option --force to hf mfu rdb/wrbl and document how to set version & sig on ultimate card

Philippe Teuwen 2021-12-30 12:11:22 +01:00
commit 02f2318326
3 changed files with 49 additions and 2 deletions


@ -3,6 +3,9 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Added option `--force` to `hf mfu rdb/wrbl` to force operation even if address is out of range (@doegox)
- Added documentation for detailed usage of the Ultimate Magic Card (@doegox)
- Changed HitagS trace record and parsing to deal with partial bytes and to check CRC8 (@doegox)
- Added support for KS X 6924 (South Korea's T-money card) (@toucan12)
- Fixed `hf 15 dump` - now correctly dumps 256 blocks w/o crashing the client (@iceman1001)
- Changed `hf 14a sim -t 3` - anticollision for DESFire simulation now uses different RATS (@mosci)


@ -1772,6 +1772,7 @@ static int CmdHF14AMfUWrBl(const char *Cmd) {
arg_lit0("l", NULL, "swap entered key's endianness"),
arg_int1("b", "block", "<dec>", "block number to write"),
arg_str1("d", "data", "<hex>", "block data (4 or 16 hex bytes, 16 hex bytes will do a compatibility write)"),
arg_lit0(NULL, "force", "force operation even if address is out of range"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
@ -1786,6 +1787,7 @@ static int CmdHF14AMfUWrBl(const char *Cmd) {
int datalen = 0;
uint8_t data[16] = {0x00};
CLIGetHexWithReturn(ctx, 4, data, &datalen);
bool force = arg_get_lit(ctx, 5);
CLIParserFree(ctx);
bool has_auth_key = false;
@ -1823,7 +1825,7 @@ static int CmdHF14AMfUWrBl(const char *Cmd) {
break;
}
}
if (blockno > maxblockno) {
if ((blockno > maxblockno) && (!force)) {
PrintAndLogEx(WARNING, "block number too large. Max block is %u/0x%02X \n", maxblockno, maxblockno);
return PM3_EINVARG;
}
@ -1901,6 +1903,7 @@ static int CmdHF14AMfURdBl(const char *Cmd) {
arg_str0("k", "key", "<hex>", "key for authentication (UL-C 16 bytes, EV1/NTAG 4 bytes)"),
arg_lit0("l", NULL, "swap entered key's endianness"),
arg_int1("b", "block", "<dec>", "block number to read"),
arg_lit0(NULL, "force", "force operation even if address is out of range"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
@ -1910,6 +1913,7 @@ static int CmdHF14AMfURdBl(const char *Cmd) {
CLIGetHexWithReturn(ctx, 1, authenticationkey, &ak_len);
bool swap_endian = arg_get_lit(ctx, 2);
int blockno = arg_get_int_def(ctx, 3, -1);
bool force = arg_get_lit(ctx, 4);
CLIParserFree(ctx);
bool has_auth_key = false;
@ -1942,7 +1946,7 @@ static int CmdHF14AMfURdBl(const char *Cmd) {
break;
}
}
if (blockno > maxblockno) {
if ((blockno > maxblockno) && (!force)) {
PrintAndLogEx(WARNING, "block number to large. Max block is %u/0x%02X \n", maxblockno, maxblockno);
return PM3_EINVARG;
}
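Review bot: With `--force` set, the new condition `(blockno > maxblockno) && (!force)` in both CmdHF14AMfUWrBl and CmdHF14AMfURdBl leaves no upper bound on `blockno` in the visible code. The Ultralight/NTAG page address is a single byte on the wire, so a forced value above 255 would presumably be narrowed to a different page later on; that code is outside these hunks, so this should be confirmed. A hard limit that `--force` cannot override would close the gap, for example `if (blockno > 0xFF) return PM3_EINVARG;` placed before the existing range check. On the write path it would also help to log when the range check is bypassed, for example `PrintAndLogEx(INFO, "--force: block %d is beyond detected max block %u", blockno, maxblockno);`, so a session log shows that an out-of-range write was deliberate. Both function bodies start and end outside the hunks shown, so any lower-bound check on `blockno` cannot be confirmed from here.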


@ -793,6 +793,46 @@ hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC1910101112131
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001
```
### Version and Signature
Ultralight EV1 and NTAG Version info and Signature are stored respectively in blocks 250-251 and 242-249.
Example for an Ultralight EV1 128b with the signature sample from tools/recover_pk.py
```
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000000
hf mfu wrbl -b 0 -d 04C12865
hf mfu wrbl -b 1 -d 5A373080
hf mfu wrbl -b 242 -d CEA2EB0B --force
hf mfu wrbl -b 243 -d 3C95D084 --force
hf mfu wrbl -b 244 -d 4A95B824 --force
hf mfu wrbl -b 245 -d A7553703 --force
hf mfu wrbl -b 246 -d B3702378 --force
hf mfu wrbl -b 247 -d 033BF098 --force
hf mfu wrbl -b 248 -d 7899DB70 --force
hf mfu wrbl -b 249 -d 151A19E7 --force
hf mfu wrbl -b 250 -d 00040301 --force
hf mfu wrbl -b 251 -d 01000E03 --force
hf mfu info
```
Example for an NTAG216 with the signature sample from tools/recover_pk.py
```
hf 14a raw -s -c -t 1000 CF00000000F001010000000003000978009102DABC19101011121314151644000001
hf mfu wrbl -b 0 -d 04E10C61
hf mfu wrbl -b 1 -d DA993C80
hf mfu wrbl -b 242 -d 8B76052E --force
hf mfu wrbl -b 243 -d E42F5567 --force
hf mfu wrbl -b 244 -d BEB53238 --force
hf mfu wrbl -b 245 -d B3E3F995 --force
hf mfu wrbl -b 246 -d 0707C0DC --force
hf mfu wrbl -b 247 -d C956B5C5 --force
hf mfu wrbl -b 248 -d EFCFDB70 --force
hf mfu wrbl -b 249 -d 9B2D82B3 --force
hf mfu wrbl -b 250 -d 00040402 --force
hf mfu wrbl -b 251 -d 01001303 --force
hf mfu info
```
## MIFARE Classic Super
It behaves like DirectWrite but records reader auth attempts.