From de7740883dcb084bb4072a00625f8e6ac82e58a3 Mon Sep 17 00:00:00 2001 From: exiom Date: Fri, 20 Jun 2025 12:01:20 +0800 Subject: [PATCH 01/18] Documentation Revamp Added Documentation for - Writing Updated Documentation for - Reading - Compatible RFID Blanks Cleaned up and reorganized the rest of the documentations. --- OpenSourceRfid.md | 3 - README.md | 101 +++------------- BambuLabRfid.md => docs/BambuLabRfid.md | 0 CrealityRfid.md => docs/CrealityRfid.md | 0 OpenTag.md => docs/OpenTag.md | 0 docs/ReadTags.md | 106 ++++++++++++++++ TagSniffing.md => docs/TagSniffing.md | 0 docs/WriteTags.md | 154 ++++++++++++++++++++++++ 8 files changed, 274 insertions(+), 90 deletions(-) delete mode 100644 OpenSourceRfid.md rename BambuLabRfid.md => docs/BambuLabRfid.md (100%) rename CrealityRfid.md => docs/CrealityRfid.md (100%) rename OpenTag.md => docs/OpenTag.md (100%) create mode 100644 docs/ReadTags.md rename TagSniffing.md => docs/TagSniffing.md (100%) create mode 100644 docs/WriteTags.md diff --git a/OpenSourceRfid.md b/OpenSourceRfid.md deleted file mode 100644 index 4d0a4b2..0000000 --- a/OpenSourceRfid.md +++ /dev/null @@ -1,3 +0,0 @@ -File Moved - -See [OpenTag.md](./OpenTag.md) diff --git a/README.md b/README.md index 9827467..398bea2 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,7 @@ # Bambu Lab RFID Tag Guide +This repository contains the collective research of the Bambu Lab Filament RFID Tags and serves as a guide to give you a basic overview how you can decrypt and read your tags. -This guide gives you a basic overview how you can decrypt and read your tags. - -[View Collection of Tags](https://github.com/queengooborg/Bambu-Lab-RFID-Library) +Please visit the [Bambu Lab RFID Library Repository](https://github.com/queengooborg/Bambu-Lab-RFID-Library) to view our collection of tags. [![Link to Discord](https://img.shields.io/badge/Discord-join_now-blue?style=flat-square&logo=discord&logoColor=white&label=Discord&color=blue)](https://discord.gg/zVfCVubwr7) 
@@ -16,13 +15,10 @@ This guide gives you a basic overview how you can decrypt and read your tags. * [Requirements](#requirements) * [Proxmark3 compatible readers](#proxmark3-compatible-readers) * [Proxmark3 Easy](#proxmark3-easy) - * [Hacking a Bambu Lab Tag and readout of its data](#hacking-a-bambu-lab-tag-and-readout-of-its-data) - * [Deriving the keys](#deriving-the-keys) - * [Proxmark3 fm11rf08s recovery script](#proxmark3-fm11rf08s-recovery-script) - * [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method) - * [Tag Documentation](#tag-documentation) + * [Bambu Lab Tag documentation as well as other brands and Open 3D-RFID](#tag-documentation) * [How do RFID tags work?](#how-do-rfid-tags-work) - * [Compatible RFID tags - By generation](#compatible-rfid-tags---by-generation) + * [Hacking a Bambu Lab Tag and readout of its data](#hacking-a-bambu-lab-tag-and-readout-of-its-data) + * [RFID tag cloning and compatible RFID tags](#rfid-tag-cloning) * [Reverse engineering RFID Board](#reverse-engineering-rfid-board) @@ -44,7 +40,8 @@ This is a research group dedicated to documenting the data structures used by Ba ### How to contribute -If you have a Proxmark3 (or other RFID debugging tool), you can decrypt the contents of your Bambu Lab RFID tags and submit them via [Discord](https://discord.gg/zVfCVubwr7). +If you have a Proxmark3 (or other RFID debugging tool), you can decrypt the contents of your Bambu Lab RFID tags and submit them via [Discord](https://discord.gg/zVfCVubwr7), or alternatively submit a Pull Request to the [Bambu Lab RFID Library Repository](https://github.com/queengooborg/Bambu-Lab-RFID-Library). + A lot of the contents have been deciphered, but the more data we have, the easier it is to compare differences to learn what each byte represents and double-check our answers. ### Todos/Timeline/Next steps 
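Review bot: in the README table-of-contents hunk above, the new entry text no longer matches the headings it links to: `Bambu Lab Tag documentation as well as other brands and Open 3D-RFID` points at `#tag-documentation` whose heading is `## Tag Documentation`, and `RFID tag cloning and compatible RFID tags` points at `#rfid-tag-cloning` whose heading is `## RFID Tag Cloning`. Keep each entry identical to its heading (`* [Tag Documentation](#tag-documentation)`, `* [RFID Tag Cloning](#rfid-tag-cloning)`), otherwise the auto-TOC workflow that runs `gh-md-toc --insert` on README.md will rewrite these lines on its next run and the hand edit is lost; a later patch in this series does exactly that correction, so it is better folded in here.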
@@ -73,73 +70,13 @@ A lot of the contents have been deciphered, but the more data we have, the easie A Proxmark3 Easy is sufficient for all the tasks that need to be done. You can buy a clone from Alixepress, Amazon or Dangerous Things. -## Hacking a Bambu Lab Tag and readout of its data - -We document here the most simple approach to get all required A-Keys and the data of the tag. The easiest way is to derive the keys using the Python script in this repository. - -### Deriving the keys - -A way to derive the keys from the UID of an RFID tag was discovered, which unlocked the ability to scan and scrape RFID tag data without sniffing, as well as with other devices like the Flipper Zero. A script is included in the repository to derive the keys from the UID of a tag. - -First, obtain the tag's UID: - -- Proxmark3 - 1. Run the Proxmark3 software by running `pm3` in the terminal - 2. Place the Proxmark3 device on the RFID tag of the spool - 3. Run `hf mf info` and look for the UID line item -- Flipper Zero - 1. Open the NFC app and scan the tag - 2. The Flipper will attempt to decrypt the tag, but you can skip the "Nested Dictionary (Backdoor)" step for speed - 3. The UID of the tag will appear on-screen -- Bambu Lab AMS - 1. Load the spool into an AMS slot and wait for it to finish loading - 2. View the spool's details on the printer's touchscreen, Bambu Studio or Bambu Handy - 3. The UID is the first eight characters of the spool's serial number - -Next, run the key derivation script and pipe its output to a file by running `python3 deriveKeys.py [UID] > ./keys.dic`. - -Then, use the keys file to extract the data from the RFID tag: - -- Proxmark3 - 1. Run the Proxmark3 software by running `pm3` in the terminal - 2. Place the Proxmark3 device on the RFID tag of the spool - 3. Run `hf mf dump -k ./keys.dic` to dump the RFID tag's contents -- Flipper Zero - 1. 
Open the qFlipper program and connect your Flipper to your computer - - You may also connect the SD card directly to your computer - 2. Navigate to `SD Card/nfc/assets/` - 3. Copy the `mf_classic_dict_user.nfc` file to your computer - 4. Copy the contents of `keys.dic` to `mf_classic_dict_user.nfc` - 5. Copy `mf_classic_dict_user.nfc` back onto your Flipper - 6. Use the NFC app to scan your tag - -### Proxmark3 fm11rf08s recovery script - -In 2024, a new backdoor[^rfid-backdoor] was found that makes it much easier to obtain the data from the RFID tags. A script is included in the proxmark3 software since v4.18994 (nicknamed "Backdoor"), which allows us to utilize this backdoor. Before this script was implemented, the tag had to be sniffed by placing the spool in the AMS and sniffing the packets transferred between the tag and the AMS. - -Place your reader on the tag, start proxmark3 (run `pm3`) and run the following command: - -`script run fm11rf08s_recovery` - -This script takes about 15-20 minutes to complete. Once it has finished, you will receive a binary key file and a dump. - -To visualize the data on the tag, run the following: - -`script run fm11rf08_full -b` - -### Sniffing the tag data with a Proxmark3 (legacy method) - -Before the above methods were developed, tag data had to be obtained by sniffing the data between the RFID tag and the AMS using a Proxmark3-compatible device. - -To read how to obtain the tag data using the legacy sniffing method, see the [TagSniffing.md](./TagSniffing.md). - ## Tag Documentation -For a description of the blocks of a Bambu Lab RFID tag, see [BambuLabRfid.md](./BambuLabRfid.md). +For a description of the blocks of a Bambu Lab RFID tag, see [BambuLabRfid.md](./docs/BambuLabRfid.md). -For a description of the blocks of a Creality RFID tag, see [CrealityRfid.md](./CrealityRfid.md). +For a description of the blocks of a Creality RFID tag, see [CrealityRfid.md](./docs/CrealityRfid.md). 
-An open-source standard proposal, Open 3D-RFID, is being incubated in this repository. For a description of the standard, see [OpenSourceRfid.md](./OpenSourceRfid.md). +An open-source standard proposal, Open 3D-RFID, is being incubated in this repository. For a description of the standard, see [OpenSourceRfid.md](./docs/OpenSourceRfid.md). ## How do RFID tags work? @@ -172,23 +109,13 @@ Here's a high-level summary of how everything works: - RSA Signature Private Key. You'd have to get this from bambu, good luck - Since Bambu Lab will likely not remove the signature requirement, you would need custom AMS firmware to read tags and ignore the signature -## Compatible RFID tags - By generation - -There are tags known as "Magic Tags" which allow functionality that's not part of the classic MIFARE spec. -One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags. -Magic tags are often refered to by their "generation", eg "Magic Gen 1". Each newer generation increases the functionality, but tends to also be more expensive) - -Gen 1 --> **Not compatible**(due to AMS checking if tag is unlockable with command 0x40) - -Gen 2 --> **Works** - -Gen 2 OTW --> **Not tested** +## Hacking a Bambu Lab Tag and readout of its data -Gen 3 --> **Not tested** +Please visit [ReadTags.md](./docs/ReadTags.md), where we documented all the approaches we discovered along the way to get all required keys and data out of the tag. -Gen 4 --> **Not tested**(The best option but pricey and hard to source in small chip formfactor) +## RFID Tag Cloning -FUID --> **Works** "Fused UID" aka "write-once UID". Once a UID is written, it cannot be changed +Please visit [WriteTags.md](./docs/WriteTags.md), where we documented all the current and past ways of cloning Bambu Lab filament RFID tags and compatible RFID tags used to clone them. ## Reverse engineering RFID Board 
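Review bot: the README hunk above links the Open 3D-RFID standard to `./docs/OpenSourceRfid.md`, but this same patch deletes `OpenSourceRfid.md` (which was only a "File Moved, see OpenTag.md" stub) and renames `OpenTag.md` to `docs/OpenTag.md`, so the README ships with a dead link; it should read `[docs/OpenTag.md](./docs/OpenTag.md)` and name the standard the way that file does. Moving the key-derivation, backdoor-script, sniffing and magic-tag sections out to `docs/ReadTags.md` and `docs/WriteTags.md` is fine, but the README's Requirements section still states "Requires v4.18994 (codename "Backdoor") or higher" while the new ReadTags.md relies on the `hf mf bambukeys` command that was added to pm3 only at the end of May 2025; bump the minimum Proxmark3 version in the same change so the two documents do not contradict each other.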
diff --git a/BambuLabRfid.md b/docs/BambuLabRfid.md similarity index 100% rename from BambuLabRfid.md rename to docs/BambuLabRfid.md diff --git a/CrealityRfid.md b/docs/CrealityRfid.md similarity index 100% rename from CrealityRfid.md rename to docs/CrealityRfid.md diff --git a/OpenTag.md b/docs/OpenTag.md similarity index 100% rename from OpenTag.md rename to docs/OpenTag.md diff --git a/docs/ReadTags.md b/docs/ReadTags.md new file mode 100644 index 0000000..6348129 --- /dev/null +++ b/docs/ReadTags.md 
@@ -0,0 +1,106 @@ +# Hacking a Bambu Lab Tag and readout of its data + + We have documented here all the approaches we discovered along the way to get all required keys and data out of the tag. Instructions here are mainly focused on using the _**Proxmark 3**_, as this is what we have and use. There are many other devices capable of doing this, if you have discovered other ways of doing this and would like to contribute to it's documentation, please feel free to submit a pull request. + +Currently, the easiest way is using the built-in function of the latest version of Proxmark3 (Iceman fork). + +## Table of contents + +* [Dumping Tags using Proxmark3](#dumping-tags-using-proxmark3-iceman-fork) +* [Deriving the keys](#deriving-the-keys) +* [Proxmark3 fm11rf08s recovery script](#proxmark3-fm11rf08s-recovery-script) +* [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method) + + +### Dumping Tags using Proxmark3 (Iceman fork) +As of 29th of May 2025, [pelrun](https://github.com/pelrun) has implemented functions into pm3 which allows for a much faster and simpler process to generate the keys and dump files from Bambu Lab filament RFID tags. Please update your copy of pm3 by running +```git pull``` +To replicate your own tags or contribute to the library, you can easily make dump and key files of your own tags by running the following commands, after placing the tag on your Proxmark 3, +``` +hf mf bambukeys -r -d;hf mf dump +``` +or +``` +hf mf bambukeys -r -d +hf mf dump +``` +This process should only take a few seconds with an expected output similar to below, (to keep things short, dumps of key and data were omitted) +``` +[=] -----------------------------------Add commentMore actions +[=] UID 4b... 
XX XX XX XX +[=] ----------------------------------- + +[+] Saved 192 bytes to binary file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-key.bin` +[+] Loaded binary key file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-key.bin` +[=] Reading sector access bits... +[=] ................. +[+] Finished reading sector access bits +[=] Dumping all blocks from card... +[-] Sector... 15 block... 3 ( ok ) +[+] Succeeded in dumping all blocks + +[+] time: 10 seconds + +[=] -----+-----+-------------------------------------------------+----------------- +[=] sec | blk | data | ascii +[=] -----+-----+-------------------------------------------------+----------------- + +[+] Saved 1024 bytes to binary file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.bin` +[+] Saved to json file C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.json +``` + +### Deriving the keys + +A way to derive the keys from the UID of an RFID tag was discovered, which unlocked the ability to scan and scrape RFID tag data without sniffing, as well as with other devices like the Flipper Zero. A script is included in the repository to derive the keys from the UID of a tag. + +First, obtain the tag's UID: + +- Proxmark3 + 1. Run the Proxmark3 software by running `pm3` in the terminal + 2. Place the Proxmark3 device on the RFID tag of the spool + 3. Run `hf mf info` and look for the UID line item +- Flipper Zero + 1. Open the NFC app and scan the tag + 2. The Flipper will attempt to decrypt the tag, but you can skip the "Nested Dictionary (Backdoor)" step for speed + 3. The UID of the tag will appear on-screen +- Bambu Lab AMS + 1. Load the spool into an AMS slot and wait for it to finish loading + 2. View the spool's details on the printer's touchscreen, Bambu Studio or Bambu Handy + 3. The UID is the first eight characters of the spool's serial number + +Next, run the key derivation script and pipe its output to a file by running `python3 deriveKeys.py [UID] > ./keys.dic`. 
+ +Then, use the keys file to extract the data from the RFID tag: + +- Proxmark3 + 1. Run the Proxmark3 software by running `pm3` in the terminal + 2. Place the Proxmark3 device on the RFID tag of the spool + 3. Run `hf mf dump -k ./keys.dic` to dump the RFID tag's contents +- Flipper Zero + 1. Open the qFlipper program and connect your Flipper to your computer + - You may also connect the SD card directly to your computer + 2. Navigate to `SD Card/nfc/assets/` + 3. Copy the `mf_classic_dict_user.nfc` file to your computer + 4. Copy the contents of `keys.dic` to `mf_classic_dict_user.nfc` + 5. Copy `mf_classic_dict_user.nfc` back onto your Flipper + 6. Use the NFC app to scan your tag + +### Proxmark3 fm11rf08s recovery script + +In 2024, a new backdoor[^rfid-backdoor] was found that makes it much easier to obtain the data from the RFID tags. A script is included in the proxmark3 software since v4.18994 (nicknamed "Backdoor"), which allows us to utilize this backdoor. Before this script was implemented, the tag had to be sniffed by placing the spool in the AMS and sniffing the packets transferred between the tag and the AMS. + +Place your reader on the tag, start proxmark3 (run `pm3`) and run the following command: + +`script run fm11rf08s_recovery` + +This script takes about 15-20 minutes to complete. Once it has finished, you will receive a binary key file and a dump. + +To visualize the data on the tag, run the following: + +`script run fm11rf08_full -b` + +### Sniffing the tag data with a Proxmark3 (legacy method) + +Before the above methods were developed, tag data had to be obtained by sniffing the data between the RFID tag and the AMS using a Proxmark3-compatible device. + +To read how to obtain the tag data using the legacy sniffing method, see the [TagSniffing.md](./docs/TagSniffing.md). \ No newline at end of file diff --git a/TagSniffing.md b/docs/TagSniffing.md similarity index 100% rename from TagSniffing.md rename to docs/TagSniffing.md 
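Review bot: the relative link at the end of the new `docs/ReadTags.md` is wrong for a file that already lives in `docs/`: `[TagSniffing.md](./docs/TagSniffing.md)` resolves to `docs/docs/TagSniffing.md`; it must be `./TagSniffing.md`. Three further points in the same hunk. First, "update your copy of pm3 by running `git pull`" is not sufficient for the Iceman fork, which is built from source and has to be recompiled after pulling (or a packaged release that contains `hf mf bambukeys` installed); state the minimum pm3 version instead of a date. Second, the pasted sample output still contains GitHub UI residue (`-----Add commentMore actions`) and the author's Windows home directory (`C:\Users\exiom\Desktop\ProxSpace\pm3/...`); strip the residue and use a placeholder path. Third, the "Deriving the keys" section should say plainly what it implies: the sector keys are a function of the UID alone, and the UID is read by any scanner without authentication and is even printed as the first eight characters of the spool serial number, so the keys provide no confidentiality at all; that is the reason `bambukeys` can dump a tag in seconds without sniffing. Minor: "it's documentation" should be "its documentation".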
diff --git a/docs/WriteTags.md b/docs/WriteTags.md new file mode 100644 index 0000000..2a76e19 --- /dev/null +++ b/docs/WriteTags.md 
@@ -0,0 +1,154 @@ +# RFID Tag Cloning + +This serves as a guide on making a clone or your own dump or one from this library, and assumes you have a Proxmark3 and using ProxSpace. As there are plenty of guides online that can better explain how to set this up and therefore it will not be within the scope of this guide. + +## Table of contents + +* [Compatible RFID tags - By generation](#compatible-rfid-tags---by-generation) +* [Writing to Blank tags](#writing-to-blank-tags) + * [FUID](#fuid) + * [UFUID](#ufuid) + + +## Compatible RFID tags - By generation + +There are tags known as "Magic Tags" which allow functionality that's not part of the classic MIFARE spec. +One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags. +Magic tags are often refered to by their "generation", eg "Magic Gen 1". Each newer generation increases the functionality, but tends to also be more expensive) + +Name inside the brackets are alternative names these tags are generally named under in various marketplaces such as AliExpress + +- Gen 1 (UID) --> **Not compatible** (AMS checks if tag is unlockable with command 0x40) +- Gen 2 (CUID) --> **Inconsistent or No longer works** (AMS writes a winky face to block 0, thereby "bricking" the tag) +- Gen 3 --> **Not tested** +- Gen 4 --> **Works** (The best option but pricey and hard to source in small chip formfactor) + - FUID --> **Works** Marketed as "Write-once UID". Functions similarly to a Gen 2 tag, once a UID is written, it cannot be changed. + - UFUID --> **Works** Marketed as "Sealable UID". Functions similarly to a Gen 1 tag, until it is "sealed" by the user. 
+ +More information on the use of magic cards can be found at https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-uscuid + +## Writing to Blank tags +⚠ *(To ease frustrations caused by typos when issuing commands, I encourage you to use the copy button on the right, especially when multiple commands are issued using the same line)* ⚠ + +### FUID +FUIDs are marketed as "write once UID", it has a default UID of `AA55C396` and will allow writes to block 0 in this state. It will lock once written to. + +#### Identify +You can identify the tag by issuing the following commands and will show these expected results +``` +hf mf info +``` +For an unlocked card the following will show, +``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: AA 55 C3 96 +[=] --- Magic Tag Information +[+] Magic capabilities... Gen 2 / CUID +[+] Magic capabilities... Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) +[+] Magic capabilities... Write Once / FUID +``` +For an locked card the following will show, +``` +[=] --- Magic Tag Information +[=] +``` + +#### Write FUID +For simplity, you need to copy the desired source dump file (hf-mf-XXXXXXXX-dump.bin) and it's key file (hf-mf-XXXXXXXX-key.bin) into the `pm3` folder of `ProxSpace` wherever this maybe on your computer. + +To write to the FUID tag, we will issue the following command (replace hf-mf-XXXXXXXX-dump.bin with the file name of your source dump file) +``` +hf mf restore -u XXXXXXXX --force +``` +Expected Output: +``` +[+] Loaded binary key file `hf-mf-5AF731B5-key.bin` +[=] Using key file `hf-mf-5AF731B5-key.bin` +[+] Loaded 1024 bytes from binary file `hf-mf-5AF731B5-dump.bin` + +Wall of write messages omitted ending in ( ok ) + +[=] Done! +``` +You can verify that the tag has been successfully written by again running `hf mf info`, the UID should now be different to the first time you ran this command and matches that of the source dump file. 
+``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: XX XX XX XX +``` +You can additionally verify the content of the tag by issuing the command, +``` +hf mf dump --ns +``` +Your FUID tag is now written, locked and ready to use. + + + +### UFUID +UFUIDs are marketed as a "sealable UID", it will allow writes to the card until it is "sealed" by the user. + +#### Identify +You can identify the tag by issuing the following command: +``` +hf mf info +``` +For an unlocked card the following will show, +``` +[=] --- Magic Tag Information +[+] Magic capabilities... Gen 1a +[+] Magic capabilities... Gen 4 GDM / USCUID ( ZUID Gen1 Magic Wakeup ) +``` +For an locked card the following will show, +``` +[=] --- Magic Tag Information +[+] Magic capabilities... Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) +``` + +#### Write UFUID +For simplity, you need to copy the desired source dump file (hf-mf-XXXXXXXX-dump.bin) and it's key file (hf-mf-XXXXXXXX-key.bin) into the `pm3` folder of `ProxSpace` wherever this maybe on your computer. + +To write to the UFUID tag, we will issue the following gen1a command (replace hf-mf-XXXXXXXX-dump.bin with the file name of your source dump file) +``` +hf mf cload -f hf-mf-XXXXXXXX-dump.bin +``` +Expected Output: +``` +[+] Loaded 1024 bytes from binary file `hf-mf-XXXXXXXX-dump.bin` +[=] Copying to magic gen1a MIFARE Classic 1K +[=] ................................................................. +[+] Card loaded 64 blocks from file +[=] Done! +``` +You can verify that the tag has been successfully written by again running `hf mf info`, the UID should now be different to the first time you ran this command and matches that of the source dump file. 
+``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: XX XX XX XX +``` +You can additionally verify the content of the tag by issuing the command, +``` +hf mf dump --ns +``` + +#### Seal UFUID +Before you can use this tag, you will need to seal the UFUID tag by issuing the following commands, otherwise it will respond to Magic Card Gen1 commands which the AMS will identify and ignore the tag. + +⚠ (Please use the copy button on the right, as this procedure depends on you issuing the chain of commands succesively and completing the full set within a very short period of time.) ⚠ +``` +hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 +``` +Expected Output: +``` +[usb] pm3 --> hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 +[+] 0A +[+] 0A +[+] 0A +[+] 0A +``` +Now, when you issue the command `hf mf info`, it should now look like this, +``` +[=] --- Magic Tag Information +[=] +``` +Your UFUID tag is now written, locked and ready to use. \ No newline at end of file From 1d179cbe9011cd2c5071eb925940d6bddf7466cc Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Fri, 20 Jun 2025 12:08:50 +0800 Subject: [PATCH 02/18] Revised for better guidance --- docs/ReadTags.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/ReadTags.md b/docs/ReadTags.md index 6348129..7f603d7 100644 --- a/docs/ReadTags.md +++ b/docs/ReadTags.md @@ -26,7 +26,7 @@ hf mf dump ``` This process should only take a few seconds with an expected output similar to below, (to keep things short, dumps of key and data were omitted) ``` -[=] -----------------------------------Add commentMore actions +[=] ----------------------------------- [=] UID 4b... XX XX XX XX [=] ----------------------------------- 
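Review bot: in the `#### Write FUID` section of the new `docs/WriteTags.md` (patch 01/18), the instruction says to "replace hf-mf-XXXXXXXX-dump.bin with the file name of your source dump file", but the command shown is `hf mf restore -u XXXXXXXX --force`, which takes a UID and no file name; say that `XXXXXXXX` is the UID of the source tag and that `restore` then looks for `hf-mf-<UID>-dump.bin` and `hf-mf-<UID>-key.bin` in the working directory, which is exactly what the expected output (`Loaded binary key file hf-mf-5AF731B5-key.bin`) shows. That expected output also shows a real UID where every other example is masked as `XXXXXXXX`; use the placeholder consistently. Two safety points the text implies but never states: the FUID locks on its first write to block 0 ("It will lock once written to") and the UFUID seal is permanent, so an explicit "this cannot be undone; confirm `hf mf dump --ns` matches the source dump first" warning belongs immediately above the `hf mf restore` command and above the `hf 14a raw ... 85000000000000000000000000000008` chain, not only as a general tip at the top of the section. Typos in the hunk: "a clone or your own dump" (of), "For simplity", "it's key file", "wherever this maybe", "refered", "succesively", "formfactor".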
@@ -48,6 +48,11 @@ This process should only take a few seconds with an expected output similar to b [+] Saved 1024 bytes to binary file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.bin` [+] Saved to json file C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.json ``` +Once the above command is completed you will see that the data dump and keys will have been saved to the working folder of PM3. + +You can find out what each block of data means here, [Bambu Lab Filament Tag Documentation](./docs/BambuLabRfid.md) + +Below continues with more technical explainations and legacy methods. If that doesn't interests you, your instructions are complete here. ### Deriving the keys @@ -103,4 +108,4 @@ To visualize the data on the tag, run the following: Before the above methods were developed, tag data had to be obtained by sniffing the data between the RFID tag and the AMS using a Proxmark3-compatible device. -To read how to obtain the tag data using the legacy sniffing method, see the [TagSniffing.md](./docs/TagSniffing.md). \ No newline at end of file +To read how to obtain the tag data using the legacy sniffing method, see the [TagSniffing.md](./docs/TagSniffing.md). From 14733616cd83a2ead87b4c6791166b7fb8a376e4 Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Mon, 23 Jun 2025 10:52:16 +0800 Subject: [PATCH 03/18] Updated for copy ease and extra tips and warnings --- docs/WriteTags.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index 2a76e19..7ba01ac 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md 
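Review bot: in the patch 02/18 `docs/ReadTags.md` hunk above, the newly added link `[Bambu Lab Filament Tag Documentation](./docs/BambuLabRfid.md)` repeats the path problem already present in this file: from inside `docs/` it resolves to `docs/docs/BambuLabRfid.md`, so it should be `./BambuLabRfid.md`. The added closing sentence also needs "explainations" changed to "explanations" and "If that doesn't interests you" to "If that doesn't interest you".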
@@ -28,7 +28,11 @@ Name inside the brackets are alternative names these tags are generally named un More information on the use of magic cards can be found at https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-uscuid ## Writing to Blank tags -⚠ *(To ease frustrations caused by typos when issuing commands, I encourage you to use the copy button on the right, especially when multiple commands are issued using the same line)* ⚠ +⚠ *If you purchased bare coil tags and have trouble reading them, try spacing them away from your Proxmark 3 (10mm worked for me).* ⚠ + +⚠ *ALWAYS CHECK THAT YOU CAN CONSISTENTLY READ YOUR TAG USING THE INFO COMMAND BEFORE ATTEMPTING TO WRITE TO THEM.* ⚠ + +⚠ *To ease frustrations caused by typos when issuing commands, I encourage you to use the copy button on the right, especially when multiple commands are issued using the same line.* ⚠ ### FUID FUIDs are marketed as "write once UID", it has a default UID of `AA55C396` and will allow writes to block 0 in this state. It will lock once written to. @@ -59,7 +63,7 @@ For simplity, you need to copy the desired source dump file (hf-mf-XXXXXXXX-dump To write to the FUID tag, we will issue the following command (replace hf-mf-XXXXXXXX-dump.bin with the file name of your source dump file) ``` -hf mf restore -u XXXXXXXX --force +hf mf restore --force -u XXXXXXXX ``` Expected Output: ``` 
@@ -134,7 +138,7 @@ hf mf dump --ns #### Seal UFUID Before you can use this tag, you will need to seal the UFUID tag by issuing the following commands, otherwise it will respond to Magic Card Gen1 commands which the AMS will identify and ignore the tag. -⚠ (Please use the copy button on the right, as this procedure depends on you issuing the chain of commands succesively and completing the full set within a very short period of time.) ⚠ +⚠ *Please use the copy button on the right, as this procedure depends on you issuing the chain of commands succesively and completing the full set within a very short period of time.* ⚠ ``` hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 ``` @@ -151,4 +155,4 @@ Now, when you issue the command `hf mf info`, it should now look like this, [=] --- Magic Tag Information [=] ``` -Your UFUID tag is now written, locked and ready to use. \ No newline at end of file +Your UFUID tag is now written, locked and ready to use. From d92509d5e011704522c5cf40ce757bd05bf9136e Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 19:56:57 -0700 Subject: [PATCH 04/18] Update document links --- README.md | 6 +++--- docs/ReadTags.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 398bea2..16c3459 100644 --- a/README.md +++ b/README.md 
@@ -72,11 +72,11 @@ A Proxmark3 Easy is sufficient for all the tasks that need to be done. You can b ## Tag Documentation -For a description of the blocks of a Bambu Lab RFID tag, see [BambuLabRfid.md](./docs/BambuLabRfid.md). +For a description of the blocks of a Bambu Lab RFID tag, see [docs/BambuLabRfid.md](./docs/BambuLabRfid.md). -For a description of the blocks of a Creality RFID tag, see [CrealityRfid.md](./docs/CrealityRfid.md). +For a description of the blocks of a Creality RFID tag, see [docs/CrealityRfid.md](./docs/CrealityRfid.md). -An open-source standard proposal, Open 3D-RFID, is being incubated in this repository. For a description of the standard, see [OpenSourceRfid.md](./docs/OpenSourceRfid.md). +An open-source standard proposal, OpenTag, is being incubated in this repository. For a description of the standard, see [docs/OpenTag.md](./docs/OpenTag.md). ## How do RFID tags work? diff --git a/docs/ReadTags.md b/docs/ReadTags.md index 7f603d7..369613a 100644 --- a/docs/ReadTags.md +++ b/docs/ReadTags.md @@ -50,7 +50,7 @@ This process should only take a few seconds with an expected output similar to b ``` Once the above command is completed you will see that the data dump and keys will have been saved to the working folder of PM3. -You can find out what each block of data means here, [Bambu Lab Filament Tag Documentation](./docs/BambuLabRfid.md) +You can find out what each block of data means here, [Bambu Lab Filament Tag Documentation](./BambuLabRfid.md) Below continues with more technical explainations and legacy methods. If that doesn't interests you, your instructions are complete here. 
@@ -108,4 +108,4 @@ To visualize the data on the tag, run the following: Before the above methods were developed, tag data had to be obtained by sniffing the data between the RFID tag and the AMS using a Proxmark3-compatible device. -To read how to obtain the tag data using the legacy sniffing method, see the [TagSniffing.md](./docs/TagSniffing.md). +To read how to obtain the tag data using the legacy sniffing method, see the [TagSniffing.md](./TagSniffing.md). From 72267192bea296f7aeadc1822c03054ad10b3c0f Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 20:01:16 -0700 Subject: [PATCH 05/18] Bump Proxmark3 version requirement --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 16c3459..53be8cc 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ A lot of the contents have been deciphered, but the more data we have, the easie - An NFC/RFID reader that can read encrypted tags, such as... - A Proxmark3-compatible RFID reader (recommended) - The [proxmark3 (Iceman fork) software](https://github.com/RfidResearchGroup/proxmark3) - - Requires v4.18994 (codename "Backdoor") or higher + - Requires v4.20469 or higher - You MUST use the Iceman fork as the original version of the software is unmaintained; all instructions and scripts are written for the Iceman fork and will not work on the original version - A Flipper Zero From a0d7ef9e24d8a636ab0ccefe8ce0bbb33b9cd089 Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 20:05:16 -0700 Subject: [PATCH 06/18] Update table of contents within any Markdown file that has a TOC --- .github/workflows/auto_toc_update.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auto_toc_update.yml b/.github/workflows/auto_toc_update.yml index 2cc718c..6559e5e 100644 --- a/.github/workflows/auto_toc_update.yml +++ b/.github/workflows/auto_toc_update.yml 
@@ -19,7 +19,9 @@ jobs: - run: | curl https://raw.githubusercontent.com/ekalinin/github-markdown-toc/master/gh-md-toc -o gh-md-toc chmod a+x gh-md-toc - ./gh-md-toc --insert --no-backup --hide-footer --skip-header README.md + for file in "**/*.md"; do + ./gh-md-toc --insert --no-backup --hide-footer --skip-header $file + done rm gh-md-toc - uses: stefanzweifel/git-auto-commit-action@v4 with: From 86cc18c3ad330db89ac8887bccaafd978dd126b0 Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 20:05:42 -0700 Subject: [PATCH 07/18] Update TOC in readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 53be8cc..a555bb5 100644 --- a/README.md +++ b/README.md @@ -15,10 +15,10 @@ Please visit the [Bambu Lab RFID Library Repository](https://github.com/queengoo * [Requirements](#requirements) * [Proxmark3 compatible readers](#proxmark3-compatible-readers) * [Proxmark3 Easy](#proxmark3-easy) - * [Bambu Lab Tag documentation as well as other brands and Open 3D-RFID](#tag-documentation) + * [Tag Documentation](#tag-documentation) * [How do RFID tags work?](#how-do-rfid-tags-work) * [Hacking a Bambu Lab Tag and readout of its data](#hacking-a-bambu-lab-tag-and-readout-of-its-data) - * [RFID tag cloning and compatible RFID tags](#rfid-tag-cloning) + * [RFID Tag Cloning](#rfid-tag-cloning) * [Reverse engineering RFID Board](#reverse-engineering-rfid-board) From 76a61a8d9ddb5e88704a374a522a3f3b14afba14 Mon Sep 17 00:00:00 2001 
From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 20:09:33 -0700 Subject: [PATCH 08/18] Update documentation for reading tags - Mark backdoor as legacy method - Simplify language - Mention specific Proxmark3 version required - Remove redundant example - Continue to give primary support Flipper Zero - Add link to Bambu Lab RFID library --- docs/ReadTags.md | 66 +++++++++++++++--------------------------------- 1 file changed, 20 insertions(+), 46 deletions(-) diff --git a/docs/ReadTags.md b/docs/ReadTags.md index 369613a..73c17e4 100644 --- a/docs/ReadTags.md +++ b/docs/ReadTags.md 
@@ -1,58 +1,32 @@ # Hacking a Bambu Lab Tag and readout of its data - We have documented here all the approaches we discovered along the way to get all required keys and data out of the tag. Instructions here are mainly focused on using the _**Proxmark 3**_, as this is what we have and use. There are many other devices capable of doing this, if you have discovered other ways of doing this and would like to contribute to it's documentation, please feel free to submit a pull request. - -Currently, the easiest way is using the built-in function of the latest version of Proxmark3 (Iceman fork). +This document describes the various approaches for scanning Bambu Lab RFID tags. +If you have a Proxmark3 device, the easiest way to scan tags is using the built-in `bambukeys` function. Otherwise, if you have another RFID scanning device like a Flipper Zero, a Python script is provided in order to derive the keys from the UID of the tag. + +> [!NOTE] +> Please consider submitting your scanned tags to the [Bambu Lab RFID Library](https://github.com/queengooborg/Bambu-Lab-RFID-Library) repository! 
+ +# Table of contents -## Table of contents -* [Dumping Tags using Proxmark3](#dumping-tags-using-proxmark3-iceman-fork) -* [Deriving the keys](#deriving-the-keys) -* [Proxmark3 fm11rf08s recovery script](#proxmark3-fm11rf08s-recovery-script) -* [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method) + * [Dumping Tags using Proxmark3](#dumping-tags-using-proxmark3) + * [Deriving the keys](#deriving-the-keys) + * [Proxmark3 fm11rf08s recovery script (legacy method)](#proxmark3-fm11rf08s-recovery-script-legacy-method) + * [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method) -### Dumping Tags using Proxmark3 (Iceman fork) -As of 29th of May 2025, [pelrun](https://github.com/pelrun) has implemented functions into pm3 which allows for a much faster and simpler process to generate the keys and dump files from Bambu Lab filament RFID tags. Please update your copy of pm3 by running -```git pull``` -To replicate your own tags or contribute to the library, you can easily make dump and key files of your own tags by running the following commands, after placing the tag on your Proxmark 3, -``` -hf mf bambukeys -r -d;hf mf dump -``` -or +### Dumping Tags using Proxmark3 + +As of Proxmark3 v4.20469, a new command has been implemented to scan a Bambu Lab RFID tag and automatically derive the keys, offering a fast, one-command way to scan tags. + +To scan a tag with this method, place the Proxmark3 device on the tag and run `pm3` in the terminal. Then, in the `pm3` prompt, run: + ``` hf mf bambukeys -r -d hf mf dump ``` -This process should only take a few seconds with an expected output similar to below, (to keep things short, dumps of key and data were omitted) -``` -[=] ----------------------------------- -[=] UID 4b... 
XX XX XX XX -[=] ----------------------------------- - -[+] Saved 192 bytes to binary file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-key.bin` -[+] Loaded binary key file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-key.bin` -[=] Reading sector access bits... -[=] ................. -[+] Finished reading sector access bits -[=] Dumping all blocks from card... -[-] Sector... 15 block... 3 ( ok ) -[+] Succeeded in dumping all blocks - -[+] time: 10 seconds - -[=] -----+-----+-------------------------------------------------+----------------- -[=] sec | blk | data | ascii -[=] -----+-----+-------------------------------------------------+----------------- - -[+] Saved 1024 bytes to binary file `C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.bin` -[+] Saved to json file C:\Users\exiom\Desktop\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.json -``` -Once the above command is completed you will see that the data dump and keys will have been saved to the working folder of PM3. - -You can find out what each block of data means here, [Bambu Lab Filament Tag Documentation](./BambuLabRfid.md) -Below continues with more technical explainations and legacy methods. If that doesn't interests you, your instructions are complete here. +This process should only take a few seconds. Once the process is complete, the dump will be saved to your current working directory. ### Deriving the keys 
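Review bot: the rewritten `Dumping Tags using Proxmark3` section drops the removed pointer to [Bambu Lab Filament Tag Documentation](./BambuLabRfid.md), so a reader who has just produced a dump no longer learns where the block layout is documented; keep that link after "the dump will be saved to your current working directory". Two structural nits in the same hunk: `# Table of contents` is an H1 followed directly by `###` section headings (the old file used `##`), and the four TOC entries are now indented with a leading space, which renders as a nested list rather than a top-level one.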
@@ -90,7 +64,7 @@ Then, use the keys file to extract the data from the RFID tag: 5. Copy `mf_classic_dict_user.nfc` back onto your Flipper 6. Use the NFC app to scan your tag -### Proxmark3 fm11rf08s recovery script +### Proxmark3 fm11rf08s recovery script (legacy method) In 2024, a new backdoor[^rfid-backdoor] was found that makes it much easier to obtain the data from the RFID tags. A script is included in the proxmark3 software since v4.18994 (nicknamed "Backdoor"), which allows us to utilize this backdoor. Before this script was implemented, the tag had to be sniffed by placing the spool in the AMS and sniffing the packets transferred between the tag and the AMS. @@ -102,7 +76,7 @@ This script takes about 15-20 minutes to complete. Once it has finished, you wil To visualize the data on the tag, run the following: -`script run fm11rf08_full -b` +`script run fm11rf08s_full -b` ### Sniffing the tag data with a Proxmark3 (legacy method) From 07df6816d6e2b9d900834dd2c9666e863835586d Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 20:31:24 -0700 Subject: [PATCH 09/18] Update documentation for writing tags - Combine sections for identifying and writing - De-duplicate instructions - Remove expected output sections - Simplify language - Convert notes to GFM Noteblock syntax - Use multi-line syntax for command --- docs/WriteTags.md | 174 +++++++++++++++------------------------------- 1 file changed, 56 insertions(+), 118 deletions(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index 7ba01ac..5b556a9 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md 
@@ -1,158 +1,96 @@ # RFID Tag Cloning -This serves as a guide on making a clone or your own dump or one from this library, and assumes you have a Proxmark3 and using ProxSpace. As there are plenty of guides online that can better explain how to set this up and therefore it will not be within the scope of this guide. +This document serves as a guide for copying tag dumps onto new tags. +This guide is written for the Proxmark3, however this may also be performed with other devices like the Flipper Zero. -## Table of contents +# Table of contents -* [Compatible RFID tags - By generation](#compatible-rfid-tags---by-generation) -* [Writing to Blank tags](#writing-to-blank-tags) - * [FUID](#fuid) - * [UFUID](#ufuid) + * [Compatible RFID tags - By generation](#compatible-rfid-tags---by-generation) + * [Identifying Tag Type](#identifying-tag-type) + * [Gen 2](#gen-2) + * [Gen 4 FUID](#gen-4-fuid) + * [Gen 4 UFUID](#gen-4-ufuid) + * [Writing Tag Dumps](#writing-tag-dumps) + * [Seal UFUID](#seal-ufuid) ## Compatible RFID tags - By generation -There are tags known as "Magic Tags" which allow functionality that's not part of the classic MIFARE spec. -One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags. -Magic tags are often refered to by their "generation", eg "Magic Gen 1". Each newer generation increases the functionality, but tends to also be more expensive) +There are tags known as "Magic Tags" which allow functionality that is not part of the classic MIFARE spec. One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags. Magic tags are often referred to by their "generation", for example "Magic Gen 1", but some online sellers will use alternate names in their listings (denoted in parenthesis in the list below). Each newer generation increases the functionality, but tends to also be more expensive. 
-Name inside the brackets are alternative names these tags are generally named under in various marketplaces such as AliExpress +> [!TIP] +> If you purchased bare coil tags and have trouble reading them, try increasing the distance between them and your Proxmark3 to about 10mm. - Gen 1 (UID) --> **Not compatible** (AMS checks if tag is unlockable with command 0x40) -- Gen 2 (CUID) --> **Inconsistent or No longer works** (AMS writes a winky face to block 0, thereby "bricking" the tag) +- Gen 2 (CUID) --> **Inconsistent or No longer works** (AMS writes a winky face to block 0, "bricking" the tag) - Gen 3 --> **Not tested** -- Gen 4 --> **Works** (The best option but pricey and hard to source in small chip formfactor) - - FUID --> **Works** Marketed as "Write-once UID". Functions similarly to a Gen 2 tag, once a UID is written, it cannot be changed. - - UFUID --> **Works** Marketed as "Sealable UID". Functions similarly to a Gen 1 tag, until it is "sealed" by the user. +- Gen 4 --> **Works** (The best option, but pricey and hard to source in a small chip formfactor) + - FUID (Write-Once UID) --> **Works** (Functions similarly to a Gen 2 tag: once a UID is written, it cannot be changed) + - UFUID (Sealable UID) --> **Works** (Functions similarly to a Gen 1 tag, until it is "sealed" by the user.) 
More information on the use of magic cards can be found at https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/magic_cards_notes.md#mifare-classic-uscuid -## Writing to Blank tags -⚠ *If you purchased bare coil tags and have trouble reading them, try spacing them away from your Proxmark 3 (10mm worked for me).* ⚠ +## Identifying Tag Type -⚠ *ALWAYS CHECK THAT YOU CAN CONSISTENTLY READ YOUR TAG USING THE INFO COMMAND BEFORE ATTEMPTING TO WRITE TO THEM.* ⚠ +To identify the type of tag you have, place your Proxmark3 on a tag, launch `pm3` in a terminal and run the following command: -⚠ *To ease frustrations caused by typos when issuing commands, I encourage you to use the copy button on the right, especially when multiple commands are issued using the same line.* ⚠ - -### FUID -FUIDs are marketed as "write once UID", it has a default UID of `AA55C396` and will allow writes to block 0 in this state. It will lock once written to. - -#### Identify -You can identify the tag by issuing the following commands and will show these expected results ``` hf mf info ``` -For an unlocked card the following will show, -``` -[usb] pm3 --> hf mf info -[=] --- ISO14443-a Information --------------------- -[+] UID: AA 55 C3 96 -[=] --- Magic Tag Information -[+] Magic capabilities... Gen 2 / CUID -[+] Magic capabilities... Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) -[+] Magic capabilities... Write Once / FUID -``` -For an locked card the following will show, -``` -[=] --- Magic Tag Information -[=] -``` -#### Write FUID -For simplity, you need to copy the desired source dump file (hf-mf-XXXXXXXX-dump.bin) and it's key file (hf-mf-XXXXXXXX-key.bin) into the `pm3` folder of `ProxSpace` wherever this maybe on your computer. +The tag type can be identified based upon its magic capabilities. Note that if the tag reports no magic capabilities, it is either incompatible or has already been locked. 
-To write to the FUID tag, we will issue the following command (replace hf-mf-XXXXXXXX-dump.bin with the file name of your source dump file) -``` -hf mf restore --force -u XXXXXXXX -``` -Expected Output: -``` -[+] Loaded binary key file `hf-mf-5AF731B5-key.bin` -[=] Using key file `hf-mf-5AF731B5-key.bin` -[+] Loaded 1024 bytes from binary file `hf-mf-5AF731B5-dump.bin` +### Gen 2 -Wall of write messages omitted ending in ( ok ) +Gen 2 tags are marketed as "changeable unique identifier". Their UID can be changed by the user. -[=] Done! -``` -You can verify that the tag has been successfully written by again running `hf mf info`, the UID should now be different to the first time you ran this command and matches that of the source dump file. -``` -[usb] pm3 --> hf mf info -[=] --- ISO14443-a Information --------------------- -[+] UID: XX XX XX XX -``` -You can additionally verify the content of the tag by issuing the command, -``` -hf mf dump --ns -``` -Your FUID tag is now written, locked and ready to use. +### Gen 4 FUID +FUIDs are marketed as "write once UID". They have a default UID of `AA55C396` and will allow writes to block 0 in this state. Once the UID is changed, the tag will be locked. +An unlocked tag will have the following magic capabilities: +- Gen 2 / CUID +- Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) +- Write Once / FUID + +### Gen 4 UFUID -### UFUID UFUIDs are marketed as a "sealable UID", it will allow writes to the card until it is "sealed" by the user. -#### Identify -You can identify the tag by issuing the following command: -``` -hf mf info -``` -For an unlocked card the following will show, -``` -[=] --- Magic Tag Information -[+] Magic capabilities... Gen 1a -[+] Magic capabilities... Gen 4 GDM / USCUID ( ZUID Gen1 Magic Wakeup ) -``` -For an locked card the following will show, -``` -[=] --- Magic Tag Information -[+] Magic capabilities... 
Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) -``` +An unlocked tag will have the following magic capabilities: -#### Write UFUID -For simplity, you need to copy the desired source dump file (hf-mf-XXXXXXXX-dump.bin) and it's key file (hf-mf-XXXXXXXX-key.bin) into the `pm3` folder of `ProxSpace` wherever this maybe on your computer. +- Gen 1a +- Gen 4 GDM / USCUID ( ZUID Gen1 Magic Wakeup ) -To write to the UFUID tag, we will issue the following gen1a command (replace hf-mf-XXXXXXXX-dump.bin with the file name of your source dump file) -``` -hf mf cload -f hf-mf-XXXXXXXX-dump.bin -``` -Expected Output: -``` -[+] Loaded 1024 bytes from binary file `hf-mf-XXXXXXXX-dump.bin` -[=] Copying to magic gen1a MIFARE Classic 1K -[=] ................................................................. -[+] Card loaded 64 blocks from file -[=] Done! -``` -You can verify that the tag has been successfully written by again running `hf mf info`, the UID should now be different to the first time you ran this command and matches that of the source dump file. +> [!WARNING] +> UFUID tags must be sealed, which is a process that cannot be performed on the Flipper Zero; thus, UFUID tags are not compatible with the Flipper Zero for this use case. + +## Writing Tag Dumps + +> [!IMPORTANT] +> ALWAYS CHECK THAT YOU CAN CONSISTENTLY READ YOUR TAG USING THE INFO COMMAND BEFORE ATTEMPTING TO WRITE TO THEM. + +To write a dump to the tag, run the following command in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): ``` -[usb] pm3 --> hf mf info -[=] --- ISO14443-a Information --------------------- -[+] UID: XX XX XX XX +hf mf cload -f /path/to/dump.bin ``` -You can additionally verify the content of the tag by issuing the command, + +You can verify that the tag has been successfully written by running `hf mf info` again. The UID should now match the UID of your dump. 
+ +If you wish to perform a full content verification, you can run the following command: ``` hf mf dump --ns ``` -#### Seal UFUID -Before you can use this tag, you will need to seal the UFUID tag by issuing the following commands, otherwise it will respond to Magic Card Gen1 commands which the AMS will identify and ignore the tag. +### Seal UFUID + +Before you can use a UFUID tag on the AMS, you will need to seal the UFUID tag by issuing the following commands, otherwise it will respond to Magic Card Gen1 commands which the AMS will identify and ignore the tag. -⚠ *Please use the copy button on the right, as this procedure depends on you issuing the chain of commands succesively and completing the full set within a very short period of time.* ⚠ -``` -hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 -``` -Expected Output: -``` -[usb] pm3 --> hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 -[+] 0A -[+] 0A -[+] 0A -[+] 0A -``` -Now, when you issue the command `hf mf info`, it should now look like this, ``` -[=] --- Magic Tag Information -[=] +hf 14a raw -a -k -b 7 40 +hf 14a raw -k 43 +hf 14a raw -k -c e100 +hf 14a raw -c 85000000000000000000000000000008 ``` -Your UFUID tag is now written, locked and ready to use. + +The tag should now display no magic capabilities when running `hf mf info`. Your UFUID tag is now written, locked and ready to use. From afacc903d587ec95bdb6a577978bdf42f2f3fb82 Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Mon, 23 Jun 2025 20:37:15 -0700 Subject: [PATCH 10/18] Use restore command by default --- docs/WriteTags.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index 5b556a9..2960c94 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md 
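Review bot: the merged `Writing Tag Dumps` section tells every tag type to run `hf mf cload -f /path/to/dump.bin`, but the removed FUID section used `hf mf restore --force -u XXXXXXXX` while only the removed UFUID section used `cload`; `cload` is the gen1a path (the removed expected output reads "Copying to magic gen1a MIFARE Classic 1K"), so the FUID instructions should keep the `restore` command rather than being folded into the UFUID one. In `Seal UFUID`, splitting the chain into four separate `hf 14a raw` lines drops the removed warning that the commands must be issued in quick succession, and the stacked `;` form was what guaranteed that; keep the stacked command (or at least the warning) alongside the multi-line listing.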
@@ -72,9 +72,15 @@ An unlocked tag will have the following magic capabilities: To write a dump to the tag, run the following command in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): ``` -hf mf cload -f /path/to/dump.bin +hf mf restore --force -f /path/to/dump.bin -k /path/to/keys.bin ``` +> [!NOTE] +> If you have a Gen 4 UFUID tag, it is recommended use the following command instead: +> ``` +> hf mf cload -f /path/to/dump.bin +> ``` + You can verify that the tag has been successfully written by running `hf mf info` again. The UID should now match the UID of your dump. If you wish to perform a full content verification, you can run the following command: From 88d5d0476a6a4f3034c73271d4cdb8bd9ac418b5 Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Tue, 24 Jun 2025 04:38:46 -0700 Subject: [PATCH 11/18] Update tag dump instructions --- docs/WriteTags.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index 2960c94..ac9b931 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md 
@@ -70,16 +70,17 @@ An unlocked tag will have the following magic capabilities: > [!IMPORTANT] > ALWAYS CHECK THAT YOU CAN CONSISTENTLY READ YOUR TAG USING THE INFO COMMAND BEFORE ATTEMPTING TO WRITE TO THEM. -To write a dump to the tag, run the following command in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): +To write a dump to the tag, run one of the following commands in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): + +Gen 4 UFUID: ``` -hf mf restore --force -f /path/to/dump.bin -k /path/to/keys.bin +hf mf cload -f /path/to/dump.bin ``` -> [!NOTE] -> If you have a Gen 4 UFUID tag, it is recommended use the following command instead: -> ``` -> hf mf cload -f /path/to/dump.bin -> ``` +Other Tag Type: +``` +hf mf restore --force -f /path/to/dump.bin +``` You can verify that the tag has been successfully written by running `hf mf info` again. The UID should now match the UID of your dump. From 31227dd9fdaa60a735ff9f4ea991dd3c03af4d9d Mon Sep 17 00:00:00 2001 From: "Queen Vinyl Da.i'gyu-Kazotetsu" Date: Tue, 24 Jun 2025 04:43:25 -0700 Subject: [PATCH 12/18] Add requirements and warnings to tag writing guide --- README.md | 1 + docs/WriteTags.md | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/README.md b/README.md index a555bb5..10ac66b 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ A lot of the contents have been deciphered, but the more data we have, the easie ## Requirements +- Basic command line knowledge - A computer running macOS or Linux, or a Windows computer with a WSL installation - Python 3.6 or higher - Bambu Lab Filament spool **or** the related tags diff --git a/docs/WriteTags.md b/docs/WriteTags.md index ac9b931..6b18985 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md 
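Review bot: the `Other Tag Type` command drops the `-k /path/to/keys.bin` argument that the previous commit had added to `hf mf restore --force -f /path/to/dump.bin`, yet the instruction text still only tells the reader to substitute the dump path; say where `restore` is expected to find the key file (the earlier FUID instructions relied on `-u XXXXXXXX` with `hf-mf-XXXXXXXX-key.bin` beside the dump), or keep `-k` so the keys file is explicit.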
@@ -3,8 +3,12 @@ This document serves as a guide for copying tag dumps onto new tags. This guide is written for the Proxmark3, however this may also be performed with other devices like the Flipper Zero. +> [!WARNING] +> This guide comes with **ABSOLUTELY NO WARRANTY.** Proceed at your own risk! + # Table of contents + * [Requirements](#requirements) * [Compatible RFID tags - By generation](#compatible-rfid-tags---by-generation) * [Identifying Tag Type](#identifying-tag-type) * [Gen 2](#gen-2) @@ -14,6 +18,10 @@ This guide is written for the Proxmark3, however this may also be performed with * [Seal UFUID](#seal-ufuid) +## Requirements + +Please view the [Requirements section of the README](../README.md#requirements). + ## Compatible RFID tags - By generation There are tags known as "Magic Tags" which allow functionality that is not part of the classic MIFARE spec. One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags. Magic tags are often referred to by their "generation", for example "Magic Gen 1", but some online sellers will use alternate names in their listings (denoted in parenthesis in the list below). Each newer generation increases the functionality, but tends to also be more expensive. From b63d804e2775597832606b52d711a0cdc676ce4b Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Wed, 25 Jun 2025 10:41:23 +0800 Subject: [PATCH 13/18] Updated Document Links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 10ac66b..3f4a9b6 100644 --- a/README.md +++ b/README.md 
@@ -112,11 +112,11 @@ Here's a high-level summary of how everything works: ## Hacking a Bambu Lab Tag and readout of its data -Please visit [ReadTags.md](./docs/ReadTags.md), where we documented all the approaches we discovered along the way to get all required keys and data out of the tag. +Please visit [docs/ReadTags.md](./docs/ReadTags.md), where we documented all the approaches we discovered along the way to get all required keys and data out of the tag. ## RFID Tag Cloning -Please visit [WriteTags.md](./docs/WriteTags.md), where we documented all the current and past ways of cloning Bambu Lab filament RFID tags and compatible RFID tags used to clone them. +Please visit [docs/WriteTags.md](./docs/WriteTags.md), where we documented all the current and past ways of cloning Bambu Lab filament RFID tags and compatible RFID tags used to clone them. ## Reverse engineering RFID Board From 353da66607fa0f1a3f79d1ed24eeba9fadcb7dbc Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Wed, 25 Jun 2025 10:51:18 +0800 Subject: [PATCH 14/18] Update ReadTags.md --- docs/ReadTags.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/ReadTags.md b/docs/ReadTags.md index 73c17e4..eb5355f 100644 --- a/docs/ReadTags.md +++ b/docs/ReadTags.md 
@@ -21,12 +21,45 @@ As of Proxmark3 v4.20469, a new command has been implemented to scan a Bambu Lab To scan a tag with this method, place the Proxmark3 device on the tag and run `pm3` in the terminal. Then, in the `pm3` prompt, run: +``` +hf mf bambukeys -r -d;hf mf dump +``` +or ``` hf mf bambukeys -r -d hf mf dump ``` -This process should only take a few seconds. Once the process is complete, the dump will be saved to your current working directory. +This process should only take a few seconds with an expected output similar to below, (to keep things short, dumps of keys and data were truncated) + +``` +[=] ----------------------------------- +[=] UID 4b... XX XX XX XX +[=] ----------------------------------- + +[+] Saved 192 bytes to binary file `Path\to\your\ProxSpace\pm3/hf-mf-XXXXXXXX-key.bin` +[+] Loaded binary key file `Path\to\your\ProxSpace\pm3/hf-mf-XXXXXXXX-key.bin` +[=] Reading sector access bits... +[=] ................. +[+] Finished reading sector access bits +[=] Dumping all blocks from card... +[-] Sector... 15 block... 3 ( ok ) +[+] Succeeded in dumping all blocks + +[+] time: 10 seconds + +[=] -----+-----+-------------------------------------------------+----------------- +[=] sec | blk | data | ascii +[=] -----+-----+-------------------------------------------------+----------------- + +[+] Saved 1024 bytes to binary file `Path\to\your\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.bin` +[+] Saved to json file Path\to\your\ProxSpace\pm3/hf-mf-XXXXXXXX-dump.json +``` +Once the above command is completed you will see that the data dump and keys will have been saved to the working directory of PM3. + +You can find out what each block of data means here, [Bambu Lab Filament Tag Documentation](/BambuLabRfid.md) + +Below continues with more technical explainations and legacy methods. If that doesn't interests you, your instructions are complete here. ### Deriving the keys From 4dd96e9c9c29680de2b1b791d4259839c24c9466 Mon Sep 17 00:00:00 2001 
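Review bot: the re-added link `[Bambu Lab Filament Tag Documentation](/BambuLabRfid.md)` is root-relative, but this file lives in `docs/` next to `BambuLabRfid.md` (moved there in PATCH 01), so it should be `./BambuLabRfid.md`. The same hunk restores the stacked `hf mf bambukeys -r -d;hf mf dump` alternative and the full expected-output listing that PATCH 08 removed as a redundant example, so the two commits should agree on which form to keep. Typos in the closing paragraph: "explainations" and "If that doesn't interests you".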
From: Jackson Yu Date: Wed, 25 Jun 2025 10:52:22 +0800 Subject: [PATCH 15/18] Update ReadTags.md --- docs/ReadTags.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ReadTags.md b/docs/ReadTags.md index eb5355f..02f0fb5 100644 --- a/docs/ReadTags.md +++ b/docs/ReadTags.md @@ -9,10 +9,10 @@ If you have a Proxmark3 device, the easiest way to scan tags is using the built- # Table of contents - * [Dumping Tags using Proxmark3](#dumping-tags-using-proxmark3) - * [Deriving the keys](#deriving-the-keys) - * [Proxmark3 fm11rf08s recovery script (legacy method)](#proxmark3-fm11rf08s-recovery-script-legacy-method) - * [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method) +* [Dumping Tags using Proxmark3](#dumping-tags-using-proxmark3) +* [Deriving the keys](#deriving-the-keys) +* [Proxmark3 fm11rf08s recovery script (legacy method)](#proxmark3-fm11rf08s-recovery-script-legacy-method) +* [Sniffing the tag data with a Proxmark3 (legacy method)](#sniffing-the-tag-data-with-a-proxmark3-legacy-method) ### Dumping Tags using Proxmark3 From 9dd59d34f68ca5c24ec65de67262748c76d8542d Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Wed, 25 Jun 2025 11:28:23 +0800 Subject: [PATCH 16/18] Update WriteTags.md --- docs/WriteTags.md | 127 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 104 insertions(+), 23 deletions(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index 6b18985..c1098f5 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md @@ -13,9 +13,10 @@ This guide is written for the Proxmark3, however this may also be performed with * [Identifying Tag Type](#identifying-tag-type) * [Gen 2](#gen-2) * [Gen 4 FUID](#gen-4-fuid) + * [Writing FUID](#writing-fuid) * [Gen 4 UFUID](#gen-4-ufuid) - * [Writing Tag Dumps](#writing-tag-dumps) - * [Seal UFUID](#seal-ufuid) + * [Writing UFUID](#writing-ufuid) + * [Seal UFUID](#seal-ufuid) ## Requirements 
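Review bot: the leading-space indentation this hunk strips from the `docs/ReadTags.md` TOC is still present in the `docs/WriteTags.md` TOC (see ` * [Requirements](#requirements)` in PATCH 12 and the ` * [Identifying Tag Type]` context lines in PATCH 16), so apply the same fix there for consistency.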
@@ -27,7 +28,7 @@ Please view the [Requirements section of the README](../README.md#requirements). There are tags known as "Magic Tags" which allow functionality that is not part of the classic MIFARE spec. One example is that most Magic Tags allow the UID to be changed, which is normally read-only on MIFARE tags. Magic tags are often referred to by their "generation", for example "Magic Gen 1", but some online sellers will use alternate names in their listings (denoted in parenthesis in the list below). Each newer generation increases the functionality, but tends to also be more expensive. > [!TIP] -> If you purchased bare coil tags and have trouble reading them, try increasing the distance between them and your Proxmark3 to about 10mm. +> If you purchased bare coil tags or you have removed them from a keyfob and have trouble reading them, try increasing the distance between the tag and your Proxmark3 to about 10mm. - Gen 1 (UID) --> **Not compatible** (AMS checks if tag is unlockable with command 0x40) - Gen 2 (CUID) --> **Inconsistent or No longer works** (AMS writes a winky face to block 0, "bricking" the tag) 
@@ -48,64 +49,144 @@ hf mf info The tag type can be identified based upon its magic capabilities. Note that if the tag reports no magic capabilities, it is either incompatible or has already been locked. +> [!WARNING] +> It is IMPORTANT to identify and follow instructions appropriate for your tag, as some commands are specific to the tag type and not always compatible with other tags, running incorrect commands can be irreversible, rendering the tag useless. + ### Gen 2 -Gen 2 tags are marketed as "changeable unique identifier". Their UID can be changed by the user. +Gen 2 tags are marketed as "changeable unique identifier". Their UID can be changed by the user. Currently these are no longer compatible with the AMS system. + +Example Information Output: +``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: XX XX XX XX +[=] --- Magic Tag Information +[+] Magic capabilities... Gen 2 / CUID +``` ### Gen 4 FUID FUIDs are marketed as "write once UID". They have a default UID of `AA55C396` and will allow writes to block 0 in this state. Once the UID is changed, the tag will be locked. -An unlocked tag will have the following magic capabilities: -- Gen 2 / CUID -- Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) -- Write Once / FUID +Example Information Output, for an unlocked FUID tag: +``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: AA 55 C3 96 +[=] --- Magic Tag Information +[+] Magic capabilities... Gen 2 / CUID +[+] Magic capabilities... Gen 4 GDM / USCUID ( Gen4 Magic Wakeup ) +[+] Magic capabilities... Write Once / FUID +``` +#### Writing FUID + +> [!IMPORTANT] +> ALWAYS CHECK THAT YOU CAN CONSISTENTLY READ YOUR TAG USING THE INFO COMMAND BEFORE ATTEMPTING TO WRITE TO THEM. 
+ +To write a dump to a FUID tag, run the following command in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): + +``` +hf mf restore --force -f /path/to/dump.bin +``` +Expected Output: +``` +[+] Loaded binary key file `hf-mf-XXXXXXXX-key.bin` +[=] Using key file `hf-mf-XXXXXXXX-key.bin` +[+] Loaded 1024 bytes from binary file `hf-mf-XXXXXXXX-dump.bin` + +Wall of write messages omitted ending in ( ok ) + +[=] Done! +``` +You can verify that the tag has been successfully written by running `hf mf info` again. The UID should now match the UID of your dump. + +Example Information Output, for a written and locked tag: +``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: XX XX XX XX +[=] --- Magic Tag Information +[=] +``` +If you wish to perform a full content verification, you can run the following command: +``` +hf mf dump --ns +``` ### Gen 4 UFUID UFUIDs are marketed as a "sealable UID", it will allow writes to the card until it is "sealed" by the user. -An unlocked tag will have the following magic capabilities: - -- Gen 1a -- Gen 4 GDM / USCUID ( ZUID Gen1 Magic Wakeup ) +Example Information Output, for an unlocked UFUID tag: +``` +[=] --- Magic Tag Information +[+] Magic capabilities... Gen 1a +[+] Magic capabilities... Gen 4 GDM / USCUID ( ZUID Gen1 Magic Wakeup ) +``` > [!WARNING] > UFUID tags must be sealed, which is a process that cannot be performed on the Flipper Zero; thus, UFUID tags are not compatible with the Flipper Zero for this use case. -## Writing Tag Dumps +#### Writing UFUID > [!IMPORTANT] > ALWAYS CHECK THAT YOU CAN CONSISTENTLY READ YOUR TAG USING THE INFO COMMAND BEFORE ATTEMPTING TO WRITE TO THEM. 
-To write a dump to the tag, run one of the following commands in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): +To write a dump to a UFUID tag, run the following commands in `pm3` (replace `/path/to/dump.bin` with the actual filepath of your dump): -Gen 4 UFUID: ``` hf mf cload -f /path/to/dump.bin ``` - -Other Tag Type: +Expected Output: ``` -hf mf restore --force -f /path/to/dump.bin +[+] Loaded 1024 bytes from binary file `hf-mf-XXXXXXXX-dump.bin` +[=] Copying to magic gen1a MIFARE Classic 1K +[=] ................................................................. +[+] Card loaded 64 blocks from file +[=] Done! ``` - You can verify that the tag has been successfully written by running `hf mf info` again. The UID should now match the UID of your dump. +Example Information Output, for a written and locked tag: +``` +[usb] pm3 --> hf mf info +[=] --- ISO14443-a Information --------------------- +[+] UID: XX XX XX XX +[=] --- Magic Tag Information +[=] +``` If you wish to perform a full content verification, you can run the following command: ``` hf mf dump --ns ``` -### Seal UFUID +#### Seal UFUID Before you can use a UFUID tag on the AMS, you will need to seal the UFUID tag by issuing the following commands, otherwise it will respond to Magic Card Gen1 commands which the AMS will identify and ignore the tag. - +> [!WARNING] +> This procedure depends on you issuing the chain of commands succesively and completing the full set within a very short period of time. You can opt to run the stacked version of the command to ensure it is run succesively. ``` hf 14a raw -a -k -b 7 40 hf 14a raw -k 43 hf 14a raw -k -c e100 hf 14a raw -c 85000000000000000000000000000008 ``` - -The tag should now display no magic capabilities when running `hf mf info`. Your UFUID tag is now written, locked and ready to use. 
+or (Stacked Version) +``` +hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 +``` +Expected Output: +``` +[usb] pm3 --> hf 14a raw -a -k -b 7 40;hf 14a raw -k 43;hf 14a raw -k -c e100;hf 14a raw -c 85000000000000000000000000000008 +[+] 0A +[+] 0A +[+] 0A +[+] 0A +``` +The tag should now display no magic capabilities when running `hf mf info`. +``` +[=] --- Magic Tag Information +[=] +``` +Your UFUID tag is now written, locked and ready to use. From 3f835f5689d019614720bb571e81ed39d9b90d88 Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Wed, 25 Jun 2025 11:37:35 +0800 Subject: [PATCH 17/18] Update WriteTags.md --- docs/WriteTags.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index c1098f5..4672110 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md @@ -4,7 +4,11 @@ This document serves as a guide for copying tag dumps onto new tags. This guide is written for the Proxmark3, however this may also be performed with other devices like the Flipper Zero. > [!WARNING] -> This guide comes with **ABSOLUTELY NO WARRANTY.** Proceed at your own risk! +> This guide comes with **ABSOLUTELY NO WARRANTY.** +> +> While we try to take the utmost care in writing this guide, however software and hardware can change, making this guide outdated. +> +> Currently only write-once tags work with consistency, many of the described commands are irreversible, so proceed at your own risk! # Table of contents From 94e1d090860257a7a6278c4a4d175b04d98d89a4 Mon Sep 17 00:00:00 2001 From: Jackson Yu Date: Wed, 25 Jun 2025 11:39:43 +0800 Subject: [PATCH 18/18] Update WriteTags.md --- docs/WriteTags.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/WriteTags.md b/docs/WriteTags.md index 4672110..2529d18 100644 --- a/docs/WriteTags.md +++ b/docs/WriteTags.md 
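Review bot: the new Seal UFUID block tells the reader to expect four `0A` responses but never says what to do when one of them is missing or different, and sealing is the one-way step of this whole procedure (the text itself says the tag accepts writes only until it is sealed), so this is the place where a failure-path sentence matters most. Suggest adding after the Expected Output something like: `Anything other than four 0A lines means the seal did not complete; run hf mf info again and confirm the tag still reports magic capabilities before retrying, and do not seal until hf mf dump --ns has confirmed the contents.` Two smaller points in the same hunk: the added warning spells "succesively" twice (should be "successively"), and the FUID Expected Output shows `[+] Loaded binary key file hf-mf-XXXXXXXX-key.bin` although the documented command `hf mf restore --force -f /path/to/dump.bin` names no key file, so one sentence stating that the matching `hf-mf-<UID>-key.bin` from the key-recovery step must be available to pm3 would stop readers wondering why their output differs.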
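Review bot: the expanded warning in the `@@ -4,7 +4,11 @@` hunk doubles its concessive ("While we try to take the utmost care in writing this guide, however software and hardware can change"); suggest `While we take the utmost care in writing this guide, software and hardware can change and make it outdated.` The last added line, "Currently only write-once tags work with consistency", uses a term the document does not define; the rest of the guide speaks of tag types by name (FUID, Gen 4 UFUID, Gen 2), so naming the types that are known to work here would make the caveat actionable.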
@@ -53,7 +53,7 @@ hf mf info The tag type can be identified based upon its magic capabilities. Note that if the tag reports no magic capabilities, it is either incompatible or has already been locked. -> [!WARNING] +> [!CAUTION] > It is IMPORTANT to identify and follow instructions appropriate for your tag, as some commands are specific to the tag type and not always compatible with other tags, running incorrect commands can be irreversible, rendering the tag useless. ### Gen 2
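Review bot: the sentence under the alert whose level this hunk raises to `[!CAUTION]` runs three clauses together with commas ("...and not always compatible with other tags, running incorrect commands can be irreversible, rendering the tag useless"); since the whole point of the level change is to make the consequence stand out, split it into two sentences, e.g. `Some commands are specific to one tag type and are not always compatible with others. Running the wrong command can be irreversible and render the tag useless.` The commit message `Update WriteTags.md` also says nothing about what changed; a subject such as `docs(WriteTags): raise tag-type warning to CAUTION` would keep the history searchable.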
