[FINISHED] Changes to: HF MFU INFO

iceman · 2015-05-05 22:11:57

Just to give a teaser, but the current output from "hf mfu info" looks like this:

Tested tags: UL-Ev1, UL-C (magic), UL, UL (magic), NTAG 216, NTAG 213, my-d move

- detection works pretty good now. @marshmellow also added a call from "hf 14a read" to benefit from the detection.
- added a help text
- added possibilty to use authentication key

pm3 --> hf mfu i h
It gathers information about the tag and tries to detect what kind it is.
Sometimes the tags are locked down, and you may need a key to be able to read the information
The following tags can be identified:

Ultralight, Ultralight-C, Ultralight EV1
NTAG 213, NTAG 215, NTAG 216
my-d, my-d NFC, my-d move, my-d move NFC

Usage:  hf mfu info k <key>
  Options :
  k <key> : key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]

   sample : hf mfu info
          : hf mfu info k 11223344

ULTRALIGHT EV1

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 04 B7 80 9A F8 38 80
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : BB, Ok
      BCC1 : DA, Ok
  Internal : 48, default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

--- UL-EV1 Counters
       [0] : 00 00 00
                    - BD tearing Ok
       [1] : 00 00 00
                    - BD tearing Ok
       [2] : 00 00 00
                    - BD tearing Ok

--- UL-EV1 Signature
IC signature public key name  : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : D8 50 05 90 9A DA B6 E0 EF 5D 0D F2 9C BF 9E FC 03 E2 F1 36 CA 54 23 7E 80 0B FA DB 4B 9A AA 16


--- UL-EV1 Configuration
 cfg0 [16/0x10]: 00 00 00 FF
                    - pages don't need authentication
                    - strong modulation mode disabled
 cfg1 [17/0x11]: 00 05 00 00
                    - Unlimited password attempts
                    - user configuration writeable
                    - write access is protected with password
                 05 - Virtual Card Type Identifier is  default
 PWD  [18/0x12]: 00 00 00 00
 PACK [19/0x13]: 00 00 00 00

--- UL-EV1 / NTAG Version
       Raw bytes : 00 04 03 01 01 00 0B 03
       Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
    Product type : 03, Ultralight
 Product subtype : 01, 17 pF
   Major version : 01
   Minor version : 00
            Size : 0B (64 <-> 32 bytes)
   Protocol type : 03

--- Trying some known EV1/NTAG passwords.
Found default password: ff ff ff ff
Got PACK : 00 00 a0 1e

ULTRALIGHT (magic)

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight (MF0ICU1)
       UID : 04 11 22 33 44 55 66
    UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 0xBF - Ok
      BCC1 : 0x44 - Ok
  Internal : 0x00 - not default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

ULTRALIGHT (normal)

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight (MF0ICU1)
       UID : 04 46 ad 62 83 34 80
    UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 0x67 - Ok
      BCC1 : 0x55 - Ok
  Internal : 0x48 - default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

ULTRALIGHT-C (magic)

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
       UID : 04 11 22 33 44 55 66
    UID[0] : (Manufacturer Byte) = 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 0xBF - Ok
      BCC1 : 0x44 - Ok
  Internal : 0x48 - default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

--- UL-C Configuration
 Higher Lockbits [40/0x28]: 00 00 00 00  0000000000000000
         Counter [41/0x29]: 00 00 00 00  0000000000000000
           Auth0 [42/0x2A]: 30 00 00 00  - Pages above 48 needs authentication
           Auth1 [43/0x2B]: 01 00 00 00  - write access restricted
         deskey1 [44/0x2C]: 77 66 55 44
         deskey1 [45/0x2D]: 33 22 11 00
         deskey2 [46/0x2E]: ff ee dd cc
         deskey2 [47/0x2F]: bb aa 99 88
 3des key : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff

----------------
----------------
SAMPLE calling without authentication key

pm3 --> hf mfu i

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 00 00 00 00 00 00 00
    UID[0] : 00, Manufacturer: no tag-info available
      BCC0 : 00, crc should be 88
      BCC1 : 00, Ok
  Internal : 00, not default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00

