proxmark3/doc/magic_cards_notes.md

854 lines
17 KiB
Markdown
Raw Normal View History

2020-09-10 19:52:56 +08:00
# Notes on Magic Cards, aka UID changeable
2020-09-10 06:14:08 +08:00
This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372
2020-09-11 02:49:18 +08:00
Useful docs:
* [AN10833 MIFARE Type Identification Procedure](https://www.nxp.com/docs/en/application-note/AN10833.pdf)
2020-09-13 22:16:53 +08:00
- [ISO14443A](#iso14443a)
* [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic)
2020-09-10 06:14:08 +08:00
- [MIFARE Classic](#mifare-classic)
* [MIFARE Classic block0](#mifare-classic-block0)
* [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
* [MIFARE Classic Gen1B](#mifare-classic-gen1b)
2020-09-10 07:03:53 +08:00
* [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
2020-09-10 07:08:35 +08:00
* [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
* [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version)
* [MIFARE Classic, other versions](#mifare-classic-other-versions)
2020-09-10 07:06:18 +08:00
* [MIFARE Classic APDU aka Gen3](#mifare-classic-apdu-aka-gen3)
2020-09-10 06:14:08 +08:00
* [MIFARE Classic Super](#mifare-classic-super)
- [MIFARE Ultralight](#mifare-ultralight)
* [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02)
* [MIFARE Ultralight Gen1A](#mifare-ultralight-gen1a)
2020-09-10 07:03:53 +08:00
* [MIFARE Ultralight DirectWrite](#mifare-ultralight-directwrite)
* [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite)
2020-09-10 06:14:08 +08:00
* [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a)
2020-09-10 07:03:53 +08:00
* [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite)
2020-09-10 06:14:08 +08:00
- [NTAG](#ntag)
2020-09-10 07:03:53 +08:00
* [NTAG213 DirectWrite](#ntag213-directwrite)
2020-09-10 06:14:08 +08:00
* [NTAG21x](#ntag21x)
- [DESFire](#desfire)
2020-09-10 07:08:35 +08:00
* ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid)
* ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid)
2020-09-10 06:14:08 +08:00
- [ISO14443B](#iso14443b)
* [ISO14443B magic](#iso14443b-magic)
- [ISO15693](#iso15693)
* [ISO15693 magic](#iso15693-magic)
2020-09-13 22:16:53 +08:00
# ISO14443A
## Identifying broken ISO14443A magic
When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is.
Here are some tips if the card doesn't react or gives error on a simple `hf 14a reader`:
Let's force a 4b UID anticollision and see what happens:
```
hf 14a config a 1 b 2 2 2 r 2
hf 14a reader
```
It it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision:
```
hf 14a config a 1 b 2 2 1 3 2 r 2
hf 14a reader
```
At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure different types of cards.
To restore anticollision config of the Proxmark3:
```
hf 14a config a 0 b 0 2 0 3 0 r 0
```
2020-09-10 06:14:08 +08:00
# MIFARE Classic
Referred as M1, S50 (1k), S70 (4k)
## MIFARE Classic block0
2020-09-11 02:49:18 +08:00
UID 4b: (actually NUID as there are no more "unique" IDs on 4b)
2020-09-10 06:14:08 +08:00
```
11223344440804006263646566676869
^^^^^^^^ UID
^^ BCC
^^ SAK(*)
^^^^ ATQA
^^^^^^^^^^^^^^^^ Manufacturer data
2020-09-11 17:43:49 +08:00
(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
2020-09-10 06:14:08 +08:00
```
Computing BCC on UID 11223344: `hf analyse lcr 11223344` = `44`
UID 7b:
2020-09-11 02:49:18 +08:00
```
04112233445566884400c82000000000
^^ Manufacturer byte
^^^^^^^^^^^^^^ UID
2020-09-11 17:43:49 +08:00
^^ SAK(*)
^^^^ ATQA
2020-09-11 02:49:18 +08:00
^^^^^^^^^^^^ Manufacturer data
2020-09-11 17:43:49 +08:00
(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
2020-09-11 02:49:18 +08:00
```
2020-09-10 06:14:08 +08:00
## MIFARE Classic Gen1A aka UID
2020-09-11 01:24:57 +08:00
### Identify
```
hf 14a info
...
