MF_Attack_hardnestedDialog Hardnested Attack Known Block: Block: A B Target Block: MF_Sim_simDialog Simulate u UID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be used n Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite i Interactive, means that console will not be returned until simulation finishes or is aborted x Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s) e set keys found from 'reader attack' to emulator memory (implies x and i) f get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i) r Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works MF_UID_parameterDialog Set Parameter UID: ATQA: SAK: MF_trailerDecoderDialog Trailer Decoder Blocks 4 16 Trailer Data: (like "FF0780" or "FF 07 80") Or set bits manually Cx0 Cx1 Cx2 Cx3 Data Block Permission: Block0 Block1 Block2 Read Write Increase Decrease/Transfer/Restore Trailer Block Permission: KeyA Access Bits KeyB Reference: MF1S70YYX_V1 Product data sheet Rev. 3.2 — 23 November 2017 Note:the Access Bits usually contains 4 bytes(8 hex symbols), but only the first 3 bytes matters. You can set the 4th byte randomly. Invalid! It could make the whole sector blocked irreversibly! Valid MainWindow Proxmark3GUI Path: Refresh Connect Disconnect Mifare Select Trailer Card Type MINI 320 1K 1024 2K 2048 4K 4096 File Load Save Data Key Attack Card Info Check Default Nested Hardnested Darkside Read/Write Block: Key: Key Type: Snoop List Data Data: Normal(Require Password) Dump Restore Chinese Magic Card(Without Password) Lock UFUID Card About UID Card Set Parameter Wipe Simulate Clear Select All KeyBlocks->Key KeyBlocks<-Key Fill Keys Trailer Decoder Set Fonts Read One Write One Read Selected Write Selected Sniff LF/Data LF Config Frequency 125k 134k BitRate: Decimation: Averaging: Threshold: Skips: Get Set T55xx RawCommand History: ClearHistory Send ClearOutput Settings Client Preload environment variables Value Add Delete Note: If the variable name already exists, this app will add the new value to the head of the existing one, so these new values have higher priority when calling Proxmark3 client. The environment variables added here won't affect other apps. Start arguments <port> -f Note: -f is necessary because the GUI need to handle the output in time In some cases the arguments should be set to "-p /dev/<port> -f" or "-p <port> -f" Keep buttons enabled even the client is running or disconnected GUI Language Info Plz choose a port first Connected Not Connected Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml);;All Files(*.*) Failed to open Continue? Check Update Some of the data and key will be cleared. Plz select the font of data widget and key widget Data must consists of 32 Hex symbols(Whitespace is allowed) Key must consists of 12 Hex symbols(Whitespace is allowed) Plz select the data file: Plz select the key file: Binary Key Files(*.bin *.dump);;Binary Data Files(*.bin *.dump);;All Files(*.*) Plz select the location to save data file: Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml) Failed to save to Plz select the location to save key file: Binary Key Files(*.bin *.dump) Normally, the Block 0 of a typical Mifare card, which contains the UID, is locked during the manufacture. Users cannot write anything to Block 0 or set a new UID to a normal Mifare card. Chinese Magic Cards(aka UID Cards) are some special cards whose Block 0 are writeable. And you can change UID by writing to it. There are two versions of Chinese Magic Cards, the Gen1 and the Gen2. Gen1: also called UID card in China. It responses to some backdoor commands so you can access any blocks without password. The Proxmark3 has a bunch of related commands(csetblk, cgetblk, ...) to deal with this type of card, and my GUI also support these commands. Gen2: doesn't response to the backdoor commands, which means that a reader cannot detect whether it is a Chinese Magic Card or not by sending backdoor commands. There are some types of Chinese Magic Card Gen2. CUID Card: the Block 0 is writeable, you can write to this block repeatedly by normal wrbl command. (hf mf wrbl 0 A FFFFFFFFFFFF <the data you want to write>) FUID Card: you can only write to Block 0 once. After that, it seems like a typical Mifare card(Block 0 cannot be written to). (some readers might try changing the Block 0, which could detect the CUID Card. In that case, you should use FUID card.) UFUID Card: It behaves like a CUID card(or UID card? I'm not sure) before you send some special command to lock it. Once it is locked, you cannot change its Block 0(just like a typical Mifare card). Seemingly, these Chinese Magic Cards are more easily to be compromised by Nested Attack(it takes little time to get an unknown key). Plz select the trace file: Trace Files(*.trc);;All Files(*.*) Plz select the location to save trace file: Trace Files(*.trc) Idle Stop Sec Blk KeyA KeyB HW Version: PM3: State: Running Mifare Success! Info Plz provide at least one known key Failed! The Access Bits is invalid! It could make the whole sector blocked irreversibly! Continue to write? Successful! Failed to write to these blocks: Select them? Failed to read card.