Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-05-05 22:11:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

[FINISHED] Changes to: HF MFU INFO

Just to give a teaser, but the current output from "hf mfu info" looks like this:

Tested tags:  UL-Ev1, UL-C (magic), UL,  UL (magic), NTAG 216, NTAG 213, my-d move

- detection works pretty good now.  @marshmellow also added a call from "hf 14a read" to benefit from the detection.
- added a help text
- added possibilty to use authentication key

pm3 --> hf mfu i h
It gathers information about the tag and tries to detect what kind it is.
Sometimes the tags are locked down, and you may need a key to be able to read the information
The following tags can be identified:

Ultralight, Ultralight-C, Ultralight EV1
NTAG 213, NTAG 215, NTAG 216
my-d, my-d NFC, my-d move, my-d move NFC

Usage:  hf mfu info k <key>
  Options :
  k <key> : key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]

   sample : hf mfu info
          : hf mfu info k 11223344

ULTRALIGHT EV1

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 04 B7 80 9A F8 38 80
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : BB, Ok
      BCC1 : DA, Ok
  Internal : 48, default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

--- UL-EV1 Counters
       [0] : 00 00 00
                    - BD tearing Ok
       [1] : 00 00 00
                    - BD tearing Ok
       [2] : 00 00 00
                    - BD tearing Ok

--- UL-EV1 Signature
IC signature public key name  : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : D8 50 05 90 9A DA B6 E0 EF 5D 0D F2 9C BF 9E FC 03 E2 F1 36 CA 54 23 7E 80 0B FA DB 4B 9A AA 16


--- UL-EV1 Configuration
 cfg0 [16/0x10]: 00 00 00 FF
                    - pages don't need authentication
                    - strong modulation mode disabled
 cfg1 [17/0x11]: 00 05 00 00
                    - Unlimited password attempts
                    - user configuration writeable
                    - write access is protected with password
                 05 - Virtual Card Type Identifier is  default
 PWD  [18/0x12]: 00 00 00 00
 PACK [19/0x13]: 00 00 00 00

--- UL-EV1 / NTAG Version
       Raw bytes : 00 04 03 01 01 00 0B 03
       Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
    Product type : 03, Ultralight
 Product subtype : 01, 17 pF
   Major version : 01
   Minor version : 00
            Size : 0B (64 <-> 32 bytes)
   Protocol type : 03

--- Trying some known EV1/NTAG passwords.
Found default password: ff ff ff ff
Got PACK : 00 00 a0 1e

ULTRALIGHT (magic)

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight (MF0ICU1)
       UID : 04 11 22 33 44 55 66
    UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 0xBF - Ok
      BCC1 : 0x44 - Ok
  Internal : 0x00 - not default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

ULTRALIGHT (normal)

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight (MF0ICU1)
       UID : 04 46 ad 62 83 34 80
    UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 0x67 - Ok
      BCC1 : 0x55 - Ok
  Internal : 0x48 - default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

ULTRALIGHT-C (magic)

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 11 22 33 44 55 66
    UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 0xBF - Ok
      BCC1 : 0x44 - Ok
  Internal : 0x48 - default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

--- UL-C Configuration
 Higher Lockbits [40/0x28]: 00 00 00 00  0000000000000000
         Counter [41/0x29]: 00 00 00 00  0000000000000000
           Auth0 [42/0x2A]: 30 00 00 00  - Pages above 48 needs authentication
           Auth1 [43/0x2B]: 01 00 00 00  - write access restricted
         deskey1 [44/0x2C]: 77 66 55 44
         deskey1 [45/0x2D]: 33 22 11 00
         deskey2 [46/0x2E]: ff ee dd cc
         deskey2 [47/0x2F]: bb aa 99 88
 3des key : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff

----------------
----------------
SAMPLE calling without authentication key

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 00 00 00 00 00 00 00
    UID[0] : 00, Manufacturer: no tag-info available
      BCC0 : 00, crc should be 88
      BCC1 : 00, Ok
  Internal : 00, not default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

--- UL-EV1 Counters
       [0] : 00 00 00
                    - 00 tearing failure
       [1] : 00 00 00
                    - 00 tearing failure
       [2] : 00 00 00
                    - 00 tearing failure
Error: tag didn't answer to READ SIGNATURE

SAMPLE calling with authentication key.

