Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2018-03-13 20:31:47

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

[SOLVED] Problem for read ultralight chinese card with PM3

Hello everybody,

It's my first post, I hope I won't be off topic, and in advance sorry for my bad english :-)
I have some ultralight chinese card in my possession, but for a unknown reason I am unable to read with my PM3, I explain.

with my PM3, I can read all others cards I have (mifare classic, ultralight normal/ev1/c, desfire, iclass, etc) ... except this ultralight chinese card !

pm3 --> hf mfu info
iso14443a card select failed
pm3 -->

but if I put simultaneously 2 card (one over the other) on the HF antenna I can read anyway, PM3 detect collision but give me a output

pm3 --> hf mfu info
#db# Multiple tags detected. Collision after Bit 16
#db# Multiple tags detected. Collision after Bit 16
#db# Multiple tags detected. Collision after Bit 16
--- Tag Information ---------

-------------------------------------------------------------
 TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Multiple tags detected. Collision after Bit 16
 UID : 04 15 91 BA 45 03 11
 UID[0] : 04, NXP Semiconductors Germany
 BCC0 : 08, Ok
 BCC1 : ED, Ok
 Internal : 48, default
 Lock : 00 00 - 00
OneTimePad : 00 00 00 00 - 0000

Error: tag didn't answer to READ magic
pm3 -->

BUT... ! if I try with my mobile phone or my ACR122u reader, I don't have any issue with this cards, I can read (and write (and change uid)) without problem, no need to put 2 cards together for read.

I don't think it's a problem with my HF Antenna because I can normally read each others cards I have (mifare classic, ultralight normal/ev1/c, desfire, iclass, etc), and I'm not sure my chinese ultralight is defective, because I can read without problem with my phone mobile and ACR122u reader.

Someone have already had this issue ? any idea on my problem ?
PS : on mobile phone, cards is recognized as MF0ICU2
and PM3 with 2 cards one over the other, it's MF0ULC

my PM3 version (I use last compiled PM3 iceman)

 [ ARM ]
 bootrom: iceman// 2018-03-06 19:51:24
      os: iceman// 2018-03-06 19:52:03
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 234953 bytes (45%) Free: 289335 bytes (55%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Thanks a lot

Last edited by Shashadow (2018-04-02 22:15:59)

Offline

#2 2018-03-13 21:27:12

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Try different distances.    Is it keyfob or card?

and what's your antenna voltages?


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#3 2018-03-13 21:53:02

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Noooooo !!! I don't believe it !
it's a card, and you're right, I put my card away from my antenna (1 inche about) and ... surprise ! it's working

so... for my first post I'm feeling like a fool... :-(

my antenna voltages :

pm3 --> hw tune

measuring antenna characteristics, please wait...
...
LF antenna: 30,02 V - 125.00 kHz
LF antenna: 21,81 V - 134.00 kHz
LF optimal: 30,02 V - 123,71 kHz
[+] LF antenna is OK

HF antenna: 19,90 V - 13.56 MHz
[+] HF antenna is OK

[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

So issue is resolved, I just don't know why PM3 told me "Error: tag didn't answer to READ magic" because I can change UID, but it's ok for me.

Very Thanks a lot iceman !
David

Offline

#4 2018-03-13 22:34:52

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

You learn something new every day,  you should read my first 100 posts and get a good laugh at my mistakes smile

Magic detection for  hf 14a info  doesn't look at MFU based cards.
hf mfu info should detect if its a magic MFU card.   

However new cards can have arrived and the detection doesn't know of it yet.


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#5 2018-03-13 22:50:07

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Yes, I will take the time, but I will really read your first 100 posts :-)

Otherwise, neither "hf mfu info", nor "hf 14a info" detect magic commands, but card is really UID modifiable (we just have a <magic> on TYPE), so it's surely a new kind of magic card.

pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 15 91 BA 45 03 11
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 08, Ok
      BCC1 : ED, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 00 00 00 00  - 0000

Error: tag didn't answer to READ magic
pm3 -->
pm3 --> hf 14a info
 UID : 04 15 91 BA 45 03 11
ATQA : 00 44
 SAK : 00 [2]
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
MANUFACTURER : NXP Semiconductors Germany
SAK incorrectly claims that card doesn't support RATS
 ATS : 85 00 00 A0 0A 00 0A B0 00 00 00 00 00 00 00 00 18 4D
       -  TL : length is 133 bytes
ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
       -  T0 : TA1 is NOT present, TB1 is NOT present, TC1 is NOT present, FSCI is 0 (FSC = 4294967280)
       -  HB : 00 A0 0A 00 0A B0 00 00 00 00 00 00 00 00 18 4D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Answers to magic commands: NO
pm3 -->

We just have a strange ATS may be corrupted for hf 14a info, I don't know if normal or not.

Offline

#6 2018-03-13 23:06:59

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

arrghhh !!!
so ... finaly I'm not sure this card work correctly with PM3.
After a simple "hf mfu setuid 11223344556677", card is breakdown, I don't have any output from card, neither with PM3, nor with mobile phone, card is unusable, I'm sad  :-(

pm3 --> hf mfu info
iso14443a card select failed
pm3 -->
pm3 -->
pm3 --> hf search

timeout while waiting for reply.
ATQA : 00 44
Tag doesn't support the Topaz protocol.
no known/supported 13.56 MHz tags found

however, this kind of card (I have another card) work with my phone and all is working correctly.
How is possible ?

