From fb9e79190e122464fac1b1047fd405534881ad4d Mon Sep 17 00:00:00 2001 From: temskiy Date: Tue, 14 Nov 2023 18:19:49 +0700 Subject: [PATCH 1/2] Add some info about UMC --- CHANGELOG.md | 1 + doc/magic_cards_notes.md | 36 ++++++++++++++++++++++++++---------- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 398e369bd..289701649 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added some info about UMC in "doc/magic_cards_notes.md" (@temskiy) ## [Faraday.4.17511][2023-11-13] - Fixed Python support of `experimental_client_with_swig` (@doegox) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index ab125ffb6..b70954774 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -1656,7 +1656,7 @@ Example usage Special raw commands summary: ``` -CF 32 <00-03> // Configure GTU shadow mode +CF 32 <00-04> // Configure GTU shadow mode CF 34 <1b length><0-16b ATS> // Configure ATS CF 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQA bytes) CF 68 <00-02> // Configure UID length @@ -1823,7 +1823,7 @@ Ultralight mode, 10b UID * UID and ATQB are configured according to block0 with a (14a) backdoor write. * UID size is always 4 bytes. -* 14B will show up only on new cards. +* 14B will show up only on new cards. (Need more test on new card. Example not work) Example: ``` @@ -1908,6 +1908,15 @@ This mode is divided into four states: off (pre-write), on (on restore), don’t If you use it, please enter the pre-write mode first. At this time, write the full card data. After writing, set it to on. At this time, after writing the data, the first time you read the data just written, the next time you read It is the pre-written data. All modes support this operation. It should be noted that using any block to read and write in this mode may give wrong results. +*This is very starnge and fuzzed descripotion. I don`t understand how it can work, if "using any block to read and write in this mode may give wrong result" ? Maybe this mode not work for old card too?* + +Modes description for new UMC (configured as MFC for example): + +Mode 2(3): This mode have persistent buffer. All standart command (rdbl, wrbl e.t.c) and all backdoor (gsetblk, ggetblk, gload e.t.c.) commands use this buffer +Mode 0: This mode have persistent buffer too. Standart read command use this buffer. Write command use this buffer AND buffer mode 2 +Mode 4: Here no any buffers. Read command use buffer mode0 and write command use buffer mode 2. This is split mode. +Mode 1: Crazy mode. For new card this mode looks like a bug. Reading/writing first two block use buffer mode 2. Reading other block use (it`s only my oppinion) invalid region of memory and all data looks like pseudo-random. This data is immutable. And acl for all blocks is incorrect. But data is readable... by keys and acl wich was written in buffer mode 0. Write command in this mode use copy of buffer mode 0 and only it. It`s not affected any other buffers. So if you change keys or/and acl you will must use new keys to read data. + Example: `script run hf_mf_ultimatecard -w 1 -g 00 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111 -g 01` * -w 1 = wipe the card in Ultralight Mode @@ -1932,9 +1941,10 @@ hf 14a raw -s -c -t 1000 CF32<1b param> * `` * `00`: pre-write, shadow data can be written * `01`: restore mode - - WARNING: new UMC (06a0) cards return garbage data when using 01, please use 04! + - WARNING: new UMC (06a0) cards return garbage data when using 01 * `02`: disabled * `03`: disabled, high speed R/W mode for Ultralight? + * `04`: split mode, work with new UMC. With old UMC is untested. ### Direct block read and write ^[Top](#top) ^^[Gen4](#g4top) @@ -2014,7 +2024,7 @@ hf 14a raw -s -c -t 1000 CFC6 Default configuration: ``` 00000000000002000978009102DABC191010111213141516040008006B024F6B - ^^^^ ?? + ^^^^ CRC, type unknown ^^ cf cmd cf: block0 direct write setting, factory value 0x02 ^^ cf cmd 6b: maximum read/write sectors, factory value 0x6b ^^ cf cmd 6a: UL mode @@ -2078,32 +2088,38 @@ hf 14a raw -s -c -t 1000 CF00000000F000010000000002000978009102DABC1910101112131 **Ultralight** ``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000003 +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000003FB ``` **Ultralight-C** ``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000002 +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000002FB ``` **Ultralight EV1** ``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000 +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000FB ``` **NTAG21x** ``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001 +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001FB ``` ### Version and Signature ^[Top](#top) ^^[Gen4](#g4top) +Don`t forget to set up maximum read/write sectors direcly in config or use command 6B + +``` +hf mf raw -s -c -t 1000 CF000000006BFB +``` + Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249. Example for an Ultralight EV1 128b with the signature sample from tools/recover_pk.py ``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000 +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000FB hf mfu wrbl -b 0 -d 04C12865 hf mfu wrbl -b 1 -d 5A373080 hf mfu wrbl -b 242 -d CEA2EB0B --force @@ -2121,7 +2137,7 @@ hf mfu info Example for an NTAG216 with the signature sample from tools/recover_pk.py ``` -hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001 +hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001FB hf mfu wrbl -b 0 -d 04E10C61 hf mfu wrbl -b 1 -d DA993C80 hf mfu