UG4 and the PACK

Note: this applies to version 06A0 of the UG4*

The PACK (Password ACKnowledgement) is a 2-byte phrase the NTAG21X transponders send in response to a successful auth. Think of it as a poor man’s way of validating the transponder’s authenticity. Depending on the transponder, this is stored in the first two bytes of page 2C, 86, or E6.

Let’s take a look… Start by wiping and setting it to an NTAG 21X flavor of your choice–I went with a 213.

[usb] pm3 --> script run hf_mf_ultimatecard -w 1 -t 17
[#] Searching implicit relative paths
[#] Searching preferences paths
[#] Searching user .proxmark3 paths
[#] Searching current workdir paths
[+] executing lua /home/work/proxmark3/client/luascripts/hf_mf_ultimatecard.lua
[+] args '-w 1 -t 17'

Starting Ultralight Wipe
Wiping tag
.............................................................................

Setting: Ultimate Magic card to NTAG 213
Writing new UID             04E10CDA993C80
Writing new version         0004040201000F03
Writing new UID             04E10CDA993C80
Writing new NTAG PWD        FFFFFFFF
Writing new PACK            0000
Writing new MFUL signature  8B76052EE42F5567BEB53238B3E3F9950707C0DCC956B5C5EFCFDB709B2D82B3
Setting: Ultimate Magic card to NTAG 213
Writing new UID             04E10CDA993C80
Writing new version         0004040201000F03

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -c
[#] Searching implicit relative paths
[#] Searching preferences paths
[#] Searching user .proxmark3 paths
[#] Searching current workdir paths
[+] executing lua /home/work/proxmark3/client/luascripts/hf_mf_ultimatecard.lua
[+] args '-c'

=========================================================================
                    Ultimate Magic Card Configuration
=========================================================================
 - Raw Config        01010000000003000978009102DABC19101011121314151644000001FB1D
 - Card Protocol     MIFARE Ultralight/NTAG
 - Ultralight Mode   NTAG21x
 - ULM Backdoor Key  00000000
 - GTU Mode          Disabled, high speed R/W mode for Ultralight
 - Card Type         NTAG 213
 - UID               04E10CDA993C80
 - ATQA              00 44
 - SAK               00

=========================================================================
                    Magic UL/NTAG 21* Configuration
=========================================================================
 - ATS               Disabled
 - Password          [0xE5] FFFFFFFF    [0xF0] FFFFFFFF
 - Pack              [0xE6] 0000        [0xF1] 0000
 - Version           0004040201000F03
 - Signature         8B76052EE42F5567BEB53238B3E3F9950707C0DCC956B5C5EFCFDB709B2D82B3
 - Max R/W Block     FB

[+] finished hf_mf_ultimatecard


So, in theory, we’re interested in page 2B (password) and the first two bytes of 2C.

[usb] pm3 --> hf 14a raw -skc 1bffffffff # auth
[+] 00 00 [ A0 1E ] # Success -> PACK returned: 0000
[usb] pm3 --> hf 14a raw -skc a22b01020304 #change password to 01020304
[+] 0A # Successful write
[usb] pm3 --> hf 14a raw -skc 302b
[+] 01 02 03 04 00 00 00 00 00 00 00 00 00 00 00 00 [ F9 C2 ] # reading shows the updated value
[usb] pm3 --> hf 14a raw -skc 1b01020304
[+] 04 # auth fails with new password

As you can see, NTAGs are fucky on the UG4… Specific 21X version doesn’t really matter for the memory layout.

[usb] pm3 --> script run hf_mf_ultimatecard -c
[#] Searching implicit relative paths
[#] Searching preferences paths
[#] Searching user .proxmark3 paths
[#] Searching current workdir paths
[+] executing lua /home/work/proxmark3/client/luascripts/hf_mf_ultimatecard.lua
[+] args '-c'

=========================================================================
                    Ultimate Magic Card Configuration
=========================================================================
 - Raw Config        01010000000003000978009102DABC19101011121314151644000001FB1D
 - Card Protocol     MIFARE Ultralight/NTAG
 - Ultralight Mode   NTAG21x
 - ULM Backdoor Key  00000000
 - GTU Mode          Disabled, high speed R/W mode for Ultralight
 - Card Type         NTAG 213
 - UID               04E10CDA993C80
 - ATQA              00 44
 - SAK               00

=========================================================================
                    Magic UL/NTAG 21* Configuration
=========================================================================
 - ATS               Disabled
 - Password          [0xE5] FFFFFFFF    [0xF0] FFFFFFFF
 - Pack              [0xE6] 0000        [0xF1] 0000
 - Version           0004040201000F03
 - Signature         8B76052EE42F5567BEB53238B3E3F9950707C0DCC956B5C5EFCFDB709B2D82B3
 - Max R/W Block     FB

[+] finished hf_mf_ultimatecard

The lua script suggests it uses the NTAG216 pages for the password (E5) and PACK (E6). Second set of values is related to GTU/Shadow Mode (I believe).

[usb] pm3 --> hf 14a raw -skc a2e501020304 # Change password
[+] 0A 
[usb] pm3 --> hf 14a raw -skc 1b01020304 
[+] 00 00 [ A0 1E ] # Success.... It changed this time.

[usb] pm3 --> script run hf_mf_ultimatecard -c
[#] Searching implicit relative paths
[#] Searching preferences paths
[#] Searching user .proxmark3 paths
[#] Searching current workdir paths
[+] executing lua /home/work/proxmark3/client/luascripts/hf_mf_ultimatecard.lua
[+] args '-c'

=========================================================================
                    Ultimate Magic Card Configuration
=========================================================================
 - Raw Config        01010000000003000978009102DABC19101011121314151644000001FB1D
 - Card Protocol     MIFARE Ultralight/NTAG
 - Ultralight Mode   NTAG21x
 - ULM Backdoor Key  00000000
 - GTU Mode          Disabled, high speed R/W mode for Ultralight
 - Card Type         NTAG 213
 - UID               04E10CDA993C80
 - ATQA              00 44
 - SAK               00

=========================================================================
                    Magic UL/NTAG 21* Configuration
=========================================================================
 - ATS               Disabled
 - Password          [0xE5] 01020304    [0xF0] FFFFFFFF
 - Pack              [0xE6] 0000        [0xF1] 0000
 - Version           0004040201000F03
 - Signature         8B76052EE42F5567BEB53238B3E3F9950707C0DCC956B5C5EFCFDB709B2D82B3
 - Max R/W Block     FB

[+] finished hf_mf_ultimatecard

Alright. We can write to E5 to change the PW.

[usb] pm3 --> hf 14a raw -skc a2e6beef0000 # try changing the PACK with the block from the script
[+] 0A # Successfully written

[usb] pm3 --> script run hf_mf_ultimatecard -c
[#] Searching implicit relative paths
[#] Searching preferences paths
[#] Searching user .proxmark3 paths
[#] Searching current workdir paths
[+] executing lua /home/work/proxmark3/client/luascripts/hf_mf_ultimatecard.lua
[+] args '-c'

=========================================================================
                    Ultimate Magic Card Configuration
=========================================================================
 - Raw Config        01010000000003000978009102DABC19101011121314151644000001FB1D
 - Card Protocol     MIFARE Ultralight/NTAG
 - Ultralight Mode   NTAG21x
 - ULM Backdoor Key  00000000
 - GTU Mode          Disabled, high speed R/W mode for Ultralight
 - Card Type         NTAG 213
 - UID               04E10CDA993C80
 - ATQA              00 44
 - SAK               00

=========================================================================
                    Magic UL/NTAG 21* Configuration
=========================================================================
 - ATS               Disabled
 - Password          [0xE5] 01020304    [0xF0] FFFFFFFF
 - Pack              [0xE6] BEEF        [0xF1] 0000
 - Version           0004040201000F03
 - Signature         8B76052EE42F5567BEB53238B3E3F9950707C0DCC956B5C5EFCFDB709B2D82B3
 - Max R/W Block     FB

[+] finished hf_mf_ultimatecard

[usb] pm3 --> hf 14a raw -skc 1b01020304
[+] 00 00 [ A0 1E ] # Successful auth but the wrong PACK

Annoying. I would have given up here had I not seen this very UG4 return a PACK of FFFF initially. As in, from the default MFC 1k, I did a -t 19 (iirc) and then auth’d. It seems the PACK should be derived from user memory as the password is. So, I striped the user memory to FB with page numbers and auth’d again.

[usb] pm3 --> hf 14a raw -skc a213beef0000
[+] 0A 
[usb] pm3 --> hf 14a raw -skc 1b01020304
[+] BE EF [ 27 A1 ]
[usb] pm3 --> 

There you have it. Page 13 sets the PACK. Why? Fuck if I know. There’s a PR open (now merged) to update the lua script.

* How to find your UG4 version:

hf 14a raw -skc CF00000000CC

Where “00000000” is the backdoor password.

9 Likes
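As an added example (not code from the original post, the Proxmark3 client, or the UG4 lua script), a small Python helper that decodes the "hf 14a raw -skc" replies quoted above: it recomputes the bracketed ISO 14443-3 CRC_A, tells ACK/NAK/PACK apart, and checks a returned PACK against the value a reader expects, which is the "auth ok but wrong PACK" situation the post ran into. The NTAG213/215/216 password and PACK page numbers are the NXP datasheet values; the sample lines are the ones shown in the post.

```python
# Added example (not from the original post): decode the "hf 14a raw -skc"
# replies shown above and validate the 2-byte PACK the way a reader would.
import re

# Password / PACK pages of the real NTAG21x parts (NXP datasheets).
NTAG_PAGES = {"213": (0x2B, 0x2C), "215": (0x85, 0x86), "216": (0xE5, 0xE6)}

# Matches "[+] <hex bytes> [ <crc bytes> ] # optional comment".
_LINE = re.compile(
    r"\[\+\]\s*([0-9A-Fa-f ]+?)\s*(?:\[\s*([0-9A-Fa-f ]+?)\s*\])?\s*(#.*)?$")


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (init 0x6363), returned LSB first as sent on air."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def parse_raw_response(line: str) -> dict:
    """Classify one pm3 reply: 0A alone is an ACK, any other lone nibble is a
    NAK (04 = auth failure above); otherwise data plus the bracketed CRC_A."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a pm3 response line: " + line)
    data = bytes.fromhex(m.group(1).replace(" ", ""))
    if m.group(2) is None:
        return {"kind": "ack" if data == b"\x0a" else "nak", "data": data, "crc_ok": None}
    crc = bytes.fromhex(m.group(2).replace(" ", ""))
    kind = "pack" if len(data) == 2 else "data"
    return {"kind": kind, "data": data, "crc_ok": crc == crc_a(data)}


def check_auth(line: str, expected_pack: bytes) -> str:
    """Judge a PWD_AUTH reply: a valid PACK must match what the reader expects,
    so the 'auth ok but PACK 0000' case from the post is flagged, not accepted."""
    r = parse_raw_response(line)
    if r["kind"] == "nak":
        return "auth failed (NAK %s)" % r["data"].hex()
    if r["kind"] != "pack" or not r["crc_ok"]:
        return "malformed PACK response"
    if r["data"] != expected_pack:
        return "auth ok but PACK %s != expected %s" % (r["data"].hex(), expected_pack.hex())
    return "auth ok, PACK matches"
```

Feeding it the "[+] 00 00 [ A0 1E ]" line with an expected PACK of BEEF reproduces the post's failure, while "[+] BE EF [ 27 A1 ]" passes both the CRC and the PACK comparison.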

I love when you talk nerdy to us tac0s

8 Likes

Are you fucking kidding me? NTAG216 map for password and 210 for PACK? :face_with_spiral_eyes:

210 二 百 一 十
216 二 百 一 十 六

Was there a smudge on the docs? Did someone get interrupted while writing on a white board?

Actually, hmmm… The folks the wrote the Fuse Tool (at least from what I can tell) were based in Thailand… Maybe this is the issue:

210 ๒๑๐
216 ๒๑๖

Probably spec’d in Thailand, made in China. One silly character transcription error.

3 Likes