RfidResearchGroup / ChameleonMini

The ChameleonMini is a versatile contactless smartcard emulator compliant with NFC. The ChameleonMini was first developed by KAOS. This is NOT the official repo for KAOS's ChameleonMini. For further information, see the Getting Started page:
http://chameleontiny.com/help/

Loading a mifare ultralight EV1 dump changes signature #27

Open Akisame-AI opened 4 years ago

Akisame-AI commented 4 years ago

I used my PM3 to dump a few mifare ultralight EV1 cards, but when I upload a dump to my Chameleon Tiny and check it with my PM3, I see that the signature has changed to a repeat of "CA".

This is the source dump:

```json
{
  "Created": "proxmark3",
  "FileType": "mfu",
  "Card": {
    "UID": "0486350A636780",
    "Version": "0004030101000B03",
    "TBO_0": "0000",
    "TBO_1": "00",
    "Signature": "51B2DB70C4DA8A338FAB1D4AEE6D678D13798E52A2EDEE6C62CB4DC1EA423E3B",
    "Counter0": "000000",
    "Tearing0": "BD",
    "Counter1": "000000",
    "Tearing1": "BD",
    "Counter2": "000000",
    "Tearing2": "BD"
  },
  "blocks": {
    "0": "0486353F",
    "1": "0A636780",
    "2": "8E48F000",
    "3": "00000000",
    "4": "D8FB7FEF",
    "5": "335E27C9",
    "6": "6F70A2A5",
    "7": "FAFEE48F",
    "8": "00000000",
    "9": "00000000",
    "10": "00000000",
    "11": "00000000",
    "12": "00000000",
    "13": "00000000",
    "14": "00000000",
    "15": "00000000",
    "16": "000000FF",
    "17": "40050000",
    "18": "FFFFFFFF",
    "19": "00000000"
  }
}
```

This is the dump I get from reading my Chameleon Tiny:

```json
{
  "Created": "proxmark3",
  "FileType": "mfu",
  "Card": {
    "UID": "0486350A636780",
    "Version": "0004030101000B03",
    "TBO_0": "0000",
    "TBO_1": "00",
    "Signature": "CACACACACACACACACACACACACACACACACACACACACACACACACACACACACACACACA",
    "Counter0": "000000",
    "Tearing0": "BD",
    "Counter1": "000000",
    "Tearing1": "BD",
    "Counter2": "000000",
    "Tearing2": "BD"
  },
  "blocks": {
    "0": "0486353F",
    "1": "0A636780",
    "2": "8E48F000",
    "3": "00000000",
    "4": "D8FB7FEF",
    "5": "335E27C9",
    "6": "6F70A2A5",
    "7": "FAFEE48F",
    "8": "00000000",
    "9": "00000000",
    "10": "00000000",
    "11": "00000000",
    "12": "00000000",
    "13": "00000000",
    "14": "00000000",
    "15": "00000000",
    "16": "000000FF",
    "17": "40050000",
    "18": "FFFFFFFF",
    "19": "00000000"
  }
}
```

It does the same thing for the other ultralight EV1 cards as well.

I am using Iceman's GUI version 1.3.0.3 to upload the dump, and I am using the latest pre-compiled firmware (2020-02-03). (I haven't had time to get all the MCUs installed, and the pre-compiled one has worked so far.)

Akisame-AI commented 4 years ago

I have discovered where the issue happens. In MifareUltralight.c I found that the signature is hard-coded to be 0xCA repeated for the signature length (just like the Tearing being hard-coded to 0xBD). Hard-coding the correct signature and re-flashing works, but is not desirable.

```c
case CMD_READ_SIG:
    /* Hardcoded response: the 32-byte signature is filled with 0xCA
     * instead of being taken from the loaded dump */
    memset(Buffer, 0xCA, SIGNATURE_LENGTH);
    ISO14443AAppendCRCA(Buffer, SIGNATURE_LENGTH);
    return (SIGNATURE_LENGTH + ISO14443A_CRCA_SIZE) * 8;
```
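The mismatch reported in both comments above is easy to miss by eye in a long JSON dump. The following script is an added example, not code from this repository or from the issue author: it parses two proxmark3 "mfu" JSON dumps, reports which `Card` fields and which data blocks differ between the original card and the emulator read-back, and flags a signature that consists of a single repeated byte (the 0xCA placeholder the firmware returns). The embedded dumps are constructed from the values in the report, shortened to a few blocks; the function names are this example's own.

```python
"""Diff two proxmark3 'mfu' JSON dumps and flag a placeholder signature."""
import json

# Constructed sample dumps (values taken from the issue report, blocks truncated).
SOURCE_DUMP = json.dumps({
    "Created": "proxmark3", "FileType": "mfu",
    "Card": {
        "UID": "0486350A636780", "Version": "0004030101000B03",
        "TBO_0": "0000", "TBO_1": "00",
        "Signature": "51B2DB70C4DA8A338FAB1D4AEE6D678D13798E52A2EDEE6C62CB4DC1EA423E3B",
        "Counter0": "000000", "Tearing0": "BD",
        "Counter1": "000000", "Tearing1": "BD",
        "Counter2": "000000", "Tearing2": "BD",
    },
    "blocks": {"0": "0486353F", "1": "0A636780", "2": "8E48F000", "3": "00000000"},
})

# Same card as read back from the emulator: only the signature differs.
READBACK_DUMP = json.dumps({
    "Created": "proxmark3", "FileType": "mfu",
    "Card": {
        "UID": "0486350A636780", "Version": "0004030101000B03",
        "TBO_0": "0000", "TBO_1": "00",
        "Signature": "CA" * 32,
        "Counter0": "000000", "Tearing0": "BD",
        "Counter1": "000000", "Tearing1": "BD",
        "Counter2": "000000", "Tearing2": "BD",
    },
    "blocks": {"0": "0486353F", "1": "0A636780", "2": "8E48F000", "3": "00000000"},
})


def load_dump(text):
    """Parse a proxmark3 JSON dump and check it is an 'mfu' (Ultralight) file."""
    dump = json.loads(text)
    if dump.get("FileType") != "mfu":
        raise ValueError("not an mfu dump: %r" % dump.get("FileType"))
    return dump


def is_repeated_byte(hexstr):
    """True if the hex string is one byte value repeated (e.g. 'CACA...CA')."""
    if len(hexstr) < 2 or len(hexstr) % 2:
        return False
    first = hexstr[:2].upper()
    return all(hexstr[i:i + 2].upper() == first for i in range(0, len(hexstr), 2))


def compare_dumps(source, readback):
    """Return the Card fields and block numbers whose values differ."""
    src_card, rb_card = source["Card"], readback["Card"]
    fields = [k for k in src_card if rb_card.get(k) != src_card[k]]
    src_blocks, rb_blocks = source["blocks"], readback["blocks"]
    blocks = [b for b in src_blocks if rb_blocks.get(b) != src_blocks[b]]
    return {"card_fields": fields, "blocks": blocks}


def signature_looks_like_placeholder(dump):
    """Flag a signature that is a constant fill rather than card-specific data."""
    return is_repeated_byte(dump["Card"].get("Signature", ""))


if __name__ == "__main__":
    src = load_dump(SOURCE_DUMP)
    rb = load_dump(READBACK_DUMP)
    diff = compare_dumps(src, rb)
    print("differing Card fields:", diff["card_fields"])
    print("differing blocks:", diff["blocks"])
    if signature_looks_like_placeholder(rb):
        print("read-back signature is a constant fill (emulator placeholder)")
```

Run against the two full dumps from the report, the script lists `Signature` as the only differing field and no differing blocks, which matches the author's finding that only the `CMD_READ_SIG` response is hard-coded.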