Merge pull request #2169 from team-orangeBlue/NotesRevisedRevised

The fix to the completely fixed magic notes
2025-08-21 13:53:55 -07:00 · 2023-11-09 08:18:39 +01:00 · 2023-11-09 08:18:39 +01:00 · 4ca3f2c3b6
commit 4ca3f2c3b6
parent fdfe8869ae 23473714c3
2 changed files with 575 additions and 127 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -53,6 +53,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Modified `hf iclass configcard` to only support online mode (@Antiklesys)
 - Modified `hf iclass configcard` command to generate config cards without a cardhelper module by porting the contents of blocks 6 & 7 from nfc-iclass (@Antiklesys)
 - Fixed `hf iclass info` command showing incorrectly in offline mode (@Antiklesys)
 - The "doc/magic_cards_notes.md" file has been rebuilt, filled up, and so on. (@team-orangeBlue)
 ## [Raccoon.4.17140][2023-09-09]
 - Changed text and adjust pm3_test case for mf_aes_brute (@doegox)
--- a/doc/magic_cards_notes.md
+++ b/doc/magic_cards_notes.md
@ -8,20 +8,29 @@ Useful docs:
 # Table of Contents
-
+- [Low frequency](#low-frequency)
  * [T55xx](#t55xx)
  * [EM4x05](#em4x05)
  * [ID82xx series](#id82xx-series)
    * [ID8265](#id8265)
    * [ID-F8268](#id-f8268)
    * [K8678](#k8678)
  * [H series](#h-series)
    * [H1](#h1)
    * [H5.5 / H7](h55--h7)
    * [i57 / i57v2](#i57--i57v2)
 - [ISO14443A](#iso14443a)
  * [Identifying broken ISO14443A magic](#identifying-broken-iso14443a-magic)
 - [MIFARE Classic](#mifare-classic)
  * [MIFARE Classic block0](#mifare-classic-block0)
  * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
  * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
-  * [MIFARE Classic Gen1A OTP/One Time Programming](#mifare-classic-gen1a-otpone-time-programming)
+  * [MIFARE Classic OTP2](#mifare-classic-otp2)
  * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
  * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
  * [MIFARE Classic DirectWrite, UFUID version](#mifare-classic-directwrite-ufuid-version)
  * [MIFARE Classic, other versions](#mifare-classic-other-versions)
  * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu)
-  * [MIFARE Classic Gen4 aka GDM](#mifare-classic-gen4-aka-gdm)
+  * [MIFARE Classic USCUID](#mifare-classic-uscuid)
  * [MIFARE Classic, other versions](#mifare-classic-other-versions)
  * [MIFARE Classic Super](#mifare-classic-super)
 - [MIFARE Ultralight](#mifare-ultralight)
  * [MIFARE Ultralight blocks 0..2](#mifare-ultralight-blocks-02)
@ -30,6 +39,11 @@ Useful docs:
  * [MIFARE Ultralight EV1 DirectWrite](#mifare-ultralight-ev1-directwrite)
  * [MIFARE Ultralight C Gen1A](#mifare-ultralight-c-gen1a)
  * [MIFARE Ultralight C DirectWrite](#mifare-ultralight-c-directwrite)
  * [UL series (RU)](#ul-series-ru)
    * [UL-Y](#ul-y)
    * [ULtra](#ultra)
    * [UL-5](#ul-5)
    * [UL, other chips](#ul-other-chips)
 - [NTAG](#ntag)
  * [NTAG213 DirectWrite](#ntag213-directwrite)
  * [NTAG21x](#ntag21x)
@ -37,12 +51,195 @@ Useful docs:
  * ["DESFire" APDU, 7b UID](#desfire-apdu-7b-uid)
  * ["DESFire" APDU, 4b UID](#desfire-apdu-4b-uid)
 - [ISO14443B](#iso14443b)
-  * [ISO14443B magic](#iso14443b-magic)
+  * [Tiananxin TCOS CPU card](#tiananxin-tcos-cpu-card)
 - [ISO15693](#iso15693)
  * [ISO15693 magic](#iso15693-magic)
 - [Multi](#multi)
-  * [Gen 4 GTU](#gen-4-gtu)
+  * [UMC](#umc)
 - [Other](#other)
  * [SID](#sid)
  * [NSCK-II](#nsck-ii)
 # Low frequency
 ## T55xx
 ^[Top](#top)
 The temic T55xx/Atmel ATA5577 is the most commonly used chip for cloning LF RFIDs.
