From fd9c8f4f7eb61184bc56e76c98f2ac5de3fc4f10 Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Sun, 9 Apr 2023 08:52:52 +0300 Subject: [PATCH 1/5] Small corrections to MF+ commands Add -k argument to rdbl, fix chk command Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- client/src/cmdhfmfp.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/client/src/cmdhfmfp.c b/client/src/cmdhfmfp.c index 7c729cdc0..6b9c3230d 100644 --- a/client/src/cmdhfmfp.c +++ b/client/src/cmdhfmfp.c @@ -597,6 +597,7 @@ static int CmdHFMFPCommitPerso(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfp commitp", "Executes Commit Perso command. Can be used in SL0 mode only.", + "OBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.", "hf mfp commitp\n" // "hf mfp commitp --sl 1" ); @@ -689,7 +690,7 @@ static int CmdHFMFPRdbl(const char *Cmd) { arg_lit0("b", "keyb", "Use key B (def: keyA)"), arg_lit0("p", "plain", "Plain communication mode between reader and card"), arg_int1(NULL, "blk", "<0..255>", "Block number"), - arg_str0(NULL, "key", "", "Key, 16 hex bytes"), + arg_str0("k", "key", "", "Key, 16 hex bytes"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); @@ -1056,7 +1057,8 @@ static int MFPKeyCheck(uint8_t startSector, uint8_t endSector, uint8_t startKeyA } // 5 - auth error (rnd not equal) - if (res != 5) { + // PM3 client says that RND not equal is -16. Corrected. Seems to work. + if (res != -16) { if (verbose) PrintAndLogEx(ERR, "\nExchange error. Aborted."); else From 0b8514bab0d59ea2e3e162cb82b5d5033e2f8e0c Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 11 Apr 2023 18:08:07 +0300 Subject: [PATCH 2/5] Add iKey blanks Too much stuff we don't know yet. The cloners cost too much. 
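Review bot: In CmdHFMFPCommitPerso the added `"OBS! This command will not be executed if ..."` string ends with a comma, so it becomes a separate argument to CLIParserInit instead of part of the description. The call previously passed four arguments (context, name, description, examples) and now passes five, which presumably fails to compile or shifts the examples string, depending on the prototype, which is not visible here. PATCH 4/5 of this series folds the text into the description; squashing that fix into this commit would keep every commit in the series buildable. The function body continues outside the hunk.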
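Review bot: In MFPKeyCheck the new test `if (res != -16)` hard-codes a raw error number, and the context comment `// 5 - auth error (rnd not equal)` directly above it is left in place and now contradicts the code. The added comment ("Seems to work") suggests the value was found empirically; if -16 is the client's `PM3_EWRONGANSWER`, compare against the name, e.g. `if (res != PM3_EWRONGANSWER) {`, and replace both comments with one such as `// wrong answer from card: auth failed (RND mismatch), try the next key`. It is also worth confirming that the authentication routine returns this code only for an RND mismatch, because any other failure mapped to the same value would be treated as a wrong key and the key check would continue instead of aborting with "Exchange error". The function starts and ends outside the hunk.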
Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 43 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index fa5cd0a64..f37ae22a9 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -15,6 +15,7 @@ Useful docs: * [MIFARE Classic block0](#mifare-classic-block0) * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid) * [MIFARE Classic Gen1B](#mifare-classic-gen1b) + * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otp/one-time-programming) * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid) * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write) * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version) @@ -264,7 +265,32 @@ hf 14a info * Read: `40(7)`, `30xx` * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc +## MIFARE Classic Gen1A OTP/One Time Programming +^[Top](#top) +aka MF OTP 2.0 + +Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command. + +Initial UID is 00000000 + +All bytes are 00 from factory wherever possible. + +### Identify +^[Top](#top) + +Only possible before personalization. + +``` +hf 14a info +... +[+] Magic capabilities : Gen 1a +``` + +### Magic commands +^[Top](#top) + +* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc ## MIFARE Classic DirectWrite aka Gen2 aka CUID ^[Top](#top) @@ -414,6 +440,8 @@ hf 14a reader ## MIFARE Classic DirectWrite, FUID version aka 1-write ^[Top](#top) +aka. MF OTP + Same as MIFARE Classic DirectWrite, but block0 can be written only once. Initial UID is AA55C396 
@@ -545,7 +573,7 @@ When writing to persistent memory it is possible to write _bad_ ACL and perm-bri **OBS** -It is possible to write a configuration that perma locks the tag, ie no more magic +It is possible to write a configuration that perma locks the tag, i.e. no more magic ### Identify ^[Top](#top) @@ -844,6 +872,8 @@ See `--uid` and `--full` ## MIFARE Ultralight EV1 DirectWrite ^[Top](#top) +aka. UL2 + Similar to MFUL DirectWrite ### Identify @@ -880,6 +910,12 @@ hf 14a info * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! * ATS: 850000A00A000AC30004030101000B0316D7 +#### MIFARE Ultralight EV1 DirectWrite flavour 3 +^[Top](#top) + +* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware! +* ATS: 850000A000000A3C0004030101000E03 + ## MIFARE Ultralight C Gen1A ^[Top](#top) @@ -919,6 +955,11 @@ hf 14a info * ATS: 0A78008102DBA0C119402AB5 * Anticol shortcut (CL1/3000): fails +**TODO** + +* UL-X, UL-Y, UL-Z, ULtra, UL-5 ? + + # NTAG ^[Top](#top) From 9c5079dc9d34ee3866fdd0ecbf1d2f058760cc4f Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 11 Apr 2023 18:44:19 +0300 Subject: [PATCH 3/5] Add iKey blanks Too much we don't know. Their cloners are expensive... Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index f37ae22a9..4775b6cdc 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md 
@@ -15,7 +15,7 @@ Useful docs: * [MIFARE Classic block0](#mifare-classic-block0) * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid) * [MIFARE Classic Gen1B](#mifare-classic-gen1b) - * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otp/one-time-programming) + * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming) * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid) * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write) * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version) From 022c06c596d8bbcd15a4321953c8fd901542de1d Mon Sep 17 00:00:00 2001 From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 11 Apr 2023 19:14:55 +0300 Subject: [PATCH 4/5] Fix a bug I can't code Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- client/src/cmdhfmfp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/client/src/cmdhfmfp.c b/client/src/cmdhfmfp.c index 6b9c3230d..b6d4aa96a 100644 --- a/client/src/cmdhfmfp.c +++ b/client/src/cmdhfmfp.c @@ -596,8 +596,7 @@ static int CmdHFMFPInitPerso(const char *Cmd) { static int CmdHFMFPCommitPerso(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfp commitp", - "Executes Commit Perso command. Can be used in SL0 mode only.", - "OBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.", + "Executes Commit Perso command. Can be used in SL0 mode only.\nOBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.", "hf mfp commitp\n" // "hf mfp commitp --sl 1" ); From ef9e14da3bcc96af959f54dda8629ad81d926695 Mon Sep 17 00:00:00 2001 
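Review bot: The description argument of CLIParserInit in CmdHFMFPCommitPerso is now one very long literal with an embedded `\n`, which is hard to read and to diff. Adjacent string literals are concatenated at compile time, so the text can be split after the newline without adding an argument: `"Executes Commit Perso command. Can be used in SL0 mode only.\n"` followed on the next line by `"OBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.",`. The examples argument below it already ends its line with `\n` in the same way. The function body continues outside the hunk.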
From: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> Date: Tue, 11 Apr 2023 19:42:46 +0300 Subject: [PATCH 5/5] grammar correction, add 1 missing definition Signed-off-by: team-orangeBlue <63470411+team-orangeBlue@users.noreply.github.com> --- doc/magic_cards_notes.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 4775b6cdc..c588d3b54 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -109,6 +109,8 @@ UID 7b: ## MIFARE Classic Gen1A aka UID ^[Top](#top) +aka MF ZERO + ### Identify ^[Top](#top) @@ -440,7 +442,7 @@ hf 14a reader ## MIFARE Classic DirectWrite, FUID version aka 1-write ^[Top](#top) -aka. MF OTP +aka MF OTP Same as MIFARE Classic DirectWrite, but block0 can be written only once. @@ -872,7 +874,7 @@ See `--uid` and `--full` ## MIFARE Ultralight EV1 DirectWrite ^[Top](#top) -aka. UL2 +aka UL2 Similar to MFUL DirectWrite