Offline

#7 2018-03-13 23:08:22

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

nop,   the mfu info has identified it as <magic>   all is correct.

the 14a magic detection looks for the chinese magic backcommands,  which your tag doesn't have.   hence the "Answers to magic command: NO"..

*but*

there is a bug,  since the  ATS is wrong,  the decoding of it goes nuts.
TL  (length)  133 bytes is wrong
meaning the HB becomes even more crazy.


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#8 2018-03-13 23:19:19

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

I pushed a fix,  can you test it with your card?


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#9 2018-03-13 23:23:20

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

yes of course, but when you speak about a fix, is it for recovery my breaking card after my "hf mfu setuid"
or a fix for ATS bug ?
Should I compiled last github version ? Is it a command to pass ?

Offline

#10 2018-03-13 23:27:27

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

that would be for the ATS bug.

I think you can write to the tag anyway,  don't use hf search,   use  14a or mfu commands.
depending on where you bought the card,  it could be using other commands to set uid..

and don't forget the distance...


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#11 2018-03-13 23:45:07

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

so, I really think I lost my ultralight card, each command fail

pm3 --> hf mfu wrbl b 0 d 01234567
iso14443a card select failed

pm3 --> hf mfu restore f 046239F2BF4E80.bin
Restoring 046239F2BF4E80.bin to card
*special* data

DataType  | Data                    | Ascii

----------+-------------------------+---------
Version   | 00 00 00 00 00 00 00 00 | ........
...blablabla...
Restoring data blocks.
#db# Can't select card
failed to write block 4
.#db# Can't select card
failed to write block 5
.#db# Can't select card
failed to write block 6
.#db# Can't select card
failed to write block 7
...blablabla...

I will try another recovery process, but meanwhile, I have another card, so for fix the bug I'm ok for testing.
Just tell me what I can do for it, just update my proxmark3-iceman from github ?

Offline

#12 2018-03-13 23:52:08

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

yes, do a normal pull from iceman fork, compile, and run the client....

I also suggest you stop writing random data to your sensitive blocks like the UID blocks. They follow a certain structure and will 100% brick your tag if you do not use the dedicated commands or know what you are doing.

When you bought the cards, you should have asked the seller about how to change uid.  If there is a special command or, software to do it.


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#13 2018-03-14 00:55:23

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Re,

It's the same bug for ATS with last release. I compile client and update bootrom and os for my pm3

██████╗ ███╗   ███╗ ████╗     ...iceman fork
██╔══██╗████╗ ████║   ══█║
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║   ══█║    iceman@icesql.net
██║     ██║ ╚═╝ ██║ ████╔╝  https://github.com/iceman1001/proxmark3
╚═╝     ╚═╝     ╚═╝ ╚═══╝ v3.1.0

Keep iceman fork alive with a donation!           https://paypal.me/iceman1001/
MONERO: 43mNJLpgBVaTvyZmX9ajcohpvVkaRy1kbZPm8tqAb7itZgfuYecgkRF36rXrKFUkwEGeZedPsASRxgv4HPBHvJwyJdyvQuP


Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-728-gfd7acc7 2018-03-14 00:03:48
      os: iceman/master/ice_v3.1.0-728-gfd7acc7 2018-03-14 00:03:51
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 255749 bytes (49%) Free: 268539 bytes (51%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf 14a info
 UID : 04 15 91 BA 45 03 11
ATQA : 00 44
 SAK : 00 [2]
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
MANUFACTURER : NXP Semiconductors Germany
SAK incorrectly claims that card doesn't support RATS
 ATS : 85 00 00 A0 0A 00 0A B0 00 00 00 00 00 00 00 00 18 4D
       -  TL : length is 133 bytes
ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
       -  T0 : TA1 is NOT present, TB1 is NOT present, TC1 is NOT present, FSCI is 0 (FSC = 4294967280)
Answers to magic commands: NO
pm3 -->

Just I don't have anymore the HB line.

Offline

#14 2018-03-14 07:33:36

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

well,  it does not write the wrong length HB,  which was the fix.

Next step,  getting the trace data from the ATS call,   don't remember if the trace is not clear with all calls inside "14a info".

Lets see what these commands outputs

hf 14a info
hf list 14a

hf mfu info
hf list 14a

&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#15 2018-03-14 09:04:30

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

hello

here the ouput for command
I do it a "hw reset" between command

pm3 --> hf 14a info
 UID : 04 15 91 BA 45 03 11
ATQA : 00 44
 SAK : 00 [2]
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
MANUFACTURER : NXP Semiconductors Germany
SAK incorrectly claims that card doesn't support RATS
 ATS : 85 00 00 A0 0A 00 0A B0 00 00 00 00 00 00 00 00 18 4D
       -  TL : length is 133 bytes
ATS may be corrupted. Length of ATS (18 bytes incl. 2 Bytes CRC) doesn't match TL
       -  T0 : TA1 is NOT present, TB1 is NOT present, TC1 is NOT present, FSCI is 0 (FSC = 4294967280)
Answers to magic commands: NO
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 198 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |88  04  15  91  08                                                       |     |
      19072 |      29536 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      30788 |      34308 | Tag |04  da  17                                                               |     |
      35584 |      38048 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39236 |      45060 | Tag |ba  45  03  11  ed                                                       |     |
      47616 |      58080 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      59332 |      62916 | Tag |00  fe  51                                                               |     |
     501248 |     506016 | Rdr |e0  80  31  73                                                           |  ok | RATS
     507204 |     528004 | Tag |85  00  00  a0  0a  00  0a  b0  00  00  00  00  00  00  00  00  18  4d   |  ok |
          0 |        992 | Rdr |40                                                                       |     | MAGIC WUPC1
     138496 |     143264 | Rdr |50  00  57  cd                                                           |  ok | HALT
pm3 -->


