Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
The magic card i have is reacting to the commands of the privacy mode. e.g. sending random numbers for the xor generation of the password.
Thats why i think that these cards can handle the privacy mode.
Is there a way that someone could ask the manufactor?
@Iceman: within your iso15_magic.lua script there iss an option "-a" for using it with the official repo. Therefor I copied the iso15_magic.lua script and the read15.lua lib from your Repo into the official Repo, because I couldn't find these in there.
After using the magic script my ISO15693 Magic Card has an UID of "00 00 00 00 00 00 00 00". It looks like that the last two commands of your script do not work in this constellation which should write the two half of the UID.
With your Repo it was not a problem at all to change the UID back to a correct value (if the position of the tag is correct towards the proxmark3, which is kind of a hassle.).
What needs to be done, do get the magic script working within the official Repo?
Regards,
Gambrius
Last edited by Gambrius (2019-11-23 12:50:12)
almost correct, buggy code on Offical repo leads to unwanted behavior like not shutting off rf power field. As I said, once Piwis code becomes stable, we have a look at what is reusable. Offical repo has been slacking off in being stable the last years.
The "magic" commands are just write block commands to blocks 0x3e, 0x3f, 0x38, 0x39. The latter two write the UID (and the tag responds like to any other write block command). The tag however doesn't answer on the first two write block commands and the UID can be changed without them. Any idea what their purpose is?
@piwi:
Because I am away from home (from my hardware) right now i am not 100% sure, but i think one of the first two comands is zeroing the uid. I had an incident where I ended up with a uid filled just with 00 and my script did not run the ...38 and ...39 comand.
You could give it a try.
Regards,
Gambrius
Hallo,
The magic cards I have tested so far (e.g. from RFx) are all iso15693 SLIX cards. Because SLIX is not supporting PRIVACY MODE at all, i am looking for SLIX2 or SLIX-L cards with changeable UIDs.
Does anyone know wether there are any other cards available?
Regards,
Gambrius
Hallo,
The magic cards I have tested so far (e.g. from RFx) are all iso15693 SLIX cards. Because SLIX is not supporting PRIVACY MODE at all, i am looking for SLIX2 or SLIX-L cards with changeable UIDs.Does anyone know wether there are any other cards available?
Regards,
Gambrius
Hi! I've just received a magic 15693 card from RFxSecure.com which claims to be Sli/Slix.
I was able to change its UID just with 2 blocks (38h for LSB of UID; 39h for MSB of UID). However none of NXP propietary commands worked. I have tried the following:
ABh - get nxp system info
DBh - read signature
A3h - reset EAS
B2h - get random number
For me it looks like generic 15693 card with 28x4 memory
UPD: Ok. It looks like SLI to me with EAS locked from the beginning. Only reponds to A0h
Last edited by papuaoshi (2021-02-04 23:09:08)
i bought 2 cards sold as "15693 UID changeable" and physically marked as "15693 iCode Sli/Slix Modifiable" at Shop910686014 on AliExpress for a semi-reasonable price of $25 incl shipping.
I was able to change the UID using the "hf 15 csetuid" command and it was possible clone a 15693 card using "hf 15 dump" and "hf 15 restore". The clone card seems to be identical.
Btw, "hf 15 findafi" does nothing, just outputs the help text.
However, I have not enough experience and knowledge about this type of card to know what additional properties it should have.
So let me know what I should test with this card (as the price is better than at other shops), and give the precise commands for that. Note: My macOS client does no have data plot capability.
Good call, iceman! I love it! It does this:
[=] click pm3 button or press Enter to exit
[#] NoAFI UID = <redacted>
[#] AFI = 0 UID = <redacted>
[#] AFI Bruteforcing done.
and waits and waits, until the Enter key is pressed.
Is that intentional? If so, maybe it could tell the user to press Enter?