pm3 --> hf mfu i k 4af84b19

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 04 57 B6 E2 05 3F 80
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 6D, Ok
      BCC1 : 58, Ok
  Internal : 48, default
      Lock : 70 00  - 0000000001110000
OneTimePad : 00 00 00 00

--- UL-EV1 Counters
       [0] : 09 00 00
                    - BD tearing Ok
       [1] : 09 00 00
                    - BD tearing Ok
       [2] : 00 00 00
                    - BD tearing Ok

--- UL-EV1 Signature
IC signature public key name  : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : 79 69 D1 13 02 85 CB CE 8E AB 68 C9 BB D7 67 49 0A 41 4F 0D FA 4C 7F CD 9F 0A A0 B7 89 4A C3 3E


--- UL-EV1 Configuration
 cfg0 [16/0x10]: 00 00 00 00
                    - pages above 0 needs authentication
                    - strong modulation mode disabled
 cfg1 [17/0x11]: C0 05 00 00
                    - Unlimited password attempts
                    - user configuration permanently locked
                    - read and write access is protected with password
                 05 - Virtual Card Type Identifier is  default
 PWD  [18/0x12]: 00 00 00 00
 PACK [19/0x13]: 00 00 00 00

--- UL-EV1 / NTAG Version
       Raw bytes : 00 04 03 01 01 00 0B 03
       Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
    Product type : 03, Ultralight
 Product subtype : 01, 17 pF
   Major version : 01
   Minor version : 00
            Size : 0B (64 <-> 32 bytes)
   Protocol type : 03

Last edited by iceman (2015-05-25 10:19:48)

Offline

#2 2015-05-06 15:43:13

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: [FINISHED] Changes to: HF MFU INFO

Brilliant.

Offline

#3 2015-05-06 16:19:13

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

Very good improvement !

Offline

#4 2015-05-11 19:34:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

And thanks to @Marshmellow and @Asper,  there is even more tags identified.

When all is done,  it will detect:

Ultralight  *
Ultralight-C  *
Ultralight-EV1 (48)
Ultralight-EV1 (128)
NTAG 213
NTAG 215
NTAG 216
MY-D
MY-D NFC
MY-D MOVE
MY-D MOVE NFC

* also special test to detect if tag is UID changeable

Last edited by iceman (2015-05-11 19:35:35)

Offline

#5 2015-05-18 21:08:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

I talked with @Mashmellow,  and we both agree that its time to make a PR and get it all into PM3 master now.

After that is done, we will start fixing "hf mfu read/write" then the  "hf mfu" commands is done with its remake.

Kind of nice that we got both kinds of authentication UL-C (0x1A) &&  ULEV1/NTAG (0x1B)  into this makeover.

Offline

#6 2015-05-19 10:03:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

For those who test this PR,  I'll remind you that you will need to flash the firmware

Offline

#7 2015-05-19 19:47:53

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

Summary of new stuff:

Ultralight Specific:  (mostly iceman's contributions)

New Commands:
hf mfu setpwd <pwd (32 hex symbols)>  - Set 3des password - Ultralight-C
hf mfu setuid <uid (14 hex symbols)>  - Set UID - MAGIC tags only
hf mfu gen                            - Generate 3des mifare diversified keys (testing)

Modified Commands:
hf mfu rdbl b <block number> k <key> l   - Read block any UL / NTAG
hf mfu wrbl b <block number> k <key> l   - Write block any UL / NTAG
hf mfu dump k <key> n <filename> l    - Dump Ultralight / Ultralight-C / NTAG / MY-D tag to binary file and screen
hf mfu info k <key>                   - Get Tag information

Works With:
Mifare Ultralight
Mifare Ultralight C
Mifare Ultralight EV1
NTAG 203
NTAG 210
NTAG 212
NTAG 213
NTAG 215
NTAG 216
NTAG I2C
INFINEON MY_D(tm)
INFINEON MY_D(tm) NFC
INFINEON MY_D(tm) Move
INFINEON MY_D(tm) Move Lean
INFINEON MY_D(tm) Move NFC

Removed duplicate commands:
hf mfu crdbl
hf mfu cwrbl

also included:

hf search                             - search for valid HF tags (14a/MF, iclass, 15693)

still needed:

hf mfu ...           - allow key diversifications
hf search                             - add 14b tags to search

Last edited by marshmellow (2015-06-05 04:32:46)

Offline

#8 2015-05-19 20:46:34

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

Hi marsh, I have troubles compiling your code, here it is the error:
Jm0JSd0.jpg

Offline

#9 2015-05-19 20:52:11

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

sorry...  missed the protocols.h file in a previous commit.... all fixed..