--- UL-EV1 Counters
       [0] : 00 00 00
                    - 00 tearing failure
       [1] : 00 00 00
                    - 00 tearing failure
       [2] : 00 00 00
                    - 00 tearing failure
Error: tag didn't answer to READ SIGNATURE

SAMPLE calling with authentication key.

pm3 --> hf mfu i k 4af84b19

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 04 57 B6 E2 05 3F 80
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 6D, Ok
      BCC1 : 58, Ok
  Internal : 48, default
      Lock : 70 00  - 0000000001110000
OneTimePad : 00 00 00 00

--- UL-EV1 Counters
       [0] : 09 00 00
                    - BD tearing Ok
       [1] : 09 00 00
                    - BD tearing Ok
       [2] : 00 00 00
                    - BD tearing Ok

--- UL-EV1 Signature
IC signature public key name  : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : 79 69 D1 13 02 85 CB CE 8E AB 68 C9 BB D7 67 49 0A 41 4F 0D FA 4C 7F CD 9F 0A A0 B7 89 4A C3 3E


--- UL-EV1 Configuration
 cfg0 [16/0x10]: 00 00 00 00
                    - pages above 0 needs authentication
                    - strong modulation mode disabled
 cfg1 [17/0x11]: C0 05 00 00
                    - Unlimited password attempts
                    - user configuration permanently locked
                    - read and write access is protected with password
                 05 - Virtual Card Type Identifier is  default
 PWD  [18/0x12]: 00 00 00 00
 PACK [19/0x13]: 00 00 00 00

--- UL-EV1 / NTAG Version
       Raw bytes : 00 04 03 01 01 00 0B 03
       Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
    Product type : 03, Ultralight
 Product subtype : 01, 17 pF
   Major version : 01
   Minor version : 00
            Size : 0B (64 <-> 32 bytes)
   Protocol type : 03

Last edited by iceman (2015-05-25 10:19:48)

app_o1 · 2015-05-06 15:43:13

Brilliant.

asper · 2015-05-06 16:19:13

Very good improvement !

iceman · 2015-05-11 19:34:31

And thanks to @Marshmellow and @Asper, there is even more tags identified.

When all is done, it will detect:

Ultralight *
Ultralight-C *
Ultralight-EV1 (48)
Ultralight-EV1 (128)
NTAG 213
NTAG 215
NTAG 216
MY-D
MY-D NFC
MY-D MOVE
MY-D MOVE NFC

* also special test to detect if tag is UID changeable

Last edited by iceman (2015-05-11 19:35:35)

iceman · 2015-05-18 21:08:58

I talked with @Mashmellow, and we both agree that its time to make a PR and get it all into PM3 master now.

After that is done, we will start fixing "hf mfu read/write" then the "hf mfu" commands is done with its remake.

Kind of nice that we got both kinds of authentication UL-C (0x1A) && ULEV1/NTAG (0x1B) into this makeover.

iceman · 2015-05-19 10:03:42

For those who test this PR, I'll remind you that you will need to flash the firmware

marshmellow · 2015-05-19 19:47:53

Summary of new stuff:

Ultralight Specific:  (mostly iceman's contributions)

New Commands:
hf mfu setpwd <pwd (32 hex symbols)>  - Set 3des password - Ultralight-C
hf mfu setuid <uid (14 hex symbols)>  - Set UID - MAGIC tags only
hf mfu gen                            - Generate 3des mifare diversified keys (testing)

Modified Commands:
hf mfu rdbl b <block number> k <key> l   - Read block any UL / NTAG
hf mfu wrbl b <block number> k <key> l   - Write block any UL / NTAG
hf mfu dump k <key> n <filename> l    - Dump Ultralight / Ultralight-C / NTAG / MY-D tag to binary file and screen
hf mfu info k <key>                   - Get Tag information

