Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-09-17 15:29:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

classic ev1 new commands

anyone know what commands were added with the new Mifare Classic EV1 1K?  I see mention of an originality check but can't find the documentation for that command.  is it the same as the Ultralight EV1?  (sorry I don't have a full EV1 datasheet available).

did they make a Get_Version?

Thanks.

ps. Ultralight Read_Sig command is 0x3C00

Offline

#2 2015-09-17 17:06:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

The new commands looks to be:

Personalize UID Usage   0x40
SET_MOD_TYPE            0x43

Last edited by iceman (2015-09-17 17:06:41)

Offline

#3 2015-09-17 17:10:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: classic ev1 new commands

Thx,  there must be a Read_Sig command.

Offline

#4 2015-09-17 17:12:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

Possible identification would be to test the extra commands in my previous post.

MODEL         UID   ATQA      SAK
1k 
MF1S500yXDyy  7byte 0x00 0x44 0x08
MF1S503yXDyy  4byte 0x00 0x04 0x08

4k 
MF1S700yXDyy  7byte 0x00 0x42 0x18
MF1S703yXDyy  4byte 0x00 0x02 0x18  

Last edited by iceman (2015-09-17 17:23:59)

Offline

#5 2015-09-17 17:20:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

In the datasheet I just read there was no hints towards a read_sig command. But if you have one of these new tags, the PM3 doesn't identify them correct..   Try sending some raw commands and try the 0x3000 command..

Last edited by iceman (2015-09-17 17:24:12)

Offline

#6 2015-09-17 17:50:28

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: classic ev1 new commands

the personalized uid usage was in the older classic cards.  (used to adjust the 7 byte uid to 4 byte uid anticollision)

the set_mod_type looks new though. (not sure if it was on the mifare plus cards or not...)

Offline

#7 2015-09-17 18:08:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

The desfire ev1 cards has read_sign...

Offline

#8 2015-09-17 18:16:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

Nasty choice of commands on part of Mifare since its the same ones as for the Chinese magic backdoor...

Offline

#9 2015-09-17 18:19:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: classic ev1 new commands

You have to authenticate with sector 0 before they work...

What is the desfire read Sig cmd?

Offline

#10 2015-09-17 18:25:19

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: classic ev1 new commands

I have two tags that ack to the set_mod_type, one is brand new and claims to be ev1, the other is a bit over 1 year old and I did not expect it to be ev1...  Maybe it is but I'd like to be sure and I think the only way is with the read Sig cmd, which according to promotional sheets on the mifare classic ev1 it should have one...

I confirmed old classic cards nack to that set_mod_type.

Last edited by marshmellow (2015-09-17 18:27:04)

Offline

#11 2015-09-18 07:29:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

I missed the auth before running it..

Offline

#12 2015-10-17 03:50:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: classic ev1 new commands

BTW, on a mifare ev1 1k the signature is contained in sector 17 (block 45 and 46).  the keys for that sector are not default and cannot be changed.

(1k should end at sector 15)  makes me wonder if there is a sector 16, or others?...

Last edited by marshmellow (2015-10-17 03:53:06)

Offline

#13 2019-07-18 11:37:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

Which datasheet for Mifare 1k Ev1 states the originiality signature to be on a sector 16, 17?
https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf

Offline

#14 2019-07-18 12:14:35

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: classic ev1 new commands

No public ones I find show it.  So I sniffed the nxp app.

Offline

#15 2019-07-18 12:40:19

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: classic ev1 new commands

It is sector 17 only. The purpose of sector 16 is unclear. The Chameleon Mini code has it implemented including the SIG_READ command (which is same as RESTORE but without a parameter). According to this implementation the SIG_READ does nothing except indicating that a signature is available in sector 17.

Offline

#16 2019-07-18 13:07:12

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: classic ev1 new commands

What did it smell like @marshmellow?
How much sniffing did you do?

Offline

#17 2019-07-18 13:50:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: classic ev1 new commands

Only mentions in offical datasheet is a changenot at p.33...    Seems only to apply for 1K cards,  not 4K cards.

But not in the link I gave before but in another one...

Offline

#18 2019-07-25 07:41:41

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: classic ev1 new commands

I have started working on the Originality Signature Checks. A first PR (not yet merged) on official repo implements it in 'hf mfu info' because I found more info on the Ultralight signature checks than for the Classic EV1.

Tested and works for NTAG213. The Ultralight EV1 is said to use another Public/Private Key pair. I have added a check for this type as well but I couldn't test it (no card of this type in my portfolio). If someone has access to an Ultralight EV1, can you please run 'hf mfu info' and look for

Originality signature check : signature is valid

Offline

#19 2019-07-25 08:56:57

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: classic ev1 new commands

thx piwi for your work on the originality check,
I sucessfully tested your "originality_check" branch
- MF UL EV1 48B
- MF UL EV1 128B
- NTAG 213

TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
--- Tag Originality Signature
         Signature public key : 90 93 3b dc d6 e9 9b 4e 25 5e 3d a5 53 89 a8 27 56 4e 11 71 8e 01 72 92 fa f2 32 26 a9 66 14 b8
  Originality signature check : signature is valid

TYPE : MIFARE Ultralight EV1 128bytes (MF0UL2101)

--- Tag Originality Signature
         Signature public key : 90 93 3b dc d6 e9 9b 4e 25 5e 3d a5 53 89 a8 27 56 4e 11 71 8e 01 72 92 fa f2 32 26 a9 66 14 b8
  Originality signature check : signature is valid

TYPE : NTAG 213 144bytes (NT2H1311G0DU)
--- Tag Originality Signature
         Signature public key : 49 4e 1a 38 6d 3d 3c fe 3d c1 0e 5d e6 8a 49 9b 1c 20 2d b5 b1 32 39 3e 89 ed 19 fe 5b e8 bc 61
  Originality signature check : signature is valid

Offline

Board footer

Powered by FluxBB