I tried other combinations, such as:
a genuine card with the same UID as the bricked card had before it was changed;
a genuine card with a UID consistent with the BCC in block 0 of the bricked card.
None of them worked.
I think it's really dead, but I'm relieved that their sacrifice wasn't in vain :-)
my magic card
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
UID : 11 22 33 44 55 66 77
UID[0] : 11, Emosyn-EM Microelectronics USA
BCC0 : 88, Ok
BCC1 : 00, Ok
Internal : 48, default
Lock : 00 00 - 00
OneTimePad : 00 00 00 00 - 0000
Error: tag didn't answer to READ magic
pm3 -->
my bricked card
pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'
----------------------------------------
----------------------------------------
new UID | 11223344556677
Using BRICKABLE Magic tag function
Card selected. UID[3]:
11 22 33
received 0 bytes:
received 0 bytes:
received 0 bytes:
received 0 bytes:
[+]Finished
pm3 -->
and cards together
pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'
----------------------------------------
----------------------------------------
new UID | 11223344556677
Using BRICKABLE Magic tag function
#db# Multiple tags detected. Collision after Bit 8
Card selected. UID[3]:
11 22 33
received 0 bytes:
received 0 bytes:
received 0 bytes:
received 0 bytes:
[+]Finished
pm3 -->
Anyway, the script can read the first block (so block 0)... but only the first three bytes (so uid1, uid2, uid3, here 04 62 39), and it stops at the fourth byte (so the BCC0, which is a wrong BCC).
And there is no need to put a genuine normal tag with it: with or without a normal tag the output is the same (except for "Multiple tags detected. Collision after Bit xx"), example:
pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'
----------------------------------------
----------------------------------------
new UID | 11223344556677
Using BRICKABLE Magic tag function
#db# Multiple tags detected. Collision after Bit 10
Card selected. UID[3]:
04 62 39
received 0 bytes:
received 0 bytes:
received 0 bytes:
received 0 bytes:
[+]Finished
pm3 -->
it works :-)
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
UID : 04 BE 5B 5A F4 45 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 69, Ok
BCC1 : 6B, Ok
Internal : 48, default
Lock : 00 00 - 00
OneTimePad : 12 34 56 78 - 158120
Error: tag didn't answer to READ magic
pm3 -->
pm3 --> script run ul_uid.lua -b -u 11223344556677
[+]Executing: ul_uid.lua, args '-b -u 11223344556677'
----------------------------------------
----------------------------------------
new UID | 11223344556677
Using BRICKABLE Magic tag function
Card selected. UID[7]:
04 BE 5B 5A F4 45 80
received 1 bytes:
0A
received 1 bytes:
0A
received 1 bytes:
0A
received 0 bytes:
[+]Finished
pm3 -->
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
UID : 11 22 33 44 55 66 77
UID[0] : 11, Emosyn-EM Microelectronics USA
BCC0 : 88, Ok
BCC1 : 00, Ok
Internal : 48, default
Lock : 00 00 - 00
OneTimePad : 12 34 56 78 - 158120
Error: tag didn't answer to READ magic
pm3 -->
I can now change my UID without bricking my card, it's nice.
So, I think this card is like gen2 for MIFARE Classic (or FUID, as some would say): no magic backdoor, bricks if the BCC is invalid, but not easily detectable as a clone by a reader.
Anyway, everything is working correctly now; with your latest script for the UID, no more bricked cards for me :-)
Thanks a lot, Iceman
I modified this script.
https://github.com/iceman1001/proxmark3 … ul_uid.lua
pm3 --> sc r ul_uid -h
[+]Executing: ul_uid.lua, args '-h'
----------------------------------------
----------------------------------------
Iceman
v1.0.0
This script tries to set UID on a mifare Ultralight magic card which either
- answers to chinese backdoor commands
- brickable magic tag (must write in one session)
Example usage
-- backdoor magic tag
script run ul_uid -u 11223344556677
-- brickable magic tag
script run ul_uid -b -u 11223344556677
[+]Finished
Current impl of hf mfu setuid uses three individual writes with anti-coll, selection.
I have understood.
I confirm: the PM3 writes block by block for Ultralight when it changes the UID, whatever command we use (hf mfu setuid, hf mfu restore ...).
Here is my output with the restore option:
pm3 --> hf mfu dump
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
Reading tag memory...
Authentication Failed UL-EV1/NTAG
*special* data
DataType | Data | Ascii
----------+-------------------------+---------
Version | 00 04 03 01 01 00 0B 03 | ........
TBD | 00 00 | ..
Tearing | BD BD BD | ...
Pack | 00 00 | ..
TBD | 00 | .
Signature1| 16 06 C3 1F B1 FD C1 78 BF 5D 7C E5 5D EE EB EB | .......x.]|.]...
Signature2| 41 0A B5 45 D5 30 5A A6 2C 7A 42 39 98 E3 62 63 | A..E.0Z.,zB9..bc
-------------------------------------------------------------
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 04 D5 D2 8B | | ....
1/0x01 | 5A 57 58 80 | | ZWX.
2/0x02 | D5 48 00 00 | | .H..
3/0x03 | 12 34 56 78 | 0 | .4Vx
4/0x04 | 12 34 56 78 | 0 | .4Vx
5/0x05 | 12 34 56 78 | 0 | .4Vx
6/0x06 | 12 34 56 78 | 0 | .4Vx
7/0x07 | 12 34 56 78 | 0 | .4Vx
8/0x08 | 12 34 56 78 | 0 | .4Vx
9/0x09 | 12 34 56 78 | 0 | .4Vx
10/0x0A | 12 34 56 78 | 0 | .4Vx
11/0x0B | 12 34 56 78 | 0 | .4Vx
12/0x0C | 12 34 56 78 | 0 | .4Vx
13/0x0D | 12 34 56 78 | 0 | .4Vx
14/0x0E | 12 34 56 78 | 0 | .4Vx
15/0x0F | 12 34 56 78 | 0 | .4Vx
16/0x10 | 12 34 56 78 | 0 | .4Vx
17/0x11 | 12 34 56 78 | 0 | .4Vx
18/0x12 | 00 00 00 00 | 0 | ....
19/0x13 | 00 00 00 00 | 0 | ....
---------------------------------
Dumped 32 pages, wrote 128 bytes to 04D5D25A575880.bin
pm3 -->
change the card for dump
pm3 --> hf mfu info
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
UID : 04 15 91 BA 51 42 11
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 08, Ok
BCC1 : B8, Ok
Internal : 48, default
Lock : 00 00 - 00
OneTimePad : 00 00 00 00 - 0000
Error: tag didn't answer to READ magic
pm3 -->
----- restore bin data -----
pm3 --> hf mfu restore s r f 04D5D25A575880.bin
Restoring 04D5D25A575880.bin to card
*special* data
DataType | Data | Ascii
----------+-------------------------+---------
Version | 00 04 03 01 01 00 0B 03 | ........
TBD | 00 00 | ..
Tearing | BD BD BD | ...
Pack | 00 00 | ..
TBD | 00 | .
Signature1| 16 06 C3 1F B1 FD C1 78 BF 5D 7C E5 5D EE EB EB | .......x.]|.]...
Signature2| 41 0A B5 45 D5 30 5A A6 2C 7A 42 39 98 E3 62 63 | A..E.0Z.,zB9..bc
-------------------------------------------------------------
Block# | Data |lck| Ascii
---------+-------------+---+------
0/0x00 | 04 D5 D2 8B | | ....
1/0x01 | 5A 57 58 80 | | ZWX.
2/0x02 | D5 48 00 00 | | .H..
3/0x03 | 12 34 56 78 | 0 | .4Vx
4/0x04 | 12 34 56 78 | 0 | .4Vx
5/0x05 | 12 34 56 78 | 0 | .4Vx
6/0x06 | 12 34 56 78 | 0 | .4Vx
7/0x07 | 12 34 56 78 | 0 | .4Vx
8/0x08 | 12 34 56 78 | 0 | .4Vx
9/0x09 | 12 34 56 78 | 0 | .4Vx
10/0x0A | 12 34 56 78 | 0 | .4Vx
11/0x0B | 12 34 56 78 | 0 | .4Vx
12/0x0C | 12 34 56 78 | 0 | .4Vx
13/0x0D | 12 34 56 78 | 0 | .4Vx
14/0x0E | 12 34 56 78 | 0 | .4Vx
15/0x0F | 12 34 56 78 | 0 | .4Vx
16/0x10 | 12 34 56 78 | 0 | .4Vx
17/0x11 | 12 34 56 78 | 0 | .4Vx
18/0x12 | 00 00 00 00 | 0 | ....
19/0x13 | 00 00 00 00 | 0 | ....
---------------------------------
Restoring data blocks.
...........
Restoring configuration blocks.
authentication with keytype[0] 00 00 00 00
special block written 3 - 12 34 56 78
special block written 0 - 04 D5 D2 8B
special block written 1 - 5A 57 58 80
#db# Can't select card
failed to write block 2
special block written 2 - D5 48 00 00
#db# Can't select card
failed to write block 15
special block written 15 - 12 34 56 78
#db# Can't select card
failed to write block 16
special block written 16 - 12 34 56 78
#db# Can't select card
failed to write block 17
special block written 17 - 12 34 56 78
pm3 -->
... card is bricked ...
:-(
And if the card is not protected against a bad ISO UID, the card is bricked.
The card is bricked because block 1 is written (it contains the second part of the UID), but block 2 (where we find BCC1) is not consistent with block 1.
And the ISO UID rule for the first part is:
SN0+SN1+SN2+CT = BCC0
Here we have all the data in block 0, so no problem: we can't brick the card if we put the correct BCC0.
But for the second part of the UID...
SN3+SN4+SN5+SN6=BCC1
and the second part of the UID is in block 1
and BCC1 is in block 2
so if we change the second part of the UID (in block 1) and don't change block 2 for BCC1 at the same time, it's bricked.
In conclusion, we have 2 kinds of card:
- non-brickable cards, like this one: https://lab401.com/collections/rfid-badges/products/ultralight-uid-modifiable#full_description
(it says "Impossible to block / brick")
- and brickable cards, like mine, where if you put a bad BCC0 or BCC1 you brick the card
(we can find the BCC value with "BCC Calculator" for Android)
The only app I found to change the UID on my UID-changeable card is "MIFARE++ UltraLight" on Android; no other app works, not even the PM3.
Even if I don't know how it does it, MIFARE++ surely writes blocks 0, 1 and 2 in one go.
Too bad the PM3 doesn't do it :-(
So maybe in a future update? With a recalculation of the BCC on the fly?
My issue is OK, I can close this thread.
Thanks a lot for helping me.
See you :-)
David
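The BCC arithmetic from the post above, as an added example (not part of the thread and not Proxmark3 code): the "+" in the formulas is a bytewise XOR and CT is the cascade tag 0x88, which reproduces every BCC value in the dumps on this page. Function names are hypothetical; the 0x48 internal byte and zero lock bytes are assumptions taken from those dumps, and `BLANK` is reconstructed from the `hf mfu info` output shown before the restore.

```python
"""BCC consistency check for pages 0-2 of a 7-byte-UID MIFARE Ultralight."""
from functools import reduce

CT = 0x88  # cascade tag defined by ISO/IEC 14443-3


def bcc(data: bytes) -> int:
    """XOR of all bytes; this is the 'sum' in the BCC formulas."""
    return reduce(lambda a, b: a ^ b, data, 0)


def uid_pages(uid: bytes, internal: int = 0x48, lock: bytes = b"\x00\x00") -> list:
    """Build pages 0-2 for a 7-byte UID with both check bytes recomputed."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    bcc0 = bcc(bytes([CT]) + uid[:3])   # covers CT, SN0, SN1, SN2
    bcc1 = bcc(uid[3:])                 # covers SN3..SN6
    return [uid[:3] + bytes([bcc0]), uid[3:], bytes([bcc1, internal]) + lock]


def check_pages(pages) -> tuple:
    """Return (bcc0_ok, bcc1_ok) for pages 0-2 as read from a dump."""
    p0, p1, p2 = pages[:3]
    return bcc(bytes([CT]) + p0[:3]) == p0[3], bcc(p1) == p2[0]


def write_trace(old, new, order=(0, 1, 2)) -> list:
    """Model one-page-at-a-time writes; list the BCC state after each write."""
    mem = list(old[:3])
    states = []
    for n in order:
        mem[n] = new[n]
        states.append((n,) + check_pages(mem))
    return states


# Card before the restore (reconstructed from its hf mfu info output)
BLANK = [bytes.fromhex(p) for p in ("04159108", "BA514211", "B8480000")]
# Pages 0-2 of the dump that was restored onto it
DUMP = [bytes.fromhex(p) for p in ("04D5D28B", "5A575880", "D5480000")]

if __name__ == "__main__":
    print(check_pages(BLANK), check_pages(DUMP))
    for order in ((0, 1, 2), (0, 2, 1)):
        for page, ok0, ok1 in write_trace(BLANK, DUMP, order):
            print(f"order {order}: after page {page}: BCC0 ok={ok0}, BCC1 ok={ok1}")
    print([p.hex() for p in uid_pages(bytes.fromhex("041591BA3B9B22"))])
```

Page 0 carries its own check byte, so it is always self-consistent, but either single-page order leaves page 1 and BCC1 disagreeing for one step unless the old and new BCC1 happen to be equal.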
I found this thread :
http://www.proxmark.org/forum/viewtopic.php?id=2946
So, like Danz, I tried to write block by block with a true UID, but unfortunately ... I bricked one card (again) :-(
pm3 --> hf mfu wrbl b 0 d 04BE5B69
Special Block: 0 (0x00) [ 04 BE 5B 69 ]
isOk:01
pm3 --> hf mfu wrbl b 1 d 5AF44580
Special Block: 1 (0x01) [ 5A F4 45 80 ]
isOk:01
pm3 --> hf mfu wrbl b 2 d 6B48FFFF
iso14443a card select failed
pm3 --> hf mfu info
iso14443a card select failed
pm3 -->
I think the card was bricked after the second block.
Is it really impossible to change the UID?
I'm back after a little break on my Chinese Ultralight C.
My dealer didn't succeed in providing a key... :-( so I have to deal with it.
I have a question about the UID with the Proxmark: I don't know why, but each time I try to change the UID (with "hf mfu setuid 11223344556677"), I brick my card.
After some research, I learnt that BCC0 and BCC1 must be recalculated to avoid bricking the card.
So I concluded that the PM3 doesn't recalculate the right BCC, is that true?
If that's the case, then why the "hf mfu setuid" command?
And above all, do you know how I can recalculate BCC0 and BCC1?
For example, if I want to change UID 04 15 91 BA 3B 9B 11 to 04 15 91 BA 3B 9B 22, how can I get the right value for the BCC?
Thanks
Here is my card's UID:
pm3 --> hf mfu dump
0/0x00 | 04 15 91 08
1/0x01 | BA 3B 9B 11
2/0x02 | 0B 48 00 00
...
pm3 --> hf mfu info
UID : 04 15 91 BA 3B 9B 11
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 08, Ok
BCC1 : 0B, Ok
Internal : 48, default
...
example :
pm3 --> hf mfu info k 49454D4B41455242214E4143554F5946
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Cmd Error: 00
#db# Authentication failed
Authentication Failed UL-C
OK, so because it's a UL-C we need the key; I will ask my dealer.
 66816 | 71584 | Rdr |1a 00 41 76 | ok | AUTH
86580 | 99316 | Tag |af 37 d0 db 29 21 a2 a4 e7 a4 95
As seen in your tag-it, the Auth is set from block 18, meaning you need a successful authentication in order to read all those blocks.
The PM3 drops, and doesn't read the rest. The function could be improved.
So, ask where you bought it from for the correct key, in order to unlock it.
You can try these keys as well:
https://github.com/iceman1001/proxmark3 … fmfu.c#L36
hf mfu info k ...16 bytes..
For hf mfu info k ffffffffffffffff, the PM3 told me the key has an incorrect length.
I tried with ffffffff and 00112233445566778899AABBCCDDEEFF, but no success; it's the first code block.
For UL-C authentication, it's the second code block,
and for the "Fudan UL-C clone" the third code block.
I tried a "hf mfu cauth" command (because with another official Ultralight C I have a result), but here it's not the case.
pm3 --> hf mfu cauth
#db# Cmd Error: 00
#db# Authentication failed
Authentication failed
pm3 -->
I took some screenshots on my Android (NXP TagInfo and NFC TagInfo); the card is recognized as Ultralight C (MF0ICU2). I put the files here:
http://lufia.konyxia.com/screenshot/
We can see it's OK up to block 24, but not after.
I will do more tests this evening with an ACR122U reader and let you know, but as of now I really wonder what kind of Ultralight this is...
pm3 --> hf mfu info k ffffffffffffffff
[!] ERROR: Key is incorrect length
It gathers information about the tag and tries to detect what kind it is.
Sometimes the tags are locked down, and you may need a key to be able to read the information
The following tags can be identified:
Ultralight, Ultralight-C, Ultralight EV1, NTAG 203, NTAG 210,
NTAG 212, NTAG 213, NTAG 215, NTAG 216, NTAG I2C 1K & 2K
my-d, my-d NFC, my-d move, my-d move NFC
Usage: hf mfu info k <key> l
Options :
k <key> : (optional) key for authentication [UL-C 16bytes, EV1/NTAG 4bytes]
l : (optional) swap entered key's endianness
Examples:
hf mfu info
hf mfu info k 00112233445566778899AABBCCDDEEFF
hf mfu info k AABBCCDDD
pm3 -->
pm3 -->
pm3 --> hf mfu info k ffffffff
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Cmd Error: 00
#db# Authentication failed
Authentication Failed UL-C
pm3 -->
pm3 -->
pm3 --> hf mfu info k 00112233445566778899AABBCCDDEEFF
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC) <magic>
#db# Cmd Error: 00
#db# Authentication failed
Authentication Failed UL-C
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 232 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 15 91 08 | |
19072 | 29536 | Rdr |93 70 88 04 15 91 08 e0 4b | ok | SELECT_UID
30772 | 34292 | Tag |04 da 17 | |
35584 | 38048 | Rdr |95 20 | | ANTICOLL-2
39220 | 45044 | Tag |ba 45 03 11 ed | |
47616 | 58080 | Rdr |95 70 ba 45 03 11 ed 5b b4 | ok | ANTICOLL-2
59316 | 62900 | Tag |00 fe 51 | |
66816 | 71584 | Rdr |1a 00 41 76 | ok | AUTH
86580 | 99316 | Tag |af 37 d0 db 29 21 a2 a4 e7 a4 95 | ok |
627840 | 649888 | Rdr |af 77 86 cf d4 85 d2 f0 48 07 3a 3c df 87 3c b2 b6 fc | |
| | |e6 | ok | AUTH_ANSW
699444 | 700084 | Tag |00! | |
734720 | 738272 | Rdr |c2 e0 b4 | ok | RESTORE(224)
741760 | 746528 | Rdr |50 00 57 cd | ok | HALT
pm3 -->
pm3 --> hf 14a raw -s -3 1a00
Card selected. UID[7]:
04 15 91 BA 45 03 11
received 11 bytes:
AF 3B B9 C4 DD 59 A0 BA 76 3D F5
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 165 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 15 91 08 | |
56960 | 67424 | Rdr |93 70 88 04 15 91 08 e0 4b | ok | SELECT_UID
68660 | 72180 | Tag |04 da 17 | |
73472 | 75936 | Rdr |95 20 | | ANTICOLL-2
77108 | 82932 | Tag |ba 45 03 11 ed | |
85504 | 95968 | Rdr |95 70 ba 45 03 11 ed 5b b4 | ok | ANTICOLL-2
97204 | 100788 | Tag |00 fe 51 | |
112768 | 115168 | Rdr |1a 00 | | AUTH
130228 | 142964 | Tag |af 3b b9 c4 dd 59 a0 ba 76 3d f5 | !crc|
pm3 -->
pm3 --> hf 14a raw -s -3 -c a00
Card selected. UID[7]:
04 15 91 BA 45 03 11
received 0 bytes:
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 145 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 15 91 08 | |
56960 | 67424 | Rdr |93 70 88 04 15 91 08 e0 4b | ok | SELECT_UID
68660 | 72180 | Tag |04 da 17 | |
73472 | 75936 | Rdr |95 20 | | ANTICOLL-2
77108 | 82932 | Tag |ba 45 03 11 ed | |
85504 | 95968 | Rdr |95 70 ba 45 03 11 ed 5b b4 | ok | ANTICOLL-2
97204 | 100788 | Tag |00 fe 51 | |
114304 | 117920 | Rdr |a0 f4 f4 | ok | WRITEBLOCK(244)
pm3 -->
------
pm3 --> hf 14a raw -s -3 -c 30
Card selected. UID[7]:
04 15 91 BA 45 03 11
received 0 bytes:
pm3 -->
pm3 -->
pm3 --> hf list 14a
Recorded Activity (TraceLen = 145 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 15 91 08 | |
56960 | 67424 | Rdr |93 70 88 04 15 91 08 e0 4b | ok | SELECT_UID
68660 | 72180 | Tag |04 da 17 | |
73472 | 75936 | Rdr |95 20 | | ANTICOLL-2
77108 | 82932 | Tag |ba 45 03 11 ed | |
85504 | 95968 | Rdr |95 70 ba 45 03 11 ed 5b b4 | ok | ANTICOLL-2
97204 | 100788 | Tag |00 fe 51 | |
112896 | 116448 | Rdr |30 7d 60 | ok | READBLOCK(125)
pm3 -->
Let's try with some default key.
hf mfu info k ffffffffffffffff
hf list 14a
And try to get the output from a UL-C authentication command..
hf 14a raw -s -3 1a00
hf list 14a
Fudan UL-C clone?
hf 14a raw -s -3 -c a00
hf list 14a
hf 14a raw -s -3 -c 30
hf list 14a