Offline

#10 2015-05-19 21:24:15

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

It worked, thanx wink

Offline

#11 2015-05-19 21:41:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

@Asper just told me that NTAG203 is not identified.  Which seems to be a hard tag to seperate from UL ..
It has the same atqa & sak,  and doesn't have a GET_VERSION command,..   it does have a NDEF CC message..

REF: http://www.nxp.com/documents/data_sheet/NTAG203F.pdf

Offline

#12 2015-05-19 22:49:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

@asper, on the ntag 203 can you do a:
hf mfu dump q 46

a couple times and tell me what the last page it ever reads is?

thanks.

Last edited by marshmellow (2015-05-19 22:49:58)

Offline

#13 2015-05-19 23:34:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

Tested at various distances (tag<->antenna); here is the log.
They seems to be 29(hex).

Last edited by asper (2015-05-19 23:35:25)

Offline

#14 2015-05-19 23:56:21

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

As I expected.  I don't suppose you could post the trace?  I'm curious what NAK on the higher blocks is.

Edit: never mind   the NAK was 00...  It is in the output

Last edited by marshmellow (2015-05-20 00:36:24)

Offline

#15 2015-05-20 07:25:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

@Asper,  can you test to see if the NTAG 203 answers to  0x1B command?

Offline

#16 2015-05-20 17:21:18

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

@asper, i pushed a patch, can you see if it correctly identifies the ntag203 now?

Offline

#17 2015-05-20 18:57:25

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

What exact raw command ice?

Offline

#18 2015-05-20 19:17:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

hf 14a raw -s -c 1b00000000


But first download the latest changes I pushed to my fork and recompile.

Offline

#19 2015-05-20 19:19:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

They will also be in my fork in 5 min tongue

Offline

#20 2015-05-20 19:23:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

That's good Marsh!

if only I could put so much effort into , say something like getting the diversification of keys correct or figuring out a key-gen-algo... instead of correctly identifying tags....

Well, when the SHA-1 comes into the PM3,  then another toy token will be able to get dumped smile

Offline

#21 2015-05-20 19:57:15

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

smile  ok maybe a little longer than 5 minutes.  had a few bugs to work out.  but posted now.

Offline

#22 2015-05-21 13:44:20

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

@ice (with your compiled build+firmware flashed):

pm3 --> hf 14a raw -s -c 1b00000000
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->

@marsh (with iceman build with his firmware flashed):

pm3 --> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : Unknown 000000         
       UID : 04 F2 6E E2 0D 29 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : E1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: E1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
pm3 -->

Last edited by asper (2015-05-21 14:08:54)

Offline

#23 2015-05-21 13:45:43

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

With your (marshmellow) client (without reflashing iceman's firmware):

proxmark3> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : Unknown 000000         
       UID : 04 f2 6e e2 0d 29 80           
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : e1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: e1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
proxmark3>

proxmark3> hf list 14a
Recorded Activity (TraceLen = 175 bytes)         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|         
         0 |       992 | Rdr | 52                                                              |     | WUPA         
      2228 |      4596 | Tag | 44  00                                                          |     |           
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL         
     10676 |     16564 | Tag | 88  04  f2  6e  10                                              |     |           
     18688 |     29216 | Rdr | 93  70  88  04  f2  6e  10  4d  ad                              |     | SELECT_UID         
     30388 |     33908 | Tag | 04  da  17                                                      |     |           
     35200 |     37664 | Rdr | 95  20                                                          |     | ANTICOLL-2         
     38836 |     44724 | Tag | e2  0d  29  80  46                                              |     |           
     46848 |     57312 | Rdr | 95  70  e2  0d  29  80  46  6b  03                              |     | ANTICOLL-2         
     58548 |     62132 | Tag | 00  fe  51                                                      |     |           
    469376 |    474144 | Rdr | 30  00  02  a8                                                  |     | READBLOCK(0)         
    475316 |    496116 | Tag | 04  f2  6e  10  e2  0d  29  80  46  48  00  00  e1  10  12  00  |     |           
           |           |     | 73  47                                                          |     |           
proxmark3>

NOTE: the above tag is the NTAG203.

