This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=35372#p35372
Useful docs:
When a magic card configuration is really messed up and the card is not labeled, it may be hard to find out which type of card it is.
Here are some tips if the card doesn't react or gives an error on a simple hf 14a reader:
Let's force a 4b UID anticollision and see what happens:
hf 14a config a 1 b 2 2 2 r 2
hf 14a reader
If it responds, we know it's a TypeA card. But maybe it's a 7b UID, so let's force a 7b UID anticollision:
hf 14a config a 1 b 2 2 1 3 2 r 2
hf 14a reader
At this stage, you know if it's a TypeA 4b or 7b card and you can check further on this page how to reconfigure different types of cards.
To restore anticollision config of the Proxmark3:
hf 14a config a 0 b 0 2 0 3 0 r 0
Also referred to as M1, S50 (1k), S70 (4k)
UID 4b: (actually NUID as there are no more "unique" IDs on 4b)
11223344440804006263646566676869
^^^^^^^^                         UID
        ^^                       BCC
          ^^                     SAK(*)
            ^^^^                 ATQA
                ^^^^^^^^^^^^^^^^ Manufacturer data
(*) some cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
Computing BCC on UID 11223344: hf analyse lcr 11223344
= 44
UID 7b:
04112233445566884400c82000000000
^^                               Manufacturer byte
^^^^^^^^^^^^^^                   UID
              ^^                 SAK(*)
                ^^^^             ATQA
                    ^^^^^^^^^^^^ Manufacturer data
(*) all? cards have a different SAK in their anticollision and in block0: +0x80 in the block0 (e.g. 08->88, 18->98)
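The two block0 layouts above are easy to mis-split by hand, and the notes warn repeatedly that some magic cards replay block0 bytes (BCC, SAK, ATQA) blindly, so a dump that is inconsistent with what the reader saw is the usual sign of a badly written magic card. The following is an added example (not code from the Proxmark3 notes or project) that composes a 4b block0 the way csetuid does, splits a 4b or 7b block0 into its fields, and compares a dump with the UID/SAK/ATQA announced during anticollision, flagging the "+0x80 in block0" SAK pattern separately. Function names and the manufacturer-data default are assumptions; the sample block0 strings are the ones quoted above.

```python
# Added example, not part of the Proxmark3 notes: build and sanity-check a
# MIFARE Classic block0 against the values a card announces in anticollision.


def bcc(data: bytes) -> int:
    """Block check character: XOR of all bytes (what `hf analyse lcr` prints)."""
    out = 0
    for b in data:
        out ^= b
    return out


def build_block0_4b(uid: str, atqa: str, sak: int,
                    mfg: str = "6263646566676869") -> str:
    """Compose a 4b-UID block0: UID, BCC, SAK, ATQA (stored low byte first),
    then 8 bytes of manufacturer data (default is a constructed filler)."""
    uid_b = bytes.fromhex(uid)
    if len(uid_b) != 4:
        raise ValueError("4-byte UID expected")
    # ATQA as printed by the reader, e.g. "0004"; block0 stores it reversed ("0400")
    atqa_b = bytes.fromhex(atqa)[::-1]
    blk = uid_b + bytes([bcc(uid_b), sak]) + atqa_b + bytes.fromhex(mfg)
    if len(blk) != 16:
        raise ValueError("manufacturer data must be 8 bytes")
    return blk.hex()


def parse_block0(hexstr: str, uid_len: int) -> dict:
    """Split block0 into fields. uid_len (4 or 7) comes from `hf 14a reader`;
    the block alone does not reveal which layout is in use."""
    blk = bytes.fromhex(hexstr)
    if len(blk) != 16 or uid_len not in (4, 7):
        raise ValueError("need a 16-byte block and uid_len of 4 or 7")
    if uid_len == 4:
        return {"uid": blk[:4].hex(), "bcc": blk[4], "sak": blk[5],
                "atqa": blk[6:8][::-1].hex(), "mfg": blk[8:].hex()}
    # 7b layout: byte 0 is the manufacturer byte and is part of the UID; no BCC stored
    return {"uid": blk[:7].hex(), "bcc": None, "sak": blk[7],
            "atqa": blk[8:10][::-1].hex(), "mfg": blk[10:].hex()}


def check_block0(hexstr: str, uid_len: int, seen_uid: str,
                 seen_sak: int, seen_atqa: str) -> list:
    """Compare a block0 dump with what the reader saw in anticollision.
    Returns a list of findings; an empty list means the dump is consistent."""
    f = parse_block0(hexstr, uid_len)
    findings = []
    if f["uid"] != seen_uid.lower():
        findings.append("UID in block0 differs from anticollision UID")
    if uid_len == 4 and f["bcc"] != bcc(bytes.fromhex(f["uid"])):
        # a card that replays this byte blindly will fail anticollision
        findings.append("BCC in block0 does not match its UID")
    if f["sak"] != seen_sak:
        if f["sak"] == (seen_sak | 0x80):
            findings.append("block0 SAK = anticollision SAK + 0x80")
        else:
            findings.append("block0 SAK differs from anticollision SAK")
    if f["atqa"] != seen_atqa.lower():
        findings.append("block0 ATQA differs from anticollision ATQA")
    return findings


if __name__ == "__main__":
    print(build_block0_4b("11223344", "0004", 0x08))
    print(parse_block0("04112233445566884400c82000000000", 7))
    print(check_block0("04112233445566884400c82000000000", 7,
                       "04112233445566", 0x08, "0044"))
```

For the 7b sample block the check reports only the "+0x80" SAK pattern, which is exactly the footnote behaviour rather than corruption; a 4b block whose fifth byte is not the XOR of the UID is the case to worry about, since the card may then be unreachable through normal anticollision.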
hf 14a info
...
[+] Magic capabilities : Gen 1a
- Wipe: 40(7),41 (use 2000ms timeout)
- Read: 40(7),43,30xx+crc
- Write: 40(7),43,A0xx+crc,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+crc
- UID: Only 4b versions
- ATQA:
- all cards play blindly the block0 ATQA bytes, beware!
- SAK:
- some cards play blindly the block0 SAK byte, beware!
- some cards use a fixed "08" in anticollision, no matter the block0
- some cards use a fixed "08" in anticollision, unless the SAK in block0 has the most significant bit "80" set, in which case SAK="88"
- BCC:
- all cards play blindly the block0 BCC byte, beware!
- ATS:
- no card with ATS
- SAK: play blindly the block0 SAK byte, beware!
- PRNG: static 01200145
- Wipe: filled with 0xFF
- SAK: play blindly the block0 SAK byte, beware!
- PRNG: static 01200145
- Wipe: filled with 0x00
- SAK: 08
- PRNG: static 01200145
- Wipe: filled with 0xFF
- SAK: 08
- PRNG: weak
- Wipe: timeout, no wipe
- SAK: 08
- PRNG: weak
- Wipe: reply ok but no wipe performed
- SAK: 08 or 88 if block0_SAK most significant bit is set
- PRNG: weak
- Wipe: timeout, no wipe
- SAK: 08 or 88 if block0_SAK most significant bit is set
- PRNG: weak
- Wipe: filled with 0x00
hf mf csetuid
hf mf cwipe
hf mf csetblk
hf mf cgetblk
hf mf cgetsc
hf mf cload
hf mf csave
hf mf cview
When "soft-bricked" (by writing invalid data in block0), these ones may help:
# MFC Gen1A 1k:
hf mf cwipe -u 11223344 -a 0004 -s 08
# MFC Gen1A 4k:
hf mf cwipe -u 11223344 -a 0044 -s 18
or just fixing block0:
# MFC Gen1A 1k:
hf mf csetuid 11223344 0004 08
# MFC Gen1A 4k:
hf mf csetuid 11223344 0044 18
script run hf_mf_magicrevive
To execute commands manually:
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c A000
hf 14a raw -c -t 1000 11223344440804006263646566676869
wipe:
hf 14a raw -a -k -b 7 40
hf 14a raw -t 1000 41
nfc-mfsetuid
nfc-mfclassic R a u mydump
nfc-mfclassic W a u mydump
Similar to Gen1A, but supports read/write directly after command 40
hf 14a info
...
[+] Magic capabilities : Gen 1b
- Read: 40(7),30xx
- Write: 40(7),A0xx+crc,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+crc
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
Not all Gen2 cards can be identified with hf 14a info, only those replying to RATS.
To identify the other ones, you have to try to write to block0 and see if it works...
Android compatible
- issue regular write to block0
- UID: 4b and 7b versions
- ATQA:
- some cards play blindly the block0 ATQA bytes, beware!
- some cards use a fixed ATQA in anticollision, no matter the block0. Including all 7b.
- SAK:
- some cards play blindly the block0 SAK byte, beware!
- some cards use a fixed "08" or "18" in anticollision, no matter the block0. Including all 7b.
- BCC:
- some cards play blindly the block0 BCC byte, beware!
- some cards compute a proper BCC in anticollision. Including all 7b computing their BCC0 and BCC1.
- ATS:
- some cards don't reply to RATS
- some reply with an ATS
- UID 4b
- ATQA: play blindly the block0 ATQA bytes, beware!
- SAK: play blindly the block0 SAK byte, beware!
- BCC: play blindly the block0 BCC byte, beware!
- ATS: no
- PRNG: weak
- UID 4b
- ATQA: fixed
- SAK: fixed
- BCC: computed
- ATS: 0978009102DABC1910F005
- PRNG: weak
- UID 4b
- ATQA: play blindly the block0 ATQA bytes, beware!
- SAK: fixed
- BCC: play blindly the block0 BCC byte, beware!
- ATS: no
- PRNG: weak
- UID 7b
- ATQA: fixed
- SAK: fixed
- BCC: computed
- ATS: 0978009102DABC1910F005
- PRNG: static 00000000
- UID 4b
- ATQA: fixed
- SAK: play blindly the block0 SAK byte, beware!
- BCC: computed
- ATS: no
- PRNG: weak
TODO need more info
- UID 7b
- ATS: 0D780071028849A13020150608563D
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869
When "soft-bricked" (by writing invalid data in block0), these ones may help:
hf 14a config h
e.g. for 4b UID:
hf 14a config a 1 b 2 2 2 r 2
hf mf wrbl 0 A FFFFFFFFFFFF 11223344440804006263646566676869 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 11223344441802006263646566676869 # for 4k
hf 14a config a 0 b 0 2 0 r 0
hf 14a reader
e.g. for 7b UID:
hf 14a config a 1 b 2 2 1 3 2 r 2
hf mf wrbl 0 A FFFFFFFFFFFF 04112233445566084400626364656667 # for 1k
hf mf wrbl 0 A FFFFFFFFFFFF 04112233445566184200626364656667 # for 4k
hf 14a config a 0 b 0 2 0 3 0 r 0
hf 14a reader
Same as MIFARE Classic DirectWrite, but block0 can be written only once.
Initial UID is AA55C396
Only possible before personalization.
hf 14a info
...
[+] Magic capabilities : Write Once / FUID
Same as MIFARE Classic DirectWrite, but block0 can be locked with special command.
TODO
To lock definitively block0:
hf 14a raw -a -k -b 7 40
hf 14a raw -k 43
hf 14a raw -k -c e000
hf 14a raw -c 85000000000000000000000000000008
TODO
- ZXUID, EUID, ICUID ?
- Some cards exhibit a specific SAK=28 ??
hf 14a info
...
[+] Magic capabilities : Gen 3 / APDU
Android compatible
- issue special APDUs
cla ins p1 p2 len
90 F0 CC CC 10 <block0> - write block 0
90 FB CC CC 07 <uid> - change uid (independently of block0 data)
90 FD 11 11 00 - lock permanently
It seems the length byte gets ignored anyway.
Note: it seems some cards only accept the "change UID" command.
It accepts direct read of block0 (and only block0) without prior auth.
- UID: 4b and 7b versions
- ATQA/SAK: fixed
- BCC: auto
- ATS: none
# change just UID:
hf mf gen3uid
# write block0:
hf mf gen3blk
# lock (uid/block0?) forever:
hf mf gen3freeze
See also
script run hf_mf_gen3_writer -h
Equivalent:
# change just UID:
hf 14a raw -s -c -t 2000 90FBCCCC07 11223344556677
# write block0:
hf 14a raw -s -c -t 2000 90F0CCCC10 041219c3219316984200e32000000000
# lock (uid/block0?) forever:
hf 14a raw -s -c 90FD111100
It behaves like DirectWrite but records reader auth attempts.
To change UID: same commands as for MFC DirectWrite
To do the reader-only attack: at least two versions exist.
- type 1: https://github.com/nfc-tools/nfc-supercard for card with ATS: 0978009102DABC1910F005
- type 2: https://github.com/netscylla/super-card/blob/master/libnfc-1.7.1/utils/nfc-super.c for ??
Only type 1 at the moment:
hf 14a info
...
[+] Magic capabilities : super card
page 0: SN0  SN1  SN2  BCC0
page 1: SN3  SN4  SN5  SN6
page 2: BCC1 Int  LCK0 LCK1
UID is made of SN0..SN6 bytes
Computing BCC0 on UID 04112233445566: analyse lcr 88041122
= bf
Computing BCC1 on UID 04112233445566: analyse lcr 33445566
= 44
Int is internal, typically 0x48
Anticol shortcut (CL1/3000) is supported for UL, ULC, NTAG except NTAG I2C
TODO
TODO
Only 7b versions
TODO need more tests
script run hf_mfu_setuid -h
When "soft-bricked" (by writing invalid data in block0), these ones may help:
hf 14a config h
script run hf_mf_magicrevive -u
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
It seems so far that all MFUL DW have an ATS.
Issue three regular MFU write commands in a row to write first three blocks.
- UID: Only 7b versions
- ATQA:
- all cards use a fixed ATQA
- SAK:
- all cards use a fixed SAK
- BCC:
- some cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- some cards compute proper BCC0 and BCC1 in anticollision
- ATS:
- all cards reply with an ATS
- BCC: computed
- ATS: 0A78008102DBA0C119402AB5
- Anticol shortcut (CL1/3000): fails
- BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- ATS: 850000A00A000AB00000000000000000184D
- Anticol shortcut (CL1/3000): succeeds
hf mfu setuid
Equivalent: don't use hf mfu wrbl as you need to write three blocks in a row, but do, with proper BCCx:
hf 14a raw -s -c -k a2 00 041122bf
hf 14a raw -c -k a2 01 33445566
hf 14a raw -c a2 02 44480000
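The three raw writes above and the page layout given in the super card section (SN0..SN2 + BCC0, SN3..SN6, BCC1 + Int + lock bytes) are two views of the same 7b UID encoding: BCC0 is the XOR of the cascade tag 0x88 with SN0..SN2, BCC1 the XOR of SN3..SN6. The following added example (not code from the Proxmark3 notes or project) derives pages 0..2 from a 7b UID and, in the other direction, reads the UID back out of a dump of those pages and flags BCC bytes that do not match it, which is how you spot a card that replays wrong BCCs blindly. Function names, the 0x48 "Int" default and the zeroed lock bytes are assumptions taken from the sample write above; the sample UID and page values are the ones quoted in the notes.

```python
# Added example, not part of the Proxmark3 notes: MIFARE Ultralight pages 0..2
# for a 7-byte UID, and a consistency check for a dumped page set.

CASCADE_TAG = 0x88  # CT byte sent before SN0..SN2 in cascade level 1


def xor_bcc(data: bytes) -> int:
    """XOR of the bytes, as `analyse lcr` computes it."""
    out = 0
    for b in data:
        out ^= b
    return out


def mfu_pages_for_uid(uid: str, internal: int = 0x48,
                      lock: bytes = b"\x00\x00") -> list:
    """Return pages 0, 1, 2 as hex for a 7b UID:
    SN0 SN1 SN2 BCC0 / SN3 SN4 SN5 SN6 / BCC1 Int LCK0 LCK1."""
    sn = bytes.fromhex(uid)
    if len(sn) != 7:
        raise ValueError("7-byte UID expected")
    if len(lock) != 2:
        raise ValueError("two lock bytes expected")
    bcc0 = xor_bcc(bytes([CASCADE_TAG]) + sn[:3])
    bcc1 = xor_bcc(sn[3:7])
    page0 = sn[:3] + bytes([bcc0])
    page1 = sn[3:7]
    page2 = bytes([bcc1, internal]) + lock
    return [page0.hex(), page1.hex(), page2.hex()]


def check_mfu_pages(page0: str, page1: str, page2: str) -> dict:
    """Recover the UID from a dump of pages 0..2 and report BCC bytes that
    do not match it (a card replaying such bytes blindly will fail anticollision)."""
    p0, p1, p2 = (bytes.fromhex(p) for p in (page0, page1, page2))
    if not (len(p0) == len(p1) == len(p2) == 4):
        raise ValueError("each page is 4 bytes")
    uid = p0[:3] + p1
    findings = []
    if p0[3] != xor_bcc(bytes([CASCADE_TAG]) + p0[:3]):
        findings.append("BCC0 does not match SN0..SN2")
    if p2[0] != xor_bcc(p1):
        findings.append("BCC1 does not match SN3..SN6")
    return {"uid": uid.hex(), "internal": p2[1],
            "lock": p2[2:4].hex(), "findings": findings}


if __name__ == "__main__":
    pages = mfu_pages_for_uid("04112233445566")
    print(pages)                      # the three page values used in the raw writes above
    print(check_mfu_pages(*pages))    # consistent dump: no findings
    print(check_mfu_pages("041122ff", pages[1], pages[2]))  # constructed bad BCC0
```

Running the check over a dump taken with hf mfu dump (pages 0..2 of the output) tells you whether the BCCs on a card of unknown origin were computed or just copied; on a genuine tag and on the "computed" magic variants listed below the findings list is always empty.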
When "soft-bricked" (by writing invalid data in block0), these ones may help:
hf 14a config h
E.g.:
hf 14a config a 1 b 2 2 1 3 2 r 2
hf mfu setuid 04112233445566
hf 14a config a 0 b 0 2 0 3 0 r 0
hf 14a reader
nfc-mfultralight -h
See --uid and --full
- MIFARE++ Ultralight
Similar to MFUL DirectWrite
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
- UID: Only 7b versions
- ATQA:
- all cards use a fixed ATQA
- SAK:
- all cards use a fixed SAK
- BCC:
- cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- ATS:
- all cards reply with an ATS
- BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- ATS: 850000A000000AC30004030101000B0341DF
- BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- ATS: 850000A00A000AC30004030101000B0316D7
Similar to MFUL Gen1A
Similar to MFUL DirectWrite
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
- UID: Only 7b versions
- ATQA:
- all cards use a fixed ATQA
- SAK:
- all cards use a fixed SAK
- BCC:
- cards compute proper BCC0 and BCC1 in anticollision
- ATS:
- all cards reply with an ATS
- BCC: computed
- ATS: 0A78008102DBA0C119402AB5
- Anticol shortcut (CL1/3000): fails
Similar to MFUL DirectWrite
hf 14a info
...
[+] Magic capabilities : Gen 2 / CUID
- UID: Only 7b versions
- ATQA:
- all cards use a fixed ATQA
- SAK:
- all cards use a fixed SAK
- BCC:
- cards play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- ATS:
- all cards reply with an ATS
- BCC: play blindly the block0 BCC0 and block2 BCC1 bytes, beware!
- ATS: 0A78008102DBA0C119402AB5
- Anticol shortcut (CL1/3000): succeeds
hf 14a info
...
[+] Magic capabilities : NTAG21x
Emulates fully NTAG213, 213F, 215, 216, 216F
Emulates partially UL EV1 48k/128k, NTAG210, NTAG212, NTAGI2C 1K/2K, NTAGI2C 1K/2K PLUS
Anticol shortcut (CL1/3000): fails
script run hf_mfu_magicwrite -h
TODO
Android compatible
- issue special APDUs
- ATQA: 0344
- SAK: 20
- ATS: 0675338102005110 or 06757781028002F0
Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
UID 04112233445566
hf 14a raw -s -c 0200ab00000704112233445566
or equivalently
hf 14a apdu -s 00ab00000704112233445566
pn53x-tamashell
4a0100
420200ab00000704112233445566
Android compatible
- issue special APDUs
- ATQA: 0008 ??? This is not DESFire, 0008/20 doesn't match anything
- SAK: 20
- ATS: 0675338102005110 or 06757781028002F0
Only mimics DESFire anticollision (but wrong ATS), no further DESFire support
UID 04112233445566
hf 14a raw -s -c 0200ab00000411223344
or equivalently
hf 14a apdu -s 00ab00000411223344
It accepts a longer UID but that doesn't affect BCC/ATQA/SAK
4a0100
420200ab00000411223344
The same effect (with a better ATQA!) can be obtained with a MFC Gen1A that uses the SAK defined in block0:
hf mf csetblk 0 1122334444204403A1A2A3A4A5A6A7A8
hf 14a info
[+] UID: 11 22 33 44
[+] ATQA: 03 44
[+] SAK: 20 [1]
[+] Possible types:
[+] MIFARE DESFire MF3ICD40
No such card is available.
Some vendors allow specifying an ID (PUPI) when ordering a card.
TODO
Always set a UID starting with E0.
hf 15 csetuid E011223344556677
or (ignore errors):
script run hf_15_magic -u E004013344556677