iceman1001 2021-12-31 10:48:53 +01:00
parent 8b74f610c8
commit 0e7b61ed55


@ -45,6 +45,7 @@ Useful docs:
# ISO14443A # ISO14443A
## Identifying broken ISO14443A magic ## Identifying broken ISO14443A magic
^[Top](#top)
When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is. When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is.
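Review bot: the added `^[Top](#top)` link points at an anchor this diff never defines; the only explicit anchor visible in the file is `<a id="g4top"></a>` just before `# Multi`. Browsers fall back to scrolling to the top of the page when a `#top` fragment matches no element, but that is a fallback the document does not control, so consider adding `<a id="top"></a>` at the head of the file, in the same style as `g4top`, so the link resolves the same way in every renderer.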
@ -68,10 +69,12 @@ To restore anticollision config of the Proxmark3:
hf 14a config --std hf 14a config --std
``` ```
# MIFARE Classic # MIFARE Classic
^[Top](#top)
Referred as M1, S50 (1k), S70 (4k) Referred as M1, S50 (1k), S70 (4k)
## MIFARE Classic block0 ## MIFARE Classic block0
^[Top](#top)
UID 4b: (actually NUID as there are no more "unique" IDs on 4b) UID 4b: (actually NUID as there are no more "unique" IDs on 4b)
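Review bot: the `^[Top](#top)` form collides with Pandoc-flavoured Markdown, where `^[...]` is the inline-footnote syntax, so a Pandoc build of this document would turn every one of these navigation links into a footnote. GitHub-style renderers print the caret literally, which is presumably the intent; if the caret is only decoration, a plain `[Top](#top)` avoids the ambiguity.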
@ -101,8 +104,10 @@ UID 7b:
``` ```
## MIFARE Classic Gen1A aka UID ## MIFARE Classic Gen1A aka UID
^[Top](#top)
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -111,12 +116,14 @@ hf 14a info
``` ```
### Magic commands ### Magic commands
^[Top](#top)
* Wipe: `40(7)`, `41` (use 2000ms timeout) * Wipe: `40(7)`, `41` (use 2000ms timeout)
* Read: `40(7)`, `43`, `30xx`+crc * Read: `40(7)`, `43`, `30xx`+crc
* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc * Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
### Characteristics ### Characteristics
^[Top](#top)
* UID: Only 4b versions * UID: Only 4b versions
* ATQA: * ATQA:
@ -131,48 +138,56 @@ hf 14a info
* no card with ATS * no card with ATS
#### MIFARE Classic Gen1A flavour 1 #### MIFARE Classic Gen1A flavour 1
^[Top](#top)
* SAK: play blindly the block0 SAK byte, beware! * SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145 * PRNG: static 01200145
* Wipe: filled with 0xFF * Wipe: filled with 0xFF
#### MIFARE Classic Gen1A flavour 2 #### MIFARE Classic Gen1A flavour 2
^[Top](#top)
* SAK: play blindly the block0 SAK byte, beware! * SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145 * PRNG: static 01200145
* Wipe: filled with 0x00 * Wipe: filled with 0x00
#### MIFARE Classic Gen1A flavour 3 #### MIFARE Classic Gen1A flavour 3
^[Top](#top)
* SAK: 08 * SAK: 08
* PRNG: static 01200145 * PRNG: static 01200145
* Wipe: filled with 0xFF * Wipe: filled with 0xFF
#### MIFARE Classic Gen1A flavour 4 #### MIFARE Classic Gen1A flavour 4
^[Top](#top)
* SAK: 08 * SAK: 08
* PRNG: weak * PRNG: weak
* Wipe: timeout, no wipe * Wipe: timeout, no wipe
#### MIFARE Classic Gen1A flavour 5 #### MIFARE Classic Gen1A flavour 5
^[Top](#top)
* SAK: 08 * SAK: 08
* PRNG: weak * PRNG: weak
* Wipe: reply ok but no wipe performed * Wipe: reply ok but no wipe performed
#### MIFARE Classic Gen1A flavour 6 #### MIFARE Classic Gen1A flavour 6
^[Top](#top)
* SAK: 08 or 88 if block0_SAK most significant bit is set * SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak * PRNG: weak
* Wipe: timeout, no wipe * Wipe: timeout, no wipe
#### MIFARE Classic Gen1A flavour 7 #### MIFARE Classic Gen1A flavour 7
^[Top](#top)
* SAK: 08 or 88 if block0_SAK most significant bit is set * SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak * PRNG: weak
* Wipe: filled with 0x00 * Wipe: filled with 0x00
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
``` ```
hf mf csetuid hf mf csetuid
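Review bot: this hunk puts a Top link under each of the seven `#### MIFARE Classic Gen1A flavour N` headings, and each of those sections is only three bullets long, so the navigation line becomes a quarter of every section. Limiting the links to `#` and `##` (or at most `###`) headings would keep the back-to-top navigation without the noise.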
@ -219,6 +234,7 @@ hf 14a raw -t 1000 41
``` ```
### libnfc commands ### libnfc commands
^[Top](#top)
``` ```
nfc-mfsetuid nfc-mfsetuid
@ -227,10 +243,12 @@ nfc-mfclassic W a u mydump
``` ```
## MIFARE Classic Gen1B ## MIFARE Classic Gen1B
^[Top](#top)
Similar to Gen1A, but supports directly read/write after command 40 Similar to Gen1A, but supports directly read/write after command 40
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -239,15 +257,18 @@ hf 14a info
``` ```
### Magic commands ### Magic commands
^[Top](#top)
* Read: `40(7)`, `30xx` * Read: `40(7)`, `30xx`
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
## MIFARE Classic DirectWrite aka Gen2 aka CUID ## MIFARE Classic DirectWrite aka Gen2 aka CUID
^[Top](#top)
(also referred as MCT compatible by some sellers) (also referred as MCT compatible by some sellers)
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -260,12 +281,14 @@ Not all Gen2 cards can be identified with `hf 14a info`, only those replying to
To identify the other ones, you've to try to write to block0 and see if it works... To identify the other ones, you've to try to write to block0 and see if it works...
### Magic commands ### Magic commands
^[Top](#top)
Android compatible Android compatible
* issue regular write to block0 * issue regular write to block0
### Characteristics ### Characteristics
^[Top](#top)
* UID: 4b and 7b versions * UID: 4b and 7b versions
* ATQA: * ATQA:
@ -282,6 +305,7 @@ Android compatible
* some reply with an ATS * some reply with an ATS
#### MIFARE Classic DirectWrite flavour 1 #### MIFARE Classic DirectWrite flavour 1
^[Top](#top)
* UID 4b * UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware! * ATQA: play blindly the block0 ATQA bytes, beware!
@ -291,6 +315,7 @@ Android compatible
* PRNG: weak * PRNG: weak
#### MIFARE Classic DirectWrite flavour 2 #### MIFARE Classic DirectWrite flavour 2
^[Top](#top)
* UID 4b * UID 4b
* ATQA: fixed * ATQA: fixed
@ -300,6 +325,7 @@ Android compatible
* PRNG: weak * PRNG: weak
#### MIFARE Classic DirectWrite flavour 3 #### MIFARE Classic DirectWrite flavour 3
^[Top](#top)
* UID 4b * UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware! * ATQA: play blindly the block0 ATQA bytes, beware!
@ -309,6 +335,7 @@ Android compatible
* PRNG: weak * PRNG: weak
#### MIFARE Classic DirectWrite flavour 4 #### MIFARE Classic DirectWrite flavour 4
^[Top](#top)
* UID 7b * UID 7b
* ATQA: fixed * ATQA: fixed
@ -318,6 +345,7 @@ Android compatible
* PRNG: static 00000000 * PRNG: static 00000000
#### MIFARE Classic DirectWrite flavour 5 #### MIFARE Classic DirectWrite flavour 5
^[Top](#top)
* UID 4b * UID 4b
* ATQA: fixed * ATQA: fixed
@ -327,6 +355,7 @@ Android compatible
* PRNG: weak * PRNG: weak
#### MIFARE Classic DirectWrite flavour 6 #### MIFARE Classic DirectWrite flavour 6
^[Top](#top)
**TODO** need more info **TODO** need more info
@ -334,6 +363,7 @@ Android compatible
* ATS: 0D780071028849A13020150608563D * ATS: 0D780071028849A13020150608563D
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
``` ```
hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869 hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 11223344440804006263646566676869
@ -367,12 +397,14 @@ hf 14a config --std
hf 14a reader hf 14a reader
``` ```
## MIFARE Classic DirectWrite, FUID version aka 1-write ## MIFARE Classic DirectWrite, FUID version aka 1-write
^[Top](#top)
Same as MIFARE Classic DirectWrite, but block0 can be written only once. Same as MIFARE Classic DirectWrite, but block0 can be written only once.
Initial UID is AA55C396 Initial UID is AA55C396
### Identify ### Identify
^[Top](#top)
Only possible before personalization. Only possible before personalization.
@ -383,14 +415,17 @@ hf 14a info
``` ```
## MIFARE Classic DirectWrite, UFUID version ## MIFARE Classic DirectWrite, UFUID version
^[Top](#top)
Same as MIFARE Classic DirectWrite, but block0 can be locked with special command. Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.
### Identify ### Identify
^[Top](#top)
**TODO** **TODO**
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
To lock definitively block0: To lock definitively block0:
``` ```
@ -401,6 +436,7 @@ hf 14a raw -c 85000000000000000000000000000008
``` ```
## MIFARE Classic, other versions ## MIFARE Classic, other versions
^[Top](#top)
**TODO** **TODO**
@ -408,8 +444,10 @@ hf 14a raw -c 85000000000000000000000000000008
* Some cards exhibit a specific SAK=28 ?? * Some cards exhibit a specific SAK=28 ??
## MIFARE Classic Gen3 aka APDU ## MIFARE Classic Gen3 aka APDU
^[Top](#top)
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -418,6 +456,7 @@ hf 14a info
``` ```
### Magic commands ### Magic commands
^[Top](#top)
Android compatible Android compatible
@ -442,6 +481,7 @@ Writing to block 0 has some side-effects:
* On 4-byte UID cards, BCC byte is automatically corrected. * On 4-byte UID cards, BCC byte is automatically corrected.
### Characteristics ### Characteristics
^[Top](#top)
* UID: 4b and 7b versions * UID: 4b and 7b versions
* ATQA/SAK: fixed * ATQA/SAK: fixed
@ -449,6 +489,7 @@ Writing to block 0 has some side-effects:
* ATS: none * ATS: none
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
``` ```
# change just UID: # change just UID:
@ -476,6 +517,7 @@ hf 14a raw -s -c 90FD111100
``` ```
## MIFARE Classic Super ## MIFARE Classic Super
^[Top](#top)
It behaves like DirectWrite but records reader auth attempts. It behaves like DirectWrite but records reader auth attempts.
@ -487,6 +529,7 @@ To do reader-only attack: at least two versions exist.
* type 2: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ?? * type 2: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ??
### Identify ### Identify
^[Top](#top)
Only type 1 at the moment: Only type 1 at the moment:
@ -497,8 +540,10 @@ hf 14a info
``` ```
# MIFARE Ultralight # MIFARE Ultralight
^[Top](#top)
## MIFARE Ultralight blocks 0..2 ## MIFARE Ultralight blocks 0..2
^[Top](#top)
``` ```
SN0 SN1 SN2 BCC0 SN0 SN1 SN2 BCC0
@ -518,6 +563,7 @@ Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C
## MIFARE Ultralight Gen1A ## MIFARE Ultralight Gen1A
^[Top](#top)
### Identify ### Identify
@ -538,6 +584,7 @@ Only 7b versions
**TODO** need more tests **TODO** need more tests
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
``` ```
script run hf_mfu_setuid -h script run hf_mfu_setuid -h
@ -551,8 +598,10 @@ script run hf_mf_magicrevive -u
``` ```
## MIFARE Ultralight DirectWrite ## MIFARE Ultralight DirectWrite
^[Top](#top)
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -563,10 +612,12 @@ hf 14a info
It seems so far that all MFUL DW have an ATS. It seems so far that all MFUL DW have an ATS.
### Magic commands ### Magic commands
^[Top](#top)
Issue three regular MFU write commands in a row to write first three blocks. Issue three regular MFU write commands in a row to write first three blocks.
### Characteristics ### Characteristics
^[Top](#top)
* UID: Only 7b versions * UID: Only 7b versions
* ATQA: * ATQA:
@ -580,18 +631,21 @@ Issue three regular MFU write commands in a row to write first three blocks.
* all cards reply with an ATS * all cards reply with an ATS
#### MIFARE Ultralight DirectWrite flavour 1 #### MIFARE Ultralight DirectWrite flavour 1
^[Top](#top)
* BCC: computed * BCC: computed
* ATS: 0A78008102DBA0C119402AB5 * ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails * Anticol shortcut (CL1/3000): fails
#### MIFARE Ultralight DirectWrite flavour 2 #### MIFARE Ultralight DirectWrite flavour 2
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AB00000000000000000184D * ATS: 850000A00A000AB00000000000000000184D
* Anticol shortcut (CL1/3000): succeeds * Anticol shortcut (CL1/3000): succeeds
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
``` ```
hf mfu setuid -h hf mfu setuid -h
@ -620,6 +674,7 @@ hf 14a reader
``` ```
### libnfc commands ### libnfc commands
^[Top](#top)
``` ```
nfc-mfultralight -h nfc-mfultralight -h
@ -627,14 +682,17 @@ nfc-mfultralight -h
See `--uid` and `--full` See `--uid` and `--full`
### Android ### Android
^[Top](#top)
* MIFARE++ Ultralight * MIFARE++ Ultralight
## MIFARE Ultralight EV1 DirectWrite ## MIFARE Ultralight EV1 DirectWrite
^[Top](#top)
Similar to MFUL DirectWrite Similar to MFUL DirectWrite
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -643,6 +701,7 @@ hf 14a info
``` ```
### Characteristics ### Characteristics
^[Top](#top)
* UID: Only 7b versions * UID: Only 7b versions
* ATQA: * ATQA:
@ -655,24 +714,29 @@ hf 14a info
* all cards reply with an ATS * all cards reply with an ATS
#### MIFARE Ultralight EV1 DirectWrite flavour 1 #### MIFARE Ultralight EV1 DirectWrite flavour 1
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A000000AC30004030101000B0341DF * ATS: 850000A000000AC30004030101000B0341DF
#### MIFARE Ultralight EV1 DirectWrite flavour 2 #### MIFARE Ultralight EV1 DirectWrite flavour 2
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AC30004030101000B0316D7 * ATS: 850000A00A000AC30004030101000B0316D7
## MIFARE Ultralight C Gen1A ## MIFARE Ultralight C Gen1A
^[Top](#top)
Similar to MFUL Gen1A Similar to MFUL Gen1A
## MIFARE Ultralight C DirectWrite ## MIFARE Ultralight C DirectWrite
^[Top](#top)
Similar to MFUL DirectWrite Similar to MFUL DirectWrite
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -681,6 +745,7 @@ hf 14a info
``` ```
### Characteristics ### Characteristics
^[Top](#top)
* UID: Only 7b versions * UID: Only 7b versions
* ATQA: * ATQA:
@ -693,18 +758,22 @@ hf 14a info
* all cards reply with an ATS * all cards reply with an ATS
#### MIFARE Ultralight C DirectWrite flavour 1 #### MIFARE Ultralight C DirectWrite flavour 1
^[Top](#top)
* BCC: computed * BCC: computed
* ATS: 0A78008102DBA0C119402AB5 * ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails * Anticol shortcut (CL1/3000): fails
# NTAG # NTAG
^[Top](#top)
## NTAG213 DirectWrite ## NTAG213 DirectWrite
^[Top](#top)
Similar to MFUL DirectWrite Similar to MFUL DirectWrite
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -713,6 +782,7 @@ hf 14a info
``` ```
### Characteristics ### Characteristics
^[Top](#top)
* UID: Only 7b versions * UID: Only 7b versions
* ATQA: * ATQA:
@ -725,14 +795,17 @@ hf 14a info
* all cards reply with an ATS * all cards reply with an ATS
#### NTAG213 DirectWrite flavour 1 #### NTAG213 DirectWrite flavour 1
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 0A78008102DBA0C119402AB5 * ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): succeeds * Anticol shortcut (CL1/3000): succeeds
## NTAG21x ## NTAG21x
^[Top](#top)
### Identify ### Identify
^[Top](#top)
``` ```
hf 14a info hf 14a info
@ -741,6 +814,7 @@ hf 14a info
``` ```
### Characteristics ### Characteristics
^[Top](#top)
Emulates fully NTAG213, 213F, 215, 216, 216F Emulates fully NTAG213, 213F, 215, 216, 216F
@ -749,12 +823,14 @@ Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K
Anticol shortcut (CL1/3000): fails Anticol shortcut (CL1/3000): fails
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
``` ```
script run hf_mfu_magicwrite -h script run hf_mfu_magicwrite -h
``` ```
# DESFire # DESFire
^[Top](#top)
## "DESFire" APDU, 7b UID ## "DESFire" APDU, 7b UID
@ -769,6 +845,7 @@ Android compatible
* issue special APDUs * issue special APDUs
### Characteristics ### Characteristics
^[Top](#top)
* ATQA: 0344 * ATQA: 0344
* SAK: 20 * SAK: 20
@ -777,6 +854,7 @@ Android compatible
Only mimics DESFire anticollision (but wrong ATS), no further DESFire support Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
### Proxmark commands ### Proxmark commands
^[Top](#top)
UID 04112233445566 UID 04112233445566
``` ```
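Review bot: while these headings are being touched, `### Proxmark commands` here (and again in the 4b UID section below) differs from `### Proxmark3 commands` used everywhere else in the file; renaming it keeps the heading set consistent and the generated anchors predictable.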
@ -788,6 +866,7 @@ hf 14a apdu -s 00ab00000704112233445566
``` ```
### libnfc commands ### libnfc commands
^[Top](#top)
``` ```
pn53x-tamashell pn53x-tamashell
@ -795,14 +874,17 @@ pn53x-tamashell
420200ab00000704112233445566 420200ab00000704112233445566
``` ```
## "DESFire" APDU, 4b UID ## "DESFire" APDU, 4b UID
^[Top](#top)
### Magic commands ### Magic commands
^[Top](#top)
Android compatible Android compatible
* issue special APDUs * issue special APDUs
### Characteristics ### Characteristics
^[Top](#top)
* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything * ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
* SAK: 20 * SAK: 20
@ -811,6 +893,7 @@ Android compatible
Only mimics DESFire anticollision (but wrong ATS), no further DESFire support Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
### Proxmark commands ### Proxmark commands
^[Top](#top)
UID 04112233445566 UID 04112233445566
``` ```
@ -824,12 +907,14 @@ hf 14a apdu -s 00ab00000411223344
It accepts longer UID but that doesn't affect BCC/ATQA/SAK It accepts longer UID but that doesn't affect BCC/ATQA/SAK
### pn53x-tamashell commands ### pn53x-tamashell commands
^[Top](#top)
``` ```
4a0100 4a0100
420200ab00000411223344 420200ab00000411223344
``` ```
### Remarks ### Remarks
^[Top](#top)
The same effect (with better ATQA!) can be obtained with a MFC Gen1A that uses SAK defined in block0: The same effect (with better ATQA!) can be obtained with a MFC Gen1A that uses SAK defined in block0:
@ -844,22 +929,27 @@ hf 14a info
``` ```
# ISO14443B # ISO14443B
^[Top](#top)
## ISO14443B magic ## ISO14443B magic
^[Top](#top)
No such card is available. No such card is available.
Some vendor allow to specify an ID (PUPI) when ordering a card. Some vendor allow to specify an ID (PUPI) when ordering a card.
# ISO15693 # ISO15693
^[Top](#top)
## ISO15693 magic ## ISO15693 magic
^[Top](#top)
### Identify ### Identify
**TODO** **TODO**
### Proxmark3 commands ### Proxmark3 commands
^[Top](#top)
Always set a UID starting with `E0`. Always set a UID starting with `E0`.
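Review bot: `### Identify` under `## ISO15693 magic` is the one heading in this hunk that does not get a `^[Top](#top)` line (the `**TODO**` follows it directly), unlike every other `### Identify` in the diff; either add it here for consistency or drop the link from `###` headings throughout.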
@ -874,8 +964,11 @@ script run hf_15_magic -u E004013344556677
<a id="g4top"></a> <a id="g4top"></a>
# Multi # Multi
^[Top](#top)
## Gen 4 GTU ## Gen 4 GTU
^[Top](#top)
A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands. A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands.
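Review bot: the `# Multi` heading keeps its own explicit `<a id="g4top"></a>` anchor while the new link above it relies on the implicit `#top`; giving `#top` an explicit anchor too would make both navigation targets resolve the same way. While here, `promenent` in the Gen 4 GTU description should read `prominent`, and `A.k.a` is normally written `a.k.a.`.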