From 945b9196fe122f8deb51ca32a38502a74e87a251 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen <phil@teuwen.org>
Date: Thu, 10 Sep 2020 00:14:08 +0200
Subject: [PATCH] magic_cards_notes

---
 doc/magic_cards_notes.md | 448 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 448 insertions(+)
 create mode 100644 doc/magic_cards_notes.md

diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md
new file mode 100644
index 000000000..7d515598e
--- /dev/null
+++ b/doc/magic_cards_notes.md
@@ -0,0 +1,448 @@
+This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372
+
+- [MIFARE Classic](#mifare-classic)
+  * [MIFARE Classic block0](#mifare-classic-block0)
+  * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
+  * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
+  * [MIFARE Classic Gen2 aka CUID](#mifare-classic-gen2-aka-cuid)
+  * [MIFARE Classic Gen2, FUID version](#mifare-classic-gen2--fuid-version)
+  * [MIFARE Classic Gen2, UFUID version](#mifare-classic-gen2--ufuid-version)
+  * [MIFARE Classic, other versions](#mifare-classic--other-versions)
+  * [MIFARE Classic Gen3](#mifare-classic-gen3)
+  * [MIFARE Classic Super](#mifare-classic-super)
+- [MIFARE Ultralight](#mifare-ultralight)
+  * [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02)
+  * [MIFARE Ultralight Gen1A](#mifare-ultralight-gen1a)
+  * [MIFARE Ultralight Gen2](#mifare-ultralight-gen2)
+  * [MIFARE Ultralight EV1 Gen2](#mifare-ultralight-ev1-gen2)
+  * [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a)
+  * [MIFARE Ultralight C Gen2](#mifare-ultralight-c-gen2)
+- [NTAG](#ntag)
+  * [NTAG213 Gen2](#ntag213-gen2)
+  * [NTAG21x](#ntag21x)
+- [DESFire](#desfire)
+  * [DESFire "Gen3", 7b UID](#desfire--gen3---7b-uid)
+  * [DESFire "Gen3", 4b UID](#desfire--gen3---4b-uid)
+- [ISO14443B](#iso14443b)
+  * [ISO14443B magic](#iso14443b-magic)
+- [ISO15693](#iso15693)
+  * [ISO15693 magic](#iso15693-magic)
+
+
+# MIFARE Classic
+
+Referred as M1, S50 (1k), S70 (4k)
+
+## MIFARE Classic block0
+
+UID 4b:
+
+```
+11223344440804006263646566676869
+^^^^^^^^                         UID
+        ^^                       BCC
+          ^^                     SAK(*)
+            ^^^^                 ATQA
+                ^^^^^^^^^^^^^^^^ Manufacturer data
+(*) some cards have on purpose a different SAK in their anticollision and in block0
+```
+
+ 
+Computing BCC on UID 11223344: `hf analyse lcr 11223344` = `44`
+
+UID 7b:
+
+**todo**
+
+## MIFARE Classic Gen1A aka UID
+
+### Magic commands
+
+raw commands 40/41/43
+
+**TODO** details, differences in global wipe command?
+
+### Characteristics
+
+* UID: Only 4b versions
+* ATQA:
+  * all(?) cards play blindly the block0 ATQA bytes
+* SAK:
+  * some cards play blindly the block0 SAK byte
+  * some cards use a fix "08" in anticollision, no matter the block0
+* BCC:
+* ATS:
+
+### Proxmark3 commands
+
+```
+hf mf csetuid
+hf mf cwipe
+hf mf csetblk
+hf mf cgetblk
+hf mf cgetsc
+hf mf cload 
+hf mf csave
+hf mf cview
+```
+
+When "soft-bricked" (by writing invalid data in block0), these ones may help:
+
+```
+hf 14a config h
+script run remagic
+```
+
+## MIFARE Classic Gen1B
+
+Similar to Gen1A, but supports only commands 40/43
+
+## MIFARE Classic Gen2 aka CUID
+
+### Magic commands
+
+Android compatible
+
+* issue regular write to block0
+
+### Characteristics
+
+* UID: 4b and 7b versions
+* ATQA:
+* SAK:
+* BCC:
+* ATS:
+
+**todo**
+
+* some card will die if invalid block0! (or can be recovered with anticol...? "hf 14a config a 1 b 1 ..." then "hf mf wrbl 0 ...")
