MF_Attack_hardnestedDialog Hardnested Attack Known Block: Block: A B Target Block: MF_Sim_simDialog Simulate u UID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be used --atqa Provide explicit ATQA (2 bytes) --sak n Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite i Interactive, means that console will not be returned until simulation finishes or is aborted x Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s) e set keys found from 'reader attack' to emulator memory (implies x(--crack) and i) -v verbose output f Provide explicit SAK (1 byte) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i) r Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works MF_UID_parameterDialog Set Parameter UID: ATQA: SAK: MF_trailerDecoderDialog Trailer Decoder Blocks 4 16 Trailer Data: (like "FF0780" or "FF 07 80") Or set bits manually Cx0 Cx1 Cx2 Cx3 Data Block Permission: Block0 Block1 Block2 Read Write Increase Decrease/Transfer/Restore Trailer Block Permission: KeyA Access Bits KeyB Reference: MF1S70YYX_V1 Product data sheet Rev. 3.2 — 23 November 2017 Note:the Access Bits usually contains 4 bytes(8 hex symbols), but only the first 3 bytes matters. You can set the 4th byte randomly. Invalid! It could make the whole sector blocked irreversibly! Valid Block KeyA+B MainWindow Proxmark3GUI Connect Disconnect Mifare Select Trailer Card Type MINI 320 1K 1024 2K 2048 4K 4096 File Load Save Data Key Attack Card Info Check Default Nested Hardnested Darkside Read/Write Block: Key: Key Type: List Data LF other Divisor: Actural Freq: 125.000kHz Trigger threshold: Samples to skip: Get Config Set Config Data: Normal(Require Password) Dump Restore Chinese Magic Card(Without Password) Lock UFUID Card About UID Card Set Parameter Wipe Simulate Clear Client Path: Port: Refresh Ports Select All KeyBlocks->Key KeyBlocks<-Key Fill Keys Trailer Decoder Set Fonts Read One Write One Read Selected Write Selected Sniff Sniff(14a) LF Config Frequency 125k 134k You might need a modified LF antenna if the freq is not 125k/134k. When setting the freq, the "hw setlfdivisor" will also be called. Bits per sample: Decimation: Averaging: Reset LF Operation Search Read and search for valid known tag. Read Sniff low frequency signal with LF field ON. Use this to get raw data from a tag. Tune Measure LF antenna tuning. If the antenna voltage has a obvious drop after putting card on the antenna, it is likely that the tag is a LF tag. On Iceman/RRG repo, press the button on PM3 to stop measuring Sniff low frequency signal with LF field OFF. Use this to get raw data from a reader or the communication between a tag and a reader. T55xx Basic Configuration(Page 0 Block 0) Hex: Bin: Get from Data Set to Data Locked: Master Key: Data Bit Rate: eXtended Mode: Modulation: PSK Clock Freq: Answer on Request: One Time Pad: Max Block: Password: Seq. Terminator: Seq. Start Marker: Fast Downlink: Inverse Data: Init-Delay: Analog Front-End Option(Page 1 Block 3) Option Key: Soft Modulation: Clamp Voltage: Modulation Voltage: Clock Detection Threshold: Gap Detection Threshold: Write Dampling: Demod Delay: Downlink Protocol: T55xx Read Config Bit Rate: Seq. Term. Offset: Inverted: T5577 T5555 RawCommand History: ClearHistory Send ClearOutput Settings Client Preload script path(Reconnect to apply): If the client requires some enviroment variables, you can make a script file(*.bat on Windows or *.sh on Linux) to configure them, then put the path of the script there. Client working directory(Reconnect to apply): On Windows, the client working directory should not be identical to the path of GUI, otherwise the client will use the wrong .dll file. Start arguments(Reconnect to apply): -f is necessary because the GUI need to handle the output in time. In some cases, the arguments should be set to "-p /dev/<port> -f" or "-p <port> -f". Config file path(Reconnect to apply): config.json Different clients require different config files. You can change the content of config file if the command format changes. Keep the client active even the PM3 hardware is disconnected.(Experimental) ../data <port> -f Keep buttons enabled even the client is running or disconnected GUI Language: Choose Language (Restart this app to use new language) Info Plz choose a port first Connected Not Connected Failed to open Continue? Dock all windows Ver: Check Update Failed to load config file Some of the data and key will be cleared. Plz select the font of data widget and key widget Data must consists of 32 Hex symbols(Whitespace is allowed) Key must consists of 12 Hex symbols(Whitespace is allowed) Plz select the data file: Binary Data Files(*.bin *.dump) All Files(*.*) Plz select the key file: Plz select the location to save data file: Failed to save to Plz select the location to save key file: Binary Key Files(*.bin *.dump) Text Data Files(*.txt *.eml) Normally, the Block 0 of a typical Mifare card, which contains the UID, is locked during the manufacture. Users cannot write anything to Block 0 or set a new UID to a normal Mifare card. Chinese Magic Cards(aka UID Cards) are some special cards whose Block 0 are writeable. And you can change UID by writing to it. There are two versions of Chinese Magic Cards, the Gen1 and the Gen2. Gen1: also called UID card in China. It responses to some backdoor commands so you can access any blocks without password. The Proxmark3 has a bunch of related commands(csetblk, cgetblk, ...) to deal with this type of card, and my GUI also support these commands. Gen2: doesn't response to the backdoor commands, which means that a reader cannot detect whether it is a Chinese Magic Card or not by sending backdoor commands. There are some types of Chinese Magic Card Gen2. CUID Card: the Block 0 is writeable, you can write to this block repeatedly by normal wrbl command. (hf mf wrbl 0 A FFFFFFFFFFFF <the data you want to write>) FUID Card: you can only write to Block 0 once. After that, it seems like a typical Mifare card(Block 0 cannot be written to). (some readers might try changing the Block 0, which could detect the CUID Card. In that case, you should use FUID card.) UFUID Card: It behaves like a CUID card(or UID card? I'm not sure) before you send some special command to lock it. Once it is locked, you cannot change its Block 0(just like a typical Mifare card). Seemingly, these Chinese Magic Cards are more easily to be compromised by Nested Attack(it takes little time to get an unknown key). Plz select the trace file: Plz select the location to save trace file: Trace Files(*.trc) Idle Stop Sec Blk KeyA KeyB HW Version: PM3: State: Running Actural Freq: Mifare Success! Info Plz provide at least one known key Failed! The Access Bits is invalid! It could make the whole sector blocked irreversibly! Continue to write? Successful! Failed to write to these blocks: Select them? Failed to read card.