Merge pull request #2216 from mishamyte/doc/magic-cards

Extended documentation for magic tags
2025-08-21 05:43:48 -07:00 · 2023-12-28 18:25:45 +01:00 · 2023-12-28 18:25:45 +01:00 · 56c3187852
commit 56c3187852
parent 9163e26e59 5c69ea7524
1 changed files with 337 additions and 49 deletions
--- a/doc/magic_cards_notes.md
+++ b/doc/magic_cards_notes.md
@ -25,11 +25,17 @@ Useful docs:
  * [MIFARE Classic block0](#mifare-classic-block0)
  * [MIFARE Classic Gen1A aka UID](#mifare-classic-gen1a-aka-uid)
  * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
-  * [MIFARE Classic OTP2](#mifare-classic-otp2)
+  * [Mifare Classic Direct Write OTP](#mifare-classic-direct-write-otp)
  * [MIFARE Classic OTP 2.0](#mifare-classic-otp-2.0)
  * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
  * [MIFARE Classic DirectWrite, FUID version aka 1-write](#mifare-classic-directwrite-fuid-version-aka-1-write)
  * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu)
  * [MIFARE Classic USCUID](#mifare-classic-uscuid)
     * [FUID](#fuid)
     * [UFUID](#ufuid)
     * [ZUID](#zuid)
     * [GDM](#gdm)
     * [GDCUID](#gdcuid)
  * [MIFARE Classic, other versions](#mifare-classic-other-versions)
  * [MIFARE Classic Super](#mifare-classic-super)
 - [MIFARE Ultralight](#mifare-ultralight)
@ -465,10 +471,43 @@ hf 14a info
 * Read: `40(7)`, `30xx`
 * Write: `40(7)`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
-## MIFARE Classic OTP2
+## Mifare Classic Direct Write OTP
 ^[Top](#top)
 Chip manufactured by iKey LLC as a bypass for Gen1 filters.
 Support Direct Write as CUID, but block0 can be written only once.
 The chip had an issue in the protocol implementation.
 The reader could interrupt radiofield for 2-3 microseconds (standard pause in the bit period of ISO14443-2).
 After the response to first `26 (7)` command, but before the following `93 70` command. In that case original M1 card will stop the flow, but OTP will continue it.
 That issue led to the development of the filters against that card and discontinuation of the production. 
 As a successor, [OTP 2.0](#mifare-classic-otp-2.0) was created.
 ### Characteristics
 ^[Top](#top)
 * Initial UID is AA55C396
 * Android compatible
 ### Identify
 ^[Top](#top)
 Only possible before personalization.
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Write Once / FUID
 ```
 ## MIFARE Classic OTP 2.0
 ^[Top](#top)
 Similar to Gen1A, but after first block 0 edit, tag no longer replies to 0x40 command.
 Were manufactured by iKey LLC as a replacement for [OTP](#mifare-classic-direct-write-otp)
 ### Characteristics
@ -644,29 +683,6 @@ hf 14a config --std
 hf 14a reader
 ```
 ## MIFARE Classic DirectWrite, FUID version aka 1-write
 ^[Top](#top)
 Same as MIFARE Classic DirectWrite, but block0 can be written only once.
 * Other names:
  - OTP (RU)
 ### Characteristics
 * Initial UID is AA55C396
 ### Identify
 ^[Top](#top)
 Only possible before personalization. *It is also possible after, but unknown how.*
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Write Once / FUID
 ```
 ## MIFARE Classic Gen3 aka APDU
 ^[Top](#top)
@ -763,7 +779,6 @@ You cannot turn a Classic tag into an Ultralight and vice-versa!
 * Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
  - Backdoor read: `38xx+crc`
  - Backdoor write: `A8xx+crc`, `[16 bytes data]+crc`
  - Read configuration: `E000+crc`
  - Write configuration: `E100+crc`; `[16 bytes data]+crc`
 * Magic wakeup (A: 00): `40(7)`, `43`
@ -772,7 +787,6 @@ You cannot turn a Classic tag into an Ultralight and vice-versa!
  - Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc`
  - Read hidden block: `38xx+crc`
  - Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
  - Read configuration: `E000+crc`
  - Write configuration: `E100+crc`
@ -844,23 +858,7 @@ Sectors 2-15
 [Unused]
 ```
-### Variations
+### Proxmark3 commands
 ^[Top](#top)
 | Factory configuration | Name |
 | --- | --- |
 | 850000000000000000005A5A00000008 | GDMIC |
 | 850000000000005A0000005A5A5A0008 | UCUID |
 | 8500000000005A00005A005A005A0008 | "7 byte hard" |
 | 7AFF850102015A00005A005A005A0008 | M1-7B |
 | 7AFF85000000000000FF000000000008 | FUID |
 | 7AFF000000000000BAFA358500000008 | PFUID |
 | 7AFF000000000000BAFA000000000008 | UFUID |
 *Not all tags are the same!* UFUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s).
 *Read and write config commands are flipped
 #### Proxmark3 commands
 ^[Top](#top)
 ```
 Using magic auth:
@ -878,6 +876,265 @@ hf mf gdmsetcfg
 ^[Top](#top)
 No implemented commands today
 ### Variations
 ^[Top](#top)
 | Factory configuration | Name |
 | --- | --- |
 | 850000000000000000005A5A00000008 | GDM |
 | 850000000000005A00FF005A00000008 | GDCUID |
 | 850000000000005A0000005A5A5A0008 | UCUID |
 | 8500000000005A00005A005A005A0008 | "7 byte hard" |
 | 7AFF850102015A00005A005A005A0008 | M1-7B |
 | 7AFF85000000000000FF000000000008 | FUID |
 | 7AFF000000000000BAFA358500000008 | PFUID |
 | 7AFF000000000000BAFA000000000008 | UFUID |
 | 7AFF0000000000000000000000000008 | ZUID |
 *Not all tags are the same!* UFUID, ZUID and PFUID* are not full implementations of Magic85 - they only acknowledge the first 8 (except wakeup command) and last config byte(s).
 *Read and write config commands are flipped
 Well-known variations are described below.
 ## FUID
 ^[Top](#top)
 Known as "write only once", which is only partially true. 
 Allows direct write to block 0 only when UID is default `AA55C396`. But always could be rewritten multiple times with backdoors commands.
 Backdoor commands are available even after the personalization and makes that tag detectable.
 That's a key difference from [OTP](#mifare-classic-direct-write-otp)/[OTP 2.0](#mifare-classic-otp-2.0) tags.
 ### Characteristics
 ^[Top](#top)
 * Configuration block value: `7AFF85000000000000FF000000000008`
 * Initial UID: `AA55C396`
 * Allows direct write to the block 0 (before the personalisation), so is Android compatible
 * Responds to magic wakeup `20(7)`, `23` commands
 ### Identify
 ^[Top](#top)
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Write Once / FUID
 ```
 ⚠️ **Current Proxmark3 identification is based on the initial UID. That could lead to the false positives. Also that doesn't allow to detect FUID after the personalization.**
 More correct detection should be based on a backdoor commands and configuration block value:
 ```
 [usb] pm3 --> hf 14a raw -k -a -b 7 20
 [+] 0A
 [usb] pm3 --> hf 14a raw -k -a 23
 [+] 0A
 [usb] pm3 --> hf 14a raw -c -k -a E000
 [+] 7A FF 85 00 00 00 00 00 00 FF 00 00 00 00 00 08 [ 66 92 ]
 ```
 ### Commands
 ^[Top](#top)
 * Commands described under the corresponding section of USCUID chip
 * Example of changing block 0 after the personalization:
 ```
 [usb] pm3 --> hf 14a raw -k -a -b 7 20
 [+] 0A
 [usb] pm3 --> hf 14a raw -k -a 23
 [+] 0A
 [usb] pm3 --> hf 14a raw -c -k -a A000
 [+] 0A
 [usb] pm3 --> hf 14a raw -c -k -a B502454EBC0804000168AA8947CE4D1D <- Writing 0 block with the backdoor command
 [+] 0A
 [usb] pm3 --> hf 14a raw -c -a 5000
 [usb] pm3 --> hf mf rdbl --blk 0
 [=]   # | sector 00 / 0x00                                | ascii
 [=] ----+-------------------------------------------------+-----------------
 [=]   0 | B5 02 45 4E BC 08 04 00 01 68 AA 89 47 CE 4D 1D | ..EN.....h..G.M.