wrbl -b 242 -d 8B76052E --force From c9246f06be1c1b6f59419b0523383ff8884f8597 Mon Sep 17 00:00:00 2001 From: Artem V Gnatyuk <31589761+temskiy@users.noreply.github.com> Date: Mon, 20 Nov 2023 01:07:21 +0700 Subject: [PATCH 2/2] Fix mistakes. Removed unnecessary. Signed-off-by: Artem V Gnatyuk <31589761+temskiy@users.noreply.github.com> --- doc/magic_cards_notes.md | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index b70954774..ecae5fc68 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -1592,7 +1592,7 @@ There are two ways to program this card. ***OR*** - 2. Use the hf_mf_ultimatecard.lua script commands designated but the `script run hf_mf_ultimatecard` examples. + 2. Use the hf_mf_ultimatecard.lua script commands designated but the `script run hf_mf_ultimatecard` examples. This script is nof fully compartible with new version UMC. script run hf_mf_ultimatecard.lua -h @@ -1823,7 +1823,7 @@ Ultralight mode, 10b UID * UID and ATQB are configured according to block0 with a (14a) backdoor write. * UID size is always 4 bytes. -* 14B will show up only on new cards. (Need more test on new card. Example not work) +* 14B will show up only on new cards. (Need more tests on new card. Example not work) Example: ``` @@ -1904,20 +1904,21 @@ hf 14a raw -s -c -t 1000 CF000000006B3F ### Set shadow mode (GTU) ^[Top](#top) ^^[Gen4](#g4top) -This mode is divided into four states: off (pre-write), on (on restore), don’t care, and high-speed read and write. -If you use it, please enter the pre-write mode first. At this time, write the full card data. -After writing, set it to on. At this time, after writing the data, the first time you read the data just written, the next time you read It is the pre-written data. All modes support this operation. It should be noted that using any block to read and write in this mode may give wrong results. +This description of shadow modes wroted by seller at marketpalces: -*This is very starnge and fuzzed descripotion. I don`t understand how it can work, if "using any block to read and write in this mode may give wrong result" ? Maybe this mode not work for old card too?* +>This mode is divided into four states: off (pre-write), on (on restore), don’t care, and high-speed read and write. If you use it, please enter the pre-write mode first. At this time, write the full card data. After writing, set it to on. At this time, after writing the data, the first time you read the data just written, the next time you read It is the pre-written data. All modes support this operation. It should be noted that using any block to read and write in this mode may give wrong results. -Modes description for new UMC (configured as MFC for example): +And these conclusions were made after a number of tests with UMC (new version, configured as MFC for example): -Mode 2(3): This mode have persistent buffer. All standart command (rdbl, wrbl e.t.c) and all backdoor (gsetblk, ggetblk, gload e.t.c.) commands use this buffer -Mode 0: This mode have persistent buffer too. Standart read command use this buffer. Write command use this buffer AND buffer mode 2 -Mode 4: Here no any buffers. Read command use buffer mode0 and write command use buffer mode 2. This is split mode. -Mode 1: Crazy mode. For new card this mode looks like a bug. Reading/writing first two block use buffer mode 2. Reading other block use (it`s only my oppinion) invalid region of memory and all data looks like pseudo-random. This data is immutable. And acl for all blocks is incorrect. But data is readable... by keys and acl wich was written in buffer mode 0. Write command in this mode use copy of buffer mode 0 and only it. It`s not affected any other buffers. So if you change keys or/and acl you will must use new keys to read data. +| Mode | Buffer | Standart command (rdbl, wrbl e.t.c) | Backdoor command (gsetblk, ggetblk, gload e.t.c.) | +|------|--------|-----------------------------------------|---------------------------------------------------| +| 2,3 | buf23 | read/write from/to buf23 | read/write from/to buf23 | +| 0 | buf0 | read from buf0, write to buf0 and buf23 | read/write from/to buf23 | +| 4 | - | read from buf0, write to buf23 | read/write from/to buf23 | -Example: +Mode 1: For new card this mode looks like a bug. Reading/writing first two block use *buf23*. Reading other blocks use invalid region of memory and all returned data looks like pseudo-random. All acl looks like invalid. All data is readable by the keys and acl wich was written in *buf0*. Any writing operations in this mode use copy of *buf0* and only it. It`s not affected any other buffers. So if you change keys or/and acl you will must use new keys to read data. + +Example (not work with new UMC): `script run hf_mf_ultimatecard -w 1 -g 00 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111 -g 01` * -w 1 = wipe the card in Ultralight Mode * -g 00 = turn on pre-write mode @@ -2109,12 +2110,14 @@ hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC1910101112131 ### Version and Signature ^[Top](#top) ^^[Gen4](#g4top) -Don`t forget to set up maximum read/write sectors direcly in config or use command 6B +Don`t forget configure maximum read/write blocks. It`s can be adjusted directly in config (see *Dump configuration*) or by command 6B: ``` hf mf raw -s -c -t 1000 CF000000006BFB ``` +Note: 0xFB = 251 + Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249. Example for an Ultralight EV1 128b with the signature sample from tools/recover_pk.py