Second Chip Suggestions

Is that like this?

I haven’t got that advanced with Proxmark yet!

[usb] pm3 --> hf mfp chk
[=] Loaded 26 keys
[=] Search keys
......

[=] -----+----------------------------------+----------------------------------
[=]  Sec | key A                            | key B
[=] -----+----------------------------------+----------------------------------
[=]  000 | -------------------------------- | --------------------------------
[=] -----+----------------------------------+----------------------------------

Not sure I can get the keys:

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 59 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] ......
[-] ⛔ No usable key was found!

More info:

[usb] pm3 --> hf mfp info

[=] --- Tag Information ---------------------------

[+]  UID: 04 AA BB CC DD EE FF 
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 75 77 80 02 C1 05 21 30 10 F6 D1 [ D3 00 ]
[=]      0C...............  TL    length is 12 bytes
[=]         75............  T0    TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=]            77.........  TA1   different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=]               80......  TB1   SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[=]                  02...  TC1   NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[=]     C1 05 21 30 10 F6 D1      
[+]     C1.....................   Mifare or (multiple) virtual cards of various type
[+]        05..................   length is 5 bytes
[+]           2x...............   MIFARE Plus
[+]           x1...............   1 kByte
[+]              x0............   Generation 1
[+]                 x0.........   Only VCSL supported
[?] Hint: try `hf mfp info`

[=] --- Fingerprint
[=]           SIZE: 2K (7 UID)
[=]             SAK: 2K 7b UID
[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication
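
The ATS breakdown printed by `hf mfp info` above, reproduced as an added Python example (not part of the original thread or of the Proxmark client). The T0/TA1/TB1/TC1 layout follows ISO/IEC 14443-4; the historical-byte tables hold only the values that output displays, and all function names are hypothetical.

```python
# Added example: ISO/IEC 14443-4 ATS decoder; names here are hypothetical.
PAGE_ATS = "0C 75 77 80 02 C1 05 21 30 10 F6 D1"  # from the page, CRC [D3 00] stripped
FSC = [16, 24, 32, 40, 48, 64, 96, 128, 256]      # FSCI -> frame size in bytes

def _divisors(bits):
    """Bits b1..b3 of a TA1 nibble advertise bit-rate divisors 2, 4 and 8."""
    return [d for mask, d in ((1, 2), (2, 4), (4, 8)) if bits & mask]

def parse_ats(hex_str):
    ats = bytes.fromhex(hex_str)
    if not ats or ats[0] != len(ats):
        raise ValueError("TL must equal the ATS length without the 2-byte CRC")
    out = {"TL": ats[0], "historical": b""}
    if len(ats) == 1:
        return out                                 # TL only: no T0, defaults apply
    t0, pos = ats[1], 2
    if len(ats) < 2 + bin(t0 & 0x70).count("1"):
        raise ValueError("T0 announces interface bytes that are missing")
    fsci = t0 & 0x0F
    out["FSC"] = FSC[fsci] if fsci < len(FSC) else None   # higher FSCI not mapped here
    if t0 & 0x10:                                  # TA1: supported bit rates
        ta = ats[pos]; pos += 1
        out["same_divisor_only"] = bool(ta & 0x80)
        out["DR"], out["DS"] = _divisors(ta & 7), _divisors((ta >> 4) & 7)
    if t0 & 0x20:                                  # TB1: timing
        tb = ats[pos]; pos += 1
        out["FWI"], out["SFGI"] = tb >> 4, tb & 0x0F
        out["FWT_fc"] = 4096 << out["FWI"]         # FWT = 256 * 16 * 2^FWI carrier cycles
    if t0 & 0x40:                                  # TC1: protocol options
        tc = ats[pos]; pos += 1
        out["NAD"], out["CID"] = bool(tc & 1), bool(tc & 2)
    out["historical"] = ats[pos:]
    return out

def describe_mifare_hist(hist):
    """Decode C1-tagged historical bytes; tables list only values shown on the page."""
    if len(hist) < 5 or hist[0] != 0xC1:
        return None
    pick = lambda table, nibble: table.get(nibble, "not listed on the page")
    return {
        "length": hist[1],
        "family": pick({0x2: "MIFARE Plus"}, hist[2] >> 4),
        "size": pick({0x1: "1 kByte"}, hist[2] & 0x0F),
        "generation": pick({0x0: "Generation 1"}, hist[3] & 0x0F),
        "vcs": pick({0x0: "Only VCSL supported"}, hist[4] & 0x0F),
    }

if __name__ == "__main__":
    info = parse_ats(PAGE_ATS)
    print(info, describe_mifare_hist(info["historical"]))
```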

you’re using mfp commands. mfp is mifare classic.

use hf mf commands for mifare classic

when you get a dump file, send the .json here or to me in DMs

Not really making any progress here! Are there any other commands I should be trying?

[usb] pm3 --> hf mf info

[=] --- ISO14443-a Information ---------------------
[+]  UID: 04 AA BB CC DD EE FF 
[+] ATQA: 00 44
[+]  SAK: 08 [2]

[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF 
[+] loaded 1 keys supplied by user 
[+] loaded 59 keys from hardcoded default array
[=] <N/A>

[=] --- Magic Tag Information
[=] <N/A>

[=] --- PRNG Information
[+] Prng................. hard
[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 59 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] ......
[-] ⛔ No usable key was found!
[usb] pm3 --> hf mf darkside
[=] Expected execution time is about 25seconds on average
[=] Press pm3 button to abort

[=] Running darkside .[-] ⛔ card is not vulnerable to Darkside attack (its random number generator is not predictable)
[usb] pm3 --> hf mf chk
[+] loaded 59 keys from hardcoded default array
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 17 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | ------------ | 0 | ------------ | 0
[+]  001 | 007 | ------------ | 0 | ------------ | 0
[+]  002 | 011 | ------------ | 0 | ------------ | 0
[+]  003 | 015 | ------------ | 0 | ------------ | 0
[+]  004 | 019 | ------------ | 0 | ------------ | 0
[+]  005 | 023 | ------------ | 0 | ------------ | 0
[+]  006 | 027 | ------------ | 0 | ------------ | 0
[+]  007 | 031 | ------------ | 0 | ------------ | 0
[+]  008 | 035 | ------------ | 0 | ------------ | 0
[+]  009 | 039 | ------------ | 0 | ------------ | 0
[+]  010 | 043 | ------------ | 0 | ------------ | 0
[+]  011 | 047 | ------------ | 0 | ------------ | 0
[+]  012 | 051 | ------------ | 0 | ------------ | 0
[+]  013 | 055 | ------------ | 0 | ------------ | 0
[+]  014 | 059 | ------------ | 0 | ------------ | 0
[+]  015 | 063 | ------------ | 0 | ------------ | 0
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[usb] pm3 --> hf mf rdbl --blk 0
[#] Auth error
[usb] pm3 --> hf mf rdbl --blk 0 -k FFFFFFFFFFFF
[#] Auth error

Did Patrick do any of yours?

1 Like

The first batch Candace did, but Patrick did my last 3. FlexEM a couple weeks ago, and the xG3 and FlexUG4 the other day. They had run out of numbing gel that morning and that 4 gauge pokey stick wasn’t very fun.

Will say, Candace did alright but Patrick is definitely a pro. Significantly less bleeding and swelling for the ones he put in. He put them exactly where I wanted them to end up, and put the xG3 really close to the surface for better pickup.

Update: I tried scanning the FlexUG4 chip on the reader (very carefully/still in the plastic) and it doesn’t even register a beep. Am I never going to get this to work? :frowning:

A few quick questions:

  • Is there a lube packet on the other side of the implant?
  • What reader?
  • Can you show how you are presenting it?
3 Likes

@TACos

Is this true? Cos I haven’t seen this :person_shrugging:

Thanks

The lube packet is at the other end of the packaging. And have tried the chip at multiple orientations.

I’ll get a video of it next time.

But it’s the same as the test cards - it just doesn’t register at all. Whereas fobs not enrolled will beep and flash red instantly.

The enrolled fob registers at a distance instantly, so it’s definitely a well-powered reader.

1 Like

what’s it configured to be currently emulating when you’re presenting it to the reader?

3 Likes

Perfect.

We hear this a lot and it’s still mostly positioning and orientation. Visuals help :sweat_smile:

I’m remembering this thread now… The UG4, as I recall, comes pre-setup as a MIFARE Classic 1k with a 4-byte UID which your system seems to be ignoring. Can you set it to a MFC with 7-byte UID?

4 Likes

Ok this sounds more promising!

I assumed it would still get recognised as any/all of them. So it can only present as one type of chip at a time?

However, the 4 test cards still do nothing. Should one of them have worked?

What’s the easiest/safest way to set it up as MFC 7-byte? Noting I don’t want to be handling it too much before it’s implanted.

1 Like

Do you have a Proxmark?
Pretty sure you do.

Do you just need the commands?

Do you have a Flipper Zero?

4 Likes

Yes.

None of them are MFC with a 7-byte UID. There are two MFC (gen1a and gen2) but they have 4-byte UIDs. The NTAG216 has a 7-byte UID but it’s not a MIFARE Classic… And then there’s the DESFire which, while MIFARE, isn’t at all the same thing as MIFARE Classic. NXP’s naming is awful and only leads to further confusion in an already convoluted field.

Edited to add:

Using a Proxmark is pretty easy, here’s the script’s help (which is part of the repo linked on the product page and also shown in the product video):

This script enables easy programming of an Ultimate Mifare Magic card
Usage
script run hf_mf_ultimatecard -h -k <passwd> -c -w <type> -u <uid> -t <type> -p <passwd> -a <pack> -s <signature> -o <otp> -v <version> -q <atqa/sak> -g <gtu> -z <ats> -m <ul-mode> -n <ul-protocol>

Arguments
    -h      this help
    -c      read magic configuration
    -u      UID (8-20 hexsymbols), set UID on tag
    -t      tag type to impersonate
                 1 = Mifare Mini S20 4-byte
                 2 = Mifare Mini S20 7-byte     15 = NTAG 210
                 3 = Mifare Mini S20 10-byte    16 = NTAG 212
                 4 = Mifare 1k S50 4-byte       17 = NTAG 213
                 5 = Mifare 1k S50 7-byte       18 = NTAG 215
                 6 = Mifare 1k S50 10-byte      19 = NTAG 216
                 7 = Mifare 4k S70 4-byte       20 = NTAG I2C 1K
                 8 = Mifare 4k S70 7-byte       21 = NTAG I2C 2K
                 9 = Mifare 4k S70 10-byte      22 = NTAG I2C 1K PLUS
            *** 10 = UL -   NOT WORKING FULLY   23 = NTAG I2C 2K PLUS
            *** 11 = UL-C - NOT WORKING FULLY   24 = NTAG 213F
                12 = UL EV1 48b                 25 = NTAG 216F
                13 = UL EV1 128b
            *** 14 = UL Plus - NOT WORKING YET

    -p      NTAG password (8 hexsymbols),  set NTAG password on tag.
    -a      NTAG pack ( 4 hexsymbols), set NTAG pack on tag.
    -s      Signature data (64 hexsymbols), set signature data on tag.
    -o      OTP data (8 hexsymbols), set `One-Time Programmable` data on tag.
    -v      Version data (16 hexsymbols), set version data on tag.
    -q      ATQA/SAK (<2b ATQA><1b SAK> hexsymbols), set ATQA/SAK on tag.
    -g      GTU Mode (1 hexsymbol), set GTU shadow mode.
    -z      ATS (<1b length><0-16 ATS> hexsymbols), Configure ATS. Length set to 00 will disable ATS.
    -w      Wipe tag. 0 for Mifare or 1 for UL. Fills tag with zeros and put default values for type selected.
    -m      Ultralight mode (00 UL EV1, 01 NTAG, 02 UL-C, 03 UL) Set type of UL.
    -n      Ultralight protocol (00 MFC, 01 UL), switches between UL and MFC mode
    -k      Ultimate Magic Card Key (IF DIFFERENT THAN DEFAULT 00000000)

Example usage
    -- read magic tag configuration
    script run hf_mf_ultimatecard -c
    -- set uid
    script run hf_mf_ultimatecard -u 04112233445566
    -- set NTAG pwd / pack
    script run hf_mf_ultimatecard -p 11223344 -a 8080
    -- set version to NTAG213
    script run hf_mf_ultimatecard -v 0004040201000f03
    -- set ATQA/SAK to [00 44] [08]
    script run hf_mf_ultimatecard -q 004408
    -- wipe tag with a NTAG213 or Mifare 1k S50 4 byte
    script run hf_mf_ultimatecard -w 1
    -- use a non default UMC key. Only use this if the default key for the MAGIC CARD was changed.
    script run hf_mf_ultimatecard -k ffffffff -w 1
    -- Wipe tag, turn into NTAG215, set sig, version, NTAG pwd/pak, and OTP.
    script run hf_mf_ultimatecard -w 1 -t 18 -u 04112233445566 -s 112233445566778899001122334455667788990011223344556677 -p FFFFFFFF -a 8080 -o 11111111
4 Likes

All of the above!

2 Likes

This could be a winner!

Appreciate it.

Will test this week and report back.

3 Likes

I seem to have this problem?!

Running hf 14a reader -@ instantly reads any other card but not the FlexUG4!

I don’t really want to take it out of the outer plastic, but surely that would interfere less than my own skin!

  1. It won’t read in the center
  2. The antenna is actually on the bottom board

Flip over the Proxmark and line the implant up over the numbers in the barcode and then try the script command…

3 Likes

I was just getting through that long thread and saw this suggestion too. Instant read now! Thanks so much.

2 Likes

Ok, running the real fob vs implant I have them identical now, but the door reader refuses to beep?!

[+]  UID: 04 ... 80 
[+] ATQA: 00 44
[+]  SAK: 08 [2]

[+]  UID: 04 ... 80 
[+] ATQA: 00 44
[+]  SAK: 08 [2]

What else does it not like?! Is there another flag it is checking?