Research, development and trades concerning the powerful Proxmark3 device.
Hi,
today I'm playing with an EV1 tag, but the dump is almost all 00. Is this correct?
proxmark3> hf mfu dump k ffffffff
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
Reading tag memory...
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 04 51 XX 3b | |
1/0x01 | XX XX XX 81 | |
2/0x02 | 17 48 00 00 | |
3/0x03 | 00 00 00 00 | 0 | ....
4/0x04 | 00 00 00 00 | 0 | ....
5/0x05 | 00 00 00 00 | 0 | ....
6/0x06 | 00 00 00 00 | 0 | ....
7/0x07 | 00 00 00 00 | 0 | ....
8/0x08 | 00 00 00 00 | 0 | ....
9/0x09 | 00 00 00 00 | 0 | ....
10/0x0A | 00 00 00 00 | 0 | ....
11/0x0B | 00 00 00 00 | 0 | ....
12/0x0C | 00 00 00 00 | 0 | ....
13/0x0D | 00 00 00 00 | 0 | ....
14/0x0E | 00 00 00 00 | 0 | ....
15/0x0F | 00 00 00 00 | 0 | ....
16/0x10 | 00 00 00 ff | 0 | ....
17/0x11 | 00 05 00 00 | 0 | ....
18/0x12 | ff ff ff ff | 0 | ....
19/0x13 | 00 00 00 00 | 0 | ....
---------------------------------
Dumped 20 pages, wrote 80 bytes to 0451EXXXXXX281.bin
Why is it all zero?
Thanks!
Last edited by pablomf (2019-05-27 16:23:16)
Looks like a perfect dump of an empty card.
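To check what a dump like the one above actually says, here is an added example (my own code, not from the thread or the Proxmark3 project): a small parser for the `hf mfu dump` table that extracts the UID, verifies the BCC check bytes, tests whether the 48 bytes of user memory are all zero and decodes the MF0UL11 configuration pages (AUTH0, ACCESS, PWD, PACK). The sample dump is constructed from the posted one, with made-up UID bytes where the poster masked them.

```python
import re

# Constructed sample modelled on the dump posted above. The UID bytes the poster
# masked as XX are replaced with made-up values (e6 / 12 34 b0) chosen so that the
# check bytes 3b (BCC0) and 17 (BCC1) from the original dump still verify.
SAMPLE_DUMP = (
    " 0/0x00 | 04 51 e6 3b |   |\n"
    " 1/0x01 | 12 34 b0 81 |   |\n"
    " 2/0x02 | 17 48 00 00 |   |\n"
    + "".join(f"{p}/0x{p:02X} | 00 00 00 00 | 0 | ....\n" for p in range(3, 16))
    + "16/0x10 | 00 00 00 ff | 0 | ....\n"
    "17/0x11 | 00 05 00 00 | 0 | ....\n"
    "18/0x12 | ff ff ff ff | 0 | ....\n"
    "19/0x13 | 00 00 00 00 | 0 | ....\n"
)

PAGE_RE = re.compile(r"^\s*(\d+)/0x[0-9A-Fa-f]{2}\s*\|\s*((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})")

def parse_pages(dump_text):
    """Return {page_number: 4 bytes} from the table lines of 'hf mfu dump' output."""
    pages = {}
    for line in dump_text.splitlines():
        m = PAGE_RE.match(line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pages

def analyze_ulev1_48(dump_text):
    """Decode UID, BCC, user memory and config pages of an MF0UL11 (48-byte EV1) dump."""
    p = parse_pages(dump_text)
    uid = p[0][:3] + p[1][:4]                      # 7-byte UID spans pages 0 and 1
    # ISO 14443-3 cascade check bytes: BCC0 = 0x88^UID0^UID1^UID2, BCC1 = UID3^UID4^UID5^UID6
    bcc0_ok = p[0][3] == (0x88 ^ uid[0] ^ uid[1] ^ uid[2])
    bcc1_ok = p[2][0] == (uid[3] ^ uid[4] ^ uid[5] ^ uid[6])
    user = b"".join(p[i] for i in range(4, 16))    # pages 4..15 = 48 bytes of user memory
    auth0 = p[16][3]                               # first page that requires PWD_AUTH
    access = p[17][0]                              # PROT bit (0x80) and AUTHLIM (low 3 bits)
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc0_ok and bcc1_ok,
        "lock_bytes": p[2][2:4].hex(),
        "user_memory_empty": not any(user),
        "auth0": auth0,
        "password_protected": auth0 < 0x14,         # MF0UL11 has 0x14 pages; 0xFF = never
        "read_protected": bool(access & 0x80),      # 1 = reads also need the password
        "pwd": p[18].hex().upper(),
        "pack": p[19][:2].hex().upper(),
    }
```

On the posted dump this reports AUTH0 = 0xFF and the factory PWD FFFFFFFF, so no page is password-protected and the all-zero user pages are exactly what any reader would see; the card carries nothing but its UID.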
How is that possible? It is a vending machine tag charged with 50 cents €... Maybe when you add money to the tag they store the card balance in the cloud and the tag is only used to identify the user... amazing!
maybe, could also be using the counters on EV1 for it. Dunno how that would actually work with recharging your balance.
Which pm3 do you use?
For recharging you must enter the money on the vending machine and then put the tag on the reader. Then the balance is "linked" to the tag. We have 2 vending machines in the same building, so I moved to the other machine and the balance is shown correctly when I put the tag on the new reader, but as you saw in the dump I posted above all the content is filled with 0.
I'm using a PM3 Easy.
The only way to play with this IMHO is cloning or simulating other users' tags because the balance is not here... or maybe changing the UID (simulating it without PM3) will make the machine show the balance from another user's tag...
yup, try simulating it with your pm3 and see what happens.
Like with only uid, then with a dump
I've just received a Chameleon Mini RevE and I uploaded the dump using "MF_ULTRALIGHT_EV1_80B", but I can see 2 important differences when I read it using the PM3:
Original Tag:
--- Tag Counters
[0] : 00 00 00
- BD tearing Ok
[1] : 00 00 00
- BD tearing Ok
[2] : 00 00 00
- BD tearing Ok
Chameleon Mini Tag:
--- Tag Counters
[0] : 1a 1a 1a
- BD tearing Ok
[1] : 1a 1a 1a
- BD tearing Ok
[2] : 1a 1a 1a
- BD tearing Ok
and the second difference:
Original Tag:
Tag ECC Signature : 85 ab 4f 5d a3 af 46 69 ee 89 d6 c5 fb ec 55 ... etc...
Chameleon Mini Tag:
Tag ECC Signature : ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ... etc...
How can I edit these values?
Thanks!
I can reply to myself.
For the first question: I've just added more 00 to the dump and now the tag counters are 00.
And for the second question I edited MifareUltralight.c:
case CMD_READ_SIG:
    /* Hardcoded response: fill with 0xCA, then overwrite with the
     * 32-byte ECC signature read from the original tag */
    memset(Buffer, 0xCA, SIGNATURE_LENGTH);
    Buffer[0] = 0x85; //Ugly but working code
    Buffer[1] = 0xAB; //Ugly but working code
    ...
    Buffer[31] = 0xD1; //Ugly but working code
    ISO14443AAppendCRCA(Buffer, SIGNATURE_LENGTH);
    return (SIGNATURE_LENGTH + ISO14443A_CRCA_SIZE) * 8;
I will try to test tomorrow if the chameleon mini can simulate my EV1 tag and I've configured both buttons to increment and/or decrement the UID.
Nice tools!
Is there a restriction on how credit is applied to the card? E.g. in multiples of x.
What I would do is add credit and dump the card including counters. Then use some credit and dump again. Compare the dumps.
I've tested it today with my Chameleon Mini RevE and it worked! So I can confirm it: the tag balance is not in the tag.
Another test I made: I changed the UID with the buttons (I incremented the UID one by one, up to 8 steps) and nothing happened. I mean the card was detected and the balance was not printed on the machine. I'm not sure if the signature is important here. I will configure 2 tags in the Chameleon: one with the working UID and signature (already tested and working) and another tag with the same UID but with a different signature. Let's see what happens...
One question about sniffing... why does the Chameleon Mini RevE from IceMan not include the command ISO14443A_SNIFF? Is it not possible to sniff with this version?
Thanks!
Good to hear that someone actually tried successfully the ULEV1 capabilities of Chameleon RevE.
Have you got results from the tests you mentioned? Signature should remain static, independent of the UID.
As for your question, Chameleon RevE can only be used for emulation, thus no sniffing.
Yes, the vending machine does not check the signature. I modified the signature with the same UID and I can use the money without any issues. And using the Chameleon I simulated the tag with a different UID and I charged 10 cents to the new UID with success. Now I can swap between both and see the money loaded on both tags. This is crazy because if I find another user UID I can use his/her money. The security is poor.
Last edited by pablomf (2019-06-10 11:18:46)
Good to hear that someone actually tried successfully the ULEV1 capabilities of Chameleon RevE.
Have you got results from the tests you mentioned? Signature should remain static, independent of the UID.
As for your question, Chameleon RevE can only be used for emulation, thus no sniffing.
Then I don't understand why the Chameleon web page shows this feature (sniff):
Feature               | RevE: Rebooted | RevE   | RevG
----------------------+----------------+--------+---------
Buttons               | 2              | 1      | 2
LED                   | 8              | 1      | 2
Battery               | High Energy    | No     | Possible
Standby               | 3 Years        | N/A    | 3 Months
Auto Scan Wakeup      | Yes            | No     | No
Case                  | Yes (ABS)      | No     | No
Scan Range            | High           | Medium | Medium
Read without original | Yes            | No     | No
UID to Activate Card  | Yes            | No     | No
Sniff                 | Yes            | Yes    | Yes
Just out of curiosity what happens when you temporarily block the internet connectivity of the vending machine? I would be interested to know if it completely suspends transactions until connectivity is reestablished, or if it has some kind of on-board memory which stores users' balances for just such an occasion.
I know this is an old post but I'm having the same signature issue with my chameleon revG. How did you solve it in the end?
Edit: nvm. I missed that you hard-coded your signature into your Chameleon firmware.
Last edited by Akisame (2020-07-18 16:41:11)