Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Just to give a teaser, but the current output from "hf mfu info" looks like this:
Tested tags: UL-Ev1, UL-C (magic), UL, UL (magic), NTAG 216, NTAG 213, my-d move
- detection works pretty good now. @marshmellow also added a call from "hf 14a read" to benefit from the detection.
- added a help text
- added possibilty to use authentication key
pm3 --> hf mfu i h
It gathers information about the tag and tries to detect what kind it is.
Sometimes the tags are locked down, and you may need a key to be able to read the information
The following tags can be identified:
Ultralight, Ultralight-C, Ultralight EV1
NTAG 213, NTAG 215, NTAG 216
my-d, my-d NFC, my-d move, my-d move NFC
Usage: hf mfu info k <key>
Options :
k <key> : key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]
sample : hf mfu info
: hf mfu info k 11223344
ULTRALIGHT EV1
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
UID : 04 B7 80 9A F8 38 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : BB, Ok
BCC1 : DA, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00
--- UL-EV1 Counters
[0] : 00 00 00
- BD tearing Ok
[1] : 00 00 00
- BD tearing Ok
[2] : 00 00 00
- BD tearing Ok
--- UL-EV1 Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : D8 50 05 90 9A DA B6 E0 EF 5D 0D F2 9C BF 9E FC 03 E2 F1 36 CA 54 23 7E 80 0B FA DB 4B 9A AA 16
--- UL-EV1 Configuration
cfg0 [16/0x10]: 00 00 00 FF
- pages don't need authentication
- strong modulation mode disabled
cfg1 [17/0x11]: 00 05 00 00
- Unlimited password attempts
- user configuration writeable
- write access is protected with password
05 - Virtual Card Type Identifier is default
PWD [18/0x12]: 00 00 00 00
PACK [19/0x13]: 00 00 00 00
--- UL-EV1 / NTAG Version
Raw bytes : 00 04 03 01 01 00 0B 03
Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
Product type : 03, Ultralight
Product subtype : 01, 17 pF
Major version : 01
Minor version : 00
Size : 0B (64 <-> 32 bytes)
Protocol type : 03
--- Trying some known EV1/NTAG passwords.
Found default password: ff ff ff ff
Got PACK : 00 00 a0 1e
ULTRALIGHT (magic)
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight (MF0ICU1)
UID : 04 11 22 33 44 55 66
UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 0xBF - Ok
BCC1 : 0x44 - Ok
Internal : 0x00 - not default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00
ULTRALIGHT (normal)
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight (MF0ICU1)
UID : 04 46 ad 62 83 34 80
UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 0x67 - Ok
BCC1 : 0x55 - Ok
Internal : 0x48 - default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00
ULTRALIGHT-C (magic)
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
UID : 04 11 22 33 44 55 66
UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 0xBF - Ok
BCC1 : 0x44 - Ok
Internal : 0x48 - default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00
--- UL-C Configuration
Higher Lockbits [40/0x28]: 00 00 00 00 0000000000000000
Counter [41/0x29]: 00 00 00 00 0000000000000000
Auth0 [42/0x2A]: 30 00 00 00 - Pages above 48 needs authentication
Auth1 [43/0x2B]: 01 00 00 00 - write access restricted
deskey1 [44/0x2C]: 77 66 55 44
deskey1 [45/0x2D]: 33 22 11 00
deskey2 [46/0x2E]: ff ee dd cc
deskey2 [47/0x2F]: bb aa 99 88
3des key : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
----------------
----------------
SAMPLE calling without authentication key
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
UID : 00 00 00 00 00 00 00
UID[0] : 00, Manufacturer: no tag-info available
BCC0 : 00, crc should be 88
BCC1 : 00, Ok
Internal : 00, not default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00
--- UL-EV1 Counters
[0] : 00 00 00
- 00 tearing failure
[1] : 00 00 00
- 00 tearing failure
[2] : 00 00 00
- 00 tearing failure
Error: tag didn't answer to READ SIGNATURE
SAMPLE calling with authentication key.
