Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Ultralight Ev1:
Two versions of Ev-1 exist: A) MF0UL11, B) MF0UL21. They differ in available memory size.
You can read the blocks, A has 0x13 blocks and B has 0x28 blocks, with the "hf mfu rdbl" command.
The Ultralight-Ev1 has an expanded command set compared to its brothers UL / UL-C.
It's easy to run some commands against the tag.
GET_VERSION
pm3 --> hf 14a raw -s -c 60
received 7 octets
04 B7 80 9A F8 38 80
received 10 octets
00 04 03 01 01 00 0B 03 FD F7
PWD_AUTH
pm3 --> hf 14a raw -s -c 1b ff ff ff ff
received 7 octets
04 B7 80 9A F8 38 80 --<UID
received 4 octets
00 00 A0 1E --<PACK ok
AUTHENTICATE & FAST READ all user memory on EV1 tag.
hf 14a raw -p -s -c 1bxxxxxxxx
hf 14a raw -c 3a040f
It's gonna be easy to add this tag to the current codebase.
Last edited by iceman (2015-05-25 10:20:28)
Offline
"ff ff ff ff" is default psw?
Offline
Could be a factory default "0xff 0xff 0xff 0xff", for the tag I tested that was the case.
Offline
If I send
proxmark3> hf 14a raw -c -p -s 1b ff ff ff ff
received 7 octets
00 04 03 01 01 00 0B
received 0 octets
Offline
Try sending it without "-p".
Offline
proxmark3> hf 14a raw -c -s 1b ff ff ff ff
received 7 octets
04 57 B6 E2 05 3F 80
received 0 octets
proxmark3>
Offline
password is wrong, right?
Offline
Yes, try some other default pwds?
Offline
what are the default passwords?
Offline
One default pwd from factory is all zeros.
Another one, like the one I tested above, is all 0xff's.
Use your imagination to test maybe all 0x01, or 0x40, 0x41, 0x42, 0x43.
The simplest pwd's to come up with.
Offline
I tried the more 'simple' passwords and they do not work. I would not want to block the card if AUTHLIM is enabled, for the max number of unsuccessful
Offline
Then you are out of luck. Can you sniff the traffic between tag and reader?
Offline
I should be able to bring the PC with me to sniff; I cannot do it without a PC. However, I bought a HydraBus, which I must get from China. It will come in a month.
Offline
Or hook the pm3 up to an Android (rooted?). Asper has a distro for it.
Or hook it up to a laptop?
Offline
I have a 7 inch mini laptop, and a rooted Samsung S2.
I might try.
Offline
Go for it! Wardriving-nfc
Offline
OK, I have a sniff:
proxmark3> hf 14a snoop
proxmark3>
proxmark3> #db# cancelled by button
proxmark3> #db# COMMAND FINISHED
proxmark3> #db# maxDataLen=5, Uart.state=0, Uart.len=0
proxmark3> #db# traceLen=1929, Uart.output[0]=00000095
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC
-----------|-----------|-----|-----------------------------------------------------------------------
0 | 1056 | Rdr | 26 |
2244 | 4612 | Tag | 44 00 |
14192 | 16656 | Rdr | 93 20 |
17844 | 23732 | Tag | 88 04 57 b6 6d |
34000 | 44528 | Rdr | 93 70 88 04 57 b6 6d be a2 |
45716 | 49236 | Tag | 04 da 17 |
59248 | 61712 | Rdr | 95 20 |
62900 | 68788 | Tag | e2 05 3f 80 58 |
79056 | 89584 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
90772 | 94356 | Tag | 00 fe 51 |
232944 | 241104 | Rdr | 1b 4a f8 4b 19 9b 5c |
242356 | 247092 | Tag | e5 be 74 d5 |
373552 | 379472 | Rdr | 3a 02 03 eb 51 |
382324 | 393908 | Tag | 58 48 70 00 00 00 00 00 e4 9a |
488480 | 494336 | Rdr | 3a 04 0f 57 cf |
497252 | 554916 | Tag | 14 9b b9 67 b5 b0 45 71 d5 27 4a fe 17 b8 3f ba |
| | | 39 ac 94 48 cb 12 66 22 42 95 d9 e2 45 28 04 d9 |
| | | cf 86 83 01 7d 33 a3 dc 13 fb bc 39 50 b6 da 67 |
| | | 3c 44 |
759632 | 764400 | Rdr | 39 00 1a 7f |
765588 | 771412 | Tag | 04 00 00 75 c6 |
893808 | 898576 | Rdr | 39 01 93 6e |
899764 | 905588 | Tag | 04 00 00 75 c6 |
1045664 | 1054976 | Rdr | a2 0c 1d 96 74 46 0f 6f |
1110628 | 1111204 | Tag | 0a! |
1301968 | 1311280 | Rdr | a2 0d 3a d7 d2 8a dc 17 |
1366932 | 1367508 | Tag | 0a! |
1577984 | 1587360 | Rdr | a2 0e 90 dd 9e 31 67 e3 |
1642964 | 1643540 | Tag | 0a! |
1850864 | 1860240 | Rdr | a2 0f e3 03 7c 06 aa 97 |
1915828 | 1916404 | Tag | 0a! |
2123200 | 2127968 | Rdr | 39 00 1a 7f |
2129156 | 2134980 | Tag | 04 00 00 75 c6 |
2145856 | 2155232 | Rdr | a5 00 01 00 00 00 4d bf |
2210820 | 2211396 | Tag | 0a! |
2353744 | 2358512 | Rdr | 39 00 1a 7f |
2359700 | 2365524 | Tag | 05 00 00 a9 9c |
2529072 | 2533840 | Rdr | 39 01 93 6e |
2535028 | 2540852 | Tag | 04 00 00 75 c6 |
2551744 | 2561056 | Rdr | a5 01 01 00 00 00 09 b4 |
2616708 | 2617284 | Tag | 0a! |
2760560 | 2765328 | Rdr | 39 01 93 6e |
2766516 | 2772340 | Tag | 05 00 00 a9 9c |
7729248 | 7730304 | Rdr | 26 |
7731476 | 7733844 | Tag | 44 00 |
7743504 | 7745968 | Rdr | 93 20 |
7747140 | 7753028 | Tag | 88 04 57 b6 6d |
7763312 | 7773840 | Rdr | 93 70 88 04 57 b6 6d be a2 |
7775012 | 7778532 | Tag | 04 da 17 |
7788544 | 7791008 | Rdr | 95 20 |
7792180 | 7798068 | Tag | e2 05 3f 80 58 |
7808336 | 7818864 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
7820036 | 7823620 | Tag | 00 fe 51 |
11620992 | 11622048 | Rdr | 26 |
11623220 | 11625588 | Tag | 44 00 |
11635200 | 11637664 | Rdr | 93 20 |
11638852 | 11644740 | Tag | 88 04 57 b6 6d |
11655008 | 11665536 | Rdr | 93 70 88 04 57 b6 6d be a2 |
11666708 | 11670228 | Tag | 04 da 17 |
11680256 | 11682720 | Rdr | 95 20 |
11683908 | 11689796 | Tag | e2 05 3f 80 58 |
11700048 | 11710576 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
11711748 | 11715332 | Tag | 00 fe 51 |
15553408 | 15554464 | Rdr | 26 |
15555652 | 15558020 | Tag | 44 00 |
15567600 | 15570064 | Rdr | 93 20 |
15571252 | 15577140 | Tag | 88 04 57 b6 6d |
15587424 | 15597952 | Rdr | 93 70 88 04 57 b6 6d be a2 |
15599140 | 15602660 | Tag | 04 da 17 |
15612656 | 15615120 | Rdr | 95 20 |
15616308 | 15622196 | Tag | e2 05 3f 80 58 |
15632464 | 15642992 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
15644180 | 15647764 | Tag | 00 fe 51 |
19485840 | 19486896 | Rdr | 26 |
19488068 | 19490436 | Tag | 44 00 |
19500032 | 19502496 | Rdr | 93 20 |
19503668 | 19509556 | Tag | 88 04 57 b6 6d |
19519840 | 19530368 | Rdr | 93 70 88 04 57 b6 6d be a2 |
19531540 | 19535060 | Tag | 04 da 17 |
19545104 | 19547568 | Rdr | 95 20 |
19548740 | 19554628 | Tag | e2 05 3f 80 58 |
19564944 | 19575472 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
19576644 | 19580228 | Tag | 00 fe 51 |
23418272 | 23419328 | Rdr | 26 |
23420500 | 23422868 | Tag | 44 00 |
23432464 | 23434928 | Rdr | 93 20 |
23436100 | 23441988 | Tag | 88 04 57 b6 6d |
23452288 | 23462816 | Rdr | 93 70 88 04 57 b6 6d be a2 |
23463988 | 23467508 | Tag | 04 da 17 |
23477520 | 23479984 | Rdr | 95 20 |
23481156 | 23487044 | Tag | e2 05 3f 80 58 |
23497328 | 23507856 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
23509028 | 23512612 | Tag | 00 fe 51 |
27364256 | 27365312 | Rdr | 26 |
27366484 | 27368852 | Tag | 44 00 |
27378448 | 27380912 | Rdr | 93 20 |
27382084 | 27387972 | Tag | 88 04 57 b6 6d |
27398272 | 27408800 | Rdr | 93 70 88 04 57 b6 6d be a2 |
27409972 | 27413492 | Tag | 04 da 17 |
27423536 | 27426000 | Rdr | 95 20 |
27427172 | 27433060 | Tag | e2 05 3f 80 58 |
27443344 | 27453872 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
27455044 | 27458628 | Tag | 00 fe 51 |
31283120 | 31284176 | Rdr | 26 |
31285348 | 31287716 | Tag | 44 00 |
31297312 | 31299776 | Rdr | 93 20 |
31300948 | 31306836 | Tag | 88 04 57 b6 6d |
31317120 | 31327648 | Rdr | 93 70 88 04 57 b6 6d be a2 |
31328820 | 31332340 | Tag | 04 da 17 |
31342368 | 31344832 | Rdr | 95 20 |
31346004 | 31351892 | Tag | e2 05 3f 80 58 |
31362176 | 31372704 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
31373876 | 31377460 | Tag | 00 fe 51 |
35215552 | 35216608 | Rdr | 26 |
35217780 | 35220148 | Tag | 44 00 |
35229744 | 35232208 | Rdr | 93 20 |
35233380 | 35239268 | Tag | 88 04 57 b6 6d |
35249552 | 35260080 | Rdr | 93 70 88 04 57 b6 6d be a2 |
35261252 | 35264772 | Tag | 04 da 17 |
35274800 | 35277264 | Rdr | 95 20 |
35278436 | 35284324 | Tag | e2 05 3f 80 58 |
35294624 | 35305152 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
35306324 | 35309908 | Tag | 00 fe 51 |
39175088 | 39176144 | Rdr | 26 |
39177316 | 39179684 | Tag | 44 00 |
39189296 | 39191760 | Rdr | 93 20 |
39192932 | 39198820 | Tag | 88 04 57 b6 6d |
39209104 | 39219632 | Rdr | 93 70 88 04 57 b6 6d be a2 |
39220804 | 39224324 | Tag | 04 da 17 |
39234352 | 39236816 | Rdr | 95 20 |
39237988 | 39243876 | Tag | e2 05 3f 80 58 |
39254176 | 39264704 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
39265876 | 39269460 | Tag | 00 fe 51 |
43066848 | 43067904 | Rdr | 26 |
43069076 | 43071444 | Tag | 44 00 |
43081040 | 43083504 | Rdr | 93 20 |
43084676 | 43090564 | Tag | 88 04 57 b6 6d |
43100848 | 43111376 | Rdr | 93 70 88 04 57 b6 6d be a2 |
43112548 | 43116068 | Tag | 04 da 17 |
43126112 | 43128576 | Rdr | 95 20 |
43129748 | 43135636 | Tag | e2 05 3f 80 58 |
43145936 | 43156464 | Rdr | 95 70 e2 05 3f 80 58 00 4c |
43157652 | 43161236 | Tag | 00 fe 51 |
I consumed a ticket ... but where is the psw?
Offline
232944 | 241104 | Rdr | 1b 4a f8 4b 19 9b 5c |
242356 | 247092 | Tag | e5 be 74 d5 |
373552 | 379472 | Rdr | 3a 02 03 eb 51 |
382324 | 393908 | Tag | 58 48 70 00 00 00 00 00 e4 9a |
488480 | 494336 | Rdr | 3a 04 0f 57 cf |
Not knowing the UL-Ev1 commands fully, but... the 0x1b is the Auth request
Let's see:
0x1b auth
0x4a 0xf8 0x4b 0x19 PWD (from reader)
0xe5 0xbe PACK
Offline
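The decode in the post above reads the sniffed frames by hand. As an added example (not code from the thread or from the Proxmark project), the Python below does the same job mechanically: it walks an "hf 14a list" dump, names each reader command byte from the ISO 14443-3 / MF0ULx1 command set, verifies the CRC_A trailer, and pulls out the fields that matter. The security point it makes visible is that the EV1 PWD_AUTH (0x1B) frame carries the 4-byte password unencrypted, so any passive listener in range of a legitimate transaction learns it; PWD_AUTH protects against nothing more than a reader that never saw a real transaction. The sample trace is an excerpt of the dump posted above; the command-name table is my own assumption about which commands appear there.

```python
import re

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (Annex B): preset 0x6363, LSB transmitted first."""
    crc = 0x6363
    for byte in data:
        b = (byte ^ crc) & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# Reader command bytes seen in the thread's trace (assumed names from the
# ISO 14443-3 / MF0ULx1 command set). REQA/WUPA are short frames without CRC.
COMMANDS = {
    0x26: "REQA", 0x52: "WUPA", 0x50: "HLTA",
    0x60: "GET_VERSION", 0x30: "READ", 0x3A: "FAST_READ",
    0xA2: "WRITE", 0x39: "READ_CNT", 0xA5: "INCR_CNT", 0x1B: "PWD_AUTH",
}
NO_CRC = {0x26, 0x52}

def annotate_reader_frame(hexstr: str) -> dict:
    """Name a reader->tag frame, verify its CRC_A and extract the interesting fields."""
    frame = bytes.fromhex(hexstr.replace("!", "").replace(" ", ""))
    cmd = frame[0]
    if cmd in (0x93, 0x95):                     # cascade level 1 / 2
        level = 1 if cmd == 0x93 else 2
        if frame[1] == 0x70:
            name, has_crc = f"SELECT CL{level}", True
        else:
            name, has_crc = f"ANTICOLLISION CL{level}", False
    else:
        name = COMMANDS.get(cmd, f"UNKNOWN_{cmd:02x}")
        has_crc = cmd not in NO_CRC
    info = {"cmd": name, "crc_ok": None, "detail": ""}
    payload = frame
    if has_crc:
        payload, crc = frame[:-2], frame[-2:]
        info["crc_ok"] = crc_a(payload) == crc
    if cmd == 0x1B and len(payload) == 5:
        # The EV1 password goes over the air unencrypted: a sniffer sees it as-is.
        info["detail"] = f"password {payload[1:].hex()} sent in cleartext"
    elif cmd == 0x3A and len(payload) == 3:
        info["detail"] = f"pages 0x{payload[1]:02x}-0x{payload[2]:02x}"
    elif cmd == 0xA2 and len(payload) == 6:
        info["detail"] = f"page 0x{payload[1]:02x} <- {payload[2:].hex()}"
    elif cmd in (0x39, 0xA5) and len(payload) >= 2:
        info["detail"] = f"counter {payload[1]}"
    return info

TRACE_LINE = re.compile(
    r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*([0-9a-fA-F! ]+?)\s*\|")

def annotate_trace(text: str) -> list:
    """Walk an 'hf 14a list' dump and annotate every reader frame in it."""
    out = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if not m:
            continue
        src, data = m.group(3), m.group(4).strip()
        if src == "Rdr":
            info = annotate_reader_frame(data)
            out.append((src, data, info["cmd"], info["crc_ok"], info["detail"]))
        else:
            out.append((src, data, "", None, ""))
    return out

# Excerpt of the trace posted above (bus reader <-> ticket), used as sample input.
SAMPLE = """
      0 |      1056 | Rdr | 26                               |
   2244 |      4612 | Tag | 44 00                            |
  34000 |     44528 | Rdr | 93 70 88 04 57 b6 6d be a2       |
 232944 |    241104 | Rdr | 1b 4a f8 4b 19 9b 5c             |
 242356 |    247092 | Tag | e5 be 74 d5                      |
 488480 |    494336 | Rdr | 3a 04 0f 57 cf                   |
1045664 |   1054976 | Rdr | a2 0c 1d 96 74 46 0f 6f          |
1110628 |   1111204 | Tag | 0a!                              |
"""

if __name__ == "__main__":
    for src, data, cmd, ok, detail in annotate_trace(SAMPLE):
        flag = "" if ok is None else (" crc ok" if ok else " CRC ERROR")
        print(f"{src} {data:<28} {cmd}{flag} {detail}")
```

Run it on a full "hf 14a list" dump saved to a file and every PWD_AUTH frame is flagged together with its password, which is exactly what the post above worked out by eye. A frame whose CRC does not verify was corrupted in the capture and should not be trusted for the recovered bytes.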
yesssss... you are the best
proxmark3> hf 14a raw -c -p -s 1b 4a f8 4b 19
received 7 octets
04 57 B6 E2 05 3F 80
received 4 octets
E5 BE 74 D5
proxmark3>
Offline
No, you are the best. You got the sniffed traffic; without it you wouldn't be able to get the pwd.
Can you send me a mail? (I've some questions)
Offline
I don't see your email. Is it hidden?
Offline
I pushed a fix for the "HF 14A READ" command, to enable it to identify UL / UL-C / UL EV1 tags.
One of these days I will add support for the extended commands in EV1..
Offline
thanks
Offline
How to:
Authenticate and read all user memory on EV1 tag.
hf 14a raw -p -s -c 1bxxxxxxxx
hf 14a raw -c 3a040f
Offline
Two lines derived from two Ev1 used at the usual time of the usual day (today):
UID 04 57 B6 6D E2 05 3F 80 58
c6 5e 91 0c 52 11 15 ef 24 45 80 27 8a 05 44 da 28/4/2015 9:47am bus nr: 3714
UID 04 BD 25 14 E2 05 3F 80 58
7d d3 58 f1 97 c6 cc b7 62 63 90 7f 2c 4e ad 2a 28/4/15 9:47am bus nr: 3714
Have you any idea how date and time are encrypted?
Offline
You need to figure out the transportation system, which it is and if there is some datasheet/manuals to read about it.
Offline
hard to find this
Offline
Who said it's gonna be easy?
Offline
Tomorrow I try the same ticket, same bus, 90 minutes of difference.
Offline
Hello everyone!
Been playing around some with Nintendo's amiibos and have been able to make some progress. I snooped the communication between a 3DS and an amiibo, and following iceman's suggestions earlier in this post I was able to:
proxmark3> hf 14a raw -c -p -s 1b 05 22 e6 b4
received 7 octets
04 DD 16 72 61 3E 80
received 4 octets
80 80 64 16
These, however have 192 bytes of data (48 blocks). Does that mean they are ultralight-c?
Offline
I hope you do know that you are posting in a Ultralight-EV1 thread, where you ran a specific Ultralight-EV1 command.
You seem to have a valid Ultralight-EV1 password, and you got a PACK answer back.
In my world that means that you have an Ultralight-EV1 tag.
If you read the first post in this thread, you can run the GET_VERSION command to see some information about the tag, like the size. And since you have the password, you can read all memory from the tag as well.
Last edited by iceman (2015-05-03 10:17:32)
Offline
Thanks iceman!
I wasn't sure if those were EV1 specific commands. Also I am able to read up to 48 blocks (0x30) using the "hf mfu crdbl" command. But you mentioned there are two types of tags, (A) which has 0x13 blocks and (B) which has 0x28 blocks. Why the discrepancy?
Here's the output of my tags GET_VERSION, and PWD_AUTH, AUTH + FAST_READ:
proxmark3> hf 14a raw -s -c 60
received 7 octets
04 1A 9B 82 C2 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E
proxmark3> hf 14a raw -p -s -c 1b02e1ee36
received 7 octets
04 D2 57 7A E3 3E 80
received 4 octets
80 80 64 16
proxmark3> hf 14a raw -c 3a040f
received 50 octets
A5 E2 B5 00 39 20 0F BD BF 5A D0 3C 67 ED 42 5A B9 97 F1 71 1C BA B5 6D AE C6 BE EF 4A 13 55 70 54 C4 DF 61 A5 F9 EF 91 00 5B 1E C0 61 58 4A BE C8 53
proxmark3>
I'm going to do some research on EV1, and get up to speed with the proxmark3, since I haven't done much hacking with it despite owning one for over 3 years now. I'd like to get it to simulate an EV1 card. If I can help any other efforts to get support for the ev1 in the proxmark3, let me know!
Thanks for the help!
Offline
According to this NXP data sheet http://www.nxp.com/documents/data_sheet/MF0ULX1.pdf on the EV1 and my tag's reply to the GET_VERSION command, my tag's memory size is between 256 and 512 bytes.
proxmark3> hf 14a raw -s -c 60
received 7 octets
04 1A 9B 82 C2 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E
The most significant 7 bits of the storage size byte are interpreted as an unsigned integer value n. As a result, it codes the total available user memory size as 2^n. If the least significant bit is 0b, the user memory size is exactly 2^n. If the least significant bit is 1b, the user memory size is between 2^n and 2^(n+1).
The user memory for the MF0UL11 is 48 bytes. This memory size is between 32d bytes and 64d bytes. Therefore, the most significant 7 bits of the value 0Bh are interpreted as 5d and the least significant bit is 1b.
The user memory for the MF0UL21 is 128 bytes. This memory size is exactly 128d. Therefore, the most significant 7 bits of the value 0Eh are interpreted as 7d and the least significant bit is 0b.
Offline
iceman, looking at the datasheet for the ntag215 I think I found my winner...
Offline
00 = static
04 = NXP (manufacturer)
04 = product type 4 ( 3 = ultralight)
02 = product subtype
01 = Major version
00 = Minor version
11 = size ( 256-512kb )
03 = protocol type
The product type doesn't look like an Ultralight, so NTAG could be right;
the size of NTAG215 (user memory 504kb) matches the span, which means you could read much more memory than from page 04 to page 0F..
You should read the capability container (page 3) and look at what it tells you.
I don't have any NTAG to test on. Would be good to get that identification into the mfu commands.
Offline
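The two posts above decode the GET_VERSION reply by hand using the storage-size rule quoted from the NXP data sheet. As an added example (my code, not the thread's or the Proxmark project's), the Python below applies that rule to the eight version bytes and names the part when the (product type, size byte) pair is one it knows. The thread itself establishes only 0x0B (MF0UL11), 0x0E (MF0UL21) and 0x11 (NTAG215 range); the NTAG213/NTAG216 rows and the vendor/protocol names in the tables are taken from the MF0ULx1 and NTAG21x data sheets as I remember them and should be treated as assumptions. The trailing two bytes of a "received 10 octets" reply are the tag's CRC_A and are stripped, not verified, here.

```python
# Lookup tables (assumed from the MF0ULx1 / NTAG21x data sheets, see lead-in).
VENDORS = {0x04: "NXP Semiconductors"}
PRODUCT_TYPES = {0x03: "MIFARE Ultralight", 0x04: "NTAG"}
PROTOCOLS = {0x03: "ISO/IEC 14443-3 compliant"}
KNOWN_PARTS = {
    (0x03, 0x0B): "MF0UL11 (48 bytes user memory)",
    (0x03, 0x0E): "MF0UL21 (128 bytes user memory)",
    (0x04, 0x0F): "NTAG213 (144 bytes user memory)",
    (0x04, 0x11): "NTAG215 (504 bytes user memory)",
    (0x04, 0x13): "NTAG216 (888 bytes user memory)",
}

def storage_size(size_byte: int) -> tuple:
    """Data-sheet rule: n = upper 7 bits. LSB 0 -> exactly 2^n bytes,
    LSB 1 -> more than 2^n and less than 2^(n+1) bytes. Returns (min, max)."""
    n = size_byte >> 1
    if size_byte & 1:
        return (2 ** n, 2 ** (n + 1))
    return (2 ** n, 2 ** n)

def decode_get_version(version: bytes) -> dict:
    """Decode the 8 information bytes of a GET_VERSION (0x60) reply."""
    if len(version) != 8:
        raise ValueError(f"GET_VERSION payload is 8 bytes, got {len(version)}")
    if version[0] != 0x00:
        raise ValueError("fixed header byte must be 0x00")
    vendor, ptype, subtype, major, minor, size, proto = version[1:]
    lo, hi = storage_size(size)
    return {
        "vendor": VENDORS.get(vendor, f"unknown (0x{vendor:02x})"),
        "product_type": PRODUCT_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
        "subtype": subtype,
        "version": f"{major}.{minor}",
        "storage_byte": size,
        "user_memory_min": lo,
        "user_memory_max": hi,
        "protocol": PROTOCOLS.get(proto, f"unknown (0x{proto:02x})"),
        "guess": KNOWN_PARTS.get((ptype, size), "no matching part in table"),
    }

def parse_raw_response(hexstr: str) -> dict:
    """Take the 'received 10 octets' line from 'hf 14a raw -s -c 60' and decode it.
    With -c the tag reply still carries its CRC_A in the last two bytes; drop them."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) == 10:
        raw = raw[:-2]
    return decode_get_version(raw)

if __name__ == "__main__":
    # Both GET_VERSION replies posted in this thread.
    for reply in ("00 04 03 01 01 00 0B 03 FD F7",   # first post, MF0UL11
                  "00 04 04 02 01 00 11 03 01 9E"):  # borjaburgos' tag, NTAG range
        v = parse_raw_response(reply)
        span = (f"exactly {v['user_memory_min']}" if v["user_memory_min"] == v["user_memory_max"]
                else f"{v['user_memory_min']}-{v['user_memory_max']}")
        print(f"{reply}: {v['vendor']}, {v['product_type']} v{v['version']}, "
              f"user memory {span} bytes -> {v['guess']}")
```

The "guess" field is only a table lookup on (product type, storage byte); as the thread goes on to show, a matching size is not proof of the part, and the capability container and a real read of the memory are the next checks.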
I'm remaking some of the "hf mfu" commands, among others a correct identification of the different tags. I had no idea that NTAGs were so similar to Ultralight tags. It answers like an EV1 tag when I see your printouts. But the GET_VERSION is different and can be used.
Can you do a "hf 14a read" & "hf list 14a" so I can see the ATQA & SAK answers on your tag?
And if your tag is an amiibo, then I will start another thread where it can be discussed. You got a PWD from it, ...
Offline
"hf 14a read" actually results in a buffer overflow.
https://github.com/Proxmark/proxmark3/issues/100
I see that you commented in the issue though. I'll make the change to the version array and try again.
Offline
proxmark3> hf 14a read
UID : 04 d2 57 7a e3 3e 80
ATQA : 00 44
SAK : 00 [2]
TYPE : NXP MIFARE Ultralight EV1 128 bytes
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3> hf list 14a
Recorded Activity (TraceLen = 211 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 44 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16500 | Tag | 88 04 d2 57 09 | |
18816 | 29280 | Rdr | 93 70 88 04 d2 57 09 8c 42 | | SELECT_UID
30516 | 34036 | Tag | 04 da 17 | |
35328 | 37792 | Rdr | 95 20 | | ANTICOLL-2
38964 | 44788 | Tag | 7a e3 3e 80 27 | |
47104 | 57568 | Rdr | 95 70 7a e3 3e 80 27 89 06 | | ANTICOLL-2
58804 | 62388 | Tag | 00 fe 51 | |
522496 | 526112 | Rdr | 60 f8 32 | | AUTH-A(248)
527284 | 538932 | Tag | 00 04 04 02 01 00 11 03 01 9e | |
1106944 | 1111712 | Rdr | e0 80 31 73 | | RATS
1825664 | 1826656 | Rdr | 40 | | MAGIC WUPC1
1962112 | 1963424 | Rdr | 43 | | MAGIC WUPC2
2099328 | 2104096 | Rdr | 50 00 57 cd | | HALT
proxmark3>
Offline
The capability container (page 3) is: F1 10 FF EE
proxmark3> hf 14a raw -c 3a0303
received 6 octets
F1 10 FF EE B5 49
Last edited by borjaburgos (2015-05-03 19:53:38)
Offline
Something doesn't add up... according to the doc: "Byte 2 in the capability container defines the available memory size for NDEF messages."
In my tag that would be "FF" -> meaning 2040 byte NDEF memory size is defined in the Capability Container. Which is well beyond the size of the NTAG215.
And +1 to starting a new amiibo specific thread, especially now that we know it's not an EV1 tag.
Last edited by borjaburgos (2015-05-03 20:19:58)
Offline
And the magic number 0xE1 in the CC, which is a must for NDEF, isn't there either.
So we can say that Amiibo uses an NTAG tag but doesn't store its data according to NDEF.
You will need to map the memory.
Offline
iceman, given what we know about amiibo thus far (NTAG 215, non-NDEF data, PWD, etc.), what would be the best channel to start an amiibo thread?
Offline
Here you go, http://www.proxmark.org/forum/viewtopic … 776#p15776
You can start filling in all that you found out, like the PWD?!?
Offline
Great guys!
Hope to see some dump soon!
Old amiibos were actually Topaz; probably NTAG is cheaper and much more usable than a partial ISO14443A protocol (like in Topaz).
Last edited by asper (2015-05-04 15:13:07)
Offline
I've been remaking some "hf mfu" commands, and with @marshmellow we have done some work on it.
If it will be ready, I don't know, but it's much better than before at least.
There are changes in the "hf mfu" commands; among others, "hf mfu info" is now able to detect between UL/ULC/ULEV1/NTAG213/NTAG215/NTAG216 (but I don't have NTAGs to verify it). It kind of prints out a lot of stuff about the tag.
It tries to detect if it is magic, or if it has some default 3DES keys, it reads some counters, ...
If you start with "hf 14a reader" and it says something like UL, then see it as a starting point to go next to "hf mfu info"...
There is more to be implemented from the datasheets, but it's a good start if I may say so.
Offline
BTW, most of the work has been done by iceman... I'd say in about 1-2 weeks we'll be ready to commit to the master. (guesstimate)
Offline
Well, this was just meant to be about UL/ULC.. then it got UL-EV1,.. and now all NTAG...
Offline