+* some card have always correct anticol no matter block0, e.g. ATS=0948009102DABC1910F005
+
+### Proxmark3 commands
+
+```
+hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869
+```
+
+When "soft-bricked" (by writing invalid data in block0), these ones may help:
+
+```
+hf 14a config h
+```
+
+e.g. for 4b UID:
+
+```
+hf 14a config a 1 b 2 2 2 3 2 r 2
+hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869
+hf 14a config a 0 b 0 2 0 3 0 r 0
+```
+## MIFARE Classic Gen2, FUID version
+
+Same as MIFARE Classic Gen2, but block0 can be written only once.
+
+Initial UID is AA55C396
+
+## MIFARE Classic Gen2, UFUID version
+
+Same as MIFARE Classic Gen2, but block0 can be locked with special command.
+
+### Proxmark3 commands
+
+To lock definitively block0:
+```
+hf 14a raw -a -p -b 7 40
+hf 14a raw    -p      43
+hf 14a raw    -p -c   e000
+hf 14a raw       -c   85000000000000000000000000000008
+```
+
+## MIFARE Classic, other versions
+
+**todo** ZXUID, EUID, ICUID ?
+
+Some cards exhibit a specific SAK=28 ??
+
+## MIFARE Classic Gen3
+
+### Magic commands
+
+Android compatible
+
+* issue special APDUs
+
+```
+cla  ins p1  p2  len
+ 90  F0  CC  CC  10   - write block 0
+ 90  FB  CC  CC  07   - write uid separated instead of block 0
+ 90  FD  11  11  00   - lock uid permanently
+```
+
+### Characteristics
+
+* UID: 4b and 7b versions
+* ATQA:
+* SAK:
+* BCC:
+* ATS:
+
+### Proxmark3 commands
+
+```
+# change just UID:
+hf mf gen3uid
+# write block0:
+hf mf gen3blk
+# lock block0 forever:
+hf mf gen3freez
+```
+See also
+```
+script run mfc_gen3_writer -h
+```
+
+Equivalent:
+```
+# change just UID:
+hf 14a raw -s -c  -t 2000  90FBCCCC07 11223344556677
+# write block0:
+hf 14a raw -s -c  -t 2000  90F0CCCC10 041219c3219316984200e32000000000
+# lock block0 forever:
+hf 14a raw -s -c 90fd11100
+```
+
+## MIFARE Classic Super
+
+It behaves like Gen2 but records reader auth attempts.
+
+To change UID: same commands as for MFC Gen2
+
+To do reader-only attack: at least two versions exist.
+
+* https://github.com/nfc-tools/nfc-supercard for card with ATS: 0978009102DABC1910F005
+* https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ??
+
+# MIFARE Ultralight
+
+## MIFARE Ultralight blocks 0..2
+
+```
+SN0  SN1  SN2  BCC0
+SN3  SN4  SN5  SN6
+BCC1 Int  LCK0 LCK1
+```
+
+UID is made of SN0..SN6 bytes
+
+Computing BCC0 on UID 04112233445566: `analyse lcr 88041122` = `bf`
+
+Computing BCC1 on UID 04112233445566: `analyse lcr 33445566` = `44`
+
+Int is internal, typically 0x48
+
+## MIFARE Ultralight Gen1A
+
+### Characteristics
+
+#### Magic commands
+
+**todo**
+
+#### UID
+
+Only 7b versions
+
+#### SAK, ATQA, BCC, ATS
+
+**TODO** need more tests
+
+### Proxmark3 commands
+
+```
+script run ul_uid -h
+```
+
+When "soft-bricked" (by writing invalid data in block0), these ones may help:
+
+```
+hf 14a config h
+script run remagic -u
+```
+
+## MIFARE Ultralight Gen2
+
+### Characteristics
+
+#### Magic commands
+
+**todo**
+
+#### UID
+
+Only 7b versions
+
+#### SAK, ATQA, BCC, ATS
+
+Some fix their BCC in anticol, some don't, be careful!
