Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2016-04-18 12:50:58
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
New Mifare Ultralight tag and backdoor commands.
I got some magic Midare Ultralight keyfobs from a forum user, stating that they respondes to the chinese magic backdoor commands. S/he also said they needed to be sent before modifications to Block0,1..
hf 14a read
pm3 --> hf 14a re
UID : 53 98 21 20 00 79 80
ATQA : 00 44
SAK : 00 [2]
TYPE : MIFARE Ultralight (MF0ICU1)
MANUFACTURER : no tag-info available
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands (GEN1): YES <--- look here!hf mfu info
pm3 --> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight (MF0ICU1) <--- currently not identified as magic in our imp.
UID : 53 98 21 20 00 79 80
UID[0] : 53, no tag-info available
BCC0 : 62, Ok
BCC1 : D9, Ok
Internal : 48, default
Lock : 00 00 - 0
OneTimePad : 00 00 00 00 - 000hf list 14a
pm3 --> hf list 14a
Recorded Activity (TraceLen = 199 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 53 98 21 62 | |
18688 | 29152 | Rdr |93 70 88 53 98 21 62 76 cc | ok | SELECT_UID
30388 | 33908 | Tag |04 da 17 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38836 | 44724 | Tag |20 00 79 80 d9 | |
46848 | 57312 | Rdr |95 70 20 00 79 80 d9 86 3a | ok | ANTICOLL-2
58548 | 62132 | Tag |00 fe 51 | |
1047168 | 1051936 | Rdr |e0 80 31 73 | ok | RATS
2333568 | 2334560 | Rdr |40 | | MAGIC WUPC1
2336052 | 2336628 | Tag |0a! | |
2340608 | 2341920 | Rdr |43 | | MAGIC WUPC2
2343092 | 2343668 | Tag |0a! | |
2347648 | 2352416 | Rdr |50 00 57 cd | ok | HALT
pm3 -->Offline
#2 2016-04-18 13:02:54
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
Writing to block 0, using the raw commands works.
pm3 --> hf 14a raw -p -b 7 40
received 1 octets
0A
pm3 --> hf 14a raw -p 43
received 1 octets
0A
pm3 --> hf 14a raw -p -c a20059982120
received 1 octets
0A
pm3 --> hf li 14a
Recorded Activity (TraceLen = 266 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 53 98 21 62 | |
18688 | 29152 | Rdr |93 70 88 53 98 21 62 76 cc | ok | SELECT_UID
30388 | 33908 | Tag |04 da 17 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38836 | 44724 | Tag |20 00 79 80 d9 | |
46848 | 57312 | Rdr |95 70 20 00 79 80 d9 86 3a | ok | ANTICOLL-2
58548 | 62132 | Tag |00 fe 51 | |
1047168 | 1051936 | Rdr |e0 80 31 73 | ok | RATS
2333440 | 2334432 | Rdr |40 | | MAGIC WUPC1
2335924 | 2336500 | Tag |0a! | |
2340480 | 2341792 | Rdr |43 | | MAGIC WUPC2
2342964 | 2343540 | Tag |0a! | |
2347520 | 2352288 | Rdr |50 00 57 cd | ok | HALT
3609728 | 3610720 | Rdr |40 | | MAGIC WUPC1
3612340 | 3612916 | Tag |0a! | |
4859904 | 4861216 | Rdr |43 | | MAGIC WUPC2
4862516 | 4863092 | Tag |0a! | |
24320384 | 24329760 | Rdr |a2 00 59 98 21 20 00 c7 | ok | WRITEBLOCK(0)
24372532 | 24373108 | Tag |0a! | |Offline
#3 2016-04-18 13:20:36
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
The "hf mf cgetblk" works, but remember these commands works on 16bytes size, not 4 like the UL has.
pm3 --> hf mf cgetblk 0
--block number: 0
data: 53 80 71 2A 02 00 D9 80 5B 48 00 00 00 00 00 00
pm3 --> hf mf cgetblk 1
--block number: 1
data: 02 00 D9 80 5B 48 00 00 00 00 00 00 00 00 00 00
pm3 --> hf mf cgetblk 2
--block number: 2
data: 5B 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pm3 -->Offline
#4 2016-04-18 13:21:29
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
Don't use the "hf mf csetuid", that will ruin it.
the "hf mfu setuid" doesn't work either.
Offline
#5 2016-04-20 09:26:53
- Danz
- Contributor
- From: Dubai
- Registered: 2015-10-24
- Posts: 98
Re: New Mifare Ultralight tag and backdoor commands.
Great so where do you suggest we get ultralight Chinese cards and the only commands we should use in order not to ruin it ?
I got one from xpfga and ruin it the same way above.
Offline
#6 2016-04-20 10:25:20
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
You are lucky that it is based on backdoor commands.
You can easily re-write it the raw commands as seen above.
If you screwed up block 0,1,2 (where the uid is located) then just don't use the select option in raw cmd.
and write 3 new blocks with correct BBC and CRC
Offline
#7 2016-05-15 18:53:52
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
I changed my 'remagic.luc' script to revive these cards also. "script run remagic -u"
I've also been curious on these backdoor commands, trying to understand what they do.
We know since before that:
0x40 is init.
0x41 is wipe
0x43 is not keys needed for reading and writing. it just runs the commands given afterwards.
0x40, init backdoor mode
0x41, wipe fills card with 0xFF
0x42, fills card with 0x00
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
0x44, fills card with 0x55
0x45, fills card with 0xAA
0x46, fills card with 0x00
0x47, ??
0x48, ??
0x49, ??
used commands:
pm3 --> hf 14a raw -p -a -b 7 40
pm3 --> hf 14a raw -p -a 44Offline
#8 2016-05-15 18:54:42
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
The 0x47, 0x48, 0x49 is accepted with a 0x0A but what to do next?
Offline
#9 2017-03-24 00:35:10
- clayer
- Contributor
- Registered: 2013-12-22
- Posts: 45
Re: New Mifare Ultralight tag and backdoor commands.
i`ve killed down magic UL tag
proxmark3> hf 14a re
iso14443a card select failed
but
proxmark3> hf mf cgetblk 0
--block number: 0
block data:04 01 02 8f ff ff ff ff ff ff ff ff ff ff ff ff
revive commands doesn`t help to get back tag.
How i can restore to work condition?
Which raw command must send?
Offline
#10 2017-03-24 03:24:28
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: New Mifare Ultralight tag and backdoor commands.
which software are you using?
which version of magic ul was it? Looks like magic UL which answers to backdoor cmds.
if it is, you can use hf 14a raw or hf mf csetbl commands to write new data to the first three blocks. ie blocks 0,1,2
For speed, just dump a working UL card, and take its three first blocks to make your magic UL work again 
Offline
#11 2017-04-11 00:35:30
- Danz
- Contributor
- From: Dubai
- Registered: 2015-10-24
- Posts: 98
Re: New Mifare Ultralight tag and backdoor commands.
I've dump it block by block last year on UL magic card .. worked perfectly ! didn't use csetuid or mfu set.
Offline