Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.

"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-10-12 01:44:46

Registered: 2018-12-10
Posts: 5

Lock a UFUID card

Recap: a UFUID card appears as a Mifare Classic type card which responds to magic commands (Gen1a) until locked with a command sequence, after which the manufacturer block is fused (locked).

I just received some UFUID tags from an AliExpress seller (search 'UFUID'). I programmed one of these with magic commands. Then thanks to hfmfsniff ( … 767#p35767), I was able to lock block 0 with a Proxmark3. It is now undetectable as a clone by the FDi readers on my apartment block smile

This my script (ufuid_lock.lua):

local getopt = require('getopt')
local utils = require('utils')

author = "Marzipan"
desc =
This script will lock a Chinese UFUID magic card. As supplied a UFUID 
card appears as a Gen1a card until a sequence permanently locks the 
manufacturer block (block 0). Prompts for confirmation before locking.
example = [[
script run ufuid_lock
usage = [[
script run ufuid_lock [-h] [-d]

optional arguments:
        -h      this help
        -d      debug output on
-- See:
-- Some utilities 
local DEBUG = false
-- A debug printout-function
function dbg(args)
	if DEBUG then
		print("###", args)

-- This is only meant to be used when errors occur
function oops(err)
	print("ERROR: ",err)
	return nil,err

-- Usage help
function help()
	print("Example usage")

-- The main entry point
function main(args)
	local verbose = false
	-- Read the parameters
	for o, a in getopt.getopt(args, 'hd') do
		if o == "h" then help() return end
		if o == "d" then DEBUG = true end
	dbg("debug not used")
	print("This will permanently lock block 0 (if UFUID card is present),")
	if (utils.confirm("confirm when ready") == false) then return
	core.console("hf 14a raw -p -a -b 7 40")
        core.console("hf 14a raw -p -a 43")
        core.console("hf 14a raw -p -a e0  00  39  f7")
        core.console("hf 14a raw -p -a e1  00  e1  ee")
        core.console("hf 14a raw -p -a 85  00  00  00  00  00  00  00  00  00  00  00  00  00  00  08  18  47")

-- Call the main 

When my unfused UFUID card (tag) is present:

[+] Answers to magic commands (GEN 1a): YES

The script output is:

received 1 bytes
received 1 bytes
received 18 bytes
7A FF 00 00 00 00 00 00 BA FA 00 00 00 00 00 08 F1 69
received 1 bytes
received 1 bytes

After the same card is locked, the output is:

received 0 bytes
received 0 bytes
received 0 bytes
received 0 bytes
received 0 bytes

Result of hf search (same card):

[=] Answers to magic commands: NO

So it should be possible to identify an unfused UFUID by sending the first raw command, then testing for response 0x0A... but this is beyond me for now. This is my first script hmm


Board footer

Powered by FluxBB