 A useful document can be found [here](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/T5577_Guide.md).
 ### Characteristics
 * 28/24 bytes of user memory (without/with password)
 * Universal output settings (data rate, modulation, etc)
 * Password protection (4 bytes), usually "19920427"
 * Lock bits per page
 * Analog frontend setup
 * Other names:
  * 5577
  * 5200 (CN)
    - Cut down version of T55xx chip (no analog frontend setup, no test mode support).
  * H2 (RU)
    - Seems to be renamed 5200 chip.
  * RW125T5 (RU)
 * Old variant "T5555" is hard to come across
 ### Detect
 ```
 [usb] pm3 --> lf search
 ...
 [+] Chipset detection: T55xx
 ```
 This will **not** work if you have a downlink mode other than fixed bit length!
 ### Commands
 *See ATMEL ATA5577C datasheet for sending commands to chip*
 * **Do not mix "password read" and "regular write" commands! You risk potentially writing incorrect data.
 * When replying, the chip will use the modulation and data rate specified in block 0.
 ## EM4x05
 ^[Top](#top)
 The EM4305 and EM4205 (and 4469/4569) chips are the 2nd most common used chips for cloning LF RFIDs.
 It is also used by HID Global (but with a custom chip) for HIDProx credentials.
 ### Characteristics
 * 36 bytes of user memory
 * Output settings are limited (ASK only, FSK added on HID variant)
 * Password protection (4 bytes), usually "84AC15E2"
 * Lock page used
 * Other names:
  * H3 (RU)
  * RW125EM (RU)
 ### Detect
 ```
 [usb] pm3 --> lf search
 ...
 [+] Chipset detection: EM4x05 / EM4x69
 ```
 ### Commands
 *See EM microelectronic EM4305 datasheet for sending commands to chip*
 ## ID82xx series
 ^[Top](#top)
 These are custom chinese chips designed to clone EM IDs only. Often times, these are redesigned clones of Hitag chips.
 ### ID8265
 ^[Top](#top)
 This is the cheapest and most common ID82xx chip available. It is usually sold as T55xx on AliExpress, with excuses to use cloners.
 #### Characteristics
 * Chip is likely a Hitag μ (micro)
 * Password protection (4b), usually "1AC4999C"
 * Currently unimplemented in proxmark3 client
 * Other names:
  * ID8210 (CN)
  * H-125 (CN)
  * H5 (RU)
    - The sales of "H5" have been ceased because "the chip was leaked".
 #### Detect
 ```
 [usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00011 -s 3000
 [usb] pm3 --> data plot
 ```
 Check the green line of the plot. It must be a straight line at the end with no big waves.
 ### ID-F8268
 ^[Top](#top)
 This is an "improved" variant of ID82xx chips, bypassing some magic detection in China.
 #### Characteristics
 * Chip is likely a Hitag 1
 * Unsure whether password protection is used
 * Currently unimplemeneted in proxmark3 client
 * Other names:
  - F8278 (CN)
  - F8310 (CN)
 #### Detect
 ```
 [usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000
 [usb] pm3 --> data plot
 ```
 Check the green line of the plot. It must be a straight line at the end with no big waves.
 ### K8678
 ^[Top](#top)
 This is an "even better" chip, manufactured by Hyctec.
 #### Characteristics
 * Chip is likely a Hitag S256
 * Plain mode used, no password protection
 * Currently unimplemented in proxmark3 client
 * Memory access is odd (chip doesnt reply to memory access commands for unknown reason)
 #### Detect
 ```
 [usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000
 [usb] pm3 --> data plot
 ```
 Check the green line of the plot. It must be a straight line at the end with no big waves.
 ## H series
 ^[Top](#top)
 These are chips sold in Russia, manufactured by iKey LLC. Often times these are custom.
 ### H1
 ^[Top](#top)
 Simplest EM ID cloning chip available. Officially discontinued.
 #### Characteristics
 * Currently almost all structure is unknown
 * No locking or password protection
  * "OTP" chip is same chip, but with EM ID of zeroes. Locked after first write
 * Other names:
  * RW64bit
  * RW125FL
 ### H5.5 / H7
 ^[Top](#top)
 First "advanced" custom chip with H naming.
