MF_Attack_hardnestedDialogHardnested AttackHardnested攻击Known Block:已知块:Block:块:ABTarget Block:目标块:MF_Sim_simDialogSimulate模拟uUID 4 or 7 bytes. If not specified, the UID 4B from emulator memory will be used4或7字节的UID,如果不指定,则使用模拟器内存中的4字节UID--atqaProvide explicit ATQA (2 bytes)指定ATQA(2个字节)--sakProvide explicit SAK (1 byte)指定SAK(1个字节)nAutomatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite在读卡器读取<n>个块后自动退出模拟,n为0或不指定时永远不退出iInteractive, means that console will not be returned until simulation finishes or is aborted交互模式,勾选后PM3客户端将在模拟完成或者模拟中断后才可继续使用xCrack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)破解,对读卡器进行攻击,通过nr/ar攻击来钓出密码(无卡嗅探)eset keys found from 'reader attack' to emulator memory (implies x(--crack) and i)在获得密码后自动将密码写入模拟器内存(自动勾选x(--crack)和i)-vverbose output更多输出内容fget UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)从<filename.txt>当中获取用于破解读卡器的UID(批量模拟)(自动勾选x和i)rGenerate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works生成随机nonce而不是顺序的nonce,这种情况下PM3将不对读卡器进行标准攻击,只进行moebius攻击MF_UID_parameterDialogSet Parameter设置卡参数UID:卡号:ATQA:SAK:MF_trailerDecoderDialogTrailer DecoderTrailer解码Blocks块大小416Trailer Data:
(like "FF0780" or "FF 07 80")输入控制位数据
(形如“FF0780”或“FF 07 80”)Or set bits manually手动设置访问情况:Cx0Cx1Cx2Cx3Data Block Permission:数据块访问权限:Block0块0Block1块1Block2块2Read读Write写Increase增加Decrease/Transfer/Restore减少/从缓冲区写入/读入至缓冲区Trailer Block Permission:Trailer访问权限:KeyA密钥AAccess Bits控制位KeyB密钥BReference:
MF1S70YYX_V1 Product data sheet
Rev. 3.2 — 23 November 2017参考资料:
MF1S70YYX_V1 Product data sheet
Rev. 3.2 — 23 November 2017Note:the Access Bits usually contains 4 bytes(8 hex symbols), but only the first 3 bytes matters. You can set the 4th byte randomly.注意:Access Bits一般包含4个字节(8个16进制字符),但只有前3个字节决定访问情况,最后一个字节可任意设置。Invalid!
It could make the whole sector blocked irreversibly!无效!
可能导致整个扇区被不可逆转地锁定!Valid有效MainWindowProxmark3GUIConnect连接Disconnect断开MifareMifare(IC)卡Select Trailer选中密码块Card Type卡片类型MINI3201K10242K20484K4096File文件Load加载Save保存Data数据Key密钥Attack破解Card Info读卡信息Check Default验证默认密码NestedNested攻击HardnestedHardested攻击DarksideDarkside攻击Read/Write读/写Block:块:Key:密钥:Key Type:密钥类型:List Data列出嗅探数据Data:数据:Normal(Require Password)普通卡(需要密码)DumpDump命令RestoreRestore命令Chinese Magic Card(Without Password)UID卡(不需要密码)Lock UFUID Card锁定UFUID卡About UID Card关于UID卡Set Parameter设置卡参数Wipe擦除Simulate模拟Clear清空Client Path:客户端路径:Port:端口:Refresh Ports刷新端口Select All全选KeyBlocks->Key密码区->密码KeyBlocks<-Key密码区<-密码Fill Keys填充密码Trailer DecoderTrailer解码Set Fonts设置字体Read One读取单个块Write One写入单个块Read Selected读取选中块Write Selected写入选中块Sniff嗅探Sniff(14a)嗅探(14a)LF/DataLF ConfigFrequency125k134kBitRate:Decimation:Averaging:Threshold:Skips:GetSetT55xxRawCommand原始命令History:命令历史:ClearHistory清空历史Send发送ClearOutput清空输出Settings设置Client客户端Preload script path:预加载脚本路径:Note:
If the client requires some enviroment variables, you can make a script file(*.bat on Windows or *.sh on Linux) to configure them,
then put the path of the script there注意:
如果客户端需要配置环境变量才能正常运行,可以将配置环境变量所需的脚本文件(Windows系统内为*.bat,linux系统内为*.sh)路径填入此处Client working directory:客户端工作路径:../dataNote:
On Windows, the client working directory should not be identical to the path of GUI, otherwise the client will use the wrong .dll file.注意:
在Windows系统中,客户端工作路径与GUI程序所在路径不能相同,否则客户端会使用错误的.dll文件。Start arguments启动参数<port> -fNote:
-f is necessary because the GUI need to handle the output in time
In some cases the arguments should be set to "-p /dev/<port> -f"
or "-p <port> -f"注意:
-f选项用于使客户端实时返回命令回显,必须添加
部分情况下启动参数需设置为"-p /dev/<port> -f"
