github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 05:43:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Merge branch 'RfidResearchGroup:master' into update_workbench_driver

Browse source
This commit is contained in:
Xavier 2024-07-16 00:29:17 -04:00 committed by GitHub
commit e7a21a42f0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
107 changed files with 4340 additions and 1572 deletions
Download patch file Download diff file Expand all files Collapse all files

150
doc/commands.json
View file

@ -720,7 +720,7 @@
"-h, --help This help",
"--keep keep the current values of the markers",
"-a <dec> yellow marker",
"-b <dec> pink marker",
"-b <dec> purple marker",
"-c <dec> orange marker",
"-d <dec> blue marker"
],
@ -740,6 +740,42 @@
],
"usage": "data shiftgraphzero [-h] -n <dec>"
},
"data test_ss32": {
"command": "data test_ss32",
"description": "Tests the implementation of Buffer Save States (32-bit buffer)",
"notes": [
"data test_ss32"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "data test_ss32 [-h]"
},
"data test_ss32s": {
"command": "data test_ss32s",
"description": "Tests the implementation of Buffer Save States (32-bit signed buffer)",
"notes": [
"data test_ss32s"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "data test_ss32s [-h]"
},
"data test_ss8": {
"command": "data test_ss8",
"description": "Tests the implementation of Buffer Save States (8-bit buffer)",
"notes": [
"data test_ss8"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "data test_ss8 [-h]"
},
"data timescale": {
"command": "data timescale",
"description": "Set cursor display timescale. Setting the timescale makes the differential `dt` reading between the yellow and purple markers meaningful. once the timescale is set, the differential reading between brackets can become a time duration.",
@ -1386,6 +1422,18 @@
],
"usage": "hf 14b apdu [-hskte] [--decode] [-m <hex>] [-l <int>] -d <hex> [--timeout <dec>]"
},
"hf 14b calypso": {
"command": "hf 14b calypso",
"description": "Reads out the contents of a ISO14443B Calypso card",
"notes": [
"hf 14b calypso"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "hf 14b calypso [-h]"
},
"hf 14b dump": {
"command": "hf 14b dump",
"description": "This command dumps the contents of a ISO-14443-B tag and save it to file Tries to autodetect cardtype, memory size defaults to SRI4K",
@ -1404,7 +1452,7 @@
},
"hf 14b help": {
"command": "hf 14b help",
"description": "--------- ----------------------- General ----------------------- help This help list List ISO-14443-B history --------- ----------------------- Operations ----------------------- view Display content from tag dump file valid SRIX4 checksum test --------------------------------------------------------------------------------------- hf 14b list available offline: yes Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"description": "--------- ----------------------- General ----------------------- help This help list List ISO-14443-B history --------- ----------------------- Operations ----------------------- view Display content from tag dump file valid SRIX4 checksum test --------- ------------------ Calypso / Mobib ------------------ --------------------------------------------------------------------------------------- hf 14b list available offline: yes Alias of `trace list -t 14b -c` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"hf 14b list --frame -> show frame delay times",
"hf 14b list -1 -> use trace buffer"
@ -1437,6 +1485,18 @@
],
"usage": "hf 14b info [-hsv]"
},
"hf 14b mobib": {
"command": "hf 14b mobib",
"description": "Reads out the contents of a ISO14443B Mobib card",
"notes": [
"hf 14b mobib"
],
"offline": false,
"options": [
"-h, --help This help"
],
"usage": "hf 14b mobib [-h]"
},
"hf 14b ndefread": {
"command": "hf 14b ndefread",
"description": "Print NFC Data Exchange Format (NDEF)",
@ -1501,10 +1561,11 @@
"offline": false,
"options": [
"-h, --help This help",
"--plot show anticollision signal trace in plot window",
"-v, --verbose verbose output",
"-@ optional - continuous reader mode"
],
"usage": "hf 14b reader [-hv@]"
"usage": "hf 14b reader [-hv@] [--plot]"
},
"hf 14b restore": {
"command": "hf 14b restore",
@ -3102,7 +3163,7 @@
"description": "Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag",
"notes": [
"hf iclass chk -f iclass_default_keys.dic",
"hf iclass chk -f iclass_default_keys.dic --elite"
"hf iclass chk -f iclass_elite_keys.dic --elite"
