Timeline/clues:
Blofeld 2015-12-03 00:21:34 #46 managed to sniff passwords for a lot of UIDs.
Iceman 2015-12-03 09:20:34 #49 presumes CRC/hash.
DRRB 2015-12-03 15:44:03 #51 Notes chip LPC11U2x Cortex-M0 @33MHz with 32 kB flash inside the toypad.
jump 2015-12-07 22:16:29 #63 suggests JTAG on Cortex-M0 and download firmware.
sllabgib 2015-12-08 21:14:00 #66 notices J2 inside the toypad. Possibly being the JTAG connector.
sllabgib 2015-12-08 22:42:10 #68 suspects J2 is serial, not JTAG. Suggests attaching wires to JTAG pins of Cortex-M0.
jump 2015-12-08 23:04:17 #69 concludes JTAG cannot work, but SWD (Serial Wire Debug) might still work. Might.
DRRB 2015-12-27 13:26:36 #73 sees no clear text password between game console and toypad. This might mean passwords are generated inside the Cortex-M0.
ags131 2015-12-28 04:25:35 #81 points to url https://github.com/ags131/node-ld (https://github.com/AlinaNova21/node-ld nowadays). Does not contain pwdgen nor TEA in 2015.
bettse 2016-01-09 08:11:48 #95 states "The pwd generation algorithm has been found."
bettse 2016-01-15 16:42:55 #101 adds "To the best of my knowledge, it hasn't been released publicly yet, but I was not alone in working to find it. I wrote some of the code to prove it out, but finding it was an effort by many people on many fronts."
bettse 2016-02-10 18:13:23 #158 states "Toypad firmware. It won't write to any page 0x28 or above." This might indicate bettse has knowledge of the toypad firmware which might indicate he/she obtained it somehow.
bettse 2016-02-20 22:27:36 #199 talks about different layers between console and tag. This might be proof he/she investigated all those layers to find the correct one computing the passwords and encrypting/decrypting character ID.
Those are the clues I have after reading http://www.proxmark.org/forum/viewtopic.php?id=2657.
I used all my Google Fu to find the firmware, or other hints how you people discovered pwdgen/tea/scramble, but couldn't find it. Said topic contains the best clues. User bettse seems to be part of the group who figured it all out.
Being a LEGO Dimensions fan, a mathematician, an amateur hacker, a security minded person, I would love to obtain the firmware of the toypad and "rediscover" the password algorithm by disassembling the firmware myself. (And if it is not in the firmware, I would guess the algorithm was found by disassembling the code for the PlayStation console, being x86.)
Thanks!

If you are still interested in the PACK that the real tag gives, I think I got it. I can only read either the reader or the tag at any given time because I can't put the proxmark in between.
TAG:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 2368 | Tag |44 00 | |
154208 | 160096 | Tag |88 04 84 5a 52 | |
341696 | 345216 | Tag |04 da 17 | |
487776 | 493600 | Tag |52 a1 70 80 03 | |
667136 | 670720 | Tag |00 fe 51 | |
872496 | 877168 | Tag |00 00 a0 1e | |
1007600 | 1028400 | Tag |00 00 41 50 00 00 31 31 00 21 03 27 00 31 73 66 2b fa | |
1270160 | 1291024 | Tag |00 00 31 31 00 21 03 27 00 31 73 66 56 80 4f 01 4e 2f | |
1432512 | 1453312 | Tag |00 21 03 27 00 31 73 66 56 80 4f 01 00 00 00 00 ce db | |
1595216 | 1616016 | Tag |00 31 73 66 56 80 4f 01 00 00 00 00 00 00 00 00 32 f0 | |
1757920 | 1778784 | Tag |56 80 4f 01 00 00 00 00 00 00 00 00 00 00 00 00 bd a4 | |
Reader:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 1056 | Rdr |26 | |
151280 | 153744 | Rdr |93 20 | |
318656 | 329120 | Rdr |93 70 88 04 84 5a 52 98 4b | |
471488 | 473952 | Rdr |95 20 | |
644096 | 654624 | Rdr |95 70 52 a1 70 80 03 b2 62 | |
851712 | 859936 | Rdr |1b 8a 7f 5f 60 1c fb | |
990320 | 995024 | Rdr |30 04 26 ee | |
1252544 | 1257248 | Rdr |30 05 af ff | |
1415248 | 1420016 | Rdr |30 06 34 cd | |
1577936 | 1582704 | Rdr |30 07 bd dc | |
1740640 | 1745344 | Rdr |30 08 4a 24 | |
So the PACK is most likely 0000a01e here. The UID of the tag is 04845A52A17080 and the password is 8a7f5f60.
As for simulating the UIDs and getting the trace, I am not sure if it's feasible because the reader initiates a connection only once. After that, you need to "simulate" the back cover being opened, then closed, and the power button needs to be pressed again.
If anyone wants to collect the above info for their tag:
Tag: put the proxmark inside the filter and fit it inside the purifier.
Reader: put the filter beneath the purifier with the tag pointed up, and the proxmark inside the purifier.
Also, block 6 for me is 00210327, so I speculate that maybe it's the production date in the form "00YYMMDD".
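As an added example (not code from the post), the following Python decodes the two captures above: it checks CRC_A and BCC on each frame, rebuilds the 7-byte UID from the two SELECT cascade levels, and splits the PWD_AUTH password and the 2-byte PACK from their trailing CRC bytes. `RDR`, `TAG`, `crc_a` and `decode` are names chosen here; the frame bytes are copied from the post.

```python
# Added example: decode the Proxmark reader/tag captures from the post.
# Frames as hex strings, copied from the reader and tag traces above.
RDR = ["26", "93 20", "93 70 88 04 84 5a 52 98 4b", "95 20",
       "95 70 52 a1 70 80 03 b2 62", "1b 8a 7f 5f 60 1c fb", "30 04 26 ee"]
TAG = ["44 00", "88 04 84 5a 52", "04 da 17", "52 a1 70 80 03",
       "00 fe 51", "00 00 a0 1e"]


def crc_a(data: bytes) -> bytes:
    """CRC_A from ISO 14443-3 (reflected poly 0x8408, init 0x6363), LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def bcc_ok(uid_part: bytes) -> bool:
    """BCC is the XOR of the four UID bytes sent in one cascade level."""
    bcc = 0
    for b in uid_part[:4]:
        bcc ^= b
    return bcc == uid_part[4]


def decode(rdr_hex, tag_hex):
    rdr = [bytes.fromhex(f) for f in rdr_hex]
    tag = [bytes.fromhex(f) for f in tag_hex]
    out, uid, selected = {}, b"", False
    for f in rdr:
        if f[0] in (0x93, 0x95) and f[1] == 0x70:  # SELECT: 4 UID bytes + BCC + CRC
            if not (crc_ok(f) and bcc_ok(f[2:7])):
                raise ValueError("bad SELECT frame: " + f.hex())
            part = f[2:6]
            uid += part[1:] if part[0] == 0x88 else part  # 0x88 = cascade tag
        elif f[0] == 0x1B and crc_ok(f):  # PWD_AUTH: cmd + 4-byte password + CRC
            out["pwd"] = f[1:5].hex()
    for f in tag:
        if not selected:  # SAK (1 byte + CRC); bit 0x04 clear = UID complete
            selected = len(f) == 3 and crc_ok(f) and not f[0] & 0x04
        elif len(f) == 4 and crc_ok(f):  # first CRC-framed reply after select
            out["pack"] = f[:2].hex()
            break
    out["uid"] = uid.hex()
    return out


if __name__ == "__main__":
    print(decode(RDR, TAG))
```

The same CRC check also confirms each READ command (`30 xx`) in the reader capture carries a valid CRC_A, so `26 ee`, `af ff` and so on are framing, not payload.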

core.console("hf mfu sim -t 2")
Everything worked, it is defined as Mifare Ultralight.

Question: I get that I have to sniff and try to apply the tear-off technique (even though I am not sure I will be able to), but will it work on an NXP Ultralight EV1 MF0ULx1 card?
If not, will it work on the magic NTAG 21X modifiable card?
If yes, any help will be appreciated.
Thank you for your answer.

--- UL-C Configuration
Higher Lockbits [40/0x28]: 00 00 00 00 - 0000000000000000
Counter [41/0x29]: 00 00 00 00 - 0000000000000000
Auth0 [42/0x2A]: 30 00 00 00 page 48/0x30 and above need authentication
Auth1 [43/0x2B]: 00 00 00 00 read and write access restricted
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
[=] Trying some default 3des keys
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[+] Found default 3des key:
[=] deskey1 [44/0x2C]: 42 52 45 41 [BREA]
[=] deskey1 [45/0x2D]: 4B 4D 45 49 [KMEI]
[=] deskey2 [46/0x2E]: 46 59 4F 55 [FYOU]
[=] deskey2 [47/0x2F]: 43 41 4E 21 [CAN!]
[=] 3des key: 49454D4B41455242214E4143554F5946
[+] TYPE: MIFARE Ultralight C (MF0ULC)
[+] Reading tag memory...
[#] Cmd Error: 00
[#] Read block 44 error
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 42 ( 172 bytes )
[=] Header size..... 56 bytes
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] DYNAMIC LOCK: 00 00 00
[=] 0/0x00 | 04 03 C5 4A | | ...J
[=] 1/0x01 | CA 4D 61 81 | | .Ma.
[=] 2/0x02 | 67 48 80 01 | | gH..
[=] 3/0x03 | 00 00 00 00 | 0 | ....
[=] 4/0x04 | 02 00 00 10 | 0 | ....
[=] 5/0x05 | 00 06 01 10 | 0 | ....
[=] 6/0x06 | 11 FF 00 00 | 0 | ....
[=] 7/0x07 | 63 69 84 11 | 1 | ci..
[=] 8/0x08 | 33 16 66 28 | 1 | 3.f(
[=] 9/0x09 | 00 00 00 00 | 0 | ....
[=] 10/0x0A | 00 00 00 00 | 0 | ....
[=] 11/0x0B | 00 00 00 00 | 0 | ....
[=] 12/0x0C | 00 00 00 00 | 0 | ....
[=] 13/0x0D | 00 00 00 00 | 0 | ....
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 00 00 | 0 | ....
[=] 16/0x10 | 00 00 00 00 | 0 | ....
[=] 17/0x11 | 00 00 00 00 | 0 | ....
[=] 18/0x12 | 00 00 00 00 | 0 | ....
[=] 19/0x13 | 00 00 00 00 | 0 | ....
[=] 20/0x14 | 00 00 00 00 | 0 | ....
[=] 21/0x15 | 00 00 00 00 | 0 | ....
[=] 22/0x16 | 00 00 00 00 | 0 | ....
[=] 23/0x17 | 00 00 00 00 | 0 | ....
[=] 24/0x18 | 00 00 00 00 | 0 | ....
[=] 25/0x19 | 00 00 00 00 | 0 | ....
[=] 26/0x1A | 00 00 00 00 | 0 | ....
[=] 27/0x1B | 00 00 00 00 | 0 | ....
[=] 28/0x1C | 00 00 00 00 | 0 | ....
[=] 29/0x1D | 00 00 00 00 | 0 | ....
[=] 30/0x1E | 00 00 00 00 | 0 | ....
[=] 31/0x1F | 00 00 00 00 | 0 | ....
[=] 32/0x20 | 00 00 00 00 | 0 | ....
[=] 33/0x21 | 00 00 00 00 | 0 | ....
[=] 34/0x22 | 00 00 00 00 | 0 | ....
[=] 35/0x23 | 00 00 00 00 | 0 | ....
[=] 36/0x24 | 00 00 00 00 | 0 | ....
[=] 37/0x25 | 00 00 00 00 | 0 | ....
[=] 38/0x26 | 00 00 00 00 | 0 | ....
[=] 39/0x27 | 00 00 00 00 | 0 | ....
[=] 40/0x28 | 00 00 00 00 | 0 | ....
[=] 41/0x29 | 00 00 00 00 | 0 | ....
[=] 42/0x2A | 30 00 00 00 | 0 | 0...
[=] 43/0x2B | 00 00 00 00 | 0 | ....
[=] ---------------------------------
Datasheets (especially NXP ones) are well written, and a surprising source of knowledge on the product they are related to!
So carefully reading the Mifare Ultralight C one may lead you to find this:
"The memory pages holding the authentication key can never be read, independent of the
configuration." just below table 11.
It should be crystal clear then that your plan of recovering the keys this way is somehow.... compromised.
Regards.

[=] --- Tag Counter
[=] [02]: 00 00 00
[+] - 00 tearing ( fail )
[!!] ? Error: tag didn't answer to READ SIGNATURE
And when doing a dump I could see that the MFU dump file information is zero:
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 04 04 02 01 00 0F 03
[=] TBD 0....... 00 00
[=] TBD 1....... 00
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0... 00 00 00
[=] Tearing 0... 00
[=] Counter 1... 00 00 00
[=] Tearing 1... 00
[=] Counter 2... 00 00 00
[=] Tearing 2... 00
[=] Max data page... 43 ( 176 bytes )
[=] Header size..... 56 bytes
I tried with a proxmark3 rev1 and a proxmark easy, and in both cases I get the same issues.
Has anyone had similar complications?
Thanks!!

-- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight C (MF0ULC)
[+] UID: 04 XX XX XX XX XX 80
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: BE ( ok )
[+] BCC1: 9A ( ok )
[+] Internal: 48 ( default )
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
--- UL-C Configuration
Higher Lockbits [40/0x28]: 00 00 00 00 - 0000000000000000
Counter [41/0x29]: 00 00 00 00 - 0000000000000000
Auth0 [42/0x2A]: 03 00 00 00 page 3/0x03 and above need authentication
Auth1 [43/0x2B]: 01 00 00 00 write access restricted
[=] Trying some default 3des keys
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[#] Cmd Error: 00
[#] Authentication failed
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ CLIENT ]
Iceman/master/v4.15864-198-g72455389d 2023-01-10 22:05:41 3eecd9ccc
compiled with............. GCC 10.2.1 20210110
platform.................. Linux / x86_64
Readline support.......... present
QT GUI support............ present
native BT support......... present
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ PROXMARK3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: Iceman/master/v4.15864-198-g72455389d 2023-01-10 22:08:07 3eecd9ccc
os: Iceman/master/v4.15864-198-g72455389d 2023-01-10 22:09:31 3eecd9ccc
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]
[ FPGA ]
LF image 2s30vq100 2022-03-23 17:21:05
HF image 2s30vq100 2022-03-23 17:21:16
HF FeliCa image 2s30vq100 2022-03-23 17:21:27
HF 15 image 2s30vq100 2022-03-23 17:21:38
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 59% used )
Depends on your magic UL card... Some don't set those values.
I'm having some issues with simulating a Mifare Ultralight EV1 card on a Proxmark 3 RDV4. Below are the steps I've completed thus far:
I have successfully performed a sniff on the communication between an Ultralight card and a reader to obtain the 4 byte auth key for an EV1 card. I have then performed a dump operation via `hf mfu dump -k` to dump the card contents to a bin file. After performing this I used the lua script "data_mfu_bin2eml.lua" to convert the bin file to an associated eml file.
Once this was done I utilised the directive `mfu eload -ul -f <dumpEMLfile>` to load the dump into the simulator memory and then began executing the simulation via `hf mfu sim -t 2 --uid <UID>`. However, this failed when I presented the Proxmark against the reader.
My assumption with the failure is down to the fact that there was no option to specify the authentication key in the simulator and I can't find an option to do this with the Ultralight cli commands. As a last ditch effort I tried loading up the emulator via `hf mf eload -ul -f <dumpBIN>` as I figured that the bin file might contain the authentication key, but I was still having no luck during simulation.
Is there a way to specify authentication keys for MFU EV1 simulation or am I doing something fundamentally wrong here?
James.

So, just in case someone has the same issue: as Carl said, the magnet is necessary to activate the reader. I wrote the UID into a mifare ultralight card and using the magnet it works... Something new learned.
Thank you.