Works With:
Mifare Ultralight
Mifare Ultralight C
Mifare Ultralight EV1
NTAG 203
NTAG 210
NTAG 212
NTAG 213
NTAG 215
NTAG 216
NTAG I2C
INFINEON MY_D(tm)
INFINEON MY_D(tm) NFC
INFINEON MY_D(tm) Move
INFINEON MY_D(tm) Move Lean
INFINEON MY_D(tm) Move NFC

Removed duplicate commands:
hf mfu crdbl
hf mfu cwrbl

also included:

hf search                             - search for valid HF tags (14a/MF, iclass, 15693)

still needed:

hf mfu ...           - allow key diversifications
hf search                             - add 14b tags to search

Last edited by marshmellow (2015-06-05 04:32:46)

asper · 2015-05-19 20:46:34

Hi marsh, I have troubles compiling your code, here it is the error:

marshmellow · 2015-05-19 20:52:11

sorry... missed the protocols.h file in a previous commit.... all fixed..

asper · 2015-05-19 21:24:15

It worked, thanx

iceman · 2015-05-19 21:41:04

@Asper just told me that NTAG203 is not identified. Which seems to be a hard tag to seperate from UL ..
It has the same atqa & sak, and doesn't have a GET_VERSION command,.. it does have a NDEF CC message..

REF: http://www.nxp.com/documents/data_sheet/NTAG203F.pdf

marshmellow · 2015-05-19 22:49:37

@asper, on the ntag 203 can you do a:
hf mfu dump q 46

a couple times and tell me what the last page it ever reads is?

thanks.

Last edited by marshmellow (2015-05-19 22:49:58)

asper · 2015-05-19 23:34:47

Tested at various distances (tag<->antenna); here is the log.
They seems to be 29(hex).

Last edited by asper (2015-05-19 23:35:25)

marshmellow · 2015-05-19 23:56:21

As I expected. I don't suppose you could post the trace? I'm curious what NAK on the higher blocks is.

Edit: never mind the NAK was 00... It is in the output

Last edited by marshmellow (2015-05-20 00:36:24)

iceman · 2015-05-20 07:25:01

@Asper, can you test to see if the NTAG 203 answers to 0x1B command?

marshmellow · 2015-05-20 17:21:18

@asper, i pushed a patch, can you see if it correctly identifies the ntag203 now?

asper · 2015-05-20 18:57:25

What exact raw command ice?

iceman · 2015-05-20 19:17:53

hf 14a raw -s -c 1b00000000

But first download the latest changes I pushed to my fork and recompile.

marshmellow · 2015-05-20 19:19:03

They will also be in my fork in 5 min

iceman · 2015-05-20 19:23:37

That's good Marsh!

if only I could put so much effort into , say something like getting the diversification of keys correct or figuring out a key-gen-algo... instead of correctly identifying tags....

Well, when the SHA-1 comes into the PM3, then another toy token will be able to get dumped

marshmellow · 2015-05-20 19:57:15

ok maybe a little longer than 5 minutes. had a few bugs to work out. but posted now.

asper · 2015-05-21 13:44:20

@ice (with your compiled build+firmware flashed):

pm3 --> hf 14a raw -s -c 1b00000000
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->

@marsh (with iceman build with his firmware flashed):

pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : Unknown 000000
UID : 04 F2 6E E2 0D 29 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : E1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: E1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
pm3 -->

Last edited by asper (2015-05-21 14:08:54)

asper · 2015-05-21 13:45:43

With your (marshmellow) client (without reflashing iceman's firmware):

proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : Unknown 000000
UID : 04 f2 6e e2 0d 29 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : e1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: e1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
proxmark3>