+
+**TODO** need more tests
+
+### Proxmark3 commands
+
+```
+hf mfu setuid
+```
+
+Equivalent: don't use `hf mfu wrbl` as you need to write three blocks in a row, but do, with proper BCCx:
+
+```
+hf 14a raw -s -c -p a2 00 041122bf 
+hf 14a raw    -c -p a2 01 33445566
+hf 14a raw    -c    a2 02 44480000
+```
+
+When "soft-bricked" (by writing invalid data in block0), these ones may help:
+
+```
+hf 14a config h
+```
+
+## MIFARE Ultralight EV1 Gen2
+
+Same commands as for MFUL Gen2
+
+## MIFARE Ultralight C Gen1A
+
+Same commands as for MFUL Gen1A
+
+## MIFARE Ultralight C Gen2
+
+Same commands as for MFUL Gen2
+
+# NTAG
+
+## NTAG213 Gen2
+
+Same commands as for MFUL Gen2
+
+## NTAG21x
+
+### Characteristics
+
+Emulates fully NTAG213, 213F, 215, 216, 216F
+
+Emulates partially  UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS
+
+### Proxmark3 commands
+
+```
+script run mfu_magic -h
+```
+
+# DESFire
+
+## DESFire "Gen3", 7b UID
+
+### Magic commands
+
+Android compatible
+
+* issue special APDUs
+
+### Characteristics
+
+* ATQA: 0344
+* SAK: 20
+* ATS: 0675338102005110 or 06757781028002F0
+
+Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
+
+### Proxmark commands
+
+UID 04112233445566
+```
+hf 14a raw -s -c 0200ab00000704112233445566
+```
+or equivalently
+```
+hf 14a apdu -s 00ab00000704112233445566
+```
+
+### pn53x-tamashell commands
+
+```
+4a0100
+420200ab00000704112233445566
+```
+## DESFire "Gen3", 4b UID
+
+### Magic commands
+
+Android compatible
+
+* issue special APDUs
+
+### Characteristics
+
+* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
+* SAK: 20
+* ATS: 0675338102005110 or 06757781028002F0
+
+Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
+
+### Proxmark commands
+
+UID 04112233445566
+```
+hf 14a raw -s -c 0200ab00000411223344
+```
+or equivalently
+```
+hf 14a apdu -s 00ab00000411223344
+```
+
+It accepts longer UID but that doesn't affect BCC/ATQA/SAK
+
+### pn53x-tamashell commands
+```
+4a0100
+420200ab00000411223344
+```
+
+### Remarks
+
+The same effect (with better ATQA!) can be obtained with a MFC Gen1A that uses SAK defined in block0:
+
+```
+hf mf csetblk 0 1122334444204403A1A2A3A4A5A6A7A8
+hf 14a info
+[+]  UID: 11 22 33 44 
+[+] ATQA: 03 44
+[+]  SAK: 20 [1]
+[+] Possible types:
+[+]    MIFARE DESFire MF3ICD40
+```
+
+# ISO14443B
+
+## ISO14443B magic
+
+No such card is available.
+
+Some vendor allow to specify an ID (PUPI) when ordering a card.
+
+# ISO15693
+
+## ISO15693 magic
+
+### Proxmark3 commands
+
+Always set a UID starting with `E0`.
+
+```
+hf 15 csetuid E011223344556677
+```
+or (ignore errors):
+```
+script run iso15_magic -u E004013344556677  
+```