Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2014-10-18 07:16:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Ultralight otp - lockbits

I just read
https://www.defcon.org/images/defcon-21 … pdated.pdf

and was thinking if it would be kind of fun to have bit-fiddling UL functions.

But then, I've seen very many ultralight implementations at all, for it to be interesting.

Offline

#2 2014-10-18 07:24:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

Latest progress? With a new release imminent at Black Hat.

https://bughardy.me/you-found-wonkas-golden-ticket/

Should be suitable using lua-script.. hm...

Offline

#3 2014-10-18 10:25:51

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Ultralight otp - lockbits

Those "vulnerabilities" (better: "bad implementations") have been known for 1 year (almost) and yeah, with a lua script you can add it to pm3 in an easy way.

Offline

#4 2014-10-18 13:03:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

One of these days I will learn to spellcheck/proofread before posting...

"I've NOT seen very many.."

When it comes to making a script, it is always easier when you have an actual target implementation to focus upon.

I.e.: otp is used, how about trying to lock that block? I wonder if my UL magic cards don't honour the lockbits (so I don't freeze a card forever)...

Offline

#5 2014-10-18 13:09:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

Does someone have any dumps from the mentioned cards used? And are willing to share them?

Offline

#6 2015-02-15 10:39:50

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

Hello to everyone, this is my dump of a virgin UL of a bus ticket.

proxmark3> hf mf urdcard
Attempting to Read Ultralight...
#db# Cmd Error: 00
#db# Read block 0 error
#db# READ CARD FINISHED
isOk:01
Block   0:0a ee 44 82
Block   1:dd 84 b7 95
Block   3:f9 18 53 65  [1]
Block   4:59 8a c4 ab  [0]
Block   5:c6 3a fb 34  [0]
Block   6:ac 7f 14 92  [0]
Block   7:d1 a1 ed 5d  [1]
Block   8:2a 8e 8e ab  [0]
Block   9:46 23 78 50  [1]
Block  10:00 00 fb ff  [1]
Block  11:81 80 00 00  [1]
Block  12:50 00 20 00  [0]
Block  13:01 0b 00 00  [0]
Block  14:01 00 00 00  [0]
Block  15:00 02 00 00  [0]

Block 2 is not visible, I do not know the reason.

Offline

#7 2015-02-22 21:04:06

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

Do you know why it is hidden?

Offline

#8 2015-02-22 21:25:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

If you are using the compile-environment and are compiling it yourself, you can debug where the read fails on device-side. If I remember it right, there were up to 4 different reasons for a read to fail in the code.

Offline

#9 2015-02-27 10:16:15

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

I use proxmark3 on client windows pm007

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 839 2013-12-05 07:11:23                 
#db# os: svn 852 2014-04-01 19:42:32                 
#db# FPGA image built on 2014/03/21 at 19:45:15                 
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory

Now I see all blocks, but at each reading some data changes and I cannot write a block:
proxmark3> hf mfu wrbl 15 01010101
--block no:0f         
--data: 01 01 01 01           
#db# Cmd Addr Error: 00                 
#db# Write block error                 
#db# WRITE BLOCK FINISHED                 
isOk:00

Offline

#10 2015-02-27 13:46:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Ultralight otp - lockbits

Your proxmark is running very dated firmware. You need to flash bootrom, FPGA, and os.

Offline

#11 2015-03-02 10:17:37

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

OK, I have flashed.

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: /-suspect 2015-01-31 07:13:30                 
#db# os: /-suspect 2015-01-31 07:13:36                 
#db# HF FPGA image built on 2015/01/15 at 12:19:06                 
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory

But now:

proxmark3> hf mfu dump 
Dumping Ultralight Card Data...         
#db# Pages 16                 
#db# Cmd Error: 00                 
#db# Read block 0 error                 
Command execute timeout

Help me, please.

Offline

#12 2015-03-02 10:18:56

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

If I try with a magic ultralight, this works well:

proxmark3> hf mfu dump 
Dumping Ultralight Card Data...         
#db# Pages 16                 
#db# Pages read 16                 
Block 00:00 00 00 00           
Block 01:77 77 77 77           
Block 02:00 00 00 00           
Block 03:00 00 00 00  [0]         
Block 04:00 00 00 00  [0]         
Block 05:00 00 00 00  [0]         
Block 06:00 00 00 00  [0]         
Block 07:00 00 00 00  [0]         
Block 08:00 00 00 00  [0]         
Block 09:00 00 00 00  [0]         
Block 0a:00 00 00 00  [0]         
Block 0b:00 00 00 00  [0]         
Block 0c:00 00 00 00  [0]         
Block 0d:00 00 00 00  [0]         
Block 0e:00 00 00 00  [0]         
Block 0f:00 00 00 00  [0]         
Dumped 16 pages, wrote 64 bytes to 00000077777777.bin

Offline

#13 2015-03-02 10:51:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

If I remember correctly, the cmd error 0x00 means "can't select the tag". Try holding the tag differently over the antenna.

Offline

#14 2015-03-02 12:50:58

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

But if I send:

proxmark3> hf 14a read
ATQA : 00 44         
UID : 04 57 b6 e2 05 3f 80           
SAK : 00 [2]         
MANUFACTURER : NXP Semiconductors Germany         
TYPE : NXP MIFARE Ultralight | Ultralight C         
proprietary non iso14443-4 card found, RATS not supported         
Answers to chinese magic backdoor commands: NO

So, the antenna is good...

Offline

#15 2015-03-02 13:25:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

It's not about the antenna.. it's about how to place the tag.
But if the "hf 14a read" works, then you should be able to "hf mfu dump", with another errorcode than 0x00.

Offline

#16 2015-03-02 19:30:28

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

I begin to think that it is a new MIFARE Ultralight EV1 :( with a 32-bit password

http://www.nxp.com/documents/leaflet/MIFARE_Ultralight_EV1_v21.pdf

Offline

#17 2015-03-02 22:32:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

Have you tried different default passwords?

Offline

#18 2015-03-03 00:31:52

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

How can I do that? What commands do I have to send to the card for the passwords?

Offline

#19 2015-03-03 00:58:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

You can always test the... "hf mfu cauth" command..
Most of the commands implement the 'h' help parameter.

Offline

#20 2015-03-04 00:34:31

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

OK, it is a MF0UL11, because if I send the raw command 60h I received:
received 10 octets
00 04 03 01 01 00 0B 03 FD F7
So, from the datasheet it is a MIFARE Ultralight EV1 :( :( :( :(

Offline
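
Added example (not part of the original posts, and not Proxmark3 code): a decoder for the 10-byte GET_VERSION (60h) reply quoted in post #20, which checks the trailing ISO/IEC 14443-3 CRC_A and maps the fields to a tag type. The field meanings and code values are taken from the NXP MF0ULx1 datasheet; the function names are hypothetical.

```python
# Added example: decode an Ultralight GET_VERSION (60h) reply such as the one in post #20.
# Field meanings and code values follow the NXP MF0ULx1 datasheet's GET_VERSION table.

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def storage_range(code: int) -> tuple:
    """Upper 7 bits give n. LSB 0: exactly 2^n bytes; LSB 1: between 2^n and 2^(n+1)."""
    n = code >> 1
    return (1 << n, 1 << (n + 1)) if code & 1 else (1 << n, 1 << n)


def parse_get_version(hex_reply: str) -> dict:
    raw = bytes.fromhex(hex_reply)
    if len(raw) != 10:
        raise ValueError("expected 8 version bytes followed by 2 CRC bytes")
    body, crc = raw[:8], raw[8:]
    if crc_a(body) != crc:
        raise ValueError("CRC_A mismatch: reply is corrupted or truncated")
    if body[0] != 0x00:
        raise ValueError("fixed header byte is not 00h")
    is_ul_ev1 = body[1] == 0x04 and body[2] == 0x03 and body[4] == 0x01
    ic = {0x0B: "MF0UL11", 0x0E: "MF0UL21"}.get(body[6]) if is_ul_ev1 else None
    return {
        "vendor": "NXP Semiconductors" if body[1] == 0x04 else hex(body[1]),
        "product": "MIFARE Ultralight" if body[2] == 0x03 else hex(body[2]),
        "input_capacitance": {0x01: "17 pF", 0x02: "50 pF"}.get(body[3], hex(body[3])),
        "version": "EV1 V%d" % body[5] if body[4] == 0x01 else "%d.%d" % (body[4], body[5]),
        "user_memory_bytes": storage_range(body[6]),
        "iso14443_3": body[7] == 0x03,
        "ic": ic or "unknown",
    }


if __name__ == "__main__":
    # Reply bytes exactly as posted in the thread (8 data bytes + CRC_A).
    for key, value in parse_get_version("00 04 03 01 01 00 0B 03 FD F7").items():
        print(f"{key:18} {value}")
```

The storage-size byte 0Bh decodes to a range of 32 to 64 bytes, which fits the 48 bytes of user memory on the MF0UL11; 0Eh would decode to exactly 128 bytes (MF0UL21).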

#21 2015-03-04 00:35:35

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Ultralight otp - lockbits

Can I sniff the password with the proxmark?

Offline

#22 2015-03-04 10:03:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Ultralight otp - lockbits

Don't know how the password is transferred for the UL EV1. But if it is a des/3des/aes, then normally no. That kind of password is never transferred over the rfid. It's based on the notion of a shared secret.

Offline