[+] Magic capabilities : Gen 1a
```
2020-09-10 06:14:08 +08:00
### Magic commands
2020-09-11 07:23:30 +08:00
* Wipe: `40(7)`, `41` (use 2000ms timeout)
* Read: `40(7)`, `43`, `30xx`+crc
* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
2020-09-10 06:14:08 +08:00
### Characteristics
* UID: Only 4b versions
* ATQA:
2020-09-11 07:23:30 +08:00
* all cards play blindly the block0 ATQA bytes, beware!
2020-09-10 06:14:08 +08:00
* SAK:
2020-09-11 07:23:30 +08:00
* some cards play blindly the block0 SAK byte, beware!
2020-09-10 06:14:08 +08:00
* some cards use a fix "08" in anticollision, no matter the block0
2020-09-11 07:23:30 +08:00
* some cards use a fix "08" in anticollision, unless SAK in block0 has most significant bit "80" set, in which case SAK="88"
2020-09-10 06:14:08 +08:00
* BCC:
2020-09-11 22:36:41 +08:00
* all cards play blindly the block0 BCC byte, beware!
2020-09-10 06:14:08 +08:00
* ATS:
2020-09-11 07:23:30 +08:00
* no card with ATS
#### MIFARE Classic Gen1A flavour 1
* SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145
* Wipe: filled with 0xFF
#### MIFARE Classic Gen1A flavour 2
* SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145
* Wipe: filled with 0x00
#### MIFARE Classic Gen1A flavour 3
* SAK: 08
* PRNG: static 01200145
* Wipe: filled with 0xFF
#### MIFARE Classic Gen1A flavour 4
* SAK: 08
* PRNG: weak
* Wipe: timeout, no wipe
#### MIFARE Classic Gen1A flavour 5
* SAK: 08
* PRNG: weak
* Wipe: reply ok but no wipe performed
#### MIFARE Classic Gen1A flavour 6
* SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak
* Wipe: timeout, no wipe
#### MIFARE Classic Gen1A flavour 7
* SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak
* Wipe: filled with 0x00
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
```
hf mf csetuid
hf mf cwipe
hf mf csetblk
hf mf cgetblk
hf mf cgetsc
hf mf cload
hf mf csave
hf mf cview
```
When "soft-bricked" (by writing invalid data in block0), these ones may help:
2020-09-11 07:23:30 +08:00
```
2020-09-13 21:19:35 +08:00
# MFC Gen1A 1k:
hf mf cwipe -u 11223344 -a 0004 -s 08
# MFC Gen1A 4k:
hf mf cwipe -u 11223344 -a 0044 -s 18
2020-09-11 07:23:30 +08:00
```
2020-09-14 06:31:24 +08:00
or just fixing block0:
```
# MFC Gen1A 1k:
hf mf csetuid 11223344 0004 08
# MFC Gen1A 4k:
hf mf csetuid 11223344 0044 18
```
2020-09-11 07:23:30 +08:00
```
2020-09-23 06:11:11 +08:00
script run run hf_mf_magicrevive
2020-09-10 06:14:08 +08:00
```
2020-09-11 07:23:30 +08:00
To execute commands manually:
```
2020-10-01 06:29:24 +08:00
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c A000
2020-09-11 07:23:30 +08:00
hf 14a raw -c -t 1000 11223344440804006263646566676869
```
wipe:
```
2020-10-01 06:29:24 +08:00
hf 14a raw -a -k -b 7 40
2020-09-11 07:23:30 +08:00
hf 14a raw -t 1000 41
```
### libnfc commands
```
nfc-mfsetuid
nfc-mfclassic R a u mydump
nfc-mfclassic W a u mydump
```
2020-09-10 06:14:08 +08:00
## MIFARE Classic Gen1B
2020-09-11 07:35:23 +08:00
Similar to Gen1A, but supports directly read/write after command 40
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
### Identify
```
hf 14a info
...
