Alright, back and armed with an NTAG card courtesy of KSEC and I’ve been doing testing all day to see if we can make this a reality. First, info from the original form entry card:
```
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 A5 1F 62 7D 59 84
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 36 (ok)
[+] BCC1: C2 (ok)
[+] Internal: 48 (default)
[+] Lock: 08 00 - 80
[+] OneTimePad: DF 0D 05 12 - 21518
[=] --- Tag Counters
[=] [0]: 00 00 00
[+] - BD tearing (ok)
[=] [1]: 00 00 00
[+] - BD tearing (ok)
[=] [2]: 00 00 00
[+] - BD tearing (ok)
[=] --- Tag Signature
[=] IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: A04A6EB081096861A93F5A363F715C47C53387689D9E13EC2CD97D4C32098C9E
[+] Signature verification: successful
[=] --- Tag Version
[=] Raw bytes: 00 04 03 01 01 00 0B 03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: 03, Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0B, (64 <-> 32 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
```
Next, the closest I’ve been able to get my NTAG to look after messing around with the `script run hf_mfu_magicwrite` command:
```
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 A5 1F 62 7D 59 84
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 36 (ok)
[+] BCC1: C2 (ok)
[+] Internal: 00 (not default)
[+] Lock: 00 00 - 00
[+] OneTimePad: DF 0D 05 12 - 21518
[=] --- Tag Counters
[=] [0]: FF FF FF
[+] - 00 tearing (failure)
[=] [1]: FF FF FF
[+] - 00 tearing (failure)
[=] [2]: FF FF FF
[+] - 00 tearing (failure)
[=] --- Tag Signature
[=] IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: A04A6EB081096861A93F5A363F715C47C53387689D9E13EC2CD97D4C32098C9E
[+] Signature verification: successful
[=] --- Tag Version
[=] Raw bytes: 00 04 03 01 01 00 0B 03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: 03, Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0B, (64 <-> 32 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
[=] --- Tag Configuration
[=] cfg0 [16/0x10]: 00 00 00 FF
[=] - strong modulation mode disabled
[=] - pages don't need authentication
[=] cfg1 [17/0x11]: 00 05 00 00
[=] - Unlimited password attempts
[=] - NFC counter disabled
[=] - NFC counter not protected
[=] - user configuration writeable
[=] - write access is protected with password
[=] - 05, Virtual Card Type Identifier is default
[=] PWD [18/0x12]: FF FF FF FF - (cannot be read)
[=] PACK [19/0x13]: FF FF - (cannot be read)
[=] RFU [19/0x13]: FF FF - (cannot be read)
[+] --- Known EV1/NTAG passwords
[+] Found a default password: FF FF FF FF || Pack: FF FF
```
I went down to my lobby after setting my NTAG card to read as an Ultralight 48 bytes (`script run hf_mfu_magicwrite -t 1`), but when they tried to write to it, the system said that it was “invalid card provider”. I’m wondering if this is what @amal was hinting at with the “administrative commands”, or perhaps it’s just recognizing the NTAG as a magic card?
I also did a sniff between my door reader and my original entry card and got the following:
```
[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 385
[usb] pm3 --> trace list -t 14a
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 385 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52(7) | | WUPA
2244 | 4612 | Tag |44 00 | |
49536 | 52000 | Rdr |93 20 | | ANTICOLL
53188 | 59012 | Tag |88 04 a5 1f 36 | |
103808 | 114272 | Rdr |93 70 88 04 a5 1f 36 83 0f | ok | SELECT_UID
115524 | 119044 | Tag |04 da 17 | |
168064 | 170528 | Rdr |95 20 | | ANTICOLL-2
171716 | 177604 | Tag |62 7d 59 84 c2 | |
222464 | 232928 | Rdr |95 70 62 7d 59 84 c2 ef f6 | ok | SELECT_UID-2
234180 | 237764 | Tag |00 fe 51 | |
289264 | 293968 | Rdr |30 0f f5 50 | ok | READBLOCK(15)
295236 | 316100 | Tag |05 97 05 a7 04 a5 1f 36 62 7d 59 84 c2 48 08 00 ff e0 | ok |
357488 | 362192 | Rdr |30 04 26 ee | ok | READBLOCK(4)
363444 | 384244 | Tag |06 0a 00 21 00 00 00 00 00 00 2f bf ae ef d6 2c 42 27 | ok |
434800 | 439504 | Rdr |30 08 4a 24 | ok | READBLOCK(8)
440756 | 461620 | Tag |a7 a2 83 07 ae 2f 67 37 ef d5 ae 2f d0 2f 2f 2f 7f 13 | ok |
507248 | 512016 | Rdr |30 06 34 cd | ok | READBLOCK(6)
513204 | 534068 | Tag |00 00 2f bf ae ef d6 2c a7 a2 83 07 ae 2f 67 37 df 1a | ok |
584688 | 589456 | Rdr |30 0a 58 07 | ok | READBLOCK(10)
590644 | 611444 | Tag |ef d5 ae 2f d0 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f dd c6 | ok |
661984 | 666688 | Rdr |30 0e 7c 41 | ok | READBLOCK(14)
667956 | 688756 | Tag |2f 2f 2f 00 05 97 05 a7 04 a5 1f 36 62 7d 59 84 cf 39 | ok |
[usb] pm3 -->
```
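To make sense of what the door reader actually did in that sniff, here is a small decoder for the ISO14443-3 frames it contains. This is an added example written for this thread, not code from the post or from the Proxmark3 project; the `TRACE` list is the post's own frames typed in as constructed sample input, and the `wrap` value of 16 is an assumption taken from the trace itself (READBLOCK(15) comes back as page 15 followed by pages 0, 1 and 2, so the readable area rolls over after page 15). It checks the BCC on the anticollision replies and the CRC_A on every CRC-bearing frame, reassembles the 7-byte UID from the two cascade levels, and rebuilds a page image from the plain READ responses, which shows that the reader never sent an authentication command and only read pages that the dump also returned without a password.

```python
"""Decode an ISO14443-3 exchange from a Proxmark3 'trace list -t 14a' listing."""

# Constructed sample input: the (src, hex bytes) frames from the sniff above,
# CRC bytes included where the reader/tag sent them.
TRACE = [
    ("Rdr", "52"),                      # WUPA (7-bit short frame, no CRC)
    ("Tag", "44 00"),                   # ATQA (no CRC)
    ("Rdr", "93 20"),                   # ANTICOLL cascade level 1
    ("Tag", "88 04 a5 1f 36"),          # CT + 3 UID bytes + BCC
    ("Rdr", "93 70 88 04 a5 1f 36 83 0f"),
    ("Tag", "04 da 17"),                # SAK 04: UID not complete yet
    ("Rdr", "95 20"),                   # ANTICOLL cascade level 2
    ("Tag", "62 7d 59 84 c2"),          # 4 UID bytes + BCC
    ("Rdr", "95 70 62 7d 59 84 c2 ef f6"),
    ("Tag", "00 fe 51"),                # SAK 00: UID complete, Ultralight family
    ("Rdr", "30 0f f5 50"),             # READ page 15
    ("Tag", "05 97 05 a7 04 a5 1f 36 62 7d 59 84 c2 48 08 00 ff e0"),
    ("Rdr", "30 04 26 ee"),
    ("Tag", "06 0a 00 21 00 00 00 00 00 00 2f bf ae ef d6 2c 42 27"),
    ("Rdr", "30 08 4a 24"),
    ("Tag", "a7 a2 83 07 ae 2f 67 37 ef d5 ae 2f d0 2f 2f 2f 7f 13"),
    ("Rdr", "30 06 34 cd"),
    ("Tag", "00 00 2f bf ae ef d6 2c a7 a2 83 07 ae 2f 67 37 df 1a"),
    ("Rdr", "30 0a 58 07"),
    ("Tag", "ef d5 ae 2f d0 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f dd c6"),
    ("Rdr", "30 0e 7c 41"),
    ("Tag", "2f 2f 2f 00 05 97 05 a7 04 a5 1f 36 62 7d 59 84 cf 39"),
]


def crc_a(data: bytes) -> bytes:
    """ISO14443-3 CRC_A: polynomial 0x8408 (reflected 0x1021), init 0x6363,
    transmitted least-significant byte first."""
    crc = 0x6363
    for byte in data:
        b = byte ^ (crc & 0xFF)
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def bcc(uid_part: bytes) -> int:
    """Anticollision check byte: XOR of the four bytes that precede it."""
    x = 0
    for b in uid_part:
        x ^= b
    return x


def decode_trace(trace, wrap=16):
    """Walk the frames in order. Returns the assembled UID, the SAK bytes,
    the pages recovered from READ replies (keyed by page number, READ
    rolling over to page 0 after page wrap-1) and any integrity failures."""
    uid, saks, pages, failures = bytearray(), [], {}, []
    last_cmd = b""
    for src, hexstr in trace:
        frame = bytes.fromhex(hexstr)
        if src == "Rdr":
            last_cmd = frame
            anticoll = frame[0] in (0x93, 0x95) and frame[1] == 0x20
            if frame[0] == 0x52 or anticoll:
                continue  # WUPA and ANTICOLL requests carry no CRC
            if crc_a(frame[:-2]) != frame[-2:]:
                failures.append(f"bad CRC_A on reader frame {hexstr}")
            continue
        cmd = last_cmd[0]
        if cmd == 0x52:
            continue  # ATQA carries no CRC
        if cmd in (0x93, 0x95) and last_cmd[1] == 0x20:
            if bcc(frame[:4]) != frame[4]:
                failures.append(f"bad BCC in anticollision reply {hexstr}")
            part = frame[:4]
            if part[0] == 0x88:  # cascade tag: only three real UID bytes here
                part = part[1:]
            uid += part
            continue
        if crc_a(frame[:-2]) != frame[-2:]:
            failures.append(f"bad CRC_A on tag frame {hexstr}")
            continue
        body = frame[:-2]
        if cmd in (0x93, 0x95):          # SELECT reply is the SAK
            saks.append(body[0])
        elif cmd == 0x30:                # READ reply: 4 pages of 4 bytes
            for i in range(4):
                page = (last_cmd[1] + i) % wrap
                data = body[4 * i:4 * i + 4]
                if page in pages and pages[page] != data:
                    failures.append(f"page {page} read twice with different data")
                pages[page] = data
    return {"uid": bytes(uid), "saks": saks, "pages": pages, "failures": failures}


if __name__ == "__main__":
    result = decode_trace(TRACE)
    print("UID:", result["uid"].hex(), "SAKs:", [f"{s:02x}" for s in result["saks"]])
    for page in sorted(result["pages"]):
        print(f"page {page:2d}: {result['pages'][page].hex(' ')}")
    print("failures:", result["failures"] or "none")
```

Run as a script it prints the UID `04a51f627d5984`, the SAK sequence `04` then `00`, pages 0 to 2 and 4 to 15 (page 3, the OTP page, is never requested), and no integrity failures. Comparing the page image against the `hf mfu dump` listing further down is a quick way to confirm that the two captures agree byte for byte.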
It should also be noted that when I try to do a `hf mfu dump`, I’m only able to get 16 of the blocks:
```
[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] Reading tag memory...
[#] Cmd Error: 00
[#] Read block 16 error
[!] Authentication Failed UL-EV1/NTAG
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 04 03 01 01 00 0B 03
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | A0 4A 6E B0 81 09 68 61 A9 3F 5A 36 3F 71 5C 47 C5 33 87 68 9D 9E 13 EC 2C D9 7D 4C 32 09 8C 9E
[=] Counter 0 | 00 00 00
[=] Tearing 0 | BD
[=] Counter 1 | 00 00 00
[=] Tearing 1 | BD
[=] Counter 2 | 00 00 00
[=] Tearing 2 | BD
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 A5 1F 36 | | ...6
[=] 1/0x01 | 62 7D 59 84 | | b}Y.
[=] 2/0x02 | C2 48 08 00 | | .H..
[=] 3/0x03 | DF 0D 05 12 | 1 | ....
[=] 4/0x04 | 06 0A 00 21 | 0 | ...!
[=] 5/0x05 | 00 00 00 00 | 0 | ....
[=] 6/0x06 | 00 00 2F BF | 0 | ../.
[=] 7/0x07 | AE EF D6 2C | 0 | ...,
[=] 8/0x08 | A7 A2 83 07 | 0 | ....
[=] 9/0x09 | AE 2F 67 37 | 0 | ./g7
[=] 10/0x0A | EF D5 AE 2F | 0 | .../
[=] 11/0x0B | D0 2F 2F 2F | 0 | .///
[=] 12/0x0C | 2F 2F 2F 2F | 0 | ////
[=] 13/0x0D | 2F 2F 2F 2F | 0 | ////
[=] 14/0x0E | 2F 2F 2F 00 | 0 | ///.
[=] 15/0x0F | 05 97 05 A7 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file hf-mfu-04A51F627D5984-dump-2.bin
[+] saved to json file hf-mfu-04A51F627D5984-dump-1.json
[!] Partial dump created. (16 of 20 blocks)
```
I’ve gathered that the original entry keycard has some password on it, but I’m unsure how to crack it. I’ve tried `hf mfu pwdgen` with both the selftest and UID flags:
```
[usb] pm3 --> hf mfu pwdgen r
---------------------------------
Using UID : 04 A5 1F 62 7D 59 84
---------------------------------
algo | pwd | pack
------+----------+-----
EV1 | 4E501783 | BE17
Ami | 6D3791AC | 8080
LD | F377AAD7 | AA55
XYZ | 5F685050 | D578
------+----------+-----
Vingcard algo
--------------------
[usb] pm3 --> hf mfu pwdgen t
[=] PWD / KEY generator selftest
[=] ----------------------------
[+] UID | 04 11 12 11 12 11 10 | 8432EB17 - OK
[+] UID | 04 1F 98 EA 1E 3E 81 | 5FD37ECA - OK
[+] UID | 04 62 B6 8A B4 42 80 | 5A349515 - OK
[+] UID | 04 C5 DF 4A 6D 51 80 | 72B1EC61 - OK
[+] UID | 74 57 CA A9 | 82c7e64bc565 - OK
[+] ID | 0x00000080 | 00018383 - OK
[+] ------------------- Selftest OK
[usb] pm3 -->
```
I’m kind of at a wall here in terms of what steps I should take next. Should I try to crack the password of the original card using the sniff and the pwdgen, and if so, how? Or, since I couldn’t get the front desk to write to the NTAG when it was in the correct emulation state, should I just consider this a lost cause?