Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2015-05-07 21:04:03

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

[SOLVED] italian public transportation system (UL-EV1)

Since the implementation of calling "hf mfu info" with a key,  we can now see configuration even if it is locked.

TAGINFO:

pm3 --> hf 14a read
 UID : 04 57 B6 E2 05 3F 80
ATQA : 00 44
 SAK : 00 [2]
TYPE : NXP MIFARE Ultralight EV1 48 bytes

pm3 --> hf mfu i k 4af84b19

--- Tag Information ---------
-------------------------------------------------------------
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
       UID : 04 57 B6 E2 05 3F 80
    UID[0] : 04, Manufacturer: NXP Semiconductors Germany
      BCC0 : 6D, Ok
      BCC1 : 58, Ok
  Internal : 48, default
      Lock : 70 00  - 0000000001110000
OneTimePad : 00 00 00 00  - 00000000000000000000000000000000

--- UL-EV1 Counters
       [0] : 09 00 00
                    - BD tearing Ok
       [1] : 09 00 00
                    - BD tearing Ok
       [2] : 00 00 00
                    - BD tearing Ok

--- UL-EV1 Signature
IC signature public key name  : NXP NTAG21x 2013
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
    Elliptic curve parameters : secp128r1
            Tag ECC Signature : 79 69 D1 13 02 85 CB CE 8E AB 68 C9 BB D7 67 49 0A 41 4F 0D FA 4C 7F CD 9F 0A A0 B7 89 4A C3 3E


--- UL-EV1 Configuration
 cfg0 [16/0x10]: 00 00 00 00
                    - page 0 and above need authentication
                    - strong modulation mode disabled
 cfg1 [17/0x11]: C0 05 00 00
                    - Unlimited password attempts
                    - user configuration permanently locked
                    - read and write access is protected with password
                 05 - Virtual Card Type Identifier is  default
 PWD  [18/0x12]: 00 00 00 00
 PACK [19/0x13]: 00 00 00 00

--- UL-EV1 / NTAG Version
       Raw bytes : 00 04 03 01 01 00 0B 03
       Vendor ID : 04, Manufacturer: NXP Semiconductors Germany
    Product type : 03, Ultralight
 Product subtype : 01, 17 pF
   Major version : 01
   Minor version : 00
            Size : 0B (64 <-> 32 bytes)
   Protocol type : 03

DUMP

pm3 --> hf 14a raw -p -c 3a0013
received 82 octets
04 57 B6 6D 
E2 05 3F 80 
58 48 70 00  -- 58 bcc1, 48 default byte,  lock: 0x70 0x00 
00 00 00 00   -- otp
14 9B B9 67   -- first user data page
B5 B0 45 71 
D5 27 4A FE 
17 B8 3F BA 
23 EA 19 E6 
19 F2 22 3A 
BD CB AC BF
F1 C5 67 6D 
70 52 34 B6 
38 A5 87 E1 
F8 2F BB 23 
0C 1F 7F CE  -- last user data page
00 00 00 00  -- cfg0  [all pages are password protected]
C0 05 00 00  -- cgf1  [ 0xC0 == PROT & CONFIGLOCK,   no AuthLimit.  :) ]
00 00 00 00  -- pwd  [all zero out]
00 00 00 00  -- pack [all zero out]

Last edited by iceman (2015-11-10 19:48:42)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#2 2015-05-07 22:48:01

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

this is a reading of user data of the ticket described above, with
the counters
[00] 04 00 00
[01] 04 00 00
[02] 00 00 00




14 9b b9 67  -- first user data page
b5 b0 45 71
d5 27 4a fe
17 b8 3f ba           
39 ac 94 48
cb 12 66 22
42 95 d9 e2
45 28 04 d9             
cf  86 83 01
7d 33 a3 dc
13 fb bc 39
50 b6 da 67  -- last user data page

Last edited by tristanik (2015-05-07 23:33:47)

Offline

#3 2015-05-07 22:49:18

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

collection of UID/psw

UID :  04 57 B6  E2 05 3F 80    psw: 4a  f8  4b  19
UID :  04 BD 25  E2 05 3F 80   psw:  33  6b  a1  19
UID :  04 80 96  E2 05 3F 81    psw:  ff  90  6c  b2

Offline

#4 2015-05-07 23:02:58

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

Can you add the PACK to the collection UID/psw/pack ?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2015-05-07 23:11:50

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

collection of UID/psw

UID :  04 57 B6  E2 05 3F 80    psw: 4a  f8  4b  19      pack:    e5 be 74 d5
UID :  04 BD 25  E2 05 3F 80   psw:  33  6b  a1  19    pack:   9c 2d ba 54
UID :  04 80 96  E2 05 3F 81    psw:  ff  90  6c  b2      pack:    12 9e 76 c5

