Research, development and trades concerning the powerful Proxmark3 device.
I bought the NTAG21x keyfobs from rfxsecure.com. I already have some NTAG21x credit-card-form originally bought from IceSQL shop which work fine.
The Rfxsecure keyfobs are a real PITA to work with. First of all you have to position it very precisely and repeat the wipe "script run mfu_magic -w" until there is no timeout. After that you have to repeat programming the type and UID until there is no timeout. Took me quite a while to get the first keyfob programmed.
Haven't tested how they will work against real readers in the wild, will update.
Offline
Sad to hear, I don't think I tested the keyfobs from rfxsecure yet.
Do you have the output from the following commands?
hf 14a info
hf mfu info
script run mfu_magic -w
hf 14a list
[moved to trade section]
Offline
This is the result from an already programmed keyfob. At least when I tested it against a real reader, it worked fine, but the programming requires the right positioning (note the select failures until I found the right position).
pm3 --> hf 14a info
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
[!] iso14443a card select failed
TYPE: Possible AZTEK (iso14443a compliant)
pm3 --> hf 14a info
[!] iso14443a card select failed
pm3 --> hf 14a info
[!] iso14443a card select failed
pm3 --> hf 14a info
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
MANUFACTURER : NXP Semiconductors Germany
SAK incorrectly claims that card doesn't support RATS
ATS : 0D 78 00 71 02 89 01 A0 10 20 18 33 AA C4 70
- TL : length is 13 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [], DS: []
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 7 (FWT = 524288/fc)
- TC1 : NAD is NOT supported, CID is supported
[=] Answers to magic commands: NO
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
UID : 04 11 22 33 44 55 66
UID[0] : 04, NXP Semiconductors Germany
BCC0 : BF, Ok
BCC1 : 44, Ok
Internal : 48, default
Lock : 00 00 - 00
OneTimePad : 00 00 00 00 - 0000
--- Tag Counters
--- Tag Signature
IC signature public key name : NXP NTAG21x (2013)
IC signature public key value : 04 49 4E 1A 38 6D 3D 3C FE 3D C1 0E 5D E6 8A 49 9B 1C 20 2D B5 B1 32 39 3E 89 ED 19 FE 5B E8 BC 61
Elliptic curve parameters : secp128r1
Tag ECC Signature : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--- Tag Version
Raw bytes : 00 04 03 01 01 00 0B 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 03, Ultralight
Product subtype : 01, 17 pF
Major version : 01
Minor version : 00
Size : 0B, (64 <-> 32 bytes)
Protocol type : 03 (ISO14443-3 Compliant)
--- Tag Configuration
cfg0 [16/0x10] : 00 00 00 FF
- strong modulation mode disabled
- pages don't need authentication
cfg1 [17/0x11] : 00 05 00 00
- Unlimited password attempts
- NFC counter disabled
- NFC counter password protection enabled
- user configuration writeable
- write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [18/0x12] : 00 00 00 00 - (cannot be read)
PACK [19/0x13] : 00 00 - (cannot be read)
RFU [19/0x13] : 00 00 - (cannot be read)
--- Known EV1/NTAG passwords.
password not known
pm3 --> script run mfu_magic -w
[+] Executing: mfu_magic.lua, args '-w'
----------------------------------------
----------------------------------------
auth hf 14a raw -c -s -p
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
0A
received 1 bytes
[...]
turning off
received 1 bytes
00
setting default values...
Setting: NTAG 213
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
New type : NTAG 213
Writing
new UID | 04112233445566
Blk# |
00 |041122BF
01 |33445566
02 |44480000
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
New UID : 04112233445566
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
New PASSWORD : FFFFFFFF
Card selected. UID[7]:
04 11 22 33 44 55 66
received 1 bytes
0A
New PACK : 0000
[+] Finished
pm3 --> hf 14a list
trace pointer not allocated
Recorded Activity (TraceLen = 160 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 11 22 bf | |
19072 | 29536 | Rdr |93 70 88 04 11 22 bf b3 f9 | ok | SELECT_UID
30772 | 34292 | Tag |04 da 17 | |
35584 | 38048 | Rdr |95 20 | | ANTICOLL-2
39220 | 45044 | Tag |33 44 55 66 44 | |
47488 | 57952 | Rdr |95 70 33 44 55 66 44 ec a3 | ok | ANTICOLL-2
59188 | 62772 | Tag |00 fe 51 | |
77056 | 86368 | Rdr |a2 f1 00 00 00 00 c5 2b | ok | WRITEBLOCK(241) (?)
158132 | 158708 | Tag |0a! | |
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
Offline
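A consistency check over the values in the output posted above, as an added example that is not part of the original posts or of the Proxmark3 client: it recomputes the two BCC bytes from the UID, decodes the GET_VERSION size byte, and flags the all-zero originality signature and the ATS returned despite SAK 00. The function names and finding labels are made up for this example.

```python
import re

# Lines copied from the `hf 14a info` / `hf mfu info` output in the post above.
DUMP = """\
UID : 04 11 22 33 44 55 66
SAK : 00 [2]
ATS : 0D 78 00 71 02 89 01 A0 10 20 18 33 AA C4 70
BCC0 : BF, Ok
BCC1 : 44, Ok
Raw bytes : 00 04 03 01 01 00 0B 03
""" + "Tag ECC Signature : " + "00 " * 32 + "\n"

def field(dump, name):
    """Return the hex bytes that follow 'name :' on its line, or None."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*((?:[0-9A-Fa-f]{{2}}\b ?)+)", dump, re.M)
    return bytes.fromhex(m.group(1)) if m else None

def expected_bcc(uid):
    """BCC0 covers cascade tag 0x88 plus UID bytes 0-2, BCC1 covers UID bytes 3-6."""
    return 0x88 ^ uid[0] ^ uid[1] ^ uid[2], uid[3] ^ uid[4] ^ uid[5] ^ uid[6]

def storage_range(size_byte):
    """GET_VERSION size byte: upper 7 bits give n (2**n bytes); LSB set means
    the real size lies between 2**n and 2**(n+1)."""
    lo = 1 << (size_byte >> 1)
    return (lo, lo * 2) if size_byte & 1 else (lo, lo)

def findings(dump):
    """Return labels (hypothetical names) for inconsistencies in the dump."""
    out = []
    uid = field(dump, "UID")
    if expected_bcc(uid) != (field(dump, "BCC0")[0], field(dump, "BCC1")[0]):
        out.append("bcc-mismatch")
    sig = field(dump, "Tag ECC Signature")
    if sig is not None and not any(sig):
        out.append("blank-originality-signature")  # cannot verify against the NXP key
    sak = field(dump, "SAK")
    if field(dump, "ATS") and (sak[0] & 0x20) == 0:
        out.append("ats-without-sak-bit")          # answers RATS, SAK says it should not
    return out

if __name__ == "__main__":
    print(findings(DUMP), storage_range(field(DUMP, "Raw bytes")[6]))
```
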
... sounds like a tricky fob to find good coupling with.
Which version of the script are you running?
script run mfu_magic -h
Offline
That was 1.0.5. After a long search I found 1.1.0, though except for better output it doesn't work better with the tag.
Copyright (c) 2017 IceSQL AB. All rights reserved.
v1.1.0
This script enables easy programming of a MAGIC NTAG 21* card
Also it seems that, no matter what, I can't change the UID when the type is NTAG216 (-t 7). When type is set to Ultralight (-t 2), wipe and set UID works:
pm3 --> script run mfu_magic -w
[+] Executing: mfu_magic.lua, args '-w'
----------------------------------------
----------------------------------------
Wiping tag
.........................................................................................................................................................................................................................................................
setting default values...
Setting: NTAG 213
Writing new version 0004040201000F03
Writing new type 00
Writing new UID 04112233445566
Writing new PWD FFFFFFFF
Writing new PACK 0000
[+] Finished
pm3 --> script run mfu_magic -t 7 -u 04112233445599
[+] Executing: mfu_magic.lua, args '-t 7 -u 04112233445599'
----------------------------------------
----------------------------------------
Setting: NTAG 216
Writing new version 0004040201001303
Writing new type 02
Writing new UID 04112233445599
[+] Finished
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
pm3 --> script run mfu_magic -t 7 -u 04112233445599
[+] Executing: mfu_magic.lua, args '-t 7 -u 04112233445599'
----------------------------------------
----------------------------------------
Setting: NTAG 216
Writing new version 0004040201001303
Writing new type 02
Writing new UID 04112233445599
[+] Finished
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
pm3 --> script run mfu_magic -u 04112233445599
[+] Executing: mfu_magic.lua, args '-u 04112233445599'
----------------------------------------
----------------------------------------
Writing new UID 04112233445599
[+] Finished
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 66
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
pm3 --> script run mfu_magic -t 2 -u 04112233445599
[+] Executing: mfu_magic.lua, args '-t 2 -u 04112233445599'
----------------------------------------
----------------------------------------
Setting: UL-EV1 128
Writing new OTP 00000000
Writing new version 0004030101000e03
Writing new type 01
Writing new UID 04112233445599
[+] Finished
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 99
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
After some experimenting it seems it just doesn't like some types, like '-t 7' or '-t 3' (can't change UID when emulating NTAG216/NTAG210):
pm3 --> script run mfu_magic -t 7 -u 041122334455ee
[+] Executing: mfu_magic.lua, args '-t 7 -u 041122334455ee'
----------------------------------------
----------------------------------------
Setting: NTAG 216
Writing new version 0004040201001303
Writing new type 02
Writing new UID 041122334455ee
[+] Finished
pm3 --> hf 14a reader
UID : 04 11 22 33 44 55 CC
ATQA : 00 44
SAK : 00 [2]
[+] field dropped.
Offline
Are you on latest RRG/Iceman repo?
Then you would need a later version of the script.
Offline
I cloned the latest RRG repo (https://github.com/RfidResearchGroup/proxmark3), but I can't see the mfu_magic script there at all. Unless it was renamed or lost in history.
Offline
It was never there to start with... Only accessible from the vendor. Send me an email.
Offline