pm3 --> hf mfu i k 4af84b19
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
UID : 04 57 B6 E2 05 3F 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 6D, Ok
BCC1 : 58, Ok
Internal : 48, default
Lock : 70 00 - 0000000001110000
OneTimePad : 00 00 00 00
--- UL-EV1 Counters
[0] : 09 00 00
- BD tearing Ok
[1] : 09 00 00
- BD tearing Ok
[2] : 00 00 00
- BD tearing Ok
--- UL-EV1 Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 79 69 D1 13 02 85 CB CE 8E AB 68 C9 BB D7 67 49 0A 41 4F 0D FA 4C 7F CD 9F 0A A0 B7 89 4A C3 3E
--- UL-EV1 Configuration
cfg0 [16/0x10]: 00 00 00 00
- pages above 0 needs authentication
- strong modulation mode disabled
cfg1 [17/0x11]: C0 05 00 00
- Unlimited password attempts
- user configuration permanently locked
- read and write access is protected with password
05 - Virtual Card Type Identifier is default
PWD [18/0x12]: 00 00 00 00
PACK [19/0x13]: 00 00 00 00
--- UL-EV1 / NTAG Version
Raw bytes : 00 04 03 01 01 00 0B 03
Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
Product type : 03, Ultralight
Product subtype : 01, 17 pF
Major version : 01
Minor version : 00
Size : 0B (64 <-> 32 bytes)
Protocol type : 03
Last edited by iceman (2015-05-25 10:19:48)
And thanks to @Marshmellow and @Asper, there is even more tags identified.
When all is done, it will detect:
Ultralight *
Ultralight-C *
Ultralight-EV1 (48)
Ultralight-EV1 (128)
NTAG 213
NTAG 215
NTAG 216
MY-D
MY-D NFC
MY-D MOVE
MY-D MOVE NFC
* also special test to detect if tag is UID changeable
Last edited by iceman (2015-05-11 19:35:35)
I talked with @Mashmellow, and we both agree that its time to make a PR and get it all into PM3 master now.
After that is done, we will start fixing "hf mfu read/write" then the "hf mfu" commands is done with its remake.
Kind of nice that we got both kinds of authentication UL-C (0x1A) && ULEV1/NTAG (0x1B) into this makeover.
Summary of new stuff:
Ultralight Specific: (mostly iceman's contributions)
New Commands:
hf mfu setpwd <pwd (32 hex symbols)> - Set 3des password - Ultralight-C
hf mfu setuid <uid (14 hex symbols)> - Set UID - MAGIC tags only
hf mfu gen - Generate 3des mifare diversified keys (testing)
Modified Commands:
hf mfu rdbl b <block number> k <key> l - Read block any UL / NTAG
hf mfu wrbl b <block number> k <key> l - Write block any UL / NTAG
hf mfu dump k <key> n <filename> l - Dump Ultralight / Ultralight-C / NTAG / MY-D tag to binary file and screen
hf mfu info k <key> - Get Tag information
Works With:
Mifare Ultralight
Mifare Ultralight C
Mifare Ultralight EV1
NTAG 203
NTAG 210
NTAG 212
NTAG 213
NTAG 215
NTAG 216
NTAG I2C
INFINEON MY_D(tm)
INFINEON MY_D(tm) NFC
INFINEON MY_D(tm) Move
INFINEON MY_D(tm) Move Lean
INFINEON MY_D(tm) Move NFC
Removed duplicate commands:
hf mfu crdbl
hf mfu cwrbl
also included:
hf search - search for valid HF tags (14a/MF, iclass, 15693)
still needed:
hf mfu ... - allow key diversifications
hf search - add 14b tags to search
Last edited by marshmellow (2015-06-05 04:32:46)
sorry... missed the protocols.h file in a previous commit.... all fixed..
@Asper just told me that NTAG203 is not identified. Which seems to be a hard tag to seperate from UL ..
It has the same atqa & sak, and doesn't have a GET_VERSION command,.. it does have a NDEF CC message..
@asper, on the ntag 203 can you do a:
hf mfu dump q 46
a couple times and tell me what the last page it ever reads is?
thanks.
Last edited by marshmellow (2015-05-19 22:49:58)
Tested at various distances (tag<->antenna); here is the log.
They seems to be 29(hex).
Last edited by asper (2015-05-19 23:35:25)
As I expected. I don't suppose you could post the trace? I'm curious what NAK on the higher blocks is.
Edit: never mind the NAK was 00... It is in the output
Last edited by marshmellow (2015-05-20 00:36:24)
@asper, i pushed a patch, can you see if it correctly identifies the ntag203 now?
They will also be in my fork in 5 min
That's good Marsh!
if only I could put so much effort into , say something like getting the diversification of keys correct or figuring out a key-gen-algo... instead of correctly identifying tags....
Well, when the SHA-1 comes into the PM3, then another toy token will be able to get dumped
ok maybe a little longer than 5 minutes. had a few bugs to work out. but posted now.
