Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-10-12 01:44:46

marzipan
Contributor
Registered: 2018-12-10
Posts: 5

Lock a UFUID card

Recap: a UFUID card appears as a Mifare Classic type card which responds to magic commands (Gen1a) until locked with a command sequence, after which the manufacturer block is fused (locked).

I just received some UFUID tags from an AliExpress seller (search 'UFUID'). I programmed one of these with magic commands. Then thanks to hfmfsniff (http://www.proxmark.org/forum/viewtopic … 767#p35767), I was able to lock block 0 with a Proxmark3. It is now undetectable as a clone by the FDi readers on my apartment block smile

This my script (ufuid_lock.lua):

local getopt = require('getopt')
local utils = require('utils')

author = "Marzipan"
desc =
[[
This script will lock a Chinese UFUID magic card. As supplied a UFUID 
card appears as a Gen1a card until a sequence permanently locks the 
manufacturer block (block 0). Prompts for confirmation before locking.
]]
example = [[
script run ufuid_lock
]]
usage = [[
script run ufuid_lock [-h] [-d]

optional arguments:
        -h      this help
        -d      debug output on
]]
--------------------
-- See:
-- http://www.proxmark.org/forum/viewtopic.php?pid=32307#p32307
--------------------
-- Some utilities 
--------------------
local DEBUG = false
--- 
-- A debug printout-function
function dbg(args)
	if DEBUG then
		print("###", args)
	end
end 

--- 
-- This is only meant to be used when errors occur
function oops(err)
	print("ERROR: ",err)
        core.clearCommandBuffer()
	return nil,err
end

--- 
-- Usage help
function help()
	print(desc)
	print("Example usage")
	print(example)
        print(usage)
end

--------------------
-- The main entry point
function main(args)
	local verbose = false
	-- Read the parameters
	for o, a in getopt.getopt(args, 'hd') do
		if o == "h" then help() return end
		if o == "d" then DEBUG = true end
	end
	dbg("debug not used")
	print("This will permanently lock block 0 (if UFUID card is present),")
	if (utils.confirm("confirm when ready") == false) then return
	end
	core.console("hf 14a raw -p -a -b 7 40")
        core.console("hf 14a raw -p -a 43")
        core.console("hf 14a raw -p -a e0  00  39  f7")
        core.console("hf 14a raw -p -a e1  00  e1  ee")
        core.console("hf 14a raw -p -a 85  00  00  00  00  00  00  00  00  00  00  00  00  00  00  08  18  47")
end

-- Call the main 
main(args)

When my unfused UFUID card (tag) is present:

[+] Answers to magic commands (GEN 1a): YES

The script output is:

received 1 bytes
0A
received 1 bytes
0A
received 18 bytes
7A FF 00 00 00 00 00 00 BA FA 00 00 00 00 00 08 F1 69
received 1 bytes
0A
received 1 bytes
0A

After the same card is locked, the output is:

received 0 bytes
received 0 bytes
received 0 bytes
received 0 bytes
received 0 bytes

Result of hf search (same card):

[=] Answers to magic commands: NO

So it should be possible to identify an unfused UFUID by sending the first raw command, then testing for response 0x0A... but this is beyond me for now. This is my first script hmm

Offline

Board footer

Powered by FluxBB