Help writing to FlexUG4 with PM3

So as the title says, I'm trying to write to my FlexUG4. I got it mainly to use as my bus pass as I needed a 7 byte UID and this was the perfect thing for it.
After grabbing the info from my bus pass and trying to load it to my FlexUG4, I kept getting a “couldnt verify size” error and the UG4 setting the UID to all 0’s. I tested the file on a UG4 card I got off of the Flipper Zero Etsy shop and got it first try. From my understanding, they should be the same chip, and I did verify that the PM3 was able to read the UG4 before loading by doing “hf tune” followed by “hf search” and waiting until data started showing. I have also tried loading the data with and without an RSP.


^^ this is the error that shows up when trying to load


^^ If I do an “hf search” this is what data shows after getting the error. I think the static nonce is from when I first got my UG4 installed and I was trying to get my hotel key card to work on it (I was not successful in doing that) and I haven't figured out how to remove that yet. Unless it was there already, then ignore my previous statement.


^^ this is what shows if I do an Autopwn on the UG4 after the failed load


^^ after a short comparison of the autopwn data from my bus pass (pic above) to the data on my UG4, are the 016 and 017 (signature) lines my problem? My best guess is no, since viewing the .bin file doesn't show those lines and since I was able to load it to my UG4 card just fine.


Full view of the data from my pass in case there's something I missed

Any help is greatly appreciated, and I apologize in advance, I work night shift so my replies to anything are typically later in the afternoon (it is 4:15 am at the time of this post).

**Edit:** after doing a “wipe” with my Flipper Zero, the static nonce disappeared, and when trying to gload to the UG4 it no longer sets the UID to all 0’s but to the first 4 bytes instead and still fails.
My Flipper definitely doesn't like that, as it stops recognizing my UG4 at all. I have resolved that by lying to it and tricking it into thinking it's writing to my UG4 card then putting my UG4 implant in its place (for the time being I've just loaded the original data that came on the UG4 when I got it).


You could try using the hf_mf_ultimatecard script to wipe the tag and then set the uid/sak/atqa and then try to gload again.

FWIW I have the same static nonce on my UG4 as well.

The hf_mf_ultimatecard script can also give you some other more useful information about the card config.

Once I figure out where I put my laptop charger, and how to use that command without potentially bricking my chip, I shall give an update. Thankfully I have a bunch of magic tags I can learn and test with.



That’s what I love to hear.
Testing on cards NOT Implants.

You are an example to others


Well yeah! There’s no way I’m going to risk bricking my expensive implants trying to learn commands I’ve never used before. Now a cheap $10 pack of 20 magic NFC tags from Amazon (link for anyone needing learning materials), I’ll test and risk possibly bricking those all day. End of the day, I’m not having to schedule a doctor's appointment to cut my hands open, just tossing a dead sticker.


So after much fumbling around, I've made little to no progress.
To start, I tried doing this on both my laptop and PC, and the results for both were different, and my PC seems to have changed the behavior of my UG4 card, as I now have to use “script run hf_mf_ultimatecard -t” and go between 5 and 8 a few times to get my bus pass file to load to it, but I was able to get “script run hf_mf_ultimatecard -s (with sig)” to load to it somewhat consistently. However, after doing this process with my UG4 implant, I get a “wrong ul” error when trying to set the type unless I was using an RSP (I'm trying to do this without the RSP as my Flipper Zero doesn't write to my UG4 implant properly when I use it, and my PM3 seems to not be able to read tags correctly consistently with it), and when I can get it to set the type, I still get the “cant verify card size” error when trying to load the bus pass file. I have thankfully managed to not brick my implant yet.

Well, that’s the first time we’ve heard this. Are you running stock firmware? I ask because I’ve seen some of them break NFC/RFID.

Yeah it’s just stock, only using whatever updates come out of the Flipper Zero app. I do also want to be sure we're on the same page: it only happened when I use an RSP; after taking it off, everything was fine. I have one slapped on my phone and it seems to work fine (or I haven't caught any errors [doubtful]) but I don't do all the same stuff with that one.
I tried to replicate what happened so I had recent pics. But I can't get it to do it again, so here's some screenshots from when I first saw it.


this is what the data should look like

this is what I had written a few times. If I read the tag with the Flipper Zero, it'll show that nothing is wrong

I also tend to get those errors in the first pic when I read my UG4 implant using an RSP
This is my UG4 without the RSP

Erm, are you sending it raw commands or using the NFC Magic app?


I was using the NFC Magic app, I don't know where on my Flipper I would send raw commands from. I'd have to do some testing on some spare tags before I do that on my implants.

As an update, I found a section in the Flipper that allowed me to add keys to the dictionary. After adding the key for my bus pass and rereading my bus pass, I was able to load it using the Flipper. Then using my PM3, load the dump file with gload and then add the signature using the hf_mf_ultimatecard script. I'm not sure what fully changed that allowed me to do so, since theoretically the amount of data loaded from my Flipper shouldn't have changed and I didn't use a new dump file with the PM3. But doing an “hf mf info” shows all the correct data. I can't however get my PM3 to do a full autopwn, I get a “no response from Proximark3” error after a while.


I was using an RSP when trying to autopwn, but not for anything else. This is also the result of the third try, the first two kept giving me “bcc0 incorrect…” and “Multiple tags detected. Collision after Bit 1” errors