Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-05-01 17:45:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

[FINISHED] UL and UL-C magic tags detection

I've been looking into how to detect if a UL / UL-C tag is magic (ie UID changeable)

Together with Marshmellow, we found that a decent detection between  Ul-EV1 (both sizes), UL-C, UL tag quite well,,  and implemented these "tricks" in the  "HF MFU INFO" command.

However, the magic test is harder. So far I noticed that the nonce on a UL-C Magic tag (when requesting a AUTH (0x1A) ) stays the same.  So the procedure to detect a UL-C (magic) is to do two auth requests and see if the nonce is the same.

Here is the current problem,  we don't have a way to detect if a UL tag is magic.   

One way would be read block 0,  try write block 0, (if success, then magic)  re-write the old block 0.
however this is a doubtful way of detection, since is means actually change the UID.

What do the community suggest? Is there a good way of detection?

Last edited by iceman (2015-05-25 10:20:12)

Offline

#2 2015-05-01 19:33:25

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] UL and UL-C magic tags detection

Change uid with a specific rule (example: uid+1) to make the original old value determinated even if the owner doesn't know it and the procedure goes someway wrong.

Other way: study magic timing answer to specific commands, it can be different from original nxp tags (need some tests on original cards).

Offline

#3 2015-05-01 21:58:03

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] UL and UL-C magic tags detection

Also Ultralight EV1 has the signature feature (AN11349.pdf page 20). I do not have the command set right here but this can be a method to identify it. Here a specific thread.

Last edited by asper (2015-05-01 22:01:58)

Offline

#4 2015-05-01 22:28:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] UL and UL-C magic tags detection

Hm,  how about we read the UID,  (select) and try to write the same UID..  No change done smile,   
However,  if it fails we know its a normal UL.    It should answer a write 0xA2  with a 0x0A NACK.

Offline

#5 2015-05-01 23:11:12

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] UL and UL-C magic tags detection

The most simple way wink

Last edited by asper (2015-05-01 23:11:35)

Offline

#6 2015-05-03 18:44:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] UL and UL-C magic tags detection

I think there will be an even easier way of detecting it.
Reading the PWD bytes or AUTH bytes, should only give 0x00's   but on a magic tag you get the values smile

Offline

#7 2015-05-06 22:40:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] UL and UL-C magic tags detection

I think I found it.
----------------------

I did look at a UL magic test,  and when I fiddled around I kind of got a solution (better then the one which is presently implemented).

If I send a "0xA0" read,  which is a comp_write thingy, that works in two steps sending packages.   However when I was looking at it, i didnt realise it needed two steps..
but the interesting part is the different answers to this request.     with just one minor request, we can detect if a tag is MAGIC or not super easy.   And it's the same for a UL-C MAGIC..   But I haven't tested it against a proper UL-C.


UL MAGIC tag

pm3 --> hf 14a raw -s -c a000
received 7 octets
05 01 02 05 06 07 08
received 1 octets
0A                      ---->> ACK

Normal UL tag

pm3 --> hf 14a raw -s -c a000
received 7 octets
04 46 AD 62 83 34 80
received 1 octets
00                       --->> NACK

Offline

#8 2015-05-07 09:03:00

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] UL and UL-C magic tags detection

Fantastic finding!

Offline

#9 2015-05-07 12:50:34

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [FINISHED] UL and UL-C magic tags detection

My is normal tag EV1
proxmark3> hf 14a raw  -c -p -s  1b  33  6b  a1  19
received 7 octets         
04 BD 25 E2 05 3F 80           
received 4 octets         
9C 2D BA 54           
proxmark3>
proxmark3> hf 14a raw -c a000
received 1 octets         
00
exists a magic ultralight ev1 ?

Offline

#10 2015-05-07 13:31:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] UL and UL-C magic tags detection

I never heard of a magic ultralight ev1.

There is little money in making a tag magic for obvious reasons,    A tag needs to be well spread for the interest to rise..  or pay the money.  There is another thread on the forum about it.

In your case you must start collecting UID/pwd  ( simulating and sniffing )  and see if you can figure out the pwd diversification algo..

Offline

#11 2015-05-07 19:57:32

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [FINISHED] UL and UL-C magic tags detection

for now I have collected three

UID :  04 57 B6  E2 05 3F 80    psw: 4a  f8  4b  19
UID :  04 BD 25  E2 05 3F 80   psw:  33  6b  a1  19
UID :  04 80 96  E2 05 3F 81    psw:  ff  90  6c  b2

Offline

#12 2015-05-07 20:38:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [FINISHED] UL and UL-C magic tags detection

cool,
However, can you keep to the right thread?  this one is about Magic detection on UL/ULC


I started a new thread for you
http://www.proxmark.org/forum/viewtopic.php?id=2445

Last edited by iceman (2015-05-07 21:13:45)

Offline

Board footer

Powered by FluxBB