Research, development and trades concerning the powerful Proxmark3 device.
I've been looking into how to detect if a UL / UL-C tag is magic (i.e. UID changeable).
Together with Marshmellow, we found a way to detect UL-EV1 (both sizes), UL-C and UL tags quite well, and implemented these "tricks" in the "HF MFU INFO" command.
However, the magic test is harder. So far I noticed that the nonce on a UL-C Magic tag (when requesting an AUTH (0x1A)) stays the same. So the procedure to detect a UL-C (magic) is to do two auth requests and see if the nonce is the same.
Here is the current problem, we don't have a way to detect if a UL tag is magic.
One way would be read block 0, try write block 0, (if success, then magic) re-write the old block 0.
However, this is a doubtful way of detecting it, since it means actually changing the UID.
What does the community suggest? Is there a good way of detection?
Last edited by iceman (2015-05-25 10:20:12)
Change the UID with a specific rule (example: UID+1) so that the original old value can be determined even if the owner doesn't know it and the procedure somehow goes wrong.
Other way: study the magic tag's timing when answering specific commands; it can be different from original NXP tags (needs some tests on original cards).
Also Ultralight EV1 has the signature feature (AN11349.pdf page 20). I do not have the command set right here but this can be a method to identify it. Here is a specific thread.
Last edited by asper (2015-05-01 22:01:58)
I think I found it.
----------------------
I did look at a UL magic test, and when I fiddled around I kind of got a solution (better than the one which is presently implemented).
If I send a "0xA0" read, which is a comp_write thingy that works in two steps, sending packages. However, when I was looking at it, I didn't realise it needed two steps..
But the interesting part is the different answers to this request. With just one minor request, we can detect if a tag is MAGIC or not super easily. And it's the same for a UL-C MAGIC.. But I haven't tested it against a proper UL-C.
UL MAGIC tag
pm3 --> hf 14a raw -s -c a000
received 7 octets
05 01 02 05 06 07 08
received 1 octets
0A ---->> ACK
Normal UL tag
pm3 --> hf 14a raw -s -c a000
received 7 octets
04 46 AD 62 83 34 80
received 1 octets
00 --->> NACK
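The two checks described in this thread (the repeated-nonce test on AUTH 0x1A from the first post, and the ACK/NACK answer to the first COMPATIBILITY_WRITE frame `A0 00` from the post above) expressed as decision logic, as an added example that is not iceman's code nor part of the proxmark3 client. It assumes a `transceive(frame) -> reply` callback that behaves like `hf 14a raw -s -c` (fresh select per call, CRC handled by the reader). The simulated tags are constructed from the reply bytes quoted in the thread; the behaviour of a genuine UL-C on the `A0 00` frame is untested per the post and is an assumption here.

```python
"""Magic UL / UL-C detection logic built from the two observations in this thread.

Constructed example: the SimTag replies mirror the bytes quoted above
(0x0A = ACK from the magic tag, 0x00 = NACK from the genuine UL); the genuine
UL-C behaviour on a block-0 COMPATIBILITY_WRITE is assumed, not captured.
"""
import os
from dataclasses import dataclass
from typing import Callable, Optional

ACK = bytes([0x0A])    # ISO14443-3 4-bit ACK as the pm3 client prints it
NACK = bytes([0x00])   # the NACK code seen from the genuine UL in the thread

CMD_COMP_WRITE = 0xA0  # Ultralight COMPATIBILITY_WRITE, first frame: A0 <page>
CMD_AUTH = 0x1A        # Ultralight C AUTHENTICATE part 1: 1A 00

Transceive = Callable[[bytes], bytes]


def block0_write_acked(transceive: Transceive) -> bool:
    """Send only the first COMPATIBILITY_WRITE frame for page 0 (the UID page).

    A genuine UL NACKs because page 0 is read-only; the magic tag ACKs.
    No data frame follows, so nothing is written on either kind of tag.
    """
    return transceive(bytes([CMD_COMP_WRITE, 0x00])) == ACK


def auth_nonce_repeats(transceive: Transceive) -> Optional[bool]:
    """Request AUTHENTICATE twice and compare the 8-byte challenges.

    Returns None when the tag does not answer AUTH at all (plain UL / NACK),
    True when both challenges are identical (the magic UL-C symptom),
    False when the tag produced fresh randomness each time.
    """
    nonces = []
    for _ in range(2):
        reply = transceive(bytes([CMD_AUTH, 0x00]))  # each call re-selects, like -s
        if len(reply) != 9 or reply[0] != 0xAF:
            return None
        nonces.append(reply[1:])
    return nonces[0] == nonces[1]


def classify(transceive: Transceive) -> str:
    """Combine both checks into one verdict."""
    writable = block0_write_acked(transceive)
    repeats = auth_nonce_repeats(transceive)
    if writable and repeats:
        return "magic UL-C"
    if writable:
        return "magic UL"
    if repeats is None:
        return "UL"
    return "UL-C"


@dataclass
class SimTag:
    """Constructed stand-in for a tag on the reader; not a real capture."""
    block0_writable: bool          # magic tags accept a write to page 0
    supports_auth: bool            # UL-C (genuine or magic) answers 0x1A
    fixed_nonce: Optional[bytes]   # magic UL-C: constant; genuine: None -> random

    def transceive(self, frame: bytes) -> bytes:
        cmd = frame[0]
        if cmd == CMD_COMP_WRITE:
            # user pages (4 and up) are writable on every tag; page 0 only on magic
            return ACK if (self.block0_writable or frame[1] >= 4) else NACK
        if cmd == CMD_AUTH and self.supports_auth:
            nonce = self.fixed_nonce if self.fixed_nonce is not None else os.urandom(8)
            return bytes([0xAF]) + nonce
        return NACK


MAGIC_UL = SimTag(block0_writable=True, supports_auth=False, fixed_nonce=None)
MAGIC_ULC = SimTag(block0_writable=True, supports_auth=True, fixed_nonce=bytes(range(8)))
GENUINE_UL = SimTag(block0_writable=False, supports_auth=False, fixed_nonce=None)
GENUINE_ULC = SimTag(block0_writable=False, supports_auth=True, fixed_nonce=None)  # assumed


if __name__ == "__main__":
    for name, tag in [("magic UL", MAGIC_UL), ("magic UL-C", MAGIC_ULC),
                      ("genuine UL", GENUINE_UL), ("genuine UL-C", GENUINE_ULC)]:
        print(f"{name:14s} -> {classify(tag.transceive)}")
```

Against real hardware the `transceive` callback would wrap the client's raw 14a command; the point of the simulation is only to make the decision table explicit: ACK on `A0 00` alone says "magic", and the repeating AUTH challenge separates a magic UL-C from a magic UL.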
Mine is a normal EV1 tag
proxmark3> hf 14a raw -c -p -s 1b 33 6b a1 19
received 7 octets
04 BD 25 E2 05 3F 80
received 4 octets
9C 2D BA 54
proxmark3>
proxmark3> hf 14a raw -c a000
received 1 octets
00
Does a magic Ultralight EV1 exist?
I never heard of a magic ultralight ev1.
There is little money in making a tag magic, for obvious reasons. A tag needs to be well spread for the interest to rise.. or pay the money. There is another thread on the forum about it.
In your case you must start collecting UID/pwd pairs (simulating and sniffing) and see if you can figure out the pwd diversification algo..
cool,
However, can you keep to the right thread? This one is about Magic detection on UL/ULC.
I started a new thread for you
http://www.proxmark.org/forum/viewtopic.php?id=2445
Last edited by iceman (2015-05-07 21:13:45)