[+] Magic capabilities : Gen 1b
```
2020-09-11 07:23:30 +08:00
### Magic commands
* Read: `40(7)`, `30xx`
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
2020-09-10 07:03:53 +08:00
## MIFARE Classic DirectWrite aka Gen2 aka CUID
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
### Identify
```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```
2020-09-11 20:40:52 +08:00
Not all Gen2 cards can be identified with `hf 14a info`, only those replying to RATS.
2020-09-13 21:19:35 +08:00
To identify the other ones, you've to try to write to block0 and see if it works...
2020-09-10 06:14:08 +08:00
### Magic commands
Android compatible
* issue regular write to block0
### Characteristics
* UID: 4b and 7b versions
* ATQA:
2020-09-11 20:40:52 +08:00
* some cards play blindly the block0 ATQA bytes, beware!
* some cards use a fix ATQA in anticollision, no matter the block0. Including all 7b.
2020-09-10 06:14:08 +08:00
* SAK:
2020-09-11 20:40:52 +08:00
* some cards play blindly the block0 SAK byte, beware!
* some cards use a fix "08" or "18" in anticollision, no matter the block0. Including all 7b.
2020-09-10 06:14:08 +08:00
* BCC:
2020-09-11 22:36:41 +08:00
* some cards play blindly the block0 BCC byte, beware!
2020-09-13 21:19:35 +08:00
* some cards compute a proper BCC in anticollision. Including all 7b comuting their BCC0 and BCC1.
2020-09-10 06:14:08 +08:00
* ATS:
2020-09-11 20:40:52 +08:00
* some cards don't reply to RATS
2020-09-13 21:19:35 +08:00
* some reply with an ATS
2020-09-11 20:40:52 +08:00
#### MIFARE Classic DirectWrite flavour 1
* UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware!
* SAK: play blindly the block0 SAK byte, beware!
2020-09-11 22:36:41 +08:00
* BCC: play blindly the block0 BCC byte, beware!
2020-09-11 20:40:52 +08:00
* ATS: no
* PRNG: weak
#### MIFARE Classic DirectWrite flavour 2
* UID 4b
* ATQA: fixed
* SAK: fixed
* BCC: computed
* ATS: 0978009102DABC1910F005
* PRNG: weak
#### MIFARE Classic DirectWrite flavour 3
2020-09-10 06:14:08 +08:00
2020-09-11 20:40:52 +08:00
* UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware!
* SAK: fixed
2020-09-11 22:36:41 +08:00
* BCC: play blindly the block0 BCC byte, beware!
2020-09-11 20:40:52 +08:00
* ATS: no
* PRNG: weak
2020-09-10 06:14:08 +08:00
2020-09-11 20:40:52 +08:00
#### MIFARE Classic DirectWrite flavour 4
* UID 7b
* ATQA: fixed
* SAK: fixed
* BCC: computed
* ATS: 0978009102DABC1910F005
* PRNG: static 00000000
2020-09-10 06:14:08 +08:00
2020-09-11 22:36:41 +08:00
#### MIFARE Classic DirectWrite flavour 5
* UID 4b
* ATQA: fixed
* SAK: play blindly the block0 SAK byte, beware!
* BCC: computed
* ATS: no
* PRNG: weak
2020-09-13 21:19:35 +08:00
#### MIFARE Classic DirectWrite flavour 6
**TODO** need more info
* UID 7b
* ATS: 0D780071028849A13020150608563D
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
```
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869
```
When "soft-bricked" (by writing invalid data in block0), these ones may help:
```
hf 14a config h
```
e.g. for 4b UID:
```
2020-09-13 21:19:35 +08:00
hf 14a config a 1 b 2 2 2 r 2
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 11223344441802006263646566676869 # for 4k
hf 14a config a 0 b 0 2 0 r 0
hf 14a reader
```
e.g. for 7b UID:
```
hf 14a config a 1 b 2 2 1 3 2 r 2
hf mf wrbl 0 A FFFFFFFFFFFF 04112233445566084400626364656667 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 04112233445566184200626364656667 # for 4k
2020-09-10 06:14:08 +08:00
hf 14a config a 0 b 0 2 0 3 0 r 0
2020-09-13 21:19:35 +08:00
hf 14a reader
2020-09-10 06:14:08 +08:00
```
2020-09-10 07:03:53 +08:00
## MIFARE Classic DirectWrite, FUID version aka 1-write
2020-09-10 06:14:08 +08:00
2020-09-10 07:03:53 +08:00
Same as MIFARE Classic DirectWrite, but block0 can be written only once.
