add support for generation 2 magic command when setting UID on ISO15693 cards. ref:: https://github.com/RfidResearchGroup/proxmark3/issues/1604#issuecomment-2068444071

CHANGELOG.md

@@ -3,7 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
-- Changed `hf mfp info` to identify Ev2 (@iceman1001)
+- Changed `hf 15 csetuid` - now supports gen2 command (@iceman1001)
+- Changed `hf mfp info` - to identify Ev2 (@iceman1001)
 - Updated Graph Markers implementation to include temporary markers and marker labels (@HACKhalo2)
 - Updated to SWIG 4.2.1 (@iceman1001)
 - Removed `data bin2hex` - replaced by `data num`  (@iceman1001)

armsrc/appmain.c

@@ -1364,6 +1364,14 @@ static void PacketReceived(PacketCommandNG *packet) {
             SetTag15693Uid(payload->uid);
             break;
         }
+        case CMD_HF_ISO15693_CSETUID_V2: {
+            struct p {
+                uint8_t uid[8];
+            } PACKED;
+            struct p *payload = (struct p *) packet->data.asBytes;
+            SetTag15693Uid_v2(payload->uid);
+            break;
+        }        
         case CMD_HF_ISO15693_SLIX_DISABLE_EAS: {
             struct p {
                 uint8_t pwd[4];

armsrc/iso15693.c

@@ -2890,21 +2890,14 @@ void SetTag15693Uid(const uint8_t *uid) {
     uint8_t cmd[4][9] = {
         {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x3e, 0x00, 0x00, 0x00, 0x00, 0xE9, 0x8F},
         {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x3f, 0x69, 0x96, 0x00, 0x00, 0x8A, 0xBB},
-        {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x38},
+
-        {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x39}
+        // Command 3 : 02 21 38 u8u7u6u5 (where uX = uid byte X)
+        {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x38, uid[7], uid[6], uid[5], uid[4]},
+
+        // Command 4 : 02 21 39 u4u3u2u1 (where uX = uid byte X)
+        {ISO15_REQ_DATARATE_HIGH, ISO15693_WRITEBLOCK, 0x39, uid[3], uid[2], uid[1], uid[0]}
     };
 
-    // Command 3 : 02 21 38 u8u7u6u5 (where uX = uid byte X)
-    cmd[2][3] = uid[7];
-    cmd[2][4] = uid[6];
-    cmd[2][5] = uid[5];
-    cmd[2][6] = uid[4];
-
-    // Command 4 : 02 21 39 u4u3u2u1 (where uX = uid byte X)
-    cmd[3][3] = uid[3];
-    cmd[3][4] = uid[2];
-    cmd[3][5] = uid[1];
-    cmd[3][6] = uid[0];
 
     AddCrc15(cmd[2], 7);
     AddCrc15(cmd[3], 7);
@@ -2938,6 +2931,54 @@ void SetTag15693Uid(const uint8_t *uid) {
     switch_off();
 }
 
+// Set the UID on Magic ISO15693 tag ( Gen2 ?)
+// E0 00 09   - seem to be command
+// 0x41, 0x40 - seem to be block referens
+void SetTag15693Uid_v2(const uint8_t *uid) {
+
+    LED_A_ON();
+    uint8_t cmd[2][11] = {
+
+        // hf 15 raw -wac -d 02e00941 + uid first four bytes
+        {ISO15_REQ_DATARATE_HIGH, ISO15693_MAGIC_WRITE, 0x00, 0x09, 0x41, uid[7], uid[6], uid[5], uid[4], 0x00, 0x00},
+
+        // hf 15 raw -wac -d 02e00940 + uid last four bytes
+        {ISO15_REQ_DATARATE_HIGH, ISO15693_MAGIC_WRITE, 0x00, 0x09, 0x40, uid[3], uid[2], uid[1], uid[0], 0x00, 0x00}
+    };
+
+    AddCrc15(cmd[0], 9);
+    AddCrc15(cmd[1], 9);
+
+    uint8_t buf[ISO15693_MAX_RESPONSE_LENGTH] = {0x00};
+
+    uint32_t start_time = 0;
+    uint32_t eof_time = 0;
+    uint16_t recvlen = 0;
+
+    int res = PM3_SUCCESS;
+
+    for (int i = 0; i < 2; i++) {
+        res = SendDataTag(
+                  cmd[i],
+                  sizeof(cmd[i]),
+                  (i == 0) ? true : false,
+                  true,
+                  buf,
+                  sizeof(buf),
+                  start_time,
+                  ISO15693_READER_TIMEOUT_WRITE,
+                  &eof_time,
+                  &recvlen
+              );
+
+        start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
+    }
+
+    reply_ng(CMD_HF_ISO15693_CSETUID_V2, res, NULL, 0);
+    switch_off();
+}
+
+
 static void init_password_15693_Slix(uint8_t *buffer, const uint8_t *pwd, const uint8_t *rnd) {
     memcpy(buffer, pwd, 4);
     if (rnd) {

client/src/cmdhf15.c

@@ -2735,11 +2735,14 @@ static int CmdHF15CSetUID(const char *Cmd) {
     CLIParserContext *ctx;
     CLIParserInit(&ctx, "hf 15 csetuid",
                   "Set UID for magic Chinese card (only works with such cards)\n",
-                  "hf 15 csetuid -u E011223344556677");
+                  "hf 15 csetuid -u E011223344556677       -> use gen1 command\n"
+                  "hf 15 csetuid -u E011223344556677 --v2  -> use gen2 command"
+                  );
 