],
"offline": false,
"options": [
@ -8925,7 +8986,8 @@
"description": "Authenticate against an EM4x70 by sending random number (RN) and F(RN) If F(RN) is incorrect based on the tag key, the tag will not respond If F(RN) is correct based on the tag key, the tag will give a 20-bit response",
"notes": [
"lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 -> (using pm3 test key)",
"lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key)"
"lf em 4x70 auth --rnd 3FFE1FB6CC513F --frn F355F1A0 -> (using research paper key)",
"lf em 4x70 auth --rnd 7D5167003571F8 --frn 982DBCC0 -> (autorecovery test key)"
],
"offline": false,
"options": [
@ -8941,7 +9003,8 @@
"description": "This command will perform automatic recovery of the key from a writable tag. All steps are possible to do manually. The corresponding sequence, if done manually, is as follows: 1. Verify passed parameters authenticate with the tag (safety check) lf em 4x70 auth --rnd <rnd_1> --frn <frn_1> 2. Brute force the key bits in block 9 lf em 4x70 write -b 9 -d 0000 lf em 4x70 recover -b 9 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 9 -d <key_block_9> 3. Brute force the key bits in block 8 lf em 4x70 write -b 8 -d 0000 lf em 4x70 recover -b 8 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 8 -d <key_block_8> 4. Brute force the key bits in block 7 lf em 4x70 write -b 7 -d 0000) lf em 4x70 recover -b 7 --rnd <rnd_1> --frn <frn_1> lf em 4x70 write -b 7 -d <key_block_7> 5. Recover potential values of the lower 48 bits of the key lf em 4x70 recover --key <key_block_9><key_block_8><key_block_7> --rnd <rnd_1> --frn <frn_1> 6. Verify which potential key is actually on the tag (using a different rnd/frn combination) lf em 4x70 auth --rnd <rnd_2> --frn <frn_N> 7. Print the validated key This command simply requires the rnd/frn/grn from a single known-good authentication.",
"notes": [
"lf em 4x70 autorecover --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)"
"lf em 4x70 autorecover --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)",
"lf em 4x70 autorecover --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)"
],
"offline": false,
"options": [
@ -8953,11 +9016,29 @@
],
"usage": "lf em 4x70 autorecover [-h] [--par] --rnd <hex> --frn <hex> --grn <hex>"
},
"lf em 4x70 calc": {
"command": "lf em 4x70 calc",
"description": "Calculates both the reader and tag challenge for a user-provided key and rnd.",
"notes": [
"lf em 4x70 calc --key F32AA98CF5BE4ADFA6D3480B --rnd 45F54ADA252AAC (pm3 test key)",
"lf em 4x70 calc --key A090A0A02080000000000000 --rnd 3FFE1FB6CC513F (research paper key)",
"lf em 4x70 calc --key 022A028C02BE000102030405 --rnd 7D5167003571F8 (autorecovery test key)"
],
"offline": true,
"options": [
"-h, --help This help",
"--key <hex> Key 96-bit as 12 hex bytes",
"--rnd <hex> 56-bit random value sent to tag for authentication"
],
"usage": "lf em 4x70 calc [-h] --key <hex> --rnd <hex>"
},
"lf em 4x70 help": {
"command": "lf em 4x70 help",
"description": "help This help recover Recover remaining key from partial key --------------------------------------------------------------------------------------- lf em 4x70 brute available offline: no Optimized partial key-update attack of 16-bit key block 7, 8 or 9 of an EM4x70 This attack does NOT write anything to the tag. Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'. After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'",
"description": "help This help calc Calculate EM4x70 challenge and response recover Recover remaining key from partial key --------------------------------------------------------------------------------------- lf em 4x70 brute available offline: no Optimized partial key-update attack of 16-bit key block 7, 8 or 9 of an EM4x70 This attack does NOT write anything to the tag. Before starting this attack, 0000 must be written to the 16-bit key block: 'lf em 4x70 write -b 9 -d 0000'. After success, the 16-bit key block have to be restored with the key found: 'lf em 4x70 write -b 9 -d c0de'",
"notes": [
"lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 -> bruteforcing key bits k95...k80"
"lf em 4x70 brute -b 9 --rnd 45F54ADA252AAC --frn 4866BB70 -> bruteforcing key bits k95...k80 (pm3 test key)",
"lf em 4x70 brute -b 8 --rnd 3FFE1FB6CC513F --frn F355F1A0 -> bruteforcing key bits k79...k64 (research paper key)",
"lf em 4x70 brute -b 7 --rnd 7D5167003571F8 --frn 982DBCC0 -> bruteforcing key bits k63...k48 (autorecovery test key)"