2020-09-10 06:14:08 +08:00
Initial UID is AA55C396
2020-09-11 01:24:57 +08:00
### Identify
Only possible before personalisation.
```
hf 14a info
...
[+] Magic capabilities : Write Once / FUID
```
2020-09-10 07:03:53 +08:00
## MIFARE Classic DirectWrite, UFUID version
2020-09-10 06:14:08 +08:00
2020-09-10 07:03:53 +08:00
Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
### Identify
**TODO**
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
To lock definitively block0:
```
2020-10-01 06:29:24 +08:00
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c e000
2020-09-10 06:14:08 +08:00
hf 14a raw -c 85000000000000000000000000000008
```
## MIFARE Classic, other versions
2020-09-11 01:24:57 +08:00
**TODO**
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
* ZXUID, EUID, ICUID ?
* Some cards exhibit a specific SAK=28 ??
2020-09-10 06:14:08 +08:00
2020-09-10 07:06:18 +08:00
## MIFARE Classic APDU aka Gen3
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
### Identify
2020-09-12 00:17:58 +08:00
```
hf 14a info
...
[+] Magic capabilities : Gen 3 / APDU
```
2020-09-11 01:24:57 +08:00
2020-09-10 06:14:08 +08:00
### Magic commands
Android compatible
* issue special APDUs
```
cla ins p1 p2 len
2020-09-11 18:00:01 +08:00
90 F0 CC CC 10 <block0> - write block 0
2020-09-11 20:40:52 +08:00
90 FB CC CC 07 <uid> - change uid (independently of block0 data)
90 FD 11 11 00 - lock permanently
2020-09-10 06:14:08 +08:00
```
2020-09-11 20:40:52 +08:00
It seems the length byte gets ignored anyway.
Note: it seems some cards only accept the "change UID" command.
2020-09-10 06:14:08 +08:00
2020-09-12 00:17:58 +08:00
It accepts direct read of block0 (and only block0) without prior auth.
2020-09-10 06:14:08 +08:00
### Characteristics
* UID: 4b and 7b versions
2020-09-11 20:40:52 +08:00
* ATQA/SAK: fixed
* BCC: auto
* ATS: none
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
```
# change just UID:
hf mf gen3uid
# write block0:
hf mf gen3blk
2020-09-11 20:40:52 +08:00
# lock (uid/block0?) forever:
2020-09-11 22:46:13 +08:00
hf mf gen3freeze
2020-09-10 06:14:08 +08:00
```
See also
```
script run hf_mf_gen3_writer -h
2020-09-10 06:14:08 +08:00
```
Equivalent:
```
# change just UID:
hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677
# write block0:
hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000
2020-09-11 20:40:52 +08:00
# lock (uid/block0?) forever:
2020-09-11 18:00:01 +08:00
hf 14a raw -s -c 90FD111100
2020-09-10 06:14:08 +08:00
```
## MIFARE Classic Super
2020-09-10 07:03:53 +08:00
It behaves like DirectWrite but records reader auth attempts.
2020-09-10 06:14:08 +08:00
2020-09-10 07:03:53 +08:00
To change UID: same commands as for MFC DirectWrite
2020-09-10 06:14:08 +08:00
To do reader-only attack: at least two versions exist.
2020-09-11 01:24:57 +08:00
* type 1: https://github.com/nfc-tools/nfc-supercard for card with ATS: 0978009102DABC1910F005
* type 2: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ??
### Identify
Only type 1 at the moment:
```
hf 14a info
...
