Merge pull request #2169 from team-orangeBlue/NotesRevisedRevised

The fix to the completely fixed magic notes
This commit is contained in:
Iceman 2023-11-09 08:18:39 +01:00 committed by GitHub
commit 4ca3f2c3b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 575 additions and 127 deletions

View file

@ -53,6 +53,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Modified `hf iclass configcard` to only support online mode (@Antiklesys)
- Modified `hf iclass configcard` command to generate config cards without a cardhelper module by porting the contents of blocks 6 & 7 from nfc-iclass (@Antiklesys)
- Fixed `hf iclass info` command showing incorrectly in offline mode (@Antiklesys)
- The "doc/magic_cards_notes.md" file has been rebuilt, filled up, and so on. (@team-orangeBlue)
## [Raccoon.4.17140][2023-09-09]
- Changed text and adjust pm3_test case for mf_aes_brute (@doegox)
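Review bot: the new changelog entry ("has been rebuilt, filled up, and so on") does not tell a reader what changed; a changelog line should name the additions visible in this PR (LF ID82xx/H-series chips, USCUID configuration guide, UL series (RU), Tiananxin TCOS, SID and NSCK-II) instead of "and so on". Also the entry is placed directly against the `## [Raccoon.4.17140][2023-09-09]` header with no blank line between them, unlike the other release boundaries in this file.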

View file

@ -8,20 +8,29 @@ Useful docs:
# Table of Contents
- [Low frequency](#low-frequency)
* [T55xx](#t55xx)
* [EM4x05](#em4x05)
* [ID82xx series](#id82xx-series)
* [ID8265](#id8265)
* [ID-F8268](#id-f8268)
* [K8678](#k8678)
* [H series](#h-series)
* [H1](#h1)
* [H5.5 / H7](h55--h7)
* [i57 / i57v2](#i57--i57v2)
- [ISO14443A](#iso14443a)
* [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic)
- [MIFARE Classic](#mifare-classic)
* [MIFARE Classic block0](#mifare-classic-block0)
* [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
* [MIFARE Classic Gen1B](#mifare-classic-gen1b)
* [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming)
* [MIFARE Classic OTP2](#mifare-classic-otp2)
* [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
* [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
* [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version)
* [MIFARE Classic, other versions](#mifare-classic-other-versions)
* [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu)
* [MIFARE Classic Gen4 aka GDM](#mifare-classic-gen4-aka-gdm)
* [MIFARE Classic USCUID](#mifare-classic-uscuid)
* [MIFARE Classic, other versions](#mifare-classic-other-versions)
* [MIFARE Classic Super](#mifare-classic-super)
- [MIFARE Ultralight](#mifare-ultralight)
* [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02)
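Review bot: the `H5.5 / H7` TOC link is missing its `#` (`(h55--h7)` should be `(#h55--h7)`), so it renders as a relative URL instead of an in-page anchor. Also `[MIFARE Classic, other versions](#mifare-classic-other-versions)` appears twice in this hunk, once after the UFUID entry and once after USCUID; if the first copy is the line being removed that is fine, otherwise one of them should go.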
@ -30,6 +39,11 @@ Useful docs:
* [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite)
* [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a)
* [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite)
* [UL series (RU)](#ul-series-ru)
* [UL-Y](#ul-y)
* [ULtra](#ultra)
* [UL-5](#ul-5)
* [UL, other chips](#ul-other-chips)
- [NTAG](#ntag)
* [NTAG213 DirectWrite](#ntag213-directwrite)
* [NTAG21x](#ntag21x)
@ -37,12 +51,195 @@ Useful docs:
* ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid)
* ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid)
- [ISO14443B](#iso14443b)
* [ISO14443B magic](#iso14443b-magic)
* [Tiananxin TCOS CPU card](#tiananxin-tcos-cpu-card)
- [ISO15693](#iso15693)
* [ISO15693 magic](#iso15693-magic)
- [Multi](#multi)
* [Gen 4 GTU](#gen-4-gtu)
* [UMC](#umc)
- [Other](#other)
* [SID](#sid)
* [NSCK-II](#nsck-ii)
# Low frequency
## T55xx
^[Top](#top)
The temic T55xx/Atmel ATA5577 is the most commonly used chip for cloning LF RFIDs.
A useful document can be found [here](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/T5577_Guide.md).
### Characteristics
* 28/24 bytes of user memory (without/with password)
* Universal output settings (data rate, modulation, etc)
* Password protection (4 bytes), usually "19920427"
* Lock bits per page
* Analog frontend setup
* Other names:
* 5577
* 5200 (CN)
- Cut down version of T55xx chip (no analog frontend setup, no test mode support).
* H2 (RU)
- Seems to be renamed 5200 chip.
* RW125T5 (RU)
* Old variant "T5555" is hard to come across
### Detect
```
[usb] pm3 --> lf search
...
[+] Chipset detection: T55xx
```
This will **not** work if you have a downlink mode other than fixed bit length!
### Commands
*See ATMEL ATA5577C datasheet for sending commands to chip*
* **Do not mix "password read" and "regular write" commands! You risk potentially writing incorrect data.
* When replying, the chip will use the modulation and data rate specified in block 0.
## EM4x05
^[Top](#top)
The EM4305 and EM4205 (and 4469/4569) chips are the 2nd most common used chips for cloning LF RFIDs.
It is also used by HID Global (but with a custom chip) for HIDProx credentials.
### Characteristics
* 36 bytes of user memory
* Output settings are limited (ASK only, FSK added on HID variant)
* Password protection (4 bytes), usually "84AC15E2"
* Lock page used
* Other names:
* H3 (RU)
* RW125EM (RU)
### Detect
```
[usb] pm3 --> lf search
...
[+] Chipset detection: EM4x05 / EM4x69
```
### Commands
*See EM microelectronic EM4305 datasheet for sending commands to chip*
## ID82xx series
^[Top](#top)
These are custom chinese chips designed to clone EM IDs only. Often times, these are redesigned clones of Hitag chips.
### ID8265
^[Top](#top)
This is the cheapest and most common ID82xx chip available. It is usually sold as T55xx on AliExpress, with excuses to use cloners.
#### Characteristics
* Chip is likely a Hitag μ (micro)
* Password protection (4b), usually "1AC4999C"
* Currently unimplemented in proxmark3 client
* Other names:
* ID8210 (CN)
* H-125 (CN)
* H5 (RU)
- The sales of "H5" have been ceased because "the chip was leaked".
#### Detect
```
[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00011 -s 3000
[usb] pm3 --> data plot
```
Check the green line of the plot. It must be a straight line at the end with no big waves.
### ID-F8268
^[Top](#top)
This is an "improved" variant of ID82xx chips, bypassing some magic detection in China.
#### Characteristics
* Chip is likely a Hitag 1
* Unsure whether password protection is used
* Currently unimplemeneted in proxmark3 client
* Other names:
- F8278 (CN)
- F8310 (CN)
#### Detect
```
[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000
[usb] pm3 --> data plot
```
Check the green line of the plot. It must be a straight line at the end with no big waves.
### K8678
^[Top](#top)
This is an "even better" chip, manufactured by Hyctec.
#### Characteristics
* Chip is likely a Hitag S256
* Plain mode used, no password protection
* Currently unimplemented in proxmark3 client
* Memory access is odd (chip doesnt reply to memory access commands for unknown reason)
#### Detect
```
[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000
[usb] pm3 --> data plot
```
Check the green line of the plot. It must be a straight line at the end with no big waves.
## H series
^[Top](#top)
These are chips sold in Russia, manufactured by iKey LLC. Often times these are custom.
### H1
^[Top](#top)
Simplest EM ID cloning chip available. Officially discontinued.
#### Characteristics
* Currently almost all structure is unknown
* No locking or password protection
* "OTP" chip is same chip, but with EM ID of zeroes. Locked after first write
* Other names:
* RW64bit
* RW125FL
### H5.5 / H7
^[Top](#top)
First "advanced" custom chip with H naming.
#### Characteristics
* Currently all structure is unknown
* No password protection
* Only supported by Russian "TMD"/"RFD" cloners
* H7 is advertised to work with "Stroymaster" access control
* Setting ID to "3F0096F87E" will make the chip show up like T55xx
### i57 / i57v2
\[ Chip is discontinued, no info \]
# ISO14443A
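Review bot: the Detect blocks for ID-F8268 and K8678 are byte-for-byte identical (`lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000` followed by the same "straight line, no big waves" plot check), so the text gives the reader no way to tell the two chips apart; either say what differs in the plot or state that this method cannot distinguish them. Smaller points in the same hunk: "unimplemeneted" and "doesnt" are typos, the `* **Do not mix "password read" and "regular write" commands!` bullet opens bold with `**` and never closes it, and "Chip is likely a Hitag ..." appears for all three ID82xx chips without saying what the guess is based on (a command that works, a datasheet match), which is the one fact a practitioner would want before trying Hitag commands on them.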
@ -109,7 +306,8 @@ UID 7b:
## MIFARE Classic Gen1A aka UID
^[Top](#top)
aka MF ZERO
* Other names:
- ZERO (RU)
### Identify
^[Top](#top)
@ -267,16 +465,17 @@ hf 14a info
* Read: `40(7)`, `30xx`
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
## MIFARE Classic Gen1A OTP/One Time Programming
## MIFARE Classic OTP2
^[Top](#top)
aka MF OTP 2.0
Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command.
Initial UID is 00000000
### Characteristics
All bytes are 00 from factory wherever possible.
* Initial UID is 00000000
* BCC: unknown
* SAK/ATQA: fixed
* All bytes are 00 from factory wherever possible.
### Identify
^[Top](#top)
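Review bot: "Initial UID is 00000000" and "All bytes are 00 from factory wherever possible." each appear twice in this hunk, once as a free paragraph and once as a Characteristics bullet; if both copies survive the change, keep only the bulleted ones so the section matches the Characteristics layout used for FUID below. The OTP/OTP2 heading rename should also be reflected in the TOC entry `[MIFARE Classic Gen1A OTP/One Time Programming]`, which still carries the old title.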
@ -287,6 +486,7 @@ Only possible before personalization.
hf 14a info
...
[+] Magic capabilities : Gen 1a
[+] Prng detection: hard
```
### Magic commands
@ -299,6 +499,11 @@ hf 14a info
(also referred as MCT compatible by some sellers)
* Other names:
* MF-8 (RU)
* MF3 (RU)
- What's so special about this chip in particular..?
### Identify
^[Top](#top)
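Review bot: the added sub-bullet `- What's so special about this chip in particular..?` under `MF3 (RU)` is an open question left in reference text; either state what is known about MF3 (how it differs from MF-8, if at all) or drop the line rather than shipping a question to the reader.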
@ -442,16 +647,19 @@ hf 14a reader
## MIFARE Classic DirectWrite, FUID version aka 1-write
^[Top](#top)
aka MF OTP
Same as MIFARE Classic DirectWrite, but block0 can be written only once.
Initial UID is AA55C396
* Other names:
- OTP (RU)
### Characteristics
* Initial UID is AA55C396
### Identify
^[Top](#top)
Only possible before personalization.
Only possible before personalization. *It is also possible after, but unknown how.*
```
hf 14a info
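Review bot: `Only possible before personalization. *It is also possible after, but unknown how.*` contradicts itself within one line and gives the reader nothing actionable; if identification after personalization has been observed, say what was observed (which command, which reply), otherwise keep the original "Only possible before personalization." as it stood.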
@ -459,28 +667,6 @@ hf 14a info
[+] Magic capabilities : Write Once / FUID
```
## MIFARE Classic DirectWrite, UFUID version
^[Top](#top)
Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.
### Identify
^[Top](#top)
**TODO**
### Proxmark3 commands
^[Top](#top)
To lock definitively block0:
```
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c e000
hf 14a raw -k -c e100
hf 14a raw -c 85000000000000000000000000000008
```
## MIFARE Classic Gen3 aka APDU
^[Top](#top)
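Review bot: removing the whole UFUID section drops the only place that documents the lock sequence (`hf 14a raw -a -k -b 7 40`, `43`, `e000`, `e100`, `85000000000000000000000000000008`); UFUID is listed as a USCUID variation in this PR and the TOC in this same diff still has `[MIFARE Classic DirectWrite, UFUID version]`, so either move that sequence under the USCUID variations table or keep a stub here that points there, and update the TOC entry accordingly.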
@ -554,85 +740,131 @@ hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000
hf 14a raw -s -c 90FD111100
```
## MIFARE Classic Gen4 aka GDM
## MIFARE Classic USCUID
^[Top](#top)
Tag has shadow mode enabled from start.
Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds
off rfid field.
Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory.
TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85.
All of the known tags using this, except for Ultralight tags, are listed here.
The persistent memory is also writable. For that tag uses its own backdoor commands.
for example to write, you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000.
Then send the data to be written.
This tag has simular commands to the [UFUID](#mifare-classic-directwrite-ufuid-version)
This indicates that both tagtypes are developed by the same person.
**OBS**
When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag.
**OBS**
It is possible to write a configuration that perma locks the tag, i.e. no more magic
### Identify
^[Top](#top)
```
hf 14a info
...
[+] Magic capabilities : Gen 4 GDM
```
### Magic commands
^[Top](#top)
* Auth: `80xx`+crc
* Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
* Read config: `E000`+crc
* Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
You cannot turn a Classic tag into an Ultralight and vice-versa!
### Characteristics
^[Top](#top)
* Have no knowledge in ATQA/SAK/BCC quirks or if there is a wipe, softbrick recover
* Its magic part seem to be three identified custom command.
* Auth command 0x80, with the key 0x0000000000, Write 0xA8 allows writing to persistent memory, Read 0xE0 which seems to return a configuration. This is unknown today what these bytes are.
* UID: 4/7 bytes
* ATQA: always read from block 0
* SAK: read from backdoor or configuration
* BCC: read from memory, beware!
* ATS: no/unknown
Read config:
1. sending custom auth with all zeros key
2. send 0xE000, will return the configuration bytes.
`results: 850000000000000000005A5A00000008`
### Magic commands
^[Top](#top)
* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
- Backdoor read: `38xx+crc`
- Backdoor write: `A8xx+crc`, `[16 bytes data]+crc`
Mapping of configuration bytes so far:
- Read configuration: `E000+crc`
- Write configuration: `E100+crc`; `[16 bytes data]+crc`
* Magic wakeup (A: 00): `40(7)`, `43`
* Magic wakeup (B: 85): `20(7)`, `23`
- Backdoor read main block: `30xx+crc`
- Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc`
- Read hidden block: `38xx+crc`
- Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
- Read configuration: `E000+crc`
- Write configuration: `E100+crc`
**DANGER**
- Set main memory and config to 00 `F000+crc`
- Set main memory and config to FF `F100+crc`
- Set main memory and config to 55 (no 0A response) `F600+crc`
- Set backdoor memory to 00 `F800+crc`
- Set backdoor memory to FF `F900+crc`
- Set backdoor memory to 55 (no 0A response) `FE00+crc`
### USCUID configuration guide
^[Top](#top)
1. Configuration
```
850000000000000000005A5A00000008
^^ --> SAK
85000000000000000000000000000008
^^^^^^ ^^ ^^ >> ??? Mystery ???
^^^^ >> Gen1a mode (works with bitflip)
^^ >> Magic wakeup command (00 for 40-43; 85 for 20-23)
^^ >> Block use of Key B if readable by ACL
^^ >> CUID mode
^^ >> MFC EV1 CL2 Perso config*
^^ >> Shadow mode**
^^ >> Magic Auth command
^^ >> Static encrypted nonce mode
^^ >> Signature sector
^^ >> SAK***
To enable an option, set it to 5A.
* 5A - unfused F0. C3 - F0: CL2 UID; A5 - F1: CL2 UID with anticollision shortcut; 87 - F2: CL1 Random UID; 69 - F3: CL1 non-UID. Anything else is going to be ignored, and set as 4 bytes.
** Do not change the real ACL! Backdoor commands only acknowledge FF0780. To recover, disable this byte and issue regular write to sector trailer.
*** If perso byte is enabled, this SAK is ignored, and hidden SAK is used instead.
```
* Gen1a mode: Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras.
* Magic wakeup command: Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23.
* Block use of Key B if readable by ACL: Per the MF1ICS50 datasheet, if Key B is readable by the ACL, using it shall give a Cmd Error 04. This option controls whether it happens or not.
* CUID mode: Allow direct write to block 0, instead of giving Cmd Error 04.
* MFC EV1 CL2 Perso config: When configured, the tag behaves like a real Mifare Classic EV1 7B UID tag, and reads UID from backdoor blocks. Otherwise, the tag acts like a 4 byte tag.
* Shadow mode: Writes to memory persisting in tag RAM. As soon as no power is left, the contents are restored to saved data.
* Magic Auth Command: Acknowledge command `8000` after selection, and call for Crypto1 auth with key `000000000000`.
* Static encrypted nonce mode: Use static encrypted nonces for authentication, making key recovery impossible.
* Signature sector: Acknowledge auth commands to sector 17, which is stored in backdoor sector 1.
* SAK: If perso byte is not set, after UID select, send this value.
2. Backdoor blocks
```
Write config:
1. sending custom auth with all zeros key
2. send 0xE100
3. send 16 bytes
Sector 0
88 04 BD E5 D4 04 6A BB 5B 80 0A 08 44 00 00 00 - Block 0: Perso F0, F1 data
^^ ^^ ^^ ^^ - UID0
^^ - BCC0
^^ - SAK0 (0x04 to call for CL2)
^^ ^^ ^^ ^^ - UID1
^^ - BCC1
^^ - SAK1
^^ ^^ ^^ ^^ - Unused
04 BD E5 6A 36 08 00 00 00 00 00 00 00 00 00 00 - Block 1: Perso F3 data
^^ ^^ ^^ ^^ - UID0
^^ - BCC0
^^ - SAK0
^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ - Unused
Block 2: unused
Block 3: ignored (custom keys, acl; broken acl ignored - anticollision will still work)
Sector 1
[Signature sector (#17) - needs config byte 13 (from 0) enabled to allow auth]
Sectors 2-15
[Unused]
```
**Warning**
### Variations
^[Top](#top)
| Factory configuration | Name |
| --- | --- |
| 850000000000000000005A5A00000008 | GDMIC |
| 850000000000005A0000005A5A5A0008 | UCUID |
| 8500000000005A00005A005A005A0008 | "7 byte hard" |
| 7AFF850102015A00005A005A005A0008 | M1-7B |
| 7AFF85000000000000FF000000000008 | FUID |
| 7AFF000000000000BAFA358500000008 | PFUID |
| 7AFF000000000000BAFA000000000008 | UFUID |
Example of configuration to Perma lock tag:
`85000000000000000000000000000008`
*Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s).
*Read and write config commands are flipped
It is unknown what kind of block 0 changes the tag supports
* UID: 4b
* ATQA/SAK: unknown
* BCC: unknown
* ATS: none
### Proxmark3 commands
#### Proxmark3 commands
^[Top](#top)
```
# Write to persistent memory
Using magic auth:
# Write to persistent memory:
hf mf gdmsetblk
# Read configuration (0xE0):
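Review bot: the `**DANGER**` list (`F000`, `F100`, `F600` set main memory and config to 00/FF/55) should say explicitly whether the tag can be recovered afterwards: the perma-lock example further down (`85000000000000000000000000000008`) is exactly a config with every option byte at 00, and the guide says an option is only active when set to 5A, so `F000` looks like it leaves no Gen1a wakeup and no magic auth to get back in; one sentence stating that next to DANGER is worth more than the label. Three smaller points in the same hunk: `You cannot turn a Classic tag into an Ultralight and vice-versa!` sits between the command list and Characteristics with nothing tying it to either and belongs next to "All of the known tags using this, except for Ultralight tags, are listed here."; both `### Proxmark3 commands` and `#### Proxmark3 commands` are present, and only the `###` level matches the sibling headings (Identify, Magic commands, Variations); and the footnote for `PFUID*` is written as a line starting with `*Read and write config commands are flipped`, which markdown will render as an italic run or a list item, so use a different marker or parentheses.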
@ -651,15 +883,14 @@ No implemented commands today
**TODO**
* ZXUID, EUID, ICUID, KUID, HUID, RFUID ?
* Some cards exhibit a specific SAK=28 ??
* ZXUID, EUID, ICUID, KUID?
## MIFARE Classic Super
^[Top](#top)
It behaves like regular Mifare Classic but records reader auth attempts.
#### MIFARE Classic Super Gen1
### MIFARE Classic Super Gen1
^[Top](#top)
Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands.
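Review bot: the TODO line loses `HUID, RFUID` and the observation `Some cards exhibit a specific SAK=28 ??` with no replacement; if those were resolved (identified as one of the new sections, e.g. a USCUID variation) say where, otherwise they are still open items and should stay in the list.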
@ -684,19 +915,19 @@ Backdoor commands provided over APDU. Format:
👉 You can't change UID with backdoor command if incorrect data is written to the 0 sector trailer!
#### MIFARE Classic Super Gen1B
### MIFARE Classic Super Gen1B
DirectWrite card, ATS unknown. Probably same as Gen1, except backdoor commands.
Implementation: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c
#### MIFARE Classic Super Gen2
### MIFARE Classic Super Gen2
^[Top](#top)
New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces.
Card always answer `ff ff ff ff` to auth, so writing/reading it via Mifare protocol is impossible.
Card always answers `ff ff ff ff` as `at`, so reading/writing it via Mifare protocol is impossible.
UID is changeable via Gen4 backdoor write to 0 block.
UID is changeable via UMC backdoor write to 0 block.
* UID: 4b and 7b versions
* ATQA/SAK: fixed
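Review bot: `Card always answers ff ff ff ff as at` changes the meaning of the old line ("to auth"): in the Crypto1 exchange the tag's first reply to the auth command is the nonce `nt`, and `at` is its final answer after the reader's `nr`/`ar`. If the card returns `ff ff ff ff` in place of the nonce (which is what "to auth" implied and what a logging card would do), the field should be `nt`; please confirm which step is meant.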
@ -707,12 +938,53 @@ Gen4 commands available:
```
CF <passwd> 34 <1b length><0-16b ATS> // Configure ATS
CF <passwd> CC // Factory test, returns 00 00 00 02 AA
CF <passwd> CC // Version information, returns 00 00 00 02 AA
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number> // Backdoor read 16b block
CF <passwd> FE <4b new_password> // Change password
```
### MIFARE Classic Super Furui
^[Top](#top)
#### Characteristics
^[Top](#top)
* SAK/ATQA: play blindly the block0 bytes, beware!
* BCC: play blindly the block0 BCC bytes, beware!
* PRNG: hard
**!!!WARNING!!!** This tag can die for no reason (no reply to WUPA/REQA). We don't know why this happens.
#### Identify
^[Top](#top)
```
[usb] pm3 --> hf 14a raw -sct 250 AAA500000000000000000000000000000000
[+] 90 00
```
#### Magic commands
^[Top](#top)
* Configure: `AAA5[16 byte config]`+crc
* Write block 0: `AAA4[4b UID][1b BCC][1b SAK][2b ATQA reversed]0000000000000000`+crc
* Recover trace: `AAA8[00/01][00-08]`+crc
Caution: tag does not append CRC to magic responses!
Please use config as 00 bytes.
Parsing traces:
```
44 33 22 11 03 61 08 68 7A C7 4B 62 43 A6 11 6F 64 F3
^^ ^^ ^^ ^^ -- UID
^^ ^^ -- auth command, reversed
^^ ^^ ^^ ^^ -- Auth (nt)
^^ ^^ ^^ ^^ -- Auth (nr)
^^ ^^ ^^ ^^ -- Auth (ar)
```
### Identify
^[Top](#top)
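Review bot: the Identify command for Furui, `hf 14a raw -sct 250 AAA500000000000000000000000000000000`, is the Configure command (`AAA5[16 byte config]`) with an all-zero payload, so identifying the tag also writes its config; the text should say so, even if "Please use config as 00 bytes" means that is the desired state. Also the CC line is changed from "Factory test" to "Version information" here but the UMC table later in this diff keeps the reply values without saying which meaning applies; the two should agree.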
@ -724,6 +996,15 @@ hf 14a info
[+] Magic capabilities : Super card (Gen ?)
```
### Proxmark3 commands
```
[usb] pm3 --> hf mf supercard
...
[usb] pm3 --> hf mf supercard --furui
...
```
# MIFARE Ultralight
^[Top](#top)
@ -746,6 +1027,7 @@ Int is internal, typically 0x48
Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C
Some cards have a password: `B6AA558D`. Usually "copykey" chips.
## MIFARE Ultralight Gen1A
^[Top](#top)
@ -874,8 +1156,6 @@ See `--uid` and `--full`
## MIFARE Ultralight EV1 DirectWrite
^[Top](#top)
aka UL2
Similar to MFUL DirectWrite
### Identify
@ -957,11 +1237,6 @@ hf 14a info
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails
**TODO**
* UL-X, UL-Y, UL-Z, ULtra, UL-5 ?
# NTAG
^[Top](#top)
@ -1027,6 +1302,78 @@ Anticol shortcut (CL1/3000): fails
script run hf_mfu_magicwrite -h
```
## UL series (RU)
^[Top](#top)
Custom chips, manufactured by iKey LLC for cloning Ultralight tags.
### UL-Y
^[Top](#top)
Ultralight magic, 16 pages. Recommended for Vizit RF3.1 with markings "3.1" or "4.1".
Behavior: allows writes to page 0-2.
#### Identify
^[Top](#top)
```
hf mfu rdbl --force -b 16
hf 14a raw -sct 250 60
```
If tag replies with
`Cmd Error: 00`
`00 00 00 00 00 00 00 00`
then it is UL-Y.
### ULtra
^[Top](#top)
Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page.
Behavior: allows writes to page 0-2.
#### Identify
^[Top](#top)
```
hf mfu info
...
[=] TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
[=] --- Tag Version
[=] Raw bytes: 00 34 21 01 01 00 0E 03
```
Remember that this is not a reliable method of identification, as it interferes with locked [UL-5](#mifare-ul-5).
### UL-5
^[Top](#top)
Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page and if [ULtra](#mifare-ultra) has failed.
Behavior: similar to Ultra, but after editing page 0, tag becomes original Mifare Ultralight EV1.
**WARNING!** When using UL-5 to clone, write UID pages in inverse (from 2 to 0) and do NOT make mistakes! This tag does not allow reversing one-way actions (OTP page, lock bits).
#### Identify
^[Top](#top)
```
hf mfu info
[=] UID: AA 55 C3 A1 30 61 80
TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
[=] --- Tag Version
[=] Raw bytes: 00 34 21 01 01 00 0E 03
```
After personalization it is not possible to identify UL-5.
Some chips have UID of `AA 55 C3 A4 30 61 80`.
### UL, other chips
**TODO**
UL-X, UL-Z - ?
# DESFire
^[Top](#top)
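Review bot: the UL-Y Identify step lists two commands (`hf mfu rdbl --force -b 16` and `hf 14a raw -sct 250 60`) and two replies (`Cmd Error: 00` and `00 00 00 00 00 00 00 00`) without saying which reply belongs to which command; pair them explicitly. Also the in-text links `(#mifare-ul-5)` and `(#mifare-ultra)` do not match the headings `### UL-5` / `### ULtra` (the TOC in this same diff uses `#ul-5` and `#ultra`), and "41 page" should read "41 pages".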
@ -1084,7 +1431,8 @@ Android compatible
### Characteristics
^[Top](#top)
* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
* ATQA: 0008
* This is FM1208-9, NOT DESFire!
* SAK: 20
* ATS: 0675338102005110 or 06757781028002F0
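Review bot: `This is FM1208-9, NOT DESFire!` leaves a card identified as FM1208-9 (ATQA `0008`, SAK `20`) filed under the DESFire section, while this PR adds a separate `## SID` section for "Magic tag for Fudan FM1208-9 chips" with the same ATQA/SAK; either move this entry there or cross-reference the two so readers do not treat them as different cards.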
@ -1129,12 +1477,37 @@ hf 14a info
# ISO14443B
^[Top](#top)
## ISO14443B magic
## Tiananxin TCOS CPU card
^[Top](#top)
No such card is available.
This is a card sold on Taobao for testing readers.
ISO14443-4 compliant.
Some vendor allow to specify an ID (PUPI) when ordering a card.
### Identify
```
hf 14a apdu -s 90B2900000 // Get Card OS version
>>> 90 B2 90 00 00
<<< 54 43 4F 53 20 56 31 2E 34 2E 30 90 00 | TCOS V1.4.0..
```
### Magic commands
All commands in APDU.
```
CL IN P1 P2 Lc Data
90 F4 CC CC 01 [..1 ] // Change protocol used (1: ISO14443 [AA - type A, BB - type B])
90 F6 CC CC 01 [TA1 ] // Change TA1 value (transfer speed)
90 F8 CC CC 01 [..1 ] // Use random UID/PUPI value (1: FF: static, AB: random)
90 F8 DD DD 01 [..1 ] // Set UID length (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly))
90 F8 EE EE 0B [... ] // Set UID/PUPI value (FF+enter UID value here). To clear, use Lc=01; data=00.
90 FA CC CC 01 [FSCI] // Set FSCI (1: value 0-8)
90 FC CC CC 01 [SFGI] // Set SFGI (DO NOT SET TOO HIGH!) (1: value 0-E)
90 FE CC CC 01 [FWI ] // Set FWI (DO NOT SET BELOW 4!!!) (value 0-E)
```
More commands to follow. Be careful with some.
# ISO15693
^[Top](#top)
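Review bot: the Tiananxin TCOS section sits under `# ISO14443B` but its Identify step uses `hf 14a apdu -s 90B2900000`; say which protocol the card ships in and that `90 F4 CC CC 01 BB` (per the command table) is what switches it to type B, otherwise readers will try `hf 14b` first and get nothing. Also `Some vendor allow to specify an ID (PUPI)` should read "Some vendors allow specifying an ID (PUPI)", and if `No such card is available.` is not the line being removed it contradicts the sentence right after it.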
@ -1164,7 +1537,7 @@ script run hf_15_magic -u E004013344556677
# Multi
^[Top](#top)
## Gen 4 GTU
## UMC
^[Top](#top)
A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands.
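Review bot: the heading is renamed to `## UMC` but the line under it still reads "A.k.a ultimate magic card, most promenent feature..."; "promenent" is a typo for "prominent", and since the old name "Gen 4 GTU" is still what `hf 14a info` prints later in this diff (`Magic capabilities : Gen 4 GTU`), the intro line should mention both names so the client output can be matched to the section.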
@ -1197,6 +1570,8 @@ Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data
👉 **TODO** If the password is not default, Tag doesn't get identified correctly by latest Proxmark3 client (it might get mislabeled as MFC Gen2/CUID, Gen3/APDU or NTAG21x Modifiable, depending on configured UID/ATQA/SAK/ATS)
👉 **TODO** Using C6 command can change config due to a bug in some cards. CC should be used instead.
```
hf 14a info
[+] Magic capabilities : Gen 4 GTU
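Review bot: `Using C6 command can change config due to a bug in some cards. CC should be used instead.` does not hold up against the command table in this diff, where `C6` is "Dump configuration" and `CC` is "Version info": CC does not return the configuration, so it is not a substitute for reading it. State what a reader should use to read the config on affected cards, or that it cannot be read safely on them, and which cards (old `03 A0` vs new `06 A0`) are affected.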
@ -1289,7 +1664,7 @@ CF <passwd> 69 <00-01> // (De)Activate Ultralight mode
CF <passwd> 6A <00-03> // Select Ultralight mode
CF <passwd> 6B <1b> // Set Ultralight and M1 maximum read/write sectors
CF <passwd> C6 // Dump configuration
CF <passwd> CC // Factory test, returns 6666 for generic card, 02AA for limited functionality card and 06A0 for broken functionality card
CF <passwd> CC // Version info, returns `00 00 00 [03 A0 (old) / 06 A0 (new) ]`
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number> // Backdoor read 16b block
CF <passwd> CF <1b param> // (De)Activate direct write to block 0
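Review bot: the rewritten CC line, `returns 00 00 00 [03 A0 (old) / 06 A0 (new) ]`, drops two values the old line documented (`6666` generic, `02AA` limited functionality); `02AA` is still given for Super Gen2 elsewhere in this diff ("limited Gen4", `returns 00 00 00 02 AA`), so it should stay here too, and "old"/"new" should say what behaves differently (the `32` param `01` restore mode and password change, both flagged for `06A0` later in this diff).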
@ -1304,10 +1679,10 @@ Default `<passwd>`: `00000000`
* UID: 4b, 7b and 10b versions
* ATQA/SAK: changeable
* BCC: auto
* BCC: computed
* ATS: changeable, can be disabled
* Card Type: changeable
* Shadow mode: GTU
* Card Type: changeable
* Shadow mode: GTU
* Backdoor password mode
### Proxmark3 commands
@ -1446,9 +1821,9 @@ Ultralight mode, 10b UID
### Set 14443B UID and ATQB
^[Top](#top) ^^[Gen4](#g4top)
UID and ATQB are configured according to block0 with a (14a) backdoor write.
UID size is always 4 bytes.
* UID and ATQB are configured according to block0 with a (14a) backdoor write.
* UID size is always 4 bytes.
* 14B will show up only on new cards.
Example:
```
@ -1557,6 +1932,7 @@ hf 14a raw -s -c -t 1000 CF<passwd>32<1b param>
* `<param>`
* `00`: pre-write, shadow data can be written
* `01`: restore mode
- WARNING: new UMC (06a0) cards return garbage data when using 01, please use 04!
* `02`: disabled
* `03`: disabled, high speed R/W mode for Ultralight?
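Review bot: the added warning `please use 04!` points at a `<param>` value that is not in the list (`00`..`03` are the documented values); add a `04` bullet saying what mode it selects on new (`06a0`) cards, otherwise the reader has to guess whether it is restore mode under another number or something else.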
@ -1612,7 +1988,9 @@ hf 14a raw -s -c -t 1000 CF00000000CF01
### Change backdoor password
^[Top](#top) ^^[Gen4](#g4top)
All backdoor operations are protected by a password. If password is forgotten, the card can't be recovered. Default password is `00000000`.
All backdoor operations are protected by a password. If password is forgotten, it can't be recovered. Default password is `00000000`.
WARNING: new UMC (06A0) returns 6300 when issuing password change command. Please write the password using F0 and entering the full configuration, but with the new password.
Change password:
```
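Review bot: `If password is forgotten, it can't be recovered` makes "it" ambiguous (the password or the card); the old wording said the card can't be recovered, which is the stronger and more useful statement, so keep "the card" as the subject. The new F0 workaround line should also name the F0 command as "write full configuration" (or whatever the table calls it) since this hunk is the first place it is mentioned.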
@ -1758,3 +2136,72 @@ hf mfu wrbl -b 250 -d 00040402 --force
hf mfu wrbl -b 251 -d 01001303 --force
hf mfu info
```
# Other
^[Top](#top)
These are chips to clone other ICs. Usually the originals are only sold in China.
## SID
^[Top](#top)
- Magic tag for Fudan FM1208-9 chips
### Characteristics
^[Top](#top)
- ISO14443-A tag
- ATQA-SAK: `0008`-`20`
- ATS: `10 78 80 A0 02 00 9D 46 16 40 00 A3 [UID]`
- Compared to real FM1208 chip:
- CLA byte is ignored
- Command parsing is irregular (some replies are wrong)
### Magic commands
^[Top](#top)
**WARNING!!!** Risk of bricking tag - cause is unknown
- Below you can find a list of all INS bytes not present on real FM1208 chip, and what their output is when executed (P1, P2, Lc = 00)
- Results may vary between chips:
```
INS | RES
0A | 44454641554C540000002018112840000000000000000000000000000000000000000000000000000000400000000000
3B | 00000000001C0EF90000000000000000000000000000000000000000000000002000000000C09040009002840000000000000000000000000000000000006C0FC08700EB1A9F1BA01801010019000000000000000000000000000090000000000000094B066600000000007D000000000000000000000000000000003B000000107880A002009D46164000A3CA81E15000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3C* | 0000
3D | 6700
7D | Tag does not reply (if 0<Lc<=15, RES=6700)
CD | 6A82
D5 | 9000
DD | 6700
DE | 6700
DF | 9000
EE | 6700
F0 | 6A82
FB | 6A82
* - DO NOT EXECUTE THIS INSTRUCTION!!! After 2nd execution tag will brick (No reply to REQA/WUPA). Very likely you need to add extra data which we do not know
```
## NSCK-II
^[Top](#top)
- Magic tag for "NSC/BS-CPU"
### Characteristics
^[Top](#top)
- Programming is done via ISO14443-A (but not sure how to modulate). Original tag is working somewhere hidden from proxmark.
- ATQA-SAK: `0044`-`20`
- ATS: `05 72 F7 60 02`
- Communications encrypted(?)
- When writing with copykey, after RATS, this communication takes place (NSC ID programmed: `5800000000`, tag UID: `1D94CE25840000`):
```
>>> 54 03 8A BC DF C1 [CRC]
<<< A2 [CRC]
>>> 54 04 57 AA 84 DD [CRC]
<<< A2 [CRC]
```
### Magic commands
^[Top](#top)
- Write NSC UID: `54 [part 1b] [data 4b enc] [CRC]`
- Tag replies: `A2 [CRC]`
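Review bot: the `3C*` brick warning for SID is a footnote inside the code fence at the bottom of the INS table, where it is easy to miss; move it to prose above the table, next to the existing "Risk of bricking tag" warning, and keep the table to INS/RES pairs. For NSCK-II, `Programming is done via ISO14443-A (but not sure how to modulate). Original tag is working somewhere hidden from proxmark.` is too vague for a reference entry: state what was actually observed (whether the tag answers REQA/WUPA, and whether the ATQA/ATS listed came from the magic tag or the original). The captured exchange shows only parts `03` and `04` of `54 [part 1b] [data 4b enc]`; say whether parts `00`..`02` exist and how the 4-byte payloads relate to the 5-byte NSC ID `5800000000`, since the encryption is marked with a "(?)" two lines above.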