proxmark3> hf list 14a
Recorded Activity (TraceLen = 175 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 44 00 | |
7040 | 9504 | Rdr | 93 20 | | ANTICOLL
10676 | 16564 | Tag | 88 04 f2 6e 10 | |
18688 | 29216 | Rdr | 93 70 88 04 f2 6e 10 4d ad | | SELECT_UID
30388 | 33908 | Tag | 04 da 17 | |
35200 | 37664 | Rdr | 95 20 | | ANTICOLL-2
38836 | 44724 | Tag | e2 0d 29 80 46 | |
46848 | 57312 | Rdr | 95 70 e2 0d 29 80 46 6b 03 | | ANTICOLL-2
58548 | 62132 | Tag | 00 fe 51 | |
469376 | 474144 | Rdr | 30 00 02 a8 | | READBLOCK(0)
475316 | 496116 | Tag | 04 f2 6e 10 e2 0d 29 80 46 48 00 00 e1 10 12 00 | |
| | | 73 47 | |
proxmark3>

NOTE: the above tag is the NTAG203.

Last edited by asper (2015-05-21 14:09:13)

asper · 2015-05-21 13:59:33

This is an mfu info of ntag216 and ntag213:

proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
UID : 04 37 9f aa 16 3c 81
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 24, Ok
BCC1 : 01, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : e1 10 6d 00 - 00000000011011010001000011100001
--- NDEF Message
Capability Container: e1 10 6d 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
6D : Physical Memory Size: 880 bytes
6D : NDEF Memory Size: 872 bytes
00 : Read access granted without any security / Write access granted without any security
--- Tag Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 96 84 64 91 6c f5 19 27 ce 4f a9 1b 3b c9 fa d1 9b d5 bf 1f fe ae e8 61 97 9f 3e 2a 67 74 c7 60
--- Tag Version
Raw bytes : 00 04 04 02 01 00 13 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 13 (1024 <-> 512 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [16/0x10] : 04 00 00 ff
- pages don't need authentication
- strong modulation mode disabled
cfg1 [17/0x11] : 00 05 00 00
- Unlimited password attempts
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [18/0x12] : 00 00 00 00
PACK [19/0x13] : 00 00 00 00
--- Known EV1/NTAG passwords.
Found a default password: ff ff ff ff || Pack: 00 00
proxmark3>
proxmark3> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 213 144bytes (NT2H1311G0DU)
UID : 04 c4 37 32 a1 3e 80
UID[0] : 04, Manufacturer: NXP Semiconductors Germany
BCC0 : 7F, Ok
BCC1 : 2D, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : e1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: e1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
--- Tag Signature
IC signature public key name : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 2f 27 66 0a d9 cf f6 67 df a0 c8 55 c0 b1 92 d4 58 f3 6b 1c 69 80 34 ca a5 eb 16 0b 30 49 1e 81
--- Tag Version
Raw bytes : 00 04 04 02 01 00 0f 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 0F (256 <-> 128 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [16/0x10] : 04 00 00 ff
- pages don't need authentication
- strong modulation mode disabled
cfg1 [17/0x11] : 00 05 00 00
- Unlimited password attempts
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [18/0x12] : 00 00 00 00
PACK [19/0x13] : 00 00 00 00
--- Known EV1/NTAG passwords.
Found a default password: ff ff ff ff || Pack: 00 00
proxmark3>

iceman · 2015-05-21 15:30:48

@asper, interesting, the 203 answers a nack for the 0x1b try.
Can you test with the default key as below?

 hf 14a raw -s -c 1bffffffff

asper · 2015-05-21 15:36:17

pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 1bffffffff
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->

pm3 -->
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : Unknown 000000
UID : 04 F2 6E E2 0D 29 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : E1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: E1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
pm3 -->

Last edited by asper (2015-05-21 15:38:17)

iceman · 2015-05-21 15:51:23

Does that tag always answer with a NACK on other unsupported commands? like GETVERSION?

hf 14a raw -s -c 60

asper · 2015-05-21 17:01:21

Yeah:

pm3 --> hf 14a raw -s -c 60
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 69
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 73
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c 99
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->
pm3 --> hf 14a raw -s -c FF
received 7 octets
04 F2 6E E2 0D 29 80
received 1 octets
00
pm3 -->

marshmellow · 2015-05-21 17:05:23

oy.. there is a bug in the ntag203 detection. i am reading block 30 instead of 0x30 to find the end of the memory...

