Merge pull request #2742 from team-orangeBlue/mf4

Document MF4 tags
RfidResearchGroup · Feb 3, 2025 · 0d054c6 · 0d054c6
2 parents 53a1d5b + 2714012
commit 0d054c6
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+- Changed `doc/magic_cards_notes.md` - now contains documentation for iKey LLC's MF4 tag (@team-orangeBlue)
 - Changed `hf mf cload` - now accepts MFC Ev1 sized dumps (@iceman1001)
 - Changed `hf mfu info` - now properly identify ULEv1 AES 50pF (@iceman1001)
 - Changed `hf mf info` - now differentiates between full USCUID and cut down ZUID chips (@nvx)

diff --git a/doc/magic_cards_notes.md b/doc/magic_cards_notes.md
@@ -29,6 +29,7 @@ Useful docs:
   * [MIFARE Classic Gen1B](#mifare-classic-gen1b)
   * [Mifare Classic Direct Write OTP](#mifare-classic-direct-write-otp)
   * [MIFARE Classic OTP 2.0](#mifare-classic-otp-20)
+  * [MIFARE Classic MF4](#mifare-classic-mf4)
   * [MIFARE Classic DirectWrite aka Gen2 aka CUID](#mifare-classic-directwrite-aka-gen2-aka-cuid)
   * [MIFARE Classic Gen3 aka APDU](#mifare-classic-gen3-aka-apdu)
   * [MIFARE Classic USCUID](#mifare-classic-uscuid)
@@ -642,6 +643,92 @@ hf mf info
 
 * Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
 
+## MIFARE Classic MF4
+
+^[Top](#top)
+
+Similar to OTP 2.0, but now additional configuration is possible.
+Were manufactured by iKey LLC as a replacement for MF3.
+
+### Characteristics
+
+* Initial UID is 00000000
+* BCC: unknown
+* SAK/ATQA: configurable
+* ATS: configurable
+* PPS: configurable (fake response)
+* All bytes are 00 from factory wherever possible.
+
+### Identify
+
+^[Top](#top)
+
+Only possible before personalization.
+
+```
+hf mf info
+...
+[=] --- Magic Tag Information
+[+] Magic capabilities... Gen 1a
+
+[=] --- PRNG Information
+[+] Prng................. hard
+
+hf mf cgetblk --blk 3
+hf mf rdbl --blk 3
+[ If the ACLs do not match, this is an MF4 ]
+```
+
+### Magic commands
+
+^[Top](#top)
+
+Warning: changing the UID from 00000000 will disable all of these commands permanently.
+
+* Read backdoor: `40(7)`, `43`, `30xx`+crc
+* Write: `40(7)`, `43`, `A0xx`+crc, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`+crc
+
+### Magic configuration
+
+^[Top](#top)
+
+By accessing trailers of sectors 11-15 using gen1 mode, it is possible to re-configure the tag.
+
+The layout for a sector is below:
+* block 0: data
+* block 1: data
+* block 2: data
+* block 3[0-5] - key A
+* block 3[6] - configuration byte
+* block 3[7] - ACL byte [bits 7-4], configuration[3-0]/RFU
+* block 3[8] - ACL byte
+* block 3[9] - ACL user byte
+* block 3[10-15] - key B
+
+Any data set in one mode will be mirrored to the other, as such be careful when configuring from gen1 mode to avoid unintentionally changing access conditions, keys or configurations.
+
+Here is how the IC can be configured:
+* ATS
+  * Maximum length is 16 bytes inclduing TL
+  * Stored in trailers of sectors 0-10 (bytes 0-10: byte 6 of the matching sector; bytes 11-15: byte 7 lower half of sectors `(byte num.-11) (is lower half? +1 if yes)`)
+  * To avoid issues, please set unused bytes to 00
+  * **Example** - to make the 15th byte `AF` you should set block 31 to `FFFFFFFFFFFF 00 0 A 8000 FFFFFFFFFFFF` and block 35 to `FFFFFFFFFFFF 00 0 F 8000 FFFFFFFFFFFF`
+* ATQA/SAK
+  * If the values are changed from defaults, the custom values will be used during anticollision.
+  * SAK (CL2/final select, default 0x08): sector 11 trailer, byte 6
+  * SAK (7b intermediate, default 0x04): sector 12 trailer, byte 6
+  * ATQA (higher half (transmission), default 0x44): sector 13 trailer, byte 6
+  * ATQA (lower half (transmission), default 0x00): sector 14 trailer, byte 6
+  * **Example** - to make the SAK `28`, you should set block 47 to `FFFFFFFFFFFF 28 0 0 8000 FFFFFFFFFFFF`
+* Anticollision behavior
+  * PPS support: sector 14 trailer, byte 7, bit 2 (from least significant); 0: off, 1: on
+  * RATS support: sector 14 trailer, byte 7, bit 0 (from least significant); 0: off; 1: on
+  * CL2 (7 byte UID) support: sector 15 trailer, byte 7, bit 3 (from least significant); 0: 4 bytes, 1: 7 bytes
+  * **Example** - to enable 7 byte UIDs, you should set block 63 to `FFFFFFFFFFFF 00 0 8 8000 FFFFFFFFFFFF`
+* Locking the IC, i.e. removing magic wakeup
+  * In block 63, set byte 7 bits 2 and 0 to `0b1`, resulting in byte 7 containing at least `05`.
+  * Write your UID.
+
 ## MIFARE Classic DirectWrite aka Gen2 aka CUID
 
 ^[Top](#top)
@@ -650,8 +737,8 @@ hf mf info
 
 * Other names:
   * MF-8 (RU)
-  * MF-3 (RU)
-    * What's so special about this chip in particular..?
+  * MF-3 (RU) - not susceptible to "field reset bug", a way to detect [OTP](#mifare-classic-direct-write-otp) chips.
+  * MF-3.2 (RU) - static nonce `01200145`, helps avoid magic detection.
 
 ### Identify