
Topic: NFC Tag Passwords without having the Tag

Just as a note, I started by using a UID-changeable Mifare Ultralight NFC tag. The first, I believe, 15 pages are the same format as the NTAG213 that we are dealing with on the Junior. I was able to use a reader and rewrite the Ultralight UID and place it in the printer. I would have a logic analyzer hooked up to the printer. The printer would read the Ultralight UID -- the printer would send the password -- then the printer would give an error because the rest of the data on the tag wasn't usable. But the Ultralight worked well enough to get the password. I paid $23 for the UID-changeable Ultralight card. The website I got it from doesn't appear to be selling just the cards any more, but a basic Google search yielded multiple options.

After I had done that for a while, I did move on and get a Proxmark3 and eventually got it to fully emulate an NTAG213. I was able to fully print using the Proxmark3 as the NFC tag in the printer. I was also able to use it to get passwords without using the logic analyzer because it could record both the in and out communications, so it worked to get passwords as well.

My intent, and what I never had enough information to pursue, was to program a brute force PACK attack using the Proxmark3. I was hoping to use a blank NFC tag - take the UID and get the password the printer would give, and then use that UID and password and just start with PACK 0000 and go one at a time up to FFFF, and either record all the data to look back through or ideally have the attack stop once it hit the right PACK. I really never got anywhere with this, just some brief outlines, because I'm not a programmer.