: [PATCH 13/26] Add names, add SID SID isn't MFC1K nor mifare, so it's an "Other tag". Added names for CUID (CAID, SUID) Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 45 +++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index b1e49f9ebf..89451efc8c 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md @@ -27,6 +27,7 @@ * [MIFARE Ultralight, Copykey](#mifare-ultralight-copykey) - [Other chips](#other-chips) * [NSCK-II](#nsck-ii) + * [SID](#sid) ## Low Frequency @@ -203,6 +204,9 @@ hf 14a info Sold as the general cloning tag. Behavior: possible to issue a regular write to block 0. +* Other names are: + - CAID + - SUID #### Identify ^[Top](#top) @@ -477,7 +481,7 @@ Parsing traces: **TODO** -* ZXUID, EUID, ICUID, M1-5A, SUID; TID, BOMB, SID? +* ZXUID, EUID, ICUID, M1-5A; TID, BOMB? * ~~Some cards exhibit a specific SAK=28?~~ Some chips have unusual properties, like SAK 28 (BOMB) or SAK 5A (M1-5A). We are yet to find out the special functions. * What we know: 
@@ -529,3 +533,42 @@ Parsing traces: - Write NSC UID: `54 [part 1b] [data 4b enc] [CRC]` - Tag replies: `A2 [CRC]` + +### SID +^[Top](#top) + +- Magic tag for Fudan FM1208-9 chips + +#### Characteristics +^[Top](#top) +- ISO14443-A tag +- ATQA-SAK: `0008`-`20` +- ATS: `10 78 80 A0 02 00 9D 46 16 40 00 A3 [UID]` +- Compared to real FM1208 chip: + - CLA byte is ignored + - Command parsing is irregular (some replies are wrong) + +#### Magic commands +^[Top](#top) + +**WARNING!!!** Risk of bricking tag - cause is unknown +- Below you can find a list of all INS bytes not present on real FM1208 chip, and what their output is when executed (P1, P2, Lc = 00) + - Results may vary between chips: +``` +INS | RES +0A | 44454641554C540000002018112840000000000000000000000000000000000000000000000000000000400000000000 +3B |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| 0000 +3D | 6700 +7D | Tag does not reply (if 0 Date: Mon, 16 Oct 2023 21:49:52 +0300 Subject: [PATCH 14/26] GTU->UMC, TCOS, corrections More coverage on 06A0 variant of UMC card (warning about password, warning about shadow mode). Added 14B magic TCOS card by Tianaxin. Not all commands present. Fixed some grammar mistakes. Removed garbage. Added missing definitions. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/magic_cards_notes.md | 57 +++++++++++++++++++--------- 1 file changed, 39 insertions(+), 18 deletions(-) diff --git a/doc/magic_cards/magic_cards_notes.md b/doc/magic_cards/magic_cards_notes.md index 55a54f1ea4..df322bb9ec 100644 --- a/doc/magic_cards/magic_cards_notes.md +++ b/doc/magic_cards/magic_cards_notes.md 
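Review bot: the SID INS sweep is published with "Risk of bricking tag - cause is unknown" but no record of what was sent when a tag bricked; state the CLA value actually used (the text says CLA is ignored, so name the one tested) and which INS was in flight, so others can avoid repeating it. The `7D` row ends mid-sentence (`Tag does not reply (if 0`), so the table appears truncated in the patch; and for the ATS `10 78 80 A0 02 00 9D 46 16 40 00 A3 [UID]`, TL=0x10 means the `[UID]` part must be 4 bytes, which is worth stating next to the ATQA/SAK line.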
@@ -33,11 +33,11 @@ Useful docs: * ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid) * ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid) - [ISO14443B](#iso14443b) - * [ISO14443B magic](#iso14443b-magic) + * [Tianaxin TCOS CPU card](#tianaxin-tcos-cpu-card) - [ISO15693](#iso15693) * [ISO15693 magic](#iso15693-magic) - [Multi](#multi) - * [Gen 4 GTU](#gen-4-gtu) + * [Gen 4 UMC](#gen-4-umc) # ISO14443A @@ -719,8 +719,6 @@ See `--uid` and `--full` ## MIFARE Ultralight EV1 DirectWrite ^[Top](#top) -aka UL2 - Similar to MFUL DirectWrite ### Identify @@ -802,10 +800,6 @@ hf 14a info * ATS: 0A78008102DBA0C119402AB5 * Anticol shortcut (CL1/3000): fails -**TODO** - -* UL-X, UL-Y, UL-Z, ULtra, UL-5 ? - # NTAG ^[Top](#top) @@ -929,7 +923,7 @@ Android compatible ### Characteristics ^[Top](#top) -* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything +* ATQA: 0008 - *This is not DESFire, 0008/20 is FM1208-9* * SAK: 20 * ATS: 0675338102005110 or 06757781028002F0 
@@ -974,12 +968,35 @@ hf 14a info # ISO14443B ^[Top](#top) -## ISO14443B magic +## Tianaxin TCOS CPU card ^[Top](#top) -No such card is available. +This is a card sold on Taobao for testing readers. +ISO14443-4 compliant. + +### Identify + +``` +hf 14a apdu -s 90B2900000 // Get Card OS version +>>> 90 B2 90 00 00 +<<< 54 43 4F 53 20 56 31 2E 34 2E 30 90 00 | TCOS V1.4.0.. +``` + +### Magic commands + +All commands in APDU. -Some vendor allow to specify an ID (PUPI) when ordering a card. +``` +CL IN P1 P2 Lc Data +90 F4 CC CC 01 [..1 ] // Change protocol used (1: ISO14443 [AA - type A, BB - type B]) +90 F6 CC CC 01 [TA1 ] // Change TA1 value (transfer speed) +90 F8 CC CC 01 [..1 ] // Use random UID/PUPI value (1: FF: static, AB: random) +90 F8 DD DD 01 [..1 ] // Set UID/PUPI length (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly)) +90 F8 EE EE 0B [... ] // Set UID/PUPI value (enter value here). To clear, use Lc=01; data=00. +90 FA CC CC 01 [FSCI] // Set FSCI (1: value 0-8) +90 FC CC CC 01 [SFGI] // Set SFGI (DO NOT SET TOO HIGH!) (1: value 0-E) +90 FE CC CC 01 [FWI ] // Set FWI (DO NOT SET BELOW 4!!!) (value 0-E) +``` # ISO15693 ^[Top](#top) @@ -1009,10 +1026,10 @@ script run hf_15_magic -u E004013344556677 # Multi ^[Top](#top) -## Gen 4 GTU +## Gen 4 UMC ^[Top](#top) -A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands. +A.k.a ultimate magic card, most prominent feature is shadow mode (GTU) and optional password protected backdoor commands. Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data 
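Review bot: the TCOS Identify step uses `hf 14a apdu` inside the ISO14443B section, which only works while the card is in type A mode (`90 F4 CC CC 01 AA`); state the factory default protocol and give the `hf 14b apdu` equivalent for type B mode. `90 F8 EE EE 0B [... ]` takes Lc=0B (11 data bytes) while the longest UID/PUPI the length command allows is 10 bytes, so the data layout (prefix byte? padding?) needs to be spelled out instead of `[... ]`. The vendor is spelled "Tianaxin" here and "Tiananxin" in a later patch of this series; pick one.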
@@ -1140,7 +1157,7 @@ CF CE <1b block number> // Backdoor read 16b block CF CF <1b param> // (De)Activate direct write to block 0 CF F0 <30b configuration data> // Configure all params in one cmd CF F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently -CF FE <4b new_password> // change password +CF FE <4b new_password> // change password (does not work on new) ``` Default ``: `00000000` @@ -1291,8 +1308,8 @@ Ultralight mode, 10b UID ### Set 14443B UID and ATQB ^[Top](#top) ^^[Gen4](#g4top) -*This command is not available for old gen4 tags. It will return `9000`, but no changes will take place.* -UID and ATQB are configured according to block0 with a (14a) backdoor write. +*This command is not available for old gen4 tags. It will return `9000`, but this tag cannot reply to REQB.* +UID and ATQB are configured according to block0 with a (14a) backdoor write to block 0. UID size is always 4 bytes. @@ -1402,10 +1419,12 @@ hf 14a raw -s -c -t 1000 CF32<1b param> ``` * `` * `00`: pre-write, shadow data can be written - * `01`: restore mode + * `01`: shadow mode + - WARNING: on new chips, this value is `04`. * `02`: disabled * `03`: disabled, high speed R/W mode for Ultralight? + ### Direct block read and write ^[Top](#top) ^^[Gen4](#g4top) @@ -1473,6 +1492,8 @@ Example: change password from AABBCCDD back to 00000000 hf 14a raw -s -c -t 1000 CFAABBCCDDFE00000000 ``` +WARNING: On new chips, issuing this command returns APDU error `6300`. Please write full config with F0 command instead. + ### Dump configuration ^[Top](#top) ^^[Gen4](#g4top) From fb4688ac60a9823b83b84e8b2f447fb38c2909fb Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 16 Oct 2023 21:57:37 +0300 Subject: [PATCH 15/26] QL88 update Is it.. not magic..? 4th tag tested with copykey. UID still NOT CHANGING!!! 
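Review bot: `CF FE <4b new_password> // change password (does not work on new)` leaves "new" undefined; write "new-revision UMC chips" and point to the `6300` warning added further down in this patch, which is the concrete symptom. In the shadow-mode list, `01: shadow mode` plus "on new chips, this value is 04" does not say what `01` does on new chips (ignored, or a different mode); make that explicit. In the 14443B UID hunk, "configured according to block0 with a (14a) backdoor write to block 0" repeats block 0, and "this tag cannot reply to REQB" should say "old gen4 tags cannot reply to REQB" to match the sentence it belongs to.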
Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards/chinese_magic_notes.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/doc/magic_cards/chinese_magic_notes.md b/doc/magic_cards/chinese_magic_notes.md index 89451efc8c..48d32725b6 100644 --- a/doc/magic_cards/chinese_magic_notes.md +++ b/doc/magic_cards/chinese_magic_notes.md @@ -403,16 +403,17 @@ hf mf gdmsetcfg ^[Top](#top) Sold for "QinLin Neighbor Technology" access control system. -The differences are presence of sector 17 and having SAK 88. +The differences are presence of sector 16, 17 and having SAK 88. #### Characteristics ^[Top](#top) -* SAK/ATQA: unknown -* BCC: unknown -* OTP/FUID chip +* UID/BCC/SAK/ATQA: not changable +* OTP/FUID chip (?) * PRNG: hard +* This is potentially a non-magic chip. + #### Identify ^[Top](#top) @@ -422,16 +423,14 @@ The differences are presence of sector 17 and having SAK 88. [+] Magic capabilities: QL88 ``` -Oops, the above is flawed. Some other "SAK88-IC" tags get detected as QL88. - -Sector 17 can be accessed using Key B: `707B11FC1481`. ~~Using it, other keys can be recovered.~~ Do not recover keys using this or run `hf 14a info` at all! - -For an unknown reason if you try to get any read access block 0 write protects itself. Without methods of recovery. *To be confirmed* +* Oops, the above is flawed. Some other "SAK88-IC" tags get detected as QL88. +* Sector 17 can be accessed using Key B: `707B11FC1481`. Using it, other keys can be recovered. #### Magic commands -- Block 0 can be written using direct write +- Block 0 cannot be written using direct write - No signature sector backdoor +- Sector 16 (`10`) present ### MIFARE Classic, FURUi detection (super) card ^[Top](#top) From c46f7f66e6bf573576e7fc15f22b59e486e898ef Mon Sep 17 00:00:00 2001 
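Review bot: typo in the Characteristics hunk: `not changable` should be `not changeable`. The hunk also silently drops the earlier warning that block 0 write-protects itself after a read attempt; if the four tested tags disproved it, say so in the text so nobody reinstates it. With fixed UID/BCC/SAK/ATQA, "Block 0 cannot be written using direct write" and "potentially a non-magic chip", the remaining "Magic commands" heading is misleading; rename it to "Observed behavior" and move the QL88 misdetection caveat ahead of the `hf 14a info` output.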
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 6 Nov 2023 12:38:55 +0300 Subject: [PATCH 16/26] Correction 0: remove akas My original idea was to add "aka ..." to all chips. Now however I think that this is probably not the smartest way to realize this. Probably going to add a subcategory. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 41d818a3d7..c49c97f524 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -109,8 +109,6 @@ UID 7b: ## MIFARE Classic Gen1A aka UID ^[Top](#top) -aka MF ZERO - ### Identify ^[Top](#top) @@ -270,8 +268,6 @@ hf 14a info ## MIFARE Classic Gen1A OTP/One Time Programming ^[Top](#top) -aka MF OTP 2.0 - Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command. Initial UID is 00000000 @@ -442,8 +438,6 @@ hf 14a reader ## MIFARE Classic DirectWrite, FUID version aka 1-write ^[Top](#top) -aka MF OTP - Same as MIFARE Classic DirectWrite, but block0 can be written only once. Initial UID is AA55C396 @@ -651,8 +645,7 @@ No implemented commands today **TODO** -* ZXUID, EUID, ICUID, KUID, HUID, RFUID ? -* Some cards exhibit a specific SAK=28 ?? +* ZXUID, EUID, ICUID, KUID? ## MIFARE Classic Super ^[Top](#top) @@ -874,8 +867,6 @@ See `--uid` and `--full` ## MIFARE Ultralight EV1 DirectWrite ^[Top](#top) -aka UL2 - Similar to MFUL DirectWrite ### Identify @@ -957,11 +948,6 @@ hf 14a info * ATS: 0A78008102DBA0C119402AB5 * Anticol shortcut (CL1/3000): fails -**TODO** - -* UL-X, UL-Y, UL-Z, ULtra, UL-5 ? - - # NTAG ^[Top](#top) From 9d7e4075bada6f95f85ba02fef231c26cb2fde86 Mon Sep 17 00:00:00 2001 
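Review bot: removing the `aka MF ZERO`, `aka MF OTP 2.0`, `aka MF OTP` and `aka UL2` lines before the replacement subcategory exists leaves an intermediate revision where those names appear nowhere in the document; either squash this with the follow-up that adds the "Other names" lists or keep the lines until then.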
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:21:59 +0300 Subject: [PATCH 17/26] Correction 1: add low frequency chips. Because why not. The market is no smaller. ID82xx is for China. H series is for Russia. Feel free to contribute! It'll help a lot. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 193 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 192 insertions(+), 1 deletion(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index c49c97f524..b02b890e85 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -8,7 +8,17 @@ Useful docs: # Table of Contents - +- [Low frequency](#low-frequency) + * [T55xx](#t55xx) + * [EM4x05](#em4x05) + * [ID82xx series](#id82xx-series) + * [ID8265](#id8265) + * [ID-F8268](#id-f8268) + * [K8678](#k8678) + * [H series](#h-series) + * [H1](#h1) + * [H5.5 / H7](h55--h7) + * [i57 / i57v2](#i57--i57v2) - [ISO14443A](#iso14443a) * [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic) - [MIFARE Classic](#mifare-classic) 
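Review bot: the TOC entry `[H5.5 / H7](h55--h7)` is missing the `#` in the link target, so it is a broken link; it should be `[H5.5 / H7](#h55--h7)` like the surrounding entries.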
@@ -44,6 +54,187 @@ Useful docs: * [Gen 4 GTU](#gen-4-gtu) +# Low frequency + +## T55xx +^[Top](#top) + +The temic T55xx/Atmel ATA5577 is the most commonly used chip for cloning LF RFIDs. + +A useful document can be found [here](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/T5577_Guide.md). + +### Characteristics + +* 28/24 bytes of user memory (without/with password) +* Universal output settings (data rate, modulation, etc) +* Password protection (4 bytes), usually "19920427" +* Lock bits per page +* Analog frontend setup +* Other names: + * 5577 + * 5200 (CN) + - Cut down version of T55xx chip (no analog frontend setup, no test mode support). + * H2 (RU) + - Seems to be renamed 5200 chip. + * RW125T5 (RU) +* Old variant "T5555" is hard to come across + +### Detect + +``` +[usb] pm3 --> lf search +... +[+] Chipset detection: T55xx +``` + +This will **not** work if you have a downlink mode other than fixed bit length! + +### Commands + +*See ATMEL ATA5577C datasheet for sending commands to chip* + +* **Do not mix "password read" and "regular write" commands! You risk potentially writing incorrect data. +* When replying, the chip will use the modulation and data rate specified in block 0. + +## EM4x05 +^[Top](#top) + +The EM4305 and EM4205 (and 4469/4569) chips are the 2nd most common used chips for cloning LF RFIDs. +It is also used by HID Global (but with a custom chip) for HIDProx credentials. + +### Characteristics + +* 36 bytes of user memory +* Output settings are limited (ASK only, FSK added on HID variant) +* Password protection (4 bytes), usually "84AC15E2" +* Lock page used +* Other names: + * H3 (RU) + * RW125EM (RU) + +### Detect + +``` +[usb] pm3 --> lf search +... +[+] Chipset detection: EM4x05 / EM4x69 +``` + +### Commands + +*See EM microelectronic EM4305 datasheet for sending commands to chip* + +## ID82xx series +^[Top](#top) + +These are custom chinese chips designed to clone EM IDs only. 
Often times, these are redesigned clones of Hitag chips. + +### ID8265 +^[Top](#top) + +This is the cheapest and most common ID82xx chip available. It is usually sold as T55xx on AliExpress, with excuses to use cloners. + +#### Characteristics + +* Chip is likely a Hitag μ (micro) +* Password protection (4b), usually "1AC4999C" +* Currently unimplemented in proxmark3 client +* Other names: + * ID8210 (CN) + * H-125 (CN) + * H5 (RU) + - The sales of "H5" have been ceased because "the chip was leaked". + +#### Detect + +``` +[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00011 -s 3000 +[usb] pm3 --> data plot +``` + +Check the green line of the plot. It must be a straight line at the end with no big waves. + +### ID-F8268 +^[Top](#top) + +This is an "improved" variant of ID82xx chips, bypassing some magic detection in China. + +#### Characteristics + +* Chip is likely a Hitag 1 +* Unsure whether password protection is used +* Currently unimplemeneted in proxmark3 client +* Other names: + - F8278 (CN) + - F8310 (CN) + +#### Detect + +``` +[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000 +[usb] pm3 --> data plot +``` + +Check the green line of the plot. It must be a straight line at the end with no big waves. + +### K8678 +^[Top](#top) + +This is an "even better" chip, manufactured by Hyctec. + +#### Characteristics + +* Chip is likely a Hitag S256 +* Plain mode used, no password protection +* Currently unimplemented in proxmark3 client +* Memory access is odd (chip doesnt reply to memory access commands for unknown reason) + +#### Detect + +``` +[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000 +[usb] pm3 --> data plot +``` + +Check the green line of the plot. It must be a straight line at the end with no big waves. + +## H series +^[Top](#top) + +These are chips sold in Russia, manufactured by iKey LLC. Often times these are custom. + +### H1 +^[Top](#top) + +Simplest EM ID cloning chip available. 
Officially discontinued. + +#### Characteristics + +* Currently almost all structure is unknown +* No locking or password protection + * "OTP" chip is same chip, but with EM ID of zeroes. Locked after first write +* Other names: + * RW64bit + * RW125FL + + +### H5.5 / H7 +^[Top](#top) + +First "advanced" custom chip with H naming. + +#### Characteristics + +* Currently all structure is unknown +* No password protection +* Only supported by Russian "TMD"/"RFD" cloners +* H7 is advertised to work with "Stroymaster" access control +* Setting ID to "3F0096F87E" will make the chip show up like T55xx + +### i57 / i57v2 + +\[ Chip is discontinued, no info \] + # ISO14443A ## Identifying broken ISO14443A magic From b8bcd72144edb420cd30246d6f79d2922000f7a0 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:35:41 +0300 Subject: [PATCH 18/26] Correction 2: 14b magic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's not what we want, eh.. but is there standartization in 14B, either way? Of course not. So make it the tiananxin(天安信) reader tester card. At least it is part 4 compliant Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index b02b890e85..39105f4e69 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md 
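Review bot: in the T55xx Commands list, `* **Do not mix "password read" and "regular write" commands!` opens bold without closing it, which will swallow the rest of the list in rendered markdown. The F8268 and K8678 Detect sections give the identical command (`-c W00110`), so the separate sections imply a distinction the check cannot make; say so. Spelling: `temic` (Temic), `chinese` (Chinese), `unimplemeneted`, `doesnt`. "The sales of H5 have been ceased because the chip was leaked" is unattributed hearsay; attribute it or drop it, and "Lock page used" under EM4x05 should say which page or words are locked.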
@@ -1309,9 +1309,37 @@ hf 14a info ## ISO14443B magic ^[Top](#top) -No such card is available. +### Tiananxin TCOS CPU card +^[Top](#top) + +This is a card sold on Taobao for testing readers. +ISO14443-4 compliant. + +### Identify + +``` +hf 14a apdu -s 90B2900000 // Get Card OS version +>>> 90 B2 90 00 00 +<<< 54 43 4F 53 20 56 31 2E 34 2E 30 90 00 | TCOS V1.4.0.. +``` + +### Magic commands + +All commands in APDU. + +``` +CL IN P1 P2 Lc Data +90 F4 CC CC 01 [..1 ] // Change protocol used (1: ISO14443 [AA - type A, BB - type B]) +90 F6 CC CC 01 [TA1 ] // Change TA1 value (transfer speed) +90 F8 CC CC 01 [..1 ] // Use random UID/PUPI value (1: FF: static, AB: random) +90 F8 DD DD 01 [..1 ] // Set UID/PUPI length (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly)) +90 F8 EE EE 0B [... ] // Set UID/PUPI value (enter value here). To clear, use Lc=01; data=00. +90 FA CC CC 01 [FSCI] // Set FSCI (1: value 0-8) +90 FC CC CC 01 [SFGI] // Set SFGI (DO NOT SET TOO HIGH!) (1: value 0-E) +90 FE CC CC 01 [FWI ] // Set FWI (DO NOT SET BELOW 4!!!) (value 0-E) +``` -Some vendor allow to specify an ID (PUPI) when ordering a card. +More commands to follow. Be careful with some. # ISO15693 ^[Top](#top) From 991eaf88f4f4acb91dce49c4992d2d9fdc98bbb1 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 6 Nov 2023 16:36:53 +0300 Subject: [PATCH 19/26] Correction 2 followup Removed useless header and added to Table of Contents Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 39105f4e69..d20ff7bd1f 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md 
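Review bot: `### Tiananxin TCOS CPU card` is placed under `## ISO14443B magic`, but its `### Identify` and `### Magic commands` headings sit at the same level as the card heading, so they read as sibling cards rather than subsections; either promote the card to `##` (as the follow-up patch does) or demote the subsections to `####`. This hunk also duplicates the table already added to doc/magic_cards/magic_cards_notes.md in PATCH 14 into doc/magic_cards_notes.md; keep one copy, or mark the other file as superseded, so the two do not drift. "More commands to follow. Be careful with some." names no command; say which of the listed ones are risky (the SFGI and FWI lines already carry warnings).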
@@ -47,7 +47,7 @@ Useful docs: * ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid) * ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid) - [ISO14443B](#iso14443b) - * [ISO14443B magic](#iso14443b-magic) + * [Tiananxin TCOS CPU card](#tiananxin-tcos-cpu-card) - [ISO15693](#iso15693) * [ISO15693 magic](#iso15693-magic) - [Multi](#multi) @@ -1306,10 +1306,7 @@ hf 14a info # ISO14443B ^[Top](#top) -## ISO14443B magic -^[Top](#top) - -### Tiananxin TCOS CPU card +## Tiananxin TCOS CPU card ^[Top](#top) This is a card sold on Taobao for testing readers. From 229287f9666eeea125e229f792652725ef226e48 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Mon, 6 Nov 2023 23:08:56 +0300 Subject: [PATCH 20/26] Correction 3: add data to classic chips Added AKAs. Renamed some points (otp2). Filled up USCUID (previous GDM). Added Furui supercard. More to come.. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 302 +++++++++++++++++++++++++-------------- 1 file changed, 197 insertions(+), 105 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index d20ff7bd1f..254440412c 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md 
@@ -25,13 +25,12 @@ Useful docs: * [MIFARE Classic block0](#mifare-classic-block0) * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid) * [MIFARE Classic Gen1B](#mifare-classic-gen1b) - * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming) + * [MIFARE Classic OTP2](#mifare-classic-otp2) * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid) * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write) - * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version) - * [MIFARE Classic, other versions](#mifare-classic-other-versions) * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu) - * [MIFARE Classic Gen4 aka GDM](#mifare-classic-gen4-aka-gdm) + * [MIFARE Classic USCUID](#mifare-classic-uscuid) + * [MIFARE Classic, other versions](#mifare-classic-other-versions) * [MIFARE Classic Super](#mifare-classic-super) - [MIFARE Ultralight](#mifare-ultralight) * [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02) @@ -300,6 +299,9 @@ UID 7b: ## MIFARE Classic Gen1A aka UID ^[Top](#top) +* Other names: + - ZERO (RU) + ### Identify ^[Top](#top) @@ -456,14 +458,17 @@ hf 14a info * Read: `40(7)`, `30xx` * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc -## MIFARE Classic Gen1A OTP/One Time Programming +## MIFARE Classic OTP2 ^[Top](#top) Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command. -Initial UID is 00000000 +### Characteristics -All bytes are 00 from factory wherever possible. +* Initial UID is 00000000 +* BCC: unknown +* SAK/ATQA: fixed +* All bytes are 00 from factory wherever possible. ### Identify ^[Top](#top) @@ -474,6 +479,7 @@ Only possible before personalization. hf 14a info ... [+] Magic capabilities : Gen 1a +[+] Prng detection: hard ``` ### Magic commands 
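Review bot: in the OTP2 hunk (`@@ -456,14 +458,17 @@`), the new `### Characteristics` block is the only subsection without a `^[Top](#top)` line under its heading; add it for consistency with `### Identify` directly below. `BCC: unknown` is also ambiguous: the equivalent entries elsewhere in this file say whether the BCC is computed or read from block 0 (`BCC: computed`, `BCC: read from memory, beware!`), and for the factory UID 00000000 the value itself is trivially 00, so spell out which property is unknown.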
@@ -486,6 +492,11 @@ hf 14a info (also referred as MCT compatible by some sellers) +* Other names: + * MF-8 (RU) + * MF3 (RU) + - What's so special about this chip in particular..? + ### Identify ^[Top](#top) @@ -631,12 +642,17 @@ hf 14a reader Same as MIFARE Classic DirectWrite, but block0 can be written only once. -Initial UID is AA55C396 +* Other names: + - OTP (RU) + +### Characteristics + +* Initial UID is AA55C396 ### Identify ^[Top](#top) -Only possible before personalization. +Only possible before personalization. *It is also possible after, but unknown how.* ``` hf 14a info @@ -644,28 +660,6 @@ hf 14a info [+] Magic capabilities : Write Once / FUID ``` -## MIFARE Classic DirectWrite, UFUID version -^[Top](#top) - -Same as MIFARE Classic DirectWrite, but block0 can be locked with special command. - -### Identify -^[Top](#top) - -**TODO** - -### Proxmark3 commands -^[Top](#top) - -To lock definitively block0: -``` -hf 14a raw -a -k -b 7 40 -hf 14a raw -k 43 -hf 14a raw -k -c e000 -hf 14a raw -k -c e100 -hf 14a raw -c 85000000000000000000000000000008 -``` - ## MIFARE Classic Gen3 aka APDU ^[Top](#top) 
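Review bot: in the Gen2 alias hunk (`@@ -486,6 +492,11 @@`), the nested item `- What's so special about this chip in particular..?` is an open question left in the document body; either answer it, mark it `**TODO**` as the file does elsewhere, or drop it. The nested markers also mix `*` and `-` under one parent, unlike the Gen1A alias list in this same patch, which uses `-` for the nested level.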
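Review bot: in the FUID hunk (`@@ -631,12 +642,17 @@`), `Only possible before personalization. *It is also possible after, but unknown how.*` contradicts itself: the two sentences say identification after personalization is and is not possible. Rephrase to what is actually known, for example `Reliable identification is only known before personalization; a post-personalization method is reported but not documented (TODO).` The new `### Characteristics` heading also lacks the `^[Top](#top)` line every other subsection carries.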
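Review bot: deleting the UFUID section (`@@ -644,28 +660,6 @@`) drops the only documented procedure for its block0 lock (`hf 14a raw -a -k -b 7 40`, `hf 14a raw -k 43`, the `e000`/`e100` config read/write, then the `85000000000000000000000000000008` write), and the new USCUID section only lists UFUID in its Variations table with the remark that its config read and write commands are flipped. Either carry that command sequence into the USCUID Proxmark3 commands subsection (with the flipped E0/E1 caveat) or state explicitly that the generic USCUID configuration write covers it; as it stands, a reader who relied on this section loses the information without a pointer.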
@@ -739,85 +733,133 @@ hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000 hf 14a raw -s -c 90FD111100 ``` -## MIFARE Classic Gen4 aka GDM +## MIFARE Classic USCUID ^[Top](#top) -Tag has shadow mode enabled from start. -Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds -off rfid field. -Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory. - -The persistent memory is also writable. For that tag uses its own backdoor commands. -for example to write, you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000. -Then send the data to be written. - -This tag has simular commands to the [UFUID](#mifare-classic-directwrite-ufuid-version) -This indicates that both tagtypes are developed by the same person. - -**OBS** - -When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag. - -**OBS** - -It is possible to write a configuration that perma locks the tag, i.e. no more magic - -### Identify ^[Top](#top) -``` -hf 14a info -... -[+] Magic capabilities : Gen 4 GDM -``` -### Magic commands -^[Top](#top) +TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85. +All of the known tags using this, except for Ultralight tags, are listed here. -* Auth: `80xx`+crc -* Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc -* Read config: `E000`+crc -* Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc +You cannot turn a Classic tag into an Ultralight and vice-versa! ### Characteristics ^[Top](#top) -* Have no knowledge in ATQA/SAK/BCC quirks or if there is a wipe, softbrick recover -* Its magic part seem to be three identified custom command. -* Auth command 0x80, with the key 0x0000000000, Write 0xA8 allows writing to persistent memory, Read 0xE0 which seems to return a configuration. This is unknown today what these bytes are. 
- -Read config: -1. sending custom auth with all zeros key -2. send 0xE000, will return the configuration bytes. -`results: 850000000000000000005A5A00000008` - +* UID: 4/7 bytes +* ATQA: always read from block 0 +* SAK: read from backdoor or configuration +* BCC: read from memory, beware! +* ATS: no/unknown -Mapping of configuration bytes so far: -``` -850000000000000000005A5A00000008 - ^^ --> SAK -``` - -Write config: -1. sending custom auth with all zeros key -2. send 0xE100 -3. send 16 bytes - -**Warning** - -Example of configuration to Perma lock tag: -`85000000000000000000000000000008` - - -It is unknown what kind of block 0 changes the tag supports -* UID: 4b -* ATQA/SAK: unknown -* BCC: unknown -* ATS: none - -### Proxmark3 commands +### Magic commands ^[Top](#top) -``` -# Write to persistent memory + +* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]` + - Backdoor read: `38xx+crc` + - Backdoor write: `A8xx+crc`, `[16 bytes data]+crc` + + - Read configuration: `E000+crc` + - Write configuration: `E100+crc`; `[16 bytes data]+crc` +* Magic wakeup (A: 00): `40(7)`, `43` +* Magic wakeup (B: 85): `20(7)`, `23` + - Backdoor read main block: `30xx+crc` + - Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc` + - Read hidden block: `38xx+crc` + - Write hidden block: `A8xx+crc`, `[16 bytes data]+crc` + + - Read configuration: `E000+crc` + - Write configuration: `E100+crc` + + **DANGER** + - Set main memory and config to 00 `F000+crc` + - Set main memory and config to FF `F100+crc` + - Set main memory and config to 55 (no 0A response) `F600+crc` + - Set backdoor memory to 00 `F800+crc` + - Set backdoor memory to FF `F900+crc` + - Set backdoor memory to 55 (no 0A response) `FE00+crc` + +### USCUID configuration guide +^[Top](#top) + +1. Configuration +``` +85000000000000000000000000000008 + ^^^^^^ ^^ ^^ >> ??? Mystery ??? 
+^^^^ >> Gen1a mode (works with bitflip) + ^^ >> Magic wakeup command (00 for 40-43; 85 for 20-23) + ^^ >> Block use of Key B if readable by ACL + ^^ >> CUID mode + ^^ >> MFC EV1 CL2 Perso config* + ^^ >> Shadow mode** + ^^ >> Magic Auth command + ^^ >> Static encrypted nonce mode + ^^ >> Signature sector + ^^ >> SAK*** + +To enable an option, set it to 5A. +* 5A - unfused F0. C3 - F0: CL2 UID; A5 - F1: CL2 UID with anticollision shortcut; 87 - F2: CL1 Random UID; 69 - F3: CL1 non-UID. Anything else is going to be ignored, and set as 4 bytes. +** Do not change the real ACL! Backdoor commands only acknowledge FF0780. To recover, disable this byte and issue regular write to sector trailer. +*** If perso byte is enabled, this SAK is ignored, and hidden SAK is used instead. +``` +* Gen1a mode: Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras. +* Magic wakeup command: Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23. +* Block use of Key B if readable by ACL: Per the MF1ICS50 datasheet, if Key B is readable by the ACL, using it shall give a Cmd Error 04. This option controls whether it happens or not. +* CUID mode: Allow direct write to block 0, instead of giving Cmd Error 04. +* MFC EV1 CL2 Perso config: When configured, the tag behaves like a real Mifare Classic EV1 7B UID tag, and reads UID from backdoor blocks. Otherwise, the tag acts like a 4 byte tag. +* Shadow mode: Writes to memory persisting in tag RAM. As soon as no power is left, the contents are restored to saved data. +* Magic Auth Command: Acknowledge command `8000` after selection, and call for Crypto1 auth with key `000000000000`. +* Static encrypted nonce mode: Use static encrypted nonces for authentication, making key recovery impossible. +* Signature sector: Acknowledge auth commands to sector 17, which is stored in backdoor sector 1. +* SAK: If perso byte is not set, after UID select, send this value. 
+ + +2. Backdoor blocks +``` + +Sector 0 +88 04 BD E5 D4 04 6A BB 5B 80 0A 08 44 00 00 00 - Block 0: Perso F0, F1 data +^^ ^^ ^^ ^^ - UID0 + ^^ - BCC0 + ^^ - SAK0 (0x04 to call for CL2) + ^^ ^^ ^^ ^^ - UID1 + ^^ - BCC1 + ^^ - SAK1 + ^^ ^^ ^^ ^^ - Unused +04 BD E5 6A 36 08 00 00 00 00 00 00 00 00 00 00 - Block 1: Perso F3 data +^^ ^^ ^^ ^^ - UID0 + ^^ - BCC0 + ^^ - SAK0 + ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ - Unused +Block 2: unused +Block 3: ignored (custom keys, acl; broken acl ignored - anticollision will still work) +Sector 1 +[Signature sector (#17) - needs config byte 13 (from 0) enabled to allow auth] +Sectors 2-15 +[Unused] +``` + +### Variations +^[Top](#top) +| Factory configuration | Name | +| --- | --- | +| 850000000000000000005A5A00000008 | GDMIC | +| 850000000000005A0000005A5A5A0008 | UCUID | +| 8500000000005A00005A005A005A0008 | "7 byte hard" | +| 7AFF850102015A00005A005A005A0008 | M1-7B | +| 7AFF85000000000000FF000000000008 | FUID | +| 7AFF000000000000BAFA358500000008 | PFUID | +| 7AFF000000000000BAFA000000000008 | UFUID | + +*Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s). + +*Read and write config commands are flipped + +#### Proxmark3 commands +^[Top](#top) +``` +Using magic auth: +# Write to persistent memory: hf mf gdmsetblk # Read configuration (0xE0): @@ -843,7 +885,7 @@ No implemented commands today It behaves like regular Mifare Classic but records reader auth attempts. -#### MIFARE Classic Super Gen1 +### MIFARE Classic Super Gen1 ^[Top](#top) Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands. 
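Review bot: in the USCUID hunk (`@@ -739,85 +733,133 @@`), the configuration diagram's sample value `85000000000000000000000000000008` has both the Gen1a mode byte and the Magic Auth command byte at 00, which per the option list below it disables both ways of reaching the backdoor and the configuration; the deleted text called exactly this value the perma-lock config, but the new section never says that writing a configuration with both of those bytes cleared leaves a tag that can no longer be reconfigured. Add that warning next to `Write configuration` and to the **DANGER** list, and say whether the `F000`/`F100`/`F600` erase commands, which also overwrite the config, are recoverable via the other wakeup path. Formatting: there is no blank line between `^[Top](#top)` and the Variations table header row, so the table may not render as a table; the footnote marker on `PFUID*` collides with markdown emphasis, so `*Read and write config commands are flipped` renders with a literal asterisk (use a numbered footnote or a parenthesised note); and the blank lines inside the Magic wakeup sub-lists split one list into several.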
@@ -868,19 +910,19 @@ Backdoor commands provided over APDU. Format: 👉 You can't change UID with backdoor command if incorrect data is written to the 0 sector trailer! -#### MIFARE Classic Super Gen1B +### MIFARE Classic Super Gen1B DirectWrite card, ATS unknown. Probably same as Gen1, except backdoor commands. Implementation: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c -#### MIFARE Classic Super Gen2 +### MIFARE Classic Super Gen2 ^[Top](#top) New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces. -Card always answer `ff ff ff ff` to auth, so writing/reading it via Mifare protocol is impossible. +Card always answers `ff ff ff ff` as `at`, so reading/writing it via Mifare protocol is impossible. -UID is changeable via Gen4 backdoor write to 0 block. +UID is changeable via UMC backdoor write to 0 block. * UID: 4b and 7b versions * ATQA/SAK: fixed 
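Review bot: in the Super Gen2 hunk (`@@ -868,19 +910,19 @@`), `UID is changeable via UMC backdoor write to 0 block.` introduces the name UMC, but in this patch the corresponding section is still headed `Gen 4 GTU`, the TOC has no UMC entry, and the very next context line still says `Gen4 commands available:`; use one name and link it (`[Gen 4 GTU](#gen-4-gtu)` now, or `[UMC](#umc)` once that heading exists). Separately, `answers \`ff ff ff ff\` as \`at\`` is better than the old wording, but `at` is not defined anywhere in the file (the Furui trace layout labels nt, nr and ar only); say that this is the tag's 4-byte authentication reply.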
@@ -891,12 +933,53 @@ Gen4 commands available: ``` CF 34 <1b length><0-16b ATS> // Configure ATS -CF CC // Factory test, returns 00 00 00 02 AA +CF CC // Version information, returns 00 00 00 02 AA CF CD <1b block number><16b block data> // Backdoor write 16b block CF CE <1b block number> // Backdoor read 16b block CF FE <4b new_password> // Change password ``` +### MIFARE Classic Super Furui +^[Top](#top) + +#### Characteristics +^[Top](#top) + +* SAK/ATQA: play blindly the block0 bytes, beware! +* BCC: play blindly the block0 BCC bytes, beware! +* PRNG: hard + +**!!!WARNING!!!** This tag can die for no reason (no reply to WUPA/REQA). We don't know why this happens. + +#### Identify +^[Top](#top) + +``` +[usb] pm3 --> hf 14a raw -sct 250 AAA500000000000000000000000000000000 +[+] 90 00 +``` + +#### Magic commands +^[Top](#top) + +* Configure: `AAA5[16 byte config]`+crc +* Write block 0: `AAA4[4b UID][1b BCC][1b SAK][2b ATQA reversed]0000000000000000`+crc +* Recover trace: `AAA8[00/01][00-08]`+crc + +Caution: tag does not append CRC to magic responses! + +Please use config as 00 bytes. + +Parsing traces: +``` +44 33 22 11 03 61 08 68 7A C7 4B 62 43 A6 11 6F 64 F3 +^^ ^^ ^^ ^^ -- UID + ^^ ^^ -- auth command, reversed + ^^ ^^ ^^ ^^ -- Auth (nt) + ^^ ^^ ^^ ^^ -- Auth (nr) + ^^ ^^ ^^ ^^ -- Auth (ar) +``` + ### Identify ^[Top](#top) @@ -908,6 +991,15 @@ hf 14a info [+] Magic capabilities : Super card (Gen ?) ``` +### Proxmark3 commands + +``` +[usb] pm3 --> hf mf supercard +... + +[usb] pm3 --> hf mf supercard --furui +... +``` # MIFARE Ultralight ^[Top](#top) From b30b7e50422da1010bf2c2eebe60a937350780ba Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 7 Nov 2023 22:22:06 +0300 Subject: [PATCH 21/26] Correction 4: ultralight updated, CN Copykey password added Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 1 + 1 file changed, 1 insertion(+) 
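Review bot: in the Furui hunk (`@@ -891,12 +933,53 @@`), the `#### Identify` command `hf 14a raw -sct 250 AAA500000000000000000000000000000000` is the `AAA5[16 byte config]` configure command with an all-zero config, so identifying the tag is a write that changes its configuration; say so explicitly, and since `Please use config as 00 bytes.` gives no meaning for the 16 bytes, state that only the all-zero config is known to work. `Recover trace: AAA8[00/01][00-08]` leaves both parameters unexplained (what the first byte selects and whether the second is a trace index), and `Caution: tag does not append CRC to magic responses!` belongs next to the Identify block, where the `[+] 90 00` reply is shown without a CRC.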
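Review bot: the new `### Proxmark3 commands` heading (`@@ -908,6 +991,15 @@`), like the existing `### Identify` just above it, now sits at the same level as `### MIFARE Classic Super Gen1`, `### MIFARE Classic Super Gen2` and `### MIFARE Classic Super Furui` after this patch promoted those from `####`, so Identify and Proxmark3 commands read as two more card variants instead of subsections common to all of them; either demote the variants back or give the common subsections their own parent. The heading also lacks the `^[Top](#top)` line, and the `...` placeholders leave unclear what `hf mf supercard --furui` is expected to print; one line of expected output would help.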
diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 254440412c..5a73a42766 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -1022,6 +1022,7 @@ Int is internal, typically 0x48 Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C +Some cards have a password: `B6AA558D`. Usually "copykey" chips. ## MIFARE Ultralight Gen1A ^[Top](#top) From b79956b4641084a48c4a7679cdaa0dd382f369c2 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 8 Nov 2023 22:02:02 +0300 Subject: [PATCH 22/26] Correction 5: russian ultralight chips added Also I added the DF 4b as fm1208-9..? why? Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 86 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 83 insertions(+), 3 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 5a73a42766..b3dc8c397d 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -39,6 +39,11 @@ Useful docs: * [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite) * [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a) * [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite) + * [UL series (RU)](#ul-series-ru) + * [UL-Y](#ul-y) + * [ULtra](#ultra) + * [UL-5](#ul-5) + * [UL, other chips](#ul-other-chips) - [NTAG](#ntag) * [NTAG213 DirectWrite](#ntag213-directwrite) * [NTAG21x](#ntag21x) 
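Review bot: in the copykey hunk (`@@ -1022,6 +1022,7 @@`), `Some cards have a password: \`B6AA558D\`. Usually "copykey" chips.` should say what the password is for (the Ultralight EV1/NTAG password authentication, PWD_AUTH) and give the corresponding PACK if known; otherwise a reader cannot tell whether this is a PWD_AUTH value or a magic backdoor secret. The sentence is also inserted directly above `## MIFARE Ultralight Gen1A` with no blank line; add one.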
@@ -1297,6 +1302,80 @@ Anticol shortcut (CL1/3000): fails script run hf_mfu_magicwrite -h ``` +## UL series (RU) +^[Top](#top) + +Custom chips, manufactured by iKey LLC for cloning Ultralight tags. + +### UL-Y +^[Top](#top) + +^[Top](#top) + +Ultralight magic, 16 pages. Recommended for Vizit RF3.1 with markings "3.1" or "4.1". +Behavior: allows writes to page 0-2. + +#### Identify +^[Top](#top) + +``` +hf mfu rdbl --force -b 16 +hf 14a raw -sct 250 60 +``` +If tag replies with +`Cmd Error: 00` +`00 00 00 00 00 00 00 00` +then it is UL-Y. + +### ULtra +^[Top](#top) + +Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page. +Behavior: allows writes to page 0-2. + +#### Identify +^[Top](#top) + +``` +hf mfu info +... +[=] TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000 +[=] --- Tag Version +[=] Raw bytes: 00 34 21 01 01 00 0E 03 +``` + +Remember that this is not a reliable method of identification, as it interferes with locked [UL-5](#mifare-ul-5). + +### UL-5 +^[Top](#top) + +Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page and if [ULtra](#mifare-ultra) has failed. + +Behavior: similar to Ultra, but after editing page 0, tag becomes original Mifare Ultralight EV1. + +**WARNING!** When using UL-5 to clone, write UID pages in inverse (from 2 to 0) and do NOT make mistakes! This tag does not allow reversing one-way actions (OTP page, lock bits). + +#### Identify +^[Top](#top) + +``` +hf mfu info +[=] UID: AA 55 C3 A1 30 61 80 +TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000 +[=] --- Tag Version +[=] Raw bytes: 00 34 21 01 01 00 0E 03 +``` + +After personalization it is not possible to identify UL-5. + +Some chips have UID of `AA 55 C3 A4 30 61 80`. + +### UL, other chips + +**TODO** + +UL-X, UL-Z - ? + # DESFire ^[Top](#top) 
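Review bot: in the UL series hunk (`@@ -1297,6 +1302,80 @@`), the cross-links `[UL-5](#mifare-ul-5)` and `[ULtra](#mifare-ultra)` point at anchors that do not exist; the headings are `### UL-5` and `### ULtra`, so the anchors are `#ul-5` and `#ultra`, as the table-of-contents hunk in this same patch already uses. Also: `### UL-Y` has two `^[Top](#top)` lines; the UL-Y Identify block lists two commands (`hf mfu rdbl --force -b 16` and `hf 14a raw -sct 250 60`) and two replies (`Cmd Error: 00`, `00 00 00 00 00 00 00 00`) without saying which reply belongs to which command; in the UL-5 Identify output the `TAG IC Signature` line is missing the `[=]` prefix the other lines have; and `41 page` should read `41 pages`.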
@@ -1354,7 +1433,8 @@ Android compatible ### Characteristics ^[Top](#top) -* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything +* ATQA: 0008 + * This is FM1208-9, NOT DESFire! * SAK: 20 * ATS: 0675338102005110 or 06757781028002F0 @@ -1422,8 +1502,8 @@ CL IN P1 P2 Lc Data 90 F4 CC CC 01 [..1 ] // Change protocol used (1: ISO14443 [AA - type A, BB - type B]) 90 F6 CC CC 01 [TA1 ] // Change TA1 value (transfer speed) 90 F8 CC CC 01 [..1 ] // Use random UID/PUPI value (1: FF: static, AB: random) -90 F8 DD DD 01 [..1 ] // Set UID/PUPI length (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly)) -90 F8 EE EE 0B [... ] // Set UID/PUPI value (enter value here). To clear, use Lc=01; data=00. +90 F8 DD DD 01 [..1 ] // Set UID length (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly)) +90 F8 EE EE 0B [... ] // Set UID/PUPI value (FF+enter UID value here). To clear, use Lc=01; data=00. 90 FA CC CC 01 [FSCI] // Set FSCI (1: value 0-8) 90 FC CC CC 01 [SFGI] // Set SFGI (DO NOT SET TOO HIGH!) (1: value 0-E) 90 FE CC CC 01 [FWI ] // Set FWI (DO NOT SET BELOW 4!!!) (value 0-E) From 53a5c40d11dd8327d23a54b9aea900561d920d12 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 8 Nov 2023 22:02:41 +0300 Subject: [PATCH 23/26] Correction 5 followup Oh no, one extra ^Top! No biggie. Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index b3dc8c397d..b531066c73 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -1310,8 +1310,6 @@ Custom chips, manufactured by iKey LLC for cloning Ultralight tags. ### UL-Y ^[Top](#top) -^[Top](#top) - Ultralight magic, 16 pages. Recommended for Vizit RF3.1 with markings "3.1" or "4.1". Behavior: allows writes to page 0-2. 
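Review bot: in `@@ -1354,7 +1433,8 @@`, `This is FM1208-9, NOT DESFire!` is added under a section still titled `"DESFire" APDU, 4b UID` inside the `# DESFire` chapter, so the heading now contradicts its first characteristic; rename or move the section. Since the ATQA/SAK pair `0008`/`20` is the identifying detail, keep `ATQA: 0008` and `SAK: 20` as plain entries and put the FM1208-9 correction in the section's introduction rather than as a sub-bullet of ATQA.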
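Review bot: in `@@ -1422,8 +1502,8 @@`, `90 F8 EE EE 0B [... ] // Set UID/PUPI value (FF+enter UID value here)` now explains the 11-byte Lc as a leading FF plus a 10-byte value, but the length command `90 F8 DD DD` accepts 04, 07 and 0A; state whether Lc stays 0B with the unused bytes padded for 4- and 7-byte UIDs or shrinks to 05/08, and whether the leading FF is the same static flag as in `90 F8 CC CC` (FF: static, AB: random) or only a marker byte.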
From 1768a47f6c3bd3fea2da0f63ee8fc7fe8876161c Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 8 Nov 2023 22:28:54 +0300 Subject: [PATCH 24/26] Correction 3 followup Another one... Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index b531066c73..ca56b043a2 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -741,8 +741,6 @@ hf 14a raw -s -c 90FD111100 ## MIFARE Classic USCUID ^[Top](#top) -^[Top](#top) - TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85. All of the known tags using this, except for Ultralight tags, are listed here. From ae6c62e037c3ce29a674362b854bdb3a4c917e49 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Wed, 8 Nov 2023 22:43:58 +0300 Subject: [PATCH 25/26] Correction 6: smartcards Are we.. done yet? QL88... Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 93 +++++++++++++++++++++++++++++++++++----- 1 file changed, 83 insertions(+), 10 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index ca56b043a2..48605beb86 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -55,8 +55,10 @@ Useful docs: - [ISO15693](#iso15693) * [ISO15693 magic](#iso15693-magic) - [Multi](#multi) - * [Gen 4 GTU](#gen-4-gtu) - + * [UMC](#umc) +- [Other](#other) + * [SID](#sid) + * [NSCK-II](#nsck-ii) # Low frequency @@ -1535,7 +1537,7 @@ script run hf_15_magic -u E004013344556677 # Multi ^[Top](#top) -## Gen 4 GTU +## UMC ^[Top](#top) A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands. 
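Review bot: renaming the TOC entry `Gen 4 GTU` to `UMC` (`@@ -55,8 +55,10 @@`) changes the section anchor from `#gen-4-gtu` to `#umc`; the section's own `^^[Gen4](#g4top)` links use the separate `#g4top` anchor and are unaffected, but any remaining in-body link to `#gen-4-gtu` would now dangle, so grep for the old anchor. The new `- [Other](#other)` block also lists `NSCK-II`; make sure a body section with exactly that heading lands in the same patch, otherwise the TOC link dangles.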
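Review bot: while renaming this heading (`@@ -1535,7 +1537,7 @@`), fix the typo `promenent` in the unchanged context line `most promenent feature is shadow mode (GTU)`, and consider keeping `Gen 4 GTU` as an alias in that sentence, since the rest of the section and the Proxmark3 output it quotes (`Magic capabilities : Gen 4 GTU`) still use the old name.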
@@ -1568,6 +1570,8 @@ Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data 👉 **TODO** If the password is not default, Tag doesn't get identified correctly by latest Proxmark3 client (it might get mislabeled as MFC Gen2/CUID, Gen3/APDU or NTAG21x Modifiable, depending on configured UID/ATQA/SAK/ATS) +👉 **TODO** Using C6 command can change config due to a bug in some cards. CC should be used instead. + ``` hf 14a info [+] Magic capabilities : Gen 4 GTU @@ -1660,7 +1664,7 @@ CF 69 <00-01> // (De)Activate Ultralight mode CF 6A <00-03> // Select Ultralight mode CF 6B <1b> // Set Ultralight and M1 maximum read/write sectors CF C6 // Dump configuration -CF CC // Factory test, returns 6666 for generic card, 02AA for limited functionality card and 06A0 for broken functionality card +CF CC // Version info, returns `00 00 00 [03 A0 (old) / 06 A0 (new) ]` CF CD <1b block number><16b block data> // Backdoor write 16b block CF CE <1b block number> // Backdoor read 16b block CF CF <1b param> // (De)Activate direct write to block 0 @@ -1675,10 +1679,10 @@ Default ``: `00000000` * UID: 4b, 7b and 10b versions * ATQA/SAK: changeable -* BCC: auto +* BCC: computed * ATS: changeable, can be disabled -* Card Type: changeable -* Shadow mode: GTU +* Card Type: changeable +* Shadow mode: GTU * Backdoor password mode ### Proxmark3 commands @@ -1817,9 +1821,9 @@ Ultralight mode, 10b UID ### Set 14443B UID and ATQB ^[Top](#top) ^^[Gen4](#g4top) -UID and ATQB are configured according to block0 with a (14a) backdoor write. - -UID size is always 4 bytes. +* UID and ATQB are configured according to block0 with a (14a) backdoor write. +* UID size is always 4 bytes. +* 14B will show up only on new cards. Example: ``` 
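Review bot: `Using C6 command can change config due to a bug in some cards. CC should be used instead.` (`@@ -1568,6 +1570,8 @@`) is not a like-for-like substitute: per the command list in this same file, `CF C6` dumps the configuration while `CF CC` returns version information, so CC cannot replace C6 for reading the config. Say what CC should be used for (identification), whether there is any safe way to dump the configuration on the affected cards, and which cards are affected if known. The `👉 **TODO**` marker is also used here as a warning rather than a to-do; the file's `**WARNING**` form fits better.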
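Review bot: the rewritten `CF CC` line (`@@ -1660,7 +1664,7 @@`) replaces `returns 6666 for generic card, 02AA for limited functionality card and 06A0 for broken functionality card` with `00 00 00 [03 A0 (old) / 06 A0 (new) ]`, silently dropping the `66 66` and `02 AA` responses, and `02 AA` is still documented earlier in this file as the Super Gen2 `CF CC` reply. If those values identify other card classes, keep them or cross-reference the Super Gen2 section, and explain why `06 A0` moves from meaning broken functionality to meaning a new card, since the two descriptions contradict each other as written.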
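Review bot: `14B will show up only on new cards.` (`@@ -1817,9 +1821,9 @@`) leaves new undefined; tie it to the `CF CC` version reply this patch documents (`03 A0` old, `06 A0` new) so a reader can check which card they have before relying on the 14443B UID and ATQB settings.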
@@ -2129,3 +2133,72 @@ hf mfu wrbl -b 250 -d 00040402 --force hf mfu wrbl -b 251 -d 01001303 --force hf mfu info ``` + +# Other +^[Top](#top) + +These are chips to clone other ICs. Usually the originals are only sold in China. + +## SID +^[Top](#top) + +- Magic tag for Fudan FM1208-9 chips + +### Characteristics +^[Top](#top) +- ISO14443-A tag +- ATQA-SAK: `0008`-`20` +- ATS: `10 78 80 A0 02 00 9D 46 16 40 00 A3 [UID]` +- Compared to real FM1208 chip: + - CLA byte is ignored + - Command parsing is irregular (some replies are wrong) + +### Magic commands +^[Top](#top) + +**WARNING!!!** Risk of bricking tag - cause is unknown +- Below you can find a list of all INS bytes not present on real FM1208 chip, and what their output is when executed (P1, P2, Lc = 00) + - Results may vary between chips: +``` +INS | RES +0A | 44454641554C540000002018112840000000000000000000000000000000000000000000000000000000400000000000 +3B |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| 0000 +3D | 6700 +7D | Tag does not reply (if 0
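Review bot: the new `## SID` section (`@@ -2129,3 +2133,72 @@`) and the `"DESFire" APDU, 4b UID` section now describe the same chip (both say FM1208-9 with ATQA `0008` and SAK `20`) without referencing each other; cross-link them or merge them. In the Magic commands list, the INS table is introduced by a bullet ending in a colon and a sub-bullet ending in a colon, which leaves the fenced block orphaned from the list structure. Since the section opens with `**WARNING!!!** Risk of bricking tag - cause is unknown`, say whether any of the listed INS bytes were in use when bricking was observed, or label the table as results of probing that readers should not reproduce on a tag they care about, and say what `Tag does not reply` means for recovery (does the tag answer WUPA again after a field reset?).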