Last edited by asper (2015-05-21 14:09:13)

Offline

#24 2015-05-21 13:59:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

This is an mfu info of ntag216 and ntag213:

proxmark3> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 216 888bytes (NT2H1611G0DU)         
       UID : 04 37 9f aa 16 3c 81           
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany         
      BCC0 : 24, Ok         
      BCC1 : 01, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : e1 10 6d 00  - 00000000011011010001000011100001
--- NDEF Message         
Capability Container: e1 10 6d 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  6D : Physical Memory Size: 880 bytes         
  6D : NDEF Memory Size: 872 bytes         
  00 : Read access granted without any security / Write access granted without any security         
--- Tag Signature         
IC signature public key name  : NXP NTAG21x 2013         
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61         
    Elliptic curve parameters : secp128r1         
            Tag ECC Signature : 96 84 64 91 6c f5 19 27 ce 4f a9 1b 3b c9 fa d1 9b d5 bf 1f fe ae e8 61 97 9f 3e 2a 67 74 c7 60           
--- Tag Version         
       Raw bytes : 00 04 04 02 01 00 13 03           
       Vendor ID : 04, NXP Semiconductors Germany         
    Product type : 04, NTAG         
Product subtype : 02, 50pF         
   Major version : 01         
   Minor version : 00         
            Size : 13 (1024 <-> 512 bytes)         
   Protocol type : 03         
--- Tag Configuration         
  cfg0 [16/0x10] : 04 00 00 ff           
                    - pages don't need authentication         
                    - strong modulation mode disabled         
  cfg1 [17/0x11] : 00 05 00 00           
                    - Unlimited password attempts         
                    - user configuration writeable         
                    - write access is protected with password         
                    - 05, Virtual Card Type Identifier is  default         
  PWD  [18/0x12] : 00 00 00 00           
  PACK [19/0x13] : 00 00 00 00           
--- Known EV1/NTAG passwords.         
Found a default password: ff ff ff ff  || Pack: 00 00         
proxmark3>
proxmark3> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 213 144bytes (NT2H1311G0DU)         
       UID : 04 c4 37 32 a1 3e 80           
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany         
      BCC0 : 7F, Ok         
      BCC1 : 2D, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : e1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: e1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
--- Tag Signature         
IC signature public key name  : NXP NTAG21x 2013         
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61         
    Elliptic curve parameters : secp128r1         
            Tag ECC Signature : 2f 27 66 0a d9 cf f6 67 df a0 c8 55 c0 b1 92 d4 58 f3 6b 1c 69 80 34 ca a5 eb 16 0b 30 49 1e 81           
--- Tag Version         
       Raw bytes : 00 04 04 02 01 00 0f 03           
       Vendor ID : 04, NXP Semiconductors Germany         
    Product type : 04, NTAG         
Product subtype : 02, 50pF         
   Major version : 01         
   Minor version : 00         
            Size : 0F (256 <-> 128 bytes)         
   Protocol type : 03         
--- Tag Configuration         
  cfg0 [16/0x10] : 04 00 00 ff           
                    - pages don't need authentication         
                    - strong modulation mode disabled         
  cfg1 [17/0x11] : 00 05 00 00           
                    - Unlimited password attempts         
                    - user configuration writeable         
                    - write access is protected with password         
                    - 05, Virtual Card Type Identifier is  default         
  PWD  [18/0x12] : 00 00 00 00           
  PACK [19/0x13] : 00 00 00 00           
--- Known EV1/NTAG passwords.         
Found a default password: ff ff ff ff  || Pack: 00 00         
proxmark3>

Offline

#25 2015-05-21 15:30:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

@asper,   interesting, the 203 answers a nack for the 0x1b try.
Can you test with the default key as below?

 hf 14a raw -s -c 1bffffffff

Offline

#26 2015-05-21 15:36:17

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->

pm3 -->
pm3 --> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : Unknown 000000         
       UID : 04 F2 6E E2 0D 29 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : E1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: E1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
pm3 -->

Last edited by asper (2015-05-21 15:38:17)

Offline

#27 2015-05-21 15:51:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

Does that tag always answer with a NACK on other unsupported commands?  like GETVERSION?

hf 14a raw -s -c 60

Offline

#28 2015-05-21 17:01:21

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

Yeah:

pm3 --> hf 14a raw -s -c 60
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 69
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 73
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c 99
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->
pm3 --> hf 14a raw -s -c FF
received 7 octets         
04 F2 6E E2 0D 29 80           
received 1 octets         
00           
pm3 -->

Offline

#29 2015-05-21 17:05:23

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

oy..  there is a bug in the ntag203 detection.  i am reading block 30 instead of 0x30 to find the end of the memory...

just fixed it in my fork

Offline

#30 2015-05-21 19:58:06

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

I will test tomorrow.

