Helping to clone a room key ultralight ev1

Hi,

I just got my Proxmark3 Easy and am trying to do some basic practice. I am trying to clone my room key:
[usb] pm3 → hf search
[!] No known/supported 13.56 MHz tags found
[usb] pm3 → hf search
[/] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 04 B9 18 B2 87 10 94 ( double )
[+] ATQA: 00 44
[+] SAK: 00 [2]
[+] Possible types:
[+] MANUFACTURER: NXP Semiconductors Germany
[+] MIFARE Ultralight EV1 ~32B
[=] proprietary non iso14443-4 card found, RATS not supported
[=]

[?] Hint: Try hf mfu info

[+] Valid ISO 14443-A tag found

[usb] pm3 → hf mfu info

[=] --- Tag Information --------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 B9 18 B2 87 10 94
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 2D ( ok )
[+] BCC1: B1 ( ok )
[+] Internal: 48 ( default )
[+] Lock: 08 00 - 0000100000000000
[+] OTP: 88 01 C9 18 - 10001000000000011100100100011000

[=] --- Tag Counters
[=] [0]: 00 00 00
[+] - BD tearing ( ok )
[=] [1]: 00 00 00
[+] - BD tearing ( ok )
[=] [2]: 00 00 00
[+] - BD tearing ( ok )

[=] IC signature public key name: NXP Ultralight EV1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A8
[=] : 27564E11718E017292FAF23226A96614
[=] : B8
[=] Elliptic curve parameters: secp128r1
[=] TAG IC Signature: 6D7D5D6BEDAD8B09345B10F308AC1A48
[=] : 9F2797B124C0C74BED716AE5C3EC401F
[+] Signature verification: successful

[=] --- Tag Silicon Information
[=] Wafer Counter: 19009782 ( 0x12210F6 )
[=] Wafer Coordinates: x 185, y 280 (0xB9, 0x118)
[=] Test Site: 2

[=] --- Tag Version
[=] Raw bytes: 0004030101000B03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0B, (64 ↔ 32 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
[=]
[=] --- Fingerprint
[=] n/a

onto this sticker, which advertises that the UID can be changed: 13.56mhz UID changeable S50 1K NFC Sticker Wet Inlay NFC tag Sector Blank Car*k* | eBay UK

[usb] pm3 → hf search
[|] Searching for ISO14443-A tag…
[=] ---------- ISO14443-A Information ----------
[+] UID: 1D CE 9D CB 11 10 80 ( double )
[+] ATQA: 00 44
[+] SAK: 00 [2]
[+] Possible types:
[+] MANUFACTURER: Shanghai Fudan Microelectronics Co. Ltd. P.R. China
[+] TYPE: Unknown 000000
[+] MIFARE Ultralight/C/NTAG Compatible
[!] No known/supported 13.56 MHz tags found
[usb] pm3 → hf mfu info

[=] --- Tag Information --------------------------
[+] TYPE: Unknown 000000
[+] UID: 1D CE 9D CB 11 10 80
[+] UID[0]: 1D, Shanghai Fudan Microelectronics Co. Ltd. P.R. China
[+] BCC0: C6 ( ok )
[+] BCC1: 4A ( ok )
[+] Internal: C0
[+] Lock: 08 00 - 0000100000000000
[+] OTP: E9 11 DB 18 - 11101001000100011101101100011000
[=]
[=] --- Fingerprint
[=] n/a

Is it possible to do this, and if so, how do I do it step by step? Please let me know which document I need to study. Thank you very much!

Where did you get the fudan chip? How did the vendor indicate you would change the UID?

2 Likes

Hmm so they don’t actually explain how to change the UID… I’d ask the vendor specifically. There might be a script or a specific command you need to run to change it. Otherwise you could just try writing to the required memory pages 00 and 01… ultralight tags have 4 byte memory pages and the UID is split across page 00 and 01 with a BUF byte. Try reading your room key with taginfo on your phone and post the full scan to see what I’m talking about.

3 Likes

Okay first of all,

@RubyTheKing do hf mfu dump on your hotel keycard. We need to know if there is a password or if the memory is readily accessible; if there's a password it will need to be sniffed, but this can go on the back burner for now.

The stickers you've linked are advertised as Magic Mifare Classic 1k (mf1s50) chips, which are not the same as the ones shown in your mfu info output of the scanned sticker; either you've linked the wrong product or you have been scammed.

Magic MFUL, in the varieties that exist, tend to be readily picked up by the Proxmark and identified, so I am quite sure you don't have magic MFUL tags but likely a knockoff NTAG, which are very common (and useless in your application).

We can test this with direct writes and magic commands but success is very slim.

Given you've actively purchased a mifare classic UID changeable tag (and not received it), it's important you know that mifare classic and mifare ultralight are not inherently interchangeable, and it is very, very unlikely that even with a magic mifare classic 1k you'd not be able to clone this onto it, due to them being wholly separate chips. It's unlikely the hotel only uses the UID, but if it does we will find out from the dump I asked of you earlier; if it does only use the UID, then a 7-byte Magic Mifare Classic might be able to be used, but again, not guaranteed.

With the further testing the outcome is likely to be that you need to buy magic mifare ultralights, or a GDM tag that can be configured to be mifare ultralight.

5 Likes

Good eyeballs… I’ve been mobile all day and my answers are sub par. Thanks for stepping in.

2 Likes

You got a memory dump?

There are some different models of magic UL-EV1, but they act differently.
If you can sniff the traffic between the tag and the hotel reader, you can see if they use the signature or not.

Side note: it's a Vingcard key (you can tell by the OTP value).

2 Likes

Thank you very much. I am happy to receive loads of answers from all of you. I can confirm that the eBay link I provided is correct. So, probably they sent me a scam one.

Just to escalate this further, I have a Flipper Zero and have successfully scanned the room card and can also get the key from sniffing the key from the reader, so I can have the full .nfc file of the room key with all 20/20 blocks read. Then I tried to scan the clone card from eBay and could get this dump file in .nfc format also, but I changed it to .txt to upload here.
eBay chip.txt (1.6 KB)

So, from the dump file, it says that this is NTAG203, and has 42 blocks successfully read. I don’t know why, when I try to dump it by using Proxmark3, only 16 blocks are read:


→ Why are only 16 blocks read, but from the Flipper Zero, can all 42 blocks be read with their full memory?

When I tried to read blocks 0 and 1, this is the result, which is very weird. Even though there are 16 blocks read, only block 0 can be read by using the hf mfu rdbl:

Thank you very much for your time reading this, and I look forward to learning more about this new but very interesting field!

Because the ultralight ev1 chip only has 16 blocks total, 12 of which are user memory starting at page 04. Oddly it looks like your OTP bytes in page 03 are configured for NFC and there is a blank NDEF message programmed into the tag with nothing inside. Probably standard for Ultralight EV1 chips at this point… but the lock clearly doesn’t use any of that memory… it only cares about the UID.

2 Likes
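As an added example (not code from any poster in this thread, nor from the Proxmark3 project), the following script makes concrete two points made above: that the 7-byte UID is split across pages 00 and 01 with a check byte in between, and that an Ultralight EV1 dump returns 16 pages with user memory starting at page 04. It recomputes BCC0 and BCC1 from a UID, lays out the header pages, decodes the static lock bytes of page 02, and parses the `hf mfu info` lines quoted in the thread to confirm the tool's "( ok )" verdicts. The sample text is copied from the hotel key output above; page roles follow the NXP MF0ULx1 datasheet, and the function names are this example's own.

```python
import re

# Added example, not code from the thread or from the Proxmark3 project.
# Checks UID / BCC bytes from `hf mfu info` and lays out the first pages of a
# MIFARE Ultralight EV1 (MF0UL11). Page roles follow the NXP MF0ULx1 datasheet.

CASCADE_TAG = 0x88  # first anticollision byte for 7-byte UIDs; not stored on the tag

# Sample `hf mfu info` lines, copied from the hotel key output quoted in the thread.
SAMPLE_INFO = """\
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 B9 18 B2 87 10 94
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 2D ( ok )
[+] BCC1: B1 ( ok )
[+] Internal: 48 ( default )
[+] Lock: 08 00 - 0000100000000000
"""


def bcc0(uid: bytes) -> int:
    """BCC0 = cascade tag XOR UID0..UID2; stored as the 4th byte of page 00."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    return CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]


def bcc1(uid: bytes) -> int:
    """BCC1 = UID3 XOR UID4 XOR UID5 XOR UID6; stored as the 1st byte of page 02."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    return uid[3] ^ uid[4] ^ uid[5] ^ uid[6]


def header_pages(uid: bytes, internal: int = 0x48, lock: bytes = b"\x00\x00",
                 otp: bytes = b"\x00\x00\x00\x00") -> list:
    """Pages 00-03 as they sit in memory: UID split over 00/01 with BCC0 between,
    page 02 = BCC1 + internal byte + two static lock bytes, page 03 = OTP."""
    return [
        bytes([uid[0], uid[1], uid[2], bcc0(uid)]),
        bytes(uid[3:7]),
        bytes([bcc1(uid), internal]) + bytes(lock[:2]),
        bytes(otp[:4]),
    ]


def locked_pages(lock0: int, lock1: int) -> set:
    """Decode the static lock bytes of page 02 into the set of read-only pages.
    lock0: bit 3 locks page 03 (OTP), bits 4-7 lock pages 04-07; bits 0-2 are
    block-locking bits that freeze the lock bits themselves, not data pages.
    lock1: bits 0-7 lock pages 08-15."""
    pages = set()
    if lock0 & 0x08:
        pages.add(3)
    pages.update(bit for bit in range(4, 8) if lock0 & (1 << bit))
    pages.update(8 + bit for bit in range(8) if lock1 & (1 << bit))
    return pages


def page_role(page: int) -> str:
    """What an MF0UL11 page holds. Pages 00-15 are what a plain dump returns;
    pages 16-19 are the configuration, password and PACK pages."""
    fixed = {0: "UID0-UID2 + BCC0", 1: "UID3-UID6",
             2: "BCC1 + internal + lock0 + lock1", 3: "OTP"}
    if page in fixed:
        return fixed[page]
    if 4 <= page <= 15:
        return "user memory"
    if 16 <= page <= 19:
        return ("CFG0", "CFG1", "PWD", "PACK")[page - 16]
    raise ValueError("MF0UL11 has pages 00-19 only")


def parse_mfu_info(text: str) -> dict:
    """Pull UID, BCC0, BCC1 and the lock bytes out of `hf mfu info` output."""
    def field(name: str, pattern: str) -> str:
        m = re.search(r"\b" + name + r": " + pattern, text)
        if m is None:
            raise ValueError(f"{name} line not found")
        return m.group(1)
    return {
        "uid": bytes.fromhex(field("UID", r"((?:[0-9A-F]{2} ){6}[0-9A-F]{2})")),
        "bcc0": int(field("BCC0", r"([0-9A-F]{2})"), 16),
        "bcc1": int(field("BCC1", r"([0-9A-F]{2})"), 16),
        "lock": bytes.fromhex(field("Lock", r"([0-9A-F]{2} [0-9A-F]{2})")),
    }


def check_info(text: str) -> dict:
    """Recompute both BCC bytes from the UID and compare with what the tool printed;
    a mismatch means the header pages were not written consistently."""
    info = parse_mfu_info(text)
    uid = info["uid"]
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc0(uid) == info["bcc0"] and bcc1(uid) == info["bcc1"],
        "locked_pages": sorted(locked_pages(info["lock"][0], info["lock"][1])),
    }


if __name__ == "__main__":
    print(check_info(SAMPLE_INFO))
    hotel_uid = bytes.fromhex("04B918B2871094")
    for n, data in enumerate(header_pages(hotel_uid, 0x48, b"\x08\x00")):
        print(f"page {n:02d}: {data.hex().upper()}  ({page_role(n)})")
```

Running it against either `hf mfu info` block in the thread reproduces the tool's BCC0/BCC1 values (2D/B1 for the hotel key, C6/4A for the sticker) and decodes the lock bytes 08 00 as "page 03 locked", which is why the OTP page on both tags is read-only.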

As indicated by the UID starting 1D, this dump you have provided is of the sticker chip you received. Please repeat the dump command on your hotel card, the one with the UID beginning 04.

2 Likes

likely because this isn't the chip for the hotel but the blank, pre-encoded-for-NDEF sticker 😆

I'm a sucker for details.

2 Likes

FAO interested parties;

definitely won’t be best the UID w/ vingcard

1 Like

I can't dump all the sectors on the room key as the last 4 sectors are locked by the password. I managed to sniff it by using the FlipperZero and can have all 20 sectors on the room key. The things I am looking at now are why, with the FlipperZero, the clone card can be read as NTAG203 and has 42 sectors, but the Proxmark3 can only read 16 sectors on it. Is there any script or other command that I need to know when dumping that clone card by using Proxmark3? And why, even though the clone card has 16 blocks according to the hf mfu dump command on Proxmark3, can only block 0 be read, while hf mfu rdbl -b 1 returns an error saying the max block is 0? 🙁

Try running this on the original card:
hf mfu dump --ns

For your magic card, or clone card, I dunno.
Try:
hf mfu info; hf mfu dump --ns

2 Likes