Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi
I only have the following docs to work from:
* http://www.skyetek.com/docs/m2/ultralightc.pdf (BEST)
* http://www.nxp.com/documents/short_data_sheet/MF0ICU2_SDS.pdf (same as the one in the files folder).
Currently working on moving the ultralight commands into its own sub menu
proxmark3> hf mfu
help This help
dbg Set default debug mode
urdbl Read MIFARE Ultralight block
urdcard Read MIFARE Ultralight Card
udump Dump MIFARE Ultralight tag to binary file
uwrbl Write MIFARE Ultralight block
ucrdbl Read MIFARE Ultralight C block
ucrdcard Read MIFARE Ultralight C Card
ucdump Dump MIFARE Ultralight C tag to binary file
auth Authenticate to Ultralight C tag
Currently I can only read unlocked/unencrypted blocks on ultralight C cards (in addition to standard mifare ultralight previously added).
Also I can write to unprotected/unencrypted blocks using the standard uwrbl command (see below block 7 is ffffffff)
example read (note blocks 2c + are not readable):
proxmark3> hf mfu ucrdcard
Attempting to Read Ultralight C...
#db# READ CARD FINISHED
isOk:01
Block 00:04 0e 6b e9
Block 01:ca 0b 28 80
Block 02:69 48 00 00
Block 03:00 00 00 00 [0]
Block 04:02 00 00 10 [0]
Block 05:00 06 01 10 [0]
Block 06:11 ff 00 00 [0]
Block 07:ff ff ff ff [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:00 00 00 00 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:00 00 00 00 [0]
Block 10:00 00 00 00 [0]
Block 11:00 00 00 00 [0]
Block 12:00 00 00 00 [0]
Block 13:00 00 00 00 [0]
Block 14:00 00 00 00 [0]
Block 15:00 00 00 00 [0]
Block 16:00 00 00 00 [0]
Block 17:00 00 00 00 [0]
Block 18:00 00 00 00 [0]
Block 19:00 00 00 00 [0]
Block 1a:00 00 00 00 [0]
Block 1b:00 00 00 00 [0]
Block 1c:00 00 00 00 [0]
Block 1d:00 00 00 00 [0]
Block 1e:00 00 00 00 [0]
Block 1f:00 00 00 00 [0]
Block 20:00 00 00 00 [0]
Block 21:00 00 00 00 [0]
Block 22:00 00 00 00 [0]
Block 23:00 00 00 00 [0]
Block 24:00 00 00 00 [0]
Block 25:00 00 00 00 [0]
Block 26:00 00 00 00 [0]
Block 27:00 00 00 00 [0]
Block 28:00 00 00 00 [0]
Block 29:00 00 00 00 [0]
Block 2a:00 00 00 00 [0]
Block 2b:00 00 00 00 [0]
UPDATE:
If anyone else wants to help, initial code (branch) can be found here:
* https://github.com/PenturaLabs/proxmark3/tree/Ultralight-Mod
Last edited by pentura_prox (2014-04-10 14:14:06)
Offline
When I get hold of my Ultralight cards I will give it a shot. They are supposed to be delivered before the weekend
Offline
bit closer, not sure if this WUPA "0x52" response is messing up the authentication
proxmark3> hf mfu auth
#db# Auth1 Resp: af069d66d2a8ce584ebda6
#db# Can't select card, something went wrong before auth
#db# AUTH 1 FINISHED
enc(RndB):06 9d 66 d2 a8 ce 58 4e
RndB:fc e8 16 c2 1f bc 26 a4
RndA:00 00 00 00 00 00 00 00
RA+B:00 00 00 00 00 00 00 00 fc e8 16 c2 1f bc 26 a4
enc(RA+B):c2 af 3f e2 05 bb ad 47 55 4d cf e3 39 3f 2f 9b
#db# Sending c2af3fe205bbad47554dcfe3393f2f9b
#db# Data command: af
#db# Data R: afc2af3fe205bbad47554dcfe3393f2f9bc6e9
#db# Authentication failed. Card timeout.
#db# Auth2 Resp: 0
#db# Auth2 Resp: 0
#db# Auth2 Resp: af069d66d2a8ce584ebd
#db# AUTH 2 FINISHED
isOk:88 Resonse:00 00 00 00 00 00 00 00
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
2404 | 4772 | Tag | 44 00
7040 | 9504 | Rdr | 93 20
10852 | 16740 | Tag | 88 04 0e 6b e9
18816 | 29280 | Rdr | 93 70 88 04 0e 6b e9 2c 90
30692 | 34212 | Tag | 04 da 17
35456 | 37920 | Rdr | 95 20
39268 | 45092 | Tag | ca 0b 28 80 69
47232 | 57760 | Rdr | 95 70 ca 0b 28 80 69 69 f1
59108 | 62692 | Tag | 00 fe 51
66176 | 70944 | Rdr | 1a 00 41 76
82660 | 95396 | Tag | af 06 9d 66 d2 a8 ce 58 4e bd a6
120960 | 121952 | Rdr | 52
1446016 | 1468064 | Rdr | af c2 af 3f e2 05 bb ad 47 55 4d cf e3 39 3f 2f 9b c6 e9
Offline
I've gotten my order of cards now, so if I can be of some assistance please don't hesitate to ask.
Is there any chance that you might have committed your current progress to the github's unstable branch?
Offline
iceman, it's not in unstable just yet; the code is very messy & experimental
email me <now removed>
Last edited by midnitesnake (2014-04-10 23:05:34)
Offline
UPDATE: Got rid of the stray WUPA packet - but now receive a NAK '0x00' Authentication Fail
proxmark3> hf mfu auth
#db# Auth1 Resp: af12df2ac0c492eb80af9d
#db# AUTH 1 FINISHED
enc(RndB):12 df 2a c0 c4 92 eb 80
RndB:ca 0e 4c b4 93 7a 88 8b
RndA:00 00 00 00 00 00 00 00
RA+B:00 00 00 00 00 00 00 00 ca 0e 4c b4 93 7a 88 8b
enc(RA+B):19 62 df 9b b6 8d a6 6a 19 61 ca 4c 6e 48 af 02
#db# NAK - Authentication failed.
#db# Authentication part2: Fail...
#db# AUTH 2 FINISHED
isOk:00
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
2404 | 4772 | Tag | 44 00
7040 | 9504 | Rdr | 93 20
10852 | 16740 | Tag | 88 04 0e 6b e9
18816 | 29280 | Rdr | 93 70 88 04 0e 6b e9 2c 90
30692 | 34212 | Tag | 04 da 17
35456 | 37920 | Rdr | 95 20
39268 | 45092 | Tag | ca 0b 28 80 69
47232 | 57760 | Rdr | 95 70 ca 0b 28 80 69 69 f1
59108 | 62692 | Tag | 00 fe 51
66176 | 70944 | Rdr | 1a 00 41 76
82660 | 95460 | Tag | af 12 df 2a c0 c4 92 eb 80 af 9d
1041408 | 1063392 | Rdr | af 19 62 df 9b b6 8d a6 6a 19 61 ca 4c 6e 48 af 02 7e e4
1075172 | 1075812 | Tag | 00!
Offline
Cracked it! Forgot to Rotate RndB' left 8 bits.
Cleaning up the code, and will issue a pull request once this is done
proxmark3> hf mfu auth
#db# Auth1 Resp: af1eae15f85b05e32d99b5
#db# AUTH 1 FINISHED
enc(RndB):1e ae 15 f8 5b 05 e3 2d
RndB:13 46 86 a9 4b f7 94 cd
RndA:9b 75 fe 7f 5b 9e ba 79
RA+B:9b 75 fe 7f 5b 9e ba 79 46 86 a9 4b f7 94 cd 13
enc(RA+B):62 7a b7 02 0c fe c7 8b a2 4e 6b 43 5e 0f a0 b7
#db# len b
#db# Auth2 Resp: 00fcb27f6e3d5db88b8e
#db# AUTH 2 FINISHED
isOk:88 Resonse:00 00 00 00 00 00 00 00
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
2404 | 4772 | Tag | 44 00
7040 | 9504 | Rdr | 93 20
10852 | 16740 | Tag | 88 04 0e 6b e9
18816 | 29280 | Rdr | 93 70 88 04 0e 6b e9 2c 90
30692 | 34212 | Tag | 04 da 17
35456 | 37920 | Rdr | 95 20
39268 | 45092 | Tag | ca 0b 28 80 69
47232 | 57760 | Rdr | 95 70 ca 0b 28 80 69 69 f1
59108 | 62692 | Tag | 00 fe 51
66176 | 70944 | Rdr | 1a 00 41 76
82660 | 95460 | Tag | af 1e ae 15 f8 5b 05 e3 2d 99 b5
1031296 | 1053344 | Rdr | af 62 7a b7 02 0c fe c7 8b a2 4e 6b 43 5e 0f a0 b7 96 df
1065060 | 1077796 | Tag | 00 fc b2 7f 6e 3d 5d b8 8b 8e cc
Offline
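The fix described in the post above (rotating RndB left by one byte before building RndA || RndB'), as an added example that is not part of the original post or of the Proxmark3 code: a Python checker that reads the `hf mfu auth` debug fields and the `hf 14a list` trace lines quoted in this thread and reports why an attempt failed. The function names and finding labels are assumptions made for this example; the sample values are copied from the posts above.

```python
import re

# Debug fields printed by the thread's `hf mfu auth`, e.g. "RndB:13 46 86 ..."
FIELD_RE = re.compile(
    r"^(enc\(RndB\)|RndB|RndA|RA\+B|enc\(RA\+B\)):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_auth_debug(text):
    """Collect the hex fields the client prints during authentication."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = bytes.fromhex(m.group(2))
    return fields

def rotl8(block):
    """Rotate a byte string left by 8 bits (one byte): RndB -> RndB'."""
    return block[1:] + block[:1]

def check_step2_token(fields):
    """Findings about the plaintext RndA || RndB' token (empty list = OK)."""
    missing = [k for k in ("RndA", "RndB", "RA+B") if k not in fields]
    if missing:
        return ["missing:" + ",".join(missing)]
    rnd_a, rnd_b, token = fields["RndA"], fields["RndB"], fields["RA+B"]
    if (len(rnd_a), len(rnd_b), len(token)) != (8, 8, 16):
        return ["bad-length"]
    findings = []
    if token[:8] != rnd_a:
        findings.append("rnda-mismatch")
    if token[8:] != rotl8(rnd_b):
        # Unrotated RndB is the exact bug found in this thread.
        findings.append("rndb-not-rotated" if token[8:] == rnd_b else "rndb-mismatch")
    if rnd_a == bytes(8):
        findings.append("rnda-all-zero")  # reader challenge is constant, not random
    return findings

def parse_trace(text):
    """Parse `hf 14a list` rows into (source, bytes); '!' error marks are dropped."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 4 and parts[2] in ("Rdr", "Tag"):
            frames.append((parts[2], bytes.fromhex(parts[3].replace("!", ""))))
    return frames

def auth_outcome(frames):
    """Classify the 0x1A authentication exchange seen in a trace."""
    start = next((i for i, (s, d) in enumerate(frames)
                  if s == "Rdr" and d[:1] == b"\x1a"), None)
    if start is None:
        return "no-auth-command"
    rest = frames[start + 1:]
    # Step 1 reply: AF + 8-byte enc(RndB) + 2-byte CRC = 11 bytes.
    if not rest or rest[0][0] != "Tag" or rest[0][1][:1] != b"\xaf" or len(rest[0][1]) != 11:
        return "no-challenge"
    # Step 2 command: AF + 16-byte enc(RndA || RndB') + 2-byte CRC = 19 bytes.
    step2 = next((i for i, (s, d) in enumerate(rest)
                  if s == "Rdr" and d[:1] == b"\xaf" and len(d) == 19), None)
    if step2 is None:
        return "no-step2"
    reply = rest[step2 + 1:step2 + 2]
    if not reply or reply[0][0] != "Tag":
        return "timeout"
    data = reply[0][1]
    # Success: 00 + 8-byte enc(RndA') + CRC. A lone 00 is the NAK seen above.
    return "authenticated" if data[:1] == b"\x00" and len(data) == 11 else "nak"

# Debug output copied from the NAK attempt and from the working attempt above.
DEBUG_NAK = """RndB:ca 0e 4c b4 93 7a 88 8b
RndA:00 00 00 00 00 00 00 00
RA+B:00 00 00 00 00 00 00 00 ca 0e 4c b4 93 7a 88 8b"""
DEBUG_OK = """RndB:13 46 86 a9 4b f7 94 cd
RndA:9b 75 fe 7f 5b 9e ba 79
RA+B:9b 75 fe 7f 5b 9e ba 79 46 86 a9 4b f7 94 cd 13"""

# Trace tails copied from the three `hf 14a list` outputs above.
TRACE_TIMEOUT = """66176 | 70944 | Rdr | 1a 00 41 76
82660 | 95396 | Tag | af 06 9d 66 d2 a8 ce 58 4e bd a6
120960 | 121952 | Rdr | 52
1446016 | 1468064 | Rdr | af c2 af 3f e2 05 bb ad 47 55 4d cf e3 39 3f 2f 9b c6 e9"""
TRACE_NAK = """66176 | 70944 | Rdr | 1a 00 41 76
82660 | 95460 | Tag | af 12 df 2a c0 c4 92 eb 80 af 9d
1041408 | 1063392 | Rdr | af 19 62 df 9b b6 8d a6 6a 19 61 ca 4c 6e 48 af 02 7e e4
1075172 | 1075812 | Tag | 00!"""
TRACE_OK = """66176 | 70944 | Rdr | 1a 00 41 76
82660 | 95460 | Tag | af 1e ae 15 f8 5b 05 e3 2d 99 b5
1031296 | 1053344 | Rdr | af 62 7a b7 02 0c fe c7 8b a2 4e 6b 43 5e 0f a0 b7 96 df
1065060 | 1077796 | Tag | 00 fc b2 7f 6e 3d 5d b8 8b 8e cc"""

if __name__ == "__main__":
    for name, dbg in (("NAK attempt", DEBUG_NAK), ("working attempt", DEBUG_OK)):
        print(name, check_step2_token(parse_auth_debug(dbg)))
    for name, tr in (("1st", TRACE_TIMEOUT), ("2nd", TRACE_NAK), ("3rd", TRACE_OK)):
        print(name, auth_outcome(parse_trace(tr)))
```

The checker only inspects plaintext fields and frame shapes; it does no 3DES and needs no key.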
Nice work!
Offline
Superb! Now you have improved skills
Offline
You got mail, Midnitesnake.
Offline
For those interested a branch of the code (for testing purposes) is here:
* https://github.com/PenturaLabs/proxmark3/tree/Ultralight-Mod
before I issue the pull request into the main repo.
Offline
I'm compiling as we speak. Will give it a go right now.
-- hmm.. compiling issues..
-------------------------------------
cmdhfmfu.c:12:25: error: openssl/des.h: No such file or directory
cmdhfmfu.c: In function 'CmdHF14AMfucAuth':
cmdhfmfu.c:442: error: 'DES_cblock' undeclared (first use in this function)
cmdhfmfu.c:442: error: (Each undeclared identifier is reported only once
cmdhfmfu.c:442: error: for each function it appears in.)
cmdhfmfu.c:442: error: expected ';' before 'RndA'
cmdhfmfu.c:443: error: expected ';' before 'iv'
cmdhfmfu.c:444: error: 'DES_key_schedule' undeclared (first use in this function)
cmdhfmfu.c:444: error: expected ';' before 'ks1'
cmdhfmfu.c:445: error: expected ';' before 'key1'
cmdhfmfu.c:474: error: 'key1' undeclared (first use in this function)
cmdhfmfu.c:475: error: 'key2' undeclared (first use in this function)
cmdhfmfu.c:476: warning: implicit declaration of function 'DES_set_key'
cmdhfmfu.c:476: error: expected expression before ')' token
cmdhfmfu.c:477: error: expected expression before ')' token
cmdhfmfu.c:497: warning: implicit declaration of function 'DES_random_key'
cmdhfmfu.c:497: error: 'RndA' undeclared (first use in this function)
cmdhfmfu.c:498: warning: implicit declaration of function 'DES_ede2_cbc_encrypt'
cmdhfmfu.c:498: error: 'RndB' undeclared (first use in this function)
cmdhfmfu.c:498: error: 'ks1' undeclared (first use in this function)
cmdhfmfu.c:498: error: 'ks2' undeclared (first use in this function)
cmdhfmfu.c:498: error: 'iv' undeclared (first use in this function)
make[1]: *** [obj/cmdhfmfu.o] Error 1
make[1]: Leaving directory `/pm3/client'
make: *** [client/all] Error 2
Offline
hmm, what system are you trying to compile on?
Looks like it's not finding the openssl development libraries.
I'm using openssl to manage the crypto data-structures and methods for providing the 3DES encryption (or in this case authentication).
Depending on your system (Gentoo Linux, OSX with Mac ports or brew) you need to install openssl; this will compile the necessary libraries and install the appropriate header files.
The Makefile in my Ultralight branch appears to work ok on my systems but that may be partly due to how I've set up my systems.
On Debian-based systems you may need to "apt get install libssl-dev openssl-dev" to get the appropriate libraries and headers; you may also need to change the LDLIBS and CFLAGS variables in the client/Makefile in order for it to compile correctly.
Last edited by pentura_prox (2014-04-10 18:42:39)
Offline
Well, I'm on Win7 with the cygwin solution you can download from somewhere on this site.
Doesn't have all the good stuff Linux has..
Offline
Virtualbox and Kali linux?
Maybe another Windows Wizard could help you?
I got this far:
c:\cygwin64\home\D\proxmark3\client/cmdhfmfu.c:476: undefined reference
to `DES_set_key'
c:\cygwin64\home\D\proxmark3\client/cmdhfmfu.c:477: undefined reference
to `DES_set_key'
c:\cygwin64\home\D\proxmark3\client/cmdhfmfu.c:497: undefined reference
to `DES_random_key'
c:\cygwin64\home\D\proxmark3\client/cmdhfmfu.c:498: undefined reference
to `DES_ede3_cbc_encrypt'
c:\cygwin64\home\D\proxmark3\client/cmdhfmfu.c:505: undefined reference
to `DES_ede3_cbc_encrypt'
collect2: ld returned 1 exit status
make: *** [proxmark3] Error 1
Which means it found my openssl files (I had to click the source box on the cygwin installer). This now comes down to a linker problem - not locating/using the statically compiled libssl.a libraries I created.
UPDATE:
I was using the wrong version of cygwin. Swapping to cygwin 32-bit allowed me to compile adding -static-libgcc to the makefile. However, it still doesn't want to run.
Suggest using Virtualbox and Kali linux for a quick fix.
Last edited by pentura_prox (2014-04-11 17:27:23)
Offline
I was able to add openssl to MinGW using this guide from page 12 to page 16 - (after installing it also copy this folder inside the proxmark3 \client folder) but when I reach this point I find it hard to go further:
The problem seems to be here [\client\makefile]:
LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread -lssl ../liblua/liblua.a
My openssl folder is here: C:\OpenSSL-Win64; any other hint to overcome this problem? I don't know which \ssl folder must be "Located" by the above string (there are more than one \ssl folder inside my MinGW after openssl installation).
Last edited by asper (2014-04-10 23:32:38)
Offline
Well, I managed to bypass the above error and now I am stuck at midnite's problem, missing references (both on win and android):
For windows users: if you installed openssl as explained in this guide (page 12 to 16) extract this file in your proxmark source folder and it will "see" openssl.
Still working on missing references.
Last edited by asper (2014-04-11 11:21:07)
Offline
Does this mod recover the key from an Ultralight C, or do you have to know the key?
I think the answer is you have to know the key; I read the source code and I can see some bruteforcing.
Could you explain the cracking process?
I ask this question because I'm looking for something similar for desfire card (d40) des keys.
thanks
Last edited by thefkboss (2014-04-11 12:20:16)
Offline
Thanks to midnite's suggestion (using static libssl.a and libcrypto.a libraries) I managed to bypass the above error, but now I'm stuck at this one:
Any hint ? Holiman ?
Last edited by asper (2014-04-11 13:11:11)
Offline
Found the problem reading this thread.
If you want to compile under windows uncompress this file under your proxmark3 branch (supporting ultralightc) source.
Last edited by asper (2014-04-11 12:50:58)
Offline
Does this mod recover the key from an Ultralight C, or do you have to know the key?
I think the answer is you have to know the key; I read the source code and I can see some bruteforcing.
Could you explain the cracking process?
I ask this question because I'm looking for something similar for desfire card (d40) des keys. thanks
The UltraC-Crack.c in the tools folder is a current PoC; Given a valid trace of a successful authentication, replace the cuid,e_RndB, and RndARndB.
The program will first test all default keys, then try diversified default keys (based off card id), lastly it will try a bruteforce (which is unlikely to succeed).
Offline
asper, I tried your rar-file, but I got this:
g++ -I/qt/include -I/qt/include/QtCore -I/qt/include/QtGui obj/proxmark3.o obj/uart.o obj/util.o obj/sleep.o obj/nonce2key/crapto1
.o obj/nonce2key/crypto1.o obj/nonce2key/nonce2key.o obj/mifarehost.o obj/crc16.o obj/iso14443crc.o obj/iso15693tools.o obj/data.o
obj/graph.o obj/ui.o obj/cmddata.o obj/cmdhf.o obj/cmdhf14a.o obj/cmdhf14b.o obj/cmdhf15.o obj/cmdhfepa.o obj/cmdhflegic.o obj/cm
dhficlass.o obj/cmdhfmf.o obj/cmdhfmfu.o obj/cmdhw.o obj/cmdlf.o obj/cmdlfhid.o obj/cmdlfio.o obj/cmdlfem4x.o obj/cmdlfhitag.o obj
/cmdlfti.o obj/cmdparser.o obj/cmdmain.o obj/cmdlft55xx.o obj/cmdlfpcf7931.o obj/pm3_binlib.o obj/scripting.o obj/cmdscript.o obj/
pm3_bitlib.o obj/proxgui.o obj/proxguiqt.o obj/proxguiqt.moc.o -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread ../liblua/li
blua.a ../ssl/libssl.a ../ssl/libcrypto.a -lgdi32 -L/qt/lib -lQtCore4 -lQtGui4 -o proxmark3
../ssl/libcrypto.a(cryptlib.o):cryptlib.c:(.text+0x53d): undefined reference to `__chkstk_ms'
../ssl/libcrypto.a(bss_file.o):bss_file.c:(.text+0x75d): undefined reference to `__chkstk_ms'
../ssl/libcrypto.a(bn_exp.o):bn_exp.c:(.text+0x74b): undefined reference to `__chkstk_ms'
../ssl/libcrypto.a(bn_prime.o):bn_prime.c:(.text+0xeb): undefined reference to `__chkstk_ms'
../ssl/libcrypto.a(err_prn.o):err_prn.c:(.text+0x8b): undefined reference to `__chkstk_ms'
../ssl/libcrypto.a(err_prn.o):err_prn.c:(.text+0x1ca): more undefined references to `__chkstk_ms' follow
collect2: ld returned 1 exit status
make[1]: *** [proxmark3] Error 1
make[1]: Leaving directory `/pm3/client'
make: *** [client/all] Error 2
Offline
Did you install openssl ? It compiles for me.
Try to replace the .a files in \ssl folder with those 2; they are older compiled libraries (the ones you can find in my previous packet are latest version compiled by me but my compiler works with both of them).
Alternatively here it is my already compiled version.
Please test and tell us if ultralightc support works for you!
Last edited by asper (2014-04-12 07:49:57)
Offline
Compiled:
----------------------------------
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 0 2014-04-12 07:52:30
#db# os: svn 0 2014-04-12 07:52:46
#db# FPGA image built on 2014/02/25 at 07:43:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
--------------
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 0.13 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 4.67 V @ 13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is marginal.
------------------
This Hardware is the RadioWar's modded one.
The first thing I noted with his modded version is that my antenna voltage dropped very much.
Same antenna on the regular PM3 hardware, gives much higher voltage.
------------------
Firmware:
SSL-version: using the new HF MFU commands, is not successful. Can't select card UL-C anymore.
unstable-version: I can read via HF MF URDBL ... But this version doesn't support UL-C..
Offline
BTW, Asper thanks for the ssl-files that was missing. It helped.
Offline
------------------------------------------------------------------------
HW: Old
FW: UNSTABLE
CLIENT: UNSTABLE
------------------------------------------------------------------------
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2014-04-12 12:05:28
#db# os: /-suspect 2014-04-12 12:05:31
#db# FPGA image built on 2014/03/24 at 21:54:44
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 0.13 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 11.47 V @ 13.56 MHz
# Your LF antenna is unusable.
proxmark3> hf 14a reader
ATQA : 44 00
UID : 00 00 00 00 00 00 00
SAK : 00 [2]
TYPE : NXP MIFARE Ultralight | Ultralight C
proprietary non iso14443a-4 card found, RATS not supported
proxmark3> hf mf urdbl 0
--block no:00
#db# READ BLOCK FINISHED
isOk:01 data:00 00 00 00
proxmark3>
------------------------------------------------------------------------
HW: Old
FW: UNSTABLE
CLIENT: ULC_MOD
------------------------------------------------------------------------
proxmark3> hf mfu
help This help
dbg Set default debug mode
urdbl Read MIFARE Ultralight block
urdcard Read MIFARE Ultralight Card
udump Dump MIFARE Ultralight tag to binary file
uwrbl Write MIFARE Ultralight block
ucrdbl Read MIFARE Ultralight C block
ucrdcard Read MIFARE Ultralight C Card
ucdump Dump MIFARE Ultralight C tag to binary file
ucwrbl Write MIFARE Ultralight C block
auth Ultralight C Authentication
proxmark3> hf mfu ucrdcard
Attempting to Read Ultralight C...
#db# READ CARD FINISHED
isOk:01
Block 00:00 00 00 00
Block 01:00 00 00 00
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:01 02 03 04 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:00 00 00 00 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:00 00 00 00 [0]
Block 10:00 00 00 00 [0]
Block 11:00 00 00 00 [0]
Block 12:00 00 00 00 [0]
Block 13:00 00 00 00 [0]
Block 14:00 00 00 00 [0]
Block 15:00 00 00 00 [0]
Block 16:00 00 00 00 [0]
Block 17:00 00 00 00 [0]
Block 18:00 00 00 00 [0]
Block 19:00 00 00 00 [0]
Block 1a:00 00 00 00 [0]
Block 1b:00 00 00 00 [0]
Block 1c:00 00 00 00 [0]
Block 1d:00 00 00 00 [0]
Block 1e:00 00 00 00 [0]
Block 1f:00 00 00 00 [0]
Block 20:00 00 00 00 [0]
Block 21:00 00 00 00 [0]
Block 22:00 00 00 00 [0]
Block 23:00 00 00 00 [0]
Block 24:00 00 00 00 [0]
Block 25:00 00 00 00 [0]
Block 26:00 00 00 00 [0]
Block 27:00 00 00 00 [0]
Block 28:00 00 00 00 [0]
Block 29:00 00 00 00 [0]
Block 2a:00 00 00 00 [0]
Block 2b:00 00 00 00 [0]
proxmark3>
ULC-WRITING BLOCK 4:
proxmark3> hf mfu ucwrbl 4 11223344
--block no:04
--data: 11 22 33 44
#db# WRITE BLOCK FINISHED
isOk:01
ULC-READING BLOCK 4
proxmark3> hf mfu ucrdbl 4
--block no:04
#db# READ BLOCK FINISHED
isOk:01 data:11 22 33 44
proxmark3>
UL-WRITING BLOCK 4:
proxmark3> hf mfu uwrbl 4 44332211
--block no:04
--data: 44 33 22 11
#db# WRITE BLOCK FINISHED
isOk:01
UL-READING BLOCK 4
proxmark3> hf mfu urdbl 4
--block no:04
#db# READ BLOCK FINISHED
isOk:01 data:44 33 22 11
proxmark3>
ULC-AUTH
proxmark3> hf mfu auth k ffffffffffffff
#db# unknown command:: 0x0724
Command execute timeout
RndB:78 5e 02 5c f6 2a e0 e1
RndA:fb 43 23 d9 f8 46 7f fb
RA+B:fb 43 23 d9 f8 46 7f fb 5e 02 5c f6 2a e0 e1 78
enc(RA+B):ad 0e 38 31 9b 56 a5 dc ed af c8 e3 cc bd 6f b1
#db# unknown command:: 0x0725
Command execute timeout
proxmark3> hf mfu auth k 0000000000000000
#db# unknown command:: 0x0724
Command execute timeout
RndB:8a 57 ce 87 c9 a6 1b 31
RndA:ab 19 67 2f 1f f8 91 ba
RA+B:ab 19 67 2f 1f f8 91 ba 57 ce 87 c9 a6 1b 31 8a
enc(RA+B):14 a5 7e d5 57 9d 1b 5d 99 ff 26 29 33 d5 bd 5b
#db# unknown command:: 0x0725
Command execute timeout
CHANGE UID: (is it magic)
------------------------
proxmark3> hf mfu uwrbl 0 12345678 w
--specialblock no:00
--data: 12 34 56 78
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mfu urdbl 0
--block no:00
#db# READ BLOCK FINISHED
isOk:01 data:12 34 56 78
proxmark3>
proxmark3> hf mfu ucwrbl 0 87654321 w
--specialblock no:00
--data: 87 65 43 21
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mfu ucrdbl 0
--block no:00
#db# READ BLOCK FINISHED
isOk:01 data:87 65 43 21
proxmark3>
---------------------
proxmark3> hf mfu urdcard
Attempting to Read Ultralight...
#db# READ CARD FINISHED
isOk:01
Block 00:87 65 43 21
Block 01:00 00 00 00
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:44 33 22 11 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:00 00 00 00 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:00 00 00 00 [0]
proxmark3> hf mfu ucrdcard
Attempting to Read Ultralight C..
#db# READ CARD FINISHED
isOk:01
Block 00:87 65 43 21
Block 01:00 00 00 00
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:44 33 22 11 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:00 00 00 00 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:00 00 00 00 [0]
Block 10:00 00 00 00 [0]
Block 11:00 00 00 00 [0]
Block 12:00 00 00 00 [0]
Block 13:00 00 00 00 [0]
Block 14:00 00 00 00 [0]
Block 15:00 00 00 00 [0]
Block 16:00 00 00 00 [0]
Block 17:00 00 00 00 [0]
Block 18:00 00 00 00 [0]
Block 19:00 00 00 00 [0]
Block 1a:00 00 00 00 [0]
Block 1b:00 00 00 00 [0]
Block 1c:00 00 00 00 [0]
Block 1d:00 00 00 00 [0]
Block 1e:00 00 00 00 [0]
Block 1f:00 00 00 00 [0]
Block 20:00 00 00 00 [0]
Block 21:00 00 00 00 [0]
Block 22:00 00 00 00 [0]
Block 23:00 00 00 00 [0]
Block 24:00 00 00 00 [0]
Block 25:00 00 00 00 [0]
Block 26:00 00 00 00 [0]
Block 27:00 00 00 00 [0]
Block 28:00 00 00 00 [0]
Block 29:00 00 00 00 [0]
Block 2a:00 00 00 00 [0]
Block 2b:00 00 00 00 [0]
proxmark3>
Offline
Not very much difference between the Ultralight cmds and Ultralight-C cmds.
The auth.cmd doesn't seem to work.
I'm curious if I can read block 2d,2e,2f.. Where the des-key is located.
I will change test in cmdhfmfu.c..
Offline
Iceman can I have the link where you bought the ultralightc with changeable UID ?
EDIT:
can you also test to write blocks after 0f (ex. 15 or 22) and see if you can read them back ? After the write command try to read with single block and all card please ! I suppose your card is not an ultralightc but a simple ultralight with changeable uid.
Last edited by asper (2014-04-12 14:32:54)
Offline
I am bound to agree with you.
Offline
"tha card can simulate mifare ultralightc of some functions and timing to ensure that the use of acr122u reader, normal read and write commands, but can not guarantee, and mifare ultralightc exactly the same."
Hm, what to make from that. The card simulates UL-C...
Offline
Iceman can I have the link where you bought the ultralightc with changeable UID ?
I know where to buy the UL and UL-C UID for cheap.
The 25$ one from xfpga.com and clonemykey.com is just a rip off... Those guys are on this forum to ask questions and then sell you guys' answers for a profit.
Send me an email, I will let you know where to find those UID UL cards.
6368696e77616368696e67 @ 676d61696c .com
Last edited by app_o1 (2014-04-12 16:54:27)
Offline
Not very much difference between the Ultralight cmds and Ultralight-C cmds.
The auth.cmd doesn't seem to work.
I'm curious if I can read block 2d,2e,2f.. Where the des-key is located.
I will change test in cmdhfmfu.c..
No you can't, those blocks are write only!
The auth.cmd doesn't seem to work.
currently the code is hardcoded to 1 of 4 keys (default 3des from nfc forum), I think your key may be 00000...., you can change this in the source; and you may get a valid auth response
Looks like pentura_prox & myself have given us the basic building blocks - the rest is up to the community; unless they continue to develop, but i myself am distracted with different card types iClass,Desfire EV1,....
ULC-AUTH
proxmark3> hf mfu auth k ffffffffffffff
#db# unknown command:: 0x0724
1. you haven't flashed the proxmark with new firmware mod
2. hf mfu auth k [integer]
number 2. my bad for not making it obvious: choose between 0-3 default keys (3 being the default 3des key, 0-null, 1=010203... 2=one from the nfc forum)
Last edited by midnitesnake (2014-04-12 18:29:19)
Offline
Hm, write-only you say.
I wonder if there is a way to make the card leak out information about it.
The card itself must be able to read those blocks.
Offline
Hm, write-only you say.
I wonder if there is a way to make the card leak out information about it.
The card itself must be able to read those blocks.
So far - i have not found a way - other than decapping the chip!
Offline
Midnitesnake, indeed, I wasn't on your firmware..
proxmark3> hf mfu auth 0
#db# Can't select card, something went wrong before auth
#db# Authentication part1: Fail.
#db# AUTH 1 FINISHED
enc(RndB):00 20 00 03 0b 00 00 01
RndB:8b 87 8a 35 f2 47 72 39
RndA:2f 1c d3 3e 57 13 f2 8f
RA+B:2f 1c d3 3e 57 13 f2 8f 87 8a 35 f2 47 72 39 8b
enc(RA+B):f6 19 d2 db 90 c3 04 a9 6a 47 4c fb 15 6a 19 aa
#db# Authentication failed. Card timeout.
#db# Authentication part2: Fail...
#db# AUTH 2 FINISHED
enc(RndA'):00 20 00 01 0b 00 00 01
proxmark3>
Offline
app_o1
The 25$ one from xfpga.com and clonemykey.com is just a rip off... Those guys are on this forum to ask questions and then sell you guys' answers for a profit.
Send me an email, I will let you know where to find those UID UL cards.
Sorry, I'm not associated with either xfpga or clonemykey. However I can tell you and Asper, that I got my supposed "UL-C magic" via a contact in china, who knew someone on the it-department, who bought them somewhere only god knows. The first times I searched for UL-C magic ones, I found some ads on Alibaba but they were not serious. So, right now I'm very curious about if the ones I got are what they claim to be.
Offline
midnitesnake,
with your FW, I can't select a UL-card anymore.
hf 14a reader fails...
Offline
that's odd.. didn't touch that part of the code. With the firmware I just added two new calls 0x724 0x725 auth_part1 and auth_part2 as I need to pass the variables up to the client. and a third procedure that puts the bytes of these calls in the right order.
Even odder, is that it works fine in linux, and osx - even the hf 14a reader and hf 14a list which I was using to debug the card and card traces?
Maybe it's to do with your Chinese UID changeable cards?
Last edited by midnitesnake (2014-04-12 20:02:17)
Offline
It's what Asper has been saying all along, that there is no such thing as a "magic" UL-C card..
And the translation hints that the card simulates a UL-C card. Which makes me think that it is similar to Mifare classic s50 generation 1 magic cards. The Gen-1 uses a special cmd (byte) for changing the UID... It might complay the same to the card I got.
What do you think?
Is there someone on the forum that heard of it before?
Offline
Thanks to Asper, some bugs have been detected and fixed within ucrdcard. Affected Branch has been updated.
Double checked the hf 14a reader issue ; command works fine with both my ultralight and ultralight C cards.
Offline
Heureka!
I found the problem with the hf 14a reader - Turns out that the codebase you use, Midnitesnake, for your tests was the old version of FPGA code where the timings (sniff problem?) were way off.
After a successful merge between the unstable-codebase and your changes, it works like a charm..
-------------
proxmark3> hf mfu ucwrbl 22 feeddeef
--block no:16
--data: fe ed de ef
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mfu ucrdcard
Attempting to Read Ultralight C...
#db# Pages 44
#db# Pages read 44
#db# READ CARD FINISHED
isOk:01
Block 00:87 65 43 21
Block 01:00 00 00 00
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:44 33 22 11 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:11 22 33 44 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:11 22 33 44 [0]
Block 10:00 00 00 00 [0]
Block 11:00 00 00 00 [0]
Block 12:00 00 00 00 [0]
Block 13:00 00 00 00 [0]
Block 14:00 00 00 00 [0]
Block 15:00 00 00 00 [0]
Block 16:fe ed de ef [0]
Block 17:00 00 00 00 [0]
Block 18:00 00 00 00 [0]
Block 19:00 00 00 00 [0]
Block 1a:11 22 33 44 [0]
Block 1b:00 00 00 00 [0]
Block 1c:00 00 00 00 [0]
Block 1d:00 00 00 00 [0]
Block 1e:00 00 00 00 [0]
Block 1f:00 00 00 00 [0]
Block 20:00 00 00 00 [0]
Block 21:00 00 00 00 [0]
Block 22:00 00 00 00 [0]
Block 23:00 00 00 00 [0]
Block 24:00 00 00 00 [0]
Block 25:00 00 00 00 [0]
Block 26:00 00 00 00 [0]
Block 27:00 00 00 00 [0]
Block 28:00 00 00 00 [0]
Block 29:00 00 00 00 [0]
Block 2a:00 00 00 00 [0]
Block 2b:00 00 00 00 [0]
proxmark3> hf mfu ucwrbl 40 feeddeef
--block no:28
--data: fe ed de ef
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mfu ucrdcard
Attempting to Read Ultralight C...
#db# Pages 44
#db# Pages read 44
#db# READ CARD FINISHED
isOk:01
Block 00:87 65 43 21
Block 01:00 00 00 00
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:44 33 22 11 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:11 22 33 44 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:11 22 33 44 [0]
Block 10:00 00 00 00 [1]
Block 11:00 00 00 00 [1]
Block 12:00 00 00 00 [1]
Block 13:00 00 00 00 [1]
Block 14:00 00 00 00 [1]
Block 15:00 00 00 00 [1]
Block 16:fe ed de ef [1]
Block 17:00 00 00 00 [1]
Block 18:00 00 00 00 [1]
Block 19:00 00 00 00 [1]
Block 1a:11 22 33 44 [1]
Block 1b:00 00 00 00 [1]
Block 1c:00 00 00 00 [0]
Block 1d:00 00 00 00 [0]
Block 1e:00 00 00 00 [0]
Block 1f:00 00 00 00 [0]
Block 20:00 00 00 00 [1]
Block 21:00 00 00 00 [1]
Block 22:00 00 00 00 [1]
Block 23:00 00 00 00 [1]
Block 24:00 00 00 00 [1]
Block 25:00 00 00 00 [1]
Block 26:00 00 00 00 [1]
Block 27:00 00 00 00 [1]
Block 28:fe ed de ef [1]
Block 29:00 00 00 00 [0]
Block 2a:00 00 00 00 [1]
Block 2b:00 00 00 00 [1]
proxmark3> hf mfu ucwrbl 0 feeddeef
Access Denied
proxmark3> hf mfu ucwrbl
Usage: hf mfu ucwrbl <block number> <block data (8 hex symbols)> [w]
sample: hf mfu uwrbl 0 01020304
proxmark3> hf mfu
help This help
dbg Set default debug mode
urdbl Read MIFARE Ultralight block
urdcard Read MIFARE Ultralight Card
udump Dump MIFARE Ultralight tag to binary file
uwrbl Write MIFARE Ultralight block
ucrdbl Read MIFARE Ultralight C block
ucrdcard Read MIFARE Ultralight C Card
ucdump Dump MIFARE Ultralight C tag to binary file
ucwrbl Write MIFARE Ultralight C block
auth Ultralight C Authentication
proxmark3>
Offline
Hf Mf Auth - works:
proxmark3> hf mfu auth k 0
#db# Auth1 Resp: af89b07b35a1b3f47e6c4c
#db# AUTH 1 FINISHED
enc(RndB):89 b0 7b 35 a1 b3 f4 7e
RndB:11 11 11 11 11 11 11 11
RndA:25 73 20 6e 89 75 16 51
RA+B:25 73 20 6e 89 75 16 51 11 11 11 11 11 11 11 11
enc(RA+B):23 38 07 e3 9b 99 91 fc ec aa 4b 11 1b 24 3d d3
#db# Auth2 Resp: 00207a422b269b454c3d
#db# AUTH 2 FINISHED
enc(RndA'):20 7a 42 2b 26 9b 45 4c
proxmark3>
Interesting, when I used old code (semi-working) I actually managed to change uid to 87654321...
But now with the working new code, it doesn't work anymore
Offline
Can confirm now that the cards I have is Magic...
proxmark3> hf mfu uwrbl 0 01010101 w
--specialblock no:00
--data: 01 01 01 01
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mfu ucwrbl 42 0102030
--block no:2a
--data: 01 02 03 04
#db# WRITE BLOCK FINISHED
isOk:01
proxmark3> hf mfu ucrdcard
Attempting to Read Ultralight C...
#db# Pages 44
#db# Pages read 44
#db# READ CARD FINISHED
isOk:01
Block 00:01 01 01 01
Block 01:00 00 00 00
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:00 00 00 00 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:00 00 00 00 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:00 00 00 00 [0]
Block 10:00 00 00 00 [0]
Block 11:00 00 00 00 [0]
Block 12:00 00 00 00 [0]
Block 13:00 00 00 00 [0]
Block 14:00 00 00 00 [0]
Block 15:00 00 00 00 [0]
Block 16:00 00 00 00 [0]
Block 17:00 00 00 00 [0]
Block 18:00 00 00 00 [0]
Block 19:00 00 00 00 [0]
Block 1a:00 00 00 00 [0]
Block 1b:00 00 00 00 [0]
Block 1c:00 00 00 00 [0]
Block 1d:00 00 00 00 [0]
Block 1e:00 00 00 00 [0]
Block 1f:00 00 00 00 [0]
Block 20:00 00 00 00 [0]
Block 21:00 00 00 00 [0]
Block 22:00 00 00 00 [0]
Block 23:00 00 00 00 [0]
Block 24:00 00 00 00 [0]
Block 25:00 00 00 00 [0]
Block 26:00 00 00 00 [0]
Block 27:00 00 00 00 [0]
Block 28:00 00 00 00 [0]
Block 29:00 00 00 00 [0]
Block 2a:01 02 03 04 [0]
Block 2b:00 00 00 00 [0]
proxmark3>
-----------------------
To Answer Asper's questions:
1. Can write to block > 16 . See block 2a.
2. Can change UID. See block 0
3. Is UL-C with successful Hf Mf Auth - see previous post.
Cool!
Offline
Good!
Offline
Great Guys! We make a Good Team!
Offline
hi
could you implement this code for desfire card with 3DES ???
Offline
Trying... Have completed a simple authentication for DES in Desfire v0.6 + have a PoC for EV1; but my EV1 card is empty and currently also defaults to DES, it's just getting time, extra support to help code the ISO-7816-4 commands for accessing the file structure
Last edited by pentura_prox (2014-05-02 15:31:06)
Offline
if you need the full datasheet for desfire write me an email.
my email is my forum nickname @ gmail.com
you could reduce the attack to desfire card (3des): if you read the key number you could guess if it is an even or odd key; this reduces the possible keys to half
Offline
if you give a copy of the datasheet for desfire, I will try to give you a hand with an implementation.
However I'm having a slight problem with the different codebases from pentura_prox, midnitesnake & holiman...
Offline
Hey, I'd be happy to take a look as well, please send me the datasheets: martin at the domain swende dot se.
@iceman: What different codebases? Are you using different git branches or are you doing local cut'n'pastes?
Offline