Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-10-10 17:21:58

miaoski
Contributor
Registered: 2016-09-20
Posts: 7

Simulate Ultralight EV1

Hi.
I've read through the posts, but I'm still quite confused on how to simulate an ultralight EV1.
I stay in a hotel where the card reads like,

proxmark3> hf mfu info

--- Tag Information ---------          
-------------------------------------------------------------          
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)          
       UID : 04 d9 19 f2 1c 50 80            
    UID[0] : 04, NXP Semiconductors Germany          
      BCC0 : 4C, Ok          
      BCC1 : 3E, Ok          
  Internal : 48, default          
      Lock : 00 00  - 0000000000000000          
OneTimePad : 79 03 59 1e  - 00011110010110010000001101111001
          
--- Tag Counters          
       [0] : 00 00 00           
                    - BD tearing Ok          
       [1] : 00 00 00           
                    - BD tearing Ok          
       [2] : 00 00 00           
                    - BD tearing Ok          

--- Tag Signature          
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61          
    Elliptic curve parameters : secp128r1          
            Tag ECC Signature : 9f a3 3e e6 be d6 74 2a 3a 9c b2 1d 11 65 36 29 be e8 42 0f 37 2e e1 0f 3f bd 4c ff 86 25 c9 cb           

--- Tag Version          
       Raw bytes : 00 04 03 01 01 00 0b 03           
       Vendor ID : 04, NXP Semiconductors Germany          
    Product type : 03, Ultralight          
 Product subtype : 01, 17 pF          
   Major version : 01          
   Minor version : 00          
            Size : 0B, (64 <-> 32 bytes)          
   Protocol type : 03          

--- Tag Configuration          
  cfg0 [16/0x10] : 00 00 00 ff           
                    - pages don't need authentication          
                    - strong modulation mode disabled          
  cfg1 [17/0x11] : 00 05 00 00           
                    - Unlimited password attempts          
                    - user configuration writeable          
                    - write access is protected with password          
                    - 05, Virtual Card Type Identifier is  default          
  PWD  [18/0x12] : 00 00 00 00 - (cannot be read)          
  PACK [19/0x13] : 00 00       - (cannot be read)          
  RFU  [19/0x13] :       00 00 - (cannot be read)          

--- Known EV1/NTAG passwords.          
Found a default password: ff ff ff ff  || Pack: 00 00          

So it's a default password.

proxmark3> hf 14a raw -s -c 60
received 7 octets          
04 D9 19 F2 1C 50 80           
received 10 octets          
00 04 03 01 01 00 0B 03 FD F7           
proxmark3> hf 14a raw -s -c 3a040f
received 7 octets          
04 D9 19 F2 1C 50 80           
received 50 octets          
30 E9 43 D0 71 D7 CF 4E AD D7 46 62 02 7E FB C6 12 02 2E 30 D6 EA E8 AB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 F3           
proxmark3> hf 14a raw -p -s -c 1bffffffff
received 7 octets          
04 D9 19 F2 1C 50 80           
received 4 octets          
00 00 A0 1E           

When I simulated it with hf 14a sim 2 04d919f21c5080, the door lock rejected it.  What command should I try?

Thanks!

Offline

#2 2016-10-10 17:30:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,530
Website

Re: Simulate Ultralight EV1

Well, first you need to dump your tag.
then you need to load the new dump on to pm3.
then you start the sim...
However I'm not sure the "UL-Ev1" type is availble for sim..

these commands below will show you the help text, so you understand the commands.

hf mfu info
hf mfu dump h
hf mfu eload h
hf mfu sim h

Offline

#3 2016-10-10 17:50:20

miaoski
Contributor
Registered: 2016-09-20
Posts: 7

Re: Simulate Ultralight EV1

Hi Iceman,
Thanks as always!  There's no hf mfu eload (I git pull'ed the latest master branch), and hf mfu dump failed.

proxmark3> hf mfu dump k ffffffff
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)          
Reading tag memory...          
#db# Pages 20          
#db# Pages read 20          

Block#  | Data        |lck| Ascii          
---------------------------------          
---------------------------------          
Dumped 0 pages, wrote 0 bytes to 00000000000000.bin    

Shall I probably checkout the unstable branch?  Thanks again!

