Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

#1 2015-03-15 10:46:41

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Correctly identify NFC tags

To correctly identify an NFC tag we must read the tag info and analyze the bytes:

This is an NTAG203 partial dump with the analyzed "information" bytes:

page0: 04F5ED94
page1: F21C2380
page2: 4D480000
page3: E1101200

04 = Manufacturer Code (04 = NXP)

F5ED[94]F21C2380 = UID
94 = Check byte0 (BCC0); [94 is not part of the UID]
4D = Check byte1 (BCC1)
48 = Internal

00 = Lock byte 0 [page and block locking]
00 = Lock byte 1 [page locking]

page3 = CC = Capability Container (bits of that page, once set to 1, cannot be reversed to 0):
E1 = Magic Byte (it indicates an NDEF data structure inside the tag)
10 = 1.0 Version of NFCForum Specifications
12 = User Memory Size (12Hex -> 18Dec; 18x8 = 144 Bytes) - Total = 168 Bytes
00 = read and write access granted without security (divided in 2 parts: MSB+LSB; page 20-21 of NFCForum-TS-Type-2-Tag_1.1.pdf)

What we must read in particular to identify the tag is the SIZE (bolded line):
NTAG203/F = 168 Bytes (144 bytes user area)
NTAG210    = 80 Bytes (48 bytes user area)
NTAG212    = 164 Bytes (128 bytes user area)
NTAG213    = 180 Bytes (144 bytes user area)
NTAG215/215F  = 540 Bytes (504 bytes user area)
NTAG216/216F  = 924 Bytes (888 bytes user area)


Luckily there is a specific command to read NTAG info (except for NTAG203): it is 60 + 2 bytes ISO14443A_CRC, and the 8-byte answer is parsed as follows (a snooped NFC Tag Info log can be found here; it uses the 06 command):

NTAG213/NTAG216
0 = fixed Header 00h / 00h
1 = vendor ID 04h / 04h = NXP Semiconductors
2 = product type 04h / 04h = NTAG
3 = product subtype 01h / 01h = 50 pF
4 = major product version 01h / 01h = 1
5 = minor product version 00h / 00h = V0
6 = storage size 0Fh / 12h (see description below)
7 = protocol type 03h / 03h = ISO/IEC 14443-3 compliant

The most significant 7 bits of the storage size byte are interpreted as an unsigned integer value n. As a result, it codes the total available user memory size as 2^n.
If the least significant bit is 0b, the user memory size is exactly 2^n.
If the least significant bit is 1b, the user memory size is between 2^n and 2^(n+1).

The user memory for NTAG213F is 144 bytes. This memory size is between 128 bytes (2^7) and 256 bytes (2^8). Therefore, the most significant 7 bits of the value 0Fh are interpreted as 7d and the least significant bit is 1b.

The user memory for NTAG216F is 888 bytes. This memory size is between 512 bytes (2^9) and 1024 bytes (2^10). Therefore, the most significant 7 bits of the value 12h are interpreted as 9d and the least significant bit is 1b.


NTAG210/NTAG212
0 = fixed Header 00h / 00h
1 = vendor ID 04h / 04h = NXP Semiconductors
2 = product type 04h / 04h = NTAG
3 = product subtype 01h / 01h = 17 pF
4 = major product version 01h / 01h = 1
5 = minor product version 00h / 00h = V0
6 = storage size 0Bh / 0Eh (see description below)
7 = protocol type 03h / 03h = ISO/IEC 14443-3 compliant

The most significant 7 bits of the storage size byte are interpreted as an unsigned integer value n. As a result, it codes the total available user memory size as 2^n.
If the least significant bit is 0b, the user memory size is exactly 2^n.
If the least significant bit is 1b, the user memory size is between 2^n and 2^(n+1).

The user memory for NTAG210 is 48 bytes. This memory size is between 32 bytes and 64 bytes. Therefore, the most significant 7 bits of the value 0Bh are interpreted as 5d and the least significant bit is 1b.

The user memory for NTAG212 is 128 bytes. This memory size is exactly 128 bytes. Therefore, the most significant 7 bits of the value 0Eh are interpreted as 7d and the least significant bit is 0b.


EDIT:
Also, the snooped command "60" should be named "AUTH-A" / "GET_VERSION", not only AUTH-A.

Last edited by asper (2015-03-15 12:33:16)