pm3 --> hw reset

pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 15 91 BA 45 03 11
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 08, Ok
      BCC1 : ED, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 00 00 00 00  - 0000

Error: tag didn't answer to READ magic
pm3 --> 
pm3 --> hf list 14a
Recorded Activity (TraceLen = 211 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |88  04  15  91  08                                                       |     |
      19072 |      29536 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      30788 |      34308 | Tag |04  da  17                                                               |     |
      35584 |      38048 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39236 |      45060 | Tag |ba  45  03  11  ed                                                       |     |
      47616 |      58080 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      59332 |      62916 | Tag |00  fe  51                                                               |     |
     496768 |     501536 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
     502724 |     523588 | Tag |04  15  91  08  ba  45  03  11  ed  48  00  00  00  00  00  00  43  83   |  ok |
     958592 |     963296 | Rdr |30  28  48  05                                                           |  ok | READBLOCK(40)
     964548 |     965188 | Tag |00!                                                                      |     |
    1399424 |    1404192 | Rdr |30  2c  6c  43                                                           |  ok | READBLOCK(44)
pm3 -->

Offline

#16 2018-03-14 10:19:18

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

It seems that alright.  The ATS is wrong from the card but the PM3 client tries its best to decode it.

Your card is just acting strange,  where did you buy it?


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#17 2018-03-14 16:17:19

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

I found it on Ebay, seller told me card comes from china but the manufacturing is recent, december 2017.
Manufacturing defect, card too recent, new kind of magic card ? I don't know.
All I know is with "MIFARE++ Ultralight" app for android, read/write/uid is OK.

Offline

#18 2018-03-14 16:49:00

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

hm..
...
with distance,  try

hf mfu info
hf mfu dump
hf mfu setuid 11223344556677
hf list 14a
hf mfu info
hf mfu dump

&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#19 2018-03-14 23:23:31

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Hello

I'm sorry, but I already launch "hf mfu setuid 11223344556677" and the result has been to brick the tag, the effect is immediate.

I launch (with distance of course) :
hf mfu info
hf mfu dump
hf list 14a


Below the output

If you want the dump, I put here : http://lufia.konyxia.com/041591BA450311.bin

pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 15 91 BA 45 03 11
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 08, Ok
      BCC1 : ED, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 00 00 00 00  - 0000

Error: tag didn't answer to READ magic
pm3 -->
pm3 -->
pm3 --> hf mfu dump
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
Reading tag memory...
#db# Cmd Error: 00
#db# Read block 24 error
*special* data

DataType  | Data                    | Ascii

----------+-------------------------+---------
Version   | 00 00 00 00 00 00 00 00 | ........
TBD       | 00 00                   | ..
Tearing   | 00 00 00                | ...
Pack      | 00 00                   | ..
TBD       | 00                      | .
Signature1| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Signature2| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
-------------------------------------------------------------
Block#   | Data        |lck| Ascii