 #### Characteristics
 * Currently all structure is unknown
 * No password protection
 * Only supported by Russian "TMD"/"RFD" cloners
 * H7 is advertised to work with "Stroymaster" access control
 * Setting ID to "3F0096F87E" will make the chip show up like T55xx
 ### i57 / i57v2
 \[ Chip is discontinued, no info \]
 # ISO14443A
@ -109,7 +306,8 @@ UID 7b:
 ## MIFARE Classic Gen1A aka UID
 ^[Top](#top)
-aka MF ZERO
+* Other names:
  - ZERO (RU)
 ### Identify
 ^[Top](#top)
@ -267,16 +465,17 @@ hf 14a info
 * Read: `40(7)`, `30xx`
 * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
-## MIFARE Classic Gen1A OTP/One Time Programming
+## MIFARE Classic OTP2
 ^[Top](#top)
 aka MF OTP 2.0
 Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command.
-Initial UID is 00000000
+### Characteristics
-All bytes are 00 from factory wherever possible.
+* Initial UID is 00000000
 * BCC: unknown
 * SAK/ATQA: fixed
 * All bytes are 00 from factory wherever possible.
 ### Identify
 ^[Top](#top)
@ -287,6 +486,7 @@ Only possible before personalization.
 hf 14a info
 ...
 [+] Magic capabilities : Gen 1a
 [+] Prng detection: hard
 ```
 ### Magic commands
@ -299,6 +499,11 @@ hf 14a info
 (also referred as MCT compatible by some sellers)
 * Other names:
  * MF-8 (RU)
  * MF3 (RU)
    - What's so special about this chip in particular..?
 ### Identify
 ^[Top](#top)
@ -442,16 +647,19 @@ hf 14a reader
 ## MIFARE Classic DirectWrite, FUID version aka 1-write
 ^[Top](#top)
 aka MF OTP
 Same as MIFARE Classic DirectWrite, but block0 can be written only once.
-Initial UID is AA55C396
+* Other names:
  - OTP (RU)
 ### Characteristics
 * Initial UID is AA55C396
 ### Identify
 ^[Top](#top)
-Only possible before personalization.
+Only possible before personalization. *It is also possible after, but unknown how.*
 ```
 hf 14a info
@ -459,28 +667,6 @@ hf 14a info
 [+] Magic capabilities : Write Once / FUID
 ```
 ## MIFARE Classic DirectWrite, UFUID version
 ^[Top](#top)
 Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.
 ### Identify
 ^[Top](#top)
 **TODO**
 ### Proxmark3 commands
 ^[Top](#top)
 To lock definitively block0:
 ```
 hf 14a raw -a -k -b 7 40
 hf 14a raw    -k      43
 hf 14a raw    -k -c   e000
 hf 14a raw    -k -c   e100
 hf 14a raw       -c   85000000000000000000000000000008
 ```
 ## MIFARE Classic Gen3 aka APDU
 ^[Top](#top)
@ -554,85 +740,131 @@ hf 14a raw -s -c  -t 2000  90F0CCCC10 041219c3219316984200e32000000000
 hf 14a raw -s -c 90FD111100
 ```
-## MIFARE Classic Gen4 aka GDM
+## MIFARE Classic USCUID
 ^[Top](#top)
-Tag has shadow mode enabled from start.
+TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85.
-Meaning every write or changes to normal MFC memory is restored back to a copy from persistent memory after about 3 seconds 
+All of the known tags using this, except for Ultralight tags, are listed here.
 off rfid field.
 Tag also seems to support Gen2 style, direct write,  to block 0 to the normal MFC memory.
-The persistent memory is also writable. For that tag uses its own backdoor commands.
+You cannot turn a Classic tag into an Ultralight and vice-versa!
 for example to write,  you must use a customer authentication byte, 0x80, to authenticate with an all zeros key, 0x0000000000.
 Then send the data to be written.
 This tag has simular commands to the [UFUID](#mifare-classic-directwrite-ufuid-version)
 This indicates that both tagtypes are developed by the same person.
 **OBS**
 When writing to persistent memory it is possible to write _bad_ ACL and perm-brick the tag. 