[+] Magic capabilities : super card
```
2020-09-10 06:14:08 +08:00
# MIFARE Ultralight
## MIFARE Ultralight blocks 0..2
```
SN0 SN1 SN2 BCC0
SN3 SN4 SN5 SN6
BCC1 Int LCK0 LCK1
```
UID is made of SN0..SN6 bytes
Computing BCC0 on UID 04112233445566: `analyse lcr 88041122` = `bf`
Computing BCC1 on UID 04112233445566: `analyse lcr 33445566` = `44`
Int is internal, typically 0x48
Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C
2020-09-10 06:14:08 +08:00
## MIFARE Ultralight Gen1A
2020-09-11 01:24:57 +08:00
### Identify
**TODO**
2020-09-10 06:14:08 +08:00
### Characteristics
#### Magic commands
2020-09-13 21:19:35 +08:00
**TODO**
2020-09-10 06:14:08 +08:00
#### UID
Only 7b versions
#### SAK, ATQA, BCC, ATS
**TODO** need more tests
### Proxmark3 commands
```
2020-09-23 06:11:11 +08:00
script run hf_mfu_setuid -h
2020-09-10 06:14:08 +08:00
```
When "soft-bricked" (by writing invalid data in block0), these ones may help:
```
hf 14a config h
2020-09-23 06:11:11 +08:00
script run run hf_mf_magicrevive -u
2020-09-10 06:14:08 +08:00
```
2020-09-10 07:03:53 +08:00
## MIFARE Ultralight DirectWrite
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
### Identify
2020-09-13 21:19:35 +08:00
```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```
2020-09-11 01:24:57 +08:00
2020-09-13 21:19:35 +08:00
It seems so far that all MFUL DW have an ATS.
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
### Magic commands
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
Issue three regular MFU write commands in a row to write first three blocks.
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
### Characteristics
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
* UID: Only 7b versions
* ATQA:
* all cards play fix ATQA
* SAK:
* all cards play fix SAK
* BCC:
* some cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* some cards compute proper BCC0 and BCC1 in anticollision
* ATS:
* all cards reply with an ATS
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
#### MIFARE Ultralight DirectWrite flavour 1
* BCC: computed
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
#### MIFARE Ultralight DirectWrite flavour 2
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AB00000000000000000184D
* Anticol shortcut (CL1/3000): succeeds
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
```
hf mfu setuid
```
Equivalent: don't use `hf mfu wrbl` as you need to write three blocks in a row, but do, with proper BCCx:
```
2020-10-01 06:29:24 +08:00
hf 14a raw -s -c -k a2 00 041122bf
hf 14a raw -c -k a2 01 33445566
2020-09-10 06:14:08 +08:00
hf 14a raw -c a2 02 44480000
```
When "soft-bricked" (by writing invalid data in block0), these ones may help:
```
hf 14a config h
```
2020-09-13 21:19:35 +08:00
E.g.:
```
hf 14a config a 1 b 2 2 1 3 2 r 2
hf mfu setuid 04112233445566
hf 14a config a 0 b 0 2 0 3 0 r 0
hf 14a reader
```
2020-09-11 07:23:30 +08:00
### libnfc commands
```
nfc-mfultralight -h
```
See `--uid` and `--full`
### Android
* MIFARE++ Ultralight
2020-09-10 07:03:53 +08:00
## MIFARE Ultralight EV1 DirectWrite
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
Similar to MFUL DirectWrite
### Identify
```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```
### Characteristics
* UID: Only 7b versions
* ATQA:
* all cards play fix ATQA
* SAK:
* all cards play fix SAK
* BCC:
* cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS:
* all cards reply with an ATS
#### MIFARE Ultralight EV1 DirectWrite flavour 1
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A000000AC30004030101000B0341DF
#### MIFARE Ultralight EV1 DirectWrite flavour 2
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AC30004030101000B0316D7
2020-09-10 06:14:08 +08:00
## MIFARE Ultralight C Gen1A
2020-09-13 21:19:35 +08:00
Similar to MFUL Gen1A
