[Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

Shashadow · 2018-05-03 19:15:08

Hello,

Another problem with my NTAG21X from Lab401.
When I change type to NTAG216 with iceman script (https://lab401.com/blogs/academy/magic-ntag-21x-getting-started) :
(script run mfu_magic.lua -t 7)
I can't change UID after, regarless of way I use

pm3 --> hf 14a info
 UID : 04 11 22 33 44 55 66
ATQA : 00 44
 SAK : 00 [2]
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO

pm3 --> script run mfu_magic.lua -u 04123456789012
[+] Executing: mfu_magic.lua, args '-u 04123456789012'

----------------------------------------
----------------------------------------

Writing
new UID | 04123456789012
Blk#    |
    00  |041234AA
    01  |56789012
    02  |AC480000
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes:
04
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes:
04
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes:
04

[+] Finished

pm3 -->
pm3 --> hf 14a info
 UID : 04 11 22 33 44 55 66
ATQA : 00 44
 SAK : 00 [2]
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO

I try with ul_uid, but no more success

pm3 --> script run ul_uid -b -u 04123456789012
[+] Executing: ul_uid.lua, args '-b -u 04123456789012'

----------------------------------------
----------------------------------------

new UID | 04123456789012
Using BRICKABLE Magic tag function
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes:
04
received 1 bytes:
04
received 1 bytes:
04
received 0 bytes:

[+] Finished

BUT... however if I change my type for UL_EV1 48k (script run mfu_magic.lua -t 1)

I have no issue for change UID, with ul_uid.lua or mfu_magic.lua, all is done.
and if I switch from UL_EV1 48k to NTAG216, UID stay, but after switch, unable to change UID.

I try with a smartphone for change data, but impossible, it seems to be locked when we are with NTAG216 type.
and it's a little problem for make a dump even partial from my genuine tag.
any idea ?
Thanks

Last edited by Shashadow (2018-05-04 07:16:30)

iceman · 2018-05-03 19:28:18

there are some youtube videos where I covered most of current functionality in the script. I belive you will find it useful.

link to channel
https://www.youtube.com/channel/UCwukH1 … DuT18dE1RA

meanwhile, gather some info about the script/card.

script run mfu_magic -h

script run mfu_magic -c

Shashadow · 2018-05-03 19:42:35

I am looking for YouTube video.
meanwhile here output for -c with mfu_magic

pm3 --> script run mfu_magic -c
[+] Executing: mfu_magic.lua, args '-c'

----------------------------------------
----------------------------------------

Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 37 CB
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF FF FF FF FF 00 04 04 02 BD 1F
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF FF FF FF FF 00 04 04 02 01 00 13 03 D9 B4
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
FF FF FF FF 00 04 04 02 01 00 13 03 02 00 00 00 0F D1
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
00 04 04 02 01 00 13 03 02 00 00 00 FF FF FF FF F2 94
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
01 00 13 03 02 00 00 00 FF FF FF FF FF FF FF FF E7 19
Card selected. UID[7]:
04 11 22 33 44 55 66
received 18 bytes:
02 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF C5 D9

[+] Finished

pm3 -->

iceman · 2018-05-03 19:43:50

hm.. run the -h , I want to see which version you are using

Shashadow · 2018-05-03 19:48:14

oki

for -h

pm3 --> script run mfu_magic -h
[+] Executing: mfu_magic.lua, args '-h'

----------------------------------------
----------------------------------------

Copyright (c) 2017 IceSQL AB. All rights reserved.
v1.0.5
This script enables easy programming of a MAGIC NTAG 21* card
script run mfu_magic -h -c -w -k <passwd> -u <uid> -t <type> -p <passwd> -a <pack> -s <signature> -o <otp> -v <version>

Arguments:
        -h              this help
        -c              read magic configuration
        -u              UID (14 hexsymbols), set UID on tag
        -t              tag type to impersonate
                                 1 = UL_EV1 48k
                                 2 = UL_EV1 128k
                                 3 = NTAG 210
                                 4 = NTAG 212
                                 5 = NTAG 213 (true)
                                 6 = NTAG 215 (true)
                                 7 = NTAG 216 (true)
                                 8 = NTAG I2C 1K
                                 9 = NTAG I2C 2K
                                10 = NTAG I2C 1K PLUS
                                11 = NTAG I2C 2K PLUS
        -p              password (8 hexsymbols),  set password on tag.
        -a              pack ( 4 hexsymbols), set pack on tag.
        -s              signature data (64 hexsymbols), set signature data on tag.
        -o              OTP data (8 hexsymbols), set one-time-pad data on tag.
        -v              version data (16 hexsymbols), set version data on tag.
        -w              wipe tag. You can specify password if the tag has been locked down. Fills tag with zeros and put default values for NTAG213 (like -t 5)
        -k              pwd to use with the wipe option

Example usage
        -- wipe tag
        script run mfu_magic -w

        -- wipe a locked down tag by giving the password
        script run mfu_magic -w -k ffffffff

        --read magic tag configuration
        script run mfu_magic -c

        -- set uid
        script run mfu_magic -u 04112233445566

        -- set pwd / pack
        script run mfu_magic -p 11223344 -a 8080

        -- set version to NTAG213
        script run mfu_magic -v 0004040201000f03

        -- set signature
        script run mfu_magic -s 1122334455667788990011223344556677889900112233445566778899001122


[+] Finished

pm3 -->

iceman · 2018-05-03 22:06:03

is this one also still problematic?

Shashadow · 2018-05-03 22:34:28

no it's not really problematic.
my true problem was the dump of ntag216, which you have resolved just before.
When I restore my dump, all is ok and UID too, I just believed this issue was related.

anyway, I don't understand ... but I think last release has something to do with this, because now all is working !!!
I can change UID with "mfu_magic", it's wasn't the case before I update your last PM3.
so this issue is also solved.

just a question, After watching your video, I saw you use a v1.1.0 version of mfu_magic, mine is only v1.0.5.
is last version it available ?

iceman · 2018-05-04 06:25:36

Ask your retailer if they have an updated script.

And also, I suggest you update your first post and add the prefix "solved" to your title.

Proxmark3 community

Announcement

#1 2018-05-03 19:15:08

[Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#2 2018-05-03 19:28:18

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#3 2018-05-03 19:42:35

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#4 2018-05-03 19:43:50

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#5 2018-05-03 19:48:14

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#6 2018-05-03 22:06:03

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#7 2018-05-03 22:34:28

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

#8 2018-05-04 06:25:36

Re: [Solved] can't change UID for NTAG21X (emulate NTAG216) from Lab401

Board footer