From b9572d561e16a4194f9f62ed67b7cc73d26d59c4 Mon Sep 17 00:00:00 2001 From: Mykhailo Shevchuk Date: Tue, 26 Dec 2023 22:11:04 +0200 Subject: [PATCH] GDM + small refactoring --- doc/magic_cards_notes.md | 64 +++++++++++++++++++++++++++++++++------- 1 file changed, 54 insertions(+), 10 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 2a43de28e..33b05e0e6 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -34,6 +34,7 @@ Useful docs: * [FUID](#fuid) * [UFUID](#ufuid) * [ZUID](#zuid) + * [GDM](#gdm) * [MIFARE Classic, other versions](#mifare-classic-other-versions) * [MIFARE Classic Super](#mifare-classic-super) - [MIFARE Ultralight](#mifare-ultralight) @@ -878,7 +879,7 @@ No implemented commands today ^[Top](#top) | Factory configuration | Name | | --- | --- | -| 850000000000000000005A5A00000008 | GDMIC | +| 850000000000000000005A5A00000008 | GDM | | 850000000000005A0000005A5A5A0008 | UCUID | | 8500000000005A00005A005A005A0008 | "7 byte hard" | | 7AFF850102015A00005A005A005A0008 | M1-7B | @@ -900,7 +901,7 @@ Known as "write only once", which is only partially true. Allows direct write to block 0 only when UID is default `AA55C396`. But always could be rewritten multiple times with backdoors commands. -Backdoor commands are available even after the personalization and makes that card detectable. +Backdoor commands are available even after the personalization and makes that tag detectable. That's a key difference from [OTP](#mifare-classic-direct-write-otp)/[OTP 2.0](#mifare-classic-otp-2.0) tags. @@ -933,7 +934,7 @@ More correct detection should be based on a backdoor commands and configuration [usb] pm3 --> hf 14a raw -c -k -a E000 [+] 7A FF 85 00 00 00 00 00 00 FF 00 00 00 00 00 08 [ 66 92 ] ``` -### Proxmark3 commands +### Commands ^[Top](#top) * Commands described under the corresponding section of USCUID chip 
@@ -958,9 +959,9 @@ More correct detection should be based on a backdoor commands and configuration ## UFUID ^[Top](#top) -The card is positioned as "sealable UID", so that means you could use the same commands, as you could use for UID chip in a default state. But after the sealing (changing the configuration) card will not answer to the backdoor commands and will behave as a normal Mifare Classic card. +The tag is positioned as "sealable UID", so that means you could use the same commands, as you could use for UID chip in a default state. But after the sealing (changing the configuration) tag will not answer to the backdoor commands and will behave as a normal Mifare Classic tag. -*But at the same time there is some unidentified behavior, which doesn't fully corresponds the protocol and original Mifare Classic cards. So the card could be filtered out with a protocol-based filters (i.e. Iron Logic OTP2 filter).* +*But at the same time there is some unidentified behavior, which doesn't fully corresponds the protocol and original Mifare Classic tags. So the tag could be filtered out with a protocol-based filters (i.e. Iron Logic OTP2 filter).* ### Characteristics ^[Top](#top) @@ -980,7 +981,7 @@ hf 14a info ``` -Currently Proxmark3 doesn't identify it as a sepatate card. +Currently Proxmark3 doesn't identify it as a separate tag. Before the sealing could be detected from the config block value: ``` @@ -992,7 +993,7 @@ Before the sealing could be detected from the config block value: [+] 7A FF 00 00 00 00 00 00 BA FA 00 00 00 00 00 08 [ F1 69 ] ``` -### Proxmark3 commands +### Commands ^[Top](#top) All commands are available before sealing. 
@@ -1012,7 +1013,7 @@ hf 14a raw -c 85000000000000000000000000000008 ## ZUID ^[Top](#top) -That card is a UID card, built on USCUID chip. It doesn't sold separately, but could be found on marketplaces under the guise of a UID card. +That tag is a UID tag, built on USCUID chip. It doesn't sold separately, but could be found on marketplaces under the guise of a UID tag. ### Characteristics ^[Top](#top) @@ -1032,7 +1033,7 @@ hf 14a info ``` -Currently Proxmark3 doesn't identify it as a sepatate card. +Currently Proxmark3 doesn't identify it as a separate tag. Could be detected from the config block value: ``` 
@@ -1044,13 +1045,56 @@ Could be detected from the config block value: [+] 7A FF 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [ 4E 17 ] ``` -### Proxmark3 commands +### Commands ^[Top](#top) * Proxmark3 magic Gen1 commands * Read configuration: `E000+crc` * Write configuration: `E100+crc` +## GDM +^[Top](#top) + +The tag has a shadow mode, which means that every change to normal MFC memory would be restored back from the persistent memory after being off RFID field. + +### Characteristics +^[Top](#top) + +* Configuration block value: `850000000000000000005A5A00000008` +* No direct write to block 0 +* Responds to magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]` + +### Identify +^[Top](#top) + +``` +hf 14a info +... +[+] Magic capabilities : Gen 4 GDM + +``` + +Could be manually validated with the configuration block value: + +``` +[usb] pm3 --> hf mf gdmcfg +[+] config... 85 00 00 00 00 00 00 5A 00 FF 00 5A 00 00 00 08 +``` + +### Commands +^[Top](#top) + +* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]` + * Backdoor read: `38xx+crc` + * Backdoor write: `A8xx+crc`, `[16 bytes data]+crc` + * Read configuration: `E000+crc` + * Write configuration: `E100+crc`; `[16 bytes data]+crc` +* Proxmark3 commands (does auth and executes the corresponding command) + * Backdoor write: `gdmsetcfg` + * Read configuration: `gdmcfg` + * Write configuration: `gdmsetcfg` + + ## MIFARE Classic, other versions ^[Top](#top)
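Review bot: the reworded line in the `@@ -900,7 +901,7 @@` hunk still has a subject/verb mismatch: "Backdoor commands are available even after the personalization and makes that tag detectable" should read "... and make the tag detectable" (plural subject "commands"); since the line is already being touched for the card/tag wording, fix the verb in the same change.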
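Review bot: renaming `### Proxmark3 commands` to `### Commands` (the `@@ -933`, `@@ -992` and `@@ -1044` hunks) changes the generated heading anchors, so any in-document link to `#proxmark3-commands` will break; please grep the doc for that anchor and update it. The page also ends up with several identical `### Commands` headings (the new GDM section adds one more), so per-section anchors become ambiguous (`#commands`, `#commands-1`, ...); if sections are meant to be linkable, keep the chip name in the heading or add the link to the parent section instead.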
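Review bot: the italic line rewritten in the `@@ -958,9 +959,9 @@` hunk still reads "doesn't fully corresponds the protocol"; suggest "which doesn't fully correspond to the protocol and to original Mifare Classic tags. So the tag could be filtered out by protocol-based filters (e.g. the Iron Logic OTP2 filter)." (verb agreement, missing "to", and "i.e." should be "e.g." since the filter is one example).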
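Review bot: "It doesn't sold separately" in the `@@ -1012,7 +1013,7 @@` hunk is ungrammatical; suggest "It isn't sold separately, but can be found on marketplaces under the guise of a UID tag."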
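Review bot: the new GDM section (`@@ -1044,13 +1045,56 @@`) is internally inconsistent about the configuration block. Characteristics states `850000000000000000005A5A00000008` (which matches the table row renamed to GDM in the `@@ -878` hunk), but the `hf mf gdmcfg` example under Identify shows `85 00 00 00 00 00 00 5A 00 FF 00 5A 00 00 00 08`, a different value; either the sample output was taken from a non-factory tag (then say so and show what differs) or one of the two is a typo. Under "Proxmark3 commands", `gdmsetcfg` is listed for both "Backdoor write" and "Write configuration"; writing a data block and writing the config block cannot be the same command without a qualifier, so please confirm the correct command for a backdoor block write or drop that bullet. Smaller points: the magic authentication line is duplicated between Characteristics and Commands; "Write configuration: `E100+crc`; `[16 bytes data]+crc`" uses `;` where the Backdoor write bullet uses `,`; "after being off RFID field" reads better as "after the tag leaves the RFID field"; and the Identify fence carries a stray trailing blank line.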