Turns out that my Bose QuietComfort 35 headset has NFC capabilities.
Just take your smartphone, start up the NXP TagInfo app, and you can scan your headset.
It's a simple NTAG203 with an NDEF record.
So reading/writing/simulation is easy.
[usb] pm3 --> hf mfu in
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: NTAG 203 144bytes (NT2H0301F0DT)
[+] UID: 04 66 D6 5F 00 50 9C
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 3C (ok)
[+] BCC1: 93 (ok)
[+] Internal: 48 (default)
[+] Lock: 00 00 - 00
[+] OneTimePad: E1 10 12 00 - 2110
[=] --- NDEF Message
[+] Capability Container: E1 10 12 00
[+] E1: NDEF Magic Number
[+] 10: version 0.1 supported by tag
[+] : Read access granted without any security / Write access granted without any security
[+] 12: Physical Memory Size: 144 bytes
[+] 12: NDEF Memory Size: 144 bytes
[+] Additional feature information
[+] 00
[+] 00000000
[+] xxx - 00: RFU (ok)
[+] x - 00: don't support special frame
[+] x - 00: don't support lock block
[+] xx - 00: RFU (ok)
[+] x - 00: IC don't support multiple block reads
[usb] pm3 --> hf mfu ndef
[=] --- NDEF Message
[+] Capability Container: E1 10 12 00
[+] E1: NDEF Magic Number
[+] 10: version 0.1 supported by tag
[+] : Read access granted without any security / Write access granted without any security
[+] 12: Physical Memory Size: 144 bytes
[+] 12: NDEF Memory Size: 144 bytes
[+] Additional feature information
[+] 00
[+] 00000000
[+] xxx - 00: RFU (ok)
[+] x - 00: don't support special frame
[+] x - 00: don't support lock block
[+] xx - 00: RFU (ok)
[+] x - 00: IC don't support multiple block reads
[=] Tag reported size vs NDEF reported size mismatch. Using smallest value
[=]
[=] NDEF parsing
[=] -----------------------------------------------------
[+] Found NDEF message (67 bytes)
[+] Record 1
[=] -----------------------------------------------------
[=] Header:
[+] Message Begin: +
[+] Message End: +
[+] Chunk Flag: -
[+] Short Record Bit: +
[+] ID Len Present: +
[+] Type Name Format: [0x02] MIME Media Record
[+] Header length : 4
[+] Type length : 32
[+] Payload length : 30
[+] ID length : 1
[+] Record length : 67
[=] Type data:
00: 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e |application/vnd.
10: 62 6c 75 65 74 6f 6f 74 68 2e 65 70 2e 6f 6f 62 |bluetooth.ep.oob
[=] ID data:
00: 30 |0
[=] Payload data:
00: 1e 00 8f 08 00 0e 02 00 15 09 42 6f 73 65 20 51 |..........Bose Q
10: 75 69 65 74 43 6f 6d 66 6f 72 74 20 33 35 |uietComfort 35
[=] MIME Media Record
[=] -to be impl-
[=] -----------------------------------------------------
[+] -- NDEF Terminator. Done.
Dumping is no issue,
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 04 66 D6 3C | | .f.<
1/0x01 | 5F 00 50 9C | | _.P.
2/0x02 | 93 48 00 00 | | .H..
3/0x03 | E1 10 12 00 | 0 | ....
4/0x04 | 03 43 DA 20 | 0 | .C.
5/0x05 | 1E 01 61 70 | 0 | ..ap
6/0x06 | 70 6C 69 63 | 0 | plic
7/0x07 | 61 74 69 6F | 0 | atio
8/0x08 | 6E 2F 76 6E | 0 | n/vn
9/0x09 | 64 2E 62 6C | 0 | d.bl
10/0x0A | 75 65 74 6F | 0 | ueto
11/0x0B | 6F 74 68 2E | 0 | oth.
12/0x0C | 65 70 2E 6F | 0 | ep.o
13/0x0D | 6F 62 30 1E | 0 | ob0.
14/0x0E | 00 8F 08 00 | 0 | ....
15/0x0F | 0E 02 00 15 | 0 | ....
16/0x10 | 09 42 6F 73 | 0 | .Bos
17/0x11 | 65 20 51 75 | 0 | e Qu
18/0x12 | 69 65 74 43 | 0 | ietC
19/0x13 | 6F 6D 66 6F | 0 | omfo
20/0x14 | 72 74 20 33 | 0 | rt 3
21/0x15 | 35 FE 00 00 | 0 | 5...
22/0x16 | 00 00 00 00 | 0 | ....
23/0x17 | 00 00 00 00 | 0 | ....
24/0x18 | 00 00 00 00 | 0 | ....
25/0x19 | 00 00 00 00 | 0 | ....
26/0x1A | 00 00 00 00 | 0 | ....
27/0x1B | 00 00 00 00 | 0 | ....
28/0x1C | 00 00 00 00 | 0 | ....
29/0x1D | 00 00 00 00 | 0 | ....
30/0x1E | 00 00 00 00 | 0 | ....
31/0x1F | 00 00 00 00 | 0 | ....
32/0x20 | 00 00 00 00 | 0 | ....
33/0x21 | 00 00 00 00 | 0 | ....
34/0x22 | 00 00 00 00 | 0 | ....
35/0x23 | 00 00 00 00 | 0 | ....
36/0x24 | 00 00 00 00 | 0 | ....
37/0x25 | 00 00 00 00 | 0 | ....
38/0x26 | 00 00 00 00 | 0 | ....
39/0x27 | 00 00 00 00 | 0 | ....
40/0x28 | 00 00 00 00 | 0 | ....
41/0x29 | 00 00 00 00 | 0 | ....
---------------------------------
Writing is no issue,
[usb] pm3 --> hf mfu wrbl b 28 d 1ce1cebb
Block: 28 (0x1C) [ 1C E1 CE BB ]
[+] isOk:01
[usb] pm3 --> hf mfu rdbl b 28
Block# | Data | Ascii
-----------------------------
28/0x1C | 1C E1 CE BB | ....
Simulation is no issue,
hf mfu dump
script run dump2emul-mfu -i hf-mfu-0466D65F00509C-dump.bin -o hf-mfu-0466D65F00509C-dump.eml
hf mfu eload hf-mfu-0466D65F00509C-dump
hf 14a sim t 2
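
The `hf mfu ndef` output above leaves the MIME payload as "-to be impl-". The following is an added example, not part of the original post or the Proxmark3 client: it walks the Type 2 Tag TLVs in blocks 4..21 of the dump, parses the NDEF record, and decodes the `application/vnd.bluetooth.ep.oob` payload. It assumes the BR/EDR out-of-band layout (2-byte little-endian length, 6-byte little-endian device address, then EIR structures); the function names are the example's own.

```python
USER_PAGES = bytes.fromhex(  # added example; blocks 4..21 copied from the dump in the post
    "0343DA20 1E016170 706C6963 6174696F 6E2F766E 642E626C"
    "7565746F 6F74682E 65702E6F 6F62301E 008F0800 0E020015"
    "09426F73 65205175 69657443 6F6D666F 72742033 35FE0000")

def find_ndef_tlv(mem):
    """Walk Type 2 Tag TLVs; return the value of the NDEF Message TLV (0x03)."""
    i = 0
    while i + 1 < len(mem) and mem[i] != 0xFE:   # 0xFE = Terminator TLV
        tag = mem[i]
        if tag == 0x00:                          # NULL TLV has no length byte
            i += 1
            continue
        length, i = mem[i + 1], i + 2
        if length == 0xFF:                       # three-byte length form
            length, i = int.from_bytes(mem[i:i + 2], "big"), i + 2
        if tag == 0x03 and i + length <= len(mem):
            return mem[i:i + length]
        i += length
    raise ValueError("no complete NDEF Message TLV found")

def parse_record(msg):
    """Parse the first NDEF record; return (tnf, type, id, payload)."""
    hdr, type_len = msg[0], msg[1]
    plen_size = 1 if hdr & 0x10 else 4           # SR bit: one-byte payload length
    payload_len = int.from_bytes(msg[2:2 + plen_size], "big")
    has_id = (hdr >> 3) & 1                      # IL bit: ID length byte present
    id_len = msg[2 + plen_size] if has_id else 0
    t0 = 2 + plen_size + has_id                  # offset of the type field
    t1, i1 = t0 + type_len, t0 + type_len + id_len
    if i1 + payload_len > len(msg):
        raise ValueError("record fields exceed message length")
    return hdr & 0x07, msg[t0:t1], msg[t1:i1], msg[i1:i1 + payload_len]

def parse_bt_oob(payload):
    """Decode a BR/EDR OOB payload: LE length, LE BD_ADDR, then EIR structures."""
    if len(payload) < 8 or int.from_bytes(payload[:2], "little") != len(payload):
        raise ValueError("OOB length field does not match payload")
    addr = ":".join(f"{b:02X}" for b in reversed(payload[2:8]))
    eir, pos = {}, 8
    while pos < len(payload):
        flen = payload[pos]                      # counts type byte plus data
        if flen == 0 or pos + 1 + flen > len(payload):
            raise ValueError("malformed EIR structure")
        eir[payload[pos + 1]] = payload[pos + 2:pos + 1 + flen]
        pos += 1 + flen
    return addr, eir

print(parse_bt_oob(parse_record(find_ndef_tlv(USER_PAGES))[3]))
```

EIR type 0x09 is the Complete Local Name, so the record carries the headset's Bluetooth device address and name in a tag whose Capability Container reports read and write access without any security.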