Going through the stack of old RFID cards with the proxmark3: touchatag tags / 2023-06-15

(Image: Touchatag RFID tags in bag)

I've been interested in RFID and RFID security for years; the first post on my website is from 2010: I found out this week that the RFID card my employer uses to hand out coffee is also a Mifare Classic card. Since then I have collected all kinds of contactless cards with the idea of looking into their security, mostly from our winter sports holidays, since ski passes use RFID to make reading them on the slopes easy.

Now the time has come to check my collection with the proxmark3. The simple approach is to scan for tags with lf search or hf search.

Touchatag tags

In 2010 these were a great idea for putting tags on products. They are Mifare Ultralight MF0ICU1 tags:

[usb] pm3 --> hf mfu info 

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight (MF0ICU1)  
[+]        UID: 04 C8 54 19 3E 25 80 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 10 ( ok )
[+]       BCC1: 82 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: FF 7F  - 1111111101111111
[+] OneTimePad: E1 10 06 00  - 11100001000100000000011000000000

Their main purpose is to carry an NDEF message with a unique URL embedded.

[=] --- NDEF Message
[+] Capability Container: E1 10 06 00 
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   06: Physical Memory Size: 48 bytes
[+]   06: NDEF Memory Size: 48 bytes
[+]   00: Additional feature information
[+]   00000000
[+]   xxx..... - 00: RFU ( ok )
[+]   ...x.... - 00: don't support special frame
[+]   ....x... - 00: don't support lock block
[+]   .....xx. - 00: RFU ( ok )
[+]   .......x - 00: IC don't support multiple block reads
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

[usb] pm3 --> hf mfu ndefread 

[=] --- NDEF Message
[+] Capability Container: E1 10 06 00 
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   06: Physical Memory Size: 48 bytes
[+]   06: NDEF Memory Size: 48 bytes
[+]   00: Additional feature information
[+]   00000000
[+]   xxx..... - 00: RFU ( ok )
[+]   ...x.... - 00: don't support special frame
[+]   ....x... - 00: don't support lock block
[+]   .....xx. - 00: RFU ( ok )
[+]   .......x - 00: IC don't support multiple block reads
[=] Tag reported size vs NDEF reported size mismatch. Using smallest value

[=] --- NDEF parsing ----------------

[+] --- NDEF Message ---
[+] Found NDEF message ( 29 bytes )

[+] Record 1
[=] -----------------------------------------------------
[=] 
[=] Payload info
[=] 
[=] URL
[=]     uri... http://www.ttag.be/m/04C854193E2580
[=] 
[usb] pm3 --> hf mfu dump
[+] TYPE: MIFARE Ultralight (MF0ICU1)  
[+] Reading tag memory...

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00 
[=] TBD 0....... 00 00 
[=] TBD 1....... 00 
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Counter 0... 00 00 00 
[=] Tearing 0... 00 
[=] Counter 1... 00 00 00 
[=] Tearing 1... 00 
[=] Counter 2... 00 00 00 
[=] Tearing 2... 00 
[=] Max data page... 14 ( 60 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 C8 54 10 |   | ..T.
[=]   1/0x01 | 19 3E 25 80 |   | .>%.
[=]   2/0x02 | 82 48 FF 7F |   | .H..
[=]   3/0x03 | E1 10 06 00 | 1 | ....
[=]   4/0x04 | 03 1D D1 01 | 1 | ....
[=]   5/0x05 | 19 55 01 74 | 1 | .U.t
[=]   6/0x06 | 74 61 67 2E | 1 | tag.
[=]   7/0x07 | 62 65 2F 6D | 1 | be/m
[=]   8/0x08 | 2F 30 34 43 | 1 | /04C
[=]   9/0x09 | 38 35 34 31 | 1 | 8541
[=]  10/0x0A | 39 33 45 32 | 1 | 93E2
[=]  11/0x0B | 35 38 30 91 | 1 | 580.
[=]  12/0x0C | D1 A8 23 21 | 1 | ..#!
[=]  13/0x0D | 57 CB 9F EC | 1 | W...
[=]  14/0x0E | AC DC 20 10 | 1 | .. .
[=]  15/0x0F | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
[+] saved 120 bytes to binary file /home/koos/hf-mfu-04C854193E2580-dump-001.bin
[+] saved 30 blocks to text file /home/koos/hf-mfu-04C854193E2580-dump-001.eml
[+] saved to json file /home/koos/hf-mfu-04C854193E2580-dump-001.json

To fit the URL in 29 bytes the NDEF URI record uses some interesting compression: the first payload byte is a URI prefix code, 01 meaning http://www., and the rest of the payload, ttag.be/m/04C854193E2580, is appended to that prefix.
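To see that compression in code, here is an added example of mine (not code from this post or from the proxmark3 project) that decodes the bytes from the dump above the same way 'nfc decode' does; the prefix table is the start of the NFC Forum URI record abbreviation table, and the record header checks assume a single short record as on this tag.

```python
# Added example, not code from the post or the proxmark3 project: decode the
# NDEF TLV and URI record from the tag's user memory the way 'nfc decode' does.

# First entries of the NFC Forum URI record abbreviation table; the first
# payload byte selects a prefix that is prepended to the rest of the payload.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# Pages 4..11 of the dump above, i.e. the hex given to 'nfc decode' in the post.
TAG_USER_MEMORY = bytes.fromhex(
    "031dd101195501747461672e62652f6d2f3034433835343139334532353830"
)


def ndef_message(data: bytes) -> bytes:
    """Unwrap the Type 2 tag NDEF message TLV (tag 0x03, one-byte length)."""
    if data[0] != 0x03:
        raise ValueError("expected NDEF message TLV (0x03)")
    msg_len = data[1]                      # 0x1D = 29 bytes on this tag
    msg = data[2:2 + msg_len]
    if len(msg) != msg_len:
        raise ValueError("truncated NDEF message")
    return msg


def parse_uri_record(msg: bytes) -> str:
    """Decode a single short NDEF record of well-known type 'U' (URI)."""
    header = msg[0]                        # 0xD1: MB, ME, SR set, TNF = 1
    if header & 0x07 != 0x01 or not header & 0x10:
        raise ValueError("only short well-known records are handled")
    type_len, payload_len = msg[1], msg[2] # 0x01 and 0x19 (25 bytes)
    if msg[3:3 + type_len] != b"U":
        raise ValueError("not a URI record")
    payload = msg[3 + type_len:3 + type_len + payload_len]
    prefix = URI_PREFIXES.get(payload[0])  # 0x01 -> "http://www."
    if prefix is None:
        raise ValueError("unsupported URI prefix code")
    return prefix + payload[1:].decode("utf-8")


def parse_ndef_uri(data: bytes) -> str:
    return parse_uri_record(ndef_message(data))
```

Flipping the prefix byte at offset 6 from 01 to 02 is exactly the http://www. to https://www. change tried further down, and the parser shows that one byte is all that differs.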

I can test the NDEF decoding process with the 'nfc decode' command in proxmark3:
[usb] pm3 --> nfc decode -d 031dd101195501747461672e62652f6d2f3034433835343139334532353830

[=] --- NDEF parsing ----------------

[+] --- NDEF Message ---
[+] Found NDEF message ( 29 bytes )

[+] Record 1
[=] -----------------------------------------------------
[=] 
[=] Payload info
[=] 
[=] URL
[=]     uri... http://www.ttag.be/m/04C854193E2580
[=] 
It would be nice to be able to change this, since the domain ttag.be now points somewhere else, as I found out last year when making a CTF challenge with an NFC tag.

But it turns out I can't write these tags. I tried changing the 01 in block 5 to a 02, which would change the URL prefix from http://www. to https://www., a simple change within the NDEF format.

[usb] pm3 --> hf mfu wrbl -b 5 -d 19550274
[=] Block: 5 (0x05) [ 19 55 02 74 ]
[#] Cmd Send Error: 00 1
[#] Write block error
[+] isOk:00

Reading the MF0ICU1 datasheet explains it: the block 2 data 82 48 FF 7F contains the lock bits for the blocks, and with these values blocks 3-14 are locked against writing. I can't reset those lock bits, but I can still write to block 15.

[usb] pm3 --> hf mfu rdbl -b 15

[=] Block#  | Data        | Ascii
[=] -----------------------------
[=] 15/0x0F | 00 00 00 00 | ....

[usb] pm3 --> hf mfu wrbl -b 15 -d FFFFFFFF
[=] Block: 15 (0x0F) [ FF FF FF FF ]
[+] isOk:01
[usb] pm3 --> hf mfu rdbl -b 15

[=] Block#  | Data        | Ascii
[=] -----------------------------
[=] 15/0x0F | FF FF FF FF | ....

So it's purely the lock bits that make the URL on the tag immutable.

I already knew that I couldn't change the data on the tag, but now I understand why.
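To make the lock bytes concrete, here is an added example of mine (not code from this post or the proxmark3 project) that decodes page 2 of the dump according to the MF0ICU1 static lock byte layout and predicts the two write results above. The lock bits are one-time programmable: a write to page 2 can only set bits, never clear them, which is why they can't be reset; the model below only ORs bits in and does not go further into the block-locking freeze behaviour.

```python
# Added example, not code from the post or the proxmark3 project: decode the
# MF0ICU1 static lock bytes in page 2 and predict which pages a write reaches.

# Page 2 of the dump above: BCC1, internal byte, lock byte 0, lock byte 1.
PAGE2 = bytes.fromhex("8248FF7F")

# Lock byte 0: bits 0..2 are block-locking bits (they freeze groups of lock
# bits), bit 3 locks page 3 (the OTP page), bits 4..7 lock pages 4..7.
# Lock byte 1: bits 0..7 lock pages 8..15.
BLOCK_LOCK_NAMES = {0: "BL-OTP", 1: "BL 4-9", 2: "BL 10-15"}


def locked_pages(page2: bytes) -> set:
    """Return the user pages whose static lock bit is set."""
    lock0, lock1 = page2[2], page2[3]
    locked = {3} if lock0 & 0x08 else set()
    locked |= {bit for bit in range(4, 8) if lock0 & (1 << bit)}
    locked |= {8 + bit for bit in range(8) if lock1 & (1 << bit)}
    return locked


def frozen_lock_groups(page2: bytes) -> list:
    """Block-locking bits that are set; their lock bits can no longer change."""
    lock0 = page2[2]
    return [name for bit, name in BLOCK_LOCK_NAMES.items() if lock0 & (1 << bit)]


def write_lock_bytes(current: bytes, requested: bytes) -> bytes:
    """Model a write to page 2: bytes 0..1 are read-only and the lock bits are
    one-time programmable, so the tag ORs the new bits in and a bit that is
    already set stays set (block-locking freezes are not modelled)."""
    return current[:2] + bytes(c | r for c, r in zip(current[2:], requested[2:]))


def can_write(page: int, page2: bytes) -> bool:
    """Pages 0..1 are read-only and page 2 only accepts lock-bit writes
    (see write_lock_bytes); any other page is writable unless locked."""
    return page >= 3 and page not in locked_pages(page2)
```

With FF 7F every block-locking bit is set as well, so even the lock bits for the one unlocked page, 15, are frozen in their current state.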

Reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.