Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2021-02-18 04:49:01

rumeye
Contributor
Registered: 2021-02-14
Posts: 4

Mifare Ultralight Clone

Hey everyone,

First post here so bear with me... I've completed my intro post and have recently obtained a proxmark3. I am still learning how to use the device and I think I've started with the most challenging card to clone.

I am using my hotel key which is an Ultralight EV1 (48 bytes). I am trying to see if I can clone my card and develop an understanding of the card's settings.

I have tried several different methods to obtain information from the card and learned that it is protected by a password. Common default ones do not work. I have used the sniff command to obtain the activity on the card and believe I have identified the hex data where the password is stored (based off reading other posts and information posted by Iceman).

I found this:
208464 |  216688 | Rdr | 1b 9e 97 6d 68 68 8c
                   ok  |  PWD-AUTH KEY:  0x9e976d68

Since I have this information - is this the password key or do I need to somehow decrypt this data?

I tried to do a dump command using variations of the above key and converting the bin file to an eml file. However, when I tried to load the eml file (using eload command) proxmark says the file is not found or locked "-u.eml".

Does anyone have any suggestions or places I can read up a little more on this process? I haven't had much luck elsewhere.

Offline

#2 2021-02-18 11:49:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mifare Ultralight Clone

if you are on latest RRG/Iceman ,   since we are doing the cliparser change there is mismatch with "hf mfu eload" right now.
You will need to use the  "hf mf eload -h"  instead to load an ultralight dump to the emulator memory.

You would use the pwd when running the dump command to get a complete dump.

Offline

#3 2021-02-20 19:47:46

rumeye
Contributor
Registered: 2021-02-14
Posts: 4

Re: Mifare Ultralight Clone

Hey Iceman - that worked!

Thanks for your help. I did the 'hf mu' command and got it to simulate.

Now I am just working on getting it on to a magic card instead of simulating through the device. yikes/

Offline

#4 2021-04-30 21:30:37

zissilia
Contributor
From: Greece
Registered: 2020-10-12
Posts: 31

Re: Mifare Ultralight Clone

hallo i have one metro  card tag  ISO14443-A
how can clone and how can read inside ? i am beginner
after this command what can do?

[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101)
[+]        UID: 04 15 B6 F2 BD 69 81
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 2F (ok)
[+]       BCC1: A7 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: 00 00 00 00  - 0000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 01 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 01 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: E0FDFD22DF397D51F47F03F3F7555CEAF8289DDF4169BDF93368361E0EA064A9
[+]        Signature verification ( successful )

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0E 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0E, (128 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

Offline

#5 2021-04-30 21:44:27

zissilia
Contributor
From: Greece
Registered: 2020-10-12
Posts: 31

Re: Mifare Ultralight Clone

hallo i have one metro  card tag  ISO14443-A
how can clone and how can read inside ? i am beginner
after this command what can do?

[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101)
[+]        UID: 04 15 B6 F2 BD 69 81
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 2F (ok)
[+]       BCC1: A7 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: 00 00 00 00  - 0000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 01 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 01 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: E0FDFD22DF397D51F47F03F3F7555CEAF8289DDF4169BDF93368361E0EA064A9
[+]        Signature verification ( successful )

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0E 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0E, (128 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

Last edited by zissilia (2021-05-16 09:35:00)

Offline

Pages: 1

Board footer

Powered by FluxBB