github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

UFUID

Browse source
This commit is contained in:
Mykhailo Shevchuk 2023-12-26 20:23:40 +02:00
commit 3a811a5872
1 changed files with 48 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

48
doc/magic_cards_notes.md
View file

@ -32,6 +32,7 @@ Useful docs:
* [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu) * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu)
* [MIFARE Classic USCUID](#mifare-classic-uscuid) * [MIFARE Classic USCUID](#mifare-classic-uscuid)
* [FUID](#fuid) * [FUID](#fuid)
* [UFUID](#ufuid)
* [MIFARE Classic, other versions](#mifare-classic-other-versions) * [MIFARE Classic, other versions](#mifare-classic-other-versions)
* [MIFARE Classic Super](#mifare-classic-super) * [MIFARE Classic Super](#mifare-classic-super)
- [MIFARE Ultralight](#mifare-ultralight) - [MIFARE Ultralight](#mifare-ultralight)
@ -952,6 +953,53 @@ More correct detection should be based on a backdoor commands and configuration
[=] 0 | B5 02 45 4E BC 08 04 00 01 68 AA 89 47 CE 4D 1D | ..EN.....h..G.M. [=] 0 | B5 02 45 4E BC 08 04 00 01 68 AA 89 47 CE 4D 1D | ..EN.....h..G.M.
``` ```
## UFUID
^[Top](#top)
The card is positioned as "sealable UID", so that means you could use the same commands, as you could use for UID chip in a default state. But after the sealing (changing the configuration) card will not answer to the backdoor commands and will behave as a normal Mifare Classic card.
*But at the same time there is some unidentified behavior, which doesn't fully corresponds the protocol and original Mifare Classic cards. So the card could be filtered out with a protocol-based filters (i.e. Iron Logic OTP2 filter).*
### Characteristics
^[Top](#top)
* Configuration block value: `7AFF000000000000BAFA000000000008`
* No direct write to block 0
* Responds to magic wakeup `40(7)`, `43` commands before the sealing
* Acknowledge only the first (except wakeup command) and last config byte(s), so doesn't have the hidden block
### Identify
^[Top](#top)
Currently Proxmark3 doesn't identify it as a sepatate card.
Before the sealing could be detected from the config block value:
```
[usb] pm3 --> hf 14a raw -k -a -b 7 40
[+] 0A
[usb] pm3 --> hf 14a raw -k -a 43
[+] 0A
[usb] pm3 --> hf 14a raw -c -k -a E000
[+] 7A FF 00 00 00 00 00 00 BA FA 00 00 00 00 00 08 [ F1 69 ]
```
### Proxmark3 commands
^[Top](#top)
All commands are available before sealing.
* Proxmark3 magic Gen1 commands
* Read configuration: `E000+crc`
* Write configuration: `E100+crc`
Example of the sealing, performed by Chinese copiers in raw commands:
```
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c e100
hf 14a raw -c 85000000000000000000000000000008
```
## MIFARE Classic, other versions ## MIFARE Classic, other versions
^[Top](#top) ^[Top](#top)