From dc92ebadcd95697610dae200b9c4430c54612b1a Mon Sep 17 00:00:00 2001 From: Mykhailo Shevchuk Date: Sun, 25 Feb 2024 00:18:48 +0200 Subject: [PATCH] Returned plain commands for USCUID kinds --- doc/magic_cards_notes.md | 60 ++++++++++++++++++++++++++++++++-------- 1 file changed, 49 insertions(+), 11 deletions(-) diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md index 3192f9ca6..9a2ace713 100644 --- a/doc/magic_cards_notes.md +++ b/doc/magic_cards_notes.md @@ -1045,7 +1045,13 @@ hf mf info ^[Top](#top) -* Commands described under the corresponding section of USCUID chip +* Magic wakeup: `20(7)`, `23` + * Backdoor read main block: `30xx+crc` + * Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc` + * Read hidden block: `38xx+crc` + * Write hidden block: `A8xx+crc`, `[16 bytes data]+crc` + * Read configuration: `E000+crc` + * Write configuration: `E100+crc` * Example of changing block 0 after the personalization: ``` @@ -1131,12 +1137,16 @@ Before the sealing could be detected from the config block value. ^[Top](#top) -All commands are available before sealing. +All commands are available before sealing. After the sealing acts as a Mifare Classic 1K tag. -* Proxmark3 magic Gen1 commands -* Proxmark3 magic Gen4 GDM commands - -Example of the sealing, performed by Chinese copiers in raw commands: +* Magic wakeup: `40(7)`, `43` + * Backdoor read main block: `30xx+crc` + * Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc` + * Read hidden block: `38xx+crc` + * Write hidden block: `A8xx+crc`, `[16 bytes data]+crc` + * Read configuration: `E000+crc` + * Write configuration: `E100+crc` +* Example of the sealing, performed by Chinese copiers in raw commands: ``` hf 14a raw -a -k -b 7 40 
@@ -1199,14 +1209,14 @@ Could be detected from the config block value. ``` [usb] pm3 --> hf mf gdmcfg --gen1a -[+] Config... 7A FF 00 00 00 00 00 00 BA FA 00 00 00 00 00 08 +[+] Config... 7A FF 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [+] 7A FF .......................................... Magic wakeup enabled with GDM config block access [+] 00 ....................................... Magic wakeup style Gen1a 40(7)/43 [+] 00 00 00 .............................. Unknown [+] 00 ........................... Key B use allowed when readable by ACL [+] 00 ........................ Block 0 Direct Write Disabled (CUID) -[+] BA ..................... Unknown -[+] FA .................. MFC EV1 personalization: 4B UID from Block 0 +[+] 00 ..................... Unknown +[+] 00 .................. MFC EV1 personalization: 4B UID from Block 0 [+] 00 ............... Shadow mode disabled [+] 00 ............. Magic auth disabled [+] 00 ........... Static encrypted nonce disabled @@ -1219,8 +1229,13 @@ Could be detected from the config block value. ^[Top](#top) -* Proxmark3 magic Gen1 commands -* Proxmark3 magic Gen4 GDM commands +* Magic wakeup: `40(7)`, `43` + * Backdoor read main block: `30xx+crc` + * Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc` + * Read hidden block: `38xx+crc` + * Write hidden block: `A8xx+crc`, `[16 bytes data]+crc` + * Read configuration: `E000+crc` + * Write configuration: `E100+crc` ### Proxmark3 commands @@ -1244,6 +1259,9 @@ Could be detected from the config block value. The tag has a shadow mode, which means that every change to normal MFC memory would be restored back from the persistent memory after being off RFID field. +* Other names: + * GDMIC + ### Characteristics ^[Top](#top) 
@@ -1287,6 +1305,16 @@ Could be manually validated with the configuration block value. [+] 08 ... SAK ``` +### Commands + +^[Top](#top) + +* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]` + * Backdoor read: `38xx+crc` + * Backdoor write: `A8xx+crc`, `[16 bytes data]+crc` + * Read configuration: `E000+crc` + * Write configuration: `E100+crc`; `[16 bytes data]+crc` + ### Proxmark3 commands ^[Top](#top) @@ -1346,6 +1374,16 @@ Could be manually validated with the configuration block value. [+] 08 ... SAK ``` +### Commands + +^[Top](#top) + +* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]` + * Backdoor read: `38xx+crc` + * Backdoor write: `A8xx+crc`, `[16 bytes data]+crc` + * Read configuration: `E000+crc` + * Write configuration: `E100+crc`; `[16 bytes data]+crc` + ### Proxmark3 commands ^[Top](#top)
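Review bot: in the hunk at `@@ -1045,7 +1045,13 @@`, the new entry `* Write configuration: `E100+crc`` stops at the command bytes, while the `### Commands` sections added later in this same patch write the same command as `E100+crc`; `[16 bytes data]+crc`. A configuration write carries a 16-byte payload exactly like the `A0xx`/`A8xx` write entries two lines above it, so the entry should read `* Write configuration: `E100+crc`, `[16 bytes data]+crc`` to match the `Backdoor write main block` and `Write hidden block` lines in the same list.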
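Review bot: the sentence added at the top of the hunk at `@@ -1131,12 +1137,16 @@`, `After the sealing acts as a Mifare Classic 1K tag.`, has no subject; suggest `After sealing, the tag acts as a Mifare Classic 1K tag.` In the list below it, `* Write configuration: `E100+crc`` again omits the 16-byte payload that the `Backdoor write main block` and `Write hidden block` entries in the same list spell out, and that the later `### Commands` sections of this patch include for the same command; add `, `[16 bytes data]+crc`` here as well so the four copies of this list stay identical.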
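Review bot: the hunk at `@@ -1199,14 +1209,14 @@` edits captured `hf mf gdmcfg --gen1a` output by hand: bytes 8 and 9 of the `[+] Config...` line change from `BA FA` to `00 00`, and the two per-byte lines below change from `BA`/`FA` to `00`/`00`, yet their decoded text (`Unknown` and `MFC EV1 personalization: 4B UID from Block 0`) is left exactly as it was. Unless this is a fresh capture, there is no evidence in the diff that the decoder prints the same personalization text for `00` as it did for `FA`; please paste the actual output of the command, or say in the commit message why the bytes were changed. This edit is also outside the scope of the subject `Returned plain commands for USCUID kinds` and would be clearer as its own commit.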
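Review bot: the list added in the hunk at `@@ -1219,8 +1229,13 @@` is byte-for-byte the same as the one added in the `@@ -1131` hunk (wakeup `40(7)`, `43`) and differs from the `@@ -1045` list only in the wakeup bytes (`20(7)`, `23`). The text being removed was a cross-reference to a single USCUID command section, so this patch replaces one definition with three copies that must now be kept in sync by hand; if the intent is for every kind to be self-contained, at least carry the same `, `[16 bytes data]+crc`` payload on `* Write configuration: `E100+crc`` here that the later `### Commands` hunks already show for this command, and confirm that the `20(7)`/`23` versus `40(7)`/`43` split between kinds is intentional rather than a copy-paste difference.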
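Review bot: the `* Other names:` / `  * GDMIC` bullets added in the hunk at `@@ -1244,6 +1259,9 @@` are unrelated to the commit subject and land between the shadow-mode paragraph and the `### Characteristics` heading rather than with the tag's other identifying details; move them under `### Characteristics`, or split them into a separate commit, so the commit history stays readable.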
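Review bot: in the new `### Commands` section of the hunk at `@@ -1287,6 +1305,16 @@`, `* Write configuration: `E100+crc`; `[16 bytes data]+crc`` separates the command from its payload with a semicolon, while every other two-part entry in this patch (`A0xx+crc`, `[16 bytes data]+crc`; `A8xx+crc`, `[16 bytes data]+crc`) uses a comma; use the comma here too. The `* Magic authentication: select, `8000+crc`, `[Crypto1 Auth: 000000000000]`` entry is the first place this patch names an authentication key; a short clause saying whether `000000000000` is the key to use with `8000` on every tag of this kind, or only an example value, would save readers a guess.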
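Review bot: the `### Commands` block added in the hunk at `@@ -1346,6 +1374,16 @@` is identical to the one added in the `@@ -1287` hunk, including the semicolon in `* Write configuration: `E100+crc`; `[16 bytes data]+crc`` that the rest of the patch writes with a comma; fix the separator in both places, and since the two blocks must stay identical, note in the commit message that these two kinds share one command set so a future editor updates both copies together.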