或"-p <port> -f"Language: 语言: Choose Language选择语言(Restart this app to use new language)(重启此程序以使用新语言)Keep buttons enabled even the client is running or disconnected保持所有按钮可点击,即使未连接客户端或有任务正在运行GUI图形化界面Info信息Plz choose a port first请先选择端口Connected已连接Not Connected未连接Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml);;All Files(*.*)二进制数据文件(*.bin *.dump);;文本数据文件(*.txt *.eml);;所有文件(*.*)Failed to open无法打开Continue?确定?Check Update检查更新Some of the data and key will be cleared.部分数据和密码将被清除Plz select the font of data widget and key widget请选择数据窗口和密钥窗口的字体Data must consists of 32 Hex symbols(Whitespace is allowed)数据必须由32个十六进制字符组成(中间可含有空格)Key must consists of 12 Hex symbols(Whitespace is allowed)密钥必须由12个十六进制字符组成(中间可含有空格)Plz select the data file:请选择数据文件:Plz select the key file:请选择密钥文件:Binary Key Files(*.bin *.dump);;Binary Data Files(*.bin *.dump);;All Files(*.*)二进制密钥文件(*.bin *.dump)二进制密钥文件(*.bin *.dump);所有文件(*.*)Plz select the location to save data file:请选择数据文件保存的位置:Binary Data Files(*.bin *.dump);;Text Data Files(*.txt *.eml)二进制数据文件(*.bin *.dump);文本数据文件(*.txt *.eml)Failed to save to无法保存至Plz select the location to save key file:请选择密钥文件保存的位置:Binary Key Files(*.bin *.dump)二进制密码文件(*.bin *.dump) Normally, the Block 0 of a typical Mifare card, which contains the UID, is locked during the manufacture. Users cannot write anything to Block 0 or set a new UID to a normal Mifare card. 普通Mifare卡的块0无法写入,卡号也不能更改 Chinese Magic Cards(aka UID Cards) are some special cards whose Block 0 are writeable. And you can change UID by writing to it. UID卡(在国外叫Chinese Magic Card)的块0可写,卡号可变。There are two versions of Chinese Magic Cards, the Gen1 and the Gen2.国外把UID卡分为Chinese Magic Card Gen1和Gen2 Gen1: also called UID card in China. It responses to some backdoor commands so you can access any blocks without password. The Proxmark3 has a bunch of related commands(csetblk, cgetblk, ...) to deal with this type of card, and my GUI also support these commands. 指通常所说的UID卡,可以通过后门指令直接读写块而无需密码,在PM3和此GUI中有特殊命令处理这类卡片 Gen2: doesn't response to the backdoor commands, which means that a reader cannot detect whether it is a Chinese Magic Card or not by sending backdoor commands. 这个叫法在国内比较罕见,在国外指CUID/FUID/UFUID这类对后门指令不响应的卡(防火墙卡)There are some types of Chinese Magic Card Gen2.以下是Gen2卡的详细介绍 CUID Card: CUID卡: the Block 0 is writeable, you can write to this block repeatedly by normal wrbl command. 可通过普通的写块命令来写块0,可重复擦写 (hf mf wrbl 0 A FFFFFFFFFFFF <the data you want to write>) (hf mf wrbl 0 A FFFFFFFFFFFF <待写入数据>) FUID Card: FUID卡: you can only write to Block 0 once. After that, it seems like a typical Mifare card(Block 0 cannot be written to). 块0只能写入一次 (some readers might try changing the Block 0, which could detect the CUID Card. In that case, you should use FUID card.) (更高级的穿防火墙卡,可以过一些能识别出CUID卡的读卡器) UFUID Card: UFUID卡: It behaves like a CUID card(or UID card? I'm not sure) before you send some special command to lock it. Once it is locked, you cannot change its Block 0(just like a typical Mifare card). 锁卡前和普通UID/CUID卡一样可以反复读写块0,用特殊命令锁卡后就和FUID卡一样了 Seemingly, these Chinese Magic Cards are more easily to be compromised by Nested Attack(it takes little time to get an unknown key). 所有UID卡都似乎更容易被Nested攻击破解Plz select the trace file:请选择trace文件:Trace Files(*.trc);;All Files(*.*)Trace文件(*.trc);;所有文件(*.*)Plz select the location to save trace file:请选择trace文件保存的位置:Trace Files(*.trc)Trace文件(*.trc)Idle空闲Stop停止Sec扇区Blk块KeyA密钥AKeyB密钥BHW Version:固件版本:PM3:连接状态:State:运行状态:Running正在运行MifareSuccess!成功!Info信息Plz provide at least one known key请至少提供一个已知密码Failed!失败!The Access Bits is invalid!
It could make the whole sector blocked irreversibly!
Continue to write?控制位无效!
使用该控制位可能导致目标扇区损坏且无法恢复!
确定要写入吗?Successful!成功!Failed to write to these blocks:写入以下块失败:Select them?选中这些块?Failed to read card.读卡失败。