Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2023-01-27 23:13:52

alfa-16-bravo
Contributor
Registered: 2023-01-09
Posts: 7

sniff and cauth mifare ultraligh

hello, be indulgent, I'm a beginner, I started by sniffing the card and the real reader, I think I got a lot of information, I'm trying to decipher the keys sent by the original reader, I compare with the traces that come from the proxmark and the hf mfu info command, I admit I don't understand everything, I know that these are a 16byte key (3des), who can help me see more clearly? thank you


hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight C (MF0ULC)
[+]        UID: 04 3E 7C 12 42 5C 80
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: CE ( ok )
[+]       BCC1: 8C ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 75  - 0000000001110101
[+] OneTimePad: E1 10 08 0F  - 11100001000100000000100000001111

[=] --- NDEF Message
[+] Capability Container: E1 10 08 0F
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   08: Physical Memory Size: 64 bytes
[+]   0F: Additional feature information
[+]   00001111
[+]   xxx..... - 00: RFU ( ok )
[+]   ...x.... - 00: don't support special frame
[+]   ....x... - 01: support lock block
[+]   .....xx. - 03: RFU ( fail )
[+]   .......x - 01: IC support multiple block reads
[=] Trying some default 3des keys
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed

trace command hf mfu info

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2116 |       4484 | Tag |44  00                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10564 |      16452 | Tag |88  04  3e  7c  ce                                                       |     |
      19072 |      29600 | Rdr |93  70  88  04  3e  7c  ce  a6  9b                                       |  ok | SELECT_UID
      30660 |      34180 | Tag |04  da  17                                                               |     |
      35584 |      38048 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39108 |      44996 | Tag |12  42  5c  80  8c                                                       |     |
      47744 |      58208 | Rdr |95  70  12  42  5c  80  8c  b0  e8                                       |  ok | SELECT_UID-2
      59332 |      62916 | Tag |00  fe  51                                                               |     |
      65024 |      69792 | Rdr |1a  00  41  76                                                           |  ok | AUTH-1
      81220 |      93956 | Tag |af  74  51  f6  9f  5a  13  43  d0  8d  1d                               |  ok |
     113536 |     135584 | Rdr |af  77  1a  c6  97  95  3e  5e  d6  2a  b2  b0  a5  53  8b  25  f8  39   |     |
            |            |     |91                                                                       |  ok | AUTH-2 KEY: 00112233...
     147012 |     147652 | Tag |00(4)                                                                    |     |
     157184 |     160736 | Rdr |c2  e0  b4                                                               |  ok |
     164224 |     168992 | Rdr |50  00  57  cd                                                           |  ok | HALT

