Research, development and trades concerning the powerful Proxmark3 device.
Hi! I'm trying to explore inside my car wash card but I can't find any valid key.
hw versio command:
[usb] pm3 --> hw versio
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 13:32:40
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64
[ PROXMARK3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 13:32:26
os: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 13:32:34
compiled with GCC 10.1.0
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 53% used )
hf search command:
[usb] pm3 --> hf search
[-] Searching for ISO14443-A tag...
[+] UID: 04 7F 27 C2 9C 4C 80
[+] ATQA: 00 44
[+] SAK: 00 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Ultralight
[+] MIFARE Ultralight C
[+] MIFARE Ultralight EV1
[+] MIFARE Ultralight Nano
[+] MIFARE Hospitality
[+] NTAG 2xx
[=] proprietary non iso14443-4 card found, RATS not supported
[?] Hint: try `hf mfu info`
[+] Valid ISO 14443-A tag found
hf mfu info command:
[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] UID: 04 7F 27 C2 9C 4C 80
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: D4 (ok)
[+] BCC1: 92 (ok)
[+] Internal: 48 (default)
[+] Lock: 09 00 - 90
[+] OneTimePad: F3 13 10 A3 - #C@Ë
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
hf mf chk --1k -f mfc_default_keys command:
[usb] pm3 --> hf mf chk --1k -f mfc_default_keys
[+] Loaded 1142 keys from mfc_default_keys
[=] Start check for keys...
[=] ............................................................................
................................................................................
................................................................................
................................................................................
................................................................................
.....................................................
[=] time in checkkeys 559 seconds
[=] testing to read key B...
[+] found keys:
[+] |-----|----------------|---|----------------|---|
[+] | Sec | key A |res| key B |res|
[+] |-----|----------------|---|----------------|---|
[+] | 000 | ------------ | 0 | ------------ | 0 |
[+] | 001 | ------------ | 0 | ------------ | 0 |
[+] | 002 | ------------ | 0 | ------------ | 0 |
[+] | 003 | ------------ | 0 | ------------ | 0 |
[+] | 004 | ------------ | 0 | ------------ | 0 |
[+] | 005 | ------------ | 0 | ------------ | 0 |
[+] | 006 | ------------ | 0 | ------------ | 0 |
[+] | 007 | ------------ | 0 | ------------ | 0 |
[+] | 008 | ------------ | 0 | ------------ | 0 |
[+] | 009 | ------------ | 0 | ------------ | 0 |
[+] | 010 | ------------ | 0 | ------------ | 0 |
[+] | 011 | ------------ | 0 | ------------ | 0 |
[+] | 012 | ------------ | 0 | ------------ | 0 |
[+] | 013 | ------------ | 0 | ------------ | 0 |
[+] | 014 | ------------ | 0 | ------------ | 0 |
[+] | 015 | ------------ | 0 | ------------ | 0 |
[+] |-----|----------------|---|----------------|---|
[+] ( 0:Failed / 1:Success )
Unfortunately no keys were found.
hf mfu dump -k FFFFFFFF command:
[usb] pm3 --> hf mfu dump -k FFFFFFFF
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 00 00 00 00 00 00 00
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 7F 27 D4 | | ..'.
[=] 1/0x01 | C2 9C 4C 80 | | ..L.
[=] 2/0x02 | 92 48 09 00 | | .H..
[=] 3/0x03 | F3 13 10 A3 | 1 | ....
[=] 4/0x04 | 01 01 C8 00 | 0 | ....
[=] 5/0x05 | 03 00 0C 0F | 0 | ....
[=] 6/0x06 | 02 00 0A 08 | 0 | ....
[=] 7/0x07 | 00 00 00 00 | 0 | ....
[=] 8/0x08 | D0 07 01 17 | 0 | ....
[=] 9/0x09 | 92 0E 00 5D | 0 | ...]
[=] 10/0x0A | 6C 07 01 97 | 0 | l...
[=] 11/0x0B | D2 0E 00 21 | 0 | ...!
[=] 12/0x0C | 08 07 01 97 | 0 | ....
[=] 13/0x0D | 32 0F 00 A4 | 0 | 2...
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file hf-mfu-047F27C29C4C80-dump-3.bin
[+] saved to json file hf-mfu-047F27C29C4C80-dump-3.json
hf list command:
[usb] pm3 --> hf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 145 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | |
2100 | 4468 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | |
10548 | 16372 | Tag |88 04 7f 27 d4 | |
19072 | 29600 | Rdr |93 70 88 04 7f 27 d4 88 4f | |
30644 | 34164 | Tag |04 da 17 | |
35584 | 38048 | Rdr |95 20 | |
39092 | 44980 | Tag |c2 9c 4c 80 92 | |
47616 | 58144 | Rdr |95 70 c2 9c 4c 80 92 d7 3d | |
59188 | 62772 | Tag |00 fe 51 | |
347136 | 350752 | Rdr |60 f8 32 | |
What is the next step for me? What can I do now?
I have no idea...
Many thanks
Offline
Maybe read a datasheet about MIFARE Ultralight?
And maybe start looking at the data you dump to file?
Offline
LOL pal, you have already successfully got the dump file hf-mfu-047F27C29C4C80-dump-3.bin.
Now the question is what kind of magic Ultralight card to write to.
Last edited by yukihama (2021-08-09 05:37:03)
Offline
Maybe read a datasheet about MIFARE Ultralight?
And maybe start looking at the data you dump to file?
Yes, you are right. I realize I probably didn't explain myself well...
I started to analyze the data and compare different dumps to understand the byte values.
I have found that it is an easy scheme. The last 4 operations are stored starting from page 8 (8-9 | 10-11 | 12-13 | 14-15).
2 bytes for credit, day, fixed value (0x97), 4 bytes still to be interpreted (probably date or time).
Indexes of the last two operations are alternately stored at Byte 1 page 5 and Byte 1 page 6.
I was wrong about the dump command because I believed that without a correct key I couldn't obtain a valid dump and couldn't restore a dump file either...
LOL pal, you have already successfully got the dump file hf-mfu-047F27C29C4C80-dump-3.bin.
Yes!! Many thanks
Offline
I'm continuing to study the data scheme...
I don't understand why I can't restore a dump file completely.
[usb] pm3 --> hf mfu restore -f 1800.bin
[+] loaded 120 bytes from binary file 1800.bin
[=] Restoring 1800.bin to card
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 00 00 00 00 00 00 00
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 7F 27 D4 | | ..'.
[=] 1/0x01 | C2 9C 4C 80 | | ..L.
[=] 2/0x02 | 92 48 09 00 | | .H..
[=] 3/0x03 | F3 13 10 A3 | 1 | ....
[=] 4/0x04 | 01 01 C8 00 | 0 | ....
[=] 5/0x05 | 03 00 0C 0F | 0 | ....
[=] 6/0x06 | 02 00 0A 08 | 0 | ....
[=] 7/0x07 | 00 00 00 00 | 0 | ....
[=] 8/0x08 | D0 07 01 17 | 0 | ....
[=] 9/0x09 | 92 0E 00 5D | 0 | ...]
[=] 10/0x0A | 6C 07 01 97 | 0 | l...
[=] 11/0x0B | D2 0E 00 21 | 0 | ...!
[=] 12/0x0C | 08 07 01 97 | 0 | ....
[=] 13/0x0D | 32 0F 00 A4 | 0 | 2...
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Restoring data blocks.
[=] ........
[=] Restore finished
Lock byte 0 = 9 ('0000 1001')
Lock byte 1 = 0 ('0000 0000')
The only locked page is the OTP page (0x03), but if I now try to read my card I can see that only the first 11 pages (0x00-0x10) have been restored:
[usb] pm3 --> hf mfu dump -f X.bin
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 00 00 00 00 00 00 00
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 7F 27 D4 | | ..'.
[=] 1/0x01 | C2 9C 4C 80 | | ..L.
[=] 2/0x02 | 92 48 09 00 | | .H..
[=] 3/0x03 | F3 13 10 A3 | 1 | ....
[=] 4/0x04 | 01 01 C8 00 | 0 | ....
[=] 5/0x05 | 03 00 0C 0F | 0 | ....
[=] 6/0x06 | 02 00 0A 08 | 0 | ....
[=] 7/0x07 | 00 00 00 00 | 0 | ....
[=] 8/0x08 | D0 07 01 17 | 0 | ....
[=] 9/0x09 | 92 0E 00 5D | 0 | ...]
[=] 10/0x0A | 6C 07 01 97 | 0 | l...
[=] 11/0x0B | 0B 0B 00 52 | 0 | ...R
[=] 12/0x0C | 78 05 1C 97 | 0 | x...
[=] 13/0x0D | 8B 0B 00 76 | 0 | ...v
[=] 14/0x0E | 14 05 21 97 | 0 | ..!.
[=] 15/0x0F | F4 09 00 5A | 0 | ...Z
[=] ---------------------------------
[+] saved 120 bytes to binary file X-6.bin
[+] saved to json file X.bin-6.json
Why?
Last edited by MaBi (2021-09-10 20:21:09)
Offline
OK, I suppose it's a SW problem of the client (pm3).
I tried to write a single block with the relevant command:
hf mfu wrbl -b 11 -dD20E0021
and I read again the card:
[usb] pm3 --> hf mfu dump -f X.bin
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 00 00 00 00 00 00 00
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 7F 27 D4 | | ..'.
[=] 1/0x01 | C2 9C 4C 80 | | ..L.
[=] 2/0x02 | 92 48 09 00 | | .H..
[=] 3/0x03 | F3 13 10 A3 | 1 | ....
[=] 4/0x04 | 01 01 C8 00 | 0 | ....
[=] 5/0x05 | 03 00 0C 0F | 0 | ....
[=] 6/0x06 | 02 00 0A 08 | 0 | ....
[=] 7/0x07 | 00 00 00 00 | 0 | ....
[=] 8/0x08 | D0 07 01 17 | 0 | ....
[=] 9/0x09 | 92 0E 00 5D | 0 | ...]
[=] 10/0x0A | 6C 07 01 97 | 0 | l...
[=] 11/0x0B | D2 0E 00 21 | 0 | ...!
[=] 12/0x0C | 00 00 00 00 | 0 | ....
[=] 13/0x0D | 00 00 00 00 | 0 | ....
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
Block number 11 is written now.
I don't understand why it can't write blocks from 11 to 15 when I use the restore command.
Offline
Finally I have found the source of this problem.
File cmdhfmfu.c:
    // write all other data
    // Skip block 0,1,2,3 (only magic tags can write to them)
    // Skip last 5 blocks usually is configuration
    for (uint8_t b = 4; b < pages - 5; b++) {

        //Send write Block
        memcpy(data, mem->data + (b * 4), 4);
        clearCommandBuffer();
        SendCommandMIX(CMD_HF_MIFAREU_WRITEBL, b, keytype, 0, data, sizeof(data));
        wait4response(b);
        PrintAndLogEx(NORMAL, "." NOLF);
        fflush(stdout);
    }
// Skip last 5 blocks usually is configuration
In my case this isn't configuration but data. Maybe it would be better to add a parameter that could optionally indicate how many pages to skip from the last page...
Offline
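An added diagnostic, not part of the original posts or of the Proxmark3 code base: it compares the restored file with the card read-back and labels each differing page as skipped by the loop quoted above, locked by the lock bytes, or unexplained. The `skip_tail` parameter is hypothetical and stands in for the option suggested in the last post; the page data is copied from the dumps in this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MFU_PAGES 16 /* MF0ICU1: pages 0x00-0x0F, 4 bytes each */
enum verdict { SAME, DIFF_SKIPPED, DIFF_LOCKED, DIFF_UNEXPLAINED };

/* Page data of 1800.bin (WANT) and of the card read-back (GOT), from the thread. */
static const uint8_t WANT[64] = {
    0x04,0x7F,0x27,0xD4, 0xC2,0x9C,0x4C,0x80, 0x92,0x48,0x09,0x00, 0xF3,0x13,0x10,0xA3,
    0x01,0x01,0xC8,0x00, 0x03,0x00,0x0C,0x0F, 0x02,0x00,0x0A,0x08, 0x00,0x00,0x00,0x00,
    0xD0,0x07,0x01,0x17, 0x92,0x0E,0x00,0x5D, 0x6C,0x07,0x01,0x97, 0xD2,0x0E,0x00,0x21,
    0x08,0x07,0x01,0x97, 0x32,0x0F,0x00,0xA4, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static const uint8_t GOT[64] = {
    0x04,0x7F,0x27,0xD4, 0xC2,0x9C,0x4C,0x80, 0x92,0x48,0x09,0x00, 0xF3,0x13,0x10,0xA3,
    0x01,0x01,0xC8,0x00, 0x03,0x00,0x0C,0x0F, 0x02,0x00,0x0A,0x08, 0x00,0x00,0x00,0x00,
    0xD0,0x07,0x01,0x17, 0x92,0x0E,0x00,0x5D, 0x6C,0x07,0x01,0x97, 0x0B,0x0B,0x00,0x52,
    0x78,0x05,0x1C,0x97, 0x8B,0x0B,0x00,0x76, 0x14,0x05,0x21,0x97, 0xF4,0x09,0x00,0x5A };

/* Lock bytes are page 2, bytes 2-3: bit 3 locks page 3 (OTP), bits 4-15 lock
 * pages 4-15. Bits 0-2 are block-locking bits, not page locks. */
static int page_locked(const uint8_t *mem, int page) {
    unsigned lock = mem[10] | ((unsigned)mem[11] << 8);
    return page >= 3 && ((lock >> page) & 1u);
}

/* Why does `page` differ after a restore whose loop runs
 * for (b = 4; b < MFU_PAGES - skip_tail; b++)? */
static enum verdict classify(const uint8_t *want, const uint8_t *got, int page, int skip_tail) {
    if (memcmp(want + page * 4, got + page * 4, 4) == 0) return SAME;
    if (page < 4 || page >= MFU_PAGES - skip_tail) return DIFF_SKIPPED;
    return page_locked(got, page) ? DIFF_LOCKED : DIFF_UNEXPLAINED;
}

/* Bitmask of pages that still differ because the loop never wrote them. */
static unsigned unrestored_pages(const uint8_t *want, const uint8_t *got, int skip_tail) {
    unsigned mask = 0;
    for (int p = 0; p < MFU_PAGES; p++)
        if (classify(want, got, p, skip_tail) == DIFF_SKIPPED) mask |= 1u << p;
    return mask;
}

int main(void) {
    static const char *names[] = { "same", "skipped by loop", "locked", "unexplained" };
    for (int p = 0; p < MFU_PAGES; p++)
        printf("page %2d: %s\n", p, names[classify(WANT, GOT, p, 5)]);
    printf("unrestored mask: 0x%04X\n", unrestored_pages(WANT, GOT, 5));
    return 0;
}
```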