Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2023-01-27 23:13:52
- alfa-16-bravo
- Contributor
- Registered: 2023-01-09
- Posts: 7
sniff and cauth mifare ultraligh
hello, be indulgent, I'm a beginner, I started by sniffing the card and the real reader, I think I got a lot of information, I'm trying to decipher the keys sent by the original reader, I compare with the traces that come from the proxmark and the hf mfu info command, I admit I don't understand everything, I know that these are a 16byte key (3des), who can help me see more clearly? thank you
hf mfu info
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight C (MF0ULC)
[+] UID: 04 3E 7C 12 42 5C 80
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: CE ( ok )
[+] BCC1: 8C ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 75 - 0000000001110101
[+] OneTimePad: E1 10 08 0F - 11100001000100000000100000001111
[=] --- NDEF Message
[+] Capability Container: E1 10 08 0F
[+] E1: NDEF Magic Number
[+] 10: version 0.1 supported by tag
[+] : Read access granted without any security / Write access granted without any security
[+] 08: Physical Memory Size: 64 bytes
[+] 0F: Additional feature information
[+] 00001111
[+] xxx..... - 00: RFU ( ok )
[+] ...x.... - 00: don't support special frame
[+] ....x... - 01: support lock block
[+] .....xx. - 03: RFU ( fail )
[+] .......x - 01: IC support multiple block reads
[=] Trying some default 3des keys
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failedtrace command hf mfu info
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52(7) | | WUPA
2116 | 4484 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10564 | 16452 | Tag |88 04 3e 7c ce | |
19072 | 29600 | Rdr |93 70 88 04 3e 7c ce a6 9b | ok | SELECT_UID
30660 | 34180 | Tag |04 da 17 | |
35584 | 38048 | Rdr |95 20 | | ANTICOLL-2
39108 | 44996 | Tag |12 42 5c 80 8c | |
47744 | 58208 | Rdr |95 70 12 42 5c 80 8c b0 e8 | ok | SELECT_UID-2
59332 | 62916 | Tag |00 fe 51 | |
65024 | 69792 | Rdr |1a 00 41 76 | ok | AUTH-1
81220 | 93956 | Tag |af 74 51 f6 9f 5a 13 43 d0 8d 1d | ok |
113536 | 135584 | Rdr |af 77 1a c6 97 95 3e 5e d6 2a b2 b0 a5 53 8b 25 f8 39 | |
| | |91 | ok | AUTH-2 KEY: 00112233...
147012 | 147652 | Tag |00(4) | |
157184 | 160736 | Rdr |c2 e0 b4 | ok |
164224 | 168992 | Rdr |50 00 57 cd | ok | HALTreader original and card. (card read twice)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26(7) | | REQA
237808 | 240272 | Rdr |93 20 | | ANTICOLL
8665808 | 8666864 | Rdr |26(7) | | REQA
8903616 | 8906080 | Rdr |93 20 | | ANTICOLL
17333424 | 17334480 | Rdr |26(7) | | REQA
17335668 | 17338036 | Tag |44 00 | |
17352880 | 17355344 | Rdr |93 20 | | ANTICOLL
17356532 | 17362420 | Tag |88 04 3e 7c ce | |
17384864 | 17395392 | Rdr |93 70 88 04 3e 7c ce a6 9b | ok | SELECT_UID
17396596 | 17400116 | Tag |04 da 17 | |
17413664 | 17416128 | Rdr |95 20 | | ANTICOLL-2
17417332 | 17423220 | Tag |12 42 5c 80 8c | |
17445920 | 17456384 | Rdr |95 70 12 42 5c 80 8c b0 e8 | ok | SELECT_UID-2
17457636 | 17461220 | Tag |00 fe 51 | |
17887888 | 17892656 | Rdr |30 14 a7 fe | ok | READBLOCK(20)
17893844 | 17914644 | Tag |01 00 00 75 04 3e 7c ce 12 42 5c 80 8c 48 00 75 9d 8d | ok |
33651584 | 33656352 | Rdr |1a 00 41 76 | ok | AUTH-1
33667924 | 33680660 | Tag |af 33 f2 d7 22 b7 cf 36 fe 90 59 | ok |
57151744 | 57173728 | Rdr |af 00 c0 e3 ef 42 57 89 9a 8a b0 5e 8d 40 65 78 70 d3 | |
| | |a5 | ok | AUTH-2
57185364 | 57198164 | Tag |00 95 ba 2c 73 17 f5 f6 d6 b6 26 | ok |