 **OBS**
 It is possible to write a configuration that perma locks the tag, i.e. no more magic
 ### Identify
 ^[Top](#top)
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Gen 4 GDM
 ```
 ### Magic commands
 ^[Top](#top)
 * Auth: `80xx`+crc
 * Write: `A8xx`+crc,  `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
 * Read config: `E000`+crc
 * Write config: `E100`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
 ### Characteristics
 ^[Top](#top)
-* Have no knowledge in ATQA/SAK/BCC quirks or if there is a wipe, softbrick recover
+* UID: 4/7 bytes
-* Its magic part seem to be three identified custom command. 
+* ATQA: always read from block 0
-* Auth command 0x80, with the key 0x0000000000,  Write 0xA8 allows writing to persistent memory,  Read 0xE0  which seems to return a configuration. This is unknown today what these bytes are.
+* SAK: read from backdoor or configuration
 * BCC: read from memory, beware!
 * ATS: no/unknown
-Read config:
+### Magic commands
-1. sending custom auth with all zeros key
+^[Top](#top)
 2. send 0xE000,  will return the configuration bytes.
 `results: 850000000000000000005A5A00000008`
 * Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
  - Backdoor read: `38xx+crc`
  - Backdoor write: `A8xx+crc`, `[16 bytes data]+crc`
-Mapping of configuration bytes so far:
+  - Read configuration: `E000+crc`
  - Write configuration: `E100+crc`; `[16 bytes data]+crc`
 * Magic wakeup (A: 00): `40(7)`, `43`
 * Magic wakeup (B: 85): `20(7)`, `23`
  - Backdoor read main block: `30xx+crc`
  - Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc`
  - Read hidden block: `38xx+crc`
  - Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
  - Read configuration: `E000+crc`
  - Write configuration: `E100+crc`
  **DANGER**
  - Set main memory and config to 00 `F000+crc`
  - Set main memory and config to FF `F100+crc`
  - Set main memory and config to 55 (no 0A response) `F600+crc`
  - Set backdoor memory to 00 `F800+crc`
  - Set backdoor memory to FF `F900+crc`
  - Set backdoor memory to 55 (no 0A response) `FE00+crc`
 ### USCUID configuration guide
 ^[Top](#top)
 1. Configuration
 ```
-850000000000000000005A5A00000008
+85000000000000000000000000000008
-                              ^^  --> SAK
+      ^^^^^^    ^^          ^^   >> ??? Mystery ???
 ^^^^                             >> Gen1a mode (works with bitflip)
    ^^                           >> Magic wakeup command (00 for 40-43; 85 for 20-23)
            ^^                   >> Block use of Key B if readable by ACL
              ^^                 >> CUID mode
                  ^^             >> MFC EV1 CL2 Perso config*
                    ^^           >> Shadow mode**
                      ^^         >> Magic Auth command
                        ^^       >> Static encrypted nonce mode
                          ^^     >> Signature sector
                              ^^ >> SAK***
 To enable an option, set it to 5A.
 * 5A - unfused F0. C3 - F0: CL2 UID; A5 - F1: CL2 UID with anticollision shortcut; 87 - F2: CL1 Random UID; 69 - F3: CL1 non-UID. Anything else is going to be ignored, and set as 4 bytes.
 ** Do not change the real ACL! Backdoor commands only acknowledge FF0780. To recover, disable this byte and issue regular write to sector trailer.
 *** If perso byte is enabled, this SAK is ignored, and hidden SAK is used instead.
 ```
 * Gen1a mode:                            Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras.
 * Magic wakeup command:                  Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23.
 * Block use of Key B if readable by ACL: Per the MF1ICS50 datasheet, if Key B is readable by the ACL, using it shall give a Cmd Error 04. This option controls whether it happens or not.
 * CUID mode:                             Allow direct write to block 0, instead of giving Cmd Error 04.
 * MFC EV1 CL2 Perso config:              When configured, the tag behaves like a real Mifare Classic EV1 7B UID tag, and reads UID from backdoor blocks. Otherwise, the tag acts like a 4 byte tag.
 * Shadow mode:                           Writes to memory persisting in tag RAM. As soon as no power is left, the contents are restored to saved data.
 * Magic Auth Command:                    Acknowledge command `8000` after selection, and call for Crypto1 auth with key `000000000000`.
 * Static encrypted nonce mode:           Use static encrypted nonces for authentication, making key recovery impossible.
 * Signature sector:                      Acknowledge auth commands to sector 17, which is stored in backdoor sector 1.
 * SAK:                                   If perso byte is not set, after UID select, send this value.