---------+-------------+---+------
  0/0x00 | 04 15 91 08 |   | ....
  1/0x01 | BA 45 03 11 |   | .E..
  2/0x02 | ED 48 00 00 |   | .H..
  3/0x03 | 00 00 00 00 | 0 | ....
  4/0x04 | 00 00 00 00 | 0 | ....
  5/0x05 | 00 00 00 00 | 0 | ....
  6/0x06 | 00 00 00 00 | 0 | ....
  7/0x07 | 00 00 00 00 | 0 | ....
  8/0x08 | 00 00 00 00 | 0 | ....
  9/0x09 | 00 00 00 00 | 0 | ....
 10/0x0A | 00 00 00 00 | 0 | ....
 11/0x0B | 00 00 00 00 | 0 | ....
 12/0x0C | 00 00 00 00 | 0 | ....
 13/0x0D | 00 00 00 00 | 0 | ....
 14/0x0E | 00 00 00 00 | 0 | ....
 15/0x0F | 00 00 00 00 | 0 | ....
 16/0x10 | 00 00 00 00 | 0 | ....
 17/0x11 | 00 00 00 00 | 0 | ....
 18/0x12 | 00 00 00 00 | 0 | ....
 19/0x13 | 00 00 00 00 | 0 | ....
 20/0x14 | 00 00 00 00 | 0 | ....
 21/0x15 | 00 00 00 00 | 0 | ....
 22/0x16 | 00 00 00 00 | 0 | ....
 23/0x17 | 00 00 00 00 | 0 | ....
---------------------------------
Dumped 36 pages, wrote 144 bytes to 041591BA450311.bin
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 1177 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2244 |       4612 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10692 |      16580 | Tag |88  04  15  91  08                                                       |     |
      19072 |      29536 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      30788 |      34308 | Tag |04  da  17                                                               |     |
      35584 |      38048 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39236 |      45060 | Tag |ba  45  03  11  ed                                                       |     |
      47616 |      58080 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      59332 |      62916 | Tag |00  fe  51                                                               |     |
      67456 |      72224 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
      73412 |      94276 | Tag |04  15  91  08  ba  45  03  11  ed  48  00  00  00  00  00  00  43  83   |  ok |
     108288 |     113056 | Rdr |30  01  8b  b9                                                           |  ok | READBLOCK(1)
     114244 |     135108 | Tag |ba  45  03  11  ed  48  00  00  00  00  00  00  00  00  00  00  4c  cd   |  ok |
     149120 |     153824 | Rdr |30  02  10  8b                                                           |  ok | READBLOCK(2)
     155076 |     175940 | Tag |ed  48  00  00  00  00  00  00  00  00  00  00  00  00  00  00  57  8c   |  ok |
     189952 |     194656 | Rdr |30  03  99  9a                                                           |  ok | READBLOCK(3)
     195908 |     216772 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     230784 |     235488 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
     236740 |     257604 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     271616 |     276320 | Rdr |30  05  af  ff                                                           |  ok | READBLOCK(5)
     277572 |     298436 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     312448 |     317216 | Rdr |30  06  34  cd                                                           |  ok | READBLOCK(6)
     318404 |     339268 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     353280 |     358048 | Rdr |30  07  bd  dc                                                           |  ok | READBLOCK(7)
     359236 |     380100 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     394112 |     398816 | Rdr |30  08  4a  24                                                           |  ok | READBLOCK(8)
     400068 |     420932 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     434944 |     439648 | Rdr |30  09  c3  35                                                           |  ok | READBLOCK(9)
     440900 |     461764 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     475776 |     480544 | Rdr |30  0a  58  07                                                           |  ok | READBLOCK(10)
     481732 |     502596 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     516608 |     521376 | Rdr |30  0b  d1  16                                                           |  ok | READBLOCK(11)
     522564 |     543428 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     557440 |     562208 | Rdr |30  0c  6e  62                                                           |  ok | READBLOCK(12)
     563396 |     584260 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     598272 |     603040 | Rdr |30  0d  e7  73                                                           |  ok | READBLOCK(13)
     604228 |     625092 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     639104 |     643808 | Rdr |30  0e  7c  41                                                           |  ok | READBLOCK(14)
     645060 |     665924 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     679936 |     684640 | Rdr |30  0f  f5  50                                                           |  ok | READBLOCK(15)
     685892 |     706756 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     720768 |     725472 | Rdr |30  10  83  b8                                                           |  ok | READBLOCK(16)
     726724 |     747588 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     761600 |     766304 | Rdr |30  11  0a  a9                                                           |  ok | READBLOCK(17)
     767556 |     788420 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     802432 |     807200 | Rdr |30  12  91  9b                                                           |  ok | READBLOCK(18)
     808388 |     829252 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     843264 |     848032 | Rdr |30  13  18  8a                                                           |  ok | READBLOCK(19)
     849220 |     870084 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     884096 |     888864 | Rdr |30  14  a7  fe                                                           |  ok | READBLOCK(20)
     890052 |     910916 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
     924928 |     929696 | Rdr |30  15  2e  ef                                                           |  ok | READBLOCK(21)
     930884 |     951748 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  04  15  91  08  3e  0b   |  ok |
     965760 |     970464 | Rdr |30  16  b5  dd                                                           |  ok | READBLOCK(22)
     971716 |     992516 | Tag |00  00  00  00  00  00  00  00  04  15  91  08  ba  45  03  11  03  aa   |  ok |
    1006592 |    1011296 | Rdr |30  17  3c  cc                                                           |  ok | READBLOCK(23)
    1012548 |    1033412 | Tag |00  00  00  00  04  15  91  08  ba  45  03  11  ed  48  00  00  5d  6e   |  ok |
    1047424 |    1052192 | Rdr |30  18  cb  34                                                           |  ok | READBLOCK(24)
    1053380 |    1054020 | Tag |00!                                                                      |     |
    1080064 |    1084832 | Rdr |50  00  57  cd                                                           |  ok | HALT
pm3 -->

Last edited by Shashadow (2018-03-14 23:24:34)

Offline

#20 2018-03-15 05:14:38

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

hm... Im  curious of this one.

#db# Cmd Error: 00
#db# Read block 24 error

I curious since a UL-C cards should have 43 (0x2B) blocks


Test your acr-reader / android to set UID,   then dump / list  with pm3 ,  post output here.


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#21 2018-03-15 05:27:10

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

What is the output from the Android tag identification or  ACR-reader (nfctools)  ?


