2020-09-10 19:52:56 +08:00

# Notes on Magic Cards, aka UID changeable

This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372

Useful docs:

* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf)

- [ISO14443A](#iso14443a)
  * [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic)
- [MIFARE Classic](#mifare-classic)
  * [MIFARE Classic block0](#mifare-classic-block0)
  * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
  * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
  * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
  * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
  * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version)
  * [MIFARE Classic, other versions](#mifare-classic-other-versions)
  * [MIFARE Classic APDU aka Gen3](#mifare-classic-apdu-aka-gen3)
  * [MIFARE Classic Super](#mifare-classic-super)
- [MIFARE Ultralight](#mifare-ultralight)
  * [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02)
  * [MIFARE Ultralight Gen1A](#mifare-ultralight-gen1a)
  * [MIFARE Ultralight DirectWrite](#mifare-ultralight-directwrite)
  * [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite)
  * [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a)
  * [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite)
- [NTAG](#ntag)
  * [NTAG213 DirectWrite](#ntag213-directwrite)
  * [NTAG21x](#ntag21x)
- [DESFire](#desfire)
  * ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid)
  * ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid)
- [ISO14443B](#iso14443b)
  * [ISO14443B magic](#iso14443b-magic)
- [ISO15693](#iso15693)
  * [ISO15693 magic](#iso15693-magic)

# ISO14443A

## Identifying broken ISO14443A magic

When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is.

Here are some tips if the card doesn't react or gives an error on a simple `hf 14a reader`:

Let's force a 4b UID anticollision and see what happens (`hf 14a config h` lists the options: here the anticollision is forced, a bad BCC is accepted as-is, cascade level 2 and RATS are skipped):

```
hf 14a config a 1 b 2 2 2 r 2
hf 14a reader
```

If it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision (cascade level 2 forced, cascade level 3 skipped):

```
hf 14a config a 1 b 2 2 1 3 2 r 2
hf 14a reader
```

At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure the different types of cards.

To restore the anticollision config of the Proxmark3 (do it, otherwise every later command keeps using the forced settings):

```
hf 14a config a 0 b 0 2 0 3 0 r 0
```

# MIFARE Classic

Referred to as M1, S50 (1k), S70 (4k)

## MIFARE Classic block0

UID 4b: (actually NUID as there are no more "unique" IDs on 4b)

```
11223344440804006263646566676869
^^^^^^^^ UID
        ^^ BCC
          ^^ SAK(*)
            ^^^^ ATQA
                ^^^^^^^^^^^^^^^^ Manufacturer data
(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
```

Note that the ATQA is stored byte-swapped compared to how the reader prints it: ATQA `0004` is `0400` in block0, ATQA `0002` is `0200`.

Computing BCC on UID 11223344: `analyse lcr 11223344` = `44` (the BCC is the XOR of the 4 UID bytes)

UID 7b:

```
04112233445566884400c82000000000
^^ Manufacturer byte
^^^^^^^^^^^^^^ UID
              ^^ SAK(*)
                ^^^^ ATQA
                    ^^^^^^^^^^^^ Manufacturer data
(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
```

With a 7b UID there is no BCC byte in block0: the BCC0/BCC1 bytes are only computed on the fly during the two cascade levels of the anticollision.

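As an added example (not part of the original notes nor of the Proxmark3 project), here is a small Python helper that builds block0 for the two layouts above and flags the mistakes that soft-brick a card replaying block0 blindly: a wrong BCC, a UID0 equal to the cascade tag 0x88, and an ATQA/SAK pair that a reader won't recognise as a Classic card. The manufacturer-data filler and the table of ATQA/SAK pairs are taken from the examples on this page; the `sak_plus_80` flag models the "+0x80 in block0" quirk noted above.

```python
# Added example: build and sanity-check MIFARE Classic block0 contents.
# Not code from the notes or from the Proxmark3 client; the ATQA/SAK table
# only lists the combinations used as examples on this page.

def bcc(data: bytes) -> int:
    """ISO14443-3 block check character: XOR of all the bytes it covers."""
    v = 0
    for b in data:
        v ^= b
    return v


def build_block0_4b(uid_hex: str, atqa_hex: str, sak_hex: str,
                    mfr_hex: str = "6263646566676869",
                    sak_plus_80: bool = False) -> str:
    """UID(4) | BCC | SAK | ATQA (byte-swapped) | 8 bytes manufacturer data."""
    uid = bytes.fromhex(uid_hex)
    atqa = bytes.fromhex(atqa_hex)      # as the reader prints it, e.g. "0004"
    mfr = bytes.fromhex(mfr_hex)
    if len(uid) != 4 or len(atqa) != 2 or len(mfr) != 8:
        raise ValueError("expected 4-byte UID, 2-byte ATQA, 8 bytes mfr data")
    sak = int(sak_hex, 16) | (0x80 if sak_plus_80 else 0)
    return (uid + bytes([bcc(uid), sak]) + atqa[::-1] + mfr).hex()


def build_block0_7b(uid_hex: str, atqa_hex: str, sak_hex: str,
                    mfr_hex: str = "000000000000",
                    sak_plus_80: bool = False) -> str:
    """UID(7, first byte is the manufacturer ID) | SAK | ATQA (swapped) | 6 bytes."""
    uid = bytes.fromhex(uid_hex)
    atqa = bytes.fromhex(atqa_hex)
    mfr = bytes.fromhex(mfr_hex)
    if len(uid) != 7 or len(atqa) != 2 or len(mfr) != 6:
        raise ValueError("expected 7-byte UID, 2-byte ATQA, 6 bytes mfr data")
    sak = int(sak_hex, 16) | (0x80 if sak_plus_80 else 0)
    return (uid + bytes([sak]) + atqa[::-1] + mfr).hex()


# ATQA/SAK pairs used as MIFARE Classic examples on this page (reader byte order).
KNOWN_IDS = {
    ("0004", 0x08): "MIFARE Classic 1k (4b)",
    ("0002", 0x18): "MIFARE Classic 4k (4b)",
    ("0044", 0x08): "MIFARE Classic 1k (7b)",
    ("0042", 0x18): "MIFARE Classic 4k (7b)",
}


def check_block0(block_hex: str, uid_len: int = 4) -> list:
    """Return the problems that would leave a card replaying block0 blindly
    (ATQA/SAK/BCC) unreachable or mis-identified. Empty list = looks sane."""
    if uid_len not in (4, 7):
        raise ValueError("uid_len must be 4 or 7")
    blk = bytes.fromhex(block_hex)
    if len(blk) != 16:
        return ["block0 must be exactly 16 bytes"]
    problems = []
    if uid_len == 4:
        uid, bcc_byte, sak, atqa = blk[:4], blk[4], blk[5], blk[6:8][::-1]
        if bcc_byte != bcc(uid):
            problems.append(f"BCC is {bcc_byte:02x}, expected {bcc(uid):02x}")
    else:
        uid, sak, atqa = blk[:7], blk[7], blk[8:10][::-1]
    if uid[0] == 0x88:
        # 0x88 is the ISO14443-3 cascade tag and is not allowed as UID0
        problems.append("UID0 0x88 is the cascade tag, anticollision will break")
    # strip the +0x80 quirk before looking the pair up
    if (atqa.hex(), sak & 0x7F) not in KNOWN_IDS:
        problems.append(f"ATQA {atqa.hex()} / SAK {sak & 0x7F:02x} is not a known Classic combination")
    return problems
```

`check_block0` is worth running on a dump before `hf mf csetblk 0 ...` or a Gen2 `hf mf wrbl 0 ...`: a card that replays a wrong BCC never gets past anticollision, and you end up in the "soft-bricked" procedures described later on this page.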
## MIFARE Classic Gen1A aka UID

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 1a
```

### Magic commands

* Wipe: `40(7)`, `41` (use 2000ms timeout)
* Read: `40(7)`, `43`, `30xx`+crc
* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc

`40(7)` is the byte 0x40 sent as a 7-bit frame right after the field has been switched on, without selecting the card; `xx` is the block number.

### Characteristics

* UID: Only 4b versions
* ATQA:
  * all cards play blindly the block0 ATQA bytes, beware!
* SAK:
  * some cards play blindly the block0 SAK byte, beware!
  * some cards use a fixed "08" in anticollision, no matter the block0
  * some cards use a fixed "08" in anticollision, unless the SAK in block0 has its most significant bit "80" set, in which case SAK="88"
* BCC:
  * all cards play blindly the block0 BCC byte, beware!
* ATS:
  * no card with ATS

#### MIFARE Classic Gen1A flavour 1

* SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145
* Wipe: filled with 0xFF

#### MIFARE Classic Gen1A flavour 2

* SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145
* Wipe: filled with 0x00

#### MIFARE Classic Gen1A flavour 3

* SAK: 08
* PRNG: static 01200145
* Wipe: filled with 0xFF

#### MIFARE Classic Gen1A flavour 4

* SAK: 08
* PRNG: weak
* Wipe: timeout, no wipe

#### MIFARE Classic Gen1A flavour 5

* SAK: 08
* PRNG: weak
* Wipe: reply ok but no wipe performed

#### MIFARE Classic Gen1A flavour 6

* SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak
* Wipe: timeout, no wipe

#### MIFARE Classic Gen1A flavour 7

* SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak
* Wipe: filled with 0x00

### Proxmark3 commands

```
hf mf csetuid
hf mf cwipe
hf mf csetblk
hf mf cgetblk
hf mf cgetsc
hf mf cload
hf mf csave
hf mf cview
```

When "soft-bricked" (by writing invalid data in block0), these ones may help:

```
# MFC Gen1A 1k:
hf mf cwipe -u 11223344 -a 0004 -s 08
# MFC Gen1A 4k:
hf mf cwipe -u 11223344 -a 0044 -s 18
```

or just fixing block0:

```
# MFC Gen1A 1k:
hf mf csetuid 11223344 0004 08
# MFC Gen1A 4k:
hf mf csetuid 11223344 0044 18
```

or run the revive script:

```
script run hf_mf_magicrevive
```

To execute commands manually (`-a`: switch the field on without selecting a card, `-k`: keep the field on after the exchange, `-b 7`: send only 7 bits, `-c`: append CRC_A, `-t`: timeout in ms):

```
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c A000
hf 14a raw -c -t 1000 11223344440804006263646566676869
```

wipe:

```
hf 14a raw -a -k -b 7 40
hf 14a raw -t 1000 41
```

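Added example, not from the original notes nor from the Proxmark3 code base: the frames of the Gen1A (and Gen1B) backdoor sequences above, built with the CRC_A that the Proxmark3 otherwise appends for you with `-c`, and rendered as the equivalent `hf 14a raw` lines. It assumes only the command bytes listed in the "Magic commands" sections (0x40 as a 7-bit frame, 0x41 wipe, 0x43 unlock, 0x30 read, 0xA0 write); the CRC is the standard ISO/IEC 14443-3 CRC_A (preset 0x6363, polynomial 0x8408 in reflected form, low byte sent first).

```python
# Added example: Gen1A/Gen1B raw frame builder with ISO14443-3 CRC_A.
# Not code from the notes or from the Proxmark3 client.

def crc_a(data: bytes) -> bytes:
    """ISO14443-3 CRC_A, returned in transmission order (low byte first)."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])


def with_crc(frame_hex: str) -> str:
    """Append CRC_A to a hex frame, as `hf 14a raw -c` does on the device."""
    frame = bytes.fromhex(frame_hex)
    return (frame + crc_a(frame)).hex()


def gen1a_frames(op: str, block: int = 0, data_hex: str = "",
                 gen1b: bool = False) -> list:
    """Return [(frame_hex, nbits), ...] for a 'wipe', 'read' or 'write'.
    Gen1B cards skip the 0x43 unlock step (see the Gen1B section)."""
    if not 0 <= block <= 255:
        raise ValueError("block must fit in one byte")
    frames = [("40", 7)]                # backdoor: 7-bit 0x40 right after field reset
    if op == "wipe":
        frames.append(("41", 8))        # Gen1A only; needs a long timeout on the reader
        return frames
    if not gen1b:
        frames.append(("43", 8))        # second unlock step of Gen1A
    if op == "read":
        frames.append((with_crc(f"30{block:02x}"), 8))
    elif op == "write":
        if len(bytes.fromhex(data_hex)) != 16:
            raise ValueError("a MIFARE Classic block is 16 bytes")
        frames.append((with_crc(f"a0{block:02x}"), 8))
        frames.append((with_crc(data_hex), 8))
    else:
        raise ValueError(f"unknown op {op!r}")
    return frames


def pm3_commands(frames: list, timeout_ms: int = 1000) -> list:
    """Render the frame list as `hf 14a raw` lines. The CRC is already inside
    the frames, so `-c` is not used; `-a` switches the field on for the first
    frame without selecting a card, `-k` keeps it on between frames and the
    last frame gets the timeout."""
    lines = []
    for i, (hexstr, nbits) in enumerate(frames):
        last = i == len(frames) - 1
        opts = ["-a"] if i == 0 else []
        if not last:
            opts.append("-k")
        if nbits != 8:
            opts += ["-b", str(nbits)]
        if last:
            opts += ["-t", str(timeout_ms)]
        lines.append("hf 14a raw " + " ".join(opts + [hexstr]))
    return lines


if __name__ == "__main__":
    # write the sample 1k block0 from the notes, then show the wipe sequence
    blk0 = "11223344440804006263646566676869"
    for line in pm3_commands(gen1a_frames("write", 0, blk0)):
        print(line)
    for line in pm3_commands(gen1a_frames("wipe"), 2000):
        print(line)
```

Sending a frame without `-c` is only correct if the CRC is already in it, which is what `with_crc` provides; `pm3_commands(gen1a_frames("wipe"), 2000)` reproduces the two-line wipe exactly as listed above, and the write sequence differs from the manual one only in carrying the CRC bytes explicitly instead of `-c`.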
### libnfc commands

```
nfc-mfsetuid
nfc-mfclassic R a u mydump
nfc-mfclassic W a u mydump
```

## MIFARE Classic Gen1B

Similar to Gen1A, but supports direct read/write after command 40, without the `43` step

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 1b
```

### Magic commands

* Read: `40(7)`, `30xx`+crc
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc

## MIFARE Classic DirectWrite aka Gen2 aka CUID

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```

Not all Gen2 cards can be identified with `hf 14a info`, only those replying to RATS.

To identify the other ones, you have to try to write to block0 and see if it works...

### Magic commands

Android compatible

* issue a regular write to block0

### Characteristics

* UID: 4b and 7b versions
* ATQA:
  * some cards play blindly the block0 ATQA bytes, beware!
  * some cards use a fixed ATQA in anticollision, no matter the block0. Including all 7b.
* SAK:
  * some cards play blindly the block0 SAK byte, beware!
  * some cards use a fixed "08" or "18" in anticollision, no matter the block0. Including all 7b.
* BCC:
  * some cards play blindly the block0 BCC byte, beware!
  * some cards compute a proper BCC in anticollision. Including all 7b computing their BCC0 and BCC1.
* ATS:
  * some cards don't reply to RATS
  * some reply with an ATS

#### MIFARE Classic DirectWrite flavour 1

* UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware!
* SAK: play blindly the block0 SAK byte, beware!
* BCC: play blindly the block0 BCC byte, beware!
* ATS: no
* PRNG: weak

#### MIFARE Classic DirectWrite flavour 2

* UID 4b
* ATQA: fixed
* SAK: fixed
* BCC: computed
* ATS: 0978009102DABC1910F005
* PRNG: weak

#### MIFARE Classic DirectWrite flavour 3

* UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware!
* SAK: fixed
* BCC: play blindly the block0 BCC byte, beware!
* ATS: no
* PRNG: weak

#### MIFARE Classic DirectWrite flavour 4

* UID 7b
* ATQA: fixed
* SAK: fixed
* BCC: computed
* ATS: 0978009102DABC1910F005
* PRNG: static 00000000

#### MIFARE Classic DirectWrite flavour 5

* UID 4b
* ATQA: fixed
* SAK: play blindly the block0 SAK byte, beware!
* BCC: computed
* ATS: no
* PRNG: weak

#### MIFARE Classic DirectWrite flavour 6

**TODO** need more info

* UID 7b
* ATS: 0D780071028849A13020150608563D

### Proxmark3 commands

A regular write of block 0 with key A of sector 0 (here the default key `FFFFFFFFFFFF`; use the card's actual key if sector 0 has been re-keyed):

```
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869
```

When "soft-bricked" (by writing invalid data in block0), these ones may help:

```
hf 14a config h
```

e.g. for 4b UID:

```
hf 14a config a 1 b 2 2 2 r 2
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 11223344441802006263646566676869 # for 4k
hf 14a config a 0 b 0 2 0 r 0
hf 14a reader
```

e.g. for 7b UID:

```
hf 14a config a 1 b 2 2 1 3 2 r 2
hf mf wrbl 0 A FFFFFFFFFFFF 04112233445566084400626364656667 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 04112233445566184200626364656667 # for 4k
hf 14a config a 0 b 0 2 0 3 0 r 0
hf 14a reader
```

## MIFARE Classic DirectWrite, FUID version aka 1-write

Same as MIFARE Classic DirectWrite, but block0 can be written only once.

Initial UID is AA55C396

### Identify

Only possible before personalisation.

```
hf 14a info
...
[+] Magic capabilities : Write Once / FUID
```

## MIFARE Classic DirectWrite, UFUID version

Same as MIFARE Classic DirectWrite, but block0 can be locked with a special command.

### Identify

**TODO**

### Proxmark3 commands

To lock block0 definitively (irreversible, so check block0 content first):

```
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c e000
hf 14a raw -c 85000000000000000000000000000008
```

## MIFARE Classic, other versions

**TODO**

* ZXUID, EUID, ICUID ?
* Some cards exhibit a specific SAK=28 ??

## MIFARE Classic APDU aka Gen3

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 3 / APDU
```

### Magic commands

Android compatible

* issue special APDUs

```
cla ins p1 p2 len
 90  F0 CC CC 10 <block0> - write block 0
 90  FB CC CC 07 <uid>    - change uid (independently of block0 data)
 90  FD 11 11 00          - lock permanently
```

It seems the length byte gets ignored anyway.

Note: it seems some cards only accept the "change UID" command.

It accepts a direct read of block0 (and only block0) without prior auth.

### Characteristics

* UID: 4b and 7b versions
* ATQA/SAK: fixed
* BCC: auto
* ATS: none

### Proxmark3 commands

```
# change just UID:
hf mf gen3uid
# write block0:
hf mf gen3blk
# lock (uid/block0?) forever:
hf mf gen3freeze
```

See also

```
script run hf_mf_gen3_writer -h
```

Equivalent:

```
# change just UID:
hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677
# write block0:
hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000
# lock (uid/block0?) forever:
hf 14a raw -s -c 90FD111100
```

## MIFARE Classic Super

It behaves like DirectWrite but records reader auth attempts (the recorded nonces are then used offline to recover the reader's keys).

To change UID: same commands as for MFC DirectWrite

To do a reader-only attack: at least two versions exist.

* type 1: https://github.com/nfc-tools/nfc-supercard for card with ATS: 0978009102DABC1910F005
* type 2: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ??

### Identify

Only type 1 at the moment:

```
hf 14a info
...
[+] Magic capabilities : super card
```

# MIFARE Ultralight

## MIFARE Ultralight blocks 0..2

```
SN0  SN1  SN2  BCC0
SN3  SN4  SN5  SN6
BCC1 Int  LCK0 LCK1
```

UID is made of SN0..SN6 bytes

BCC0 covers the cascade tag `88` and SN0..SN2 (what the card sends at cascade level 1), BCC1 covers SN3..SN6 (cascade level 2):

Computing BCC0 on UID 04112233445566: `analyse lcr 88041122` = `bf`

Computing BCC1 on UID 04112233445566: `analyse lcr 33445566` = `44`

Int is internal, typically 0x48

Anticol shortcut (CL1/3000, i.e. sending a `3000` READ right after the cascade level 1 selection without completing cascade level 2) is supported for UL, ULC, NTAG except NTAG I2C

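Added example (not part of the original notes nor of the Proxmark3 project): deriving pages 0..2 from a 7-byte UID, the two anticollision frames a reader will see (cascade tag 0x88 plus SN0..SN2 with BCC0, then SN3..SN6 with BCC1), and the three consecutive raw writes that the DirectWrite sections below use. The internal byte 0x48 and zeroed lock bytes are the defaults quoted above and the UID is the sample value from this page; `check_pages` flags the BCC mismatch that soft-bricks a card replaying pages 0 and 2 blindly.

```python
# Added example: MIFARE Ultralight / NTAG pages 0..2 from a 7-byte UID.
# Not code from the notes or from the Proxmark3 client.

CASCADE_TAG = 0x88  # ISO14443-3 CT byte, precedes SN0..SN2 at cascade level 1


def xor_bcc(data: bytes) -> int:
    """Block check character: XOR of the covered bytes."""
    v = 0
    for b in data:
        v ^= b
    return v


def ul_pages(uid_hex: str, internal: int = 0x48, lock_hex: str = "0000") -> list:
    """Return [page0, page1, page2] as hex strings for a 7-byte UID."""
    uid = bytes.fromhex(uid_hex)
    lock = bytes.fromhex(lock_hex)
    if len(uid) != 7 or len(lock) != 2:
        raise ValueError("need a 7-byte UID and 2 lock bytes")
    bcc0 = xor_bcc(bytes([CASCADE_TAG]) + uid[:3])   # covers CT, SN0..SN2
    bcc1 = xor_bcc(uid[3:])                          # covers SN3..SN6
    page0 = uid[:3] + bytes([bcc0])
    page1 = uid[3:]
    page2 = bytes([bcc1, internal]) + lock
    return [page0.hex(), page1.hex(), page2.hex()]


def anticollision_frames(uid_hex: str) -> list:
    """What a reader receives from the card at cascade levels 1 and 2."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 7:
        raise ValueError("need a 7-byte UID")
    cl1 = bytes([CASCADE_TAG]) + uid[:3]
    cl2 = uid[3:]
    return [(cl1 + bytes([xor_bcc(cl1)])).hex(),
            (cl2 + bytes([xor_bcc(cl2)])).hex()]


def directwrite_commands(uid_hex: str, internal: int = 0x48,
                         lock_hex: str = "0000") -> list:
    """Three consecutive WRITE (0xA2) commands with the field kept up in
    between, as DirectWrite cards require; `-c` lets the Proxmark3 append CRC_A
    and `-s` selects the card before the first write."""
    pages = ul_pages(uid_hex, internal, lock_hex)
    lines = []
    for i, page in enumerate(pages):
        opts = "-s -c -k" if i == 0 else ("-c -k" if i < 2 else "-c")
        lines.append(f"hf 14a raw {opts} a2 {i:02x} {page}")
    return lines


def check_pages(page0_hex: str, page1_hex: str, page2_hex: str) -> list:
    """Flag BCC bytes that don't match the UID: a card that replays them
    blindly will fail anticollision."""
    p0, p1, p2 = (bytes.fromhex(p) for p in (page0_hex, page1_hex, page2_hex))
    if len(p0) != 4 or len(p1) != 4 or len(p2) != 4:
        return ["pages must be 4 bytes each"]
    problems = []
    exp0 = xor_bcc(bytes([CASCADE_TAG]) + p0[:3])
    if p0[3] != exp0:
        problems.append(f"BCC0 {p0[3]:02x} != {exp0:02x}")
    exp1 = xor_bcc(p1)
    if p2[0] != exp1:
        problems.append(f"BCC1 {p2[0]:02x} != {exp1:02x}")
    return problems


if __name__ == "__main__":
    for line in directwrite_commands("04112233445566"):
        print(line)
```

Run `check_pages` on the first three pages of an `hf mfu dump` before writing them back to a BCC-replaying card: if either BCC is wrong, the card will answer the REQA but never complete the select, and you are back to the forced-anticollision recovery described in the DirectWrite section.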
## MIFARE Ultralight Gen1A

### Identify

**TODO**

### Characteristics

#### Magic commands

**TODO**

#### UID

Only 7b versions

#### SAK, ATQA, BCC, ATS

**TODO** need more tests

### Proxmark3 commands

```
script run hf_mfu_setuid -h
```

When "soft-bricked" (by writing invalid data in block0), these ones may help:

```
hf 14a config h
script run hf_mf_magicrevive -u
```

## MIFARE Ultralight DirectWrite

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```

It seems so far that all MFUL DW have an ATS.

### Magic commands

Issue three regular MFU write commands in a row to write the first three blocks.

### Characteristics

* UID: Only 7b versions
* ATQA:
  * all cards play a fixed ATQA
* SAK:
  * all cards play a fixed SAK
* BCC:
  * some cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
  * some cards compute proper BCC0 and BCC1 in anticollision
* ATS:
  * all cards reply with an ATS

#### MIFARE Ultralight DirectWrite flavour 1

* BCC: computed
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails

#### MIFARE Ultralight DirectWrite flavour 2

* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AB00000000000000000184D
* Anticol shortcut (CL1/3000): succeeds

### Proxmark3 commands

```
hf mfu setuid
```

Equivalent: don't use `hf mfu wrbl`, as the three blocks have to be written in a row within the same session; use raw writes instead, with the proper BCC0/BCC1 bytes:

```
hf 14a raw -s -c -k a2 00 041122bf
hf 14a raw -c -k a2 01 33445566
hf 14a raw -c a2 02 44480000
```

When "soft-bricked" (by writing invalid data in block0), these ones may help:

```
hf 14a config h
```

E.g.:

```
hf 14a config a 1 b 2 2 1 3 2 r 2
hf mfu setuid 04112233445566
hf 14a config a 0 b 0 2 0 3 0 r 0
hf 14a reader
```

### libnfc commands

```
nfc-mfultralight -h
```

See `--uid` and `--full`

### Android

* MIFARE++ Ultralight

## MIFARE Ultralight EV1 DirectWrite

Similar to MFUL DirectWrite

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```

### Characteristics

* UID: Only 7b versions
* ATQA:
  * all cards play a fixed ATQA
* SAK:
  * all cards play a fixed SAK
* BCC:
  * cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS:
  * all cards reply with an ATS

#### MIFARE Ultralight EV1 DirectWrite flavour 1

* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A000000AC30004030101000B0341DF

#### MIFARE Ultralight EV1 DirectWrite flavour 2

* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AC30004030101000B0316D7

## MIFARE Ultralight C Gen1A

Similar to MFUL Gen1A

## MIFARE Ultralight C DirectWrite

Similar to MFUL DirectWrite

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```

### Characteristics

* UID: Only 7b versions
* ATQA:
  * all cards play a fixed ATQA
* SAK:
  * all cards play a fixed SAK
* BCC:
  * cards compute proper BCC0 and BCC1 in anticollision
* ATS:
  * all cards reply with an ATS

#### MIFARE Ultralight C DirectWrite flavour 1

* BCC: computed
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails

# NTAG

## NTAG213 DirectWrite

Similar to MFUL DirectWrite

### Identify

```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```

### Characteristics

* UID: Only 7b versions
* ATQA:
  * all cards play a fixed ATQA
* SAK:
  * all cards play a fixed SAK
* BCC:
  * cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS:
  * all cards reply with an ATS

#### NTAG213 DirectWrite flavour 1

* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): succeeds

## NTAG21x

### Identify

```
hf 14a info
...
[+] Magic capabilities : NTAG21x
```

### Characteristics

Emulates fully NTAG213, 213F, 215, 216, 216F

Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS

Anticol shortcut (CL1/3000): fails

### Proxmark3 commands

```
script run hf_mfu_magicwrite -h
```

# DESFire

## "DESFire" APDU, 7b UID

### Identify

**TODO**

### Magic commands

Android compatible

* issue special APDUs

### Characteristics

* ATQA: 0344
* SAK: 20
* ATS: 0675338102005110 or 06757781028002F0

Only mimics the DESFire anticollision (but with a wrong ATS), no further DESFire support

### Proxmark3 commands

UID 04112233445566

```
hf 14a raw -s -c 0200ab00000704112233445566
```

or equivalently (here the leading `02` ISO14443-4 I-block PCB is added by the command itself):

```
hf 14a apdu -s 00ab00000704112233445566
```

### libnfc commands

`4a0100` is the PN53x InListPassiveTarget command (one target, 106 kbps type A), `42` is InCommunicateThru with the raw I-block:

```
pn53x-tamashell
4a0100
420200ab00000704112233445566
```

## "DESFire" APDU, 4b UID

### Magic commands

Android compatible

* issue special APDUs

### Characteristics

* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
* SAK: 20
* ATS: 0675338102005110 or 06757781028002F0

Only mimics the DESFire anticollision (but with a wrong ATS), no further DESFire support

### Proxmark3 commands

UID 11223344

```
hf 14a raw -s -c 0200ab00000411223344
```

or equivalently

```
hf 14a apdu -s 00ab00000411223344
```

It accepts a longer UID but that doesn't affect BCC/ATQA/SAK

### pn53x-tamashell commands

```
4a0100
420200ab00000411223344
```

### Remarks

The same effect (with a better ATQA!) can be obtained with a MFC Gen1A that uses the SAK defined in block0 (ATQA 0344 and SAK 20 stored in block0, with the ATQA byte-swapped):

```
hf mf csetblk 0 1122334444204403A1A2A3A4A5A6A7A8
hf 14a info
[+] UID: 11 22 33 44
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] Possible types:
[+]    MIFARE DESFire MF3ICD40
```

# ISO14443B

## ISO14443B magic

No such card is available.

Some vendors allow you to specify an ID (PUPI) when ordering a card.

# ISO15693

## ISO15693 magic

### Identify

**TODO**

### Proxmark3 commands

Always set a UID starting with `E0` (ISO15693 UIDs have a fixed first byte `E0`, followed by the IC manufacturer code).

```
hf 15 csetuid E011223344556677
```

or (ignore errors):

```
script run hf_15_magic -u E004013344556677
```