reader original and card. (card read twice)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
     237808 |     240272 | Rdr |93  20                                                                   |     | ANTICOLL
    8665808 |    8666864 | Rdr |26(7)                                                                    |     | REQA
    8903616 |    8906080 | Rdr |93  20                                                                   |     | ANTICOLL
   17333424 |   17334480 | Rdr |26(7)                                                                    |     | REQA
   17335668 |   17338036 | Tag |44  00                                                                   |     |
   17352880 |   17355344 | Rdr |93  20                                                                   |     | ANTICOLL
   17356532 |   17362420 | Tag |88  04  3e  7c  ce                                                       |     |
   17384864 |   17395392 | Rdr |93  70  88  04  3e  7c  ce  a6  9b                                       |  ok | SELECT_UID
   17396596 |   17400116 | Tag |04  da  17                                                               |     |
   17413664 |   17416128 | Rdr |95  20                                                                   |     | ANTICOLL-2
   17417332 |   17423220 | Tag |12  42  5c  80  8c                                                       |     |
   17445920 |   17456384 | Rdr |95  70  12  42  5c  80  8c  b0  e8                                       |  ok | SELECT_UID-2
   17457636 |   17461220 | Tag |00  fe  51                                                               |     |
   17887888 |   17892656 | Rdr |30  14  a7  fe                                                           |  ok | READBLOCK(20)
   17893844 |   17914644 | Tag |01  00  00  75  04  3e  7c  ce  12  42  5c  80  8c  48  00  75  9d  8d   |  ok |
   33651584 |   33656352 | Rdr |1a  00  41  76                                                           |  ok | AUTH-1
   33667924 |   33680660 | Tag |af  33  f2  d7  22  b7  cf  36  fe  90  59                               |  ok |
   57151744 |   57173728 | Rdr |af  00  c0  e3  ef  42  57  89  9a  8a  b0  5e  8d  40  65  78  70  d3   |     |
            |            |     |a5                                                                       |  ok | AUTH-2
   57185364 |   57198164 | Tag |00  95  ba  2c  73  17  f5  f6  d6  b6  26                               |  ok |
   57742448 |   57747152 | Rdr |30  1c  ef  72                                                           |  ok | READBLOCK(28)
   57748404 |   57769204 | Tag |00  01  95  01  00  22  04  20  00  52  04  20  00  00  27  10  14  9c   |  ok |
   88060192 |   88069568 | Rdr |a2  1f  00  00  26  de  8b  29                                           |  ok | WRITEBLOCK(31)
   88850928 |   88851984 | Rdr |26(7)                                                                    |     | REQA
   89088880 |   89091344 | Rdr |93  20                                                                   |     | ANTICOLL
   89879232 |   89880288 | Rdr |26(7)                                                                    |     | REQA
   90117040 |   90119504 | Rdr |93  20                                                                   |     | ANTICOLL
   90906896 |   90907952 | Rdr |26(7)                                                                    |     | REQA
   91144832 |   91147296 | Rdr |93  20                                                                   |     | ANTICOLL
   92920496 |   92921552 | Rdr |26(7)                                                                    |     | REQA
   93158304 |   93160768 | Rdr |93  20                                                                   |     | ANTICOLL
   96156688 |   96157744 | Rdr |26(7)                                                                    |     | REQA
   96394624 |   96397088 | Rdr |93  20                                                                   |     | ANTICOLL
  104823520 |  104824576 | Rdr |26(7)                                                                    |     | REQA
  105061472 |  105063936 | Rdr |93  20                                                                   |     | ANTICOLL
  113489088 |  113490144 | Rdr |26(7)                                                                    |     | REQA
  113727024 |  113729488 | Rdr |93  20                                                                   |     | ANTICOLL
  122156176 |  122157232 | Rdr |26(7)                                                                    |     | REQA
  122158436 |  122160804 | Tag |44  00                                                                   |     |
  122175632 |  122178096 | Rdr |93  20                                                                   |     | ANTICOLL
  122179284 |  122185172 | Tag |88  04  3e  7c  ce                                                       |     |
  122207632 |  122218160 | Rdr |93  70  88  04  3e  7c  ce  a6  9b                                       |  ok | SELECT_UID
  122219348 |  122222868 | Tag |04  da  17                                                               |     |
  122236432 |  122238896 | Rdr |95  20                                                                   |     | ANTICOLL-2
  122240084 |  122245972 | Tag |12  42  5c  80  8c                                                       |     |
  122268688 |  122279152 | Rdr |95  70  12  42  5c  80  8c  b0  e8                                       |  ok | SELECT_UID-2
  122280404 |  122283988 | Tag |00  fe  51                                                               |     |
  122711808 |  122716576 | Rdr |30  14  a7  fe                                                           |  ok | READBLOCK(20)
  122717764 |  122738564 | Tag |01  00  00  75  04  3e  7c  ce  12  42  5c  80  8c  48  00  75  9d  8d   |  ok |
  138475632 |  138480400 | Rdr |1a  00  41  76                                                           |  ok | AUTH-1
  138491972 |  138504772 | Tag |af  97  06  8c  ef  87  ad  8b  2a  84  76                               |  ok |
  161974384 |  161996368 | Rdr |af  7d  5c  24  2b  42  bd  50  ff  ce  80  49  3e  da  87  f5  0e  33   |     |
            |            |     |f0                                                                       |  ok | AUTH-2
  162008004 |  162020804 | Tag |00  45  1f  40  9a  dc  21  cd  9a  e7  c7                               |  ok |
  162566368 |  162571072 | Rdr |30  1c  ef  72                                                           |  ok | READBLOCK(28)
  162572324 |  162593124 | Tag |00  01  95  01  00  22  04  20  00  52  04  20  00  00  27  10  14  9c   |  ok |
  192885648 |  192895024 | Rdr |a2  1f  00  00  26  de  8b  29                                           |  ok | WRITEBLOCK(31)
  192950740 |  192951316 | Tag |0a(3)                                                                    |     |
  193323504 |  193332880 | Rdr |a2  29  01  00  00  00  69  92                                           |  ok | WRITEBLOCK(41) (?)
  193388612 |  193389188 | Tag |0a(3)                                                                    |     |
  199172084 |  199172532 | Tag |07(2)                                                                    |     |

Last edited by alfa-16-bravo (2023-01-27 23:16:43)

Offline

#2 2023-01-28 20:53:34

alfa-16-bravo
Contributor
Registered: 2023-01-09
Posts: 7

Re: sniff and cauth mifare ultraligh

I have read the mifare ultralight c datasheet and now understand that the key will not be displayed because it is held only by the reader and the card, but if I put the card in its original reader and wait for it to they do the authentication with the card and I stick the proxmark 3 on the card and I ask to read blocks 44 to 47 (block key authentication) can I recover these blocks?

Offline

#3 2023-07-26 00:44:03

Coucou69
Contributor
Registered: 2022-03-17
Posts: 2

Re: sniff and cauth mifare ultraligh

Hi,
Quite a late answer, but may be useful to another too fast reader.

Datasheets (especially NXP ones) are well written, and a surprising source of knowledge on the product they are related to !

So carefully reading the Mifare Ultalight C one's may lead you to find this :
"The memory pages holding the authentication key can never be read, independent of the
configuration." just below table 11.

It should be crystal clear then that your plan in recovering the keys this way is somehow.... compromized.


Regards.

Offline

Board footer

Powered by FluxBB