 ```
 ## UFUID
 ^[Top](#top)
 The tag is positioned as "sealable UID", so that means you could use the same commands, as you could use for UID chip in a default state. But after the sealing (changing the configuration) tag will not answer to the backdoor commands and will behave as a normal Mifare Classic tag. 
 *But at the same time there is some unidentified behavior, which doesn't fully corresponds the protocol and original Mifare Classic tags. So the tag could be filtered out with a protocol-based filters (i.e. Iron Logic OTP2 filter).* 
 ### Characteristics
 ^[Top](#top)
 * Configuration block value: `7AFF000000000000BAFA000000000008`
 * No direct write to block 0
 * Responds to magic wakeup `40(7)`, `43` commands before the sealing
 * Acknowledge only the first (except wakeup command) and last config byte(s), so doesn't have the hidden block
 ### Identify
 ^[Top](#top)
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Gen 1a
 ```
 Currently Proxmark3 doesn't identify it as a separate tag. 
 Before the sealing could be detected from the config block value:
 ```
 [usb] pm3 --> hf 14a raw -k -a -b 7 40
 [+] 0A
 [usb] pm3 --> hf 14a raw -k -a 43
 [+] 0A
 [usb] pm3 --> hf 14a raw -c -k -a E000
 [+] 7A FF 00 00 00 00 00 00 BA FA 00 00 00 00 00 08 [ F1 69 ]
 ```
 ### Commands
 ^[Top](#top)
 All commands are available before sealing.
 * Proxmark3 magic Gen1 commands
 * Read configuration: `E000+crc`
 * Write configuration: `E100+crc`
 Example of the sealing, performed by Chinese copiers in raw commands:
 ```
 hf 14a raw -a -k -b 7 40
 hf 14a raw    -k      43
 hf 14a raw    -k -c   e100
 hf 14a raw       -c   85000000000000000000000000000008
 ```
 ## ZUID
 ^[Top](#top)
 That tag is a UID tag, built on USCUID chip. It doesn't sold separately, but could be found on marketplaces under the guise of a UID tag.
 ### Characteristics
 ^[Top](#top)
 * Configuration block value: `7AFF0000000000000000000000000008`
 * No direct write to block 0
 * Responds to magic wakeup `40(7)`, `43` commands
 * Acknowledge only the first (except wakeup command) and last config byte(s), so doesn't have the hidden block
 ### Identify
 ^[Top](#top)
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Gen 1a
 ```
 Currently Proxmark3 doesn't identify it as a separate tag. 
 Could be detected from the config block value:
 ```
 [usb] pm3 --> hf 14a raw -k -a -b 7 40
 [+] 0A
 [usb] pm3 --> hf 14a raw -k -a 43
 [+] 0A
 [usb] pm3 --> hf 14a raw -c -k -a E000
 [+] 7A FF 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [ 4E 17 ]
 ```
 ### Commands
 ^[Top](#top)
 * Proxmark3 magic Gen1 commands
 * Read configuration: `E000+crc`
 * Write configuration: `E100+crc`
 ## GDM
 ^[Top](#top)
 The tag has a shadow mode, which means that every change to normal MFC memory would be restored back from the persistent memory after being off RFID field.
 ### Characteristics
 ^[Top](#top)
 * Configuration block value: `850000000000000000005A5A00000008`
 * No direct write to block 0
 * Responds to magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
 ### Identify
 ^[Top](#top)
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Gen 4 GDM
 ```
 Could be manually validated with the configuration block value:
 ```
 [usb] pm3 --> hf mf gdmcfg
 [+] config... 85 00 00 00 00 00 00 00 00 00 5A 5A 00 00 00 08
 ```
 ### Commands
 ^[Top](#top)
 * Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
  * Backdoor read: `38xx+crc`
  * Backdoor write: `A8xx+crc`, `[16 bytes data]+crc`
  * Read configuration: `E000+crc`
  * Write configuration: `E100+crc`; `[16 bytes data]+crc`
 * Proxmark3 commands (does auth and executes the corresponding command)
  * Backdoor write: `gdmsetcfg`
  * Read configuration: `gdmcfg`
  * Write configuration: `gdmsetcfg`
 ## GDCUID
 ^[Top](#top)
 That tag is a CUID tag, built on USCUID chip. It doesn't sold separately, but could be found on marketplaces under the guise of a CUID tag.