@ice (with your compiled build+firmware flashed):
pm3 --> hf 14a raw -s -c 1b00000000
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
@marsh (with iceman build with his firmware flashed):
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : Unknown 000000
UID : 04 F2 6E E2 0D 29 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : E1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: E1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
pm3 -->
Last edited by asper (2015-05-21 14:08:54)
With your (marshmellow) client (without reflashing iceman's firmware):
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : Unknown 000000
UID : 04 f2 6e e2 0d 29 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : e1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: e1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
proxmark3>
proxmark3> hf list 14a
Recorded Activity (TraceLen = 175 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 44 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16564 | Tag | 88 04 f2 6e 10 | |
18688 | 29216 | Rdr | 93 70 88 04 f2 6e 10 4d ad | | SELECT_UID
30388 | 33908 | Tag | 04 da 17 | |
35200 | 37664 | Rdr | 95 20 | | ANTICOLL-2
38836 | 44724 | Tag | e2 0d 29 80 46 | |
46848 | 57312 | Rdr | 95 70 e2 0d 29 80 46 6b 03 | | ANTICOLL-2
58548 | 62132 | Tag | 00 fe 51 | |
469376 | 474144 | Rdr | 30 00 02 a8 | | READBLOCK(0)
475316 | 496116 | Tag | 04 f2 6e 10 e2 0d 29 80 46 48 00 00 e1 10 12 00 | |
| | | 73 47 | |
proxmark3>
NOTE: the above tag is the NTAG203.
Last edited by asper (2015-05-21 14:09:13)
This is an mfu info of ntag216 and ntag213:
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
UID : 04 37 9f aa 16 3c 81
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 24, Ok
BCC1 : 01, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : e1 10 6d 00 - 00000000011011010001000011100001
--- NDEF Message
Capability Container: e1 10 6d 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
6D : Physical Memory Size: 880 bytes
6D : NDEF Memory Size: 872 bytes
00 : Read access granted without any security / Write access granted without any security
--- Tag Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 96 84 64 91 6c f5 19 27 ce 4f a9 1b 3b c9 fa d1 9b d5 bf 1f fe ae e8 61 97 9f 3e 2a 67 74 c7 60
--- Tag Version
Raw bytes : 00 04 04 02 01 00 13 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 13 (1024 <-> 512 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [16/0x10] : 04 00 00 ff
- pages don't need authentication
- strong modulation mode disabled
cfg1 [17/0x11] : 00 05 00 00
- Unlimited password attempts
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [18/0x12] : 00 00 00 00
PACK [19/0x13] : 00 00 00 00
--- Known EV1/NTAG passwords.
Found a default password: ff ff ff ff || Pack: 00 00
proxmark3>
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 213 144bytes (NT2H1311G0DU)
UID : 04 c4 37 32 a1 3e 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 7F, Ok
BCC1 : 2D, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : e1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: e1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
--- Tag Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 2f 27 66 0a d9 cf f6 67 df a0 c8 55 c0 b1 92 d4 58 f3 6b 1c 69 80 34 ca a5 eb 16 0b 30 49 1e 81
--- Tag Version
Raw bytes : 00 04 04 02 01 00 0f 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 0F (256 <-> 128 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [16/0x10] : 04 00 00 ff
- pages don't need authentication
- strong modulation mode disabled
cfg1 [17/0x11] : 00 05 00 00
- Unlimited password attempts
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [18/0x12] : 00 00 00 00
PACK [19/0x13] : 00 00 00 00
--- Known EV1/NTAG passwords.
Found a default password: ff ff ff ff || Pack: 00 00
proxmark3>
pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 -->
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : Unknown 000000
UID : 04 F2 6E E2 0D 29 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : E1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: E1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
pm3 -->
Last edited by asper (2015-05-21 15:38:17)
Yeah:
pm3 --> hf 14a raw -s -c 60
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 69
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 73
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 99
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c FF
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
oy.. there is a bug in the ntag203 detection. i am reading block 30 instead of 0x30 to find the end of the memory...
just fixed it in my fork
Yeah:
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 203 144bytes (NT2H0301F0DT)
UID : 04 F2 6E E2 0D 29 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : E1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: E1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
pm3 -->
Sweet...
our info command now can detect things nxp's tag info can't. a locked UL_C card shows as an UL in nxp's tag info, but shows correctly in ours
TagInfo on read/write locked tag
** TagInfo scan (version 3.0) 2015-05-22 11:27:54 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE Ultralight (MF0ICU1)
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 46 bytes
-- EXTRA ------------------------------
# Memory size:
64 bytes total memory
* 16 pages, with 4 bytes per page
* 48 bytes user memory (12 pages)
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms
# Detailed protocol information:
ID: 04:09:A9:7A:E0:2B:80
ATQA: 0x4400
SAK: 0x00
--------------------------------------
hf mfu info of same tag:
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) [2]
UID : 04 09 a9 7a e0 2b 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 2C - Ok
BCC1 : 31 - Ok
Internal : 48 - default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00 - 00000000000000000000000000000000
Trying some default 3des keys
#db# NAK - Authentication failed.
