Problem reading FlexUG4 [SOLVED] Move the lube packet!

Well, none of those are Mifare 4k :cry:

So I tried it the

fun way

[usb] pm3 → hf 14a sim -t 8 -u 11223344
[+] Emulating ISO/IEC 14443 type A tag with 4 byte UID (11 22 33 44 )
[=] Press pm3 button to abort simulation
[#] Emulator stopped. Trace length: 33435
[=] Done!
[usb] pm3 → hf 14a info

[+] UID: 11 22 33 44
[+] ATQA: 00 02
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection… hard

[?] Hint: try hf mf commands

[usb] pm3 → script run hf_mf_ultimatecard -c
[+] executing lua /usr/local/bin/…/share/proxmark3/luascripts/hf_mf_ultimatecard.lua
[+] args ‘-c’

ERROR: partial read of configuration, use -k or change cfg0 block

[+] finished hf_mf_ultimatecard

Emulated a Mifare 4k on the PM3, read it on the flipper. Scanned in a crapton of keys, gave up after a few minutes because it was taking it sweet time. Emulated on Flipper and read it from the PM3 and it shows a partial read (makes sense, because I only scanned through sector1, quit during sector 2 read).

1 Like

A shot in the dark(because I have only my phone with me) Are you running latest master? If you do, try to pull and compile from the last(stable) release hash. This may be a regression.

4 Likes

Let’s not worry about that part right now… Try and save one of the MFC tags from the blue bambino then try writing it to the UG4. I’m wondering if some part of the config is b0rked and am curious is a successful write will correct it and allow it to function normally…

2 Likes

tried that

2 Likes

Not letting me write anything to the FlexUG4 from the Flipper.

Read it from Flipper, and emulated to PM3:

Summary

[usb] pm3 → hf 14a info

[+] UID: 04 96 8C BB
[+] ATQA: 00 04
[+] SAK: 18 [2]
[+] Possible types:
[+] MIFARE Classic 4K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection… hard

[?] Hint: try hf mf commands

[usb] pm3 → script run hf_mf_ultimatecard -c
[+] executing lua /usr/local/bin/…/share/proxmark3/luascripts/hf_mf_ultimatecard.lua
[+] args ‘-c’

ERROR: partial read of configuration, use -k or change cfg0 block

[+] finished hf_mf_ultimatecard

Not a full read but it at least does something, so it looks like the PM3 is “working”. Currently playing around with NFC Magic fap on the Flipper, it’s scanning and unlocking keys on the FlexUG4.

2 Likes

Did you tried to run from it Gen4 actions and then set default config? I am still waiting for my testing card so really take what I am writing with a grain of salt.

4 Likes

I didn’t bring my Flipper… I’m in the process of updating Amal’s so I can verify what I remember of the process.

3 Likes

Yup, been messing with that for the last 20 minutes or so…

Okay, so far here’s the latest update:

Can read the FlexUG4 from Flipper, but not from PM3. Can read the emulated tag from Flipper onto PM3.

Flipper: Read/write back onto FlexUG4. Still no read from PM3.
Write info from a saved 1k fob (my bedroom door unlock key xMagic implant), and door is able to read and unlock from the FlexUG4. Still unable to read it using the PM3.

Phone: is able to read FlexUG4 with Taginfo and NFC Tools

Granted, it’s a couple year old PM3 Easy clone from Ali but it’s never had a problem with anything else until now. And it is able to read the Flipper when it’s emulating the FlexUG4 info.

I dunno. It appears to be working alright with the Flipper, just sometimes takes an extra try to get it to read, don’t know if that’s because it’s a fancier chip or not. F0 reads my Apex almost instantly.

If the consensus from everybody is “don’t by generic clones”, I’ll go along with that. I’m just a “Jack of all trades, master of none” kind of electronics guy and am not super knowledgeable with the NFC stuff, my focus is more on small hardware (rpi/esp projects etc).

3 Likes

Hey @Iceman could you please give some advice here? Is this pm3 behaviour expected? Thank you!

1 Like

Dusted off the ChameleonUltra, and even that reads the FlexUG4.

Pointing more and more towards generic clone problems. Maybe that’s why the Rebels won over the Imperials…

3 Likes

14A on Proxmark3 usually needs a bit of distance.

Not sure about implants since it gotten a different antenna but try some distance.
You can use “hf tune” to see if you get a good coupling ( voltage drop )

2 Likes

Just tried it again:

While resting the FlexUG4 on the PM3:
[usb] pm3 → hf tune
[=] Measuring HF antenna
[=] Press pm3 button or to exit
[=] 14837 mV / 14 V / 15 Vmax

Soon as I take it off, bumps to 15222mV. Tried it from touching through an inch or so away, spamming “hf 14a info” and “script run hf_mf_ultimatecard -c” multiple times on top, underneath, angled etc.
When I did it last night with the Evil Foil Packet of Lube it would drop to the 9000’s mV when touching.

Thanks for the help everybody, but it’s really looking like something wrong with my generic PM3Easy. Everything else seems to read it, even if it sometimes takes multiple tries.

Willing to try more things if anybody else has suggestions, but already opened a ticket to return it (needs re-sterilization anyway, got lube all over the paperish backing side and may have soaked in a bit), so sending it off sometime today or tomorrow.

1 Like

If you run, it will be easier for you moving the pm3 around.

hf 14a reader -@

4 Likes

Sweet! Now it looks like the cops are after me :rofl: Love the flashing lights.

Thanks for the cmd that actually helped out a ton.

Update: Accidentally got it to read on the PM3, but only if it’s in this exact spot, and slightly pushing down on the unit to make contact.

Summary

[usb] pm3 → hf 14a reader -@
[=] Press to exit
[#] BCC0 incorrect, got 0x00, expected 0x9e
[#] Aborting
[#] BCC0 incorrect, got 0x00, expected 0x9e
[#] Aborting
[+] UID: 04 96 8C BB
[+] ATQA: 00 04
[+] SAK: 18 [2]

[#] BCC0 incorrect, got 0x00, expected 0x9e
[#] Aborting
[+] UID: 04 96 8C BB
[+] ATQA: 00 04
[+] SAK: 18 [2]

With that spot and pushing down on it to make contact, am able to read/write etc everything with PM3.

Possible antenna/chip issues on the FlexUG4 then? Would explain a lot, plus does take several tries to read.
Similar to reading it from the F0, CU, and my NFC door lock, it’s got to be touching and almost exactly in the right spot. By comparison, my Apex Flex can be read from up to 1/4" away without troubles.

1 Like

Something is off.

The FlexUG4 has a larger antenna, right? That’s should normally be a good thing.

1 Like

Yes, larger antenna. Everything I’ve read about it, should have to move it further away to get a good read, this one I have to almost crush right up against it.

try putting about a inch distance from it. it really shouldnt need to be crushed to get a read.

Yup, tried anywhere from almost-crushing close to near 2 inches away. Only one that reads it without physical contact is the Flipper (all of a hair-width away), or else using a MFGC I can get it as far away as “almost touching”.

Made it a ton easier to move it around while scanning, that’s the only way I got it to read at all on the PM3, was by accident.

Boxing it up now, and heading to the post office though.

That’s unfortunate but better than realising there is an issue when it’s under your skin.

1 Like

Maybe not. I can tell you that my CoM conversion was hard to scan until it was installed. @Satur9 is a wizard.

That being said, you’re not going to get the same performance out of a magic chip that you do from a genuine NXP powerhouse like the p71.

1 Like