57742448 | 57747152 | Rdr |30 1c ef 72 | ok | READBLOCK(28)
57748404 | 57769204 | Tag |00 01 95 01 00 22 04 20 00 52 04 20 00 00 27 10 14 9c | ok |
88060192 | 88069568 | Rdr |a2 1f 00 00 26 de 8b 29 | ok | WRITEBLOCK(31)
88850928 | 88851984 | Rdr |26(7) | | REQA
89088880 | 89091344 | Rdr |93 20 | | ANTICOLL
89879232 | 89880288 | Rdr |26(7) | | REQA
90117040 | 90119504 | Rdr |93 20 | | ANTICOLL
90906896 | 90907952 | Rdr |26(7) | | REQA
91144832 | 91147296 | Rdr |93 20 | | ANTICOLL
92920496 | 92921552 | Rdr |26(7) | | REQA
93158304 | 93160768 | Rdr |93 20 | | ANTICOLL
96156688 | 96157744 | Rdr |26(7) | | REQA
96394624 | 96397088 | Rdr |93 20 | | ANTICOLL
104823520 | 104824576 | Rdr |26(7) | | REQA
105061472 | 105063936 | Rdr |93 20 | | ANTICOLL
113489088 | 113490144 | Rdr |26(7) | | REQA
113727024 | 113729488 | Rdr |93 20 | | ANTICOLL
122156176 | 122157232 | Rdr |26(7) | | REQA
122158436 | 122160804 | Tag |44 00 | |
122175632 | 122178096 | Rdr |93 20 | | ANTICOLL
122179284 | 122185172 | Tag |88 04 3e 7c ce | |
122207632 | 122218160 | Rdr |93 70 88 04 3e 7c ce a6 9b | ok | SELECT_UID
122219348 | 122222868 | Tag |04 da 17 | |
122236432 | 122238896 | Rdr |95 20 | | ANTICOLL-2
122240084 | 122245972 | Tag |12 42 5c 80 8c | |
122268688 | 122279152 | Rdr |95 70 12 42 5c 80 8c b0 e8 | ok | SELECT_UID-2
122280404 | 122283988 | Tag |00 fe 51 | |
122711808 | 122716576 | Rdr |30 14 a7 fe | ok | READBLOCK(20)
122717764 | 122738564 | Tag |01 00 00 75 04 3e 7c ce 12 42 5c 80 8c 48 00 75 9d 8d | ok |
138475632 | 138480400 | Rdr |1a 00 41 76 | ok | AUTH-1
138491972 | 138504772 | Tag |af 97 06 8c ef 87 ad 8b 2a 84 76 | ok |
161974384 | 161996368 | Rdr |af 7d 5c 24 2b 42 bd 50 ff ce 80 49 3e da 87 f5 0e 33 | |
| | |f0 | ok | AUTH-2
162008004 | 162020804 | Tag |00 45 1f 40 9a dc 21 cd 9a e7 c7 | ok |
162566368 | 162571072 | Rdr |30 1c ef 72 | ok | READBLOCK(28)
162572324 | 162593124 | Tag |00 01 95 01 00 22 04 20 00 52 04 20 00 00 27 10 14 9c | ok |
192885648 | 192895024 | Rdr |a2 1f 00 00 26 de 8b 29 | ok | WRITEBLOCK(31)
192950740 | 192951316 | Tag |0a(3) | |
193323504 | 193332880 | Rdr |a2 29 01 00 00 00 69 92 | ok | WRITEBLOCK(41) (?)
193388612 | 193389188 | Tag |0a(3) | |
199172084 | 199172532 | Tag |07(2) | |Last edited by alfa-16-bravo (2023-01-27 23:16:43)
Offline
#2 2023-01-28 20:53:34
- alfa-16-bravo
- Contributor
- Registered: 2023-01-09
- Posts: 7
Re: sniff and cauth mifare ultraligh
I have read the mifare ultralight c datasheet and now understand that the key will not be displayed because it is held only by the reader and the card, but if I put the card in its original reader and wait for it to they do the authentication with the card and I stick the proxmark 3 on the card and I ask to read blocks 44 to 47 (block key authentication) can I recover these blocks?
Offline
#3 2023-07-26 00:44:03
- Coucou69
- Contributor
- Registered: 2022-03-17
- Posts: 2
Re: sniff and cauth mifare ultraligh
Hi,
Quite a late answer, but may be useful to another too fast reader.
Datasheets (especially NXP ones) are well written, and a surprising source of knowledge on the product they are related to !
So carefully reading the Mifare Ultalight C one's may lead you to find this :
"The memory pages holding the authentication key can never be read, independent of the
configuration." just below table 11.
It should be crystal clear then that your plan in recovering the keys this way is somehow.... compromized.
Regards.
Offline
Pages: 1