just fixed it in my fork

asper · 2015-05-21 19:58:06

I will test tomorrow.

asper · 2015-05-22 13:57:14

Yeah:

pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 203 144bytes (NT2H0301F0DT)
UID : 04 F2 6E E2 0D 29 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 10, Ok
BCC1 : 46, Ok
Internal : 48, default
Lock : 00 00 - 0000000000000000
OneTimePad : E1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: E1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
pm3 -->

marshmellow · 2015-05-22 14:00:11

Sweet...

iceman · 2015-05-22 14:29:50

Well done @Marshmellow!

marshmellow · 2015-06-02 20:10:59

our info command now can detect things nxp's tag info can't. a locked UL_C card shows as an UL in nxp's tag info, but shows correctly in ours

iceman · 2015-06-02 20:15:09

Finally, the PM3 client is better than nxp tag info! Do you have a sample of the outputs?

and lets make it even better!! ...(14b, 15)...

marshmellow · 2015-06-02 20:32:05

TagInfo on read/write locked tag

** TagInfo scan (version 3.0) 2015-05-22 11:27:54 **

-- INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
MIFARE Ultralight (MF0ICU1)

-- NDEF ------------------------------

# NFC data set storage not present:
Maximum NDEF storage size after format: 46 bytes

-- EXTRA ------------------------------

# Memory size:
64 bytes total memory
* 16 pages, with 4 bytes per page
* 48 bytes user memory (12 pages)

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms


# Detailed protocol information:
ID: 04:09:A9:7A:E0:2B:80
ATQA: 0x4400
SAK: 0x00

--------------------------------------

hf mfu info of same tag:

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight C (MF0ULC)  [2]
       UID : 04 09 a9 7a e0 2b 80  
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 2C - Ok
      BCC1 : 31 - Ok
  Internal : 48 -  default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00  - 00000000000000000000000000000000

Trying some default 3des keys
#db# NAK - Authentication failed.       
#db# Cmd Error: 00       
#db# Authentication failed       
#db# NAK - Authentication failed.       
#db# Cmd Error: 00       
#db# Authentication failed       
#db# NAK - Authentication failed.       
#db# Cmd Error: 00       
#db# Authentication failed       
Found default 3des key: 
         deskey1 [44/0x2C]: 42 52 45 41  [BREA]
         deskey1 [45/0x2D]: 4b 4d 45 49  [KMEI]
         deskey2 [46/0x2E]: 46 59 4f 55  [FYOU]
         deskey2 [47/0x2F]: 43 41 4e 21  [CAN!]

3des key : 49 45 4d 4b 41 45 52 42 21 4e 41 43 55 4f 59 46 
Tag appears to be locked, try using the key to get more info

TagInfo on tag before locked:

** TagInfo scan (version 3.0) 2015-04-28 12:33:55 **

-- INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
MIFARE Ultralight C (MF0ICU2)