 ### Characteristics
 ^[Top](#top)
 * Configuration block value: `850000000000005A00FF005A00000008`
 * Allows direct write to the block 0, so is Android compatible
 * Responds to magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
 ### Identify
 ^[Top](#top)
 ```
 hf 14a info
 ...
 [+] Magic capabilities : Gen 4 GDM
 ```
 Currently Proxmark3 doesn't identify it as a separate tag. 
 Could be manually validated with the configuration block value:
 ```
 [usb] pm3 --> hf mf gdmcfg
 [+] config... 85 00 00 00 00 00 00 5A 00 FF 00 5A 00 00 00 08
 ```
 ### Commands
 ^[Top](#top)
 * Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`
  * Read configuration: `E000+crc`
  * Write configuration: `E100+crc`; `[16 bytes data]+crc`
 * Proxmark3 commands (does auth and executes the corresponding command)
  * Read configuration: `gdmcfg`
  * Write configuration: `gdmsetcfg`
 ## MIFARE Classic, other versions
 ^[Top](#top)
@ -1305,7 +1562,7 @@ script run hf_mfu_magicwrite -h
 ## UL series (RU)
 ^[Top](#top)
-Custom chips, manufactured by iKey LLC for cloning Ultralight tags.
+Custom chips, manufactured by iKey LLC for cloning Ultralight tags used in Visit intercoms. That leads to the non-standard for Ultralight chips tag version.
 ### UL-Y
 ^[Top](#top)
@ -1340,16 +1597,44 @@ hf mfu info
 [=] TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
 [=] --- Tag Version
 [=]        Raw bytes: 00 34 21 01 01 00 0E 03
 [=]        Vendor ID: 34, Mikron JSC Russia
 [=]     Product type: 21, unknown
 ```
-Remember that this is not a reliable method of identification, as it interferes with locked [UL-5](#mifare-ul-5).
+#### ULtra flavour 1
 ^[Top](#top)
 Could be identified by indirect evidence before writing
 * Initial UID: `34 D7 08 11 AD D7 D0`
 * `hf mfu dump --ns`
  ```
  [=]   3/0x03 | CF 39 A1 C8 | 1 | .9..
  [=]   4/0x04 | B6 69 26 0D | 1 | .i&.
  [=]   5/0x05 | EC A1 73 C4 | 1 | ..s.
  [=]   6/0x06 | 81 3D 29 B8 | 1 | .=).
  [=]  16/0x10 | 6A F0 2D FF | 0 | j.-.
  [=]  20/0x14 | 6A F0 2D FF | 0 | j.-.
  [=]  24/0x18 | 6A F0 2D FF | 0 | j.-.
  [=]  38/0x26 | 00 E2 00 00 | 0 | .... <- E2, Virtual Card Type Identifier is not default
  ```
 #### ULtra flavour 2
 ^[Top](#top)
 Could be identified by indirect evidence before writing
 * Initial UID: `04 15 4A 23 36 2F 81`
 * Values in pages `3, 4, 5, 6, 16, 20, 24, 38` are default for that tag flavour
 ### UL-5
 ^[Top](#top)
-Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page and if [ULtra](#mifare-ultra) has failed.
+Ultralight EV1 magic; 41 page. Recommended for Vizit RF3.1 with 41 page.
 Created as a response to filters that try to overwrite page 0 (as a detection for [ULtra](#mifare-ultra) tags).
-Behavior: similar to Ultra, but after editing page 0, tag becomes original Mifare Ultralight EV1.
+Behavior: similar to Ultra, but after editing page 0 become locked and tag becomes the original Mifare Ultralight EV1 (except the tag version, which remains specific).
 **WARNING!** When using UL-5 to clone, write UID pages in inverse (from 2 to 0) and do NOT make mistakes! This tag does not allow reversing one-way actions (OTP page, lock bits).
@ -1362,11 +1647,14 @@ hf mfu info
 TAG IC Signature: 0000000000000000000000000000000000000000000000000000000000000000
 [=] --- Tag Version
 [=]        Raw bytes: 00 34 21 01 01 00 0E 03
 [=]        Vendor ID: 34, Mikron JSC Russia
 ```
 After personalization it is not possible to identify UL-5. 
-Some chips have UID of `AA 55 C3 A4 30 61 80`.
+Usually chips have initial UIDs: 
  * `AA 55 C3 A4 30 61 80`
  * `AA 55 C3 A4 30 61 80`
 ### UL, other chips