doc/standalone/hf_doegox_auth0.md

- Author: Philippe Teuwen (doegox)
- Frequency: HF (13.56 MHz)
- Hardware: Generic Proxmark3 (RDV4 with 9V antenna recommended)

Performs a relay-style attack to unlock password-protected MIFARE Ultralight C or Ultralight AES tags by rewriting the AUTH0 configuration byte during an authenticated session.

MIFARE Ultralight C and AES variants can password-protect their memory by setting an AUTH0 byte that specifies the first page requiring authentication. If AUTH0 itself is writable during an authenticated session, this mode exploits that window, which opens during a legitimate reader's auth handshake, to rewrite AUTH0 to a higher page number, effectively unlocking all previously protected pages.

This is a sophisticated attack that requires precise timing and makes protected data permanently accessible.
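
The check below is an added example, not part of the Proxmark3 source: it audits a MIFARE Ultralight C dump to report which pages AUTH0 protects and whether AUTH0 can still be rewritten, which is the condition this mode depends on. The page numbers and lock-bit position are assumptions taken from the NXP MF0ICU2 datasheet (Ultralight AES uses a different layout and is not covered), and `make_dump` and `audit_ulc` are hypothetical helpers working on constructed sample dumps.

```python
# Added example: audit a MIFARE Ultralight C dump for a rewritable AUTH0.
# Layout constants are assumptions taken from the NXP MF0ICU2 datasheet.
PAGE_LOCK = 0x28       # byte 1 is lock byte 3 (covers pages 0x29-0x2F)
PAGE_AUTH0 = 0x2A      # byte 0: first page that requires authentication
PAGE_AUTH1 = 0x2B      # byte 0 bit 0: 1 = only writes need authentication
LOCK_AUTH0_BIT = 0x20  # lock byte 3 bit 5: page 0x2A becomes read-only
TOTAL_PAGES = 0x30     # AUTH0 >= 0x30 means no page is protected


def make_dump(auth0, auth1=0x00, lock3=0x00):
    """Constructed sample input: blank 48-page image with chosen config."""
    dump = bytearray(TOTAL_PAGES * 4)
    dump[PAGE_LOCK * 4 + 1] = lock3
    dump[PAGE_AUTH0 * 4] = auth0
    dump[PAGE_AUTH1 * 4] = auth1
    return bytes(dump)


def audit_ulc(dump):
    """Report what AUTH0 protects and who can still rewrite it."""
    # Key pages 0x2C-0x2F are never readable, so shorter dumps are accepted.
    if len(dump) < (PAGE_AUTH1 + 1) * 4:
        raise ValueError("dump does not reach the AUTH0/AUTH1 pages")
    auth0 = dump[PAGE_AUTH0 * 4]
    protected = list(range(auth0, TOTAL_PAGES)) if auth0 < TOTAL_PAGES else []
    if dump[PAGE_LOCK * 4 + 1] & LOCK_AUTH0_BIT:
        writable = "locked"          # AUTH0 can no longer be changed
    elif PAGE_AUTH0 in protected:
        writable = "authenticated"   # the window this mode relies on
    else:
        writable = "anyone"          # config page is not protected at all
    return {
        "auth0": auth0,
        "protected_pages": protected,
        "reads_need_auth": bool(protected) and not dump[PAGE_AUTH1 * 4] & 1,
        "auth0_writable_by": writable,
    }


if __name__ == "__main__":
    for name, dump in [("auth enabled, AUTH0 unlocked", make_dump(0x04)),
                       ("auth enabled, AUTH0 locked", make_dump(0x04, lock3=0x20)),
                       ("protection disabled", make_dump(0x30))]:
        r = audit_ulc(dump)
        print(f"{name}: AUTH0=0x{r['auth0']:02X}, "
              f"{len(r['protected_pages'])} protected pages, "
              f"AUTH0 writable by: {r['auth0_writable_by']}")
```

A result of `authenticated` means the tag is exposed to the rewrite described above, while `locked` means the lock bit for page 0x2A was set at provisioning.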

| LED | Meaning |
|---|---|
| A (solid) | Looking for card / preparing |
| B (solid) | Card found |
| C (solid) | Sniffing for auth exchange |
| D (solid) | Write successful |
| D (blinking) | Write failed |

| Action | Effect |
|---|---|
| Press (1 sec) | Initiate AUTH0 write during next auth sniff |
| Button press | Exit mode (from other states) |

```mermaid
stateDiagram-v2
    [*] --> LOOK_FOR_CARD : Startup\nLED_A
    LOOK_FOR_CARD --> SNIFF_AUTH : ULC/ULAES found\nLED_B → LED_C
    LOOK_FOR_CARD --> LOOK_FOR_CARD : No compatible card
    SNIFF_AUTH --> WAIT_BUTTON : Auth detected
    WAIT_BUTTON --> WAIT_RELEASE : Button pressed\n(ready to write)
    WAIT_RELEASE --> WRITE_AUTH0 : Button released
    WRITE_AUTH0 --> EXIT_SUCCESS : AUTH0 rewritten\nLED_D solid
    WRITE_AUTH0 --> EXIT_FAIL : Write failed\nLED_D blink
    EXIT_SUCCESS --> [*]
    EXIT_FAIL --> [*]
```

```bash
make clean
make STANDALONE=HF_DOEGOX_AUTH0 -j
./pm3-flash-fullimage
```