Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I've been looking into how to detect if a UL / UL-C tag is magic (ie UID changeable)
Together with Marshmellow, we found that a decent detection between UL-EV1 (both sizes), UL-C and UL tags works quite well, and implemented these "tricks" in the "HF MFU INFO" command.
However, the magic test is harder. So far I noticed that the nonce on a UL-C Magic tag (when requesting an AUTH (0x1A)) stays the same. So the procedure to detect a UL-C (magic) is to do two auth requests and see if the nonce is the same.
Here is the current problem, we don't have a way to detect if a UL tag is magic.
One way would be read block 0, try write block 0, (if success, then magic) re-write the old block 0.
However, this is a doubtful way of detection, since it means actually changing the UID.
What does the community suggest? Is there a good way of detection?
Last edited by iceman (2015-05-25 10:20:12)
Offline
Change the UID with a specific rule (example: uid+1) to make the original old value determinable even if the owner doesn't know it and the procedure goes wrong somewhere.
Other way: study magic timing answer to specific commands, it can be different from original nxp tags (need some tests on original cards).
Offline
Also Ultralight EV1 has the signature feature (AN11349.pdf page 20). I do not have the command set right here, but this can be a method to identify it. Here is a specific thread.
Last edited by asper (2015-05-01 22:01:58)
Offline
Hm, how about we read the UID (select) and try to write the same UID. No change done.
However, if it fails we know it's a normal UL. It should answer a write 0xA2 with a 0x0A NACK.
Offline
The most simple way
Last edited by asper (2015-05-01 23:11:35)
Offline
I think there will be an even easier way of detecting it.
Reading the PWD bytes or AUTH bytes should only give 0x00's, but on a magic tag you get the values.
Offline
I think I found it.
----------------------
I did look at a UL magic test, and when I fiddled around I kind of got a solution (better than the one which is presently implemented).
If I send a "0xA0" read, which is a comp_write thingy, that works in two steps sending packages. However, when I was looking at it, I didn't realise it needed two steps..
But the interesting part is the different answers to this request. With just one minor request, we can detect if a tag is MAGIC or not, super easy. And it's the same for a UL-C MAGIC.. But I haven't tested it against a proper UL-C.
UL MAGIC tag
pm3 --> hf 14a raw -s -c a000
received 7 octets
05 01 02 05 06 07 08
received 1 octets
0A ---->> ACK
Normal UL tag
pm3 --> hf 14a raw -s -c a000
received 7 octets
04 46 AD 62 83 34 80
received 1 octets
00 --->> NACK
Offline
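As an added illustration (not code from this thread or from the Proxmark3 project), a small Python helper that parses the "received N octets" output of hf 14a raw quoted above and applies the two checks discussed in this thread: the A0 00 ACK/NACK test for a UL magic tag, and the repeated-nonce test for a UL-C magic tag from the first post. The two transcripts are constructed from the values quoted above; the layout of the 0x1A AUTH reply is assumed to be exactly the bytes hf 14a raw prints.

```python
import re
from typing import List

# Constructed transcripts, copied from the values quoted in this thread.
# "hf 14a raw -s -c a000": first reply is the 7-byte UID from the select,
# second reply is the tag's answer to the A0 00 compatibility write.
MAGIC_UL_TRANSCRIPT = """\
received 7 octets
05 01 02 05 06 07 08
received 1 octets
0A
"""
NORMAL_UL_TRANSCRIPT = """\
received 7 octets
04 46 AD 62 83 34 80
received 1 octets
00
"""

def parse_pm3_responses(transcript: str) -> List[bytes]:
    """Return every 'received N octets' payload as bytes, in order."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    out = []
    for i, line in enumerate(lines):
        m = re.match(r"received (\d+) octets", line)
        if m:
            data = bytes.fromhex(lines[i + 1].replace(" ", ""))
            if len(data) != int(m.group(1)):
                raise ValueError("octet count does not match payload")
            out.append(data)
    return out

def classify_ul(responses: List[bytes]) -> str:
    """Thread rule: a single-byte 0x0A reply to A0 00 is an ACK, so the tag
    accepted a compatibility write to block 0 (magic); 0x00 is a NACK (normal)."""
    if not responses or len(responses[-1]) != 1:
        return "unknown"
    return {b"\x0a": "magic", b"\x00": "normal"}.get(responses[-1], "unknown")

def classify_ulc(auth_reply1: bytes, auth_reply2: bytes) -> str:
    """UL-C rule from the first post: two AUTH (0x1A) requests that return the
    same nonce indicate a magic clone; a genuine UL-C answers with a fresh one."""
    if not auth_reply1 or not auth_reply2:
        return "unknown"
    return "magic" if auth_reply1 == auth_reply2 else "normal"
```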
Fantastic finding!
Offline
Mine is a normal EV1 tag
proxmark3> hf 14a raw -c -p -s 1b 33 6b a1 19
received 7 octets
04 BD 25 E2 05 3F 80
received 4 octets
9C 2D BA 54
proxmark3>
proxmark3> hf 14a raw -c a000
received 1 octets
00
Does a magic Ultralight EV1 exist?
Offline
I never heard of a magic ultralight ev1.
There is little money in making a tag magic, for obvious reasons. A tag needs to be well spread for the interest to rise.. or pay the money. There is another thread on the forum about it.
In your case you must start collecting UID/pwd ( simulating and sniffing ) and see if you can figure out the pwd diversification algo..
Offline
For now I have collected three:
UID : 04 57 B6 E2 05 3F 80 psw: 4a f8 4b 19
UID : 04 BD 25 E2 05 3F 80 psw: 33 6b a1 19
UID : 04 80 96 E2 05 3F 81 psw: ff 90 6c b2
Offline
Cool,
However, can you keep to the right thread? This one is about magic detection on UL/UL-C.
I started a new thread for you:
http://www.proxmark.org/forum/viewtopic.php?id=2445
Last edited by iceman (2015-05-07 21:13:45)
Offline