Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2023-09-04 19:51:53

AlanSbor
Contributor
Registered: 2023-08-28
Posts: 7

Mifare Ultralight Emulating ISO/IEC 14443 type A tag

Hi all.

Making a Mifare Ultralight card simulation

local json = require("dkjson")
print(json)

local os = require('os')
local sleep = os.sleep


local f = io.open("hf-mfu-04CF698A014A80-dump.json", "r")

local json_string = f:read("*all")

f:close()

local json_data = json.decode(json_string)

-- Extracting blocks of data

local blocks = json_data.blocks


-- Request date
print("Enter old date:")
print("Day:")
ex_day = io.read()

print("Month:")  
ex_month = io.read()

print("Year:")
ex_year = io.read()

--Let's convert to numbers
ex_day = tonumber(ex_day)
ex_month = tonumber(ex_month)
ex_year = tonumber(ex_year)

ex_day =  string.format("%02X", ex_day)
ex_month = string.format("%02X",ex_month)
-- Split year into 2 parts in HEX
year1 = string.format("%02X", math.floor(ex_year / 256))
year2 = string.format("%02X", ex_year % 256)

-- Displaying the date 
print("Old Date:")
print("Date: ",ex_day)
print("Month:",ex_month)
print("Year1:",year1)
print("Year2:",year2)

----------------------------------
--Write data
    --"6": "1308E507",
    --"7": "1606E707",
    --"8": "00000000",
    --"9": "00007817",
    --"10": "14000300",
    --"11": "1308E507",
    --"12": "1A07E707",
    --"13": "00000000",
    --"14": "0000B5B8",
	
-- in blocks 6 and 11 we write yesterday's date DD-MM-year2-year1
-- in blocks 7 and 12 we write today's date DD-MM-year2-year1
-- in blocks 9 and 14 we write enumeration (in a loop) data from 0x0000 to 0xFFFF

-- Update data in JSON
json_data.blocks["6"] = ex_day..ex_month..year2..year1
json_data.blocks["11"] = ex_day..ex_month..year2..year1
	
----------------------------------
-- Loading data into the simulator
--hf mfu eload -f hf-mfu-04CF698A014A80-dump.json
--wait until the emulator runs for 100ms

-- save the json file under the loop name 0000.json ... FFFF.json,
--hf mfu esave

-- change the data from 0x0000 to 0xFFFF in blocks 9 and 14, save the json file with the same name as it was.
-- go back to Loading data into the simulator

 
 -- Loop with block data update
for i = 0x0000, 0xF do

  --Data generation for blocks
  local data9 = string.format("%08X", i)
  local data14 = string.format("%08X", i)  
  
   
 -- Update JSON
  json_data.blocks["9"] = data9
  json_data.blocks["14"] = data14
  
 -- Save JSON to file
  local new_json = json.encode(json_data)
  local fname = string.format("%04X.json", i) 
  local f = io.open(fname, "w")
  f:write(new_json)
  f:close()
  
 -- Loading data into the emulator
  --os.execute("hf mfu eload -f " .. fname)
  core.console("hf mfu eload -f " .. fname)
  -- Card emulation
 --hf mfu sim -t 2 --uid 11223344556677
  
  core.console("hf mfu sim -t 2 --uid 04CF698A014A80")

--Press the relay contact and move on through the cycle
  
  print("Mogem rabobtat dalshe:",year2)
  
  -- Delay

  os.sleep(1)
  
  -- Saving JSON to file
  local new_json = json.encode(json_data)
  local fname1 = string.format("out_%04X.json", i) 
  local f = io.open(fname1, "w")
  f:write(new_json)
  f:close()
  
end
 
---------------

Here is such a code.

Enter old date:
Day:
25
Month:
02
Year:
2023
Old Date:
Date:   19
Month:  02
Year1:  07
Year2:  E7
[=] 255 blocks ( 1020 bytes ) to upload
[+] loaded from JSON file 0000.json
[=] detected new mfu dump format

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 14 ( 60 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 CF 69 2A |   | ..i*
[=]   1/0x01 | 8A 01 4A 80 |   | ..J.
[=]   2/0x02 | 41 48 00 00 |   | AH..
[=]   3/0x03 | 00 00 00 00 | 0 | ....
[=]   4/0x04 | 00 00 00 00 | 0 | ....
[=]   5/0x05 | 14 00 03 00 | 0 | ....
[=]   6/0x06 | 19 02 E7 07 | 0 | ....
[=]   7/0x07 | 16 06 E7 07 | 0 | ....
[=]   8/0x08 | 00 00 00 00 | 0 | ....
[=]   9/0x09 | 00 00 00 00 | 0 | ....
[=]  10/0x0A | 14 00 03 00 | 0 | ....
[=]  11/0x0B | 19 02 E7 07 | 0 | ....
[=]  12/0x0C | 1A 07 E7 07 | 0 | ....
[=]  13/0x0D | 00 00 00 00 | 0 | ....
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] MIFARE Ultralight override, will use 30 blocks ( 120 bytes )
[=] Uploading to emulator memory
[=] ...............................
[?] You are ready to simulate. See `hf mfu sim -h`
[=] Done!
[?] Try `hf mfu sim -t 7` to simulate an Amiibo.
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 CF 69 8A 01 4A 80 )
[=] Press pm3-button to abort simulation
[#] Emulator stopped. Trace length: 31

But it is impossible to emulate Mifare Ultralight. Please tell me what am I doing wrong?

Offline

#2 2023-09-05 09:26:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Mifare Ultralight Emulating ISO/IEC 14443 type A tag

maybe you should emulate Mifare Ultralight  and not Mifare Ultralight EV1 ?

Offline

#3 2023-09-05 18:18:57

AlanSbor
Contributor
Registered: 2023-08-28
Posts: 7

Re: Mifare Ultralight Emulating ISO/IEC 14443 type A tag

The description says to emulate with a deuce.
I do with a deuce

 core.console("hf mfu sim -t 2 --uid 04CF698A014A80")

My X-copy defines the label as Mifare Ultralight, but not as Mifare Ultralight EV1. Please tell me where I went wrong?

Is there an example where it is correctly described how to emulate exactly Mifare Ultralight?

[usb] pm3 --> hf mfu sim

Simulate MIFARE Ultralight family type based upon
ISO/IEC 14443 type A tag with 4,7 or 10 byte UID
from emulator memory.  See `hf mfu eload` first.
The UID from emulator memory will be used if not specified.
See `hf 14a sim -h` to see available types. You want 2 or 7 usually.

usage:
    hf mfu sim [-hv] -t <1..10>  [-u <hex>] [-n <dec>]

options:
    -h, --help                     This help
    -t, --type <1..10>             Simulation type to use
    -u, --uid <hex>                <4|7|10> hex bytes UID
    -n, --num <dec>                Exit simulation after <numreads> blocks. 0 = infinite
    -v, --verbose                  Verbose output

examples/notes:
    hf mfu sim -t 2 --uid 11223344556677             -> MIFARE Ultralight
    hf mfu sim -t 7 --uid 11223344556677 -n 5        -> MFU EV1 / NTAG 215 Amiibo
    hf mfu sim -t 7                                  -> MFU EV1 / NTAG 215 Amiibo

Offline

#4 2023-09-05 18:45:54

AlanSbor
Contributor
Registered: 2023-08-28
Posts: 7

Re: Mifare Ultralight Emulating ISO/IEC 14443 type A tag

Replaced the line

 core.console("hf mfu sim -t 2")

Everything worked, it is defined as Mifare Ultralight.

Offline

Board footer

Powered by FluxBB