Offline

#6 2015-05-08 08:00:33

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

this is the dump of tag with UID: 04 BD 25  E2 05 3F 80  and counters to zero. Virgin tag

UID:                04 bd 25 e2 05 3f 80
PASSWORD:    33  6b  a1  19
PACK:             9c  2d  ba  54

COUNTERS

[00] 00 00 00
[01] 00 00 00
[02] 00 00 00



04  bd  25  14
e2  05  3f  80
58  48  70  00
00  00  00  00
c5  21  a5  0b  -- first user data page
bd  6f  16  bb
b6  52  87  7e
f6  a9  37  df         
f4  b8  df  5c
16  79  7a  46
ec  ef  d4  8b
9f  43  fe  8f           
52  21  79  77
0c  ac  00  28
bf  24  cb  7a
f8  76  e1  59  -- last user data page

Last edited by tristanik (2015-05-08 08:00:54)

Offline

#7 2015-05-14 08:47:03

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

collection of UID/psw

UID :  04 57 B6  E2 05 3F 80     PSW:  4A F8  4B  19     PACK:   E5 BE 74 D5
UID :  04 BD 25  E2 05 3F 80     PSW:  33 6B  A1  19    PACK:   9C 2D BA 54
UID :  04 80 96  E2 05 3F 81     PSW:  FF 90  6C   B2    PACK:   12 9E 76 C5
UID :  04 82 7F  E2 05 3F 81     PSW:  14 79  6E   B2    PACK:    F9 77 88 B2
UID :  04 A4 15  52 05 3F 80     PSW:  C4 05  D6  47    PACK:   05 1D 7C AB

Offline

#8 2015-05-14 09:20:31

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

I found a weak correlation between UIDs and PWDs; if you are able to provide more examples I can check if I am correct.

Offline

#9 2015-05-14 10:53:10

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

thanks . Today i try to sniff other passwords

Offline

#10 2015-05-14 20:57:38

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

UID :  04 BF 52  E2 05 3F 80     PSW : 46 1C  A3  19    PACK:   E9 5A FE DD
UID :  04 CC 52  E2 05 3F 80     PSW : 35 1C  D0  19    PACK:   9A 5A 52 07

Offline

#11 2015-05-14 22:21:35

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

I cleaned it up.

UID:                  PWD::        PACK:
----------------------------------------
04 A4 15  52053F80 |  C4 05 D6 47 | 05 1D

04 57 B6  E2053F80 |  4A F8 4B 19 | E5 BE
04 BD 25  E2053F80 |  33 6B A1 19 | 9C 2D
04 BF 52  E2053F80 |  46 1C A3 19 | E9 5A
04 CC 52  E2053F80 |  35 1C D0 19 | 9A 5A

04 80 96  E2053F81 |  FF 90 6C B2 | 12 9E
04 82 7F  E2053F81 |  14 79 6E B2 | F9 77

Last edited by iceman (2015-05-17 21:37:50)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#12 2015-05-14 23:25:50

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

Ok my theory seems to work but i have only partial "decoding" (it seems to be something "table-related" like something recently studied iceman...).

Give me more time (and maybe more examples) and i will try to find a solution.

Offline

#13 2015-05-15 10:55:05

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

Where we discuss this in the forum?

Offline

#14 2015-05-15 18:05:03

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

I found strong relation in UID - PACK.

5th uid nibble == 3rd pack nibble

UID:                  PACK:
----------------------------------------
0457 B 6E2053F80 | E5 B E
04A4 1 552053F80 | 05 1 D
04BD 2 5E2053F80 | 9C 2 D
04BF 5 2E2053F80 | E9 5 A
04CC 5 2E2053F80 | 9A 5 A
0480 9 6E2053F81 | 12 9 E
0482 7 FE2053F81 | F9 7 7

Last edited by iceman (2015-05-17 09:52:25)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#15 2015-05-15 20:01:23

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: [SOLVED] italian public transportation system (UL-EV1)

iceman wrote:

I found strong relation in UID - PACK.

5th uid nibble == 3rd pack nibble
6th uid nibble =+15d 4th path nibble (or XOR 0x08h)

UID:                  PACK:
----------------------------------------
0457 (B6) E2053F80 | E5 (BE)
04A4 (15) E2053F80 | 05 (1D)
04BD (25) E2053F80 | 9C (2D)
04BF (52) E2053F80 | E9 (5A)
04CC (52) E2053F80 | 9A (5A)
0480 (96) E2053F81 | 12 (9E)
0482 (7F) E2053F81 | F9 (77)

Offline

#16 2015-05-15 20:18:37

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

good one, midnitesake!   (welcome back smile

3byte UID xor 8 == 2nd byte PACK.

Marshmellow and I have been remaking the UL commands you did,  hope you don't mind.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#17 2015-05-15 22:42:43

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

I think PACK[0] is calculated with xoring the three first UID bytes.

