Doing My Homework on FlexMN

If you’ve been here a while you may have seen my various posts about unsuccessfully trying to create some way to enter my dorm room without using the actual keycard. At this point, we’re pretty much at the end of our rope, using a physical bypass whereby I have a PN532 reader that checks the tag stored in my FlexMT and, if it matches, activates a servo through an Arduino that opens the door from the inside. Suffice it to say, not the prettiest solution, but it works okay.

Lo and behold, I check the store and see the illustrious FlexMN, capable of many things, but most importantly, emulating UL_EV1 48 byte (Mifare Ultralight EV1) tags. I’ve uploaded the screenshots of the card that is currently used for entry into my room. It’s currently password protected and I’ve poked around and played with the entry key writing system, but there’s no way to physically add UIDs or cards, so adding a unique card is out of the question. I could try to sniff the authentication between the card and my reader, but I’ve never done that before and am kind of unsure how to go about it.

So, I’m wondering: if I set the emulation of the flexMN to the Ultralight EV1 setting, can I just try to get the front desk to attempt to write the data through their writer, with the flexMN acting like any regular physical Ultralight EV1 card? Is this possible, or can the card data only be programmed on using the ProxMark?

Also side issue, when I’m on my campus’s wifi, the images don’t load on this forum, which is just a fun aside.

Hi Appellus,

It does look like you could potentially use the flexMN to clone your card; however, without understanding exactly how the system works, there’s a small chance it cannot, or that you cannot create a copy but can create a replacement. Do you have a proxmark 3? If so, try using hf 14a sniff to see the communication between your card and the reader. If that works and you find the key / password and you want to be super sure before spending a lot on a flexMN, you can get a test card version: Magic NTAG® 21x / NTAG® I2C / MIFARE Ultralight® EV1 Compatible Tag – Lab401 or https://cyborg.ksecsolutions.com/product/magic-ntag-21x-ntag-i2c-mifare-ultralight-ev1-compatible-tag/

@amal, am I able to set the FlexMN to emulate an Ultralight and then have it be treated by other writers as an Ultralight card, i.e. can data just be written to it without a Proxmark? Or must any data I want the FlexMN to hold be loaded on through the proxmark software since the emulation is unique?

I’m pretty sure once you set the parameters of the flexMN with the proxmark, standard data reading and writing can still be done by any reader issuing the proper commands… the question though becomes if that reader is expecting support for specific commands that exist in the ultralight but not the magic ntag chip… like perhaps the Ultralight C’s “administrative commands” for example.

Alright, I’ll grab an NTAG card and see if I can have the entry card writer write directly to it. If so, I should be all good for the flexMN, correct? Also, @DonFire, I’ve never sniffed before; any good resources I should check out? Or is it as simple as placing the Proxmark in between the reader and the card and swiping the card?

Yeah, I think that makes sense.

Basically yes: you put the proxmark on the reader and then issue the command hf 14a sniff, then tap the card over the top of the proxmark HF antenna. Once the card is tapped, hit the button on the proxmark to stop sniffing, then issue the command hf 14a list to get the sniffed data.

Alright, back and armed with an NTAG card courtesy of KSEC, and I’ve been doing testing all day to see if we can make this a reality. First, info from the original dorm entry card:

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+]        UID: 04 A5 1F 62 7D 59 84
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 36 (ok)
[+]       BCC1: C2 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 08 00  - 80
[+] OneTimePad: DF 0D 05 12  - 21518

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing (ok)
[=]        [1]: 00 00 00
[+]             - BD tearing (ok)
[=]        [2]: 00 00 00
[+]             - BD tearing (ok)

[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: A04A6EB081096861A93F5A363F715C47C53387689D9E13EC2CD97D4C32098C9E
[+]        Signature verification: successful

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0B 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

Next, the closest I’ve been able to get my NTAG to look after messing around with the script run hf_mfu_magicwrite command:

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+]        UID: 04 A5 1F 62 7D 59 84
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 36 (ok)
[+]       BCC1: C2 (ok)
[+]   Internal: 00 (not default)
[+]       Lock: 00 00  - 00
[+] OneTimePad: DF 0D 05 12  - 21518

[=] --- Tag Counters
[=]        [0]: FF FF FF
[+]             - 00 tearing (failure)
[=]        [1]: FF FF FF
[+]             - 00 tearing (failure)
[=]        [2]: FF FF FF
[+]             - 00 tearing (failure)

[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: A04A6EB081096861A93F5A363F715C47C53387689D9E13EC2CD97D4C32098C9E
[+]        Signature verification: successful

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0B 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [16/0x10]: 00 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [17/0x11]: 00 05 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [18/0x12]: FF FF FF FF - (cannot be read)
[=]   PACK [19/0x13]: FF FF       - (cannot be read)
[=]   RFU  [19/0x13]:       FF FF - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found a default password: FF FF FF FF  || Pack: FF FF

I went down to my lobby after setting my NTAG card to read as an Ultralight 48 bytes (script run hf_mfu_magicwrite -t 1), but when they tried to write to it, the system said that it was “invalid card provider”. I’m wondering if this is what @amal was hinting at with the “administrative commands”, or perhaps it’s just recognizing the NTAG as a magic card?

I also did a sniff between my door reader and my original entry card and got the following:

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 385
[usb] pm3 --> trace list -t 14a
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 385 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2244 |       4612 | Tag |44  00                                                                   |     |
      49536 |      52000 | Rdr |93  20                                                                   |     | ANTICOLL
      53188 |      59012 | Tag |88  04  a5  1f  36                                                       |     |
     103808 |     114272 | Rdr |93  70  88  04  a5  1f  36  83  0f                                       |  ok | SELECT_UID
     115524 |     119044 | Tag |04  da  17                                                               |     |
     168064 |     170528 | Rdr |95  20                                                                   |     | ANTICOLL-2
     171716 |     177604 | Tag |62  7d  59  84  c2                                                       |     |
     222464 |     232928 | Rdr |95  70  62  7d  59  84  c2  ef  f6                                       |  ok | SELECT_UID-2
     234180 |     237764 | Tag |00  fe  51                                                               |     |
     289264 |     293968 | Rdr |30  0f  f5  50                                                           |  ok | READBLOCK(15)
     295236 |     316100 | Tag |05  97  05  a7  04  a5  1f  36  62  7d  59  84  c2  48  08  00  ff  e0   |  ok |
     357488 |     362192 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
     363444 |     384244 | Tag |06  0a  00  21  00  00  00  00  00  00  2f  bf  ae  ef  d6  2c  42  27   |  ok |
     434800 |     439504 | Rdr |30  08  4a  24                                                           |  ok | READBLOCK(8)
     440756 |     461620 | Tag |a7  a2  83  07  ae  2f  67  37  ef  d5  ae  2f  d0  2f  2f  2f  7f  13   |  ok |
     507248 |     512016 | Rdr |30  06  34  cd                                                           |  ok | READBLOCK(6)
     513204 |     534068 | Tag |00  00  2f  bf  ae  ef  d6  2c  a7  a2  83  07  ae  2f  67  37  df  1a   |  ok |
     584688 |     589456 | Rdr |30  0a  58  07                                                           |  ok | READBLOCK(10)
     590644 |     611444 | Tag |ef  d5  ae  2f  d0  2f  2f  2f  2f  2f  2f  2f  2f  2f  2f  2f  dd  c6   |  ok |
     661984 |     666688 | Rdr |30  0e  7c  41                                                           |  ok | READBLOCK(14)
     667956 |     688756 | Tag |2f  2f  2f  00  05  97  05  a7  04  a5  1f  36  62  7d  59  84  cf  39   |  ok |
[usb] pm3 -->

It should also be noted that when I try to do a `hf mfu dump`, I’m only able to get 16 of the blocks:

[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] Reading tag memory...
[#] Cmd Error: 00
[#] Read block 16 error
[!] Authentication Failed UL-EV1/NTAG
[=] MFU dump file information
[=] -------------------------------------------------------------
[=]       Version | 00 04 03 01 01 00 0B 03
[=]         TBD 0 | 00 00
[=]         TBD 1 | 00
[=]     Signature | A0 4A 6E B0 81 09 68 61 A9 3F 5A 36 3F 71 5C 47 C5 33 87 68 9D 9E 13 EC 2C D9 7D 4C 32 09 8C 9E
[=]     Counter 0 | 00 00 00
[=]     Tearing 0 | BD
[=]     Counter 1 | 00 00 00
[=]     Tearing 1 | BD
[=]     Counter 2 | 00 00 00
[=]     Tearing 2 | BD
[=] Max data page | 14 (60 bytes)
[=]   Header size | 56
[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 A5 1F 36 |   | ...6
[=]   1/0x01 | 62 7D 59 84 |   | b}Y.
[=]   2/0x02 | C2 48 08 00 |   | .H..
[=]   3/0x03 | DF 0D 05 12 | 1 | ....
[=]   4/0x04 | 06 0A 00 21 | 0 | ...!
[=]   5/0x05 | 00 00 00 00 | 0 | ....
[=]   6/0x06 | 00 00 2F BF | 0 | ../.
[=]   7/0x07 | AE EF D6 2C | 0 | ...,
[=]   8/0x08 | A7 A2 83 07 | 0 | ....
[=]   9/0x09 | AE 2F 67 37 | 0 | ./g7
[=]  10/0x0A | EF D5 AE 2F | 0 | .../
[=]  11/0x0B | D0 2F 2F 2F | 0 | .///
[=]  12/0x0C | 2F 2F 2F 2F | 0 | ////
[=]  13/0x0D | 2F 2F 2F 2F | 0 | ////
[=]  14/0x0E | 2F 2F 2F 00 | 0 | ///.
[=]  15/0x0F | 05 97 05 A7 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file hf-mfu-04A51F627D5984-dump-2.bin
[+] saved to json file hf-mfu-04A51F627D5984-dump-1.json
[!] Partial dump created. (16 of 20 blocks)

I’ve gathered that the original entry keycard has some password on it, but I’m unsure how to crack it. I’ve tried hf mfu pwdgen with both the selftest and UID flags:

[usb] pm3 --> hf mfu pwdgen r
---------------------------------
 Using UID : 04 A5 1F 62 7D 59 84
---------------------------------
 algo | pwd      | pack
------+----------+-----
 EV1  | 4E501783 | BE17
 Ami  | 6D3791AC | 8080
 LD   | F377AAD7 | AA55
 XYZ  | 5F685050 | D578
------+----------+-----
 Vingcard algo
--------------------
[usb] pm3 --> hf mfu pwdgen t
[=] PWD / KEY generator selftest
[=] ----------------------------
[+] UID | 04 11 12 11 12 11 10  | 8432EB17 - OK
[+] UID | 04 1F 98 EA 1E 3E 81  | 5FD37ECA - OK
[+] UID | 04 62 B6 8A B4 42 80  | 5A349515 - OK
[+] UID | 04 C5 DF 4A 6D 51 80  | 72B1EC61 - OK
[+] UID | 74 57 CA A9           | 82c7e64bc565 - OK
[+] ID  | 0x00000080            | 00018383 - OK
[+] ------------------- Selftest OK
[usb] pm3 -->

I’m kind of at a wall here in terms of what steps I should take next. Should I try to crack the password of the original card using the sniff and the pwdgen, and if so, how? Or, since I couldn’t get the front desk to write to the NTAG when it was in the correct emulation state, should I just consider this a lost cause?
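As an added example (not from the thread or the Proxmark project), here is a small Python parser for the hf 14a sniff trace quoted above. It rebuilds the 7-byte UID from the two anticollision cascade levels, verifies the BCC and CRC_A bytes the Proxmark marked "ok", and lists which commands the door reader actually sent; the rows are constructed from the trace in the post, and the command names come from ISO 14443-3 and the Ultralight EV1 datasheet.

```python
# Rows constructed from the hf 14a sniff trace in the post: (source, hex data, parity dropped).
TRACE = [
    ("Rdr", "52"), ("Tag", "44 00"),
    ("Rdr", "93 20"), ("Tag", "88 04 a5 1f 36"),
    ("Rdr", "93 70 88 04 a5 1f 36 83 0f"), ("Tag", "04 da 17"),
    ("Rdr", "95 20"), ("Tag", "62 7d 59 84 c2"),
    ("Rdr", "95 70 62 7d 59 84 c2 ef f6"), ("Tag", "00 fe 51"),
    ("Rdr", "30 0f f5 50"), ("Rdr", "30 04 26 ee"), ("Rdr", "30 08 4a 24"),
]
# Command bytes from ISO 14443-3 and the MF0ULx1 (Ultralight EV1) datasheet.
CMD_NAMES = {0x52: "WUPA", 0x93: "CL1", 0x95: "CL2", 0x30: "READ", 0x3A: "FAST_READ",
             0xA2: "WRITE", 0x1B: "PWD_AUTH", 0x60: "GET_VERSION", 0x3C: "READ_SIG"}

def crc_a(data: bytes) -> bytes:
    """ISO 14443-A CRC_A: init 0x6363, reflected polynomial 0x8408, sent LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def crc_ok(frame: bytes) -> bool:
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]

def uid_from_cascades(cl1: bytes, cl2: bytes) -> bytes:
    """cl1 = CT(0x88) uid0..2 BCC0, cl2 = uid3..6 BCC1; each BCC is the XOR of its 4 bytes."""
    for part in (cl1, cl2):
        if part[0] ^ part[1] ^ part[2] ^ part[3] != part[4]:
            raise ValueError("BCC mismatch in " + part.hex())
    return cl1[1:4] + cl2[:4]

def analyse(trace):
    """Return UID, reader command names, pages read and any CRC_A failures in the trace."""
    frames = [(src, bytes.fromhex(h)) for src, h in trace]
    cascades, cmds, pages, bad_crc = [], [], [], []
    for i, (src, f) in enumerate(frames):
        if src != "Rdr":
            continue
        cmds.append(CMD_NAMES.get(f[0], "0x%02X" % f[0]))
        if f[0] in (0x93, 0x95) and f[1] == 0x20:   # anticollision: next Tag frame is a cascade level
            cascades.append(frames[i + 1][1])
        if f[0] == 0x30:                              # READ <page>: tag answers with 4 pages + CRC
            pages.append(f[1])
        if len(f) > 2 and not crc_ok(f):              # WUPA and anticollision requests carry no CRC
            bad_crc.append(f.hex())
    return {"uid": uid_from_cascades(*cascades).hex(), "cmds": cmds,
            "pages": pages, "bad_crc": bad_crc}

print(analyse(TRACE))
```

The command list is the useful part when assessing a reader: in this trace the reader only selects the card and issues plain READ commands, and no PWD_AUTH appears, so the password is never exchanged over the air here.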