mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2025-08-21 05:43:48 -07:00
Update supercard docs
parent
b903d0bbe2
commit
a81a875df9
1 changed files with 53 additions and 6 deletions
|
@ -520,19 +520,66 @@ hf 14a raw -s -c 90FD111100
|
||||||
## MIFARE Classic Super
|
## MIFARE Classic Super
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
It behaves like DirectWrite but records reader auth attempts.
|
It behaves like regular Mifare Classic but records reader auth attempts.
|
||||||
|
|
||||||
To change UID: same commands as for MFC DirectWrite
|
#### MIFARE Classic Super Gen1
|
||||||
|
^[Top](#top)
|
||||||
|
|
||||||
To do reader-only attack: at least two versions exist.
|
Old type of cards, hard to obtain. They are DirectWrite, UID can be changed via 0 block or backdoor commands.
|
||||||
|
|
||||||
* type 1: https://github.com/nfc-tools/nfc-supercard for card with ATS: 0978009102DABC1910F005
|
* UID: 4b version
|
||||||
* type 2: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ??
|
* ATQA/SAK: fixed
|
||||||
|
* BCC: auto
|
||||||
|
* ATS: fixed, 0978009102DABC1910F005
|
||||||
|
|
||||||
|
ATQA/SAK matches 1k card, but works as 4k card.
|
||||||
|
|
||||||
|
Backdoor commands provided over APDU. Format:
|
||||||
|
|
||||||
|
```
|
||||||
|
00 A6 A0 00 05 FF FF FF FF 00
|
||||||
|
^^ ^^ Backdoor command header
|
||||||
|
^^ Backdoor command (A0 - set UID/B0 - get trace/C0 - reset card)
|
||||||
|
^^ Type of answer (used in key recovery to select trace number)
|
||||||
|
^^ Length of user provided data
|
||||||
|
^^ ^^ ^^ ^^ ^^ User data
|
||||||
|
```
|
||||||
|
|
||||||
|
👉 You can't change UID with backdoor command if incorrect data is written to the 0 sector trailer!
|
||||||
|
|
||||||
|
#### MIFARE Classic Super Gen1B
|
||||||
|
|
||||||
|
DirectWrite card, ATS unknown. Probably same as Gen1, except backdoor commands.
|
||||||
|
Implementation: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c
|
||||||
|
|
||||||
|
#### MIFARE Classic Super Gen2
|
||||||
|
^[Top](#top)
|
||||||
|
|
||||||
|
New generation of cards, based on limited Gen4 chip. Emulates Gen1 backdoor protocol, but can store up to 7 different traces.
|
||||||
|
|
||||||
|
Card always answer `ff ff ff ff` to auth, so writing/reading it via Mifare protocol is impossible.
|
||||||
|
|
||||||
|
UID is changeable via Gen4 backdoor write to 0 block.
|
||||||
|
|
||||||
|
* UID: 4b and 7b versions
|
||||||
|
* ATQA/SAK: fixed
|
||||||
|
* BCC: auto
|
||||||
|
* ATS: changeable, default as Gen1
|
||||||
|
|
||||||
|
Gen4 commands available:
|
||||||
|
|
||||||
|
```
|
||||||
|
CF <passwd> 34 <1b length><0-16b ATS> // Configure ATS
|
||||||
|
CF <passwd> CC // Factory test, returns 00 00 00 02 AA
|
||||||
|
CF <passwd> CD <1b block number><16b block data> // Backdoor write 16b block
|
||||||
|
CF <passwd> CE <1b block number> // Backdoor read 16b block
|
||||||
|
CF <passwd> FE <4b new_password> // Change password
|
||||||
|
```
|
||||||
|
|
||||||
### Identify
|
### Identify
|
||||||
^[Top](#top)
|
^[Top](#top)
|
||||||
|
|
||||||
Only type 1 at the moment:
|
Only Gen1 at the moment:
|
||||||
|
|
||||||
```
|
```
|
||||||
hf 14a info
|
hf 14a info
|
||||||
|
|
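Review bot: In the Gen1 backdoor format block, the example `00 A6 A0 00 05 FF FF FF FF 00` declares a length of 05 and carries five data bytes, but the section lists the UID as 4 bytes with BCC auto, so the meaning of the fifth data byte (`00`) is not documented; name it, or show the example for one specific command with each field labelled. The "Type of answer" byte is described as selecting the trace number without giving its valid range, which matters now that Gen2 is stated to store up to 7 traces. The rewrite also drops the https://github.com/nfc-tools/nfc-supercard link that the old text gave for the card with ATS 0978009102DABC1910F005, leaving Gen1 with no implementation reference while Gen1B keeps one; consider restoring it under Gen1. Minor points: "Card always answer" should read "answers", "Mifare" is written "MIFARE" in the headings, the new subsections use `####` directly under `##` while `### Identify` follows at a shallower level, Gen1B has no `^[Top](#top)` link unlike Gen1 and Gen2, and the Gen4 command list never states the length of `<passwd>` (only `FE <4b new_password>` implies 4 bytes).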