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#22 2018-03-15 05:57:28

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

There seem to be locked blocks,  if its because they are locked or (not existing) is another question.

lets try with some default key.

hf mfu info k ffffffffffffffff
hf list 14a

And try to get the output from a UL-C authentication command..

hf 14a raw -s -3 1a00
hf list 14a

Fudan UL-C clone?

hf 14a raw -s -3 -c a00
hf list 14a

hf 14a raw -s -3 -c 30
hf list 14a

&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#23 2018-03-15 16:15:56

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Hello,

for hf mfu info k ffffffffffffffff, PM3 told me the key is incorrect length
I try with ffffffff and 00112233445566778899AABBCCDDEEFF, but no success, it's the first code bloc

for UL-C authen it's the second code bloc

and for "Fundan UL-C clone" the third code bloc


I tried a "hf mfu cauth" command (because with another official Ultralight C I have a result), but here it's not the case
pm3 --> hf mfu cauth
#db# Cmd Error: 00
#db# Authentication failed
Authentication failed
pm3 -->


I take some screenshot from my android (NXP TagInfo and NFC TagInfo), card is recognized as Ultralight C (MF0ICU2), I put file here :
http://lufia.konyxia.com/screenshot/
We can see it's ok up to bloc 24, but not after.

I will make more test this evening with acr122u reader, I will tell you, but as of now I really wonder what kind of ultralight is it...


pm3 --> hf mfu info k ffffffffffffffff
[!] ERROR: Key is incorrect length

It gathers information about the tag and tries to detect what kind it is.
Sometimes the tags are locked down, and you may need a key to be able to read the information
The following tags can be identified:

Ultralight, Ultralight-C, Ultralight EV1, NTAG 203, NTAG 210,
NTAG 212, NTAG 213, NTAG 215, NTAG 216, NTAG I2C 1K & 2K
my-d, my-d NFC, my-d move, my-d move NFC

Usage:  hf mfu info k <key> l
  Options :
  k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]
  l       : (optional) swap entered key's endianness

Examples:
       hf mfu info
       hf mfu info k 00112233445566778899AABBCCDDEEFF
       hf mfu info k AABBCCDDD
pm3 --> 
pm3 --> 
pm3 --> hf mfu info k ffffffff
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Cmd Error: 00
#db# Authentication failed
Authentication Failed UL-C
pm3 --> 
pm3 --> 
pm3 --> hf mfu info k 00112233445566778899AABBCCDDEEFF
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Cmd Error: 00
#db# Authentication failed
Authentication Failed UL-C
pm3 -->
pm3 --> 
pm3 --> hf list 14a
Recorded Activity (TraceLen = 232 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------    
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2228 |       4596 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10676 |      16564 | Tag |88  04  15  91  08                                                       |     |
      19072 |      29536 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      30772 |      34292 | Tag |04  da  17                                                               |     |
      35584 |      38048 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39220 |      45044 | Tag |ba  45  03  11  ed                                                       |     |
      47616 |      58080 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      59316 |      62900 | Tag |00  fe  51                                                               |     |
      66816 |      71584 | Rdr |1a  00  41  76                                                           |  ok | AUTH
      86580 |      99316 | Tag |af  37  d0  db  29  21  a2  a4  e7  a4  95                               |  ok |
     627840 |     649888 | Rdr |af  77  86  cf  d4  85  d2  f0  48  07  3a  3c  df  87  3c  b2  b6  fc   |     |
            |            |     |e6                                                                       |  ok | AUTH_ANSW
     699444 |     700084 | Tag |00!                                                                      |     |
     734720 |     738272 | Rdr |c2  e0  b4                                                               |  ok | RESTORE(224)
     741760 |     746528 | Rdr |50  00  57  cd                                                           |  ok | HALT
pm3 -->
pm3 --> hf 14a raw -s -3 1a00
Card selected. UID[7]:
04 15 91 BA 45 03 11
received 11 bytes:
AF 3B B9 C4 DD 59 A0 BA 76 3D F5
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 165 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------    
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2228 |       4596 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10676 |      16564 | Tag |88  04  15  91  08                                                       |     |
      56960 |      67424 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      68660 |      72180 | Tag |04  da  17                                                               |     |
      73472 |      75936 | Rdr |95  20                                                                   |     | ANTICOLL-2
      77108 |      82932 | Tag |ba  45  03  11  ed                                                       |     |
      85504 |      95968 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      97204 |     100788 | Tag |00  fe  51                                                               |     |
     112768 |     115168 | Rdr |1a  00                                                                   |     | AUTH
     130228 |     142964 | Tag |af  3b  b9  c4  dd  59  a0  ba  76  3d  f5                               | !crc|
pm3 -->
pm3 --> hf 14a raw -s -3 -c a00
Card selected. UID[7]:
04 15 91 BA 45 03 11
received 0 bytes:
pm3 --> 
pm3 --> 
pm3 --> hf list 14a
Recorded Activity (TraceLen = 145 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------    
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2228 |       4596 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10676 |      16564 | Tag |88  04  15  91  08                                                       |     |
      56960 |      67424 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      68660 |      72180 | Tag |04  da  17                                                               |     |
      73472 |      75936 | Rdr |95  20                                                                   |     | ANTICOLL-2
      77108 |      82932 | Tag |ba  45  03  11  ed                                                       |     |
      85504 |      95968 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      97204 |     100788 | Tag |00  fe  51                                                               |     |
     114304 |     117920 | Rdr |a0  f4  f4                                                               |  ok | WRITEBLOCK(244)        