Which would leave th PACK gen ALGO to:

PACK BYTES CALC:
-----------------------------------------
[00]  UID[0] ^ UID[1] ^ UID[2]
[01]  UID[2] ^ 8 

---sample:
UID:                           PACK:
----------------------------------------
04 57 [B6] E2053F80 | E5 [BE]  04 ^ 57 ^ b6 == E5
04 BF [52] E2053F80 | E9 [5A]  04 ^ BF ^ 52 == E9

Last edited by iceman (2015-05-15 22:46:17)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#18 2015-05-15 22:50:51

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

Now this is interesting, since we know how to calc the PACK,  it should be able to simulate a tag smile

reader will send PWD, UID,    PM3 will read the UID and  the AUTH request and respond with PACK,  and the reader will continue to communicate with our simulated tag.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#19 2015-05-16 00:38:44

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

then the PACK is independent of PSW ...

Offline

#20 2015-05-16 00:53:20

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

There is a transcription error Iceman, the second UID is  :  04 A4 15  52 05 3F 80

Last edited by tristanik (2015-05-16 07:47:52)

Offline

#21 2015-05-16 08:32:52

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: [SOLVED] italian public transportation system (UL-EV1)

iceman wrote:

good one, midnitesake!   (welcome back smile

...

Marshmellow and I have been remaking the UL commands you did,  hope you don't mind.

Thanks for the shout out. I really don't mind about the remake, theres some really good work there smile best thing about communities we can tweak and improve each others ideas/work.

Life is still hectic, I pop in now and again.  At the moment my proxmark is gathering dust.
Most likely won't be very active till end of the year/next year; Hopefully I can add another LF card  wink

Offline

#22 2015-05-16 08:45:25

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

@tristanik,   are you sure?  It looked like a spelling mistake,  since all others has 0xE

@midnitesnake,  if you haven't upgraded yr PM3 since autumn, you'r in for a ride.  Plenty of new good stuff in LF,  and great fixes in HF.  Do you have a BCARD laying around?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#23 2015-05-16 21:09:13

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

yes Iceman , this is a 60h of the ticket

proxmark3> hf 14a raw  -c -p -s  60
received 7 octets         
04 A4 15 52 05 3F 80           
received 10 octets         
00 04 03 01 01 00 0B 03 FD F7           
proxmark3>

Offline

#24 2015-05-16 21:14:33

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

ok then,


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#25 2015-05-16 23:00:02

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

Unfortunately i am low in time; did you find any further uid->pwd correlations ice ?

Offline

#26 2015-05-16 23:40:32

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

I'm guessing its in the line you suggested...


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#27 2015-05-17 09:45:10

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

midnitesnake wrote:
iceman wrote:

I found strong relation in UID - PACK.

5th uid nibble == 3rd pack nibble
6th uid nibble =+15d 4th path nibble (or XOR 0x08h)

UID:                  PACK:
----------------------------------------
0457 (B6) E2053F80 | E5 (BE)
04A4 (15) E2053F80 | 05 (1D)
04BD (25) E2053F80 | 9C (2D)
04BF (52) E2053F80 | E9 (5A)
04CC (52) E2053F80 | 9A (5A)
0480 (96) E2053F81 | 12 (9E)
0482 (7F) E2053F81 | F9 (77)

Welcome back man !

If we can get more samples I think we will find out the algo. Remember that the algo is proprietary !

Offline

#28 2015-05-17 14:26:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

Low nibble 4th-byte-PWD = (low nibble last UID byte) XOR (1st, 2nd, 3rd low nibbles-PWD)

ex.
UID |  PWD
04 A4 15  E2053F80  |   C4 05 D6 47
04 A4 15  E2053F8[0]   |   C[4] 0[5] D[6] 4(7)  -> [0] ^ [4] ^ [5] ^ [6] = (7)

It can be a kind of control "checksum".

Last edited by asper (2015-05-17 14:26:52)

Offline

#29 2015-05-17 14:48:26

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

Good one, Asper!


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#30 2015-05-17 20:48:12

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

great find!

Offline

#31 2015-05-17 21:19:14

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

well,  i found something..  (zero-based index)
UID[1] ^ fixed value== PWD[1] 
UID[2] ^ fixed value== PWD[2]

however, this fixed valueis different for the three groups of UID data samples we got.

