MF_Attack_hardnestedDialog
Hardnested Attack
Known Block:
Block:
A, B
Target Block:

MF_Sim_simDialog
Simulate
u: UID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be used
n: Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite
i: Interactive, means that console will not be returned until simulation finishes or is aborted
x: Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)
e: set keys found from 'reader attack' to emulator memory (implies x and i)
f: get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)
r: Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works

MF_UID_parameterDialog
Set Parameter
UID:, ATQA:, SAK:

MF_trailerDecoderDialog
Trailer Decoder
Blocks: 4, 16
Trailer Data: (like "FF0780" or "FF 07 80")
Or set bits manually
Cx0, Cx1, Cx2, Cx3
Data Block Permission:
Block0, Block1, Block2
Read, Write, Increase, Decrease/Transfer/Restore
Trailer Block Permission:
KeyA, Access Bits, KeyB
Reference: MF1S70YYX_V1 Product data sheet, Rev. 3.2 — 23 November 2017
Note: the Access Bits usually contain 4 bytes (8 hex symbols), but only the first 3 bytes matter. You can set the 4th byte randomly.
Invalid! It could make the whole sector blocked irreversibly!
Valid

MainWindow
Proxmark3GUI
Path:, Refresh, Connect, Disconnect
Mifare
Select Trailer
Card Type: MINI 320, 1K 1024, 2K 2048, 4K 4096
File, Load, Save, Data, Key
Attack, Card Info, Check Default, Nested, Hardnested
Read/Write, Block:, Key:, Key Type:
Snoop, List Data, Data:
Normal(Require Password), Dump, Restore
Chinese Magic Card(Without Password), Lock UFUID Card, About UID Card, Set Parameter, Wipe, Simulate, Clear, Select All
KeyBlocks->Key, KeyBlocks<-Key, Fill Keys, Trailer Decoder, Set Fonts
Read One, Write One, Read Selected, Write Selected
Sniff
RawCommand, History:, ClearHistory, Send, ClearOutput
Info
Please choose a port first
Connected, Not Connected
Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml);;All Files(*.*)
Failed to open
Continue?
Check Update
Some of the data and keys will be cleared.
Please select the font of the data widget and key widget
Data must consist of 32 hex symbols (whitespace is allowed)
Key must consist of 12 hex symbols (whitespace is allowed)
Please select the data file:
Please select the key file:
Binary Key Files(*.bin *.dump);;Binary Data Files(*.bin *.dump);;All Files(*.*)
Please select the location to save data file:
Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml)
Failed to save to
Please select the location to save key file:
Binary Key Files(*.bin *.dump)

Normally, Block 0 of a typical Mifare card, which contains the UID, is locked during manufacture. Users cannot write anything to Block 0 or set a new UID on a normal Mifare card.
Chinese Magic Cards (aka UID Cards) are special cards whose Block 0 is writeable, so you can change the UID by writing to it.
There are two versions of Chinese Magic Cards, Gen1 and Gen2.
Gen1: also called UID card in China. It responds to some backdoor commands, so you can access any block without a password. The Proxmark3 has a bunch of related commands (csetblk, cgetblk, ...) to deal with this type of card, and my GUI also supports these commands.
Gen2: doesn't respond to the backdoor commands, which means that a reader cannot detect whether it is a Chinese Magic Card or not by sending backdoor commands. (The name Gen2 is rarely used in China; abroad it refers to cards such as CUID/FUID/UFUID that do not respond to backdoor commands.)
There are several types of Chinese Magic Card Gen2.
CUID Card: Block 0 is writeable; you can write to this block repeatedly with the normal wrbl command.
(hf mf wrbl 0 A FFFFFFFFFFFF <the data you want to write>)
FUID Card: you can only write to Block 0 once. After that, it seems like a typical Mifare card (Block 0 cannot be written to).
(some readers might try changing Block 0, which could detect the CUID Card. In that case, you should use FUID card.)
UFUID Card: It behaves like a CUID card (or UID card? I'm not sure) before you send some special command to lock it. Once it is locked, you cannot change its Block 0 (just like a typical Mifare card).
Seemingly, these Chinese Magic Cards are more easily compromised by Nested Attack (it takes little time to get an unknown key).

Please select the trace file:
Trace Files(*.trc);;All Files(*.*)
Please select the location to save trace file:
Trace Files(*.trc)
Idle
Sec, Blk, KeyA, KeyB
HW Version:, PM3:, State:
Running

Mifare
Success!
Info
Please provide at least one known key
Failed!
Failed to read card.