2020-09-10 06:14:08 +08:00
2020-09-10 07:03:53 +08:00
## MIFARE Ultralight C DirectWrite
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
Similar to MFUL DirectWrite
### Identify
```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```
### Characteristics
* UID: Only 7b versions
* ATQA:
* all cards play fix ATQA
* SAK:
* all cards play fix SAK
* BCC:
* cards compute proper BCC0 and BCC1 in anticollision
* ATS:
* all cards reply with an ATS
#### MIFARE Ultralight C DirectWrite flavour 1
* BCC: computed
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails
2020-09-10 06:14:08 +08:00
# NTAG
2020-09-13 21:19:35 +08:00
## NTAG213 DirectWrite
Similar to MFUL DirectWrite
2020-09-11 01:24:57 +08:00
### Identify
2020-09-13 21:19:35 +08:00
```
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
```
2020-09-11 01:24:57 +08:00
2020-09-13 21:19:35 +08:00
### Characteristics
* UID: Only 7b versions
* ATQA:
* all cards play fix ATQA
* SAK:
* all cards play fix SAK
* BCC:
* cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS:
* all cards reply with an ATS
#### NTAG213 DirectWrite flavour 1
2020-09-10 06:14:08 +08:00
2020-09-13 21:19:35 +08:00
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): succeeds
2020-09-10 06:14:08 +08:00
## NTAG21x
2020-09-11 01:24:57 +08:00
### Identify
2020-09-11 03:13:05 +08:00
```
hf 14a info
...
[+] Magic capabilities : NTAG21x
```
2020-09-11 01:24:57 +08:00
2020-09-10 06:14:08 +08:00
### Characteristics
Emulates fully NTAG213, 213F, 215, 216, 216F
Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS
Anticol shortcut (CL1/3000): fails
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
```
2020-09-23 06:11:11 +08:00
script run hf_mfu_magicwrite -h
2020-09-10 06:14:08 +08:00
```
# DESFire
2020-09-10 07:03:53 +08:00
## "DESFire" APDU, 7b UID
2020-09-10 06:14:08 +08:00
2020-09-11 01:24:57 +08:00
### Identify
**TODO**
2020-09-10 06:14:08 +08:00
### Magic commands
Android compatible
* issue special APDUs
### Characteristics
* ATQA: 0344
* SAK: 20
* ATS: 0675338102005110 or 06757781028002F0
Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
### Proxmark commands
UID 04112233445566
```
hf 14a raw -s -c 0200ab00000704112233445566
```
or equivalently
```
hf 14a apdu -s 00ab00000704112233445566
```
2020-09-11 07:23:30 +08:00
### libnfc commands
2020-09-10 06:14:08 +08:00
```
2020-09-11 07:23:30 +08:00
pn53x-tamashell
2020-09-10 06:14:08 +08:00
4a0100
420200ab00000704112233445566
```
2020-09-10 07:03:53 +08:00
## "DESFire" APDU, 4b UID
2020-09-10 06:14:08 +08:00
### Magic commands
Android compatible
* issue special APDUs
### Characteristics
* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
* SAK: 20
* ATS: 0675338102005110 or 06757781028002F0
Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
### Proxmark commands
UID 04112233445566
```
hf 14a raw -s -c 0200ab00000411223344
```
or equivalently
```
hf 14a apdu -s 00ab00000411223344
```
It accepts longer UID but that doesn't affect BCC/ATQA/SAK
### pn53x-tamashell commands
```
4a0100
420200ab00000411223344
```
### Remarks
The same effect (with better ATQA!) can be obtained with a MFC Gen1A that uses SAK defined in block0:
```
hf mf csetblk 0 1122334444204403A1A2A3A4A5A6A7A8
hf 14a info
[+] UID: 11 22 33 44
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] Possible types:
[+] MIFARE DESFire MF3ICD40
```
# ISO14443B
## ISO14443B magic
No such card is available.
Some vendor allow to specify an ID (PUPI) when ordering a card.
# ISO15693
## ISO15693 magic
2020-09-11 01:24:57 +08:00
### Identify
**TODO**
2020-09-10 06:14:08 +08:00
### Proxmark3 commands
Always set a UID starting with `E0`.
```
hf 15 csetuid E011223344556677
```
or (ignore errors):
```
script run hf_15_magic -u E004013344556677
2020-09-10 06:14:08 +08:00
```