Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I just read
https://www.defcon.org/images/defcon-21 … pdated.pdf
and was thinking if it would be kind of fun to have bit-fiddling UL functions.
But then, I've seen very many ultralight implementations at all, for it to be interesting.
Offline
Latest progress? With a new release imminent at Black Hat.
https://bughardy.me/you-found-wonkas-golden-ticket/
Should be suitable using lua-script.. hm...
Offline
Those "vulnerabilities" (better: "bad implementations") have been known for 1 year (almost) and yeah, with a lua script you can add it to pm3 in an easy way.
Offline
One of these days I will learn to spellcheck/proofread before posting...
"I've NOT seen very many.."
When it comes to making a script, it is always easier when you have an actual target implementation to focus upon.
I.e.: OTP is used, how about trying to lock that block? I wonder if my UL magic cards don't honour the lock bits (so I don't freeze a card forever)...
Offline
Does someone have any dumps from the mentioned cards used? And are they willing to share them?
Offline
Hello to everyone, this is my dump of a virgin UL of a bus ticket.
proxmark3> hf mf urdcard
Attempting to Read Ultralight...
#db# Cmd Error: 00
#db# Read block 0 error
#db# READ CARD FINISHED
isOk:01
Block 0:0a ee 44 82
Block 1:dd 84 b7 95
Block 3:f9 18 53 65 [1]
Block 4:59 8a c4 ab [0]
Block 5:c6 3a fb 34 [0]
Block 6:ac 7f 14 92 [0]
Block 7:d1 a1 ed 5d [1]
Block 8:2a 8e 8e ab [0]
Block 9:46 23 78 50 [1]
Block 10:00 00 fb ff [1]
Block 11:81 80 00 00 [1]
Block 12:50 00 20 00 [0]
Block 13:01 0b 00 00 [0]
Block 14:01 00 00 00 [0]
Block 15:00 02 00 00 [0]
Block 2 is not visible, do not know the reason
Offline
you know why it is hidden?
Offline
If you are using the compile-environment and are compiling it yourself, you can debug where the read fails on device-side. If I remember it right, there were up to 4 different reasons for a read to fail in the code.
Offline
I use proxmark3 on client windows pm007
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 839 2013-12-05 07:11:23
#db# os: svn 852 2014-04-01 19:42:32
#db# FPGA image built on 2014/03/21 at 19:45:15
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Now I see all blocks, but at each reading some data changes and I cannot write a block
proxmark3> hf mfu wrbl 15 01010101
--block no:0f
--data: 01 01 01 01
#db# Cmd Addr Error: 00
#db# Write block error
#db# WRITE BLOCK FINISHED
isOk:00
Offline
Your proxmark is running very dated firmware. You need to flash bootrom, FPGA, and os.
Offline
OK, I have flashed
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2015-01-31 07:13:30
#db# os: /-suspect 2015-01-31 07:13:36
#db# HF FPGA image built on 2015/01/15 at 12:19:06
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
but now:
proxmark3> hf mfu dump
Dumping Ultralight Card Data...
#db# Pages 16
#db# Cmd Error: 00
#db# Read block 0 error
Command execute timeout
help me, please
Offline
If I try with a magic Ultralight, this works well
proxmark3> hf mfu dump
Dumping Ultralight Card Data...
#db# Pages 16
#db# Pages read 16
Block 00:00 00 00 00
Block 01:77 77 77 77
Block 02:00 00 00 00
Block 03:00 00 00 00 [0]
Block 04:00 00 00 00 [0]
Block 05:00 00 00 00 [0]
Block 06:00 00 00 00 [0]
Block 07:00 00 00 00 [0]
Block 08:00 00 00 00 [0]
Block 09:00 00 00 00 [0]
Block 0a:00 00 00 00 [0]
Block 0b:00 00 00 00 [0]
Block 0c:00 00 00 00 [0]
Block 0d:00 00 00 00 [0]
Block 0e:00 00 00 00 [0]
Block 0f:00 00 00 00 [0]
Dumped 16 pages, wrote 64 bytes to 00000077777777.bin
Offline
If I remember correctly, the cmd error 0x00 means "can't select the tag". Try holding the tag differently over the antenna.
Offline
But if I send:
proxmark3> hf 14a read
ATQA : 00 44
UID : 04 57 b6 e2 05 3f 80
SAK : 00 [2]
MANUFACTURER : NXP Semiconductors Germany
TYPE : NXP MIFARE Ultralight | Ultralight C
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
so, antenna is good ...
Offline
It's not about the antenna.. it's about how to place the tag.
But if the "hf 14a read" works, then you should be able to "hf mfu dump", with another error code than 0x00.
Offline
I begin to think that it is a new MIFARE Ultralight EV1 with a 32-bit password
http://www.nxp.com/documents/leaflet/MIFARE_Ultralight_EV1_v21.pdf
Offline
have you tried different default passwords?
Offline
How can I do that? What commands do I have to send to the card for the passwords?
Offline
you can always test the..."hf mfu cauth" command..
most of the commands implement the 'h' help parameter
Offline
OK, it is a MF0UL11 because if I send raw command 60h I receive:
received 10 octets
00 04 03 01 01 00 0B 03 FD F7
So, from the datasheet it is a MIFARE Ultralight EV1
Offline
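The GET_VERSION (60h) check from the post above, as an added example that is not part of the thread and is not Proxmark3 code: it verifies the CRC_A on the received octets and decodes the eight version bytes. The field meanings and the MF0UL11/MF0UL21 storage codes follow NXP's MF0ULx1 datasheet; the function and table names are made up for this example.

```python
def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# Lookup tables (hypothetical names), values from the MF0ULx1 datasheet.
VENDORS = {0x04: "NXP Semiconductors"}
PRODUCT_TYPES = {0x03: "MIFARE Ultralight"}
SUBTYPES = {0x01: "17 pF", 0x02: "50 pF"}
EV1_PARTS = {0x0B: "MF0UL11", 0x0E: "MF0UL21"}

def storage_range(code: int) -> tuple:
    """Upper 7 bits give n; LSB set means 'between 2^n and 2^(n+1)' bytes."""
    low = 1 << (code >> 1)
    return (low, low * 2) if code & 1 else (low, low)

def parse_get_version(hex_dump: str) -> dict:
    raw = bytes.fromhex(hex_dump)
    if len(raw) not in (8, 10):
        raise ValueError("expected 8 version bytes, optionally followed by 2 CRC bytes")
    body = raw[:8]
    if body[0] != 0x00:
        raise ValueError("fixed header byte is not 00h")
    # CRC is only checkable when the reader passed the two trailing bytes through.
    crc_ok = (crc_a(body) == raw[8:]) if len(raw) == 10 else None
    is_ul_ev1 = body[2] == 0x03 and body[4] == 0x01
    return {
        "vendor": VENDORS.get(body[1], "unknown (%02Xh)" % body[1]),
        "product": PRODUCT_TYPES.get(body[2], "unknown (%02Xh)" % body[2]),
        "subtype": SUBTYPES.get(body[3], "unknown (%02Xh)" % body[3]),
        "version": "%d.%d" % (body[4], body[5]),
        "storage_bytes": storage_range(body[6]),
        "part": EV1_PARTS.get(body[6], "unknown") if is_ul_ev1 else "not UL EV1",
        "protocol": body[7],
        "crc_ok": crc_ok,
    }

if __name__ == "__main__":
    # The 10 octets quoted in the post above.
    for key, value in parse_get_version("00 04 03 01 01 00 0B 03 FD F7").items():
        print("%-14s %s" % (key, value))
```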
Can I sniff the password with the proxmark?
Offline
Don't know how the password is transferred for the UL EV1. But if it is DES/3DES/AES, then normally no. That kind of password is never transferred over the RFID. It's based on the notion of a shared secret.
Offline