---grp 1
04 [A4] [15] 52 053F80 | C4 05 D6 47 
                            10 72 -- fixed 
---grp 2
04 [57] [B6] E2 053F80 | 4A F8 4B 19 
                            4E 1C -- fixed 
04 [BD] [25] E2 053F80 | 33 6B A1 19 
                            4E 1C -- const
04 [BF] [52] E2 053F80 | 46 1C A3 19 
                            4E 1C -- fixed 
04 [CC] [52] E2 053F80 | 35 1C D0 19 
                            4E 1C -- fixed 
---grp 3
04 [80] [96] E2 053F81 | FF 90 6C B2 
                            06 EC -- fixed 
04 [82] [7F] E2 053F81 | 14 79 6E B2 
                            06 EC -- fixed 

Last edited by iceman (2015-05-24 21:06:04)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#32 2015-05-19 12:24:33

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

All pwd bytes, can be matched to a fixed value for the different groups of UID we have.

Last edited by iceman (2015-05-24 21:06:18)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#33 2015-05-24 10:31:35

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

Just to point out the pack algo byte0 is not correct:
The correct one should be:

[00]  UID[0] ^ UID[1] ^ UID[2] ^ UID[3] ^ E2
(where E2 is a fixed value just like the 08 for pack byte1)

I think that more data are needed to find the correct algo because it can also be:
[00]  UID[0] ^ UID[1] ^ UID[2] ^ UID[3] ^ UID[4] ^ UID[5] ^ E2

Last edited by asper (2015-05-24 10:40:41)

Offline

#34 2015-05-24 18:40:51

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

as soon as possible i will sniff other PSW

Offline

#35 2015-05-24 21:28:58

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

The extension of checksum can almost be done for hi-nibble of PWD[3],  if we follow aspers idea.


UID |  PWD
------------------------------------
04 A4 15  52053F80  |   C4 05 D6 47
04 A4 15  [5]2053F80   |   [C]4 [0]5 [D]6 (4)7  ->  [5] ^ [c] ^ [0] ^ [d] = (4)

This works for groups:  52053F80 , E2053F80
       but not for group:  E2053F81


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#36 2015-05-28 14:15:40

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

I did a test. I created an ultralight Magic with uid = 00 00 00 00 00 00 00     , and as I got  PSW = 4f 27 11 c1

Last edited by tristanik (2015-05-28 14:23:18)

Offline

#37 2015-05-28 14:58:26

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

Can you post a log of the sniff ?

Offline

#38 2015-05-28 19:20:44

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

26
TAG 44 00
    93 20 00
TAG 88 00 00 00 88
    93 70 88 00 00 00 88 a9 01 00
TAG 04 da 17
    95 20 00
TAG 00 00 00 00 00
    95 70 00 00 00 00 00 51 81 00
TAG 00 fe 51
    1b 4f 27 11 c1 46 83 00
Uff
    1b 4f 27 11 c1 46 83
    1b 4f 27 11 c1 46 83
    1b 4f 27 11 c1 46 83

Offline

#39 2015-05-29 10:44:53

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [SOLVED] italian public transportation system (UL-EV1)

What if you try to write the same password in the tag? Does the reader go further in sending commands to the tag?

Offline

#40 2015-05-29 19:50:53

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

@ Asper . this tag is a magic ultralight , don't have psw address .
the machine give a password because it is the answer uid tag, but then communication stops


i have try UID= 00 00 00 00 00 00 01    psw= 07 d7 bb 82

Ufc 26
U0f 00 00
Uff 93 20
U0f 00 00 00 00 00
Uff 93 70 88 00 00 00 88 a9 01
U0f 00 00 00
Uff 95 20
U0f 00 00 00 00 00
Uff 95 70 00 00 00 01 01 00 89
U0f 00 fc 50
Uff 1b 07 d7 bb 82 0d de
U00
TAG 00 00
    1b 07 d7 bb 82 0d de
    1b 07 d7 bb 82 0d de
    1b 07 d7 bb 82 0d de

Offline

#41 2015-05-31 19:12:27

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

yeah... @asper has requested a  ul/ulc/ul-ev1/ntag  sim to make it easier collecting those pwd's...


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#42 2015-06-09 21:38:28

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

UID: 00 00 00 00 00 00 00    PSW:  4f 27 11 c1
UID: 10 00 00 00 00 00 00    PSW:  4f 37 01 c1
UID: 01 00 00 00 00 00 00    PSW:  4f 26 10 c1
UID: 00 01 00 00 00 00 00    PSW:  4e 27 10 c1

Offline

#43 2015-06-15 16:02:17

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

I did some changes to the "hf 14a sim"  and it can now simulate a NTAG215..

You should be able to collect UID/PWD using a lua script....


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#44 2015-06-27 12:25:40

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: [SOLVED] italian public transportation system (UL-EV1)

Thanks Iceman

Last edited by tristanik (2015-06-27 13:16:19)

Offline

#45 2015-09-30 12:11:08

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

Great news! big_smile

I just got news that this pwd-algo is broken and there exists a keygen.

Great work!


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#46 2015-10-01 17:16:10

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: [SOLVED] italian public transportation system (UL-EV1)

And now only the data mapping is left..


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

Board footer

Powered by FluxBB