 2. Backdoor blocks
 ```
-Write config:
+Sector 0
-1. sending custom auth with all zeros key
+88 04 BD E5 D4 04 6A BB 5B 80 0A 08 44 00 00 00 - Block 0: Perso F0, F1 data
-2. send 0xE100
+^^ ^^ ^^ ^^                                     - UID0
-3. send 16 bytes
+            ^^                                  - BCC0
               ^^                               - SAK0 (0x04 to call for CL2)
                  ^^ ^^ ^^ ^^                   - UID1
                              ^^                - BCC1
                                 ^^             - SAK1
                                    ^^ ^^ ^^ ^^ - Unused
 04 BD E5 6A 36 08 00 00 00 00 00 00 00 00 00 00 - Block 1: Perso F3 data
 ^^ ^^ ^^ ^^                                     - UID0
            ^^                                  - BCC0
               ^^                               - SAK0
                  ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ - Unused 
 Block 2: unused
 Block 3: ignored (custom keys, acl; broken acl ignored - anticollision will still work)
 Sector 1
 [Signature sector (#17) - needs config byte 13 (from 0) enabled to allow auth]
 Sectors 2-15
 [Unused]
 ```
-**Warning**
+### Variations
 ^[Top](#top)
 | Factory configuration | Name |
 | --- | --- |
 | 850000000000000000005A5A00000008 | GDMIC |
 | 850000000000005A0000005A5A5A0008 | UCUID |
 | 8500000000005A00005A005A005A0008 | "7 byte hard" |
 | 7AFF850102015A00005A005A005A0008 | M1-7B |
 | 7AFF85000000000000FF000000000008 | FUID |
 | 7AFF000000000000BAFA358500000008 | PFUID |
 | 7AFF000000000000BAFA000000000008 | UFUID |
-Example of configuration to Perma lock tag:
+*Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s).
 `85000000000000000000000000000008`
 *Read and write config commands are flipped
-It is unknown what kind of block 0 changes the tag supports
+#### Proxmark3 commands
 * UID: 4b
 * ATQA/SAK: unknown
 * BCC: unknown
 * ATS: none
 ### Proxmark3 commands
 ^[Top](#top)
 ```
-# Write to persistent memory
+Using magic auth:
 # Write to persistent memory:
 hf mf gdmsetblk
 # Read configuration (0xE0):
@ -651,15 +883,14 @@ No implemented commands today
 **TODO**
-* ZXUID, EUID, ICUID, KUID, HUID, RFUID ?
+* ZXUID, EUID, ICUID, KUID?
 * Some cards exhibit a specific SAK=28 ??
 ## MIFARE Classic Super
 ^[Top](#top)
 It behaves like regular Mifare Classic but records reader auth attempts.
-#### MIFARE Classic Super Gen1
+### MIFARE Classic Super Gen1
 ^[Top](#top)
 Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands.
@ -684,19 +915,19 @@ Backdoor commands provided over APDU. Format:
 👉 You can't change UID with backdoor command if incorrect data is written to the 0 sector trailer!
-#### MIFARE Classic Super Gen1B
+### MIFARE Classic Super Gen1B
 DirectWrite card, ATS unknown. Probably same as Gen1, except backdoor commands. 
 Implementation: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c
-#### MIFARE Classic Super Gen2
+### MIFARE Classic Super Gen2
 ^[Top](#top)
 New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces.
-Card always answer `ff  ff  ff  ff` to auth, so writing/reading it via Mifare protocol is impossible. 
+Card always answers `ff  ff  ff  ff` as `at`, so reading/writing it via Mifare protocol is impossible. 
-UID is changeable via Gen4 backdoor write to 0 block.
+UID is changeable via UMC backdoor write to 0 block.
 * UID: 4b and 7b versions
 * ATQA/SAK: fixed
@ -707,12 +938,53 @@ Gen4 commands available:
 ```
 CF <passwd> 34 <1b length><0-16b ATS>            // Configure ATS
-CF <passwd> CC                                   // Factory test, returns 00 00 00 02 AA
+CF <passwd> CC                                   // Version information, returns 00 00 00 02 AA
 CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
 CF <passwd> CE <1b block number>                 // Backdoor read 16b block
 CF <passwd> FE <4b new_password>                 // Change password
 ```
 ### MIFARE Classic Super Furui
 ^[Top](#top)
 #### Characteristics
 ^[Top](#top)
 * SAK/ATQA: play blindly the block0 bytes, beware!
