dash/proxmark3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

doc gen1a

Browse Source
This commit is contained in:
Philippe Teuwen
2020-09-11 01:23:30 +02:00
parent 19a6868daa
commit 3bf3e668a5
1 changed files with 94 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
doc/magic_cards_notes.md
View File

@@ -77,20 +77,65 @@ hf 14a info
### Magic commands ### Magic commands
raw commands 40/41/43 * Wipe: `40(7)`, `41` (use 2000ms timeout)
* Read: `40(7)`, `43`, `30xx`+crc
**TODO** details, differences in global wipe command? * Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
### Characteristics ### Characteristics
* UID: Only 4b versions * UID: Only 4b versions
* ATQA: * ATQA:
* all(?) cards play blindly the block0 ATQA bytes * all cards play blindly the block0 ATQA bytes, beware!
* SAK: * SAK:
* some cards play blindly the block0 SAK byte * some cards play blindly the block0 SAK byte, beware!
* some cards use a fix "08" in anticollision, no matter the block0 * some cards use a fix "08" in anticollision, no matter the block0
* some cards use a fix "08" in anticollision, unless SAK in block0 has most significant bit "80" set, in which case SAK="88"
* BCC: * BCC:
* all cards play blindly the block0 BCC bytes, beware!
* ATS: * ATS:
* no card with ATS
#### MIFARE Classic Gen1A flavour 1
* SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145
* Wipe: filled with 0xFF
#### MIFARE Classic Gen1A flavour 2
* SAK: play blindly the block0 SAK byte, beware!
* PRNG: static 01200145
* Wipe: filled with 0x00
#### MIFARE Classic Gen1A flavour 3
* SAK: 08
* PRNG: static 01200145
* Wipe: filled with 0xFF
#### MIFARE Classic Gen1A flavour 4
* SAK: 08
* PRNG: weak
* Wipe: timeout, no wipe
#### MIFARE Classic Gen1A flavour 5
* SAK: 08
* PRNG: weak
* Wipe: reply ok but no wipe performed
#### MIFARE Classic Gen1A flavour 6
* SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak
* Wipe: timeout, no wipe
#### MIFARE Classic Gen1A flavour 7
* SAK: 08 or 88 if block0_SAK most significant bit is set
* PRNG: weak
* Wipe: filled with 0x00
### Proxmark3 commands ### Proxmark3 commands
@@ -107,11 +152,37 @@ hf mf cview
When "soft-bricked" (by writing invalid data in block0), these ones may help: When "soft-bricked" (by writing invalid data in block0), these ones may help:
```
hf mf csetblk 0 11223344440804006263646566676869
```
``` ```
hf 14a config h hf 14a config h
```
```
script run remagic script run remagic
``` ```
To execute commands manually:
```
hf 14a raw -a -p -b 7 40
hf 14a raw -p 43
hf 14a raw -p -c A000
hf 14a raw -c -t 1000 11223344440804006263646566676869
```
wipe:
```
hf 14a raw -a -p -b 7 40
hf 14a raw -t 1000 41
```
### libnfc commands
```
nfc-mfsetuid
nfc-mfclassic R a u mydump
nfc-mfclassic W a u mydump
```
## MIFARE Classic Gen1B ## MIFARE Classic Gen1B
Similar to Gen1A, but supports only commands 40/43 Similar to Gen1A, but supports only commands 40/43
@@ -124,6 +195,11 @@ hf 14a info
[+] Magic capabilities : Gen 1b [+] Magic capabilities : Gen 1b
``` ```
### Magic commands
* Read: `40(7)`, `30xx`
* Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
## MIFARE Classic DirectWrite aka Gen2 aka CUID ## MIFARE Classic DirectWrite aka Gen2 aka CUID
### Identify ### Identify
@@ -379,6 +455,17 @@ When "soft-bricked" (by writing invalid data in block0), these ones may help:
hf 14a config h hf 14a config h
``` ```
### libnfc commands
```
nfc-mfultralight -h
```
See `--uid` and `--full`
### Android
* MIFARE++ Ultralight
## MIFARE Ultralight EV1 DirectWrite ## MIFARE Ultralight EV1 DirectWrite
Same commands as for MFUL DirectWrite Same commands as for MFUL DirectWrite
@@ -456,9 +543,10 @@ or equivalently
hf 14a apdu -s 00ab00000704112233445566 hf 14a apdu -s 00ab00000704112233445566
``` ```
### pn53x-tamashell commands ### libnfc commands
``` ```
pn53x-tamashell
4a0100 4a0100
420200ab00000704112233445566 420200ab00000704112233445566
``` ```