Hi all,
I have an Ultralight keyfob; after sniffing the comms with the reader, the reader seems to only check the UID to unlock the door:
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] UID: 04 75 24 22 DD 29 84
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: DD ( ok )
[+] BCC1: 52 ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
Sniffing results; it only checks the UID to unlock the door:
proxmark3> hf list 14a
Recorded Activity (TraceLen = 102 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 1056 | Rdr | 26 | | REQA
2260 | 4628 | Tag | 44 00 | |
216960 | 219424 | Rdr | 93 20 | | ANTICOLL
220628 | 226452 | Tag | 88 04 75 24 dd | |
754432 | 764896 | Rdr | 93 70 88 04 75 24 dd 5b 8b | ok | SELECT_UID
766164 | 769684 | Tag | 04 da 17 | |
969984 | 972448 | Rdr | 95 20 | | ANTICOLL-2
973652 | 979540 | Tag | 22 dd 29 84 52
However, when I try to simulate the keyfob it does not work, and I get nothing in the "hf list" results:
This is how I'm trying it:
hf 14a sim -t2 -u 04752422DD2984
Should I use "hf mfu sim -t 2" instead of "hf 14a sim -t 2"? I thought it was the same...
I was looking for an option to send raw data to the reader, but the only option I see is to send raw data to a tag. I was wondering if I should use the standalone mode and create my own code to send exactly the same responses to the reader, replicating what happens in the sniffing capture...
Thank you.
Last edited by delorean (2022-02-11 00:15:45)
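Added example in Python (not from the thread or from the Proxmark3 project): it rebuilds, from the 7-byte UID above, the two cascade-level answers seen in the trace (BCC0 DD, BCC1 52), the CRC_A 5B 8B on the SELECT_UID frame and DA 17 on the SAK, and the layout of Ultralight pages 0-2 as they appear in the dump posted later in the thread. The function names are my own; the internal byte 0x48 and the zero lock bytes are taken from the tag info and dump on this page.

```python
from typing import List

CT = 0x88  # ISO 14443-3 cascade tag: first byte of cascade level 1 for a 7-byte UID

def bcc(chunk: bytes) -> int:
    """Block check character: XOR of the four bytes of one cascade level."""
    x = 0
    for b in chunk:
        x ^= b
    return x

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (reflected poly 0x8408, init 0x6363), low byte first on air."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])

def cascade_levels(uid: bytes) -> List[bytes]:
    """The two 5-byte ANTICOLL answers (4 UID bytes + BCC) a tag gives for a 7-byte UID."""
    assert len(uid) == 7, "MF0ICU1 UIDs are 7 bytes"
    lvl1, lvl2 = bytes([CT]) + uid[:3], uid[3:]
    return [lvl1 + bytes([bcc(lvl1)]), lvl2 + bytes([bcc(lvl2)])]

def select_frame(level: bytes, sel: int) -> bytes:
    """Reader SELECT frame: SEL (0x93 / 0x95), NVB 0x70, the 5 level bytes, CRC_A."""
    body = bytes([sel, 0x70]) + level
    return body + crc_a(body)

def uid_from_trace(tag_answers: List[bytes]) -> bytes:
    """Rebuild the UID from the tag's ANTICOLL answers, checking each BCC on the way."""
    uid = b""
    for ans in tag_answers:
        if bcc(ans[:4]) != ans[4]:
            raise ValueError(f"BCC mismatch in {ans.hex()}")
        uid += ans[1:4] if ans[0] == CT else ans[:4]
    return uid

def mfu_pages(uid: bytes, internal: int = 0x48, lock: bytes = b"\x00\x00") -> List[bytes]:
    """Pages 0-2 as an Ultralight stores them: UID0-2+BCC0 | UID3-6 | BCC1,internal,lock."""
    lvl1, lvl2 = cascade_levels(uid)
    return [lvl1[1:], lvl2[:4], bytes([lvl2[4], internal]) + lock]

# Constructed from the trace above: the tag's answers to "93 20" and "95 20".
TRACE_ANSWERS = [bytes.fromhex("88047524dd"), bytes.fromhex("22dd298452")]
UID = uid_from_trace(TRACE_ANSWERS)  # 04 75 24 22 dd 29 84, as in the tag info
```

A SAK of 0x04 (bit 3 set) is what tells the reader the UID is not complete yet, which is why the "95 20" cascade level 2 request follows in the trace.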
Hi,
Still not working... It is really strange... I also emulated it in a different way (dumping it and emulating):
hf mfu dump
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 00 00 00 00 00 00 00
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 75 24 DD | | .u$.
[=] 1/0x01 | 22 DD 29 84 | | ".).
[=] 2/0x02 | 52 48 00 00 | | RH..
[=] 3/0x03 | 00 00 00 00 | 0 | ....
[=] 4/0x04 | FF FF FF FF | 0 | ....
[=] 5/0x05 | 00 00 00 00 | 0 | ....
[=] 6/0x06 | 00 00 00 00 | 0 | ....
[=] 7/0x07 | 00 00 00 00 | 0 | ....
[=] 8/0x08 | 00 00 00 00 | 0 | ....
[=] 9/0x09 | 00 00 00 00 | 0 | ....
[=] 10/0x0A | 00 00 00 00 | 0 | ....
[=] 11/0x0B | 00 00 00 00 | 0 | ....
[=] 12/0x0C | 00 00 00 00 | 0 | ....
[=] 13/0x0D | 00 00 00 00 | 0 | ....
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file hf-mfu-04752422DD2984-dump-1.bin
hf mfu eload --ul f hf-mfu-04752422DD2984-dump.bin
hf mfu sim -t 2
But it does not communicate at all with the reader. The keyfob is a "magnetic" keyfob that has a strong magnet inside (pictures below). I'm trying to find out if the magnet has something to do with it and is necessary to be able to "speak" with the reader; I don't think so, but...
I'm putting my findings here in case someone is facing this problem some day, and also in case someone can provide some useful info.
I can't remember the specifics but I saw something similar a few years ago where a proximity sensor was installed in the reader.
When a magnetic field was detected it caused the reader to start radiating its RF signal.
I believe this was done to preserve power since it was a battery powered reader and it wanted to minimize power consumption by turning off the RF field until a fob was presented.
You should check and see if RF power is being radiated by your reader when no tag is near it.
You can utilize this device (or something similar) to check if the RF signal is normally off, intermittently on, or continuously on.
https://www.redteamtools.com/RFID_LF_HF … ector_Card
No reader-to-tag communication can occur unless there is an RF signal being transmitted to support the tag's backscatter modulation.
Thanks Carl! That makes total sense; I believe the reader indeed has batteries. I will check and let you know how it goes. It also makes sense since the reader is not sending anything at all to my Proxmark, so it is a really good explanation. I will try to put the magnet between the Proxmark and the reader and see if it works.
Last edited by delorean (2022-02-14 23:48:26)
Hi,
So, just in case someone has the same issue: as Carl said, the magnet is necessary to activate the reader. I wrote the UID into a MIFARE Ultralight card and, using the magnet, it works... Something new learned.
Thank you.