github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-07-11 23:56:27 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

update notes on ultimate card

Browse source
This commit is contained in:
Philippe Teuwen 2021-12-29 14:49:42 +01:00
parent 3a7c114d45
commit 1c1de3142b
1 changed files with 28 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

24
doc/magic_cards_notes.md
View file

@ -490,13 +490,13 @@ Special commands summary:
CF <passwd> 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQA bytes) CF <passwd> 35 <2b ATQA><1b SAK> // Configure ATQA/SAK (swap ATQA bytes)
CF <passwd> 68 <00-02> // Configure UID length CF <passwd> 68 <00-02> // Configure UID length
CF <passwd> 69 <00-01> // (De)Activate Ultralight mode CF <passwd> 69 <00-01> // (De)Activate Ultralight mode
CF <passwd> 6A <00-??> // Select Ultralight mode CF <passwd> 6A <00-03> // Select Ultralight mode
CF <passwd> C6 // Dump configuration CF <passwd> C6 // Dump configuration
CF <passwd> CC <???> // ??? CF <passwd> CC // Factory test, returns 6666
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
CF <passwd> CE <1b block number> // Backdoor read 16b block CF <passwd> CE <1b block number> // Backdoor read 16b block
CF <passwd> F0 <30b configuration data> // Configure all params in one cmd CF <passwd> F0 <30b configuration data> // Configure all params in one cmd
CF <passwd> F1 <30b configuration data> // Configure all params in one cmd (and fuse??) CF <passwd> F1 <30b configuration data> // Configure all params in one cmd and fuse the configuration permanently
CF <passwd> FE <4b new_password> // change password CF <passwd> FE <4b new_password> // change password
``` ```
Default `<passwd>`: `00000000` Default `<passwd>`: `00000000`
@ -627,7 +627,7 @@ hf 14b reader
=> UID 00010203 => UID 00010203
=> ATQB 0405060708090A => ATQB 0405060708090A
### Set Ultralight mode ### (De)Activate Ultralight mode
``` ```
hf 14a raw -s -c -t 1000 CF<passwd>69<1b param> hf 14a raw -s -c -t 1000 CF<passwd>69<1b param>
@ -651,7 +651,19 @@ In this mode, if SAK=`00` and ATQA=`0044`, it acts as an Ultralight card
hf 14a raw -s -c -t 1000 CF<passwd>6A<1b param> hf 14a raw -s -c -t 1000 CF<passwd>6A<1b param>
``` ```
👉 **TODO** should correspond to selection of EV1/ULC/... mode in the GUI. * `<param>`
* `00`: UL EV1
* `01`: NTAG
* `02`: UL-C
* `03`: UL
⚠ it supposes Ultralight mode was activated (cf command `69`)
Example: set Ultralight mode to Ultralight-C, default pwd
```
hf 14a raw -s -c -t 1000 CF000000006A02
```
Now the card supports the 3DES UL-C authentication.
### Set shadow mode (GTU) ### Set shadow mode (GTU)
This mode is divided into four states: off (pre-write), on (on restore), dont care, and high-speed read and write. This mode is divided into four states: off (pre-write), on (on restore), dont care, and high-speed read and write.
@ -739,7 +751,7 @@ Example: Write factory configuration, using default password
hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC191010111213141516040008004F6B hf 14a raw -s -c -t 1000 CF00000000F000000000000002000978009102DABC191010111213141516040008004F6B
``` ```
👉 **TODO** Variant with command `F1` sets configuration and fuses it ? ⚠ Variant with command `F1` instead of `F0` will set and fuse permanently the configuration. Backdoor R/W will still work.
## MIFARE Classic Super ## MIFARE Classic Super