Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
So I have the least knowledge about RFID possible but I'm hoping to learn by trying. Side note: I haven't changed the firmware or anything because I can't seem to figure out how.
To start, I have an Ultralight EV1 card that I would like to clone.
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
UID : 04 fe 4c ca 34 5c 84
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 3E, Ok
BCC1 : 26, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00 - 00000000000000000000000000000000
--- Tag Counters
[0] : 00 00 00
- BD tearing Ok
[1] : 00 00 00
- BD tearing Ok
[2] : 00 00 00
- BD tearing Ok
--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : d8 e6 41 b1 3c c4 d2 36 04 62 b4 00 3b ab 8f b2 d9 36 a8 63 f8 6a 3a be 5f 1a 96 24 4d 75 a9 f2
--- Tag Version
Raw bytes : 00 04 03 01 01 00 0b 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 03, Ultralight
Product subtype : 01, 17 pF
Major version : 01
Minor version : 00
Size : 0B, (64 <-> 32 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [16/0x10] : 00 00 00 ff
- pages don't need authentication
- strong modulation mode disabled
cfg1 [17/0x11] : 00 05 00 00
- Unlimited password attempts
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [18/0x12] : 00 00 00 00 - (cannot be read)
PACK [19/0x13] : 00 00 - (cannot be read)
RFU [19/0x13] : 00 00 - (cannot be read)
--- Known EV1/NTAG passwords.
Found a default password: ff ff ff ff || Pack: 00 00
I also have this UID-changeable Ultralight tag BUT it is not an EV1.
TYPE : MIFARE Ultralight (MF0ICU1)
UID : 53 6c b7 60 00 aa 40
UID[0] : 53, no tag-info available
BCC0 : 00, Ok
BCC1 : 8A, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00 - 00000000000000000000000000000000
So the question is: can the Ultralight UID-changeable fob I have be used to clone the original?
If it cannot, what type of card could be used to do so? From what I can tell from reading other posts, EV1 magic cards are hard to find or don't exist.
The second question is, if the reader only checks the UID, would my writeable card work?
Last edited by Cowasuar (2018-09-21 03:42:28)
Well, theoretically, if the reader only selects the UID after REQA, WUPA, ANTICOL and it doesn't check the version (0x60), tearing events and/or the counters etc., then it could be possible to use your simple Ultralight fob.
There are UL-EV1 magic cards available, but they lack counters and tearing support.
You can always use your PM3 to simulate your card.
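The difference between a UID-only reader and one that also checks the version (0x60) reply, as an added example that is not part of the original posts: a reader-side acceptance policy in Python using the UID, BCC and version bytes from the `hf mfu info` output above. The names `reader_accepts`, `ENROLLED_UID` and `ENROLLED_VERSION` are hypothetical, and a plain Ultralight (MF0ICU1) is assumed to give no answer to 0x60, modelled here as `None`.

```python
from typing import Optional, Tuple

# Values copied from the `hf mfu info` output in the first post.
ENROLLED_UID = bytes.fromhex("04fe4cca345c84")
ENROLLED_VERSION = bytes.fromhex("0004030101000b03")


def bcc_ok(uid: bytes, bcc0: int, bcc1: int) -> bool:
    """Check both ISO 14443-3 check bytes of a 7-byte UID (0x88 is the cascade tag)."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    return ((0x88 ^ uid[0] ^ uid[1] ^ uid[2]) == bcc0
            and (uid[3] ^ uid[4] ^ uid[5] ^ uid[6]) == bcc1)


def parse_version(raw: bytes) -> dict:
    """Split the 8-byte version reply into the fields the Proxmark prints."""
    if len(raw) != 8 or raw[0] != 0x00:
        raise ValueError("not an 8-byte version reply")
    low = 1 << (raw[6] >> 1)                # upper 7 bits n: at least 2**n bytes
    high = low * 2 if raw[6] & 1 else low   # low bit set: between 2**n and 2**(n+1)
    return {"vendor": raw[1], "product_type": raw[2], "subtype": raw[3],
            "major": raw[4], "minor": raw[5], "size_bytes": (low, high),
            "protocol": raw[7]}


def reader_accepts(uid: bytes, version: Optional[bytes],
                   check_version: bool) -> Tuple[bool, str]:
    """Hypothetical reader policy; version=None models a tag that does not answer 0x60."""
    if uid != ENROLLED_UID:
        return False, "uid mismatch"
    if not check_version:
        return True, "uid only"
    if version is None:
        return False, "no version reply"
    if parse_version(version) != parse_version(ENROLLED_VERSION):
        return False, "version mismatch"
    return True, "uid and version match"


if __name__ == "__main__":
    print(bcc_ok(ENROLLED_UID, 0x3E, 0x26))
    print(parse_version(ENROLLED_VERSION))
    # Same UID presented by a tag with no version reply, under both policies.
    print(reader_accepts(ENROLLED_UID, None, check_version=False))
    print(reader_accepts(ENROLLED_UID, None, check_version=True))
```

A matching version reply is not proof of authenticity on its own; the reply above also names tearing events and counters as things a reader can check.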
Thank you.