Proxmark3 developers community


#1 2019-05-27 16:17:38

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Ultralight EV1 valid dump?

Hi,

Today I'm playing with an EV1 tag, but the dump is almost all 00. Is this correct?

proxmark3> hf mfu dump k ffffffff
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
Reading tag memory...

 Block#  | Data        |lck| Ascii
---------+-------------+---+------
  0/0x00 | 04 51 XX 3b |   |
  1/0x01 | XX XX XX 81 |   |
  2/0x02 | 17 48 00 00 |   |
  3/0x03 | 00 00 00 00 | 0 | ....
  4/0x04 | 00 00 00 00 | 0 | ....
  5/0x05 | 00 00 00 00 | 0 | ....
  6/0x06 | 00 00 00 00 | 0 | ....
  7/0x07 | 00 00 00 00 | 0 | ....
  8/0x08 | 00 00 00 00 | 0 | ....
  9/0x09 | 00 00 00 00 | 0 | ....
 10/0x0A | 00 00 00 00 | 0 | ....
 11/0x0B | 00 00 00 00 | 0 | ....
 12/0x0C | 00 00 00 00 | 0 | ....
 13/0x0D | 00 00 00 00 | 0 | ....
 14/0x0E | 00 00 00 00 | 0 | ....
 15/0x0F | 00 00 00 00 | 0 | ....
 16/0x10 | 00 00 00 ff | 0 | ....
 17/0x11 | 00 05 00 00 | 0 | ....
 18/0x12 | ff ff ff ff | 0 | ....
 19/0x13 | 00 00 00 00 | 0 | ....
---------------------------------
Dumped 20 pages, wrote 80 bytes to 0451EXXXXXX281.bin

Why is it all zero?

Thanks!

Last edited by pablomf (2019-05-27 16:23:16)


#2 2019-05-28 07:08:37

piwi
Contributor
Registered: 2013-06-04
Posts: 641

Re: Ultralight EV1 valid dump?

Looks like a perfect dump of an empty card.


#3 2019-05-28 07:47:29

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

How is this possible? It is a vending machine tag charged with 50 cent €.... Maybe... when you add money to the tag they store the card balance in the cloud and the tag is only used to identify the user... amazing!


#4 2019-05-28 08:33:45

iceman
Administrator
Registered: 2013-04-25
Posts: 5,675

Re: Ultralight EV1 valid dump?

Maybe, could also be using the counters on EV1 for it. Dunno how that would actually work with recharging your balance.
Which pm3 do you use?



#5 2019-05-28 12:11:32

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

For recharging you must enter the money on the vending machine and then put the tag on the reader. Then the balance is "linked" to the tag. We have 2 vending machines in the same building, so I moved to the other machine and the balance is shown correctly when I put the tag on the new reader, but as you saw in the dump I posted above all the content is filled with 0.

I'm using a PM3 Easy.

The only way to play with this IMHO is cloning or simulating another user's tags because the balance is not here ... or maybe changing the UID (simulating it with our PM3) will enable the machine to show the balance from another user's tag...


#6 2019-05-28 12:30:23

iceman
Administrator
Registered: 2013-04-25
Posts: 5,675

Re: Ultralight EV1 valid dump?

Yup, try simulating it with your pm3 and see what happens.
Like with only the UID, then with a dump.



#7 2019-05-28 21:18:28

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

I've just received a Chameleon Mini RevE and I uploaded the dump using "MF_ULTRALIGHT_EV1_80B", but I can see 2 important differences when I read it using the PM3:

Original Tag:

--- Tag Counters
       [0] : 00 00 00
                    - BD tearing Ok
       [1] : 00 00 00
                    - BD tearing Ok
       [2] : 00 00 00
                    - BD tearing Ok

Chameleon Mini Tag:

--- Tag Counters
       [0] : 1a 1a 1a
                    - BD tearing Ok
       [1] : 1a 1a 1a
                    - BD tearing Ok
       [2] : 1a 1a 1a
                    - BD tearing Ok

and the second difference:

Original Tag:

Tag ECC Signature : 85 ab 4f 5d a3 af 46 69 ee 89 d6 c5 fb ec 55 ... etc...

Chameleon Mini Tag:

Tag ECC Signature : ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ... etc...

How can I edit these values?

Thanks!


#8 2019-05-28 22:26:34

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

I can reply to myself :)

For the first question: I've just added more 00 to the dump and now the tag counters are 00

And for the second question I edited the MifareUltralight.c:

            case CMD_READ_SIG:
                /* Hardcoded response */
                memset(Buffer, 0xCA, SIGNATURE_LENGTH);
                Buffer[0] = 0x85;  //Ugly but working code
                Buffer[1] = 0xAB;  //Ugly but working code
                ...
                Buffer[31] = 0xD1;  //Ugly but working code
                ISO14443AAppendCRCA(Buffer, SIGNATURE_LENGTH);
                return (SIGNATURE_LENGTH + ISO14443A_CRCA_SIZE) * 8;

I will try to test tomorrow if the chameleon mini can simulate my EV1 tag and I've configured both buttons to increment and/or decrement the UID.

Nice tools!


#9 2019-05-28 22:47:53

mwalker
Contributor
Registered: 2019-05-11
Posts: 140

Re: Ultralight EV1 valid dump?

Is there a restriction on how credit is applied to the card? E.g. in multiples of x.
What I would do is add credit and dump the card including counters.  Then use some credit and dump again.  Compare the dumps.

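The comparison suggested in post #9, as an added example that is not part of the original thread: a page-by-page diff of two raw 80-byte dump files such as the one written by hf mfu dump in post #1. The MF0UL11 region labels, the function names and the sample bytes are assumptions or constructed here; the three counters are not in the 80-byte file and have to be compared separately.

```python
# Added example (not from the thread): page-level diff of two raw
# MIFARE Ultralight EV1 MF0UL11 dumps (20 pages x 4 bytes = 80 bytes).
PAGE_SIZE, PAGES = 4, 20
CONFIG_NAMES = ("CFG0", "CFG1", "PWD", "PACK")  # pages 16..19

def region(page):
    """Name the MF0UL11 memory region that a page number belongs to."""
    if page <= 1:
        return "UID"
    if page == 2:
        return "BCC1/internal/lock"
    if page == 3:
        return "OTP"
    if page <= 15:
        return "user memory"
    return CONFIG_NAMES[page - 16]

def split_pages(dump):
    """Split a raw dump into 4-byte pages, rejecting files of the wrong size."""
    if len(dump) != PAGE_SIZE * PAGES:
        raise ValueError(f"expected {PAGE_SIZE * PAGES} bytes, got {len(dump)}")
    return [dump[i:i + PAGE_SIZE] for i in range(0, len(dump), PAGE_SIZE)]

def diff_dumps(before, after):
    """Return (page, region, old_hex, new_hex) for every page that changed."""
    pairs = zip(split_pages(before), split_pages(after))
    return [(n, region(n), a.hex(), b.hex())
            for n, (a, b) in enumerate(pairs) if a != b]

def user_memory_blank(dump):
    """True when pages 4..15 are all zero, as in the dump in post #1."""
    return all(p == bytes(PAGE_SIZE) for p in split_pages(dump)[4:16])

def make_dump(user=bytes(48)):
    """Constructed sample dump: made-up UID pages, config as in post #1."""
    head = bytes.fromhex("04112233" "44556677" "17480000" "00000000")
    cfg = bytes.fromhex("000000ff" "00050000" "ffffffff" "00000000")
    return head + user + cfg

if __name__ == "__main__":
    before = make_dump()
    user = bytearray(48)
    user[4:8] = bytes.fromhex("00000032")   # constructed change in page 5
    after = make_dump(bytes(user))
    print("user memory blank before:", user_memory_blank(before))
    for page, name, old, new in diff_dumps(before, after):
        print(f"page {page:2d} ({name}): {old} -> {new}")
```

An empty diff between a dump taken before and after a purchase, together with unchanged counters, is what points to the balance being held outside the tag.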

#10 2019-05-29 16:18:51

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

I've tested it today with my Chameleon mini RevE and it worked! So I can confirm it: the tag balance is not in the tag.

Another test I made: I changed the UID with the buttons (I incremented the UID one at a time, up to 8 steps) and nothing happened. I mean the card was detected and the balance was not printed in the machine. I'm not sure if the signature is important here. I will configure 2 tags in the Chameleon: one with the working UID and signature (already tested and working) and another tag with the same UID but with a different signature. Let's see what happens...

One question about sniffing... why does the Chameleon mini RevE from IceMan not include the command ISO14443A_SNIFF? Is it not possible to sniff with this version?

Thanks!


#11 2019-06-06 20:07:54

bogito
Contributor
Registered: 2017-10-18
Posts: 43

Re: Ultralight EV1 valid dump?

Good to hear that someone actually tried successfully the ULEV1 capabilities of Chameleon RevE.
Have you got results from the tests you mentioned? Signature should remain static, independent of the UID.
As for your question, Chameleon RevE can only be used for emulation, thus no sniffing.


#12 2019-06-10 11:13:15

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

Yes, the vending machine does not check the signature. I modified the signature with the same UID and I can use the money without any issues. And using the Chameleon I simulated the tag with a different UID and I charged 10 cents to the new UID with success. Now I can swap between both and see the money loaded on both tags. This is crazy because if I find another user's UID I can use his/her money. The security is poor.

Last edited by pablomf (2019-06-10 11:18:46)


#13 2019-06-10 11:18:28

pablomf
Contributor
Registered: 2019-04-07
Posts: 12

Re: Ultralight EV1 valid dump?

bogito wrote:

Good to hear that someone actually tried successfully the ULEV1 capabilities of Chameleon RevE.
Have you got results from the tests you mentioned? Signature should remain static, independent of the UID.
As for your question, Chameleon RevE can only be used for emulation, thus no sniffing.

Then I don't understand why the Chameleon web page shows this feature (sniff):

Feature                 RevE: Rebooted   RevE     RevG
Buttons                 2                1        2
LED                     8                1        2
Battery                 High Energy      No       Possible
Standby                 3 Years          N/A      3 Months
Auto Scan Wakeup        Yes              No       No
Case                    Yes (ABS)        No       No
Scan Range              High             Medium   Medium
Read without original   Yes              No       No
UID to Activate Card    Yes              No       No
Sniff                   Yes              Yes      Yes

https://lab401.com/products/chameleon-m … e-rebooted


#14 2019-07-25 03:10:36

cds333
Contributor
Registered: 2019-04-06
Posts: 17

Re: Ultralight EV1 valid dump?

Just out of curiosity what happens when you temporarily block the internet connectivity of the vending machine? I would be interested to know if it completely suspends transactions until connectivity is reestablished, or if it has some kind of on-board memory which stores users' balances for just such an occasion.

