Merge pull request #1961 from team-orangeBlue/master

Add some magic cards notes, fix `hf mfp chk`
2025-08-22 14:23:50 -07:00 · 2023-04-15 20:38:13 +02:00 · 2023-04-15 20:38:13 +02:00 · 1f1c1d1458
commit 1f1c1d1458
parent 8f7eae12f4 ef9e14da3b
2 changed files with 48 additions and 4 deletions
--- a/client/src/cmdhfmfp.c
+++ b/client/src/cmdhfmfp.c
@ -596,7 +596,7 @@ static int CmdHFMFPInitPerso(const char *Cmd) {
 static int CmdHFMFPCommitPerso(const char *Cmd) {
    CLIParserContext *ctx;
    CLIParserInit(&ctx, "hf mfp commitp",
-                  "Executes Commit Perso command. Can be used in SL0 mode only.",
+                  "Executes Commit Perso command. Can be used in SL0 mode only.\nOBS! This command will not be executed if CardConfigKey, CardMasterKey and L3SwitchKey AES keys are not written.",
                  "hf mfp commitp\n"
                  //                "hf mfp commitp --sl 1"
                 );
@ -689,7 +689,7 @@ static int CmdHFMFPRdbl(const char *Cmd) {
        arg_lit0("b",  "keyb", "Use key B (def: keyA)"),
        arg_lit0("p",  "plain", "Plain communication mode between reader and card"),
        arg_int1(NULL, "blk", "<0..255>", "Block number"),
-        arg_str0(NULL, "key", "<hex>", "Key, 16 hex bytes"),
+        arg_str0("k", "key", "<hex>", "Key, 16 hex bytes"),
        arg_param_end
    };
    CLIExecWithReturn(ctx, Cmd, argtable, false);
@ -1056,7 +1056,8 @@ static int MFPKeyCheck(uint8_t startSector, uint8_t endSector, uint8_t startKeyA
                }

                // 5 - auth error (rnd not equal)
-                if (res != 5) {
+                // PM3 client says that RND not equal is -16. Corrected. Seems to work.
+                if (res != -16) {
                    if (verbose)
                        PrintAndLogEx(ERR, "\nExchange error. Aborted.");
                    else
--- a/doc/magic_cards_notes.md
+++ b/doc/magic_cards_notes.md
@ -15,6 +15,7 @@ Useful docs:
  * [MIFARE Classic block0](#mifare-classic-block0)
  * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
  * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
+  * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming)
  * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
  * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
  * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version)
@ -108,6 +109,8 @@ UID 7b:
 ## MIFARE Classic Gen1A aka UID
 ^[Top](#top)

+aka MF ZERO
+
 ### Identify
 ^[Top](#top)

@ -264,7 +267,32 @@ hf 14a info
 * Read: `40(7)`, `30xx`
 * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc

+## MIFARE Classic Gen1A OTP/One Time Programming
+^[Top](#top)

+aka MF OTP 2.0
+
+Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command.
+
+Initial UID is 00000000
+
+All bytes are 00 from factory wherever possible.
+
+### Identify
+^[Top](#top)
+
+Only possible before personalization.
+
+```
+hf 14a info
+...
+[+] Magic capabilities : Gen 1a
+```
+
+### Magic commands
+^[Top](#top)
+
+* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc

 ## MIFARE Classic DirectWrite aka Gen2 aka CUID
 ^[Top](#top)
@ -414,6 +442,8 @@ hf 14a reader
 ## MIFARE Classic DirectWrite, FUID version aka 1-write
 ^[Top](#top)

+aka MF OTP
+
 Same as MIFARE Classic DirectWrite, but block0 can be written only once.

 Initial UID is AA55C396
@ -545,7 +575,7 @@ When writing to persistent memory it is possible to write _bad_ ACL and perm-bri

 **OBS**

-It is possible to write a configuration that perma locks the tag,  ie no more magic
+It is possible to write a configuration that perma locks the tag, i.e. no more magic

 ### Identify
 ^[Top](#top)
@ -844,6 +874,8 @@ See `--uid` and `--full`
 ## MIFARE Ultralight EV1 DirectWrite
 ^[Top](#top)

+aka UL2
+
 Similar to MFUL DirectWrite

 ### Identify
@ -880,6 +912,12 @@ hf 14a info
 * BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
 * ATS: 850000A00A000AC30004030101000B0316D7

+#### MIFARE Ultralight EV1 DirectWrite flavour 3
+^[Top](#top)
+
+* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
+* ATS: 850000A000000A3C0004030101000E03
+
 ## MIFARE Ultralight C Gen1A
 ^[Top](#top)

@ -919,6 +957,11 @@ hf 14a info
 * ATS: 0A78008102DBA0C119402AB5
 * Anticol shortcut (CL1/3000): fails

+**TODO**
+
+* UL-X, UL-Y, UL-Z, ULtra, UL-5 ?
+
+
 # NTAG
 ^[Top](#top)