#db# Cmd Error: 00
#db# Authentication failed
#db# NAK - Authentication failed.
#db# Cmd Error: 00
#db# Authentication failed
#db# NAK - Authentication failed.
#db# Cmd Error: 00
#db# Authentication failed
Found default 3des key:
deskey1 [44/0x2C]: 42 52 45 41 [BREA]
deskey1 [45/0x2D]: 4b 4d 45 49 [KMEI]
deskey2 [46/0x2E]: 46 59 4f 55 [FYOU]
deskey2 [47/0x2F]: 43 41 4e 21 [CAN!]
3des key : 49 45 4d 4b 41 45 52 42 21 4e 41 43 55 4f 59 46
Tag appears to be locked, try using the key to get more info
TagInfo on tag before locked:
** TagInfo scan (version 3.0) 2015-04-28 12:33:55 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE Ultralight C (MF0ICU2)
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 137 bytes
-- EXTRA ------------------------------
# Memory size:
192 bytes total memory
* 48 pages, with 4 bytes per page
* 144 bytes user memory (36 pages)
# Authentication information:
Default sample key
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms
# Detailed protocol information:
ID: 04:09:A9:7A:E0:2B:80
ATQA: 0x4400
SAK: 0x00
# Memory content:
[00] * 04:09:A9 2C (UID0-UID2, BCC0)
[01] * 7A:E0:2B:80 (UID3-UID6)
[02] . 31 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] . 00:00:00:00 (OTP0-OTP3)
[04] . 02 00 00 10 |....|
[05] . 00 06 01 10 |....|
[06] . 11 FF 00 00 |....|
[07] . 00 00 00 00 |....|
[08] . 00 00 00 00 |....|
[09] . 00 00 00 00 |....|
[0A] . 00 00 00 00 |....|
[0B] . 00 00 00 00 |....|
[0C] . 00 00 00 00 |....|
[0D] . 00 00 00 00 |....|
[0E] . 00 00 00 00 |....|
[0F] . 00 00 00 00 |....|
[10] . 00 00 00 00 |....|
[11] . 00 00 00 00 |....|
[12] . 00 00 00 00 |....|
[13] . 00 00 00 00 |....|
[14] . 00 00 00 00 |....|
[15] . 00 00 00 00 |....|
[16] . 00 00 00 00 |....|
[17] . 00 00 00 00 |....|
[18] . 00 00 00 00 |....|
[19] . 00 00 00 00 |....|
[1A] . 00 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 00 00 00 00 |....|
[1D] . 00 00 00 00 |....|
[1E] . 00 00 00 00 |....|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 -- -- (LOCK2-LOCK3)
[29] . 00 00 -- -- (CNT0-CNT1, value: 0)
[2A] . 30 -- -- -- (AUTH0)
[2B] . 00 -- -- -- (AUTH1)
[2C] .- 42 52 45 41 |BREA|
[2D] .- 4B 4D 45 49 |KMEI|
[2E] .- 46 59 4F 55 |FYOU|
[2F] .- 43 41 4E 21 |CAN!|
*:locked & blocked, x:locked,
+:blocked, .:un(b)locked, ?:unknown
r:readable (write-protected),
p:password protected, -:write-only
P:password protected write-only
--------------------------------------
Last edited by marshmellow (2015-06-02 20:37:34)
added another one:
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : FUDAN Ultralight Compatible (or other compatible)
UID : 04 64 9d 1a 54 00 00
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 75, Ok
BCC1 : 4E, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00 - 00000000000000000000000000000000
Nope, just an attempt to pass as a true UL. And it does fool just about every reader I know. Except the pm3 now
But it doesn't have all the same error responses as the original.
00 error instead of 01 error to crc error. I believe there are other imitations that have a similar issue which is why I labelled it or other compatible
Last edited by marshmellow (2015-06-19 15:19:29)
But I know the tags I'm testing are a fudan. If I find a better test I'll implement it.
@iceman, is this in your branch as well? I was running something trying to look at this and the command format looks a little different.
also, is there anything out there to brute force the 8 byte key or crack these for reading?