Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2020-06-04 11:20:50

iceman
Administrator
Registered: 2013-04-25
Posts: 6,473
Website

Bose QuietComfort 35 headset

Turns out that my Bose QuietComfort 35 headset has NFC capabilities.
Just take your smartphone and start up NXP taginfo app and you can scan your headset.
Its a simple NTAG203 with a NDEF record.

So reading/writing/simulation is easy.



[usb] pm3 --> hf mfu in

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: NTAG 203 144bytes (NT2H0301F0DT)
[+]        UID: 04 66 D6 5F 00 50 9C
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 3C (ok)
[+]       BCC1: 93 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: E1 10 12 00  - 2110

[=] --- NDEF Message
[+] Capability Container: E1 10 12 00
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   12: Physical Memory Size: 144 bytes
[+]   12: NDEF Memory Size: 144 bytes
[+]   Additional feature information
[+]   00
[+]   00000000
[+]   xxx      - 00: RFU (ok)
[+]      x     - 00: don't support special frame
[+]       x    - 00: don't support lock block
[+]        xx  - 00: RFU (ok)
[+]          x - 00: IC don't support multiple block reads
[usb] pm3 --> hf mfu ndef

[=] --- NDEF Message
[+] Capability Container: E1 10 12 00
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   12: Physical Memory Size: 144 bytes
[+]   12: NDEF Memory Size: 144 bytes
[+]   Additional feature information
[+]   00
[+]   00000000
[+]   xxx      - 00: RFU (ok)
[+]      x     - 00: don't support special frame
[+]       x    - 00: don't support lock block
[+]        xx  - 00: RFU (ok)
[+]          x - 00: IC don't support multiple block reads
[=] Tag reported size vs NDEF reported size mismatch. Using smallest value
[=]
[=] NDEF parsing
[=] -----------------------------------------------------
[+] Found NDEF message (67 bytes)

[+] Record 1
[=] -----------------------------------------------------
[=] Header:
[+]     Message Begin:    +
[+]     Message End:      +
[+]     Chunk Flag:       -
[+]     Short Record Bit: +
[+]     ID Len Present:   +
[+]     Type Name Format: [0x02] MIME Media Record
[+]     Header length    : 4
[+]     Type length      : 32
[+]     Payload length   : 30
[+]     ID length        : 1
[+]     Record length    : 67
[=] Type data:
        00: 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e |application/vnd.
        10: 62 6c 75 65 74 6f 6f 74 68 2e 65 70 2e 6f 6f 62 |bluetooth.ep.oob
[=] ID data:
        00: 30                                              |0
[=] Payload data:
        00: 1e 00 8f 08 00 0e 02 00 15 09 42 6f 73 65 20 51 |..........Bose Q
        10: 75 69 65 74 43 6f 6d 66 6f 72 74 20 33 35       |uietComfort 35
[=] MIME Media Record
[=]      -to be impl-
[=] -----------------------------------------------------
[+] -- NDEF Terminator. Done.

Dumping no issue,

Block#   | Data        |lck| Ascii
---------+-------------+---+------
  0/0x00 | 04 66 D6 3C |   | .f.<
  1/0x01 | 5F 00 50 9C |   | _.P.
  2/0x02 | 93 48 00 00 |   | .H..
  3/0x03 | E1 10 12 00 | 0 | ....
  4/0x04 | 03 43 DA 20 | 0 | .C.
  5/0x05 | 1E 01 61 70 | 0 | ..ap
  6/0x06 | 70 6C 69 63 | 0 | plic
  7/0x07 | 61 74 69 6F | 0 | atio
  8/0x08 | 6E 2F 76 6E | 0 | n/vn
  9/0x09 | 64 2E 62 6C | 0 | d.bl
 10/0x0A | 75 65 74 6F | 0 | ueto
 11/0x0B | 6F 74 68 2E | 0 | oth.
 12/0x0C | 65 70 2E 6F | 0 | ep.o
 13/0x0D | 6F 62 30 1E | 0 | ob0.
 14/0x0E | 00 8F 08 00 | 0 | ....
 15/0x0F | 0E 02 00 15 | 0 | ....
 16/0x10 | 09 42 6F 73 | 0 | .Bos
 17/0x11 | 65 20 51 75 | 0 | e Qu
 18/0x12 | 69 65 74 43 | 0 | ietC
 19/0x13 | 6F 6D 66 6F | 0 | omfo
 20/0x14 | 72 74 20 33 | 0 | rt 3
 21/0x15 | 35 FE 00 00 | 0 | 5...
 22/0x16 | 00 00 00 00 | 0 | ....
 23/0x17 | 00 00 00 00 | 0 | ....
 24/0x18 | 00 00 00 00 | 0 | ....
 25/0x19 | 00 00 00 00 | 0 | ....
 26/0x1A | 00 00 00 00 | 0 | ....
 27/0x1B | 00 00 00 00 | 0 | ....
 28/0x1C | 00 00 00 00 | 0 | ....
 29/0x1D | 00 00 00 00 | 0 | ....
 30/0x1E | 00 00 00 00 | 0 | ....
 31/0x1F | 00 00 00 00 | 0 | ....
 32/0x20 | 00 00 00 00 | 0 | ....
 33/0x21 | 00 00 00 00 | 0 | ....
 34/0x22 | 00 00 00 00 | 0 | ....
 35/0x23 | 00 00 00 00 | 0 | ....
 36/0x24 | 00 00 00 00 | 0 | ....
 37/0x25 | 00 00 00 00 | 0 | ....
 38/0x26 | 00 00 00 00 | 0 | ....
 39/0x27 | 00 00 00 00 | 0 | ....
 40/0x28 | 00 00 00 00 | 0 | ....
 41/0x29 | 00 00 00 00 | 0 | ....
---------------------------------

Writing is no issue,

[usb] pm3 --> hf mfu wrbl b 28 d 1ce1cebb
Block: 28 (0x1C) [ 1C E1 CE BB ]
[+] isOk:01
[usb] pm3 --> hf mfu rdbl b 28

Block#  | Data        | Ascii
-----------------------------
28/0x1C | 1C E1 CE BB | ....

Simulation is no issue, 

hf mfu dump
script run dump2emul-mfu -i hf-mfu-0466D65F00509C-dump.bin -o hf-mfu-0466D65F00509C-dump.eml
hf mfu eload hf-mfu-0466D65F00509C-dump
hf 14a sim t 2

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

Board footer

Powered by FluxBB