],
"offline": true,
"options": [
@ -8989,7 +9070,8 @@
"description": "After obtaining key bits 95..48 (such as via 'lf em 4x70 brute'), this command will recover key bits 47..00. By default, this process does NOT require a tag to be present. By default, the potential keys are shown (typically 1-6) along with a corresponding 'lf em 4x70 auth' command that will authenticate, if that potential key is correct. The user can copy/paste these commands when the tag is present to manually check which of the potential keys is correct.",
"notes": [
"lf em 4x70 recover --key F32AA98CF5BE --rnd 45F54ADA252AAC --frn 4866BB70 --grn 9BD180 (pm3 test key)",
"lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)"
"lf em 4x70 recover --key A090A0A02080 --rnd 3FFE1FB6CC513F --frn F355F1A0 --grn 609D60 (research paper key)",
"lf em 4x70 recover --key 022A028C02BE --rnd 7D5167003571F8 --frn 982DBCC0 --grn 36C0E0 (autorecovery test key)"
],
"offline": true,
"options": [
@ -9007,7 +9089,8 @@
"description": "Write new 96-bit key to tag",
"notes": [
"lf em 4x70 setkey -k F32AA98CF5BE4ADFA6D3480B (pm3 test key)",
"lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key)"
"lf em 4x70 setkey -k A090A0A02080000000000000 (research paper key)",
"lf em 4x70 setkey -k 022A028C02BE000102030405 (autorecovery test key)"
],
"offline": false,
"options": [
@ -9443,6 +9526,19 @@
],
"usage": "lf hitag chk [-h] [-f <fn>] [--pwd] [--crypto]"
},
"lf hitag crack2": {
"command": "lf hitag crack2",
"description": "This command tries to recover 2048 bits of Hitag2 crypto stream data.",
"notes": [
"lf hitag crack2 --nrar 73AA5A62EAB8529C"
],
"offline": false,
"options": [
"-h, --help This help",
"--nrar <hex> specify nonce / answer as 8 hex bytes"
],
"usage": "lf hitag crack2 [-h] [--nrar <hex>]"
},
"lf hitag dump": {
"command": "lf hitag dump",
"description": "Read all Hitag 2 card memory and save to file Crypto mode key format: ISK high + ISK low, 4F4E4D494B52 (ONMIKR) Password mode, default key 4D494B52 (MIKR)",
@ -9497,7 +9593,7 @@
},
"lf hitag help": {
"command": "lf hitag help",
"description": "help This help list List Hitag trace history selftest Perform self test view Display content from tag dump file lookup Uses authentication trace to check for key in dictionary file --------------------------------------------------------------------------------------- lf hitag list available offline: yes Alias of `trace list -t hitag2` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"description": "help This help list List Hitag trace history test Perform self tests view Display content from tag dump file lookup Uses authentication trace to check for key in dictionary file --------------------------------------------------------------------------------------- lf hitag list available offline: yes Alias of `trace list -t hitag2` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
"notes": [
"lf hitag list --frame -> show frame delay times",
"lf hitag list -1 -> use trace buffer"
@ -9576,17 +9672,19 @@
],
"usage": "lf hitag read [-hs2] [--pwd] [--nrar <hex>] [--crypto] [-k <hex>]"
},
"lf hitag selftest": {
"command": "lf hitag selftest",
"description": "Perform selftest of Hitag crypto engine",
"lf hitag reader": {
"command": "lf hitag reader",
"description": "Act as a Hitag2 reader. Look for Hitag2 tags until Enter or the pm3 button is pressed",
"notes": [
"lf hitag selftest"
"lf hitag reader",
"lf hitag reader -@ -> Continuous mode"
],
"offline": true,
"offline": false,
"options": [
"-h, --help This help"
"-h, --help This help",
"-@ continuous reader mode"
],
"usage": "lf hitag selftest [-h]"
"usage": "lf hitag reader [-h@]"
},
"lf hitag sim": {
"command": "lf hitag sim",
@ -9615,6 +9713,18 @@
],
"usage": "lf hitag sniff [-h]"
},
"lf hitag test": {
"command": "lf hitag test",
"description": "Perform self tests of Hitag crypto engine",
"notes": [
"lf hitag test"
],
"offline": true,
"options": [
"-h, --help This help"
],
"usage": "lf hitag test [-h]"
},
"lf hitag view": {
"command": "lf hitag view",
"description": "Print a HITAG dump file (bin/eml/json)",
@ -12622,8 +12732,8 @@
}
},
"metadata": {
"commands_extracted": 729,
"commands_extracted": 737,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-04-22T14:35:02"
"extracted_on": "2024-05-27T13:38:05"
}
}

10
doc/commands.md
View file

@ -137,6 +137,9 @@ Check column "offline" for their availability.
