doc: update 82xx

douniwan5788 2024-10-17 19:11:50 +08:00
commit 592b0ba75b


@ -17,7 +17,6 @@ Useful docs:
* [ID8265](#id8265) * [ID8265](#id8265)
* [ID8211](#id8211) * [ID8211](#id8211)
* [ID-F8268](#id-f8268) * [ID-F8268](#id-f8268)
* [K8678](#k8678)
* [H series](#h-series) * [H series](#h-series)
* [H1](#h1) * [H1](#h1)
* [H5.5 / H7](#h55--h7) * [H5.5 / H7](#h55--h7)
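Review bot: with `* [K8678](#k8678)` dropped from this index and the `### K8678` heading removed further down, existing links to `#k8678` will no longer resolve. Consider naming K8678 next to `[ID-F8268](#id-f8268)` in this list so readers searching for that chip still land in the right section.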
@ -206,13 +205,13 @@ This is an "improved" variant of ID82xx chips, bypassing some magic detection in
* Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8268](#id-f8268) when set CON1 AUT bit * Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8268](#id-f8268) when set CON1 AUT bit
* No password protection * No password protection
* tearoff time * tearoff time
* The OTP bits do not appear to be erased first. Write done time is less than 735µs * The OTP bits appear to be erased to '1'. Write done time is less than 735µs
* nochange 0-735µs * nochange 735µs-
* bit flip 735-740µs * bit flip 735-740µs
* wiped 740-3250µs * wiped 740-3250µs
* bit flip 3250-3350µs * bit flip 3250-3350µs
* write done 3350µs+ * write done 3350µs+
* page 1 default: `CA 24 00 00` * page 1 fully changeable. default: `CA 24 00 00`
* CON0 RES0 enable some extended TTFM * CON0 RES0 enable some extended TTFM
* TTFM 01: page 4, page 5, page 6 * TTFM 01: page 4, page 5, page 6
* TTFM 10: page 4, page 5, page 6, page 7, page 8 * TTFM 10: page 4, page 5, page 6, page 7, page 8
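Review bot: the new `nochange 735µs-` bullet reads as an open-ended range starting at 735µs, which overlaps `bit flip 735-740µs` and every stage after it; the old side had `0-735µs`. If the intent is "any tear-off shorter than 735µs", write `nochange 0-735µs` or `nochange <735µs`. The parent bullet also says "Write done time is less than 735µs" while the list ends with `write done 3350µs+`, so one of the two needs rewording for the timeline to be unambiguous.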
@ -230,7 +229,7 @@ This is an "improved" variant of ID82xx chips, bypassing some magic detection in
#### Detect #### Detect
``` ```
[usb] pm3 --> lf hitag hts read [usb] pm3 --> lf hitag hts rdbl --count 0
``` ```
### Commands ### Commands
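Review bot: the Detect block now shows only `lf hitag hts rdbl --count 0`, with nothing saying what in the output identifies this chip or what `--count 0` selects. Add a line after the fence stating the expected result, for example which page values to look for (such as the page 1 default listed under the characteristics), so the command works as a detection step rather than just a read.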
@ -247,7 +246,7 @@ This is an "improved" variant of ID82xx chips, bypassing some magic detection in
* Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8211](#id8211) when clear CON1 AUT bit * Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8211](#id8211) when clear CON1 AUT bit
* Password protection (4b), usually "BBDD3399"(default) or "AAAAAAAA" * Password protection (4b), usually "BBDD3399"(default) or "AAAAAAAA"
* page 1 default: `DA A4 00 00` * page 1 fully changeable. default: `DA A4 00 00`
* CON0 RES0 enable some extended TTFM * CON0 RES0 enable some extended TTFM
* TTFM 01: page 4, page 5, page 6 * TTFM 01: page 4, page 5, page 6
* TTFM 10: page 4, page 5, page 6, page 7, page 8 * TTFM 10: page 4, page 5, page 6, page 7, page 8
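Review bot: "page 1 fully changeable" is added directly under the "Password protection (4b)" bullet without saying whether writing page 1 requires authenticating with that password first. State that explicitly. While touching these lines, consider spelling "4b" out as 4 bytes, since `BBDD3399` is 4 bytes and a bare "b" usually reads as bits.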
@ -269,39 +268,18 @@ This is an "improved" variant of ID82xx chips, bypassing some magic detection in
* Other names: * Other names:
* F8278 (CN) * F8278 (CN)
* F8310 (CN) * F8310 (CN)
* K8678 manufactured by Hyctec.
#### Detect #### Detect
``` ```
[usb] pm3 --> lf hitag hts read --8 [usb] pm3 --> lf hitag hts rdbl --82xx --count 0
``` ```
### Commands ### Commands
*Try NXP Hitag S datasheet for sending commands to chip* *Try NXP Hitag S datasheet for sending commands to chip*
### K8678
^[Top](#top)
This is an "even better" chip, manufactured by Hyctec.
#### Characteristics
* Chip is likely a Hitag S256
* Plain mode used, no password protection
* Currently unimplemented in proxmark3 client
* Memory access is odd (chip doesnt reply to memory access commands for unknown reason)
#### Detect
```
[usb] pm3 --> lf cmdread -d 50 -z 116 -o 166 -e W3000 -c W00110 -s 3000
[usb] pm3 --> data plot
```
Check the green line of the plot. It must be a straight line at the end with no big waves.
## H series ## H series
^[Top](#top) ^[Top](#top)
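Review bot: the added bullet `K8678 manufactured by Hyctec.` files K8678 under "Other names" of the preceding chip, but the section removed here described a different profile: "Chip is likely a Hitag S256", "Plain mode used, no password protection", and no reply to memory access commands. If K8678 has since been confirmed to behave like the chip it is now listed under, say so in the commit message or in a short note next to the bullet; otherwise those observations disappear without explanation. The new `--82xx` option in the Detect command is also introduced with no description of what it changes.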