I’m working on trying to clone an Ultralight EV1 48 byte with a Magic NTAG I’ve gotten my hands on, but haven’t been able to find any good guides online as to how I should be interpreting the data (if you’re interested in my recently updated campaign for cardless room access control, see here). The data from the card is as follows:
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
[+] UID: 04 A5 1F 62 7D 59 84
[+] UID[0]: 04, NXP Semiconductors Germany
[+] BCC0: 36 (ok)
[+] BCC1: C2 (ok)
[+] Internal: 48 (default)
[+] Lock: 08 00 - 80
[+] OneTimePad: DF 0D 05 12 - 21518
[=] --- Tag Counters
[=] [0]: 00 00 00
[+] - BD tearing (ok)
[=] [1]: 00 00 00
[+] - BD tearing (ok)
[=] [2]: 00 00 00
[+] - BD tearing (ok)
[=] --- Tag Signature
[=] IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: A04A6EB081096861A93F5A363F715C47C53387689D9E13EC2CD97D4C32098C9E
[+] Signature verification: successful
[=] --- Tag Version
[=] Raw bytes: 00 04 03 01 01 00 0B 03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: 03, Ultralight
[=] Product subtype: 01, 17 pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 0B, (64 <-> 32 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant
With the following sniff output:
[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 385
[usb] pm3 --> trace list -t 14a
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 385 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52(7) | | WUPA
2244 | 4612 | Tag |44 00 | |
49536 | 52000 | Rdr |93 20 | | ANTICOLL
53188 | 59012 | Tag |88 04 a5 1f 36 | |
103808 | 114272 | Rdr |93 70 88 04 a5 1f 36 83 0f | ok | SELECT_UID
115524 | 119044 | Tag |04 da 17 | |
168064 | 170528 | Rdr |95 20 | | ANTICOLL-2
171716 | 177604 | Tag |62 7d 59 84 c2 | |
222464 | 232928 | Rdr |95 70 62 7d 59 84 c2 ef f6 | ok | SELECT_UID-2
234180 | 237764 | Tag |00 fe 51 | |
289264 | 293968 | Rdr |30 0f f5 50 | ok | READBLOCK(15)
295236 | 316100 | Tag |05 97 05 a7 04 a5 1f 36 62 7d 59 84 c2 48 08 00 ff e0 | ok |
357488 | 362192 | Rdr |30 04 26 ee | ok | READBLOCK(4)
363444 | 384244 | Tag |06 0a 00 21 00 00 00 00 00 00 2f bf ae ef d6 2c 42 27 | ok |
434800 | 439504 | Rdr |30 08 4a 24 | ok | READBLOCK(8)
440756 | 461620 | Tag |a7 a2 83 07 ae 2f 67 37 ef d5 ae 2f d0 2f 2f 2f 7f 13 | ok |
507248 | 512016 | Rdr |30 06 34 cd | ok | READBLOCK(6)
513204 | 534068 | Tag |00 00 2f bf ae ef d6 2c a7 a2 83 07 ae 2f 67 37 df 1a | ok |
584688 | 589456 | Rdr |30 0a 58 07 | ok | READBLOCK(10)
590644 | 611444 | Tag |ef d5 ae 2f d0 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f dd c6 | ok |
661984 | 666688 | Rdr |30 0e 7c 41 | ok | READBLOCK(14)
667956 | 688756 | Tag |2f 2f 2f 00 05 97 05 a7 04 a5 1f 36 62 7d 59 84 cf 39 | ok |
[usb] pm3 -->
How exactly should I interpret this data? I know for a fact there’s a password on this card since when I try to do a dump on it, I’m told authentication failed for the first four blocks. Any pointers on parsing this?