diff --git a/client/src/cmdhfmfp.c b/client/src/cmdhfmfp.c
index 7c729cdc0..b6d4aa96a 100644
--- a/client/src/cmdhfmfp.c
+++ b/client/src/cmdhfmfp.c
@@ -596,7 +596,7 @@ static int CmdHFMFPInitPerso(const char *Cmd) {
 static int CmdHFMFPCommitPerso(const char *Cmd) {
 CLIParserContext *ctx;
 CLIParserInit(&ctx, "hf mfp commitp",
- "Executes Commit Perso command. Can be used in SL0 mode only.",
+ "Executes Commit Perso command. Can be used in SL0 mode only.\nOBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.",
 "hf mfp commitp\n"
 // "hf mfp commitp --sl 1"
 );
@@ -689,7 +689,7 @@ static int CmdHFMFPRdbl(const char *Cmd) {
 arg_lit0("b", "keyb", "Use key B (def: keyA)"),
 arg_lit0("p", "plain", "Plain communication mode between reader and card"),
 arg_int1(NULL, "blk", "<0..255>", "Block number"),
- arg_str0(NULL, "key", "", "Key, 16 hex bytes"),
+ arg_str0("k", "key", "", "Key, 16 hex bytes"),
 arg_param_end
 };
 CLIExecWithReturn(ctx, Cmd, argtable, false);
@@ -1056,7 +1056,8 @@ static int MFPKeyCheck(uint8_t startSector, uint8_t endSector, uint8_t startKeyA
 }
 
 // 5 - auth error (rnd not equal)
- if (res != 5) {
+ // PM3 client says that RND not equal is -16. Corrected. Seems to work.
+ if (res != -16) {
 if (verbose)
 PrintAndLogEx(ERR, "\nExchange error. Aborted.");
 else
diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md
index fa5cd0a64..c588d3b54 100644
--- a/doc/magic_cards_notes.md
+++ b/doc/magic_cards_notes.md
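Review bot: The stale comment `// 5 - auth error (rnd not equal)` directly above the new `if (res != -16)` in the MFPKeyCheck hunk still documents the old sentinel and now contradicts the check; replace it and the new "Seems to work" remark with one line that states the contract, e.g. `// -16: authentication failed (card RND mismatch); any other result is treated as an exchange error`. The literal -16 should also carry a name: if the client already defines a constant for this result code, compare against it, otherwise add one (for instance a constructed `enum { MFP_AUTH_RND_MISMATCH = -16 };` next to the producer) so this branch and the code that sets `res` cannot drift apart again as they did with 5. Because this branch decides whether a failure is reported as a bad key or as an aborted exchange, a wrong sentinel silently misclassifies results, so a unit test that drives both codes through this path would be worth adding alongside the fix. MFPKeyCheck starts and ends outside the hunk, so where `res` is assigned and whether it is a signed type cannot be confirmed from here.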
@@ -15,6 +15,7 @@ Useful docs: * [MIFARE Classic block0](#mifare-classic-block0) * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid) * [MIFARE Classic Gen1B](#mifare-classic-gen1b) + * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming) * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid) * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write) * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version) @@ -108,6 +109,8 @@ UID 7b: ## MIFARE Classic Gen1A aka UID ^[Top](#top) +aka MF ZERO + ### Identify ^[Top](#top) @@ -264,7 +267,32 @@ hf 14a info * Read: `40(7)`, `30xx` * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc +## MIFARE Classic Gen1A OTP/One Time Programming +^[Top](#top) +aka MF OTP 2.0 + +Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command. + +Initial UID is 00000000 + +All bytes are 00 from factory wherever possible. + +### Identify +^[Top](#top) + +Only possible before personalization. + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1a +``` + +### Magic commands +^[Top](#top) + +* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc ## MIFARE Classic DirectWrite aka Gen2 aka CUID ^[Top](#top) @@ -414,6 +442,8 @@ hf 14a reader ## MIFARE Classic DirectWrite, FUID version aka 1-write ^[Top](#top) +aka MF OTP + Same as MIFARE Classic DirectWrite, but block0 can be written only once. Initial UID is AA55C396 @@ -545,7 +575,7 @@ When writing to persistent memory it is possible to write _bad_ ACL and perm-bri **OBS** -It is possible to write a configuration that perma locks the tag, ie no more magic +It is possible to write a configuration that perma locks the tag, i.e. no more magic ### Identify ^[Top](#top) 
@@ -844,6 +874,8 @@ See `--uid` and `--full` ## MIFARE Ultralight EV1 DirectWrite ^[Top](#top) +aka UL2 + Similar to MFUL DirectWrite ### Identify @@ -880,6 +912,12 @@ hf 14a info * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! * ATS: 850000A00A000AC30004030101000B0316D7 +#### MIFARE Ultralight EV1 DirectWrite flavour 3 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: 850000A000000A3C0004030101000E03 + ## MIFARE Ultralight C Gen1A ^[Top](#top) @@ -919,6 +957,11 @@ hf 14a info * ATS: 0A78008102DBA0C119402AB5 * Anticol shortcut (CL1/3000): fails +**TODO** + +* UL-X, UL-Y, UL-Z, ULtra, UL-5 ? + + # NTAG ^[Top](#top)