doc mfc gen2

Philippe Teuwen 2020-09-11 14:40:52 +02:00
commit 5cb12db5af

@ -211,6 +211,8 @@ hf 14a info
[+] Magic capabilities : Gen 2 / CUID [+] Magic capabilities : Gen 2 / CUID
``` ```
Not all Gen2 cards can be identified with `hf 14a info`, only those replying to RATS.
### Magic commands ### Magic commands
Android compatible Android compatible
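Review bot: The sentence added after the `hf 14a info` output says only Gen2 cards replying to RATS are identified, but gives the reader no way to recognise the others. Consider pointing to the flavour list below (the entries with "ATS: no"), so that a missing "Gen 2 / CUID" line is not read as "not a magic card".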
@ -221,14 +223,56 @@ Android compatible
* UID: 4b and 7b versions * UID: 4b and 7b versions
* ATQA: * ATQA:
* some cards play blindly the block0 ATQA bytes, beware!
* some cards use a fix ATQA in anticollision, no matter the block0. Including all 7b.
* SAK: * SAK:
* some cards play blindly the block0 SAK byte, beware!
* some cards use a fix "08" or "18" in anticollision, no matter the block0. Including all 7b.
* BCC: * BCC:
* some cards play blindly the block0 BCC bytes, beware!
* some cards compute a proper BCC in anticollision. Including all 7b.
* ATS: * ATS:
* some cards don't reply to RATS
* some reply with 0978009102DABC1910F005
**todo** #### MIFARE Classic DirectWrite flavour 1
* some card will die if invalid block0! (or can be recovered with anticol...? "hf 14a config a 1 b 1 ..." then "hf mf wrbl 0 ...") * UID 4b
* some card have always correct anticol no matter block0, e.g. ATS=0948009102DABC1910F005 * ATQA: play blindly the block0 ATQA bytes, beware!
* SAK: play blindly the block0 SAK byte, beware!
* BCC: play blindly the block0 BCC bytes, beware!
* ATS: no
* PRNG: weak
F1 ATQAwarn SAKxx
BCCwarn Pweak
#### MIFARE Classic DirectWrite flavour 2
* UID 4b
* ATQA: fixed
* SAK: fixed
* BCC: computed
* ATS: 0978009102DABC1910F005
* PRNG: weak
#### MIFARE Classic DirectWrite flavour 3
* UID 4b
* ATQA: play blindly the block0 ATQA bytes, beware!
* SAK: fixed
* BCC: play blindly the block0 BCC bytes, beware!
* ATS: no
* PRNG: weak
#### MIFARE Classic DirectWrite flavour 4
* UID 7b
* ATQA: fixed
* SAK: fixed
* BCC: computed
* ATS: 0978009102DABC1910F005
* PRNG: static 00000000
### Proxmark3 commands ### Proxmark3 commands
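Review bot: Under "MIFARE Classic DirectWrite flavour 1" the two lines `F1 ATQAwarn SAKxx` and `BCCwarn Pweak` read like leftover scratch shorthand rather than list items; drop them or turn them into a documented legend. The removed todo quoted ATS=0948009102DABC1910F005 while the new text uses 0978009102DABC1910F005 in three places, so it is worth confirming which value is correct. The removed warning that some cards die on an invalid block0 now survives only as "beware!"; stating the consequence next to the "play blindly" items would keep that information. Minor: "fix ATQA" should read "fixed ATQA".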
@ -305,17 +349,19 @@ Android compatible
``` ```
cla ins p1 p2 len cla ins p1 p2 len
90 F0 CC CC 10 <block0> - write block 0 90 F0 CC CC 10 <block0> - write block 0
90 FB CC CC 07 <uid> - write uid separated instead of block 0 90 FB CC CC 07 <uid> - change uid (independently of block0 data)
90 FD 11 11 00 - lock uid permanently 90 FD 11 11 00 - lock permanently
``` ```
It seems the length byte gets ignored anyway.
Note: it seems some cards only accept the "change UID" command.
### Characteristics ### Characteristics
* UID: 4b and 7b versions * UID: 4b and 7b versions
* ATQA: * ATQA/SAK: fixed
* SAK: * BCC: auto
* BCC: * ATS: none
* ATS:
### Proxmark3 commands ### Proxmark3 commands
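Review bot: The `90 FB CC CC 07 <uid>` row still shows a length of 07 although the characteristics list both 4b and 7b UIDs; since the added text says the length byte seems to be ignored, the doc should say what to send for a 4b UID. The two added remarks are both hedged with "it seems"; noting which cards they were observed on would let readers judge how far to rely on them.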
@ -324,7 +370,7 @@ cla ins p1 p2 len
hf mf gen3uid hf mf gen3uid
# write block0: # write block0:
hf mf gen3blk hf mf gen3blk
# lock block0 forever: # lock (uid/block0?) forever:
hf mf gen3freez hf mf gen3freez
``` ```
See also See also
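Review bot: The comment above `hf mf gen3freez` now reads "lock (uid/block0?) forever", which leaves an open question in the reference text for a one-way operation, while the APDU table was changed to plain "lock permanently". Suggest using one wording in all three places and stating explicitly that it is not yet verified whether the lock covers only the UID or the whole block0.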
@ -338,7 +384,7 @@ Equivalent:
hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677 hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677
# write block0: # write block0:
hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000 hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000
# lock block0 forever: # lock (uid/block0?) forever:
hf 14a raw -s -c 90FD111100 hf 14a raw -s -c 90FD111100
``` ```