MF_Attack_hardnestedDialogHardnested AttackKnown Block:Block:ABTarget Block:MF_Sim_simDialogSimulateuUID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be usednAutomatically exit simulation after <numreads> blocks have been read by reader. 0 = infiniteiInteractive, means that console will not be returned until simulation finishes or is abortedxCrack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)eset keys found from 'reader attack' to emulator memory (implies x and i)fget UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)rGenerate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack worksMF_UID_parameterDialogSet ParameterUID:ATQA:SAK:MF_trailerDecoderDialogTrailer DecoderBlocks416Trailer Data:
(like "FF0780" or "FF 07 80")Or set bits manuallyCx0Cx1Cx2Cx3Data Block Permission:Block0Block1Block2ReadWriteIncreaseDecrease/Transfer/RestoreTrailer Block Permission:KeyAAccess BitsKeyBReference:
MF1S70YYX_V1 Product data sheet
Rev. 3.2 — 23 November 2017Note:the Access Bits usually contains 4 bytes(8 hex symbols), but only the first 3 bytes matters. You can set the 4th byte randomly.Invalid!
It could make the whole sector blocked irreversibly!ValidMainWindowProxmark3GUIPath:RefreshConnectDisconnectMifareSelect TrailerCard TypeMINI3201K10242K20484K4096FileLoadSaveDataKeyAttackCard InfoCheck DefaultNestedHardnestedRead/WriteBlock:Key:Key Type:SnoopList DataData:Normal(Require Password)DumpRestoreChinese Magic Card(Without Password)Lock UFUID CardAbout UID CardSet ParameterWipeSimulateClearSelect AllKeyBlocks->KeyKeyBlocks<-KeyFill KeysTrailer DecoderSet FontsRead OneWrite OneRead SelectedWrite SelectedSniffRawCommandHistory:ClearHistorySendClearOutputInfoPlz choose a port firstConnectedNot ConnectedBinary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml);;All Files(*.*)Failed to openContinue?Check UpdateSome of the data and key will be cleared.Plz select the font of data widget and key widgetData must consists of 32 Hex symbols(Whitespace is allowed)Key must consists of 12 Hex symbols(Whitespace is allowed)Plz select the data file:Plz select the key file:Binary Key Files(*.bin *.dump);;Binary Data Files(*.bin *.dump);;All Files(*.*)Plz select the location to save data file:Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml)Failed to save toPlz select the location to save key file:Binary Key Files(*.bin *.dump) Normally, the Block 0 of a typical Mifare card, which contains the UID, is locked during the manufacture. Users cannot write anything to Block 0 or set a new UID to a normal Mifare card. Chinese Magic Cards(aka UID Cards) are some special cards whose Block 0 are writeable. And you can change UID by writing to it.There are two versions of Chinese Magic Cards, the Gen1 and the Gen2. Gen1: also called UID card in China. It responses to some backdoor commands so you can access any blocks without password. The Proxmark3 has a bunch of related commands(csetblk, cgetblk, ...) to deal with this type of card, and my GUI also support these commands. Gen2: doesn't response to the backdoor commands, which means that a reader cannot detect whether it is a Chinese Magic Card or not by sending backdoor commands.There are some types of Chinese Magic Card Gen2. CUID Card: the Block 0 is writeable, you can write to this block repeatedly by normal wrbl command. (hf mf wrbl 0 A FFFFFFFFFFFF <the data you want to write>) FUID Card: you can only write to Block 0 once. After that, it seems like a typical Mifare card(Block 0 cannot be written to). (some readers might try changing the Block 0, which could detect the CUID Card. In that case, you should use FUID card.) UFUID Card: It behaves like a CUID card(or UID card? I'm not sure) before you send some special command to lock it. Once it is locked, you cannot change its Block 0(just like a typical Mifare card). Seemingly, these Chinese Magic Cards are more easily to be compromised by Nested Attack(it takes little time to get an unknown key).Plz select the trace file:Trace Files(*.trc);;All Files(*.*)Plz select the location to save trace file:Trace Files(*.trc)IdleSecBlkKeyAKeyBHW Version:PM3:State:RunningMifareSuccess!InfoPlz provide at least one known keyFailed!Failed to read card.