     void *argtable[] = {
         arg_param_begin,
         arg_str1("u", "uid", "<hex>", "UID, 8 hex bytes"),
+        arg_lit0("2", "v2", "Use gen2 magic command"),
         arg_param_end
     };
     CLIExecWithReturn(ctx, Cmd, argtable, false);
@@ -2750,6 +2753,7 @@ static int CmdHF15CSetUID(const char *Cmd) {
 
     int uidlen = 0;
     CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen);
+    bool use_v2 = arg_get_lit(ctx, 2);
     CLIParserFree(ctx);
 
     if (uidlen != HF15_UID_LENGTH) {
@@ -2775,8 +2779,14 @@ static int CmdHF15CSetUID(const char *Cmd) {
     PrintAndLogEx(INFO, "Writing...");
     PacketResponseNG resp;
     clearCommandBuffer();
-    SendCommandNG(CMD_HF_ISO15693_CSETUID, (uint8_t *)&payload, sizeof(payload));
+
-    if (WaitForResponseTimeout(CMD_HF_ISO15693_CSETUID, &resp, 2000) == false) {
+    uint16_t cmd = CMD_HF_ISO15693_CSETUID;
+    if (use_v2) {
+        cmd = CMD_HF_ISO15693_CSETUID_V2;
+    }
+
+    SendCommandNG(cmd, (uint8_t *)&payload, sizeof(payload));
+    if (WaitForResponseTimeout(cmd, &resp, 2000) == false) {
         PrintAndLogEx(WARNING, "timeout while waiting for reply");
         DropField();
         return PM3_ESOFT;

client/src/cmdhflist.c

@@ -704,6 +704,9 @@ void annotateIso15693(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
             case ISO15693_READ_SIGNATURE:
                 snprintf(exp, size, "READ_SIGNATURE");
                 return;
+            case ISO15693_MAGIC_WRITE:
+                snprintf(exp, size, "MAGIC_WRITEBLOCK");
+                return;
             default:
                 break;
         }
@@ -2223,7 +2226,7 @@ bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isRes
                 char sat[5] = {0, 0, 0, 0, 0};
                 mf_get_paritybinstr(sat, AuthData.at_enc, AuthData.at_enc_par);
 
-                PrintAndLogEx(NORMAL, "Nested authentication detected. ");
+                PrintAndLogEx(NORMAL, "Nested authentication detected!");
                 PrintAndLogEx(NORMAL, "tools/mf_nonce_brute/mf_nonce_brute %x %x %s %x %x %s %x %s %s\n"
                               , AuthData.uid
                               , AuthData.nt_enc

include/pm3_cmd.h

@@ -564,7 +564,6 @@ typedef struct {
 #define CMD_HF_ISO15693_SNIFF                                             0x0312
 #define CMD_HF_ISO15693_COMMAND                                           0x0313
 #define CMD_HF_ISO15693_FINDAFI                                           0x0315
-#define CMD_HF_ISO15693_CSETUID                                           0x0316
 #define CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY                               0x0867
 #define CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY                              0x0317
 #define CMD_HF_ISO15693_SLIX_DISABLE_EAS                                  0x0318
@@ -578,12 +577,17 @@ typedef struct {
 #define CMD_HF_ISO15693_EML_SETMEM                                        0x0331
 #define CMD_HF_ISO15693_EML_GETMEM                                        0x0332
 
+#define CMD_HF_ISO15693_CSETUID                                           0x0316
+#define CMD_HF_ISO15693_CSETUID_V2                                        0x0333
+
 #define CMD_LF_SNIFF_RAW_ADC                                              0x0360
 
 // For Hitag2 transponders
 #define CMD_LF_HITAG_SNIFF                                                0x0370
 #define CMD_LF_HITAG_SIMULATE                                             0x0371
 #define CMD_LF_HITAG_READER                                               0x0372
+#define CMD_LF_HITAG2_WRITE                                               0x0377
+#define CMD_LF_HITAG2_CRACK                                               0x0378
 
 // For HitagS
 #define CMD_LF_HITAGS_TEST_TRACES                                         0x0367

include/protocols.h

@@ -369,10 +369,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define CRYPTORF_ERR_MEMORY_ACCESS                    0xEE
 #define CRYPTORF_ERR_MEMORY_ACCESS_SEC                0xF9
 
-//First byte is 26
+// First byte is 26
 #define ISO15693_INVENTORY     0x01
 #define ISO15693_STAYQUIET     0x02
-//First byte is 02
+// First byte is 02
 #define ISO15693_READBLOCK                   0x20
 #define ISO15693_WRITEBLOCK                  0x21
 #define ISO15693_LOCKBLOCK                   0x22
@@ -412,6 +412,9 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define ISO15693_STAYQUIET_PERSISTENT        0xBC
 #define ISO15693_READ_SIGNATURE              0xBD
 
+//
+#define ISO15693_MAGIC_WRITE                 0xE0
+
 // Topaz command set:
 #define TOPAZ_REQA                    0x26 // Request
 #define TOPAZ_WUPA                    0x52 // WakeUp