Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-03-27 16:50:57

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

[FINISHED] Ultralight Ev1 commands

Ultralight Ev1:
Two versions of the EV1 exist: A) MF0UL11 and B) MF0UL21. They differ in available memory size.
You can read the blocks (A has 0x13 blocks and B has 0x28 blocks) with the "hf mfu rdbl" command.

The Ultralight EV1 has a more expanded command set than its brothers UL / UL-C.
It's easy to run some commands against the tag.

GET_VERSION

pm3 --> hf 14a raw -s -c 60

received 7 octets
04 B7 80 9A F8 38 80

received 10 octets
00 04 03 01 01 00 0B 03 FD F7

PWD_AUTH

pm3 --> hf 14a raw -s -c 1b ff ff ff ff

received 7 octets
04 B7 80 9A F8 38 80   --<UID

received 4 octets
00 00 A0 1E               --<PACK ok

AUTHENTICATE & FAST READ all user memory on EV1 tag.

hf 14a raw -p -s -c 1bxxxxxxxx
hf 14a raw -c 3a040f

It's gonna be easy to add this tag to the current codebase.

Last edited by iceman (2015-05-25 10:20:28)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#2 2015-03-31 23:26:38

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

"ff ff ff ff"  is default psw?


#3 2015-04-01 07:28:27

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Could be a factory default "0xff 0xff 0xff 0xff",  for the tag I tested that was the case.



#4 2015-04-02 21:56:24

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

if i send

proxmark3> hf 14a raw  -c -p -s  1b ff ff ff ff
received 7 octets         
00 04 03 01 01 00 0B           
received 0 octets


#5 2015-04-02 23:17:32

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Try sending it without "-p".



#6 2015-04-03 08:07:59

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

proxmark3> hf 14a raw  -c  -s  1b ff ff ff ff
received 7 octets         
04 57 B6 E2 05 3F 80           
received 0 octets         
proxmark3>


#7 2015-04-03 08:11:24

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

password is wrong, right?


#8 2015-04-03 16:34:59

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

yes  try some other default pwds?



#9 2015-04-03 21:33:01

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

what are the default passwords?


#10 2015-04-05 12:04:07

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

one default pwd from factory is all zeros.
another one, like the one I tested above, is  all 0xff's

Use your imagination to test maybe all 0x01,  or 0x40,0x41,0x42, 0x43   
The simplest pwd's to come up with.



#11 2015-04-06 15:57:59

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

I tried the more simple passwords and they do not work. I would not want to block the card, if AUTHLIM is enabled, for the max number of unsuccessful


#12 2015-04-06 16:00:29

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

then you are out-of-luck.  Can you sniff the traffic between tag and reader?



#13 2015-04-06 16:11:24

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

I should be able to bring the PC with me to sniff; I cannot do it without a PC. However, I bought a HydraBus, which I must get from China. It will come in a month.


#14 2015-04-06 16:15:59

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Or hook the pm3 up to an android (rooted?)   Asper has a distro for it.
Or hook it up to a laptop?



#15 2015-04-07 19:36:52

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

i have a 7 inch mini laptop ,and samsung s2 rooted .
I might try


#16 2015-04-07 20:52:37

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Go for it!  Wardriving-NFC ;)



#17 2015-04-21 20:44:30

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

ok, i have sniff :

proxmark3> hf 14a snoop
proxmark3>
proxmark3> #db# cancelled by button                 
proxmark3> #db# COMMAND FINISHED                 
proxmark3> #db# maxDataLen=5, Uart.state=0, Uart.len=0                 
proxmark3> #db# traceLen=1929, Uart.output[0]=00000095                 
proxmark3> hf 14a list
Recorded Activity         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
All times are in carrier periods (1/13.56Mhz)         
     Start |       End | Src | Data (! denotes parity error)                                   | CRC           
-----------|-----------|-----|-----------------------------------------------------------------------         
         0 |      1056 | Rdr | 26                                                              |           
      2244 |      4612 | Tag | 44  00                                                          |           
     14192 |     16656 | Rdr | 93  20                                                          |           
     17844 |     23732 | Tag | 88  04  57  b6  6d                                              |           
     34000 |     44528 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
     45716 |     49236 | Tag | 04  da  17                                                      |           
     59248 |     61712 | Rdr | 95  20                                                          |           
     62900 |     68788 | Tag | e2  05  3f  80  58                                              |           
     79056 |     89584 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
     90772 |     94356 | Tag | 00  fe  51                                                      |           
    232944 |    241104 | Rdr | 1b  4a  f8  4b  19  9b  5c                                      |           
    242356 |    247092 | Tag | e5  be  74  d5                                                  |           
    373552 |    379472 | Rdr | 3a  02  03  eb  51                                              |           
    382324 |    393908 | Tag | 58  48  70  00  00  00  00  00  e4  9a                          |           
    488480 |    494336 | Rdr | 3a  04  0f  57  cf                                              |           
    497252 |    554916 | Tag | 14  9b  b9  67  b5  b0  45  71  d5  27  4a  fe  17  b8  3f  ba  |           
           |           |     | 39  ac  94  48  cb  12  66  22  42  95  d9  e2  45  28  04  d9  |           
           |           |     | cf  86  83  01  7d  33  a3  dc  13  fb  bc  39  50  b6  da  67  |           
           |           |     | 3c  44                                                          |           
    759632 |    764400 | Rdr | 39  00  1a  7f                                                  |           
    765588 |    771412 | Tag | 04  00  00  75  c6                                              |           
    893808 |    898576 | Rdr | 39  01  93  6e                                                  |           
    899764 |    905588 | Tag | 04  00  00  75  c6                                              |           
   1045664 |   1054976 | Rdr | a2  0c  1d  96  74  46  0f  6f                                  |           
   1110628 |   1111204 | Tag | 0a!                                                             |           
   1301968 |   1311280 | Rdr | a2  0d  3a  d7  d2  8a  dc  17                                  |           
   1366932 |   1367508 | Tag | 0a!                                                             |           
   1577984 |   1587360 | Rdr | a2  0e  90  dd  9e  31  67  e3                                  |           
   1642964 |   1643540 | Tag | 0a!                                                             |           
   1850864 |   1860240 | Rdr | a2  0f  e3  03  7c  06  aa  97                                  |           
   1915828 |   1916404 | Tag | 0a!                                                             |           
   2123200 |   2127968 | Rdr | 39  00  1a  7f                                                  |           
   2129156 |   2134980 | Tag | 04  00  00  75  c6                                              |           
   2145856 |   2155232 | Rdr | a5  00  01  00  00  00  4d  bf                                  |           
   2210820 |   2211396 | Tag | 0a!                                                             |           
   2353744 |   2358512 | Rdr | 39  00  1a  7f                                                  |           
   2359700 |   2365524 | Tag | 05  00  00  a9  9c                                              |           
   2529072 |   2533840 | Rdr | 39  01  93  6e                                                  |           
   2535028 |   2540852 | Tag | 04  00  00  75  c6                                              |           
   2551744 |   2561056 | Rdr | a5  01  01  00  00  00  09  b4                                  |           
   2616708 |   2617284 | Tag | 0a!                                                             |           
   2760560 |   2765328 | Rdr | 39  01  93  6e                                                  |           
   2766516 |   2772340 | Tag | 05  00  00  a9  9c                                              |           
   7729248 |   7730304 | Rdr | 26                                                              |           
   7731476 |   7733844 | Tag | 44  00                                                          |           
   7743504 |   7745968 | Rdr | 93  20                                                          |           
   7747140 |   7753028 | Tag | 88  04  57  b6  6d                                              |           
   7763312 |   7773840 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
   7775012 |   7778532 | Tag | 04  da  17                                                      |           
   7788544 |   7791008 | Rdr | 95  20                                                          |           
   7792180 |   7798068 | Tag | e2  05  3f  80  58                                              |           
   7808336 |   7818864 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
   7820036 |   7823620 | Tag | 00  fe  51                                                      |           
  11620992 |  11622048 | Rdr | 26                                                              |           
  11623220 |  11625588 | Tag | 44  00                                                          |           
  11635200 |  11637664 | Rdr | 93  20                                                          |           
  11638852 |  11644740 | Tag | 88  04  57  b6  6d                                              |           
  11655008 |  11665536 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  11666708 |  11670228 | Tag | 04  da  17                                                      |           
  11680256 |  11682720 | Rdr | 95  20                                                          |           
  11683908 |  11689796 | Tag | e2  05  3f  80  58                                              |           
  11700048 |  11710576 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  11711748 |  11715332 | Tag | 00  fe  51                                                      |           
  15553408 |  15554464 | Rdr | 26                                                              |           
  15555652 |  15558020 | Tag | 44  00                                                          |           
  15567600 |  15570064 | Rdr | 93  20                                                          |           
  15571252 |  15577140 | Tag | 88  04  57  b6  6d                                              |           
  15587424 |  15597952 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  15599140 |  15602660 | Tag | 04  da  17                                                      |           
  15612656 |  15615120 | Rdr | 95  20                                                          |           
  15616308 |  15622196 | Tag | e2  05  3f  80  58                                              |           
  15632464 |  15642992 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  15644180 |  15647764 | Tag | 00  fe  51                                                      |           
  19485840 |  19486896 | Rdr | 26                                                              |           
  19488068 |  19490436 | Tag | 44  00                                                          |           
  19500032 |  19502496 | Rdr | 93  20                                                          |           
  19503668 |  19509556 | Tag | 88  04  57  b6  6d                                              |           
  19519840 |  19530368 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  19531540 |  19535060 | Tag | 04  da  17                                                      |           
  19545104 |  19547568 | Rdr | 95  20                                                          |           
  19548740 |  19554628 | Tag | e2  05  3f  80  58                                              |           
  19564944 |  19575472 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  19576644 |  19580228 | Tag | 00  fe  51                                                      |           
  23418272 |  23419328 | Rdr | 26                                                              |           
  23420500 |  23422868 | Tag | 44  00                                                          |           
  23432464 |  23434928 | Rdr | 93  20                                                          |           
  23436100 |  23441988 | Tag | 88  04  57  b6  6d                                              |           
  23452288 |  23462816 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  23463988 |  23467508 | Tag | 04  da  17                                                      |           
  23477520 |  23479984 | Rdr | 95  20                                                          |           
  23481156 |  23487044 | Tag | e2  05  3f  80  58                                              |           
  23497328 |  23507856 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  23509028 |  23512612 | Tag | 00  fe  51                                                      |           
  27364256 |  27365312 | Rdr | 26                                                              |           
  27366484 |  27368852 | Tag | 44  00                                                          |           
  27378448 |  27380912 | Rdr | 93  20                                                          |           
  27382084 |  27387972 | Tag | 88  04  57  b6  6d                                              |           
  27398272 |  27408800 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  27409972 |  27413492 | Tag | 04  da  17                                                      |           
  27423536 |  27426000 | Rdr | 95  20                                                          |           
  27427172 |  27433060 | Tag | e2  05  3f  80  58                                              |           
  27443344 |  27453872 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  27455044 |  27458628 | Tag | 00  fe  51                                                      |           
  31283120 |  31284176 | Rdr | 26                                                              |           
  31285348 |  31287716 | Tag | 44  00                                                          |           
  31297312 |  31299776 | Rdr | 93  20                                                          |           
  31300948 |  31306836 | Tag | 88  04  57  b6  6d                                              |           
  31317120 |  31327648 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  31328820 |  31332340 | Tag | 04  da  17                                                      |           
  31342368 |  31344832 | Rdr | 95  20                                                          |           
  31346004 |  31351892 | Tag | e2  05  3f  80  58                                              |           
  31362176 |  31372704 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  31373876 |  31377460 | Tag | 00  fe  51                                                      |           
  35215552 |  35216608 | Rdr | 26                                                              |           
  35217780 |  35220148 | Tag | 44  00                                                          |           
  35229744 |  35232208 | Rdr | 93  20                                                          |           
  35233380 |  35239268 | Tag | 88  04  57  b6  6d                                              |           
  35249552 |  35260080 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  35261252 |  35264772 | Tag | 04  da  17                                                      |           
  35274800 |  35277264 | Rdr | 95  20                                                          |           
  35278436 |  35284324 | Tag | e2  05  3f  80  58                                              |           
  35294624 |  35305152 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  35306324 |  35309908 | Tag | 00  fe  51                                                      |           
  39175088 |  39176144 | Rdr | 26                                                              |           
  39177316 |  39179684 | Tag | 44  00                                                          |           
  39189296 |  39191760 | Rdr | 93  20                                                          |           
  39192932 |  39198820 | Tag | 88  04  57  b6  6d                                              |           
  39209104 |  39219632 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  39220804 |  39224324 | Tag | 04  da  17                                                      |           
  39234352 |  39236816 | Rdr | 95  20                                                          |           
  39237988 |  39243876 | Tag | e2  05  3f  80  58                                              |           
  39254176 |  39264704 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  39265876 |  39269460 | Tag | 00  fe  51                                                      |           
  43066848 |  43067904 | Rdr | 26                                                              |           
  43069076 |  43071444 | Tag | 44  00                                                          |           
  43081040 |  43083504 | Rdr | 93  20                                                          |           
  43084676 |  43090564 | Tag | 88  04  57  b6  6d                                              |           
  43100848 |  43111376 | Rdr | 93  70  88  04  57  b6  6d  be  a2                              |           
  43112548 |  43116068 | Tag | 04  da  17                                                      |           
  43126112 |  43128576 | Rdr | 95  20                                                          |           
  43129748 |  43135636 | Tag | e2  05  3f  80  58                                              |           
  43145936 |  43156464 | Rdr | 95  70  e2  05  3f  80  58  00  4c                              |           
  43157652 |  43161236 | Tag | 00  fe  51               

I consumed a ticket ... but where is the psw?  :D


#18 2015-04-21 20:53:15

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

    232944 |    241104 | Rdr | 1b  4a  f8  4b  19  9b  5c                                      |
    242356 |    247092 | Tag | e5  be  74  d5                                                  |
    373552 |    379472 | Rdr | 3a  02  03  eb  51                                              |
    382324 |    393908 | Tag | 58  48  70  00  00  00  00  00  e4  9a                          |
    488480 |    494336 | Rdr | 3a  04  0f  57  cf                                              |

Not knowing the UL-Ev1 commands fully, but... the 0x1b is the Auth request :)

Let's see:
  0x1b auth
  0x4a  0xf8  0x4b  0x19   PWD (from reader)
  0xe5  0xbe   PACK


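The PWD_AUTH exchange picked out of the sniff in the post above, decoded by a small trace annotator. This is an added example, not Proxmark3 code and not part of the original posts; the trace rows are copied from post #17, and the function names (`crc_a`, `parse_trace`, `annotate`) are made up for this illustration. It checks the ISO/IEC 14443-A CRC on each frame and labels the Ultralight EV1 commands.

```python
# Annotate "hf 14a list" rows: verify CRC_A and label Ultralight EV1 commands.

# First command byte -> name (ISO 14443-3A and MIFARE Ultralight EV1 command set).
COMMANDS = {
    0x26: "REQA", 0x52: "WUPA",
    0x93: "ANTICOLL/SELECT CL1", 0x95: "ANTICOLL/SELECT CL2",
    0x30: "READ", 0x39: "READ_CNT", 0x3A: "FAST_READ",
    0x60: "GET_VERSION", 0x1B: "PWD_AUTH",
    0xA2: "WRITE", 0xA5: "INCR_CNT",
}

# Rows copied from the trace in post #17 (header rows kept to show they are skipped).
TRACE = """
     Start |       End | Src | Data (! denotes parity error)                                   | CRC
-----------|-----------|-----|-----------------------------------------------------------------------
    232944 |    241104 | Rdr | 1b  4a  f8  4b  19  9b  5c                                      |
    242356 |    247092 | Tag | e5  be  74  d5                                                  |
    488480 |    494336 | Rdr | 3a  04  0f  57  cf                                              |
    497252 |    554916 | Tag | 14  9b  b9  67  b5  b0  45  71  d5  27  4a  fe  17  b8  3f  ba  |
           |           |     | 39  ac  94  48  cb  12  66  22  42  95  d9  e2  45  28  04  d9  |
           |           |     | cf  86  83  01  7d  33  a3  dc  13  fb  bc  39  50  b6  da  67  |
           |           |     | 3c  44                                                          |
   1045664 |   1054976 | Rdr | a2  0c  1d  96  74  46  0f  6f                                  |
   1110628 |   1111204 | Tag | 0a!                                                             |
"""


def crc_a(data):
    """ISO/IEC 14443-A CRC: initial value 0x6363, sent low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte = (byte ^ (byte << 4)) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return crc


def parse_trace(text):
    """Return [(source, frame_bytes)], joining continuation rows to their frame."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4:
            continue
        try:
            # "!" only marks a parity error on the preceding byte.
            data = bytes.fromhex(cols[3].replace("!", ""))
        except ValueError:
            continue  # header or separator row
        if not data:
            continue
        if cols[2] in ("Rdr", "Tag"):
            frames.append([cols[2], data])
        elif cols[2] == "" and frames:
            frames[-1][1] += data  # wrapped data of the previous frame
    return [(src, data) for src, data in frames]


def annotate(frames):
    """Return [(source, note, crc_ok)] for each frame."""
    out = []
    last_cmd = None
    for src, data in frames:
        crc_ok = (len(data) >= 3 and
                  crc_a(data[:-2]) == int.from_bytes(data[-2:], "little"))
        payload = data[:-2] if crc_ok else data
        if src == "Rdr":
            last_cmd = COMMANDS.get(data[0], "UNKNOWN")
            note = last_cmd
            if last_cmd == "PWD_AUTH" and len(payload) == 5:
                note += " pwd=" + payload[1:].hex()
            elif last_cmd == "FAST_READ" and len(payload) == 3:
                note += " pages 0x%02x-0x%02x" % (payload[1], payload[2])
        elif last_cmd == "PWD_AUTH" and crc_ok and len(payload) == 2:
            note = "PACK=" + payload.hex()
        elif data == b"\x0a":
            note = "ACK"  # 4-bit acknowledge, carries no CRC
        else:
            note = "response to %s" % last_cmd
        out.append((src, note, crc_ok))
    return out


if __name__ == "__main__":
    for src, note, crc_ok in annotate(parse_trace(TRACE)):
        print(src, note, "crc ok" if crc_ok else "no valid crc")
```

Both the 4-byte password and the 2-byte PACK cross the air unencrypted, which is why one sniffed transaction was enough in this thread.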

#19 2015-04-22 00:03:25

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

yesssss...   you are the best  :)

proxmark3> hf 14a raw  -c -p -s  1b  4a  f8  4b  19
received 7 octets         
04 57 B6 E2 05 3F 80           
received 4 octets         
E5 BE 74 D5           
proxmark3>


#20 2015-04-22 08:38:02

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

No, you are the best. You got the sniffed traffic; without it you wouldn't be able to get the pwd.

can you send me a mail?   (I've some questions)



#21 2015-04-22 20:04:29

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

i don't see your email . is it hidden?


#22 2015-04-24 18:15:39

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

I pushed a fix for the "HF 14A READ" command, to enable it to identify UL / UL-C / UL EV1 tags.

One of these days I will add support for the extended commands in EV1..



#23 2015-04-25 09:10:29

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

thanks


#24 2015-04-25 19:34:52

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

How to:

Authenticate  and read all user memory on  EV1 tag.

hf 14a raw -p -s -c 1bxxxxxxxx
hf 14a raw -c 3a040f


#25 2015-04-28 19:23:56

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

two lines derived from two Ev1 used at the usual time of the usual day (today)

UID   04 57 B6 6D E2 05 3F 80 58
c6  5e  91  0c  52  11  15  ef  24  45  80  27  8a  05  44  da        28/4/2015  9:47am    bus nr:  3714

UID   04 BD 25 14 E2 05 3F 80 58
7d  d3  58  f1  97  c6  cc  b7  62  63  90  7f  2c  4e  ad  2a        28/4/15      9:47am    bus nr:  3714

Do you have any idea how the date and time are encrypted?


#26 2015-04-28 19:35:51

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

You need to figure out the transportation system,  which it is  and if there is some datasheet/manuals to read about it.



#27 2015-04-28 19:48:50

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

hard to find this


#28 2015-04-28 20:54:42

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Who said it's gonna be easy?



#29 2015-04-28 22:54:56

tristanik
Contributor
Registered: 2014-11-25
Posts: 95

Re: [FINISHED] Ultralight Ev1 commands

tomorrow i try same ticket, same bus , 90 minutes of difference


#30 2015-05-03 01:36:10

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

Hello everyone!

Been playing around some with Nintendo's amiibos and have been able to make some progress. I snooped the communication between a 3DS and an amiibo, and following iceman's suggestions earlier in this post I was able to:

proxmark3> hf 14a raw -c -p -s 1b  05  22  e6  b4
received 7 octets
04 DD 16 72 61 3E 80
received 4 octets
80 80 64 16

These, however have 192 bytes of data (48 blocks). Does that mean they are ultralight-c?


#31 2015-05-03 09:38:55

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

I hope you do know that you are posting in an Ultralight-EV1 thread, where you ran a specific Ultralight-EV1 command.

You seem to have a valid Ultralight-EV1 password, and you got a PACK answer back.

In my world that means that you have an Ultralight-EV1 tag.

If you read the first post in this thread, you can run the GET_VERSION command to see some information about the tag, like the size. And since you have the password, you can read all memory from the tag as well.

Last edited by iceman (2015-05-03 10:17:32)



#32 2015-05-03 16:53:23

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

Thanks iceman!

I wasn't sure if those were EV1 specific commands. Also I am able to read up to 48 blocks (0x30) using the "hf mfu crdbl" command. But you mentioned there are two types of tags, (A) which has 0x13 blocks and (B) which has 0x28 blocks. Why the discrepancy?

Here's the output of my tag's GET_VERSION, PWD_AUTH, and AUTH + FAST_READ:

proxmark3>  hf 14a raw -s -c 60
received 7 octets
04 1A 9B 82 C2 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E
proxmark3> hf 14a raw -p -s -c 1b02e1ee36
received 7 octets
04 D2 57 7A E3 3E 80
received 4 octets
80 80 64 16
proxmark3> hf 14a raw -c 3a040f
received 50 octets
A5 E2 B5 00 39 20 0F BD BF 5A D0 3C 67 ED 42 5A B9 97 F1 71 1C BA B5 6D AE C6 BE EF 4A 13 55 70 54 C4 DF 61 A5 F9 EF 91 00 5B 1E C0 61 58 4A BE C8 53
proxmark3>

I'm going to do some research on EV1, and get up to speed with the proxmark3, since I haven't done much hacking with it despite owning one for over 3 years now. I'd like to get it to simulate an EV1 card. If I can help any other efforts to get support for the ev1 in the proxmark3, let me know!

Thanks for the help!


#33 2015-05-03 17:30:30

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

According to this NXP data sheet http://www.nxp.com/documents/data_sheet/MF0ULX1.pdf on the EV1 and my tag's reply to the GET_VERSION command, my tag's memory size is between 256 and 512 bytes.

proxmark3>  hf 14a raw -s -c 60
received 7 octets
04 1A 9B 82 C2 3E 80
received 10 octets
00 04 04 02 01 00 11 03 01 9E

The most significant 7 bits of the storage size byte are interpreted as an unsigned integer value n. As a result, it codes the total available user memory size as 2^n. If the least significant bit is 0b, the user memory size is exactly 2^n. If the least significant bit is 1b, the user memory size is between 2^n and 2^(n+1).
The user memory for the MF0UL11 is 48 bytes. This memory size is between 32d bytes and 64d bytes. Therefore, the most significant 7 bits of the value 0Bh, are interpreted as 5d and the least significant bit is 1b.
The user memory for the MF0UL21 is 128 bytes. This memory size is exactly 128d. Therefore, the most significant 7 bits of the value 0Eh, are interpreted as 7d and the least significant bit is 0b.


#34 2015-05-03 17:54:33

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

iceman, looking at the datasheet for the ntag215 I think I found my winner...

https://dangerousthings.com/wp-content/ … 15_216.pdf


#35 2015-05-03 18:21:52

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

00 = static
04 = NXP (manufacturer)
04 = product type 4   (  3 = ultralight)
02 = product subtype
01 = Major version
00 = Minor version
11 = size ( 256-512kb )
03 = protocol type

The product type doesn't look like an Ultralight, so NTAG could be right,
the size of NTAG215 (user memory 504kb) matches the span, that means you could read much more memory than from page 04 to page 0F..

You should read the capability container (page3) and look what it tells you.

I don't have some NTAG to test on.  Would be good to get that identification into the mfu commands.


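The GET_VERSION byte breakdown from the post above, combined with the storage-size rule quoted from the datasheet in post #33, as a small decoder. This is an added example, not Proxmark3 code; the names `parse_get_version`, `decode_storage_size` and `TagVersion` are made up here, and the NTAG entries in the lookup tables come from NXP's NTAG21x datasheet rather than from this thread.

```python
# Decode the reply to GET_VERSION (0x60) as printed by "hf 14a raw -s -c 60".
from dataclasses import dataclass
from typing import Optional, Tuple

# 0x04 = NXP and 0x03 = Ultralight are stated in the thread;
# 0x04 = NTAG is taken from the NTAG21x datasheet.
VENDORS = {0x04: "NXP"}
PRODUCT_TYPES = {0x03: "MIFARE Ultralight", 0x04: "NTAG"}

# (product type, storage size byte) -> (part, user memory in bytes)
KNOWN_PARTS = {
    (0x03, 0x0B): ("MF0UL11", 48),
    (0x03, 0x0E): ("MF0UL21", 128),
    (0x04, 0x0F): ("NTAG213", 144),
    (0x04, 0x11): ("NTAG215", 504),
    (0x04, 0x13): ("NTAG216", 888),
}


@dataclass
class TagVersion:
    vendor: str
    product_type: str
    subtype: int
    version: str
    size_range: Tuple[int, int]   # (low, high) user memory bounds in bytes
    protocol: int
    part: str                     # "unknown" when the pair is not in KNOWN_PARTS
    user_bytes: Optional[int]


def decode_storage_size(size_byte):
    """Upper 7 bits give n; LSB 0 means exactly 2^n, LSB 1 means 2^n..2^(n+1)."""
    n = size_byte >> 1
    low = 1 << n
    if size_byte & 1:
        return (low, low * 2)
    return (low, low)


def parse_get_version(octets):
    """Parse 8 version bytes; a 10-octet reply has its 2 CRC bytes dropped."""
    raw = bytes.fromhex(octets)
    if len(raw) == 10:
        raw = raw[:8]             # trailing CRC_A is not checked here
    if len(raw) != 8:
        raise ValueError("expected 8 version bytes (or 10 with CRC)")
    header, vendor, ptype, subtype, major, minor, size, proto = raw
    if header != 0x00:
        raise ValueError("fixed header byte must be 0x00")
    part, user_bytes = KNOWN_PARTS.get((ptype, size), ("unknown", None))
    return TagVersion(
        vendor=VENDORS.get(vendor, "vendor 0x%02x" % vendor),
        product_type=PRODUCT_TYPES.get(ptype, "type 0x%02x" % ptype),
        subtype=subtype,
        version="%d.%d" % (major, minor),
        size_range=decode_storage_size(size),
        protocol=proto,
        part=part,
        user_bytes=user_bytes,
    )


if __name__ == "__main__":
    # The two replies posted in this thread (post #1 and post #32).
    for reply in ("00 04 03 01 01 00 0B 03 FD F7",
                  "00 04 04 02 01 00 11 03 01 9E"):
        print(parse_get_version(reply))
```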

#36 2015-05-03 18:51:44

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

I'm remaking some of the "hf mfu" commands, among others a correct identification of the different tags. I had no idea that NTAGs were so similar to Ultralight tags. It answers like an EV1 tag when I see your printouts. But the GET_VERSION is different and can be used.

Can you do a "hf 14a read" & "hf list 14a" so I can see the ATQA & SAK answers on your tag?

And if your tag is an amiibo, then I will start another thread where it can be discussed. You got a PWD from it, ...



#37 2015-05-03 19:39:12

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

"hf 14a read" actually results in a buffer overflow.

https://github.com/Proxmark/proxmark3/issues/100
I see that you commented in the issue though. I'll make the change to the version array and try again.


#38 2015-05-03 19:44:38

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

proxmark3> hf 14a read
 UID : 04 d2 57 7a e3 3e 80
ATQA : 00 44
 SAK : 00 [2]
TYPE : NXP MIFARE Ultralight EV1 128 bytes
MANUFACTURER : NXP Semiconductors Germany
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
proxmark3> hf list 14a
Recorded Activity (TraceLen = 211 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |       992 | Rdr | 52                                                              |     | WUPA
      2228 |      4596 | Tag | 44  00                                                          |     |
      7040 |      9504 | Rdr | 93  20                                                          |     | ANTICOLL
     10676 |     16500 | Tag | 88  04  d2  57  09                                              |     |
     18816 |     29280 | Rdr | 93  70  88  04  d2  57  09  8c  42                              |     | SELECT_UID
     30516 |     34036 | Tag | 04  da  17                                                      |     |
     35328 |     37792 | Rdr | 95  20                                                          |     | ANTICOLL-2
     38964 |     44788 | Tag | 7a  e3  3e  80  27                                              |     |
     47104 |     57568 | Rdr | 95  70  7a  e3  3e  80  27  89  06                              |     | ANTICOLL-2
     58804 |     62388 | Tag | 00  fe  51                                                      |     |
    522496 |    526112 | Rdr | 60  f8  32                                                      |     | AUTH-A(248)
    527284 |    538932 | Tag | 00  04  04  02  01  00  11  03  01  9e                          |     |
   1106944 |   1111712 | Rdr | e0  80  31  73                                                  |     | RATS
   1825664 |   1826656 | Rdr | 40                                                              |     | MAGIC WUPC1
   1962112 |   1963424 | Rdr | 43                                                              |     | MAGIC WUPC2
   2099328 |   2104096 | Rdr | 50  00  57  cd                                                  |     | HALT
proxmark3>


#39 2015-05-03 19:53:20

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

The capability container (page 3) is: F1 10 FF EE

proxmark3> hf 14a raw -c 3a0303
received 6 octets
F1 10 FF EE B5 49

Last edited by borjaburgos (2015-05-03 19:53:38)


#40 2015-05-03 20:10:33

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

Something doesn't add up... according to the doc: "Byte 2 in the capability container defines the available memory size for NDEF messages."

In my tag that would be "FF" -> meaning 2040 byte NDEF memory size is defined in the Capability Container. Which is well beyond the size of the NTAG215.

And +1 to starting a new amiibo specific thread, especially now that we know it's not an EV1 tag.

Last edited by borjaburgos (2015-05-03 20:19:58)


#41 2015-05-04 03:59:57

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

And the magic number 0xE1 in CC, which is a must for NDEF,  isn't there either.
So we can say that Amiibo uses an NTAG tag but doesn't store its data according to NDEF.

You will need to map the memory ;)


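The capability-container check worked through in posts #39 to #41, as an added example that is not part of the original thread or of the Proxmark3 code: it verifies the CRC_A on the raw 6-octet page-3 read, then tests the 0xE1 magic byte and the claimed NDEF size (byte 2 times 8) against the tag's physical user memory. The function names are this example's own, and the 504 passed in is the NTAG215 user-memory figure quoted in the thread, taken here as bytes.

```python
NDEF_MAGIC = 0xE1  # first CC byte of an NDEF-formatted Type 2 tag

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))

def check_cc(raw_hex: str, user_memory_bytes: int) -> dict:
    """raw_hex: the 4 CC bytes plus the 2 CRC bytes appended by the tag.
    user_memory_bytes: physical user memory of the tag (assumed known,
    for instance from GET_VERSION and the datasheet)."""
    raw = bytes.fromhex(raw_hex)
    if len(raw) != 6:
        raise ValueError("expected 4 data bytes + 2 CRC bytes")
    cc, crc = raw[:4], raw[4:]
    if crc_a(cc) != crc:
        raise ValueError("CRC_A mismatch, frame is corrupted")
    magic, version, size, access = cc
    claimed = size * 8  # byte 2 counts 8-byte units
    problems = []
    if magic != NDEF_MAGIC:
        problems.append(f"magic 0x{magic:02X} is not 0xE1")
    if claimed > user_memory_bytes:
        problems.append(f"claims {claimed} bytes, tag has {user_memory_bytes}")
    return {
        "version": version, "access": access,
        "claimed_ndef_bytes": claimed,
        "is_ndef": not problems, "problems": problems,
    }

if __name__ == "__main__":
    # Raw reply from post #39.
    print(check_cc("F1 10 FF EE B5 49", 504))
    # Constructed sample: a well-formed CC with the CRC computed here.
    good = bytes.fromhex("E1 10 3E 00")
    print(check_cc((good + crc_a(good)).hex(), 504))
```

A reader that parses NDEF should refuse to walk the claimed length when either check fails, rather than reading up to the size byte 2 advertises.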

#42 2015-05-04 14:56:48

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: [FINISHED] Ultralight Ev1 commands

iceman, given what we know about amiibo thus far (NTAG 215, non-NDEF data, PWD, etc.), what would be the best channel to start an amiibo thread?


#43 2015-05-04 15:08:06

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Here you go,  http://www.proxmark.org/forum/viewtopic … 776#p15776

You can start filling in all that you found out,  like the PWD?!?



#44 2015-05-04 15:11:59

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [FINISHED] Ultralight Ev1 commands

Great guys!
Hope to see some dump soon!
Old amiibos were actually topaz, probably ntag are cheaper and much more usable than a partial iso14443A protocol (like in topaz)

Last edited by asper (2015-05-04 15:13:07)


#45 2015-05-05 00:46:18

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

I've been remaking some "hf mfu" commands, and with @marshmellow, we had done some work on it.
If it will be ready, I don't know, but it's much better than before at least :)

There are changes in the "hf mfu" commands; among others, "hf mfu info" is now able to distinguish between UL/ULC/ULEV1/NTAG213/NTAG215/NTAG216 (but I don't have NTAGs to verify it). It kind of prints out a lot of stuff about the tag.
It tries to detect if it is magic, or if it has some default 3DES keys, it reads some counters, ...

If you start with "hf 14a reader", and it says something like UL, then see it as a starting point to go next to "hf mfu info"...

There is more to be implemented from the datasheets, but it's a good start if I may say so.



#46 2015-05-05 03:47:36

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,295

Re: [FINISHED] Ultralight Ev1 commands

btw, most of the work has been done by iceman... :)  I'd say in about 1-2 weeks we'll be ready to commit to the master. (guesstimate)


#47 2015-05-05 09:34:47

iceman
Administrator
Registered: 2013-04-25
Posts: 5,613
Website

Re: [FINISHED] Ultralight Ev1 commands

Well, this was just meant to be about UL/ULC..  then it got UL-EV1,..  and now all NTAG...

