Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-04-18 12:50:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

New Mifare Ultralight tag and backdoor commands.

I got some magic Midare Ultralight keyfobs from a forum user,  stating that they respondes to the chinese magic backdoor commands.  S/he also said they needed to be sent before modifications to Block0,1..

hf 14a read

pm3 --> hf 14a re
 UID : 53 98 21 20 00 79 80
ATQA : 00 44
 SAK : 00 [2]
TYPE : MIFARE Ultralight (MF0ICU1)
MANUFACTURER : no tag-info available
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES                              <--- look here!

hf mfu info

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight (MF0ICU1)                       <--- currently not identified as magic in our imp.
       UID : 53 98 21 20 00 79 80
    UID[0] : 53, no tag-info available
      BCC0 : 62, Ok
      BCC1 : D9, Ok
  Internal : 48, default
      Lock : 00 00  - 0
OneTimePad : 00 00 00 00  - 000

hf list 14a

pm3 --> hf list 14a
Recorded Activity (TraceLen = 199 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|

          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10676 |      16564 | Tag |88  53  98  21  62                                               |     |
      18688 |      29152 | Rdr |93  70  88  53  98  21  62  76  cc                               |  ok | SELECT_UID
      30388 |      33908 | Tag |04  da  17                                                       |     |
      35200 |      37664 | Rdr |95  20                                                           |     | ANTICOLL-2
      38836 |      44724 | Tag |20  00  79  80  d9                                               |     |
      46848 |      57312 | Rdr |95  70  20  00  79  80  d9  86  3a                               |  ok | ANTICOLL-2
      58548 |      62132 | Tag |00  fe  51                                                       |     |
    1047168 |    1051936 | Rdr |e0  80  31  73                                                   |  ok | RATS
    2333568 |    2334560 | Rdr |40                                                               |     | MAGIC WUPC1
    2336052 |    2336628 | Tag |0a!                                                              |     |
    2340608 |    2341920 | Rdr |43                                                               |     | MAGIC WUPC2
    2343092 |    2343668 | Tag |0a!                                                              |     |
    2347648 |    2352416 | Rdr |50  00  57  cd                                                   |  ok | HALT
pm3 -->

Offline

#2 2016-04-18 13:02:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

Writing to block 0,  using the raw commands works.

pm3 --> hf 14a raw -p -b 7 40
received 1 octets
0A
pm3 --> hf 14a raw -p 43
received 1 octets
0A
pm3 --> hf 14a raw -p -c a20059982120
received 1 octets
0A
pm3 --> hf li 14a
Recorded Activity (TraceLen = 266 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|

          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10676 |      16564 | Tag |88  53  98  21  62                                               |     |
      18688 |      29152 | Rdr |93  70  88  53  98  21  62  76  cc                               |  ok | SELECT_UID
      30388 |      33908 | Tag |04  da  17                                                       |     |
      35200 |      37664 | Rdr |95  20                                                           |     | ANTICOLL-2
      38836 |      44724 | Tag |20  00  79  80  d9                                               |     |
      46848 |      57312 | Rdr |95  70  20  00  79  80  d9  86  3a                               |  ok | ANTICOLL-2
      58548 |      62132 | Tag |00  fe  51                                                       |     |
    1047168 |    1051936 | Rdr |e0  80  31  73                                                   |  ok | RATS
    2333440 |    2334432 | Rdr |40                                                               |     | MAGIC WUPC1
    2335924 |    2336500 | Tag |0a!                                                              |     |
    2340480 |    2341792 | Rdr |43                                                               |     | MAGIC WUPC2
    2342964 |    2343540 | Tag |0a!                                                              |     |
    2347520 |    2352288 | Rdr |50  00  57  cd                                                   |  ok | HALT
    3609728 |    3610720 | Rdr |40                                                               |     | MAGIC WUPC1
    3612340 |    3612916 | Tag |0a!                                                              |     |
    4859904 |    4861216 | Rdr |43                                                               |     | MAGIC WUPC2
    4862516 |    4863092 | Tag |0a!                                                              |     |
   24320384 |   24329760 | Rdr |a2  00  59  98  21  20  00  c7                                   |  ok | WRITEBLOCK(0)
   24372532 |   24373108 | Tag |0a!                                                              |     |

Offline

#3 2016-04-18 13:20:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

The "hf mf cgetblk"  works,  but remember these commands works on 16bytes size,  not 4 like the UL has.

pm3 --> hf mf cgetblk 0
--block number: 0
data: 53 80 71 2A 02 00 D9 80 5B 48 00 00 00 00 00 00
pm3 --> hf mf cgetblk 1
--block number: 1
data: 02 00 D9 80 5B 48 00 00 00 00 00 00 00 00 00 00
pm3 --> hf mf cgetblk 2
--block number: 2
data: 5B 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pm3 -->

Offline

#4 2016-04-18 13:21:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

Don't use the "hf mf csetuid",  that will ruin it.

the "hf mfu setuid"  doesn't work either.

Offline

#5 2016-04-20 09:26:53

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: New Mifare Ultralight tag and backdoor commands.

Great so where do you suggest we get ultralight Chinese cards and the only commands we should use in order not to ruin it ?

I got one from xpfga and ruin it the same way above.

Offline

#6 2016-04-20 10:25:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

You are lucky that it is based on backdoor commands.
You can easily re-write it the raw commands as seen above.

If you screwed up block 0,1,2  (where the uid is located)  then just don't use the select option in raw cmd.
and write 3 new blocks with correct BBC and CRC

Offline

#7 2016-05-15 18:53:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

I changed my 'remagic.luc' script to revive these cards also.   "script run remagic -u"

I've also been curious on these backdoor commands,    trying to understand what they do.
We know since before that:
0x40 is init.
0x41 is wipe
0x43 is not keys needed for reading and writing. it just runs the commands given afterwards.   


  0x40, init backdoor mode
  0x41, wipe fills card with 0xFF
  0x42, fills card with 0x00
  0x43, no authentication needed.  issue a 0x3000 to read block 0, or write block.
  0x44, fills card with 0x55
  0x45, fills card with 0xAA
  0x46, fills card with 0x00
  0x47, ??
  0x48, ??
  0x49, ??
  

used commands:

pm3 --> hf 14a raw -p -a -b 7 40
pm3 --> hf 14a raw -p -a 44

Offline

#8 2016-05-15 18:54:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

The 0x47, 0x48, 0x49 is accepted with a  0x0A but what to do next?

Offline

#9 2017-03-24 00:35:10

clayer
Contributor
Registered: 2013-12-22
Posts: 45

Re: New Mifare Ultralight tag and backdoor commands.

i`ve killed down magic UL tag
proxmark3> hf 14a re
iso14443a card select failed

but
proxmark3> hf mf cgetblk 0
--block number: 0
block data:04 01 02 8f ff ff ff ff ff ff ff ff ff ff ff ff

revive commands doesn`t help to get back tag.

How i can restore to work condition?

Which raw command must send?

Offline

#10 2017-03-24 03:24:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: New Mifare Ultralight tag and backdoor commands.

which software are you using?
which version of magic ul was it?  Looks like magic UL which answers to backdoor cmds.
if it is,  you can use hf 14a raw or hf mf csetbl commands to write new data to the first three blocks. ie blocks 0,1,2


For speed, just dump a working UL card, and take its three first blocks to make your magic UL work again wink

Offline

#11 2017-04-11 00:35:30

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: New Mifare Ultralight tag and backdoor commands.

I've dump it block by block last year on UL magic card .. worked perfectly ! didn't use csetuid or mfu set.

Offline

Board footer

Powered by FluxBB