Research, development and trades concerning the powerful Proxmark3 device.
Anyone know what commands were added with the new Mifare Classic EV1 1K? I see mention of an originality check but can't find the documentation for that command. Is it the same as the Ultralight EV1? (Sorry, I don't have a full EV1 datasheet available.)
Did they make a Get_Version?
Thanks.
PS: Ultralight Read_Sig command is 0x3C00
Offline
The new commands look to be:
Personalize UID Usage 0x40
SET_MOD_TYPE 0x43
Last edited by iceman (2015-09-17 17:06:41)
Offline
Thx, there must be a Read_Sig command.
Offline
Possible identification would be to test the extra commands in my previous post.
MODEL          UID     ATQA        SAK
1k
MF1S500yXDyy   7byte   0x00 0x44   0x08
MF1S503yXDyy   4byte   0x00 0x04   0x08
4k
MF1S700yXDyy   7byte   0x00 0x42   0x18
MF1S703yXDyy   4byte   0x00 0x02   0x18
Last edited by iceman (2015-09-17 17:23:59)
Offline
In the datasheet I just read there were no hints towards a read_sig command. But if you have one of these new tags, the PM3 doesn't identify them correctly. Try sending some raw commands and try the 0x3000 command.
Last edited by iceman (2015-09-17 17:24:12)
Offline
The personalized UID usage was in the older Classic cards (used to adjust the 7-byte UID to 4-byte UID anticollision).
The set_mod_type looks new though (not sure if it was on the Mifare Plus cards or not...).
Offline
The DESFire EV1 cards have read_sign...
Offline
Nasty choice of commands on the part of Mifare since it's the same ones as for the Chinese magic backdoor...
Offline
You have to authenticate with sector 0 before they work...
What is the desfire read Sig cmd?
Offline
I have two tags that ack to the set_mod_type, one is brand new and claims to be ev1, the other is a bit over 1 year old and I did not expect it to be ev1... Maybe it is but I'd like to be sure and I think the only way is with the read Sig cmd, which according to promotional sheets on the mifare classic ev1 it should have one...
I confirmed old classic cards nack to that set_mod_type.
Last edited by marshmellow (2015-09-17 18:27:04)
Offline
I missed the auth before running it..
Offline
BTW, on a Mifare EV1 1k the signature is contained in sector 17 (block 45 and 46). The keys for that sector are not default and cannot be changed.
(1k should end at sector 15) makes me wonder if there is a sector 16, or others?...
Last edited by marshmellow (2015-10-17 03:53:06)
Offline
Which datasheet for Mifare 1k EV1 states the originality signature to be on a sector 16, 17?
https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
Offline
No public ones I find show it. So I sniffed the nxp app.
Offline
It is sector 17 only. The purpose of sector 16 is unclear. The Chameleon Mini code has it implemented, including the SIG_READ command (which is the same as RESTORE but without a parameter). According to this implementation, the SIG_READ does nothing except indicate that a signature is available in sector 17.
Offline
What did it smell like @marshmellow?
How much sniffing did you do?
Offline
The only mention in the official datasheet is a change note at p.33... Seems only to apply to 1K cards, not 4K cards.
But not in the link I gave before but in another one...
Offline
I have started working on the Originality Signature Checks. A first PR (not yet merged) on official repo implements it in 'hf mfu info' because I found more info on the Ultralight signature checks than for the Classic EV1.
Tested and works for NTAG213. The Ultralight EV1 is said to use another Public/Private Key pair. I have added a check for this type as well but I couldn't test it (no card of this type in my portfolio). If someone has access to an Ultralight EV1, can you please run 'hf mfu info' and look for
Originality signature check : signature is valid
Offline
Thx piwi for your work on the originality check,
I successfully tested your "originality_check" branch
- MF UL EV1 48B
- MF UL EV1 128B
- NTAG 213
TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)
--- Tag Originality Signature
Signature public key : 90 93 3b dc d6 e9 9b 4e 25 5e 3d a5 53 89 a8 27 56 4e 11 71 8e 01 72 92 fa f2 32 26 a9 66 14 b8
Originality signature check : signature is valid
TYPE : MIFARE Ultralight EV1 128bytes (MF0UL2101)
--- Tag Originality Signature
Signature public key : 90 93 3b dc d6 e9 9b 4e 25 5e 3d a5 53 89 a8 27 56 4e 11 71 8e 01 72 92 fa f2 32 26 a9 66 14 b8
Originality signature check : signature is valid
TYPE : NTAG 213 144bytes (NT2H1311G0DU)
--- Tag Originality Signature
Signature public key : 49 4e 1a 38 6d 3d 3c fe 3d c1 0e 5d e6 8a 49 9b 1c 20 2d b5 b1 32 39 3e 89 ed 19 fe 5b e8 bc 61
Originality signature check : signature is valid
Offline
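The following is an added example, not part of the thread and not Proxmark3 code: a small audit script that parses saved 'hf mfu info' output like the results posted above and lists every tag whose output does not show a passing originality check, or whose printed public key differs from the one this thread shows for that tag family. The function names, the failure wording "signature is not valid" and the record without a signature section are assumptions constructed for the example.

```python
import re

# Public keys exactly as printed in the thread's 'hf mfu info' output.
UL_EV1_KEY = "90 93 3b dc d6 e9 9b 4e 25 5e 3d a5 53 89 a8 27 56 4e 11 71 8e 01 72 92 fa f2 32 26 a9 66 14 b8"
NTAG_KEY = "49 4e 1a 38 6d 3d 3c fe 3d c1 0e 5d e6 8a 49 9b 1c 20 2d b5 b1 32 39 3e 89 ed 19 fe 5b e8 bc 61"

def record(tag_type, key, verdict):
    return (f"TYPE : {tag_type}\n--- Tag Originality Signature\n"
            f"Signature public key : {key}\n"
            f"Originality signature check : {verdict}\n")

# First three records reproduce the thread's output; the last two are constructed
# (the failure wording and the record with no signature section are assumptions).
SAMPLE = (
    record("MIFARE Ultralight EV1 48bytes (MF0UL1101)", UL_EV1_KEY, "signature is valid")
    + record("MIFARE Ultralight EV1 128bytes (MF0UL2101)", UL_EV1_KEY, "signature is valid")
    + record("NTAG 213 144bytes (NT2H1311G0DU)", NTAG_KEY, "signature is valid")
    + record("NTAG 213 144bytes (NT2H1311G0DU)", UL_EV1_KEY, "signature is not valid")
    + "TYPE : MIFARE Ultralight EV1 48bytes (MF0UL1101)\n"
)

FIELD = re.compile(r"^\s*(TYPE|Signature public key|Originality signature check)\s*:\s*(.+?)\s*$")

def parse_records(text):
    """Split saved output into one dict per tag, starting a new record at each TYPE line."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "TYPE":
            records.append({"type": value, "key": None, "check": None})
        elif records:
            records[-1]["key" if name.startswith("Signature") else "check"] = value
    return records

def audit(text):
    """Return (type, reason) for every tag whose output does not show a passing check."""
    findings = []
    for r in parse_records(text):
        family_key = NTAG_KEY if r["type"].startswith("NTAG") else UL_EV1_KEY
        if r["check"] is None:
            findings.append((r["type"], "no originality check in output"))
        elif r["check"] != "signature is valid":
            findings.append((r["type"], "check failed: " + r["check"]))
        elif r["key"] != family_key:
            findings.append((r["type"], "unexpected public key for this family"))
    return findings
```

Calling `audit(SAMPLE)` leaves the three records quoted from the thread unflagged and reports only the two constructed ones.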