pm3 --> 

------

pm3 --> hf 14a raw -s -3 -c 30
Card selected. UID[7]:
04 15 91 BA 45 03 11
received 0 bytes:
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 145 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------    
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2228 |       4596 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10676 |      16564 | Tag |88  04  15  91  08                                                       |     |
      56960 |      67424 | Rdr |93  70  88  04  15  91  08  e0  4b                                       |  ok | SELECT_UID
      68660 |      72180 | Tag |04  da  17                                                               |     |
      73472 |      75936 | Rdr |95  20                                                                   |     | ANTICOLL-2
      77108 |      82932 | Tag |ba  45  03  11  ed                                                       |     |
      85504 |      95968 | Rdr |95  70  ba  45  03  11  ed  5b  b4                                       |  ok | ANTICOLL-2
      97204 |     100788 | Tag |00  fe  51                                                               |     |
     112896 |     116448 | Rdr |30  7d  60                                                               |  ok | READBLOCK(125)         

pm3 --> 

Offline

#24 2018-03-15 16:32:07

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

ok,  its a UL-C    It reacts correct to the Auth command.

    66816 |      71584 | Rdr |1a  00  41  76                                                           |  ok | AUTH
     86580 |      99316 | Tag |af  37  d0  db  29  21  a2  a4  e7  a4  95  

As seen in your tag-it,   the Auth is set from block 18,   meaning you need a successful authentication in order to read all those blocks.
The PM3 drops,  and doesn't read the rest.  The function could be improved.


So,  ask where you bought it from for the correct key, in order to unlock it.

You can try these keys aswell,
https://github.com/iceman1001/proxmark3 … fmfu.c#L36

 hf mfu info k  ...16 bytes..

&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#25 2018-03-15 18:22:19

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

none of the key is good, each give me the same output :

example :

pm3 --> hf mfu info k 49454D4B41455242214E4143554F5946
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Cmd Error: 00
#db# Authentication failed
Authentication Failed UL-C

ok, so because it's a UL-C we need the key, I will ask to my dealer.

Offline

#26 2018-03-30 22:54:19

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Hello,

I come back after a little break on my ultralight C chinese
My dealer didn't succeed to provide a key... :-( so I have to deal with.

I have a question about UID with proxmark, I don't know why but each time I try to change UID (with "hf mfu setuid 11223344556677"), I brick my card.

After some research, I learnt that BBC0 and BBC1 must to be re-calculate for not bricking the card.
So I have concluded PM3 don't re-calculate right BBC, is it true ?
If it's the case, so why the "hf mfu setuid" command ?

and above all, do you know how I can re-calculate BBC0 and BBC1 ?
example, if I want change UID 04 15 91 BA 3B 9B 11 to 04 15 91 BA 3B 9B 22, how can get right value for BBC ?

Thanks

here my UID Card :

pm3 --> hf mfu dump

  0/0x00 | 04 15 91 08
  1/0x01 | BA 3B 9B 11
  2/0x02 | 0B 48 00 00

...

pm3 --> hf mfu info

        UID : 04 15 91 BA 3B 9B 11
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 08, Ok
      BCC1 : 0B, Ok
  Internal : 48, default
...

Offline

#27 2018-03-30 23:40:14

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

update

I found this thread :
http://www.proxmark.org/forum/viewtopic.php?id=2946
so as Danz I tried to write block by block with a true UID, but unfortunately ... I (again) brick one card :-(

pm3 --> hf mfu wrbl b 0 d 04BE5B69
Special Block: 0 (0x00) [ 04 BE 5B 69 ]
isOk:01

pm3 --> hf mfu wrbl b 1 d 5AF44580
Special Block: 1 (0x01) [ 5A F4 45 80 ]
isOk:01

pm3 --> hf mfu wrbl b 2 d 6B48FFFF
iso14443a card select failed

pm3 --> hf mfu info
iso14443a card select failed
pm3 -->

I think card has bricked after second block.
Is it really impossible to change UID ?

Offline

#28 2018-04-02 22:14:55

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

Hello,

I have understood.
I confirm, PM3 write block by block for ultralight when it changes UID, whatever the commande we use (hf mfu setuid, hf mfu restore ...)

here my output with restore option

pm3 --> hf mfu dump
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
Reading tag memory...
Authentication Failed UL-EV1/NTAG
*special* data

DataType  | Data                    | Ascii

----------+-------------------------+---------
Version   | 00 04 03 01 01 00 0B 03 | ........
TBD       | 00 00                   | ..
Tearing   | BD BD BD                | ...
Pack      | 00 00                   | ..
TBD       | 00                      | .
Signature1| 16 06 C3 1F B1 FD C1 78 BF 5D 7C E5 5D EE EB EB | .......x.]|.]...
Signature2| 41 0A B5 45 D5 30 5A A6 2C 7A 42 39 98 E3 62 63 | A..E.0Z.,zB9..bc
-------------------------------------------------------------
Block#   | Data        |lck| Ascii