-- NDEF ------------------------------

# NFC data set storage not present:
Maximum NDEF storage size after format: 137 bytes

-- EXTRA ------------------------------

# Memory size:
192 bytes total memory
* 48 pages, with 4 bytes per page
* 144 bytes user memory (36 pages)

# Authentication information:
Default sample key

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms


# Detailed protocol information:
ID: 04:09:A9:7A:E0:2B:80
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] *  04:09:A9 2C (UID0-UID2, BCC0)
[01] *  7A:E0:2B:80 (UID3-UID6)
[02] .  31 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  00:00:00:00 (OTP0-OTP3)
[04] .  02 00 00 10 |....|
[05] .  00 06 01 10 |....|
[06] .  11 FF 00 00 |....|
[07] .  00 00 00 00 |....|
[08] .  00 00 00 00 |....|
[09] .  00 00 00 00 |....|
[0A] .  00 00 00 00 |....|
[0B] .  00 00 00 00 |....|
[0C] .  00 00 00 00 |....|
[0D] .  00 00 00 00 |....|
[0E] .  00 00 00 00 |....|
[0F] .  00 00 00 00 |....|
[10] .  00 00 00 00 |....|
[11] .  00 00 00 00 |....|
[12] .  00 00 00 00 |....|
[13] .  00 00 00 00 |....|
[14] .  00 00 00 00 |....|
[15] .  00 00 00 00 |....|
[16] .  00 00 00 00 |....|
[17] .  00 00 00 00 |....|
[18] .  00 00 00 00 |....|
[19] .  00 00 00 00 |....|
[1A] .  00 00 00 00 |....|
[1B] .  00 00 00 00 |....|
[1C] .  00 00 00 00 |....|
[1D] .  00 00 00 00 |....|
[1E] .  00 00 00 00 |....|
[1F] .  00 00 00 00 |....|
[20] .  00 00 00 00 |....|
[21] .  00 00 00 00 |....|
[22] .  00 00 00 00 |....|
[23] .  00 00 00 00 |....|
[24] .  00 00 00 00 |....|
[25] .  00 00 00 00 |....|
[26] .  00 00 00 00 |....|
[27] .  00 00 00 00 |....|
[28] .  00 00 -- -- (LOCK2-LOCK3)
[29] .  00 00 -- -- (CNT0-CNT1, value: 0)
[2A] .  30 -- -- -- (AUTH0)
[2B] .  00 -- -- -- (AUTH1)
[2C] .- 42 52 45 41 |BREA|
[2D] .- 4B 4D 45 49 |KMEI|
[2E] .- 46 59 4F 55 |FYOU|
[2F] .- 43 41 4E 21 |CAN!|

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

--------------------------------------

Last edited by marshmellow (2015-06-02 20:37:34)

iceman · 2015-06-02 20:42:38

interesting to see their dump layout.. with -- and only hex..

asper · 2015-06-03 07:46:47

Fantastic! If you need help in getting 14443B and 15693 info just ask !

Last edited by asper (2015-06-03 08:04:30)

app_o1 · 2015-06-03 13:35:27

It is like Christmas! Awesome job lads!

marshmellow · 2015-06-18 23:10:52

added another one:

proxmark3> hf mfu info

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : FUDAN Ultralight Compatible (or other compatible)
       UID : 04 64 9d 1a 54 00 00
    UID[0] : 04, NXP Semiconductors Germany
      BCC0 : 75, Ok
      BCC1 : 4E, Ok
  Internal : 48, default
      Lock : 00 00  - 0000000000000000
OneTimePad : 00 00 00 00  - 00000000000000000000000000000000

iceman · 2015-06-19 14:33:50

Great! Fudan UL compatible, is it special in some kind of way like magic or has different commands? or responses?

marshmellow · 2015-06-19 14:36:35

Nope, just an attempt to pass as a true UL. And it does fool just about every reader I know. Except the pm3 now

marshmellow · 2015-06-19 14:37:43

But it doesn't have all the same error responses as the original.

iceman · 2015-06-19 14:39:24

I skimmed the code, but the detection is based on?

marshmellow · 2015-06-19 15:09:55

00 error instead of 01 error to crc error. I believe there are other imitations that have a similar issue which is why I labelled it or other compatible

Last edited by marshmellow (2015-06-19 15:19:29)

marshmellow · 2015-06-19 15:11:25

But I know the tags I'm testing are a fudan. If I find a better test I'll implement it.

iceman · 2015-06-19 15:18:08

ok, I saw the faulty crc and was thinking that I havn't test for that on tags..

my_fair_cats_sick · 2017-02-23 22:08:37

@iceman, is this in your branch as well? I was running something trying to look at this and the command format looks a little different.

my_fair_cats_sick · 2017-02-23 22:12:29

also, is there anything out there to brute force the 8 byte key or crack these for reading?

iceman · 2017-02-23 23:03:09

This is in PM3 master. (and of course in mine)

You need to know what the tag is and if there is some limits on faulty auths. If there is you may permalock.