Offline

#4 2016-10-10 18:02:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,530
Website

Re: Simulate Ultralight EV1

you should check out the iceman fork  smile  https://github.com/iceman1001/proxmark3

You'll need to flash bootrom/fullimage when switching to my fork.

Offline

#5 2017-12-01 17:41:17

bogito
Contributor
Registered: 2017-10-18
Posts: 52

Re: Simulate Ultralight EV1

Has anyone managed to simulate an EV1 tag?

I have created a full dump of the tag with the correct key but then I can't even load the dump into the emulator memory.

pm3 --> script run dumptoemul-mfu -i ../tag1.bin -o ../tag1.eml
--- Executing: dumptoemul-mfu.lua, args '-i ../tag1.bin -o ../tag1.eml'
Wrote an emulator-dump to the file ../tag1.eml

-----Finished
pm3 --> hf mfu eload u ../tag1
.....................................................
File content error. Got 53 must be 255 blocks.

Offline

#6 2017-12-02 09:07:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,530
Website

Re: Simulate Ultralight EV1

...there are some threads about this but in short as the message says, must be 255 blocks , you need to pad the rest of your dump eml file with empty blocks until you have 255 of them.    Or change in the source code and recompile it.

Offline

#7 2017-12-02 14:30:05

bogito
Contributor
Registered: 2017-10-18
Posts: 52

Re: Simulate Ultralight EV1

You are right, that makes sense. Sorry for that. In order to make up for this, I added an extra option in the dumptoemul-mfu script to enable padding with zeros. Maybe it will help someone. I will make a pull req.
Thanks man! smile

Offline

#8 2017-12-02 17:19:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,530
Website

Re: Simulate Ultralight EV1

Thanks for the PR!    I don't think an extra parameter is the best way to go.  Make one that just automatically pad the file if its too small and print a message about it.   That will be user-friendly.

Offline

#9 2017-12-03 15:26:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,530
Website

Re: Simulate Ultralight EV1

A different solution.
https://github.com/iceman1001/proxmark3 … 7d171920fd

The message earlier made users belive something was wrong but the existing blocks actually always got loaded.
The message can in the end as a notification that we didn't load enough blocks,  but for ultralight / ntag we don't know how many is the good blocks to load.

Offline

#10 2018-03-21 20:34:21

miat
Contributor
Registered: 2017-02-22
Posts: 5

Re: Simulate Ultralight EV1

bogito wrote:

Has anyone managed to simulate an EV1 tag?

works with current iceman build...

Offline

#11 2018-03-21 20:42:06

edo512
Contributor
Registered: 2008-10-07
Posts: 103

Re: Simulate Ultralight EV1

EV1 sim works great with current iceman build for me as well. But this will depend a lot on what commands the reader is sending to the tag. As long as it only reads the contents of the tag memory, you should be fine, but I'm not sure about more advanced functions.

Offline

#12 2018-11-05 20:49:20

neoprema
Contributor
Registered: 2017-01-10
Posts: 14

Re: Simulate Ultralight EV1

I'm trying to do this for a hotel keycard as well. but I get this error:
     
pm3 --> hf mfu eload /tmp/tag1
[!] File content error. Block data must include 32 HEX symbols         
pm3 --> hf mfu eload u /tmp/tag1
..UART:: write time-out
sending bytes to proxmark failed         
.UART:: write time-out
sending bytes to proxmark failed         
.............................
         