|`data diff `|Y |`Diff of input files`
|`data hexsamples `|N |`Dump big buffer as hex bytes`
|`data samples `|N |`Get raw samples for graph window ( GraphBuffer )`
|`data test_ss8 `|N |`Test the implementation of Buffer Save States (8-bit buffer)`
|`data test_ss32 `|N |`Test the implementation of Buffer Save States (32-bit buffer)`
|`data test_ss32s `|N |`Test the implementation of Buffer Save States (32-bit signed buffer)`
### emv
@ -221,6 +224,8 @@ Check column "offline" for their availability.
|`hf 14b wrbl `|N |`Write data to a SRI512/SRIX4 tag`
|`hf 14b view `|Y |`Display content from tag dump file`
|`hf 14b valid `|Y |`SRIX4 checksum test`
|`hf 14b calypso `|N |`Read contents of a Calypso card`
|`hf 14b mobib `|N |`Read contents of a Mobib card`
### hf 15
@ -974,6 +979,7 @@ Check column "offline" for their availability.
|`lf em 4x70 auth `|N |`Authenticate EM4x70`
|`lf em 4x70 setpin `|N |`Write PIN`
|`lf em 4x70 setkey `|N |`Write key`
|`lf em 4x70 calc `|Y |`Calculate EM4x70 challenge and response`
|`lf em 4x70 recover `|Y |`Recover remaining key from partial key`
|`lf em 4x70 autorecover `|N |`Recover entire key from writable tag`
@ -1041,7 +1047,8 @@ Check column "offline" for their availability.
|`lf hitag help `|Y |`This help`
|`lf hitag list `|Y |`List Hitag trace history`
|`lf hitag info `|N |`Hitag 2 tag information`
|`lf hitag selftest `|Y |`Perform self test`
|`lf hitag reader `|N |`Act line an Hitag 2 reader`
|`lf hitag test `|Y |`Perform self tests`
|`lf hitag dump `|N |`Dump Hitag 2 tag`
|`lf hitag read `|N |`Read Hitag memory`
|`lf hitag sniff `|N |`Eavesdrop Hitag communication`
@ -1051,6 +1058,7 @@ Check column "offline" for their availability.
|`lf hitag eview `|N |`View emulator memory`
|`lf hitag sim `|N |`Simulate Hitag transponder`
|`lf hitag cc `|N |`Hitag S: test all provided challenges`
|`lf hitag crack2 `|N |`Recover 2048bits of crypto stream`
|`lf hitag chk `|N |`Check keys`
|`lf hitag lookup `|Y |`Uses authentication trace to check for key in dictionary file`
|`lf hitag ta `|N |`Hitag 2: test all recorded authentications`

195
doc/magic_cards_notes.md
View file

@ -51,6 +51,7 @@ Useful docs:
* [ULtra](#ultra)
* [UL-5](#ul-5)
* [UL, other chips](#ul-other-chips)
* [MIFARE Ultralight USCUID-UL](#mifare-ultralight-uscuid-ul)
* [NTAG](#ntag)
* [NTAG213 DirectWrite](#ntag213-directwrite)
* [NTAG21x](#ntag21x)
@ -823,7 +824,7 @@ hf 14a raw -s -c 90FD111100
^[Top](#top)
TLDR: These magic cards have a 16 byte long configuration page, which usually starts with 0x85.