 * BCC: play blindly the block0 BCC bytes, beware!
 * PRNG: hard
 **!!!WARNING!!!** This tag can die for no reason (no reply to WUPA/REQA). We don't know why this happens.
 #### Identify
 ^[Top](#top)
 ```
 [usb] pm3 --> hf 14a raw -sct 250 AAA500000000000000000000000000000000
 [+] 90 00
 ```
 #### Magic commands
 ^[Top](#top)
 * Configure: `AAA5[16 byte config]`+crc
 * Write block 0: `AAA4[4b UID][1b BCC][1b SAK][2b ATQA reversed]0000000000000000`+crc
 * Recover trace: `AAA8[00/01][00-08]`+crc
 Caution: tag does not append CRC to magic responses!
 Please use config as 00 bytes.
 Parsing traces:
 ```
 44 33 22 11 03 61 08 68 7A C7 4B 62 43 A6 11 6F 64 F3
 ^^ ^^ ^^ ^^                                           -- UID
            ^^ ^^                                     -- auth command, reversed
                  ^^ ^^ ^^ ^^                         -- Auth (nt)
                              ^^ ^^ ^^ ^^             -- Auth (nr)
                                          ^^ ^^ ^^ ^^ -- Auth (ar)
 ```
 ### Identify
 ^[Top](#top)
@ -724,6 +996,15 @@ hf 14a info
 [+] Magic capabilities : Super card (Gen ?)
 ```
 ### Proxmark3 commands
 ```
 [usb] pm3 --> hf mf supercard
 ...
 [usb] pm3 --> hf mf supercard --furui
 ...
 ```
 # MIFARE Ultralight
 ^[Top](#top)
@ -746,6 +1027,7 @@ Int is internal, typically 0x48
 Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C
 Some cards have a password: `B6AA558D`. Usually "copykey" chips.
 ## MIFARE Ultralight Gen1A
 ^[Top](#top)
@ -874,8 +1156,6 @@ See `--uid` and `--full`
 ## MIFARE Ultralight EV1 DirectWrite
 ^[Top](#top)
 aka UL2
 Similar to MFUL DirectWrite
 ### Identify
@ -957,11 +1237,6 @@ hf 14a info
 * ATS: 0A78008102DBA0C119402AB5
 * Anticol shortcut (CL1/3000): fails
 **TODO**
 * UL-X, UL-Y, UL-Z, ULtra, UL-5 ?
 # NTAG
 ^[Top](#top)
@ -1027,6 +1302,78 @@ Anticol shortcut (CL1/3000): fails
 script run hf_mfu_magicwrite -h
 ```
 ## UL series (RU)
 ^[Top](#top)
 Custom chips, manufactured by iKey LLC for cloning Ultralight tags.
 ### UL-Y
 ^[Top](#top)
 Ultralight magic, 16 pages. Recommended for Vizit RF3.1 with markings "3.1" or "4.1".
 Behavior: allows writes to page 0-2.
 #### Identify
 ^[Top](#top)
 ```
 hf mfu rdbl --force -b 16
 hf 14a raw -sct 250 60
 ```
 If tag replies with
 `Cmd Error: 00`
 `00 00 00 00 00 00 00 00`
 then it is UL-Y.
 ### ULtra
 ^[Top](#top)
 Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page.
 Behavior: allows writes to page 0-2.
 #### Identify
 ^[Top](#top)
 ```
 hf mfu info
 ...
 [=] TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
 [=] --- Tag Version
 [=]        Raw bytes: 00 34 21 01 01 00 0E 03
 ```
 Remember that this is not a reliable method of identification, as it interferes with locked [UL-5](#mifare-ul-5).
 ### UL-5
 ^[Top](#top)
 Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page and if [ULtra](#mifare-ultra) has failed.
 Behavior: similar to Ultra, but after editing page 0, tag becomes original Mifare Ultralight EV1.
 **WARNING!** When using UL-5 to clone, write UID pages in inverse (from 2 to 0) and do NOT make mistakes! This tag does not allow reversing one-way actions (OTP page, lock bits).
 #### Identify
 ^[Top](#top)
 ```
 hf mfu info
 [=] UID: AA 55 C3 A1 30 61 80
 TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
 [=] --- Tag Version
 [=]        Raw bytes: 00 34 21 01 01 00 0E 03
 ```
 After personalization it is not possible to identify UL-5. 
