Sniffing a Password from Ultralight EV1

I’m working on trying to clone an Ultralight EV1 48-byte with a Magic NTAG I’ve gotten my hands on, but haven’t been able to find any good guides online as to how I should be interpreting the data (if you’re interested in my recently updated campaign for cardless room access control, see here). The data from the card is as follows:

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+]        UID: 04 A5 1F 62 7D 59 84
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 36 (ok)
[+]       BCC1: C2 (ok)
[+]   Internal: 48 (default)
[+]       Lock: 08 00  - 80
[+] OneTimePad: DF 0D 05 12  - 21518

[=] --- Tag Counters
[=]        [0]: 00 00 00
[+]             - BD tearing (ok)
[=]        [1]: 00 00 00
[+]             - BD tearing (ok)
[=]        [2]: 00 00 00
[+]             - BD tearing (ok)

[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: A04A6EB081096861A93F5A363F715C47C53387689D9E13EC2CD97D4C32098C9E
[+]        Signature verification: successful

[=] --- Tag Version
[=]        Raw bytes: 00 04 03 01 01 00 0B 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: 03, Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0B, (64 <-> 32 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

With the following sniff output:

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 385
[usb] pm3 --> trace list -t 14a
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 385 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                                    |     | WUPA
       2244 |       4612 | Tag |44  00                                                                   |     |
      49536 |      52000 | Rdr |93  20                                                                   |     | ANTICOLL
      53188 |      59012 | Tag |88  04  a5  1f  36                                                       |     |
     103808 |     114272 | Rdr |93  70  88  04  a5  1f  36  83  0f                                       |  ok | SELECT_UID
     115524 |     119044 | Tag |04  da  17                                                               |     |
     168064 |     170528 | Rdr |95  20                                                                   |     | ANTICOLL-2
     171716 |     177604 | Tag |62  7d  59  84  c2                                                       |     |
     222464 |     232928 | Rdr |95  70  62  7d  59  84  c2  ef  f6                                       |  ok | SELECT_UID-2
     234180 |     237764 | Tag |00  fe  51                                                               |     |
     289264 |     293968 | Rdr |30  0f  f5  50                                                           |  ok | READBLOCK(15)
     295236 |     316100 | Tag |05  97  05  a7  04  a5  1f  36  62  7d  59  84  c2  48  08  00  ff  e0   |  ok |
     357488 |     362192 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
     363444 |     384244 | Tag |06  0a  00  21  00  00  00  00  00  00  2f  bf  ae  ef  d6  2c  42  27   |  ok |
     434800 |     439504 | Rdr |30  08  4a  24                                                           |  ok | READBLOCK(8)
     440756 |     461620 | Tag |a7  a2  83  07  ae  2f  67  37  ef  d5  ae  2f  d0  2f  2f  2f  7f  13   |  ok |
     507248 |     512016 | Rdr |30  06  34  cd                                                           |  ok | READBLOCK(6)
     513204 |     534068 | Tag |00  00  2f  bf  ae  ef  d6  2c  a7  a2  83  07  ae  2f  67  37  df  1a   |  ok |
     584688 |     589456 | Rdr |30  0a  58  07                                                           |  ok | READBLOCK(10)
     590644 |     611444 | Tag |ef  d5  ae  2f  d0  2f  2f  2f  2f  2f  2f  2f  2f  2f  2f  2f  dd  c6   |  ok |
     661984 |     666688 | Rdr |30  0e  7c  41                                                           |  ok | READBLOCK(14)
     667956 |     688756 | Tag |2f  2f  2f  00  05  97  05  a7  04  a5  1f  36  62  7d  59  84  cf  39   |  ok |
[usb] pm3 -->

How exactly should I interpret this data? I know for a fact there’s a password on this card since when I try to do a dump on it, I’m told authentication failed for the first four blocks. Any pointers on parsing this?


Well, the first thing you should do is look up the documentation for the Ultralight EV1 chip and find out which command is the PWD_AUTH command (or equivalent), then check your sniffed data for a reader command that matches that value and format.

Well, also… let’s clarify… what exactly are you sniffing?

I’m sniffing the communication between the original keycard and the reader I use to get into my room. Checking the data sheet here, it says that the hex code for PWD_AUTH is 1Bh, but I can’t find any corresponding string in the reader commands.

From the sniff data it appears then that nothing is happening with the unreadable blocks…

Block counts start at 00 so reading block 04 should not be part of the “first four blocks” you can’t read. Might just be a red herring. Copy the blocks you can read and try it.

I am curious if it randomly reads six blocks (greater than 03) every time or if it always reads the same six. It wouldn’t make the tag any more secure, but it would stop a replay attack.
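As an added example (not from the original post or any of the replies), here is a Python walk over the CRC-bearing frames of the trace above, transcribed by hand: it verifies each frame's CRC_A, checks the two BCC bytes against the UID fragments in the SELECT commands, rebuilds the page map from the READ answers, and reports which pages the reader never fetched and whether a PWD_AUTH (1Bh) command appears at all. The roll-over from page 0Fh back to 00h is taken from what the READ 0Eh and 0Fh answers in this trace show, not from the datasheet.

```python
# Constructed transcription of the CRC-bearing frames in the trace above
# (WUPA/ATQA and the bare anticollision exchanges carry no CRC and are left out).
FRAMES = [
    ("Rdr", "93 70 88 04 a5 1f 36 83 0f"), ("Tag", "04 da 17"),  # SELECT cascade 1, SAK
    ("Rdr", "95 70 62 7d 59 84 c2 ef f6"), ("Tag", "00 fe 51"),  # SELECT cascade 2, SAK
    ("Rdr", "30 0f f5 50"), ("Tag", "05 97 05 a7 04 a5 1f 36 62 7d 59 84 c2 48 08 00 ff e0"),
    ("Rdr", "30 04 26 ee"), ("Tag", "06 0a 00 21 00 00 00 00 00 00 2f bf ae ef d6 2c 42 27"),
    ("Rdr", "30 08 4a 24"), ("Tag", "a7 a2 83 07 ae 2f 67 37 ef d5 ae 2f d0 2f 2f 2f 7f 13"),
    ("Rdr", "30 06 34 cd"), ("Tag", "00 00 2f bf ae ef d6 2c a7 a2 83 07 ae 2f 67 37 df 1a"),
    ("Rdr", "30 0a 58 07"), ("Tag", "ef d5 ae 2f d0 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f dd c6"),
    ("Rdr", "30 0e 7c 41"), ("Tag", "2f 2f 2f 00 05 97 05 a7 04 a5 1f 36 62 7d 59 84 cf 39"),
]
PWD_AUTH, READ, SELECT_CL1, SELECT_CL2, CASCADE_TAG = 0x1B, 0x30, 0x93, 0x95, 0x88

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (init 0x6363), returned LSB first as it is sent on air."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))

def analyse(frames):
    """Return the UID, the page map rebuilt from READ answers and a few sanity counters."""
    uid, pages, reads, cmds = b"", {}, [], set()
    bad_crc, bad_bcc, pending = 0, 0, None  # pending: page address of the READ awaiting its answer
    for src, hexstr in frames:
        raw = bytes.fromhex(hexstr)
        body, crc = raw[:-2], raw[-2:]
        if crc_a(body) != crc:
            bad_crc += 1
        if src == "Rdr":
            cmds.add(body[0])
            if body[0] in (SELECT_CL1, SELECT_CL2) and body[1] == 0x70:
                part, bcc = body[2:6], body[6]  # 4 bytes + BCC, which is the XOR of those 4 bytes
                bad_bcc += int(part[0] ^ part[1] ^ part[2] ^ part[3] != bcc)
                uid += part[1:] if part[0] == CASCADE_TAG else part  # 0x88 is the cascade tag, not UID
            elif body[0] == READ:
                pending = body[1]
                reads.append(pending)
        elif pending is not None and len(body) == 16:
            for i in range(4):  # READ answers 4 pages; this trace shows 0x0F rolling over to 0x00
                page, data = (pending + i) % 16, body[4 * i:4 * i + 4]
                if pages.setdefault(page, data) != data:
                    raise ValueError(f"page {page:#04x} differs between two reads")
            pending = None
    return {"uid": uid.hex(), "pages": pages, "reads": reads, "bad_crc": bad_crc,
            "bad_bcc": bad_bcc, "pwd_auth_seen": PWD_AUTH in cmds,
            "never_read": sorted(set(range(16)) - set(pages))}
```

Run against this trace it reports no PWD_AUTH, six READs of pages 0Fh, 04h, 08h, 06h, 0Ah, 0Eh, every overlapping page agreeing between reads, and page 03h (the OTP page) as the only one of the first sixteen the reader never asked for.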

Would REALLY like to know if anyone has ever figured this one out. I’ve been working on the same thing for the past year now.

With this particular instance, I got very, very lucky with a random app from the GPlay store that copied exactly what the door needed onto the Magic NTAG. I honestly have no clue exactly which block was the one I needed, but it was able to get it onto the NTAG. It may work for you, but no guarantees.