[-] Warning, Ultralight/Ntag file content, Loaded 32 blocks into emulator memory     

My details are:
[ CLIENT ]         
client: iceman build for RDV40 with flashmem; smartcard; 
         
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-599-gfb31d6d3 2018-02-19 12:23:25
      os: iceman/master/ice_v3.1.0-599-gfb31d6d3 2018-02-19 12:23:29
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16


The card i'm trying to clone:
--- Tag Information ---------         
-------------------------------------------------------------         
      TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)         
       UID : 04 24 11 A1 CA 48 82           
    UID[0] : 04, NXP Semiconductors Germany         
      BCC0 : B7, Ok         
      BCC1 : A1, Ok         
  Internal : 48, default         
      Lock : 00 00  - 00         
OneTimePad : EE 01 B4 0E  - 29114
         
--- Tag Counters         
       [0] : 00 00 00           
                    - BD tearing Ok         
       [1] : 00 00 00           
                    - BD tearing Ok         
       [2] : 00 00 00           
                    - BD tearing Ok         

--- Tag Signature         
IC signature public key name  : NXP NTAG21x (2013)         
IC signature public key value : 09 49 4E 2A 38 6D 3D 3C FE 3D 11 0E 5D E8 8A 49 9B 1C 20 2D B5 B1 32 39 3E 89 ED 19 FE 5B E8 BC 61           
    Elliptic curve parameters : secp128r1         
            Tag ECC Signature : 61 13 DE B9 1D AA 68 EB 1A 54 BF 21 CC 63 FF 68 EF 76 51 78 BF 31 3B 4F 03 AB 21 99 21 E2 4D 5D           

--- Tag Version         
       Raw bytes : 00 04 03 01 01 00 0B 03           
       Vendor ID : 04, NXP Semiconductors Germany         
    Product type : 03, Ultralight         
Product subtype : 01, 17 pF         
   Major version : 01         
   Minor version : 00         
            Size : 0B, (64 <-> 32 bytes)         
   Protocol type : 03 (ISO14443-3 Compliant)         

--- Tag Configuration         
  cfg0 [16/0x10] : 00 00 00 FF           
                    - strong modulation mode disabled         
                    - pages don't need authentication         
  cfg1 [17/0x11] : 00 05 00 00           
                    - Unlimited password attempts         
                    - NFC counter disabled         
                    - NFC counter password protection enabled         
                    - user configuration writeable         
                    - write access is protected with password         
                    - 05, Virtual Card Type Identifier is  default         
  PWD  [18/0x12] : 00 00 00 00 - (cannot be read)         
  PACK [19/0x13] : 00 00       - (cannot be read)         
  RFU  [19/0x13] :       00 00 - (cannot be read)         

--- Known EV1/NTAG passwords.         
Found a default password: FF FF FF FF  || Pack: 00 00

Also, is there a howto on modifying a card to work with another lock? I'm not sure how one can decide which room this key would open or not?

Offline

#13 2018-11-05 21:13:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,530
Website

Re: Simulate Ultralight EV1

...how did you dump the card?  share dump to verify that you have a correct dump

Offline

#14 2018-11-06 07:13:28

neoprema
Contributor
Registered: 2017-01-10
Posts: 14

Re: Simulate Ultralight EV1

Here is the .eml file:
root@osaka:~/Downloads/proxmark3/proxmark3/client# cat /tmp/tag1.eml

00040301
01000b03
0000bdbd
bd000000
6113deb9
1daa68eb
1a54bf21
cc63ff68
ef765178
bf313b4f
03ab2199
21e24d5d
04241fb7
a2ca4881
a1480000
ef09b40e
060a0021
00000000
000066f6
e7aa1ee4
f5af4ed4
e766c677
c3de66a6
99666659
66666666
66666666
66666600
5597b5aa
000000ff
00050000
ffffffff
00000000

Offline

#15 2018-11-06 07:15:37

neoprema
Contributor
Registered: 2017-01-10
Posts: 14

Re: Simulate Ultralight EV1

I dumped it with;
hf mfu dump k FFFFFFFF

and then

script run dumptoemul-mfu -i /tmp/tag1.bin -o /tmp/tag1.eml

Offline

Board footer

Powered by FluxBB