Ultralight C cloning

Support
1

I am trying to clone my hotel keycard to a UG4 (first to a test card, then once that works to my UG4).

I know there are password protected pages; I was hopeful they might not use them.

{
“Created”: “proxmark3”,
“FileType”: “mfu”,
“Card”: {
“UID”: “049AA0AA077C80”,
“Version”: “0000000000000000”,
“TBO_0”: “0000”,
“TBO_1”: “00”,
“Signature”: “0000000000000000000000000000000000000000000000000000000000000000”,
“Counter0”: “000000”,
“Tearing0”: “00”,
“Counter1”: “000000”,
“Tearing1”: “00”,
“Counter2”: “000000”,
“Tearing2”: “00”
},
“blocks”: {
“0”: “049AA0B6”,
“1”: “AA077C80”,
“2”: “51480000”,
“3”: “00000000”,
“4”: “00000000”,
“5”: “00000000”,
“6”: “00000000”,
“7”: “00000000”,
“8”: “00000000”,
“9”: “00000000”
}
}

I have cloned the above, and verified it wrote properly to my UG4 test card.

Looking at this similar MiFare Ultralight C cloning - #6 by ddt it seems some passwords are already out in the wild.
And from watching Going live soon - #2 by Iceman it seems I could use some of the side channel attacks, but it looks like it would take a significant amount of time, and I’m still learning the ropes with my proxmark3.

Any chance someone has the password for a full dump already, or is there a better way I am missing?

2 Likes
2

You should be able to get the passwords using the reader and the card. There is a command on the pm3 which sniffs the traffic between the two. I can’t recall it off the top of my head and don’t have access to mine at the moment. Alternatively, if you have a F0, you can do the same with the unlock option. I use the later.

2 Likes
3

I think the only option readily available for UL-C is a brute force attack, which both the flipper and PM3 support

I don’t think you can sniff keys for it

@equipter has some kind of ancient tome that lets him generate the keys at least in some cases, and he may be able to help you more

In the meantime you may try:
hf mfu cchk -f mfulc_default_keys.dic

BUT:

Even if you find the key, it sounds like it may not work for you :classic_annoy:

3 Likes
4

I will do more experimenting in the morning, I could not get the sniffing to work, but I think that was a me issue. I could not get the flipper to detect a valid password either, but I will retry after updating it.

I have not done anything with ultralight-c until now, so I am not super clear on how it functions. It does seem like one of the tougher nuts to crack.

2 Likes