RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-20 15:26:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:RfidResearchGroup/proxmark3

Browse source
This commit is contained in:
iceman1001 2024-05-14 10:03:58 +02:00
parent dd94207ee8 6e938fa0c5
commit 72a11cfd89
1 changed files with 183 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

195
doc/magic_cards_notes.md
View file

@ -51,6 +51,7 @@ Useful docs:
* [ULtra](#ultra)
* [UL-5](#ul-5)
* [UL, other chips](#ul-other-chips)
* [MIFARE Ultralight USCUID-UL](#mifare-ultralight-uscuid-ul)
* [NTAG](#ntag)
* [NTAG213 DirectWrite](#ntag213-directwrite)
* [NTAG21x](#ntag21x)
@ -823,7 +824,7 @@ hf 14a raw -s -c 90FD111100
^[Top](#top)
TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85.
All of the known tags using this, except for Ultralight tags, are listed here.
All of the known tags are using this, except for Ultralight tags, are listed here.
You cannot turn a Classic tag into an Ultralight and vice-versa!
@ -1142,8 +1143,6 @@ All commands are available before sealing. After the sealing acts as a Mifare Cl
* Magic wakeup: `40(7)`, `43`
* Backdoor read main block: `30xx+crc`
* Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc`
* Read hidden block: `38xx+crc`
* Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
* Read configuration: `E000+crc`
* Write configuration: `E100+crc`
* Example of the sealing, performed by Chinese copiers in raw commands:
@ -1607,7 +1606,7 @@ hf 14a info
[+] Magic capabilities : Gen 2 / CUID
```
It seems so far that all MFUL DW have an ATS.
It seems so far that all MFUL DW have an ATS response in factory configuration.
### Magic commands
@ -1638,14 +1637,6 @@ Issue three regular MFU write commands in a row to write first three blocks.
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails
#### MIFARE Ultralight DirectWrite flavour 2
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AB00000000000000000184D
* Anticol shortcut (CL1/3000): succeeds
### Proxmark3 commands
^[Top](#top)
@ -1977,6 +1968,186 @@ The manufacturer confirmed unpersonalized tags could be identified by first 3 by
UL-X, UL-Z - ?
## MIFARE Ultralight USCUID-UL
^[Top](#top)
TLDR: These magic cards, like the MFC USCUIDs have a 16 byte long configuration page, comprised of 4 blocks of 4 bytes each. This usually starts with 0x85. All of the known tags use the same format config page.
The cards will respond to a RATS with the config page in the factory configuration.
As with the MFC USCUIDs, one cannot turn a Classic tag into an Ultralight and vice-versa!
### Characteristics
^[Top](#top)
* UID: 7 bytes
* ATQA: always read from hidden block `F6`
* SAK: always read from hidden block `F6`
* BCC: read from blocks 0-1 per Ultralight specification
* ATS: These respond to an ATS request with the config page in factory mode.
### Identify
^[Top](#top)
In factory config state:
```
hf 14a info
...
[=] -------------------------- ATS --------------------------
[!] ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
[+] ATS: 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]
```
If config has been modified to not display config block as ATS response:
```
hf 14a raw -akb 7 40; hf 14a raw -k 43
OR (depending on the magic wakeup method set)
hf 14a raw -akb 7 20; hf 14a raw -k 23
THEN
hf 14a raw -c e100
[+] 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]
```
Possible tag wakeup mechanisms are:
* Gen1 Magic Wakeup
* Alt Magic Wakeup
### Magic commands
^[Top](#top)
* Magic wakeup (A: 00): `40(7)`, `43`
* Magic wakeup (B: 85): `20(7)`, `23`
* Backdoor read main and hidden block: `30xx+crc`
* Backdoor write main and hidden block: `A2xx[4 bytes data]+crc`
* Read configuration: `E050+crc`
* Write configuration: `E2[offset*4, 1b][data, 4b]+crc`
* **DANGER**
* Set memory and config to 00 `F000+crc`
* Set memory and config to FF `F100+crc`
* Set memory and config to 55 (no 0A response) `F600+crc`
### USCUID-UL configuration guide
^[Top](#top)
1. Configuration
```
0 1 2 3
850000A0 00000AC3 00040301 01000B03
^^ >> ??? Mystery ???
^^^^ >> Gen1a mode (works with bitflip)
^^ >> Magic wakeup command (00 for 40-43; 85 for 20-23)
^^ >> Config available using regular mode (ON: A0)
^^ >> Do not reply to 1B, making auth impossible
^^ >> Do not enforce OTP properties (ON: A0)
^^ >> Maximum memory configuration*
^^^^^^^^ ^^^^^^^^ >> Version info
* This isn't a customizable value - it's a preset. So far:
C3 = UL11
3C = UL21
00 = UL-C
A5 = NTAG 213
5A = NTAG 215
AA = NTAG 216
55 = Unknown IC w/ 238 pgs.
```
* Gen1a mode: Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras.
* Magic wakeup command: Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23.
* Config available using regular mode: If this option is turned on via A0, the tag will reply to RATS with the config block and the config block can be modified without doing a magic wakeup.
To write config:
You must send config info in E2 packets of 4 bytes each (format: `E2[offset*4, 1b][data, 4b]`), eg for a UL-11 tag:
```
hf 14a raw -sck E200850000A0; hf 14a raw -ck E20100000AC3; hf 14a raw -ck E20200040301; hf 14a raw -c E20301000B03
```
2. Hidden blocks
```
F0: 00000000
^^^^^^^^ >> Unknown, usually always 00
F1: 00000000
^^^^^^^^ >> Unknown, usually always 00
F2: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F3: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F4: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F5: 00000000
^^^^^^^^ >> Unknown, usually always 00
F6: 44000400
^^^^ >> ATQA in byte reverse order. 4400 = ATQA of 0044
^^ >> Unknown, usually always set to 04. Changing this value also has something to do with the SAK value in the next byte
^^ >> SAK, if previous byte set to 04
F7: 88AF0000
^^ >> First byte of UID BCC calculation, for Ultralight family is always 88 per the datasheet
^^ >> Unknown, usually always AF.
^^^^ >> Unknown, usually always 00
F8 - FF: xxxxxxxx >> signature
```
To read / write hidden blocks:
A config block beginning with `7AFF` must be set to enable a `40:43` / `20:23` magic wakeup. From limited testing, the `20:23` magic wakeup is not guaranteed to work, however the `40:43` wakeup works 100% of the time.
You must send config info in A2 packets of 4 bytes each (format: `A2[offset*4, 1b][data, 4b]`), eg for a UL-11 tag:
```
hf 14a raw -akb 7 40; hf 14a raw -k 43; hf 14a raw -ck A2F2000000BD; hf 14a raw -ck A2F3000000BD; hf 14a raw -ck A2F4000000BD; hf 14a raw -ck A2F644000400; hf 14a raw -c A2F888AF0000
```
### Proxmark3 commands
^[Top](#top)
No implemented commands at time of writing
### libnfc commands
^[Top](#top)
No implemented commands at time of writing
### Variations
^[Top](#top)
| Factory configuration | Name |
| --- | --- |
| 850000A0 00000AC3 00040301 01000B03 | UL-11 |
| 850000A0 00000A3C 00040301 01000E03 | UL-21 |
| 850000A0 0A000A00 00000000 00000000 | UL-C |
| 850085A0 00000AA5 00040402 01000F03 | NTAG213 |
| 850000A0 00000A5A 00040402 01001103 | NTAG215 |
| 850000A0 00000AAA 00040402 01001303 | NTAG216 |
# DESFire
^[Top](#top)