Research, development and trades concerning the powerful Proxmark3 device.
Since the implementation of calling "hf mfu info" with a key, we can now see configuration even if it is locked.
TAGINFO:
pm3 --> hf 14a read
UID : 04 57 B6 E2 05 3F 80
ATQA : 00 44
SAK : 00 [2]
TYPE : NXP MIFARE Ultralight EV1 48 bytes
pm3 --> hf mfu i k 4af84b19
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
UID : 04 57 B6 E2 05 3F 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 6D, Ok
BCC1 : 58, Ok
Internal : 48, default
Lock : 70 00 - 0000000001110000
OneTimePad : 00 00 00 00 - 00000000000000000000000000000000
--- UL-EV1 Counters
[0] : 09 00 00
- BD tearing Ok
[1] : 09 00 00
- BD tearing Ok
[2] : 00 00 00
- BD tearing Ok
--- UL-EV1 Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 79 69 D1 13 02 85 CB CE 8E AB 68 C9 BB D7 67 49 0A 41 4F 0D FA 4C 7F CD 9F 0A A0 B7 89 4A C3 3E
--- UL-EV1 Configuration
cfg0 [16/0x10]: 00 00 00 00
- page 0 and above need authentication
- strong modulation mode disabled
cfg1 [17/0x11]: C0 05 00 00
- Unlimited password attempts
- user configuration permanently locked
- read and write access is protected with password
05 - Virtual Card Type Identifier is default
PWD [18/0x12]: 00 00 00 00
PACK [19/0x13]: 00 00 00 00
--- UL-EV1 / NTAG Version
Raw bytes : 00 04 03 01 01 00 0B 03
Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
Product type : 03, Ultralight
Product subtype : 01, 17 pF
Major version : 01
Minor version : 00
Size : 0B (64 <-> 32 bytes)
Protocol type : 03
DUMP
pm3 --> hf 14a raw -p -c 3a0013
received 82 octets
04 57 B6 6D
E2 05 3F 80
58 48 70 00 -- 58 bcc1, 48 default byte, lock: 0x70 0x00
00 00 00 00 -- otp
14 9B B9 67 -- first user data page
B5 B0 45 71
D5 27 4A FE
17 B8 3F BA
23 EA 19 E6
19 F2 22 3A
BD CB AC BF
F1 C5 67 6D
70 52 34 B6
38 A5 87 E1
F8 2F BB 23
0C 1F 7F CE -- last user data page
00 00 00 00 -- cfg0 [all pages are password protected]
C0 05 00 00 -- cfg1 [ 0xC0 == PROT & CONFIGLOCK, no AuthLimit. :) ]
00 00 00 00 -- pwd [all zero out]
00 00 00 00 -- pack [all zero out]
Last edited by iceman (2015-11-10 19:48:42)
Offline
This is a reading of the user data of the ticket described above, with
the counters:
[00] 04 00 00
[01] 04 00 00
[02] 00 00 00
14 9b b9 67 -- first user data page
b5 b0 45 71
d5 27 4a fe
17 b8 3f ba
39 ac 94 48
cb 12 66 22
42 95 d9 e2
45 28 04 d9
cf 86 83 01
7d 33 a3 dc
13 fb bc 39
50 b6 da 67 -- last user data page
Last edited by tristanik (2015-05-07 23:33:47)
Offline
collection of UID/psw
UID : 04 57 B6 E2 05 3F 80 psw: 4a f8 4b 19
UID : 04 BD 25 E2 05 3F 80 psw: 33 6b a1 19
UID : 04 80 96 E2 05 3F 81 psw: ff 90 6c b2
Offline
Can you add the PACK to the collection UID/psw/pack ?
Offline
collection of UID/psw
UID : 04 57 B6 E2 05 3F 80 psw: 4a f8 4b 19 pack: e5 be 74 d5
UID : 04 BD 25 E2 05 3F 80 psw: 33 6b a1 19 pack: 9c 2d ba 54
UID : 04 80 96 E2 05 3F 81 psw: ff 90 6c b2 pack: 12 9e 76 c5
Offline
This is the dump of the tag with UID 04 BD 25 E2 05 3F 80 and counters at zero. Virgin tag.
UID: 04 bd 25 e2 05 3f 80
PASSWORD: 33 6b a1 19
PACK: 9c 2d ba 54
COUNTERS
[00] 00 00 00
[01] 00 00 00
[02] 00 00 00
04 bd 25 14
e2 05 3f 80
58 48 70 00
00 00 00 00
c5 21 a5 0b -- first user data page
bd 6f 16 bb
b6 52 87 7e
f6 a9 37 df
f4 b8 df 5c
16 79 7a 46
ec ef d4 8b
9f 43 fe 8f
52 21 79 77
0c ac 00 28
bf 24 cb 7a
f8 76 e1 59 -- last user data page
Last edited by tristanik (2015-05-08 08:00:54)
Offline
collection of UID/psw
UID : 04 57 B6 E2 05 3F 80 PSW: 4A F8 4B 19 PACK: E5 BE 74 D5
UID : 04 BD 25 E2 05 3F 80 PSW: 33 6B A1 19 PACK: 9C 2D BA 54
UID : 04 80 96 E2 05 3F 81 PSW: FF 90 6C B2 PACK: 12 9E 76 C5
UID : 04 82 7F E2 05 3F 81 PSW: 14 79 6E B2 PACK: F9 77 88 B2
UID : 04 A4 15 52 05 3F 80 PSW: C4 05 D6 47 PACK: 05 1D 7C AB
Offline
I found a weak correlation between UIDs and PWDs; if you are able to provide more examples I can check if I am correct.
Offline
Thanks. Today I'll try to sniff other passwords.
Offline
UID : 04 BF 52 E2 05 3F 80 PSW : 46 1C A3 19 PACK: E9 5A FE DD
UID : 04 CC 52 E2 05 3F 80 PSW : 35 1C D0 19 PACK: 9A 5A 52 07
Offline
I cleaned it up.
UID: | PWD: | PACK:
----------------------------------------
04 A4 15 52053F80 | C4 05 D6 47 | 05 1D
04 57 B6 E2053F80 | 4A F8 4B 19 | E5 BE
04 BD 25 E2053F80 | 33 6B A1 19 | 9C 2D
04 BF 52 E2053F80 | 46 1C A3 19 | E9 5A
04 CC 52 E2053F80 | 35 1C D0 19 | 9A 5A
04 80 96 E2053F81 | FF 90 6C B2 | 12 9E
04 82 7F E2053F81 | 14 79 6E B2 | F9 77
Last edited by iceman (2015-05-17 21:37:50)
Offline
OK, my theory seems to work but I have only a partial "decoding" (it seems to be something "table-related", like something iceman studied recently...).
Give me more time (and maybe more examples) and I will try to find a solution.
Offline
Where do we discuss this in the forum?
Offline
I found a strong relation between UID and PACK.
5th uid nibble == 3rd pack nibble
UID: PACK:
----------------------------------------
0457 B 6E2053F80 | E5 B E
04A4 1 552053F80 | 05 1 D
04BD 2 5E2053F80 | 9C 2 D
04BF 5 2E2053F80 | E9 5 A
04CC 5 2E2053F80 | 9A 5 A
0480 9 6E2053F81 | 12 9 E
0482 7 FE2053F81 | F9 7 7
Last edited by iceman (2015-05-17 09:52:25)
Offline
I found a strong relation between UID and PACK.
5th uid nibble == 3rd pack nibble
6th uid nibble =+15d 4th pack nibble (or XOR 0x08h)
UID: PACK:
----------------------------------------
0457 (B6) E2053F80 | E5 (BE)
04A4 (15) E2053F80 | 05 (1D)
04BD (25) E2053F80 | 9C (2D)
04BF (52) E2053F80 | E9 (5A)
04CC (52) E2053F80 | 9A (5A)
0480 (96) E2053F81 | 12 (9E)
0482 (7F) E2053F81 | F9 (77)
Offline
Good one, midnitesnake! (welcome back)
3rd byte UID xor 8 == 2nd byte PACK.
Marshmellow and I have been remaking the UL commands you did, hope you don't mind.
Offline
I think PACK[0] is calculated by XORing the first three UID bytes.
Which would leave the PACK gen ALGO to:
PACK BYTES CALC:
-----------------------------------------
[00] UID[0] ^ UID[1] ^ UID[2]
[01] UID[2] ^ 8
---sample:
UID: PACK:
----------------------------------------
04 57 [B6] E2053F80 | E5 [BE] 04 ^ 57 ^ b6 == E5
04 BF [52] E2053F80 | E9 [5A] 04 ^ BF ^ 52 == E9
Last edited by iceman (2015-05-15 22:46:17)
Offline
Now this is interesting: since we know how to calc the PACK, it should be possible to simulate a tag.
The reader will send PWD, UID; the PM3 will read the UID and the AUTH request and respond with PACK, and the reader will continue to communicate with our simulated tag.
Offline
Then the PACK is independent of the PSW...
Offline
There is a transcription error Iceman, the second UID is : 04 A4 15 52 05 3F 80
Last edited by tristanik (2015-05-16 07:47:52)
Offline
Good one, midnitesnake! (welcome back)
...
Marshmellow and I have been remaking the UL commands you did, hope you don't mind.
Thanks for the shout out. I really don't mind about the remake, there's some really good work there; the best thing about communities is that we can tweak and improve each other's ideas/work.
Life is still hectic, I pop in now and again. At the moment my proxmark is gathering dust.
Most likely I won't be very active till the end of the year/next year; hopefully I can add another LF card.
Offline
@tristanik, are you sure? It looked like a spelling mistake, since all the others have 0xE.
@midnitesnake, if you haven't upgraded your PM3 since autumn, you're in for a ride. Plenty of new good stuff in LF, and great fixes in HF. Do you have a BCARD laying around?
Offline
Yes Iceman, this is a 60h of the ticket:
proxmark3> hf 14a raw -c -p -s 60
received 7 octets
04 A4 15 52 05 3F 80
received 10 octets
00 04 03 01 01 00 0B 03 FD F7
proxmark3>
Offline
ok then,
Offline
Unfortunately I am low on time; did you find any further UID->PWD correlations, ice?
Offline
I'm guessing it's in the line you suggested...
Offline
iceman wrote: I found a strong relation between UID and PACK.
5th uid nibble == 3rd pack nibble
6th uid nibble =+15d 4th pack nibble (or XOR 0x08h)
UID: PACK:
----------------------------------------
0457 (B6) E2053F80 | E5 (BE)
04A4 (15) E2053F80 | 05 (1D)
04BD (25) E2053F80 | 9C (2D)
04BF (52) E2053F80 | E9 (5A)
04CC (52) E2053F80 | 9A (5A)
0480 (96) E2053F81 | 12 (9E)
0482 (7F) E2053F81 | F9 (77)
Welcome back man !
If we can get more samples I think we will find out the algo. Remember that the algo is proprietary !
Offline
Low nibble of the 4th PWD byte = (low nibble of the last UID byte) XOR (low nibbles of the 1st, 2nd and 3rd PWD bytes)
ex.
UID | PWD
04 A4 15 E2053F80 | C4 05 D6 47
04 A4 15 E2053F8[0] | C[4] 0[5] D[6] 4(7) -> [0] ^ [4] ^ [5] ^ [6] = (7)
It can be a kind of control "checksum".
Last edited by asper (2015-05-17 14:26:52)
Offline
Good one, Asper!
Offline
great find!
Offline
Well, I found something.. (zero-based index)
UID[1] ^ fixed value == PWD[1]
UID[2] ^ fixed value == PWD[2]
However, this fixed value is different for the three groups of UID data samples we got.
---grp 1
04 [A4] [15] 52 053F80 | C4 05 D6 47
10 72 -- fixed
---grp 2
04 [57] [B6] E2 053F80 | 4A F8 4B 19
4E 1C -- fixed
04 [BD] [25] E2 053F80 | 33 6B A1 19
4E 1C -- const
04 [BF] [52] E2 053F80 | 46 1C A3 19
4E 1C -- fixed
04 [CC] [52] E2 053F80 | 35 1C D0 19
4E 1C -- fixed
---grp 3
04 [80] [96] E2 053F81 | FF 90 6C B2
06 EC -- fixed
04 [82] [7F] E2 053F81 | 14 79 6E B2
06 EC -- fixed
Last edited by iceman (2015-05-24 21:06:04)
Offline
All PWD bytes can be matched to a fixed value for the different groups of UID we have.
Last edited by iceman (2015-05-24 21:06:18)
Offline
Just to point out: the PACK algo byte0 is not correct.
The correct one should be:
[00] UID[0] ^ UID[1] ^ UID[2] ^ UID[3] ^ E2
(where E2 is a fixed value just like the 08 for PACK byte1)
I think that more data is needed to find the correct algo because it can also be:
[00] UID[0] ^ UID[1] ^ UID[2] ^ UID[3] ^ UID[4] ^ UID[5] ^ E2
Last edited by asper (2015-05-24 10:40:41)
Offline
As soon as possible I will sniff other PSWs.
Offline
The extension of the checksum can almost be done for the hi-nibble of PWD[3], if we follow asper's idea.
UID | PWD
------------------------------------
04 A4 15 52053F80 | C4 05 D6 47
04 A4 15 [5]2053F80 | [C]4 [0]5 [D]6 (4)7 -> [5] ^ [c] ^ [0] ^ [d] = (4)
This works for groups: 52053F80 , E2053F80
but not for group: E2053F81
Offline
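The PACK formulas posted above (iceman's first version, asper's correction and asper's open alternative) and the PWD nibble checksums (asper's low-nibble rule and iceman's hi-nibble extension) can be checked mechanically against the seven UID/PWD/PACK samples collected in this thread. The Python below is an added example, not code from the thread or from the Proxmark3 project; the sample table is copied from the posts above and the function names are assumptions of mine. It confirms the thread's observations: the first PACK[0] guess fails only for the 52053F80 ticket, the corrected one fits all seven, the hi-nibble checksum fails for the two E2053F81 tickets, and, because UID[4] and UID[5] are 05 3F in every sample, asper's six-byte alternative fits equally well once its constant is adjusted, which is exactly why more samples are needed to tell the two apart.

```python
# Added example: test the PACK and PWD-checksum hypotheses from this thread
# against the posted samples. Sample data is copied from the thread posts.
SAMPLES = [
    # (UID, PWD, PACK) as posted (PACK: first two bytes only, CRC dropped)
    ("04 57 B6 E2 05 3F 80", "4A F8 4B 19", "E5 BE"),
    ("04 BD 25 E2 05 3F 80", "33 6B A1 19", "9C 2D"),
    ("04 80 96 E2 05 3F 81", "FF 90 6C B2", "12 9E"),
    ("04 82 7F E2 05 3F 81", "14 79 6E B2", "F9 77"),
    ("04 A4 15 52 05 3F 80", "C4 05 D6 47", "05 1D"),
    ("04 BF 52 E2 05 3F 80", "46 1C A3 19", "E9 5A"),
    ("04 CC 52 E2 05 3F 80", "35 1C D0 19", "9A 5A"),
]


def hx(s):
    """'04 57 B6' -> b'\\x04\\x57\\xb6'."""
    return bytes.fromhex(s.replace(" ", ""))


def xor_all(bs):
    v = 0
    for b in bs:
        v ^= b
    return v


# --- PACK hypotheses as posted in the thread (function names are mine) ---
def pack_v1(uid):
    """iceman: PACK[0] = UID[0]^UID[1]^UID[2], PACK[1] = UID[2]^0x08."""
    return bytes([uid[0] ^ uid[1] ^ uid[2], uid[2] ^ 0x08])


def pack_v2(uid):
    """asper's correction: PACK[0] = UID[0]^UID[1]^UID[2]^UID[3]^0xE2."""
    return bytes([xor_all(uid[:4]) ^ 0xE2, uid[2] ^ 0x08])


def pack_v3(uid, const):
    """asper's alternative using six UID bytes; the constant is left open."""
    return bytes([xor_all(uid[:6]) ^ const, uid[2] ^ 0x08])


def failures(pack_fn):
    """UIDs (as posted) for which pack_fn(uid) does not match the posted PACK."""
    return [u for u, _, p in SAMPLES if pack_fn(hx(u)) != hx(p)]


def alt_const_for_samples():
    """Constant that makes pack_v3 agree with pack_v2 on these samples.
    Only meaningful while UID[4]^UID[5] is identical in every sample."""
    tails = {hx(u)[4] ^ hx(u)[5] for u, _, _ in SAMPLES}
    assert len(tails) == 1, "UID[4..5] differ; the hypotheses can now be separated"
    return 0xE2 ^ tails.pop()


# --- PWD nibble checksums as posted in the thread ---
def pwd_low_nibble_check(uid, pwd):
    """asper: low nibble of PWD[3] == low nibble of UID[6]^PWD[0]^PWD[1]^PWD[2]."""
    return (pwd[3] & 0x0F) == ((uid[6] ^ pwd[0] ^ pwd[1] ^ pwd[2]) & 0x0F)


def pwd_high_nibble_check(uid, pwd):
    """iceman: high nibble of PWD[3] == high nibble of UID[3]^PWD[0]^PWD[1]^PWD[2]."""
    return (pwd[3] >> 4) == ((uid[3] ^ pwd[0] ^ pwd[1] ^ pwd[2]) >> 4)


def checksum_failures(check):
    """UIDs (as posted) whose PWD does not satisfy the given nibble rule."""
    return [u for u, p, _ in SAMPLES if not check(hx(u), hx(p))]


if __name__ == "__main__":
    print("pack_v1 fails on:", failures(pack_v1))
    print("pack_v2 fails on:", failures(pack_v2))
    c = alt_const_for_samples()
    print("pack_v3 with const %02X fails on:" % c, failures(lambda u: pack_v3(u, c)))
    print("low-nibble checksum fails on:", checksum_failures(pwd_low_nibble_check))
    print("hi-nibble checksum fails on:", checksum_failures(pwd_high_nibble_check))
```

Run it as a script and it prints, for each hypothesis, the posted UIDs it fails on; an empty list means the rule holds for every sample in the thread, which is all these correlations can claim.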
I did a test. I created an Ultralight Magic with UID = 00 00 00 00 00 00 00, and I got PSW = 4f 27 11 c1
Last edited by tristanik (2015-05-28 14:23:18)
Offline
Can you post a log of the sniff ?
Offline
26
TAG 44 00
93 20 00
TAG 88 00 00 00 88
93 70 88 00 00 00 88 a9 01 00
TAG 04 da 17
95 20 00
TAG 00 00 00 00 00
95 70 00 00 00 00 00 51 81 00
TAG 00 fe 51
1b 4f 27 11 c1 46 83 00
Uff
1b 4f 27 11 c1 46 83
1b 4f 27 11 c1 46 83
1b 4f 27 11 c1 46 83
Offline
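To make the sniff log above easier to read, here is an added Python decoder (not from the thread or from the Proxmark3 project) that walks the log line by line: REQA/ATQA, the two anticollision cascade levels with their BCC check, SELECT/SAK, and the Ultralight EV1 PWD_AUTH command (0x1B). The log lines are copied from the post; the cascade tag 0x88 and the command codes are from ISO 14443-3A and the UL-EV1 command set, and the function names are mine. It reassembles the 7-byte UID, verifies the BCC of each SELECT, lists the password the reader sends and reports that no PACK comes back, which is why the reader repeats PWD_AUTH and, as noted in the next posts, communication stops.

```python
# Added example: decode the pm3 sniff log posted for the all-zero-UID magic
# Ultralight. Reader frames are bare hex, tag frames are prefixed "TAG";
# pm3 status markers such as "Uff" are skipped.
TRACE = """
26
TAG 44 00
93 20 00
TAG 88 00 00 00 88
93 70 88 00 00 00 88 a9 01 00
TAG 04 da 17
95 20 00
TAG 00 00 00 00 00
95 70 00 00 00 00 00 51 81 00
TAG 00 fe 51
1b 4f 27 11 c1 46 83 00
Uff
1b 4f 27 11 c1 46 83
1b 4f 27 11 c1 46 83
1b 4f 27 11 c1 46 83
""".strip().splitlines()

CASCADE_TAG = 0x88  # ISO 14443-3A: first byte of cascade level 1 for 7-byte UIDs
SEL_CL1, SEL_CL2 = 0x93, 0x95
ANTICOLL, SELECT = 0x20, 0x70
PWD_AUTH = 0x1B     # UL-EV1 / NTAG21x password authentication


def frame(line):
    """Return (side, bytes) for a log line, or None if it is not a frame."""
    toks = line.split()
    if not toks:
        return None
    side = "TAG" if toks[0] == "TAG" else "RDR"
    raw = toks[1:] if side == "TAG" else toks
    try:
        return side, bytes(int(t, 16) for t in raw)
    except ValueError:
        return None  # e.g. "Uff" is a pm3 marker, not a frame


def decode_trace(lines):
    uid = bytearray()
    bcc_ok = []
    pwd_attempts = []
    events = []
    for line in lines:
        f = frame(line)
        if f is None:
            continue
        side, data = f
        if side == "RDR":
            cmd = data[0]
            if cmd == 0x26:
                events.append("REQA")
            elif cmd in (SEL_CL1, SEL_CL2) and data[1] == ANTICOLL:
                events.append("ANTICOLL CL%d" % (1 if cmd == SEL_CL1 else 2))
            elif cmd in (SEL_CL1, SEL_CL2) and data[1] == SELECT:
                part, bcc = data[2:6], data[6]
                bcc_ok.append(part[0] ^ part[1] ^ part[2] ^ part[3] == bcc)
                # CL1 carries the cascade tag in place of the first UID byte
                if cmd == SEL_CL1 and part[0] == CASCADE_TAG:
                    uid += part[1:]
                else:
                    uid += part
                events.append("SELECT CL%d" % (1 if cmd == SEL_CL1 else 2))
            elif cmd == PWD_AUTH:
                pwd_attempts.append(data[1:5].hex())
                events.append("PWD_AUTH")
        else:
            last = events[-1] if events else ""
            if last == "REQA":
                events.append("ATQA")
            elif last.startswith("ANTICOLL"):
                events.append("UID part")
            elif last.startswith("SELECT"):
                events.append("SAK")
            elif last == "PWD_AUTH":
                events.append("PACK")
    return {
        "uid": uid.hex(),
        "select_bcc_ok": bcc_ok,
        "pwd_attempts": pwd_attempts,
        "pack_received": "PACK" in events,
        "events": events,
    }


if __name__ == "__main__":
    for key, value in decode_trace(TRACE).items():
        print(key, value)
```

The decoded result shows a 7-byte UID of all zeros, two valid BCCs, four PWD_AUTH attempts with the same password and no PACK reply, which matches what the poster reports for the magic tag.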
What if you try to write the same password in the tag? Does the reader go further in sending commands to the tag?
Offline
@Asper: this tag is a magic Ultralight, it doesn't have a psw address.
The machine gives a password because it is the answer to the tag UID, but then communication stops.
I have tried UID = 00 00 00 00 00 00 01, psw = 07 d7 bb 82
Ufc 26
U0f 00 00
Uff 93 20
U0f 00 00 00 00 00
Uff 93 70 88 00 00 00 88 a9 01
U0f 00 00 00
Uff 95 20
U0f 00 00 00 00 00
Uff 95 70 00 00 00 01 01 00 89
U0f 00 fc 50
Uff 1b 07 d7 bb 82 0d de
U00
TAG 00 00
1b 07 d7 bb 82 0d de
1b 07 d7 bb 82 0d de
1b 07 d7 bb 82 0d de
Offline
Yeah... @asper has requested a ul/ulc/ul-ev1/ntag sim to make collecting those PWDs easier...
Offline
UID: 00 00 00 00 00 00 00 PSW: 4f 27 11 c1
UID: 10 00 00 00 00 00 00 PSW: 4f 37 01 c1
UID: 01 00 00 00 00 00 00 PSW: 4f 26 10 c1
UID: 00 01 00 00 00 00 00 PSW: 4e 27 10 c1
Offline
I did some changes to the "hf 14a sim" and it can now simulate a NTAG215..
You should be able to collect UID/PWD using a lua script....
Offline
Thanks Iceman
Last edited by tristanik (2015-06-27 13:16:19)
Offline
Great news!
I just got news that this pwd-algo is broken and there exists a keygen.
Great work!
Offline
And now only the data mapping is left..
Offline