---------+-------------+---+------
  0/0x00 | 04 D5 D2 8B |   | ....
  1/0x01 | 5A 57 58 80 |   | ZWX.
  2/0x02 | D5 48 00 00 |   | .H..
  3/0x03 | 12 34 56 78 | 0 | .4Vx
  4/0x04 | 12 34 56 78 | 0 | .4Vx
  5/0x05 | 12 34 56 78 | 0 | .4Vx
  6/0x06 | 12 34 56 78 | 0 | .4Vx
  7/0x07 | 12 34 56 78 | 0 | .4Vx
  8/0x08 | 12 34 56 78 | 0 | .4Vx
  9/0x09 | 12 34 56 78 | 0 | .4Vx
 10/0x0A | 12 34 56 78 | 0 | .4Vx
 11/0x0B | 12 34 56 78 | 0 | .4Vx
 12/0x0C | 12 34 56 78 | 0 | .4Vx
 13/0x0D | 12 34 56 78 | 0 | .4Vx
 14/0x0E | 12 34 56 78 | 0 | .4Vx
 15/0x0F | 12 34 56 78 | 0 | .4Vx
 16/0x10 | 12 34 56 78 | 0 | .4Vx
 17/0x11 | 12 34 56 78 | 0 | .4Vx
 18/0x12 | 00 00 00 00 | 0 | ....
 19/0x13 | 00 00 00 00 | 0 | ....
---------------------------------
Dumped 32 pages, wrote 128 bytes to 04D5D25A575880.bin
pm3 -->



change the card for dump


pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 15 91 BA 51 42 11
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 08, Ok
      BCC1 : B8, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 00 00 00 00  - 0000

Error: tag didn't answer to READ magic
pm3 -->



----- restore bin data -----

pm3 --> hf mfu restore s r f 04D5D25A575880.bin
Restoring 04D5D25A575880.bin to card
*special* data

DataType  | Data                    | Ascii

----------+-------------------------+---------
Version   | 00 04 03 01 01 00 0B 03 | ........
TBD       | 00 00                   | ..
Tearing   | BD BD BD                | ...
Pack      | 00 00                   | ..
TBD       | 00                      | .
Signature1| 16 06 C3 1F B1 FD C1 78 BF 5D 7C E5 5D EE EB EB | .......x.]|.]...
Signature2| 41 0A B5 45 D5 30 5A A6 2C 7A 42 39 98 E3 62 63 | A..E.0Z.,zB9..bc
-------------------------------------------------------------
Block#   | Data        |lck| Ascii

---------+-------------+---+------
  0/0x00 | 04 D5 D2 8B |   | ....
  1/0x01 | 5A 57 58 80 |   | ZWX.
  2/0x02 | D5 48 00 00 |   | .H..
  3/0x03 | 12 34 56 78 | 0 | .4Vx
  4/0x04 | 12 34 56 78 | 0 | .4Vx
  5/0x05 | 12 34 56 78 | 0 | .4Vx
  6/0x06 | 12 34 56 78 | 0 | .4Vx
  7/0x07 | 12 34 56 78 | 0 | .4Vx
  8/0x08 | 12 34 56 78 | 0 | .4Vx
  9/0x09 | 12 34 56 78 | 0 | .4Vx
 10/0x0A | 12 34 56 78 | 0 | .4Vx
 11/0x0B | 12 34 56 78 | 0 | .4Vx
 12/0x0C | 12 34 56 78 | 0 | .4Vx
 13/0x0D | 12 34 56 78 | 0 | .4Vx
 14/0x0E | 12 34 56 78 | 0 | .4Vx
 15/0x0F | 12 34 56 78 | 0 | .4Vx
 16/0x10 | 12 34 56 78 | 0 | .4Vx
 17/0x11 | 12 34 56 78 | 0 | .4Vx
 18/0x12 | 00 00 00 00 | 0 | ....
 19/0x13 | 00 00 00 00 | 0 | ....
---------------------------------
Restoring data blocks.
...........
Restoring configuration blocks.

authentication with keytype[0]  00 00 00 00

special block written 3 - 12 34 56 78

special block written 0 - 04 D5 D2 8B

special block written 1 - 5A 57 58 80

#db# Can't select card
failed to write block 2
special block written 2 - D5 48 00 00

#db# Can't select card
failed to write block 15
special block written 15 - 12 34 56 78

#db# Can't select card
failed to write block 16
special block written 16 - 12 34 56 78

#db# Can't select card
failed to write block 17
special block written 17 - 12 34 56 78

pm3 -->


... card is bricked ...
:-(

and if card is not protect from bad UID iso, the card is bricked.

card is bricked because block 1 is write (contain second part of UID), but block 2 (where we find BCC1) is not consonant with block 1.

and iso UID is for first part :
SN0+SN1+SN2+CT = BCC0
here we have all data in block 0, so no problem we can't brick the card if we put the good BCC0

but for second part UID...
SN3+SN4+SN5+SN6=BCC1
and second UID is on block 1
and BCC1 is on block 2

so if we change second part of UID (in block 1) and we don't do it in the same time the block 2 for BCC1, it's bricked

in conclusion we have 2 kind of card :
- card not brickable, like this one : https://lab401.com/collections/rfid-badges/products/ultralight-uid-modifiable#full_description
(write •Impossible to block / brick)
- and brickable card, as mine, where if you put a bad BBC0 or BBC1 you brick the card

(we can find BCC value with "BCC Calculator" to Android)

The only app I found for change UID with my UID changeable card is "MIFARE++ UltraLight" on Android, none other app doesn't work, not even PM3
Even if I don't know it do it,  MIFARE++ surely write in one time block 0, 1 and 2.
Too bad PM3 doesn't do it :-(
So maybe in a futur update ? with a re-calcul of BCC on the fly ?

My issue is OK, I can close this thread.
Thanks a lot for help me.

