mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2024-09-21 07:46:12 +08:00
updated section about GDM styled tags
This commit is contained in:
iceman1001
parent
42593e586b
commit
761ea6e81a
|
|
@ -68,6 +68,7 @@ To restore anticollision config of the Proxmark3:
|
||||||
```
|
```
|
||||||
hf 14a config --std
|
hf 14a config --std
|
||||||
```
|
```
|
||||||
|
|
||||||
# MIFARE Classic
|
# MIFARE Classic
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
|
|
@ -89,7 +90,7 @@ UID 4b: (actually NUID as there are no more "unique" IDs on 4b)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
Computing BCC on UID 11223344: `hf analyse lcr -d 11223344` = `44`
|
Computing BCC on UID 11223344: `analyse lcr -d 11223344` = `44`
|
||||||
|
|
||||||
UID 7b:
|
UID 7b:
|
||||||
|
|
||||||
|
|
@ -262,6 +263,8 @@ hf 14a info
|
||||||
* Read: `40(7)`, `30xx`
|
* Read: `40(7)`, `30xx`
|
||||||
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
|
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## MIFARE Classic DirectWrite aka Gen2 aka CUID
|
## MIFARE Classic DirectWrite aka Gen2 aka CUID
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
|
|
@ -396,6 +399,7 @@ hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 04112233445566184200626364656667 # for 4k
|
||||||
hf 14a config --std
|
hf 14a config --std
|
||||||
hf 14a reader
|
hf 14a reader
|
||||||
```
|
```
|
||||||
|
|
||||||
## MIFARE Classic DirectWrite, FUID version aka 1-write
|
## MIFARE Classic DirectWrite, FUID version aka 1-write
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
|
|
@ -436,14 +440,6 @@ hf 14a raw -k -c e100
|
||||||
hf 14a raw -c 85000000000000000000000000000008
|
hf 14a raw -c 85000000000000000000000000000008
|
||||||
```
|
```
|
||||||
|
|
||||||
## MIFARE Classic, other versions
|
|
||||||
^[Top](#top)
|
|
||||||
|
|
||||||
**TODO**
|
|
||||||
|
|
||||||
* ZXUID, EUID, ICUID ?
|
|
||||||
* Some cards exhibit a specific SAK=28 ??
|
|
||||||
|
|
||||||
## MIFARE Classic Gen3 aka APDU
|
## MIFARE Classic Gen3 aka APDU
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
|
|
@ -517,6 +513,71 @@ hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000
|
||||||
hf 14a raw -s -c 90FD111100
|
hf 14a raw -s -c 90FD111100
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MIFARE Classic Gen4 aka GDM
|
||||||
|
^[Top](#top)
|
||||||
|
Tag has shadow mode enabled from start.
|
||||||
|
Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds
|
||||||
|
off rfid field.
|
||||||
|
Tag also seems to support Gen2 style, direct write, to block 0 to the normal MFC memory.
|
||||||
|
|
||||||
|
The persistent memory is also writable. For that tag uses its own backdoor commands.
|
||||||
|
for example to write, you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000.
|
||||||
|
Then send the data to be written.
|
||||||
|
|
||||||
|
** OBS **
|
||||||
|
When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag.
|
||||||
|
|
||||||
|
|
||||||
|
### Identify
|
||||||
|
^[Top](#top)
|
||||||
|
|
||||||
|
```
|
||||||
|
hf 14a info
|
||||||
|
...
|
||||||
|
[+] Magic capabilities : Gen 4 GDM
|
||||||
|
```
|
||||||
|
### Magic commands
|
||||||
|
^[Top](#top)
|
||||||
|
|
||||||
|
* Auth: `80xx`+crc
|
||||||
|
* Write: `A8xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
|
||||||
|
* Read : `E000`+crc (unidentified)
|
||||||
|
|
||||||
|
### Characteristics
|
||||||
|
^[Top](#top)
|
||||||
|
Have no access to card, no knowledge in ATQA/SAK/BCC quirks or if there is a wipe, softbrick recover
|
||||||
|
* Its magic part seem to be three identified custom command.
|
||||||
|
* Auth command 0x80, with the key 0x0000000000, Write 0xA8 allows writing to persistent memory, Read 0xE0 which seems to return a configuration. This is unknown today what these bytes are.
