Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

  • Logged in as ikarus
  • Last visit: Today 11:22:42

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2021-04-06 21:30:09

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Mifare Ultralight EV1 1101 and 2101 blank cards:

I acquired a few MFUL1101 and MF0UL2101 at Piswords store on Ali Express.

They come with hf mfu info -> "Signature verification ( fail )" (see below for the full information)

I was hoping that this would go away when I restore a dump to a card. The dump was seemingly complete and it was also using the same password and it did have a valid signature. Unfortunately after restoring the dump, the signature error was not gone.

Actually everything in the clone card seems to be identical with the original card, except for the crypto key and signature part.

Is that normal or is this a deficiency of these cards?
Would the reader accept such clones or are the blank cards basically useless? I cannot test it because I will not be close to the reader for a very long time.

The original card:

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) 
[+]        UID: <redacted>
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 2F (ok)
[+]       BCC1: 38 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: 00 00 00 00  - 0000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: <redacted>
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: <redacted>
[+]        Signature verification ( successful )

[=] --- Tag Version
[=]        Raw bytes: <redacted>
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [16/0x10]: 00 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [17/0x11]: 00 05 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [18/0x12]: 00 00 00 00 - (cannot be read)
[=]   PACK [19/0x13]: 00 00       - (cannot be read)
[=]   RFU  [19/0x13]:       00 00 - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF  pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------


hf mfu dump -k ffffffff
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) 
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | <redacted>
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | <redacted>
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | BD
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | BD
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | BD
[=] Max data page | 18 (76 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
redacted
[=] ---------------------------------
[=] Using UID as filename
[+] saved 136 bytes to binary file hf-mfu-redacted-dump-1.bin
[+] saved to json file hf-mfu-redacted-dump-1.json


A blank 1101 card:

hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) 
[+]        UID: re da ct ed re da ct
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 08 (ok)
[+]       BCC1: EF (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: 00 00 00 00  - 0000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: <redacted>
[+]        Signature verification ( fail )

[=] --- Tag Version
[=]        Raw bytes: <redacted>
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [16/0x10]: 04 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [17/0x11]: 00 00 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 00, Virtual Card Type Identifier is not default
[=]   PWD  [18/0x12]: 00 00 00 00 - (cannot be read)
[=]   PACK [19/0x13]: 00 00       - (cannot be read)
[=]   RFU  [19/0x13]:       00 00 - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF  pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

A blank 2101 card:

hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101) 
[+]        UID: <redacted>
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 08 (ok)
[+]       BCC1: AC (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: 00 00 00 00  - 0000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: <redacted>
[+]        Signature verification ( fail )

[=] --- Tag Version
[=]        Raw bytes: <redacted>
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0E, (128 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [37/0x25]: 04 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [38/0x26]: 00 00 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 00, Virtual Card Type Identifier is not default
[=]   PWD  [39/0x27]: 00 00 00 00 - (cannot be read)
[=]   PACK [40/0x28]: 00 00       - (cannot be read)
[=]   RFU  [40/0x28]:       00 00 - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF  pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------


hf mfu restore -f hf-mfu-redacted-dump.bin -k ffffffff -s
[+] loaded 136 bytes from binary file hf-mfu-redacted-dump.bin
[=] Restoring hf-mfu-redacted-dump.bin to card
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | redacted
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | redacted
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | BD
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | BD
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | BD
[=] Max data page | 18 (76 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
redacted
[=] ---------------------------------
[=] Restoring data blocks.
[=] ............
[=] Restoring configuration blocks.

[=] authentication with keytype[2]  FF FF FF FF

[=] special block written 3

[=] special block written 0

[=] special block written 1

[=] special block written 2

[=] special block written 15

[=] special block written 16

[=] special block written 17

[=] Restore finished
[fpc] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) 
[+]        UID: matches original UID
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 2F (ok)
[+]       BCC1: 38 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: 00 00 00 00  - 0000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: <redacted>
[+]        Signature verification ( fail )

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0B 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [16/0x10]: 00 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [17/0x11]: 00 05 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [18/0x12]: 00 00 00 00 - (cannot be read)
[=]   PACK [19/0x13]: 00 00       - (cannot be read)
[=]   RFU  [19/0x13]:       00 00 - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF  pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

Last edited by zeppi (2021-04-06 21:48:47)

Offline

Quick reply

Write your message and submit

Board footer

Powered by FluxBB