Reading Mifare UltraLight

Hello there,

Hope everybody is fine !! and happy Christmas !!

I’m newbe with a proxmark…
I just read a UltraLight Mifare card (I think) but do not understand the output.
I saw talking about locks…paswords…3DES keys…
So I would like to understand the real Type of this card and if it is locked in any way? Because it says : “Authentication Failed UL-EV1/NTAG”… but shows no locks?

Here is the outputs :

hf mfu info :
[usb] pm3 → hf mfu info

[=] — Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: FUDAN Ultralight Compatible (or other compatible)
[+] UID: 04 30 BD 33 71 00 00
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 01 (ok)
[+] BCC1: 42 (ok)
[+] Internal: 48 (default)
[+] Lock: 00 00 - 0000000000000000
[+] OneTimePad: 00 00 00 00 - 00000000000000000000000000000000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory…
[=] ------------------------------------------------------------

hf mfu dump :

[usb] pm3 → hf mfu dump
[+] TYPE: FUDAN Ultralight Compatible (or other compatible)
[+] Reading tag memory…
[!] Authentication Failed UL-EV1/NTAG
[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version | 00 00 00 00 00 00 00 00
[=] TBD 0 | 00 00
[=] TBD 1 | 00
[=] Signature | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Counter 0 | 00 00 00
[=] Tearing 0 | 00
[=] Counter 1 | 00 00 00
[=] Tearing 1 | 00
[=] Counter 2 | 00 00 00
[=] Tearing 2 | 00
[=] Max data page | 14 (60 bytes)
[=] Header size | 56
[=] -------------------------------------------------------------
[=] block# | data |lck| ascii
[=] ---------±------------±–±-----
[=] 0/0x00 | 04 30 BD 01 | | .0.
[=] 1/0x01 | 33 71 00 00 | | 3q…
[=] 2/0x02 | 42 48 00 00 | | BH…
[=] 3/0x03 | 00 00 00 00 | 0 | …
[=] 4/0x04 | 00 00 00 00 | 0 | …
[=] 5/0x05 | 00 00 00 00 | 0 | …
[=] 6/0x06 | 00 00 00 00 | 0 | …
[=] 7/0x07 | 00 00 00 00 | 0 | …
[=] 8/0x08 | 00 00 00 00 | 0 | …
[=] 9/0x09 | 00 00 00 00 | 0 | …
[=] 10/0x0A | 00 00 00 00 | 0 | …
[=] 11/0x0B | 00 00 00 00 | 0 | …
[=] 12/0x0C | 00 00 00 00 | 0 | …
[=] 13/0x0D | 00 00 00 00 | 0 | …
[=] 14/0x0E | 00 00 00 00 | 0 | …
[=] 15/0x0F | 00 00 00 00 | 0 | …
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file hf-mfu-0430BD33710000-dump-1.bin
[+] saved to json file hf-mfu-0430BD33710000-dump-1.json

Thank you very much for your explanations and help =)

This is an utterly empty tag. Every programmable user memory block is set to 00 or null. That’s basically it.

No it is not empty, I got it from a “playland” for my child. I use it to put “credit point unit” on it, so my child can play with it by passing it on the terminal of the game. Every game is playable with a amount of points.
I think on the one I show the output here, there is 4 points remaining.
So it is not locked? even when we see this “Authentication Failed UL-EV1/NTAG” in the pm3 output?
Thank you.

Yes it is empty. Pretty sure playland stores the points in a central database not in the card… Especially ultralight… not secure enough for stored value card use.

Actual ultralight C cards have an admin feature that can protect memory page access but this one is empty so there’s nothing being protected. The playland machines might be using the admin feature as a kind of shitty authenticity check to make sure it’s not an emulator being presented.

Thank you for all this explanations.
So if I understand well, the central databse of the playland just use the UID of the card when it is presented and determine by checking it database the amount of point this UID have still remain? Then authorize or not to play the game?
I was wondering if however the points are stored in the 3 first block which are not empty :

[=] block# | data |lck| ascii
[=] ---------±------------±–±-----
[=] 0/0x00 | 04 30 BD 01 | | .0.
[=] 1/0x01 | 33 71 00 00 | | 3q…
[=] 2/0x02 | 42 48 00 00 | | BH…

Thank you for your time =)

Nope those are the memory blocks that contain the UID and some check bytes.

Thank you amal for all the explanations. I think I understand better now how it works : It only use UID of the card since all the card is blank.

Merry Chistmass!!