See you :-)
David

Last edited by Shashadow (2018-04-02 22:19:04)

Offline

#29 2018-04-03 09:15:17

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

You should be able to write those two blocks (1,2) in the same session with raw commands.

Current impl of hf mfu setuid uses three individual writes with anti-coll, selection.


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#30 2018-04-03 10:30:14

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

lets see if this works on your tags.   I'm not sure  but its worth a try. 

I modified this script.
https://github.com/iceman1001/proxmark3 … ul_uid.lua


pm3 --> sc r ul_uid -h
[+]Executing: ul_uid.lua, args '-h'
----------------------------------------
----------------------------------------

Iceman
v1.0.0
This script tries to set UID on a mifare Ultralight magic card which either
 - answers to chinese backdoor commands
 - brickable magic tag  (must write in one session)

Example usage
         -- backdoor magic tag
         script run ul_uid -u 11223344556677

         -- brickable magic tag
         script run ul_uid -b -u 11223344556677

[+]Finished

&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#31 2018-04-03 19:03:25

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

hello,

it works :-)

pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 BE 5B 5A F4 45 80
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 69, Ok
      BCC1 : 6B, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 12 34 56 78  - 158120

Error: tag didn't answer to READ magic
pm3 -->


pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'

----------------------------------------
----------------------------------------

new UID | 11223344556677
Using BRICKABLE Magic tag function
Card selected. UID[7]:
04 BE 5B 5A F4 45 80
received 1 bytes:
0A
received 1 bytes:
0A
received 1 bytes:
0A
received 0 bytes:

[+]Finished

pm3 -->


pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 11 22 33 44 55 66 77
    UID[0] : 11, Emosyn-EM Microelectronics USA
      BCC0 : 88, Ok
      BCC1 : 00, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 12 34 56 78  - 158120

Error: tag didn't answer to READ magic
pm3 -->

I can now change my uid without brick my card, it's nice.
So, I think this card is like gen2 for mifare classic (or FUID as someone would say) no magic backdoor, brick if invalid BCC, but not easily detectable as a clone by reader.

Anyway, all is working  correctly now, with your last script for UID no more brick card for me :-)
thanks a lot Iceman

Last edited by Shashadow (2018-04-03 19:06:04)

Offline

#32 2018-04-03 19:30:54

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

All well,   no more bricking tags.   Question is if you can put a genuine normal tag together with one bricked magic tag  over antenna and run script.  If you are luckly the bricked tag accepts the write commands ...


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#33 2018-04-03 20:18:38

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

I'm not Lucky for old bricked magic tag, even with a genuine normal tag he doesn't accept write commands.

anyway, script can read first block (block 0 so)... but only the third data (so uid1, uid2, uid3, here the 04 62 39), and stop for the fourth data (so the bcc0, which is a wrong bcc)
and no need to put with a genuine normal tag, with or without normal tag output is the same (exception or multiple tags detected. Collision after Bit xx), example :

pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'

----------------------------------------
----------------------------------------

new UID | 11223344556677
Using BRICKABLE Magic tag function
#db# Multiple tags detected. Collision after Bit 10
Card selected. UID[3]:
04 62 39
received 0 bytes:
received 0 bytes:
received 0 bytes:
received 0 bytes:

[+]Finished

pm3 -->

Offline

#34 2018-04-03 20:49:03

iceman
Administrator
Registered: 2013-04-25
Posts: 4,555
Website

Re: [SOLVED] Problem for read ultralight chinese card with PM3

hm..
try two magic cards,  one bricked,  and one with same uid as bricked but with correct bcc..


&#20912;&#20154;
modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Nothing says thank you as much as a donation!

Online

#35 2018-04-03 21:25:53

Shashadow
Contributor
Registered: 2018-03-13
Posts: 24

Re: [SOLVED] Problem for read ultralight chinese card with PM3

no more success.
I took a magic card with 11223344556677 UID, and a bricked card where I put the same UID.
and even together it's not OK

I tried others combinaison as :
genuine card with same UID than bricked card before changed;
genuine card with UID consistent with BCC on block 0 of bricked card
none has been worked

I'm think it's really dead, but I relieved that their sacrifice wasn't in vain :-)

my magic card

pm3 --> hf mfu info
--- Tag Information ---------

-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 11 22 33 44 55 66 77
    UID[0] : 11, Emosyn-EM Microelectronics USA
      BCC0 : 88, Ok
      BCC1 : 00, Ok
  Internal : 48, default
      Lock : 00 00  - 00
OneTimePad : 00 00 00 00  - 0000

Error: tag didn't answer to READ magic
pm3 -->


my bricked card

pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'

----------------------------------------
----------------------------------------

new UID | 11223344556677
Using BRICKABLE Magic tag function
Card selected. UID[3]:
11 22 33
received 0 bytes:
received 0 bytes:
received 0 bytes:
received 0 bytes:

[+]Finished

pm3 -->



and cards together 

pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'

----------------------------------------
----------------------------------------

new UID | 11223344556677
Using BRICKABLE Magic tag function
#db# Multiple tags detected. Collision after Bit 8
Card selected. UID[3]:
11 22 33
received 0 bytes:
received 0 bytes:
received 0 bytes:
received 0 bytes:

[+]Finished

pm3 --> 

Offline

Board footer

Powered by FluxBB