MF_Attack_hardnestedDialog
Hardnested Attack
Known Block:
Block:
A
B
Target Block:

MF_Sim_simDialog
Simulate
u: UID, 4 or 7 bytes. If not specified, the 4-byte UID from emulator memory is used.
--atqa: Provide an explicit ATQA (2 bytes).
--sak: Provide an explicit SAK (1 byte).
n: Automatically exit the simulation after <numreads> blocks have been read by the reader. 0 (or unset) = run forever.
i: Interactive; the console is not returned until the simulation finishes or is aborted.
x: Crack. Performs the "reader attack" (nr/ar attack) against a legitimate reader and fishes out the key(s); no real card is needed.
e: Store the keys found by the "reader attack" in emulator memory (implies x (--crack) and i).
-v: Verbose output.
f: Read the UIDs to use for the "reader attack" from a file, "f <filename.txt>" (batch simulation; implies x and i).
r: Generate random nonces instead of sequential nonces. The standard reader attack does not work with this option; only the moebius attack does.

MF_UID_parameterDialog
Set Parameter
UID:
ATQA:
SAK:

MF_trailerDecoderDialog
Trailer Decoder
Blocks (per sector): 4 / 16
Trailer Data: (like "FF0780" or "FF 07 80")
Or set bits manually
Cx0 Cx1 Cx2 Cx3
Data Block Permission:
Block0 Block1 Block2
Read / Write / Increase / Decrease/Transfer/Restore
Trailer Block Permission:
KeyA / Access Bits / KeyB
Reference: MF1S70YYX_V1 Product data sheet Rev. 3.2 — 23 November 2017
Note: the Access Bits field is usually given as 4 bytes (8 hex symbols), but only the first 3 bytes determine the access conditions. The 4th byte (the general-purpose byte) can be set to any value.
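The note above is what the Trailer Decoder automates: bytes 6, 7 and 8 of a MIFARE Classic sector trailer hold the C1/C2/C3 condition bits for the three data blocks and the trailer, with inverted copies in bytes 6 and 7. The following decoder and validator is an added example, not code from Proxmark3GUI; the byte layout and the two condition tables are taken from the NXP MF1S50/MF1S70 data sheets, and the sample inputs are constructed.

```python
"""Decode and validate MIFARE Classic sector-trailer access bits.

Added example, not part of Proxmark3GUI. Only bytes 6, 7 and 8 of the trailer
carry the access conditions (bytes 6 and 7 hold inverted copies of the bits,
which is what the "Invalid" check is about); byte 9 is a free general-purpose byte.
"""
from typing import Dict, List, Tuple

Cond = Tuple[int, int, int]  # (C1, C2, C3) for one block

# Data-block access conditions: read, write, increment, decrement/transfer/restore.
DATA_BLOCK_RULES: Dict[Cond, Tuple[str, str, str, str]] = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),            # value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Trailer access conditions: KeyA read/write, access-bits read/write, KeyB read/write.
TRAILER_RULES: Dict[Cond, Tuple[str, str, str, str, str, str]] = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),   # transport configuration (FF 07 80)
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}


def parse_access_bytes(text: str) -> bytes:
    """Accept "FF0780", "FF 07 80" or "FF 07 80 69"; return bytes 6..8 only."""
    raw = bytes.fromhex("".join(text.split()))
    if len(raw) not in (3, 4):
        raise ValueError("access bits must be 3 or 4 bytes")
    return raw[:3]


def _nibble(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def encode_bits(c1: List[int], c2: List[int], c3: List[int]) -> bytes:
    """Build bytes 6..8 from per-block bits (index 0..2 = data blocks, 3 = trailer)."""
    inv = lambda bits: _nibble([1 - b for b in bits])
    b6 = (inv(c2) << 4) | inv(c1)          # ~C2 | ~C1
    b7 = (_nibble(c1) << 4) | inv(c3)      #  C1 | ~C3
    b8 = (_nibble(c3) << 4) | _nibble(c2)  #  C3 |  C2
    return bytes([b6, b7, b8])


def extract_bits(ab: bytes) -> Tuple[List[int], List[int], List[int]]:
    """Read C1/C2/C3 from the non-inverted nibbles (byte 7 high, byte 8 low/high)."""
    _, b7, b8 = ab
    c1 = [(b7 >> (4 + i)) & 1 for i in range(4)]
    c2 = [(b8 >> i) & 1 for i in range(4)]
    c3 = [(b8 >> (4 + i)) & 1 for i in range(4)]
    return c1, c2, c3


def is_valid(ab: bytes) -> bool:
    """True iff the inverted copies agree with the plain bits.

    Writing a trailer that fails this check blocks the sector irreversibly,
    so run it before any write to the trailer block of a sector.
    """
    return encode_bits(*extract_bits(ab)) == ab


def decode(text: str) -> Dict[str, object]:
    """Validate and decode; permissions are only meaningful when 'valid' is True."""
    ab = parse_access_bytes(text)
    c1, c2, c3 = extract_bits(ab)
    return {
        "valid": is_valid(ab),
        "data": {blk: DATA_BLOCK_RULES[(c1[blk], c2[blk], c3[blk])] for blk in range(3)},
        "trailer": TRAILER_RULES[(c1[3], c2[3], c3[3])],
    }


if __name__ == "__main__":
    # Constructed inputs: factory default, a common "KeyB writes everything"
    # layout, and a corrupted word that must be rejected.
    for sample in ("FF 07 80 69", "78 77 88", "FF 07 81"):
        print(sample, "->", decode(sample))
```

For the 16-block sectors of a 4K card the same three data-block columns apply to block groups 0-4, 5-9 and 10-14 rather than to single blocks; the trailer column is unchanged. Note that a word can be valid and still lock you out of the sector (for example access bits write = never), which is a legitimate configuration and not what the "Invalid" check reports.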
Invalid! It could make the whole sector blocked irreversibly!
Valid
Block
KeyA+B

MainWindow
Proxmark3GUI
Connect
Disconnect
Mifare
Select Trailer
Card Type: MINI (320), 1K (1024), 2K (2048), 4K (4096)
File: Load, Save
Data
Key
Attack
Card Info
Check Default (check default keys)
Nested
Hardnested
Darkside
Read/Write
Block:
Key:
Key Type:
List Data (list sniffed data)
Data:
Normal (Require Password)
Dump
Restore
Chinese Magic Card (Without Password)
Lock UFUID Card
About UID Card
Set Parameter
Wipe
Simulate
Clear
Client Path:
Port:
Refresh Ports
Select All
KeyBlocks->Key
KeyBlocks<-Key
Fill Keys
Trailer Decoder
Set Fonts
Read One
Write One
Read Selected
Write Selected
Sniff
Sniff(14a)
LF Config
Frequency: 125k / 134k
You might need a modified LF antenna if the frequency is not 125k/134k. When the frequency is set, "hw setlfdivisor" is also called to change the divisor in the firmware.
Bits per sample:
Decimation:
Averaging:
Reset
LF Operation
Search: Read and search for a valid known tag.
Read: Sniff the low-frequency signal with the LF field ON. Use this to get raw data from a tag.
Tune: Measure LF antenna tuning. If the antenna voltage drops noticeably after a card is placed on the antenna, the tag is likely an LF tag. On the Iceman/RRG repo, press the button on the PM3 to stop measuring.
Sniff the low-frequency signal with the LF field OFF. Use this to get raw data from a reader, or the communication between a tag and a reader.
T55xx
Basic Configuration (Page 0 Block 0)
Hex:
Bin:
Get from Data
Set to Data
Locked:
Master Key:
Data Bit Rate:
eXtended Mode:
Modulation:
PSK Clock Freq:
Answer on Request:
One Time Pad:
Max Block:
Password:
Seq. Terminator:
Seq. Start Marker:
Fast Downlink:
Inverse Data:
Init-Delay:
Analog Front-End Option (Page 1 Block 3)
Option Key:
Soft Modulation:
Clamp Voltage:
Modulation Voltage:
Clock Detection Threshold:
Gap Detection Threshold:
Write Damping:
Demod Delay:
Downlink Protocol:
T55xx Read Config
Bit Rate:
Seq. Term. Offset:
Inverted:
T5577
T5555

RawCommand
History:
ClearHistory
Send
ClearOutput

Settings
Client
../data
<port> -f
Language:
Choose Language (Restart this app to use the new language)
Keep buttons enabled even when the client is running or disconnected
LF
other
Divisor:
Actual Freq: 125.000kHz (the LF carrier is 12 MHz / (divisor + 1); divisor 95 gives 125.000 kHz)
Trigger threshold:
Samples to skip:
Get Config
Set Config
Preload script path (Reconnect to apply): If the client requires some environment variables, you can write a script file (*.bat on Windows or *.sh on Linux) that sets them and put the path of that script here.
Client working directory (Reconnect to apply): On Windows, the client working directory should not be identical to the path of the GUI, otherwise the client will load the wrong .dll files.
Start arguments (Reconnect to apply): -f is necessary because the GUI needs to receive the client's output as it is produced.
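The T55xx Basic Configuration fields listed above (Master Key, Data Bit Rate, eXtended Mode, Modulation, PSK Clock Freq, Answer on Request, One Time Pad, Max Block, Password, Seq. Terminator, Fast Downlink, Inverse Data, Init-Delay) are all packed into the single 32-bit word in page 0 block 0, which is what the Hex/Bin boxes and "Get from Data" move around. The decoder below is an added example, not code from Proxmark3GUI or the Proxmark3 client; the bit positions follow the T5577 data sheet numbering (bit 1 = MSB of the word), and the two sample words are constructed: 0x00148040 decodes as an EM410x-style configuration (Manchester, RF/64, 2 blocks) and 0x00107060 as an HID-style one (FSK2a, RF/50, 3 blocks).

```python
"""Decode the T5577 configuration block (page 0, block 0).

Added example, not part of Proxmark3GUI. Bit numbering follows the T5577
data sheet convention (bit 1 = MSB of the 32-bit word). Sample words are
constructed for illustration.
"""
from typing import Dict

BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase", 24: "Diphase"}
PSK_CLOCK = {0: "RF/2", 1: "RF/4", 2: "RF/8", 3: "reserved"}


def field(word: int, first_bit: int, width: int) -> int:
    """Extract `width` bits whose most significant one is data-sheet bit `first_bit`."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def decode_t5577_config(word: int) -> Dict[str, object]:
    """Map the 32-bit word onto the fields shown in the Basic Configuration panel."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("config block must be a 32-bit word")
    mod_code = field(word, 16, 5)
    return {
        "master_key": field(word, 1, 4),                  # bits 1-4
        "reserved": field(word, 5, 7),                    # bits 5-11 (layout changes in eXtended mode; not decoded here)
        "data_bit_rate": BIT_RATES[field(word, 12, 3)],   # bits 12-14
        "extended_mode": bool(field(word, 15, 1)),        # bit 15
        "modulation": MODULATIONS.get(mod_code, f"unknown({mod_code})"),  # bits 16-20
        "psk_clock_freq": PSK_CLOCK[field(word, 21, 2)],  # bits 21-22
        "answer_on_request": bool(field(word, 23, 1)),    # bit 23 (AOR)
        "one_time_pad": bool(field(word, 24, 1)),         # bit 24 (OTP)
        "max_block": field(word, 25, 3),                  # bits 25-27: blocks sent in read mode
        "password": bool(field(word, 28, 1)),             # bit 28 (PWD)
        "seq_terminator": bool(field(word, 29, 1)),       # bit 29 (SST)
        "fast_downlink": bool(field(word, 30, 1)),        # bit 30 ("Fast Write" in the pm3 client)
        "inverse_data": bool(field(word, 31, 1)),         # bit 31
        "init_delay": bool(field(word, 32, 1)),           # bit 32 ("POR delay" in the pm3 client)
    }


def set_password_mode(word: int, enable: bool = True) -> int:
    """Set or clear the PWD bit. With it set, the tag requires the password
    stored in block 7 for writes, so never enable it without knowing block 7."""
    mask = 1 << (32 - 28)
    return (word | mask) if enable else (word & ~mask)


if __name__ == "__main__":
    for w in (0x00148040, 0x00107060, set_password_mode(0x00148040)):
        print(f"{w:08X}", decode_t5577_config(w))
```

Two things to check before "Set to Data" followed by a write: Max Block must cover every block that holds tag data (an EM410x ID spans blocks 1 and 2, hence 2), and enabling the Password bit on a tag whose block 7 you have not set is a reliable way to brick it, because every later write, including the one that would clear the bit, needs that password.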
In some cases, the arguments should be set to "-p /dev/<port> -f" or "-p <port> -f".
Config file path (Reconnect to apply): config.json
Different clients require different config files. If the command format changes, you can edit the config file to match it.
Keep the client active even when the PM3 hardware is disconnected. (Experimental)
GUI
Info
Please choose a port first
Connected
Not Connected
Failed to open
Continue?
Dock all windows
Ver:
Check Update
Failed to load config file
Some of the data and keys will be cleared.
Please select the font of the data widget and key widget
Data must consist of 32 hex symbols (whitespace is allowed)
Key must consist of 12 hex symbols (whitespace is allowed)
Please select the data file:
Binary Data Files (*.bin *.dump)
All Files (*.*)
Please select the key file:
Please select the location to save the data file:
Failed to save to
Please select the location to save the key file:
Binary Key Files (*.bin *.dump)
Text Data Files (*.txt *.eml)
Text Key Files (*.txt *.eml)

Normally, Block 0 of a typical Mifare card, which contains the UID, is locked during manufacture. Users cannot write anything to Block 0 or set a new UID on a normal Mifare card.
Chinese Magic Cards (aka UID cards) are special cards whose Block 0 is writeable, so you can change the UID by writing to it.
There are two versions of Chinese Magic Cards, Gen1 and Gen2.
Gen1: also called a UID card in China.
It responds to backdoor commands, so you can access any block without a key. The Proxmark3 has a set of related commands (csetblk, cgetblk, ...) for this type of card, and this GUI also supports them.
Gen2: does not respond to the backdoor commands, so a reader cannot detect a Chinese Magic Card by sending backdoor commands. (In China these are the CUID/FUID/UFUID cards, sometimes called "firewall" cards.)
There are several types of Chinese Magic Card Gen2:
CUID Card: Block 0 is writeable, and you can write to it repeatedly with the normal wrbl command (hf mf wrbl 0 A FFFFFFFFFFFF <the data you want to write>).
FUID Card: Block 0 can be written only once. After that it behaves like a typical Mifare card (Block 0 cannot be written). Some readers try to change Block 0 in order to detect a CUID card; against such readers you need an FUID card.
UFUID Card: it behaves like a CUID card (or a UID card; I'm not sure) until you send a special command to lock it. Once locked, Block 0 cannot be changed any more (just like a typical Mifare card).
Seemingly, these Chinese Magic Cards are more easily compromised by the Nested attack (it takes little time to recover an unknown key).
Please select the trace file:
Please select the location to save the trace file:
Trace Files (*.trc)
Idle
Stop
Sec
Blk
KeyA
KeyB
HW Version:
PM3: (connection state)
State: (running state)
Running
Actual Freq:

Mifare
Success!
Info
Please provide at least one known key
Failed!
The Access Bits are invalid! They could block the whole sector irreversibly! Continue to write?
Successful!
Failed to write to these blocks:
Select them?
Failed to read card.

T55xxTab
Clone to T55xx
Target Type: T5555 / T55x7
EM410x
Read
Clone