Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello,
Just a little question about NTAG216.
I would like (even if I don't know the password) to make a partial copy from a genuine tag with hf mfu dump.
I tried the command for Ultralight C and it's OK, but not for NTAG216:
pm3 --> hf mfu dump
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
Reading tag memory...
Command execute time-out
pm3 -->
I also tried to dump my NTAG216 from Lab401, so with the default key, but same problem:
pm3 --> hf mfu dump k FFFFFFFF
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
Reading tag memory...
Command execute time-out
pm3 -->
However, I can read it without issue with my S7 phone.
Anybody have an idea?
Thanks
Last edited by Shashadow (2018-05-03 22:08:57)
Are you running on the latest source from github? (just to make sure)
Hmmm... from last week, is it the latest source? (because you update very often :-) )
My actual source:
pm3 --> hw version
[[[ Cached information ]]]
Proxmark3 RFID instrument
[ ARM ]
bootrom: iceman// 2018-04-25 09:05:27
os: iceman// 2018-04-25 09:05:39
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 235219 bytes (45%) Free: 289069 bytes (55%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hw tune
measuring antenna characteristics, please wait...
...
LF antenna: 30.02 V - 125.00 kHz
LF antenna: 21.95 V - 134.00 kHz
LF optimal: 29.88 V - 123.71 kHz
[+] LF antenna is OK
HF antenna: 19.57 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
pm3 -->
And it's not a distance issue, I tried lots of different distances too.
Last edited by Shashadow (2018-05-03 19:38:29)
I get the feeling this is related to your other post about magic ntag21x...
Anyway, you say it is a genuine tag, so,
hf 14a info
hf mfu info
hf list 14a
Your feeling is good :-)
Info for my genuine tag:
pm3 --> hf 14a info
UID : 04 C2 5D BA 10 57 80
ATQA : 00 44
SAK : 00 [2]
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
pm3 -->
pm3 -->
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
UID : 04 C2 5D BA 10 57 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 13, Ok
BCC1 : 7D, Ok
Internal : 48, default
Lock : 00 00 - 00
OneTimePad : E1 10 6D 00 - 2110
--- NDEF Message
Capability Container: E1 10 6D 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
6D : Physical Memory Size: 880 bytes
6D : NDEF Memory Size: 872 bytes
00 : Read access granted without any security / Write access granted without any security
--- Tag Signature
IC signature public key name : NXP NTAG21x (2013)
IC signature public key value : 04 49 4E 1A 38 6D 3D 3C FE 3D C1 0E 5D E6 8A 49 9B 1C 20 2D B5 B1 32 39 3E 89 ED 19 FE 5B E8 BC 61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 92 E8 2F 1E DB 9C 20 E9 B8 BF 3A 91 1E 91 70 5A 8B 4C BF 8C 22 D8 47 C1 11 7D 2B 21 05 EB E4 03
--- Tag Version
Raw bytes : 00 04 04 02 01 00 13 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 13, (1024 <-> 512 bytes)
Protocol type : 03 (ISO14443-3 Compliant)
--- Tag Configuration
cfg0 [227/0xE3] : 04 00 00 02
- strong modulation mode disabled
- page 2 and above need authentication
cfg1 [228/0xE4] : 00 05 00 00
- Unlimited password attempts
- NFC counter disabled
- NFC counter password protection enabled
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [229/0xE5] : 00 00 00 00 - (cannot be read)
PACK [230/0xE6] : 00 00 - (cannot be read)
RFU [230/0xE6] : 00 00 - (cannot be read)
--- Known EV1/NTAG passwords.
password not known
pm3 -->
pm3 -->
pm3 --> hf list 14a
trace pointer not allocated
Recorded Activity (TraceLen = 133 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2244 | 4612 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |88 04 c2 5d 13 | |
19456 | 29984 | Rdr |93 70 88 04 c2 5d 13 b2 85 | ok | SELECT_UID
31172 | 34692 | Tag |04 da 17 | |
36096 | 38560 | Rdr |95 20 | | ANTICOLL-2
39748 | 45572 | Tag |ba 10 57 80 7d | |
48512 | 58976 | Rdr |95 70 ba 10 57 80 7d 94 7b | ok | ANTICOLL-2
60228 | 63812 | Tag |00 fe 51 | |
pm3 -->
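To make sense of the "hf mfu info" output above, here is an added decoder (not Proxmark3 client code) that takes the exact bytes printed for this tag and recomputes the BCC check bytes, the NDEF memory size from the capability container, the size range from the GET_VERSION answer, and the password-protection settings from the cfg0/cfg1 pages. The field layouts follow the NXP NTAG21x datasheet; the byte values are copied from the thread.

```python
# Added example: decode NTAG21x system fields as printed by "hf mfu info".
# Byte values copied from the output above; layouts per the NTAG21x datasheet.

# Pages 0-2: UID0-2, BCC0 | UID3-6 | BCC1, internal, lock bytes
PAGES_0_2 = bytes.fromhex("04C25D13" "BA105780" "7D480000")
CC = bytes.fromhex("E1106D00")              # page 3, capability container
VERSION = bytes.fromhex("0004040201001303") # GET_VERSION answer
CFG0 = bytes.fromhex("04000002")            # page 227/0xE3
CFG1 = bytes.fromhex("00050000")            # page 228/0xE4


def check_bcc(pages: bytes) -> tuple[bool, bool]:
    """ISO14443-3 cascade check bytes.

    BCC0 = 0x88 (cascade tag) ^ UID0 ^ UID1 ^ UID2, stored in page 0 byte 3.
    BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6, stored in page 2 byte 0.
    """
    bcc0 = 0x88 ^ pages[0] ^ pages[1] ^ pages[2]
    bcc1 = pages[4] ^ pages[5] ^ pages[6] ^ pages[7]
    return bcc0 == pages[3], bcc1 == pages[8]


def ndef_memory_bytes(cc: bytes) -> int:
    """CC byte 2 gives the NDEF memory size in units of 8 bytes (0x6D -> 872)."""
    return cc[2] * 8


def version_size_range(version: bytes) -> tuple[int, int]:
    """Size byte: bits 7..1 are log2(size); LSB set means 'between 2^n and 2^(n+1)'."""
    n = version[6] >> 1
    if version[6] & 1:
        return 2 ** n, 2 ** (n + 1)
    return 2 ** n, 2 ** n


def decode_config(cfg0: bytes, cfg1: bytes) -> dict:
    """AUTH0 is cfg0 byte 3; ACCESS is cfg1 byte 0 (PROT, CFGLCK, NFC_CNT_EN, AUTHLIM)."""
    access = cfg1[0]
    return {
        "auth0": cfg0[3],                              # first page needing authentication
        "write_only_protected": not (access & 0x80),   # PROT=0: reads stay open
        "config_locked": bool(access & 0x40),          # CFGLCK
        "counter_enabled": bool(access & 0x10),        # NFC_CNT_EN
        "auth_limit": access & 0x07,                   # 0 = unlimited attempts
    }


if __name__ == "__main__":
    print(check_bcc(PAGES_0_2), ndef_memory_bytes(CC), version_size_range(VERSION))
    print(decode_config(CFG0, CFG1))
```

With this tag's values the BCCs verify, the NDEF area is 872 bytes, and PROT=0 with AUTH0=2 means only writes from page 2 upward require the password, which is why unauthenticated reads (and a partial dump) still work.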
Just for info:
I tried with my magic NTAG21x. If I change it to NTAG213, I can make a dump with hf mf dump,
but when I switch it to NTAG216, the dump doesn't work anymore.
The issue seems to affect the 216 version only.
The issue exists with the 215 tag also.
Other types seem OK.
Last edited by Shashadow (2018-05-03 20:21:28)
Hmmm, very strange.
If I pass the card on my phone with the apps "NXP TagInfo" and "NXP TagWriter", I have the same size with TagInfo for both cards (888), but it's not the case for TagWriter (888 for genuine, and ... 46 for NTAG21x).
A beginning of a clue?
http://lufia.konyxia.com/screenshot2/
However, I don't think it's the cause of the dump trouble, because both cards can't be dumped... but weird anyway.
Last edited by Shashadow (2018-05-03 20:58:27)
Hm.. the timeout limit was 1.5 s. If you get the latest source from github, I have pushed a potential fix where I increased the timeout limit to 2.5 s.
hf mf dbg 3
hf mfu dump
hf 14a list
OK, I will try the latest source, I'll come back very soon.
Dunno what the TagWriter uses for commands, but you can use the pm3 to sniff it.
Software and OS updated, I'm up to date :-)
pm3 --> hw version
[[[ Cached information ]]]
Proxmark3 RFID instrument
[ ARM ]
bootrom: iceman// 2018-05-03 22:04:09
os: iceman// 2018-05-03 22:04:21
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 235271 bytes (45%) Free: 289017 bytes (55%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
The dump is not better.
I put the output of "hf 14a list" here because it's really long:
http://lufia.konyxia.com/screenshot2/hf14alist.txt
pm3 --> hf mf dbg 3
#db# Debug level: 3
pm3 --> hf mfu dump
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
Reading tag memory...
[!] Command execute time-out
pm3 -->
That 14a list explains a lot.
Try hf mf dbg 4 and get some more details..
It's almost the same with dbg 4...
except that for the command "hf mfu dump" I get the number of blocks read (231):
pm3 --> hf mfu dump
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
Reading tag memory...
[!] Command execute time-out
#db# Blocks read 231
Here is the full output:
http://lufia.konyxia.com/screenshot2/hf14alist2.txt
hold on, I think I found it...
pull latest, flash, and it should work again!
...
What more can I say except you're the best :-)
pm3 --> hf mfu dump
TYPE : NTAG 216 888bytes (NT2H1611G0DU)
Reading tag memory...
#db# Blocks read 231
[!] Authentication Failed UL-EV1/NTAG
*special* data
DataType | Data | Ascii
----------+-------------------------+---------
Version | 00 04 04 02 01 00 13 03 | ........
TBD | 00 00 | ..
Tearing | 00 00 00 | ...
Pack | 00 00 | ..
TBD | 00 | .
Signature1| 92 E8 2F 1E DB 9C 20 E9 B8 BF 3A 91 1E 91 70 5A | ../... ...:...pZ
Signature2| 8B 4C BF 8C 22 D8 47 C1 11 7D 2B 21 05 EB E4 03 | .L..".G..}+!....
-------------------------------------------------------------
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 04 C2 5D 13 | | ..].
1/0x01 | BA 10 57 80 | | ..W.
2/0x02 | 7D 48 00 00 | | }H..
3/0x03 | E1 10 6D 00 | 0 | ..m.
4/0x04 | 03 90 D1 01 | 0 | ....
5/0x05 | 8C 54 02 65 | 0 | .T.e
6/0x06 | 6E 31 34 39 | 0 | n149
7/0x07 | 36 39 31 38 | 0 | 6918
8/0x08 | 32 36 36 30 | 0 | 2660
9/0x09 | 31 34 30 30 | 0 | 1400
...
226/0xE2 | 00 00 00 BD | 0 | ....
227/0xE3 | 04 00 00 02 | 0 | ....
228/0xE4 | 00 05 00 00 | 0 | ....
229/0xE5 | 00 00 00 00 | 0 | ....
230/0xE6 | 00 00 00 00 | 0 | ....
---------------------------------
[+] Dumped 243 pages, wrote 972 bytes to 04C25DBA105780.bin
[!] Partial dump created. (231 of 231 blocks)
pm3 -->
Thank you mister
You can turn off debugging now, and I suggest you edit your first post in this thread and add the "[solved]" prefix to your title.
Just for my understanding.
Now I have cloned all blocks from my genuine NTAG216 to my magic NTAG216.
I have 231 blocks (from 0 to 230), all are readable, I just have block 229 (PWD) and block 230 (PACK) not readable (and so not copied).
Does this mean the card reader tries, besides checking the data in the card, to also check if PWD and PACK are good?
Or are they just used to modify data when we put or change data in the card?
Last edited by Shashadow (2018-05-03 23:06:42)
It's time to hit the datasheets, to understand what is possible and not. If you are asking what your card reader is doing, I don't know. Read its manual, EV datasheet, sniff traffic, etc. in order to figure out what it's doing.
However, that is another question than what this thread is about.