All of the known tags using this, except for Ultralight tags, are listed here.
All of the known tags are using this, except for Ultralight tags, are listed here.
You cannot turn a Classic tag into an Ultralight and vice-versa!
@ -1142,8 +1143,6 @@ All commands are available before sealing. After the sealing acts as a Mifare Cl
* Magic wakeup: `40(7)`, `43`
* Backdoor read main block: `30xx+crc`
* Backdoor write main block: `A0xx+crc`, `[16 bytes data]+crc`
* Read hidden block: `38xx+crc`
* Write hidden block: `A8xx+crc`, `[16 bytes data]+crc`
* Read configuration: `E000+crc`
* Write configuration: `E100+crc`
* Example of the sealing, performed by Chinese copiers in raw commands:
@ -1607,7 +1606,7 @@ hf 14a info
[+] Magic capabilities : Gen 2 / CUID
```
It seems so far that all MFUL DW have an ATS.
It seems so far that all MFUL DW have an ATS response in factory configuration.
### Magic commands
@ -1638,14 +1637,6 @@ Issue three regular MFU write commands in a row to write first three blocks.
* ATS: 0A78008102DBA0C119402AB5
* Anticol shortcut (CL1/3000): fails
#### MIFARE Ultralight DirectWrite flavour 2
^[Top](#top)
* BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
* ATS: 850000A00A000AB00000000000000000184D
* Anticol shortcut (CL1/3000): succeeds
### Proxmark3 commands
^[Top](#top)
@ -1977,6 +1968,186 @@ The manufacturer confirmed unpersonalized tags could be identified by first 3 by
UL-X, UL-Z - ?
## MIFARE Ultralight USCUID-UL
^[Top](#top)
TLDR: These magic cards, like the MFC USCUIDs have a 16 byte long configuration page, comprised of 4 blocks of 4 bytes each. This usually starts with 0x85. All of the known tags use the same format config page.
The cards will respond to a RATS with the config page in the factory configuration.
As with the MFC USCUIDs, one cannot turn a Classic tag into an Ultralight and vice-versa!
### Characteristics
^[Top](#top)
* UID: 7 bytes
* ATQA: always read from hidden block `F6`
* SAK: always read from hidden block `F6`
* BCC: read from blocks 0-1 per Ultralight specification
* ATS: These respond to an ATS request with the config page in factory mode.
### Identify
^[Top](#top)
In factory config state:
```
hf 14a info
...
[=] -------------------------- ATS --------------------------
[!] ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
[+] ATS: 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]
```
If config has been modified to not display config block as ATS response:
```
hf 14a raw -akb 7 40; hf 14a raw -k 43
OR (depending on the magic wakeup method set)
hf 14a raw -akb 7 20; hf 14a raw -k 23
THEN
hf 14a raw -c e100
[+] 85 00 85 A0 00 00 0A A5 00 04 04 02 01 00 0F 03 [ 07 00 ]
```
Possible tag wakeup mechanisms are:
* Gen1 Magic Wakeup
* Alt Magic Wakeup
### Magic commands
^[Top](#top)
* Magic wakeup (A: 00): `40(7)`, `43`
* Magic wakeup (B: 85): `20(7)`, `23`
* Backdoor read main and hidden block: `30xx+crc`
* Backdoor write main and hidden block: `A2xx[4 bytes data]+crc`
* Read configuration: `E050+crc`
* Write configuration: `E2[offset*4, 1b][data, 4b]+crc`
* **DANGER**
* Set memory and config to 00 `F000+crc`
* Set memory and config to FF `F100+crc`
* Set memory and config to 55 (no 0A response) `F600+crc`
### USCUID-UL configuration guide
^[Top](#top)
1. Configuration
```
0 1 2 3
850000A0 00000AC3 00040301 01000B03
^^ >> ??? Mystery ???