Offline

#31 2015-05-22 13:57:14

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

Yeah:

pm3 --> hf mfu info
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : NTAG 203 144bytes (NT2H0301F0DT)         
       UID : 04 F2 6E E2 0D 29 80           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : 10, Ok         
      BCC1 : 46, Ok         
  Internal : 48, default         
      Lock : 00 00  - 0000000000000000         
OneTimePad : E1 10 12 00  - 00000000000100100001000011100001
--- NDEF Message         
Capability Container: E1 10 12 00           
  E1 : NDEF Magic Number         
  10 : version 1.0 supported by tag         
  12 : Physical Memory Size: 152 bytes         
  12 : NDEF Memory Size: 144 bytes         
  00 : Read access granted without any security / Write access granted without any security         
pm3 -->

Offline

#32 2015-05-22 14:00:11

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

Sweet...

Offline

#33 2015-05-22 14:29:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

Well done @Marshmellow!

Offline

#34 2015-06-02 20:10:59

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

smile  our info command now can detect things nxp's tag info can't.  a locked UL_C card shows as an UL in nxp's tag info, but shows correctly in ours smile

Offline

#35 2015-06-02 20:15:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

Finally,  the PM3 client is better than nxp tag info!   Do you have a sample of the outputs?

and lets make it even better!!  ...(14b, 15)...

Offline

#36 2015-06-02 20:32:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

TagInfo on read/write locked tag

** TagInfo scan (version 3.0) 2015-05-22 11:27:54 **

-- INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
MIFARE Ultralight (MF0ICU1)

-- NDEF ------------------------------

# NFC data set storage not present:
Maximum NDEF storage size after format: 46 bytes

-- EXTRA ------------------------------

# Memory size:
64 bytes total memory
* 16 pages, with 4 bytes per page
* 48 bytes user memory (12 pages)

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms


# Detailed protocol information:
ID: 04:09:A9:7A:E0:2B:80
ATQA: 0x4400
SAK: 0x00

--------------------------------------

hf mfu info of same tag:

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC)  [2]
       UID : 04 09 a9 7a e0 2b 80  
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 2C - Ok
      BCC1 : 31 - Ok
  Internal : 48 -  default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00  - 00000000000000000000000000000000

Trying some default 3des keys
#db# NAK - Authentication failed.       
#db# Cmd Error: 00       
#db# Authentication failed       
#db# NAK - Authentication failed.       
#db# Cmd Error: 00       
#db# Authentication failed       
#db# NAK - Authentication failed.       
#db# Cmd Error: 00       
#db# Authentication failed       
Found default 3des key: 
         deskey1 [44/0x2C]: 42 52 45 41  [BREA]
         deskey1 [45/0x2D]: 4b 4d 45 49  [KMEI]
         deskey2 [46/0x2E]: 46 59 4f 55  [FYOU]
         deskey2 [47/0x2F]: 43 41 4e 21  [CAN!]

3des key : 49 45 4d 4b 41 45 52 42 21 4e 41 43 55 4f 59 46 
Tag appears to be locked, try using the key to get more info

TagInfo on tag before locked:

** TagInfo scan (version 3.0) 2015-04-28 12:33:55 **

-- INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
MIFARE Ultralight C (MF0ICU2)