 Some chips have UID of `AA 55 C3 A4 30 61 80`.
 ### UL, other chips
 **TODO**
 UL-X, UL-Z - ?
 # DESFire
 ^[Top](#top)
@ -1084,7 +1431,8 @@ Android compatible
 ### Characteristics
 ^[Top](#top)
-* ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
+* ATQA: 0008
  * This is FM1208-9, NOT DESFire!
 * SAK: 20
 * ATS: 0675338102005110 or 06757781028002F0
@ -1129,12 +1477,37 @@ hf 14a info
 # ISO14443B
 ^[Top](#top)
-## ISO14443B magic
+## Tiananxin TCOS CPU card
 ^[Top](#top)
-No such card is available.
+This is a card sold on Taobao for testing readers.
 ISO14443-4 compliant.
-Some vendor allow to specify an ID (PUPI) when ordering a card.
+### Identify
 ```
 hf 14a apdu -s 90B2900000 // Get Card OS version
 >>> 90 B2 90 00 00
 <<< 54 43 4F 53 20 56 31 2E 34 2E 30 90 00 | TCOS V1.4.0..
 ```
 ### Magic commands
 All commands in APDU.
 ```
 CL IN P1 P2 Lc Data
 90 F4 CC CC 01 [..1 ] // Change protocol used              (1: ISO14443 [AA - type A, BB - type B])
 90 F6 CC CC 01 [TA1 ] // Change TA1 value (transfer speed)
 90 F8 CC CC 01 [..1 ] // Use random UID/PUPI value         (1: FF: static, AB: random)
 90 F8 DD DD 01 [..1 ] // Set UID length                    (1: bytes in UID (04, 07, 0A for 4, 7, 10 bytes accordingly))
 90 F8 EE EE 0B [... ] // Set UID/PUPI value                (FF+enter UID value here). To clear, use Lc=01; data=00.
 90 FA CC CC 01 [FSCI] // Set FSCI                          (1: value 0-8)
 90 FC CC CC 01 [SFGI] // Set SFGI (DO NOT SET TOO HIGH!)   (1: value 0-E)
 90 FE CC CC 01 [FWI ] // Set FWI (DO NOT SET BELOW 4!!!)   (value 0-E)
 ```
 More commands to follow. Be careful with some.
 # ISO15693
 ^[Top](#top)
@ -1164,7 +1537,7 @@ script run hf_15_magic -u E004013344556677
 # Multi
 ^[Top](#top)
-## Gen 4 GTU
+## UMC
 ^[Top](#top)
 A.k.a ultimate magic card,  most promenent feature is shadow mode (GTU) and optional password protected backdoor commands.
@ -1197,6 +1570,8 @@ Can emulate MIFARE Classic, Ultralight/NTAG families, 14b UID & App Data
 👉 **TODO** If the password is not default, Tag doesn't get identified correctly by latest Proxmark3 client (it might get mislabeled as MFC Gen2/CUID, Gen3/APDU or NTAG21x Modifiable, depending on configured UID/ATQA/SAK/ATS)
 👉 **TODO** Using C6 command can change config due to a bug in some cards. CC should be used instead.
 ```
 hf 14a info
 [+] Magic capabilities : Gen 4 GTU
@ -1289,7 +1664,7 @@ CF <passwd> 69 <00-01>                           // (De)Activate Ultralight mode
 CF <passwd> 6A <00-03>                           // Select Ultralight mode
 CF <passwd> 6B <1b>                              // Set Ultralight and M1 maximum read/write sectors
 CF <passwd> C6                                   // Dump configuration
-CF <passwd> CC                                   // Factory test, returns 6666 for generic card, 02AA for limited functionality card and 06A0 for broken functionality card
+CF <passwd> CC                                   // Version info, returns `00 00 00 [03 A0 (old) / 06 A0 (new) ]`
 CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
 CF <passwd> CE <1b block number>                 // Backdoor read 16b block
 CF <passwd> CF <1b param>                        // (De)Activate direct write to block 0
@ -1304,10 +1679,10 @@ Default `<passwd>`: `00000000`
 * UID: 4b, 7b and 10b versions
 * ATQA/SAK: changeable
-* BCC: auto
+* BCC: computed
 * ATS: changeable, can be disabled
-* Card Type:  changeable
+* Card Type: changeable
-* Shadow mode:  GTU
+* Shadow mode: GTU
 * Backdoor password mode
 ### Proxmark3 commands
@ -1446,9 +1821,9 @@ Ultralight mode, 10b UID
 ### Set 14443B UID and ATQB
 ^[Top](#top) ^^[Gen4](#g4top)
-UID and ATQB are configured according to block0 with a (14a) backdoor write.
