Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hello community!
I have a Mifare Ultralight tag with which it is only possible to read 34 pages of memory. The rest of the pages are encrypted with the key.
I went to the access device (door lock) and sniffed the traffic between it and the tag. Here it is:
https://pastebin.com/raw/d6gT7cxT
Now my question is:
Is it possible to recover or calculate a password (key) from this data? Where to begin?
Some logs:
[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101)
[+] Reading tag memory...
[#] Cmd Error: 00
[#] Read block 34 error
[!] ⚠ Authentication Failed UL-EV1/NTAG
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 34 21 01 01 00 0E 03
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | AD 9F FB 45 F7 61 50 A8 EC 68 E8 B6 A8 79 F6 02 BB 03 BA F6 7D 64 C2 E6 14 AC D1 58 1A 9C 5D 70
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 32 (132 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 34 D7 08 63 | | 4..c
[=] 1/0x01 | C9 65 AC D8 | | .e..
[=] 2/0x02 | D8 00 78 00 | | ..x.
[=] 3/0x03 | 85 03 C4 47 | 1 | ...G
[=] 4/0x04 | 82 4C 1B DA | 1 | .L..
[=] 5/0x05 | 4B B8 B9 A5 | 1 | K...
[=] 6/0x06 | 81 A8 CE AA | 1 | ....
[=] 7/0x07 | 00 00 00 00 | 0 | ....
[=] 8/0x08 | 00 00 00 00 | 0 | ....
[=] 9/0x09 | 00 00 00 00 | 0 | ....
[=] 10/0x0A | 00 00 00 00 | 0 | ....
[=] 11/0x0B | 00 00 00 00 | 0 | ....
[=] 12/0x0C | 00 00 00 00 | 0 | ....
[=] 13/0x0D | 00 00 00 00 | 0 | ....
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 00 00 | 0 | ....
[=] 16/0x10 | 2C C9 F7 89 | 0 | ,...
[=] 17/0x11 | 00 00 00 00 | 0 | ....
[=] 18/0x12 | 00 00 00 00 | 0 | ....
[=] 19/0x13 | 00 00 00 00 | 0 | ....
[=] 20/0x14 | 2C C9 F7 89 | 0 | ,...
[=] 21/0x15 | 00 00 00 00 | 0 | ....
[=] 22/0x16 | 00 00 00 00 | 0 | ....
[=] 23/0x17 | 00 00 00 00 | 0 | ....
[=] 24/0x18 | 2C C9 F7 89 | 0 | ,...
[=] 25/0x19 | 00 00 00 00 | 0 | ....
[=] 26/0x1A | 00 00 00 00 | 0 | ....
[=] 27/0x1B | 00 00 00 00 | 0 | ....
[=] 28/0x1C | 00 00 00 00 | 0 | ....
[=] 29/0x1D | 00 00 00 00 | 0 | ....
[=] 30/0x1E | 00 00 00 00 | 0 | ....
[=] 31/0x1F | 00 00 00 00 | 0 | ....
[=] 32/0x20 | 00 00 00 00 | 0 | ....
[=] 33/0x21 | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 192 bytes to binary file hf-mfu-34D708C965ACD8-dump-2.bin
[+] saved to json file hf-mfu-34D708C965ACD8-dump-2.json
[!] ⚠ Partial dump created. (34 of 41 blocks)
Last edited by dirh (2022-01-07 15:28:38)
Offline
unlucky, the reader newer did an authentication.
What is the output from
hf mfu info
Offline
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101)
[+] UID: 34 D7 08 C9 65 AC D8
[+] UID[0]: 34, Mikron JSC Russia
[+] BCC0: 63 (ok)
[+] BCC1: D8 (ok)
[+] Internal: 00 (not default)
[+] Lock: 78 00 - 0111100000000000
[+] OneTimePad: 85 03 C4 47 - 10000101000000111100010001000111
[=] --- Tag Counters
[=] [0]: 00 00 00
[+] - 00 tearing ( fail )
[=] [1]: 00 00 00
[+] - 00 tearing ( fail )
[=] [2]: 00 00 00
[+] - 00 tearing ( fail )
[=] --- Tag Signature
[=] IC signature public key name: MIKRON Public key
[=] IC signature public key value: 04f971eda742a4a80d32dcf6a814a707cc3dc396d35902f72929fdcd698b3468f2
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: AD9FFB45F76150A8EC68E8B6A879F602BB03BAF67D64C2E614ACD1581A9C5D70
[+] Signature verification ( successful )
[=] --- Tag Version
[=] Raw bytes: 00 34 21 01 01 00 0E 03
[=] Vendor ID: 34, Mikron JSC Russia
[=] Product type: 21, unknown
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0E, (128 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
[?] Hint: try `hf mfu pwdgen -r` to get see known pwd gen algo suggestions
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
The intercom that opens this label is called VIZIT.
Previously, they used regular Ultralight and copying was not a problem. But now some of the tag pages are password protected. And if you do not completely copy the tag, the intercom will not react on it.
I know there is a device that can calculate the password (called _S_M_K_е_у without "_"). Works in a similar way through sniffing. However, there is no guarantee that it will not send false data to the intercom while sniffing to exploit some vulnerability. For my purposes it is expensive ($ 230 is a bit too much to copy one tag - it is usually bought for business purposes, not my case).
I was hoping that there might be something in the data exchange log between the tag and the device that would catch your eye, but apparently it's not that simple
Last edited by dirh (2022-01-08 21:57:57)
Offline
cool, interesting tag, if you can sniff the traffic between card and reader you should get it.
Is there a way to get my hands one or two of those tags?
Offline
I will try to do this for research purposes. The difficulty is that the management company gave only one RFID tag. You cannot even buy additionally due to the fact that they are out of stock. I took up the idea of copying, since I have 4 people in my family, everyone needs a key.
Last edited by dirh (2022-01-12 11:43:26)
Offline