|
||||||
|
|
||||||
|
It is also unknown what kind of block 0 changes the tag supports today
|
||||||
|
* UID: 4b
|
||||||
|
* ATQA/SAK: unknown
|
||||||
|
* BCC: unknown
|
||||||
|
* ATS: none
|
||||||
|
|
||||||
|
### Proxmark3 commands
|
||||||
|
^[Top](#top)
|
||||||
|
```
|
||||||
|
# Write to persistent memory
|
||||||
|
hf mf gdmsetblk
|
||||||
|
|
||||||
|
# Read 0xE0 configuration:
|
||||||
|
hf mf gdmgetblk
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### libnfc commands
|
||||||
|
^[Top](#top)
|
||||||
|
No implemented commands today
|
||||||
|
|
||||||
|
## MIFARE Classic, other versions
|
||||||
|
^[Top](#top)
|
||||||
|
|
||||||
|
**TODO**
|
||||||
|
|
||||||
|
* ZXUID, EUID, ICUID ?
|
||||||
|
* Some cards exhibit a specific SAK=28 ??
|
||||||
|
|
||||||
## MIFARE Classic Super
|
## MIFARE Classic Super
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
|
|
@ -972,7 +1033,6 @@ script run hf_15_magic -u E004013344556677
|
||||||
|
|
||||||
A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands.
|
A.k.a ultimate magic card, most promenent feature is shadow mode (GTU) and optional password protected backdoor commands.
|
||||||
|
|
||||||
|
|
||||||
Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data
|
Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data
|
||||||
|
|
||||||
- [Identify](#identify)
|
- [Identify](#identify)
|
||||||
|
|
@ -1010,6 +1070,7 @@ The card will be identified only if the password is the default one. One can ide
|
||||||
hf 14a raw -s -c -t 1000 CF00000000C6
|
hf 14a raw -s -c -t 1000 CF00000000C6
|
||||||
```
|
```
|
||||||
If the card is an Ultimate Magic Card, it returns 30 or 32 bytes.
|
If the card is an Ultimate Magic Card, it returns 30 or 32 bytes.
|
||||||
|
|
||||||
### Magic commands
|
### Magic commands
|
||||||
^[Top](#top) ^^[Gen4](#g4top)
|
^[Top](#top) ^^[Gen4](#g4top)
|
||||||
|
|
||||||
|
|
@ -1156,6 +1217,7 @@ OR (Note the script will correct the ATQA correctly)
|
||||||
```
|
```
|
||||||
script run hf_mf_ultimatecard -q 004428
|
script run hf_mf_ultimatecard -q 004428
|
||||||
```
|
```
|
||||||
|
|
||||||
### Change ATS
|
### Change ATS
|
||||||
^[Top](#top) ^^[Gen4](#g4top)
|
^[Top](#top) ^^[Gen4](#g4top)
|
||||||
|
|
||||||
|
|
@ -1193,6 +1255,7 @@ Example: set UID length to 7 bytes, default pwd
|
||||||
```
|
```
|
||||||
hf 14a raw -s -c -t 1000 CF000000006801
|
hf 14a raw -s -c -t 1000 CF000000006801
|
||||||
```
|
```
|
||||||
|
|
||||||
### Set 14443A UID
|
### Set 14443A UID
|
||||||
^[Top](#top) ^^[Gen4](#g4top)
|
^[Top](#top) ^^[Gen4](#g4top)
|
||||||
|
|
||||||
|
|
@ -1306,6 +1369,7 @@ script run hf_mf_ultimatecard -m 02
|
||||||
```
|
```
|
||||||
|
|
||||||
Now the card supports the 3DES UL-C authentication.
|
Now the card supports the 3DES UL-C authentication.
|
||||||
|
|
||||||
### Set Ultralight and M1 maximum read/write sectors
|
### Set Ultralight and M1 maximum read/write sectors
|
||||||
^[Top](#top) ^^[Gen4](#g4top)
|
^[Top](#top) ^^[Gen4](#g4top)
|
||||||
|
|
||||||
|
|
@ -1319,6 +1383,7 @@ Example: set maximum 63 blocks read/write for Mifare Classic 1K
|
||||||
```
|
```
|
||||||
hf 14a raw -s -c -t 1000 CF000000006B3F
|
hf 14a raw -s -c -t 1000 CF000000006B3F
|
||||||
```
|
```
|
||||||
|
|
||||||
### Set shadow mode (GTU)
|
### Set shadow mode (GTU)
|
||||||
^[Top](#top) ^^[Gen4](#g4top)
|
^[Top](#top) ^^[Gen4](#g4top)
|
||||||
|
|
||||||
|
|
@ -1432,6 +1497,7 @@ Default configuration:
|
||||||
^^ cf cmd 68: UID length
|
^^ cf cmd 68: UID length
|
||||||
^^ cf cmd 69: Ultralight protocol
|
^^ cf cmd 69: Ultralight protocol
|
||||||
```
|
```
|
||||||
|
|
||||||
### Fast configuration
|
### Fast configuration
|
||||||
^[Top](#top) ^^[Gen4](#g4top)
|
^[Top](#top) ^^[Gen4](#g4top)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue