2023-06-30
Trying to recycle mifare ultralight cards as NDEF tags.. and failing
While working with the other NFC tags I had a crazy idea: what if I can 'recycle' used one-time public transport tickets as NDEF tags? The one-time public transport tickets are mifare ultralight tags, just like the touchatag tag. For example, when I look at a card for the Amsterdam city public transport GVB:

    [usb|script] pm3 --> hf mfu info
    [=] --- Tag Information --------------------------
    [=] -------------------------------------------------------------
    [+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
    [+] UID: 04 94 02 7A 24 49 84
    [+] UID[0]: 04, NXP Semiconductors Germany
    [+] BCC0: 1A ( ok )
    [+] BCC1: 93 ( ok )
    [+] Internal: 48 ( default )
    [+] Lock: 00 F0 - 0000000011110000
    [+] OneTimePad: C9 31 FF FF - 11001001001100011111111111111111
    [=] --- Tag Counters
    [=] [0]: 00 00 00
    [+] - BD tearing ( ok )
    [=] [1]: 00 00 00
    [+] - BD tearing ( ok )
    [=] [2]: 00 00 00
    [+] - BD tearing ( ok )
    [=] --- Tag Signature
    [=] IC signature public key name: NXP Ultralight Ev1
    [=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E0 17292FAF23226A96614B8
    [=] Elliptic curve parameters: NID_secp128r1
    [=] TAG IC Signature: 75524714847D8750F50A3AF60609E9DAB8D2CF708FC18 203FCD120E9BAFDE92B
    [+] Signature verification ( successful )
    [=] --- Tag Silicon Information
    [=] Wafer Counter: 17376399 ( 0x109248F )
    [=] Wafer Coordinates: x 148, y 258 (0x94, 0x102)
    [=] Test Site: 2
    [=] --- Tag Version
    [=] Raw bytes: 00 04 03 01 01 00 0B 03
    [=] Vendor ID: 04, NXP Semiconductors Germany
    [=] Product type: Ultralight
    [=] Product subtype: 01, 17 pF
    [=] Major version: 01
    [=] Minor version: 00
    [=] Size: 0B, (64 <-> 32 bytes)
    [=] Protocol type: 03, ISO14443-3 Compliant
    [=] --- Tag Configuration
    [=] cfg0 [16/0x10]: 00 00 00 FF
    [=] - strong modulation mode disabled
    [=] - pages don't need authentication
    [=] cfg1 [17/0x11]: 00 05 00 00
    [=] - Unlimited password attempts
    [=] - NFC counter disabled
    [=] - NFC counter not protected
    [=] - user configuration writeable
    [=] - write access is protected with password
    [=] - 05, Virtual Card Type Identifier is default
    [=] PWD [18/0x12]: 00 00 00 00 - (cannot be read)
    [=] PACK [19/0x13]: 00 00 - (cannot be read)
    [=] RFU [19/0x13]: 00 00 - (cannot be read)
    [+] --- Known EV1/NTAG passwords
    [+] Found default password FF FF FF FF pack 00 00
    [=] ------------------------ Fingerprint -----------------------
    [=] Reading tag memory...
    [=] ------------------------------------------------------------

    [usb|script] pm3 --> hf mfu dump
    [+] TYPE: MIFARE Ultralight EV1 48bytes (MF0UL1101)
    [+] Reading tag memory...
    [!] Authentication Failed UL-EV1/NTAG
    [=] MFU dump file information
    [=] -------------------------------------------------------------
    [=] Version..... 00 04 03 01 01 00 0B 03
    [=] TBD 0....... 00 00
    [=] TBD 1....... 00
    [=] Signature... 75 52 47 14 84 7D 87 50 F5 0A 3A F6 06 09 E9 DA
    [=] B8 D2 CF 70 8F C1 82 03 FC D1 20 E9 BA FD E9 2B
    [=] Counter 0... 00 00 00
    [=] Tearing 0... BD
    [=] Counter 1... 00 00 00
    [=] Tearing 1... BD
    [=] Counter 2... 00 00 00
    [=] Tearing 2... BD
    [=] Max data page... 18 ( 76 bytes )
    [=] Header size..... 56 bytes
    [=] -------------------------------------------------------------
    [=] block#   | data        |lck| ascii
    [=] ---------+-------------+---+------
    [=]   0/0x00 | 04 94 02 1A |   | ....
    [=]   1/0x01 | 7A 24 49 84 |   | z$I.
    [=]   2/0x02 | 93 48 00 F0 |   | .H..
    [=]   3/0x03 | C9 31 FF FF | 0 | .1..
    [=]   4/0x04 | C0 00 30 02 | 0 | ..0.
    [=]   5/0x05 | 4D B3 AF E0 | 0 | M...
    [=]   6/0x06 | 4A A3 99 E6 | 0 | J...
    [=]   7/0x07 | B5 AC 0A E6 | 0 | ....
    [=]   8/0x08 | C8 00 20 02 | 0 | .. .
    [=]   9/0x09 | 2D B3 AF 10 | 0 | -...
    [=]  10/0x0A | 82 47 35 59 | 0 | .G5Y
    [=]  11/0x0B | 38 A0 86 6C | 0 | 8..l
    [=]  12/0x0C | 90 EA 3C 8A | 1 | ..<.
    [=]  13/0x0D | B5 CF 8C DF | 1 | ....
    [=]  14/0x0E | AC A4 BE 2A | 1 | ...*
    [=]  15/0x0F | 70 31 CD E5 | 1 | p1..
    [=]  16/0x10 | 00 00 00 FF | 0 | ....
    [=]  17/0x11 | 00 05 00 00 | 0 | ....
    [=]  18/0x12 | 00 00 00 00 | 0 | ....
    [=]  19/0x13 | 00 00 00 00 | 0 | ....
    [=] ---------------------------------
    [=] Using UID as filename
    [+] saved 136 bytes to binary file /home/koos/hf-mfu-0494027A244984-dump-001.bin
    [+] saved 34 blocks to text file /home/koos/hf-mfu-0494027A244984-dump-001.eml
    [+] saved to json file /home/koos/hf-mfu-0494027A244984-dump-001.json

As visible in the dump above, only blocks 12, 13, 14 and 15 are locked, so I hoped to be able to put a small message in blocks 4 - 11. I tried to write an NDEF structure to the card. I wrote the right NDEF message to a mifare classic 1K and tried to copy the NDEF structure byte by byte to the ultralight card. But I couldn't make it work.

Just like with the touchatag, it was time to dive into the documentation for the NDEF format. I found out via Defining a NDEF Message - Stack Overflow that an NDEF message on a type 2 card has to start in block 3, and I can't write an arbitrary value to block 3 as this is a block with one-time programmable (OTP) bits. These bits can only be flipped from 0 to 1 and not from 1 to 0. The touchatag has this in block 3:

    [=] 3/0x03 | E1 10 06 00 | 1 | ....

And the E1 is the magic number for an NDEF message. On the public transport card the first byte of block 3 is C9, or '1100 1001' in bits, and I would want to change this to E1, '1110 0001' in bits, where the problem occurs at '1110 0001' needing a bitflip from 1 to 0.

I tried starting the NDEF message in block 4 but that doesn't work, which matches the above documentation. So the current conclusion is that I can't recycle the public transport tickets as NDEF message tags.
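
The OTP and lock-bit reasoning above can be checked mechanically. The following is an added example, not code from the original post: it takes block 2 and block 3 of the GVB ticket and block 3 of the touchatag as printed above, decodes the lock bytes into locked pages, and shows which bits stop `E1 10 06 00` from being written. It assumes the MIFARE Ultralight behaviour that a write to the OTP page is OR-ed into the existing content; all function and constant names are hypothetical.

```python
# Added example: OTP and lock-bit arithmetic for a MIFARE Ultralight dump.
# Byte values come from the dumps in the post; all names here are hypothetical.

GVB_PAGE2 = bytes.fromhex("934800F0")     # block 2: BCC1, internal, lock0, lock1
GVB_OTP = bytes.fromhex("C931FFFF")       # block 3 of the GVB ticket
TOUCHATAG_CC = bytes.fromhex("E1100600")  # block 3 of the touchatag


def otp_write_result(current, wanted):
    """A write to the OTP page is OR-ed into it: bits only go from 0 to 1."""
    return bytes(c | w for c, w in zip(current, wanted))


def blocking_bits(current, wanted):
    """Per byte, the bits that are 1 on the tag but 0 in the wanted value."""
    return bytes(c & ~w & 0xFF for c, w in zip(current, wanted))


def can_reach(current, wanted):
    """True when the wanted value needs no 1 -> 0 flip anywhere."""
    return not any(blocking_bits(current, wanted))


def locked_pages(lock0, lock1):
    """Pages made read-only by the two lock bytes stored in page 2.

    lock0 bit 3 locks page 3 (OTP) and bits 4-7 lock pages 4-7;
    lock1 bits 0-7 lock pages 8-15. lock0 bits 0-2 are block-locking
    bits that freeze the lock bits themselves, so they are skipped.
    """
    bits = (lock1 << 8) | lock0
    return [page for page in range(3, 16) if bits & (1 << page)]


def describe(current, wanted):
    """One line per byte: current, wanted, and the bits that block the write."""
    rows = []
    for i, (c, w, b) in enumerate(zip(current, wanted, blocking_bits(current, wanted))):
        rows.append(f"byte {i}: have {c:08b} want {w:08b} blocked {b:08b}")
    return rows


if __name__ == "__main__":
    print("locked pages:", locked_pages(GVB_PAGE2[2], GVB_PAGE2[3]))
    print("E1 10 06 00 reachable:", can_reach(GVB_OTP, TOUCHATAG_CC))
    print("page 3 after the write:", otp_write_result(GVB_OTP, TOUCHATAG_CC).hex(" "))
    print("\n".join(describe(GVB_OTP, TOUCHATAG_CC)))
```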