Proxmark3 community

#1 2021-08-08 15:42:39

MaBi
Contributor
Registered: 2016-11-06
Posts: 24

Next step with MIFARE Ultralight and no keys

Hi! I'm trying to explore inside my car wash card but I can't find any valid key.

hw versio command:

[usb] pm3 --> hw versio

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 13:32:40
  compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 13:32:26
       os: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 13:32:34
  compiled with GCC 10.1.0

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

hf search command:

[usb] pm3 --> hf search
[-] Searching for ISO14443-A tag...
[+]  UID: 04 7F 27 C2 9C 4C 80
[+] ATQA: 00 44
[+]  SAK: 00 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Ultralight
[+]    MIFARE Ultralight C
[+]    MIFARE Ultralight EV1
[+]    MIFARE Ultralight Nano
[+]    MIFARE Hospitality
[+]    NTAG 2xx
[=] proprietary non iso14443-4 card found, RATS not supported
[?] Hint: try `hf mfu info`


[+] Valid ISO 14443-A tag found

hf mfu info command:

[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight (MF0ICU1)
[+]        UID: 04 7F 27 C2 9C 4C 80
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: D4 (ok)
[+]       BCC1: 92 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 09 00  - 90
[+] OneTimePad: F3 13 10 A3  - #C@Ë
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

hf mf chk --1k -f mfc_default_keys command:

[usb] pm3 --> hf mf chk --1k -f mfc_default_keys
[+] Loaded 1142 keys from mfc_default_keys
[=] Start check for keys...
[=] ............................................................................
................................................................................
................................................................................
................................................................................
................................................................................
.....................................................
[=] time in checkkeys 559 seconds

[=] testing to read key B...

[+] found keys:

[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A          |res| key B          |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ------------   | 0 | ------------   | 0 |
[+] | 001 | ------------   | 0 | ------------   | 0 |
[+] | 002 | ------------   | 0 | ------------   | 0 |
[+] | 003 | ------------   | 0 | ------------   | 0 |
[+] | 004 | ------------   | 0 | ------------   | 0 |
[+] | 005 | ------------   | 0 | ------------   | 0 |
[+] | 006 | ------------   | 0 | ------------   | 0 |
[+] | 007 | ------------   | 0 | ------------   | 0 |
[+] | 008 | ------------   | 0 | ------------   | 0 |
[+] | 009 | ------------   | 0 | ------------   | 0 |
[+] | 010 | ------------   | 0 | ------------   | 0 |
[+] | 011 | ------------   | 0 | ------------   | 0 |
[+] | 012 | ------------   | 0 | ------------   | 0 |
[+] | 013 | ------------   | 0 | ------------   | 0 |
[+] | 014 | ------------   | 0 | ------------   | 0 |
[+] | 015 | ------------   | 0 | ------------   | 0 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )

Unfortunately no keys were found.



hf mfu dump -k FFFFFFFF command:

[usb] pm3 -->  hf mfu dump -k FFFFFFFF
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 00 00 00 00 00 00 00
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | 00
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | 00
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 7F 27 D4 |   | ..'.
[=]   1/0x01 | C2 9C 4C 80 |   | ..L.
[=]   2/0x02 | 92 48 09 00 |   | .H..
[=]   3/0x03 | F3 13 10 A3 | 1 | ....
[=]   4/0x04 | 01 01 C8 00 | 0 | ....
[=]   5/0x05 | 03 00 0C 0F | 0 | ....
[=]   6/0x06 | 02 00 0A 08 | 0 | ....
[=]   7/0x07 | 00 00 00 00 | 0 | ....
[=]   8/0x08 | D0 07 01 17 | 0 | ....
[=]   9/0x09 | 92 0E 00 5D | 0 | ...]
[=]  10/0x0A | 6C 07 01 97 | 0 | l...
[=]  11/0x0B | D2 0E 00 21 | 0 | ...!
[=]  12/0x0C | 08 07 01 97 | 0 | ....
[=]  13/0x0D | 32 0F 00 A4 | 0 | 2...
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file hf-mfu-047F27C29C4C80-dump-3.bin
[+] saved to json file hf-mfu-047F27C29C4C80-dump-3.json

hf list command:

[usb] pm3 --> hf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 145 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer

      Start |        End | Src | Data (! denotes parity error)
                         | CRC | Annotation
------------+------------+-----+------------------------------------------------
-------------------------+-----+--------------------
          0 |        992 | Rdr |52
                         |     |
       2100 |       4468 | Tag |44  00
                         |     |
       7040 |       9504 | Rdr |93  20
                         |     |
      10548 |      16372 | Tag |88  04  7f  27  d4
                         |     |
      19072 |      29600 | Rdr |93  70  88  04  7f  27  d4  88  4f
                         |     |
      30644 |      34164 | Tag |04  da  17
                         |     |
      35584 |      38048 | Rdr |95  20
                         |     |
      39092 |      44980 | Tag |c2  9c  4c  80  92
                         |     |
      47616 |      58144 | Rdr |95  70  c2  9c  4c  80  92  d7  3d
                         |     |
      59188 |      62772 | Tag |00  fe  51
                         |     |
     347136 |     350752 | Rdr |60  f8  32
                         |     |


Which is the next step for me? What can I do now?
I have no idea...

Many thanks


#2 2021-08-08 17:54:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Next step with MIFARE Ultralight and no keys

Maybe read a datasheet about MIFARE Ultralight?
And maybe start looking at the data you dump to file?


#3 2021-08-09 05:36:50

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: Next step with MIFARE Ultralight and no keys

LOL Pal, you have already successfully got the dump file hf-mfu-047F27C29C4C80-dump-3.bin

now the question is what kind of magic ultralight card to write to

Last edited by yukihama (2021-08-09 05:37:03)


#4 2021-08-11 21:47:12

MaBi
Contributor
Registered: 2016-11-06
Posts: 24

Re: Next step with MIFARE Ultralight and no keys

iceman wrote:

Maybe read a datasheet about MIFARE Ultralight?
And maybe start looking at the data you dump to file?

Yes, you are right. I realize I probably didn't explain myself well...

I started to analyze the data and compare different dumps to understand the byte values.
I have found that it is an easy scheme. The last 4 operations are stored from page 8 onwards (8-9 | 10-11 | 12-13 | 14-15).
2 bytes for credit, day, fixed value (0x97), 4 bytes still to be interpreted (probably date or time).
The indexes of the last two operations are alternately stored at Byte 1 page 5 and Byte 1 page 6.


I was wrong about the dump command because I believed that without a correct key I couldn't obtain a valid dump and I couldn't restore a dump file either...


yukihama wrote:

LOL Pal, you have already successfully got the dump file hf-mfu-047F27C29C4C80-dump-3.bin

Yes!! Many thanks


#5 2021-09-10 20:20:39

MaBi
Contributor
Registered: 2016-11-06
Posts: 24

Re: Next step with MIFARE Ultralight and no keys

I'm continuing to study data scheme...
I don't understand why I can't restore a dump file completely.

[usb] pm3 --> hf mfu restore -f 1800.bin
[+] loaded 120 bytes from binary file 1800.bin
[=] Restoring 1800.bin to card
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 00 00 00 00 00 00 00
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | 00
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | 00
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 7F 27 D4 |   | ..'.
[=]   1/0x01 | C2 9C 4C 80 |   | ..L.
[=]   2/0x02 | 92 48 09 00 |   | .H..
[=]   3/0x03 | F3 13 10 A3 | 1 | ....
[=]   4/0x04 | 01 01 C8 00 | 0 | ....
[=]   5/0x05 | 03 00 0C 0F | 0 | ....
[=]   6/0x06 | 02 00 0A 08 | 0 | ....
[=]   7/0x07 | 00 00 00 00 | 0 | ....
[=]   8/0x08 | D0 07 01 17 | 0 | ....
[=]   9/0x09 | 92 0E 00 5D | 0 | ...]
[=]  10/0x0A | 6C 07 01 97 | 0 | l...
[=]  11/0x0B | D2 0E 00 21 | 0 | ...!
[=]  12/0x0C | 08 07 01 97 | 0 | ....
[=]  13/0x0D | 32 0F 00 A4 | 0 | 2...
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Restoring data blocks.
[=] ........
[=] Restore finished

Lock byte 0 = 9 ('0000 1001')
Lock byte 1 = 0 ('0000 0000')
The only locked page is the OTP page (0x03), but if I now try to read my card I can see that only the first 11 pages (0x00-0x10) have been restored:

[usb] pm3 --> hf mfu dump -f X.bin
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 00 00 00 00 00 00 00
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | 00
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | 00
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 7F 27 D4 |   | ..'.
[=]   1/0x01 | C2 9C 4C 80 |   | ..L.
[=]   2/0x02 | 92 48 09 00 |   | .H..
[=]   3/0x03 | F3 13 10 A3 | 1 | ....
[=]   4/0x04 | 01 01 C8 00 | 0 | ....
[=]   5/0x05 | 03 00 0C 0F | 0 | ....
[=]   6/0x06 | 02 00 0A 08 | 0 | ....
[=]   7/0x07 | 00 00 00 00 | 0 | ....
[=]   8/0x08 | D0 07 01 17 | 0 | ....
[=]   9/0x09 | 92 0E 00 5D | 0 | ...]
[=]  10/0x0A | 6C 07 01 97 | 0 | l...
[=]  11/0x0B | 0B 0B 00 52 | 0 | ...R
[=]  12/0x0C | 78 05 1C 97 | 0 | x...
[=]  13/0x0D | 8B 0B 00 76 | 0 | ...v
[=]  14/0x0E | 14 05 21 97 | 0 | ..!.
[=]  15/0x0F | F4 09 00 5A | 0 | ...Z
[=] ---------------------------------
[+] saved 120 bytes to binary file X-6.bin
[+] saved to json file X.bin-6.json

Why?

Last edited by MaBi (2021-09-10 20:21:09)


#6 2021-09-12 20:40:22

MaBi
Contributor
Registered: 2016-11-06
Posts: 24

Re: Next step with MIFARE Ultralight and no keys

OK, I suppose it's a SW problem in the client (pm3).
I tried to write a single block with the relative command:

hf mfu wrbl -b 11 -dD20E0021

and I read again the card:

[usb] pm3 --> hf mfu dump -f X.bin
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 00 00 00 00 00 00 00
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | 00
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | 00
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 7F 27 D4 |   | ..'.
[=]   1/0x01 | C2 9C 4C 80 |   | ..L.
[=]   2/0x02 | 92 48 09 00 |   | .H..
[=]   3/0x03 | F3 13 10 A3 | 1 | ....
[=]   4/0x04 | 01 01 C8 00 | 0 | ....
[=]   5/0x05 | 03 00 0C 0F | 0 | ....
[=]   6/0x06 | 02 00 0A 08 | 0 | ....
[=]   7/0x07 | 00 00 00 00 | 0 | ....
[=]   8/0x08 | D0 07 01 17 | 0 | ....
[=]   9/0x09 | 92 0E 00 5D | 0 | ...]
[=]  10/0x0A | 6C 07 01 97 | 0 | l...
[=]  11/0x0B | D2 0E 00 21 | 0 | ...!
[=]  12/0x0C | 00 00 00 00 | 0 | ....
[=]  13/0x0D | 00 00 00 00 | 0 | ....
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------

Block number 11 is written now.
I don't understand why it can't write blocks from 11 to 15 when I use the restore command.


#7 2021-09-19 19:54:12

MaBi
Contributor
Registered: 2016-11-06
Posts: 24

Re: Next step with MIFARE Ultralight and no keys

Finally I have found the source of this problem.

File cmdhfmfu.c:

    // write all other data
    // Skip block 0,1,2,3 (only magic tags can write to them)
    // Skip last 5 blocks usually is configuration
    for (uint8_t b = 4; b < pages - 5; b++) {

        //Send write Block
        memcpy(data, mem->data + (b * 4), 4);
        clearCommandBuffer();
        SendCommandMIX(CMD_HF_MIFAREU_WRITEBL, b, keytype, 0, data, sizeof(data));
        wait4response(b);
        PrintAndLogEx(NORMAL, "." NOLF);
        fflush(stdout);
    }

// Skip last 5 blocks usually is configuration
In my case this isn't configuration but data. Maybe it would be better to insert a parameter that could indicate (or not) how many pages to skip from the last page...
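
The loop bounds quoted in post #7 and the lock bytes from post #5, checked against the thread's own dump values. This is an added example, not code from the Proxmark3 client or from the posters; `PAGES = 16`, the `skip_tail` parameter and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGES 16 /* assumption: 64 data bytes in the dump = 16 pages of 4 bytes */
/* Pages 0-15 of the file being restored (1800.bin), copied from the thread. */
static const uint8_t want[PAGES * 4] = {
    0x04,0x7F,0x27,0xD4, 0xC2,0x9C,0x4C,0x80, 0x92,0x48,0x09,0x00, 0xF3,0x13,0x10,0xA3,
    0x01,0x01,0xC8,0x00, 0x03,0x00,0x0C,0x0F, 0x02,0x00,0x0A,0x08, 0x00,0x00,0x00,0x00,
    0xD0,0x07,0x01,0x17, 0x92,0x0E,0x00,0x5D, 0x6C,0x07,0x01,0x97, 0xD2,0x0E,0x00,0x21,
    0x08,0x07,0x01,0x97, 0x32,0x0F,0x00,0xA4, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00};
/* Pages 11-15 as read back after the restore; pages 0-10 matched the file. */
static const uint8_t tail_after[5 * 4] = {
    0x0B,0x0B,0x00,0x52, 0x78,0x05,0x1C,0x97, 0x8B,0x0B,0x00,0x76,
    0x14,0x05,0x21,0x97, 0xF4,0x09,0x00,0x5A};
/* MF0ICU1 lock bits: lock byte 0 bit 3 = page 3 (OTP), bits 4-7 = pages 4-7,
   lock byte 1 bits 0-7 = pages 8-15. Byte 0 bits 0-2 only freeze lock bits. */
bool page_locked(uint8_t lock0, uint8_t lock1, int page) {
    if (page < 3 || page > 15) return false;
    return ((page < 8 ? lock0 >> page : lock1 >> (page - 8)) & 1) != 0;
}
/* Pages the quoted loop sends a write for: b = 4; b < pages - skip_tail. */
uint32_t attempted_mask(int pages, int skip_tail) {
    uint32_t m = 0;
    for (int b = 4; b < pages - skip_tail; b++) m |= 1u << b;
    return m;
}
/* Pages whose 4 bytes differ between two page images. */
uint32_t diff_mask(const uint8_t *a, const uint8_t *b, int pages) {
    uint32_t m = 0;
    for (int p = 0; p < pages; p++)
        if (memcmp(a + p * 4, b + p * 4, 4) != 0) m |= 1u << p;
    return m;
}

/* Observed mismatches that are unlocked and outside the loop's range. */
uint32_t skipped_by_loop(int skip_tail) {
    uint8_t got[PAGES * 4];
    memcpy(got, want, sizeof got);
    memcpy(got + 11 * 4, tail_after, sizeof tail_after);
    uint32_t m = diff_mask(want, got, PAGES) & ~attempted_mask(PAGES, skip_tail);
    for (int p = 0; p < PAGES; p++)
        if (page_locked(want[10], want[11], p)) m &= ~(1u << p);
    return m;
}
int main(void) {
    printf("0x%04X 0x%04X\n", (unsigned)skipped_by_loop(5), (unsigned)skipped_by_loop(0));
    return 0;
}
```

Each bit in the printed masks is a page number: with the hard-coded skip of 5, all five mismatched pages (11-15) fall outside the write loop and none of them is lock-protected, so the lock bytes are not the cause.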