^^^^ >> Gen1a mode (works with bitflip)
^^ >> Magic wakeup command (00 for 40-43; 85 for 20-23)
^^ >> Config available using regular mode (ON: A0)
^^ >> Do not reply to 1B, making auth impossible
^^ >> Do not enforce OTP properties (ON: A0)
^^ >> Maximum memory configuration*
^^^^^^^^ ^^^^^^^^ >> Version info
* This isn't a customizable value - it's a preset. So far:
C3 = UL11
3C = UL21
00 = UL-C
A5 = NTAG 213
5A = NTAG 215
AA = NTAG 216
55 = Unknown IC w/ 238 pgs.
```
* Gen1a mode: Allow using custom wakeup commands, like real gen1a chip, to run backdoor commands, as well as some extras.
* Magic wakeup command: Use different wakeup commands for entering Gen1a mode. A) 00 - 40(7), 43; B) 85 - 20(7), 23.
* Config available using regular mode: If this option is turned on via A0, the tag will reply to RATS with the config block and the config block can be modified without doing a magic wakeup.
To write config:
You must send config info in E2 packets of 4 bytes each (format: `E2[offset*4, 1b][data, 4b]`), eg for a UL-11 tag:
```
hf 14a raw -sck E200850000A0; hf 14a raw -ck E20100000AC3; hf 14a raw -ck E20200040301; hf 14a raw -c E20301000B03
```
2. Hidden blocks
```
F0: 00000000
^^^^^^^^ >> Unknown, usually always 00
F1: 00000000
^^^^^^^^ >> Unknown, usually always 00
F2: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F3: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F4: 000000BD
^^^^^^ >> Unknown, usually always 00
^^ >> Unknown, usually always BD, possible tearing counter value?
F5: 00000000
^^^^^^^^ >> Unknown, usually always 00
F6: 44000400
^^^^ >> ATQA in byte reverse order. 4400 = ATQA of 0044
^^ >> Unknown, usually always set to 04. Changing this value also has something to do with the SAK value in the next byte
^^ >> SAK, if previous byte set to 04
F7: 88AF0000
^^ >> First byte of UID BCC calculation, for Ultralight family is always 88 per the datasheet
^^ >> Unknown, usually always AF.
^^^^ >> Unknown, usually always 00
F8 - FF: xxxxxxxx >> signature
```
To read / write hidden blocks:
A config block beginning with `7AFF` must be set to enable a `40:43` / `20:23` magic wakeup. From limited testing, the `20:23` magic wakeup is not guaranteed to work, however the `40:43` wakeup works 100% of the time.
You must send config info in A2 packets of 4 bytes each (format: `A2[offset*4, 1b][data, 4b]`), eg for a UL-11 tag:
```
hf 14a raw -akb 7 40; hf 14a raw -k 43; hf 14a raw -ck A2F2000000BD; hf 14a raw -ck A2F3000000BD; hf 14a raw -ck A2F4000000BD; hf 14a raw -ck A2F644000400; hf 14a raw -c A2F888AF0000
```
### Proxmark3 commands
^[Top](#top)
No implemented commands at time of writing
### libnfc commands
^[Top](#top)
No implemented commands at time of writing
### Variations
^[Top](#top)
| Factory configuration | Name |
| --- | --- |
| 850000A0 00000AC3 00040301 01000B03 | UL-11 |
| 850000A0 00000A3C 00040301 01000E03 | UL-21 |
| 850000A0 0A000A00 00000000 00000000 | UL-C |
| 850085A0 00000AA5 00040402 01000F03 | NTAG213 |
| 850000A0 00000A5A 00040402 01001103 | NTAG215 |
| 850000A0 00000AAA 00040402 01001303 | NTAG216 |
# DESFire
^[Top](#top)

2
doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
View file

@ -127,7 +127,7 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
| HF_14ASNIFF | 14a sniff storing to flashmem - Micolous
| HF_14BSNIFF | 14b sniff - jacopo-j
| HF_15SNIFF | 15693 sniff storing to flashmem - Glaser
| HF_15SNIFF | 15693 simulator - lnv42
| HF_15SIM | 15693 simulator - lnv42
| HF_AVEFUL | MIFARE Ultralight read/simulation - Ave Ozkal
| HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito
| HF_CARDHOPPER | Long distance (over IP) relay of 14a protocols - Sam Haskins