Feel free to add a bruteforce

Proxmark3 community

Announcement

#1 2015-05-05 22:11:57

[FINISHED] Changes to: HF MFU INFO

#2 2015-05-06 15:43:13

Re: [FINISHED] Changes to: HF MFU INFO

#3 2015-05-06 16:19:13

Re: [FINISHED] Changes to: HF MFU INFO

#4 2015-05-11 19:34:31

Re: [FINISHED] Changes to: HF MFU INFO

#5 2015-05-18 21:08:58

Re: [FINISHED] Changes to: HF MFU INFO

#6 2015-05-19 10:03:42

Re: [FINISHED] Changes to: HF MFU INFO

#7 2015-05-19 19:47:53

Re: [FINISHED] Changes to: HF MFU INFO

#8 2015-05-19 20:46:34

Re: [FINISHED] Changes to: HF MFU INFO

#9 2015-05-19 20:52:11

Re: [FINISHED] Changes to: HF MFU INFO

#10 2015-05-19 21:24:15

Re: [FINISHED] Changes to: HF MFU INFO

#11 2015-05-19 21:41:04

Re: [FINISHED] Changes to: HF MFU INFO

#12 2015-05-19 22:49:37

Re: [FINISHED] Changes to: HF MFU INFO

#13 2015-05-19 23:34:47

Re: [FINISHED] Changes to: HF MFU INFO

#14 2015-05-19 23:56:21

Re: [FINISHED] Changes to: HF MFU INFO

#15 2015-05-20 07:25:01

Re: [FINISHED] Changes to: HF MFU INFO

#16 2015-05-20 17:21:18

Re: [FINISHED] Changes to: HF MFU INFO

#17 2015-05-20 18:57:25

Re: [FINISHED] Changes to: HF MFU INFO

#18 2015-05-20 19:17:53

Re: [FINISHED] Changes to: HF MFU INFO

#19 2015-05-20 19:19:03

Re: [FINISHED] Changes to: HF MFU INFO

#20 2015-05-20 19:23:37

Re: [FINISHED] Changes to: HF MFU INFO

#21 2015-05-20 19:57:15

Re: [FINISHED] Changes to: HF MFU INFO

#22 2015-05-21 13:44:20

Re: [FINISHED] Changes to: HF MFU INFO

#23 2015-05-21 13:45:43

Re: [FINISHED] Changes to: HF MFU INFO

#24 2015-05-21 13:59:33

Re: [FINISHED] Changes to: HF MFU INFO

#25 2015-05-21 15:30:48

Re: [FINISHED] Changes to: HF MFU INFO

#26 2015-05-21 15:36:17

Re: [FINISHED] Changes to: HF MFU INFO

#27 2015-05-21 15:51:23

Re: [FINISHED] Changes to: HF MFU INFO

#28 2015-05-21 17:01:21

Re: [FINISHED] Changes to: HF MFU INFO

#29 2015-05-21 17:05:23

Re: [FINISHED] Changes to: HF MFU INFO

#30 2015-05-21 19:58:06

Re: [FINISHED] Changes to: HF MFU INFO

#31 2015-05-22 13:57:14

Re: [FINISHED] Changes to: HF MFU INFO

#32 2015-05-22 14:00:11

Re: [FINISHED] Changes to: HF MFU INFO

#33 2015-05-22 14:29:50

Re: [FINISHED] Changes to: HF MFU INFO

#34 2015-06-02 20:10:59

Re: [FINISHED] Changes to: HF MFU INFO

#35 2015-06-02 20:15:09

Re: [FINISHED] Changes to: HF MFU INFO

#36 2015-06-02 20:32:05

Re: [FINISHED] Changes to: HF MFU INFO

#37 2015-06-02 20:42:38

Re: [FINISHED] Changes to: HF MFU INFO

#38 2015-06-03 07:46:47

Re: [FINISHED] Changes to: HF MFU INFO

#39 2015-06-03 13:35:27

Re: [FINISHED] Changes to: HF MFU INFO