RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-11-14 21:58:44 +08:00
Code Issues Projects Releases Packages Wiki Activity

Update magic cards notes

Browse source 
Signed-off-by: Akury83 <87064827+Akury83@users.noreply.github.com>
This commit is contained in:
Akury83 2024-11-12 14:29:29 +11:00 committed by GitHub
parent 96f85d38bc
commit 53e8f56ae2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 16 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
doc/magic_cards_notes.md
View file

@ -1043,7 +1043,7 @@ No implemented commands today
| 7AFF000000000000BAFA000000000008 | UFUID |
| 7AFF0000000000000000000000000008 | ZUID |
*Not all tags are the same!* UFUID, ZUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s).
*Not all tags are the same!* UFUID, ZUID and PFUID* are not full implementations of USCUID - they only acknowledge the first 8 (except wakeup command) and last config byte(s).
*Read and write config commands are flipped
@ -1053,9 +1053,9 @@ Well-known variations are described below.
^[Top](#top)
Known as "write only once", which is only partially true.
Known as "write only once", which is only partially true. Please note that some newer FUIDs have had ton configration blocks locked down and are truly a write-once tag.
Allows direct write to block 0 only when UID is default `AA55C396`. But always could be rewritten multiple times with backdoors commands.
Allows direct write to block 0 only when UID is default `AA55C396`. If your tag responds to a gen4 magic wakeup, the UID could always be rewritten multiple times with backdoors commands.
Backdoor commands are available even after the personalization and makes that tag detectable.
@ -1074,6 +1074,8 @@ That's a key difference from [OTP](#mifare-classic-direct-write-otp)/[OTP 2.0](#
^[Top](#top)
Unlocked tag type:
```
hf mf info
...
@ -1082,6 +1084,15 @@ hf mf info
```
or locked down tag type:
```
hf mf info
...
[+] Magic capabilities... Write Once / FUID
```
### Parsed configuration
^[Top](#top)
@ -1103,6 +1114,7 @@ hf mf info
[+] 00 .. Unknown
[+] 08 SAK
```
**Note: this is only possile on the FUID style that has not been locked down.
### Commands
@ -1115,7 +1127,7 @@ hf mf info
* Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
* Read configuration: `E000+crc`
* Write configuration: `E100+crc`
* Example of changing block 0 after the personalization:
* Example of changing block 0 after the personalization (only possible on tags that have not been locked down):
```
[usb] pm3 --> hf 14a raw -k -a -b 7 20