For speed, just dump a working UL card, and take its three first blocks to make your magic UL work again
]]>but
proxmark3> hf mf cgetblk 0
--block number: 0
block data:04 01 02 8f ff ff ff ff ff ff ff ff ff ff ff ff
revive commands doesn`t help to get back tag.
How i can restore to work condition?
Which raw command must send?
]]>I've also been curious on these backdoor commands, trying to understand what they do.
We know since before that:
0x40 is init.
0x41 is wipe
0x43 is not keys needed for reading and writing. it just runs the commands given afterwards.
0x40, init backdoor mode
0x41, wipe fills card with 0xFF
0x42, fills card with 0x00
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
0x44, fills card with 0x55
0x45, fills card with 0xAA
0x46, fills card with 0x00
0x47, ??
0x48, ??
0x49, ??
used commands:
pm3 --> hf 14a raw -p -a -b 7 40
pm3 --> hf 14a raw -p -a 44
If you screwed up block 0,1,2 (where the uid is located) then just don't use the select option in raw cmd.
and write 3 new blocks with correct BBC and CRC
I got one from xpfga and ruin it the same way above.
]]>the "hf mfu setuid" doesn't work either.
]]>pm3 --> hf mf cgetblk 0
--block number: 0
data: 53 80 71 2A 02 00 D9 80 5B 48 00 00 00 00 00 00
pm3 --> hf mf cgetblk 1
--block number: 1
data: 02 00 D9 80 5B 48 00 00 00 00 00 00 00 00 00 00
pm3 --> hf mf cgetblk 2
--block number: 2
data: 5B 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pm3 -->
pm3 --> hf 14a raw -p -b 7 40
received 1 octets
0A
pm3 --> hf 14a raw -p 43
received 1 octets
0A
pm3 --> hf 14a raw -p -c a20059982120
received 1 octets
0A
pm3 --> hf li 14a
Recorded Activity (TraceLen = 266 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 53 98 21 62 | |
18688 | 29152 | Rdr |93 70 88 53 98 21 62 76 cc | ok | SELECT_UID
30388 | 33908 | Tag |04 da 17 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38836 | 44724 | Tag |20 00 79 80 d9 | |
46848 | 57312 | Rdr |95 70 20 00 79 80 d9 86 3a | ok | ANTICOLL-2
58548 | 62132 | Tag |00 fe 51 | |
1047168 | 1051936 | Rdr |e0 80 31 73 | ok | RATS
2333440 | 2334432 | Rdr |40 | | MAGIC WUPC1
2335924 | 2336500 | Tag |0a! | |
2340480 | 2341792 | Rdr |43 | | MAGIC WUPC2
2342964 | 2343540 | Tag |0a! | |
2347520 | 2352288 | Rdr |50 00 57 cd | ok | HALT
3609728 | 3610720 | Rdr |40 | | MAGIC WUPC1
3612340 | 3612916 | Tag |0a! | |
4859904 | 4861216 | Rdr |43 | | MAGIC WUPC2
4862516 | 4863092 | Tag |0a! | |
24320384 | 24329760 | Rdr |a2 00 59 98 21 20 00 c7 | ok | WRITEBLOCK(0)
24372532 | 24373108 | Tag |0a! | |
hf 14a read
pm3 --> hf 14a re
UID : 53 98 21 20 00 79 80
ATQA : 00 44
SAK : 00 [2]
TYPE : MIFARE Ultralight (MF0ICU1)
MANUFACTURER : no tag-info available
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES <--- look here!
hf mfu info
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight (MF0ICU1) <--- currently not identified as magic in our imp.
UID : 53 98 21 20 00 79 80
UID[0] : 53, no tag-info available
BCC0 : 62, Ok
BCC1 : D9, Ok
Internal : 48, default
Lock : 00 00 - 0
OneTimePad : 00 00 00 00 - 000
hf list 14a
pm3 --> hf list 14a
Recorded Activity (TraceLen = 199 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 53 98 21 62 | |
18688 | 29152 | Rdr |93 70 88 53 98 21 62 76 cc | ok | SELECT_UID
30388 | 33908 | Tag |04 da 17 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38836 | 44724 | Tag |20 00 79 80 d9 | |
46848 | 57312 | Rdr |95 70 20 00 79 80 d9 86 3a | ok | ANTICOLL-2
58548 | 62132 | Tag |00 fe 51 | |
1047168 | 1051936 | Rdr |e0 80 31 73 | ok | RATS
2333568 | 2334560 | Rdr |40 | | MAGIC WUPC1
2336052 | 2336628 | Tag |0a! | |
2340608 | 2341920 | Rdr |43 | | MAGIC WUPC2
2343092 | 2343668 | Tag |0a! | |
2347648 | 2352416 | Rdr |50 00 57 cd | ok | HALT
pm3 -->