-- NDEF ------------------------------

# NFC data set storage not present:
Maximum NDEF storage size after format: 137 bytes

-- EXTRA ------------------------------

# Memory size:
192 bytes total memory
* 48 pages, with 4 bytes per page
* 144 bytes user memory (36 pages)

# Authentication information:
Default sample key

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms


# Detailed protocol information:
ID: 04:09:A9:7A:E0:2B:80
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] *  04:09:A9 2C (UID0-UID2, BCC0)
[01] *  7A:E0:2B:80 (UID3-UID6)
[02] .  31 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  00:00:00:00 (OTP0-OTP3)
[04] .  02 00 00 10 |....|
[05] .  00 06 01 10 |....|
[06] .  11 FF 00 00 |....|
[07] .  00 00 00 00 |....|
[08] .  00 00 00 00 |....|
[09] .  00 00 00 00 |....|
[0A] .  00 00 00 00 |....|
[0B] .  00 00 00 00 |....|
[0C] .  00 00 00 00 |....|
[0D] .  00 00 00 00 |....|
[0E] .  00 00 00 00 |....|
[0F] .  00 00 00 00 |....|
[10] .  00 00 00 00 |....|
[11] .  00 00 00 00 |....|
[12] .  00 00 00 00 |....|
[13] .  00 00 00 00 |....|
[14] .  00 00 00 00 |....|
[15] .  00 00 00 00 |....|
[16] .  00 00 00 00 |....|
[17] .  00 00 00 00 |....|
[18] .  00 00 00 00 |....|
[19] .  00 00 00 00 |....|
[1A] .  00 00 00 00 |....|
[1B] .  00 00 00 00 |....|
[1C] .  00 00 00 00 |....|
[1D] .  00 00 00 00 |....|
[1E] .  00 00 00 00 |....|
[1F] .  00 00 00 00 |....|
[20] .  00 00 00 00 |....|
[21] .  00 00 00 00 |....|
[22] .  00 00 00 00 |....|
[23] .  00 00 00 00 |....|
[24] .  00 00 00 00 |....|
[25] .  00 00 00 00 |....|
[26] .  00 00 00 00 |....|
[27] .  00 00 00 00 |....|
[28] .  00 00 -- -- (LOCK2-LOCK3)
[29] .  00 00 -- -- (CNT0-CNT1, value: 0)
[2A] .  30 -- -- -- (AUTH0)
[2B] .  00 -- -- -- (AUTH1)
[2C] .- 42 52 45 41 |BREA|
[2D] .- 4B 4D 45 49 |KMEI|
[2E] .- 46 59 4F 55 |FYOU|
[2F] .- 43 41 4E 21 |CAN!|

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

--------------------------------------

Last edited by marshmellow (2015-06-02 20:37:34)

Offline

#37 2015-06-02 20:42:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

interesting to see their dump layout..  with -- and only hex..

Offline

#38 2015-06-03 07:46:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Changes to: HF MFU INFO

Fantastic! If you need help in getting 14443B and 15693 info just ask !

Last edited by asper (2015-06-03 08:04:30)

Offline

#39 2015-06-03 13:35:27

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: [FINISHED] Changes to: HF MFU INFO

It is like Christmas! Awesome job lads!

Offline

#40 2015-06-18 23:10:52

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

added another one:

proxmark3> hf mfu info

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : FUDAN Ultralight Compatible (or other compatible)
       UID : 04 64 9d 1a 54 00 00
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 75, Ok
      BCC1 : 4E, Ok
  Internal : 48, default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00  - 00000000000000000000000000000000

Offline

#41 2015-06-19 14:33:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

Great!  Fudan UL compatible,  is it special in some kind of way like magic or has different commands? or responses?

Offline

#42 2015-06-19 14:36:35

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

Nope, just an attempt to pass as a true UL. And it does fool just about every reader I know.  Except the pm3 now smile

Offline

#43 2015-06-19 14:37:43

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

But it doesn't have all the same error responses as the original.

Offline

#44 2015-06-19 14:39:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

I skimmed the code, but the detection is based on?

Offline

#45 2015-06-19 15:09:55

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

00 error instead of 01 error to crc error.  I believe there are other imitations that have a similar issue which is why I labelled it or other compatible

Last edited by marshmellow (2015-06-19 15:19:29)

Offline

#46 2015-06-19 15:11:25

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [FINISHED] Changes to: HF MFU INFO

But I know the tags I'm testing are a fudan.  If I find a better test I'll implement it.

Offline

#47 2015-06-19 15:18:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

ok,  I saw the faulty crc and was thinking that I havn't test for that on tags..

Offline

#48 2017-02-23 22:08:37

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: [FINISHED] Changes to: HF MFU INFO

@iceman, is this in your branch as well?  I was running something trying to look at this and the command format looks a little different.

Offline

#49 2017-02-23 22:12:29

my_fair_cats_sick
Contributor
Registered: 2016-03-15
Posts: 81

Re: [FINISHED] Changes to: HF MFU INFO

also, is there anything out there to brute force the 8 byte key or crack these for reading?

Offline

#50 2017-02-23 23:03:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] Changes to: HF MFU INFO

This is in PM3 master.  (and of course in mine)

You need to know what the tag is and if there is some limits on faulty auths. If there is you may permalock.

Feel free to add a bruteforce wink

Offline

Board footer

Powered by FluxBB