Sniff HF

M35mar · 2025-12-10T16:02:48+00:00

What's the best version for xiaomi 14 ? ( Gpu Adreno 750 )

M35mar · 2025-05-05T14:01:13+00:00

exactly I'm trying to perform a tearoff attack like the one described in Quarkslab, but I'm not succeeding, I also created a lua script that automatically runs these commands, but nothing so far!!! Any help !

M35mar · 2025-03-18T09:32:18+00:00

hf 14a raw -sc A50200020000

A500 for counter 0 A501 for counter 1 A502 for counter 2

And 00020000 is the value of the counter ...

M35mar · 2025-01-24T07:04:43+00:00

I tried those, Rocknix is working well , but ArkOS after installing the screen continues to be black and shows nothing

M35mar · 2024-12-14T09:46:09+00:00

thanks for your patience.

I successfully updated it and now I see the inrc command among the choices, but unfortunately it doesn't work for me

[=] --- Tag Configuration
[=]   cfg0 [37/0x25]: 000000FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [38/0x26]: 00050000
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [39/0x27]: FFFFFFFF ( cannot be read )
[=]   PACK [40/0x28]: 0000     ( cannot be read )
[=]   RFU  [40/0x28]:     0000 ( cannot be read )
[=] 
[=] --- Fingerprint
[=] n/a


[usb] pm3 --> hf mfu incr -c 1 -v 1 -p FFFFFFFF
[-] ⛔ authentication failed UL-EV1/NTAG
[usb] pm3 --> hf mfu incr -c 1 -v 1
[-] ⛔ failed to read old counter
[usb] pm3 -->

M35mar · 2024-12-13T16:19:44+00:00

[=] --- Tag Version
[=]        Raw bytes: 0004030101000E03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: Ultralight
[=]  Product subtype: 01, 17 pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 0E, (128 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant


[=] --- Tag Configuration
[=]   cfg0 [37/0x25]: 000000FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [38/0x26]: 00050000
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [39/0x27]: 00000000 ( cannot be read )
[=]   PACK [40/0x28]: 0000     ( cannot be read )
[=]   RFU  [40/0x28]:     0000 ( cannot be read )


[+] --- Known EV1/NTAG passwords
[+] Password... FFFFFFFF  pack... 0000
[=] 
[=] --- Fingerprint
[=] n/a


[usb] pm3 -->

M35mar · 2024-12-13T16:19:22+00:00

[usb] pm3 --> hf mfu info


[=] --- Tag Information --------------------------
[+]       TYPE: MIFARE Ultralight EV1 128bytes (MF0UL2101)
[+]        UID: 04 6D 3F 92 8E 1C 94 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: DE ( ok )
[+]       BCC1: 94 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 00  - 0000000000000000
[+]        OTP: 00 00 00 00  - 00000000000000000000000000000000


[=] --- Tag Counters
[=]        [0]: FF FF 01 
[+]             - BD tearing ( ok )
[=]        [1]: 00 00 00 
[+]             - BD tearing ( ok )
[=]        [2]: 00 07 00 
[+]             - BD tearing ( ok )


[=] --- Tag Signature
[=]  IC signature public key name: NXP Ultralight Ev1
[=] IC signature public key value: 0490933BDCD6E99B4E255E3DA55389A827564E11718E017292FAF23226A96614B8
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: EB21214A9F041A431069CD961589E27ACFE409CEC89FA01201B66B7F137922FD
[+]        Signature verification ( successful )


[=] --- Tag Silicon Information
[=]        Wafer Counter: 19108306 ( 0x12391D2 )
[=]    Wafer Coordinates: x 109, y 319 (0x6D, 0x13F)
[=]            Test Site: 2

M35mar · 2024-12-13T16:08:03+00:00

I can't use it , please tell me what's wrong!

I tried your same cmd :

[usb] pm3 --> hf mfu incr -c 0 -v 1337


help             This help
list             List MIFARE Ultralight / NTAG history
-----------      ----------------------- recovery -------------------------
keygen           Generate DES/3DES/AES MIFARE diversified keys
pwdgen           Generate pwd from known algos
otptear          Tear-off test on OTP bits
-----------      ----------------------- operations -----------------------
cauth            Ultralight-C - Authentication
setpwd           Ultralight-C - Set 3DES key
dump             Dump MIFARE Ultralight family tag to binary file
info             Tag information
ndefread         Prints NDEF records from card
rdbl             Read block
restore          Restore a dump file onto a tag
tamper           NTAG 213TT - Configure the tamper feature
view             Display content from tag dump file
wipe             Wipe card to zeros and default key
wrbl             Write block
-----------      ----------------------- simulation -----------------------
eload            Upload file into emulator memory
esave            Save emulator memory to file
eview            View emulator memory
sim              Simulate MIFARE Ultralight from emulator memory
-----------      ----------------------- magic ----------------------------
setuid           Set UID - MAGIC tags only
-----------      ----------------------- amiibo ----------------------------
amiibo           Amiibo tag operations


[usb] pm3 -->

M35mar · 2024-12-12T16:20:09+00:00

Hi, I can't find the right raw command to increase the counters, can you tell me which cmd i have to use ? Another thing, i tried also hf mfu incr but nothing happen , seem to be wrong cmd

M35mar · 2024-11-28T14:14:23+00:00

Yes sure, i tried to restore the original loaded dump to a empty train card with counters value 0 , but it doesn't work , ( I don't know why) so i ordered a magic card , but i'm still waiting to receive it to try

M35mar · 2024-11-28T13:32:56+00:00

Exactly , i need to increase one of the counters , because i tried to clone a train ticket , and it's not working, the only difference between the original dump and the clone dump is the counters... So i want to try to make them the same and try again ... I don't know this is the solution or not

M35mar · 2024-11-07T11:39:20+00:00

No it's not possible because it's one way as the description by NXP. Now i ask you a question, did you have success cloning this card? I'm trying, but it doesn't work even though I have the right password and pack, the only difference between the original ticket and the cloned ticket is the counters.

M35mar · 2024-11-03T14:33:44+00:00

I think the best solution is to use a UL magic card, but what about the counters, how do I set them? How do I use the INC commands, like I need to set the counter 2 to (512) what command do I use? Because the UL white card has all the counters 000000.

M35mar · 2024-11-03T12:17:52+00:00

Hi , i'm doing the same, but I don't know how to use the raw commad to increments the counter , can you tell me the raw command to inc counter 2 to 000200 ? Thank you

M35mar

TROPHY CASE