+* UID and ATQB are configured according to block0 with a (14a) backdoor write.
-
+* UID size is always 4 bytes.
-UID size is always 4 bytes.
+* 14B will show up only on new cards.
 Example:
 ```
@ -1557,6 +1932,7 @@ hf 14a raw -s -c -t 1000 CF<passwd>32<1b param>
 * `<param>`
   * `00`: pre-write, shadow data can be written
   * `01`: restore mode
     - WARNING: new UMC (06a0) cards return garbage data when using 01, please use 04!
   * `02`: disabled
   * `03`: disabled, high speed R/W mode for Ultralight?
@ -1612,7 +1988,9 @@ hf 14a raw -s -c -t 1000 CF00000000CF01
 ### Change backdoor password
 ^[Top](#top) ^^[Gen4](#g4top)
-All backdoor operations are protected by a password. If password is forgotten, the card can't be recovered. Default password is `00000000`.
+All backdoor operations are protected by a password. If password is forgotten, it can't be recovered. Default password is `00000000`.
 WARNING: new UMC (06A0) returns 6300 when issuing password change command. Please write the password using F0 and entering the full configuration, but with the new password.
 Change password:
 ```
@ -1758,3 +2136,72 @@ hf mfu wrbl -b 250 -d 00040402 --force
 hf mfu wrbl -b 251 -d 01001303 --force
 hf mfu info
 ```
 # Other
 ^[Top](#top)
 These are chips to clone other ICs. Usually the originals are only sold in China.
 ## SID
 ^[Top](#top)
 - Magic tag for Fudan FM1208-9 chips
 ### Characteristics
 ^[Top](#top)
 - ISO14443-A tag
 - ATQA-SAK: `0008`-`20`
 - ATS: `10 78 80 A0 02 00 9D 46 16 40 00 A3 [UID]`
 - Compared to real FM1208 chip:
  - CLA byte is ignored
  - Command parsing is irregular (some replies are wrong)
 ### Magic commands
 ^[Top](#top)
 **WARNING!!!** Risk of bricking tag - cause is unknown
 - Below you can find a list of all INS bytes not present on real FM1208 chip, and what their output is when executed (P1, P2, Lc = 00)
  - Results may vary between chips:
 ```
 INS | RES
 0A  | 44454641554C540000002018112840000000000000000000000000000000000000000000000000000000400000000000
 3B  | 00000000001C0EF90000000000000000000000000000000000000000000000002000000000C09040009002840000000000000000000000000000000000006C0FC08700EB1A9F1BA01801010019000000000000000000000000000090000000000000094B066600000000007D000000000000000000000000000000003B000000107880A002009D46164000A3CA81E15000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 3C* | 0000
 3D  | 6700
 7D  | Tag does not reply (if 0<Lc<=15, RES=6700)
 CD  | 6A82
 D5  | 9000
 DD  | 6700
 DE  | 6700
 DF  | 9000
 EE  | 6700
 F0  | 6A82
 FB  | 6A82
 * - DO NOT EXECUTE THIS INSTRUCTION!!! After 2nd execution tag will brick (No reply to REQA/WUPA). Very likely you need to add extra data which we do not know
 ```
 ## NSCK-II
 ^[Top](#top)
 - Magic tag for "NSC/BS-CPU"
 ### Characteristics
 ^[Top](#top)
 - Programming is done via ISO14443-A (but not sure how to modulate). Original tag is working somewhere hidden from proxmark.
 - ATQA-SAK: `0044`-`20`
 - ATS: `05 72 F7 60 02`
 - Communications encrypted(?)
   - When writing with copykey, after RATS, this communication takes place (NSC ID programmed: `5800000000`, tag UID: `1D94CE25840000`):
     ```
     >>> 54 03 8A BC DF C1 [CRC]
     <<< A2 [CRC]
     >>> 54 04 57 AA 84 DD [CRC]
     <<< A2 [CRC]
     ```
 ### Magic commands
 ^[Top](#top)
 - Write NSC UID: `54 [part 1b] [data 4b enc] [CRC]`
    - Tag replies: `A2 [CRC]`