Cloning RFID Tags NFC
Gavin Johnson-Lynn
Proxmark 3, Cloning a Mifare Classic 1K
When I first started using the Proxmark, it all sounded like it was going to be easy, you wave a card at the device, the Proxmark works its magic and then you can emulate or clone the card.
Wrong, wrong, wrong. For most cards I’ve encountered anyway.
It’s really not that straightforward, there are different cards with different functionality, some have defaults that make it simple to clone them (if the defaults haven’t been changed), some have good security and there are currently no methods to clone them – unless you’ve already got access keys. Maybe some of the security isn’t that strong but the card type isn’t popular enough to have had people scrutinise it.
I have so far had experience with a few different card types, the only relatively easily cloneable one being the Mifare Classic 1K. Understanding how to clone this card felt like a bit of a trek, but once I got there it didn’t seem like such a big deal. Hopefully this step by step guide means others won’t need to do the trek.
A quick note on cloning a card
Cards typically have their own unique ID (UID). They get written when the card is created and that area of memory is then made read only, so it can’t be changed. If you want a clone of the card then you want both the UID and the data on the card to be copied across to the new card, but this isn’t normally possible due to the UID being read only.
Enter the “UID changeable”, aka “Chinese backdoor” (seriously) cards, which allow you to change their UID. It’s useful to have one of these before progressing.
A good start is to update the device………
Install from the command line (I’m using a Mac here):
- Code:
> brew tap proxmark/proxmark3
> brew install proxmark3
Connecting to the proxmark:
Change to your proxmark client directory:
- Code:
> cd proxmark3/client
List modems, e.g. /dev/cu.usbmodem14101 :
- Code:
> ls /dev/cu*
Connect to the modem shown from the last command:
- Code:
> ./proxmark3 /dev/cu.usbmodem14101
The cloning process
You should now have a proxmark command prompt, so with a card on the proxmark, assuming it’s a high frequency card, you can:
- Code:
proxmark3> hf search
Which results in a response along the lines of:
- Code:
#db# DownloadFPGA(len: 42096)
UID : ba 2e a6 ab
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quitting Search
In this case it’s a Mifare 1k card. This also shows us the UID (ba2ea6ab) of the card, which we’ll need later. From there we can find keys in use by checking against a list of default keys (hopefully one of these has been used):
- Code:
proxmark3> hf mf chk * ?
This should show us the key we require looking something like:
- Code:
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
...omitted for brevity...
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
This shows a key of ffffffffffff, which we can plug into the next command, which dumps keys to file:
- Code:
proxmark3> hf mf nested 1 0 A ffffffffffff d
This dumps keys from the card into the file dumpkeys.bin.
Now to dump the contents of the card:
- Code:
proxmark3> hf mf dump
This dumps data from the card into dumpdata.bin
At this point we’ve got everything we need from the card, we can take it off the reader.
To copy that data onto a new card, place the (Chinese backdoor) card on the proxmark:
- Code:
proxmark3> hf mf restore 1
This restores the dumped data onto the new card. Now we just need to give the card the UID we got from the original hf search command:
- Code:
proxmark3> hf mf csetuid ba2ea6ab
We’re done, the new card should work.
This whole process can be completed in a minute or two, so it’s not a quick read of the card by any means.
Why do we need keys
When most modern cards are placed next to a card reader there’s a handshake to ensure the card has the expected keys. This handshake moves the card through a number of states and only when the handshake successfully completes will the card allow access to all data stored on it. This is the reason that you can’t simply clone most cards, you need the correct key to complete the handshake and allow access to the contents of the card.
A defensive lesson
Some cards use default keys, while this makes it easy to clone a card, it also makes it pretty poor from a defensive point of view. It’s like using default admin credentials for a database, it makes an attacker’s life easy.
The lights on the Proxmark
I have to admit pretty much ignoring them. When I use it, it’s always connected to the laptop, so I’ve got the console output to see what it’s doing. There was a point where I tried to understand them, I found a guide, they were starting to make sense. Then I updated the device and that changed what the lights did completely. I’ve ignored them ever since.
Fix a broken card
We had a situation where we wanted to clone a Mifare Desfire card but didn’t have an identical card to copy it to – we only had a Mifare Classic 1K. We also couldn’t read the complete card as we didn’t have the key to authenticate, so all we could usefully get was the UID. Some research suggested a small chance that just using the UID might be enough to get past a secure door if there was a (very) sloppy implementation. We copied that UID (10 bytes) to a Mifare Classic 1K card (which uses a 7 byte UID). The difference in UID size was another indication that this was very unlikely to work. It didn’t work. Doing this left our Mifare Classic card in a state where the Proxmark wouldn’t even read it, so to fix that we did:
- Code:
proxmark3> hf mf cwipe 1 w f
Automation
In your proxmark/client/scripts directory, you’ll notice lots of Lua scripts. Some of these may be useful to you, so it’s worth a quick look to see what they do. They’ll also be useful if you plan to automate some of your use of the Proxmark. Looking at the scripts should help understand what you can do.
Andprox
There is a potentially useful app called Andprox which allows you to run a Proxmark on your mobile phone. All of the commands you can run on the Proxmark from a laptop can also be done from Andprox, with the exception of Lua scripts.
The only issue I had with Andprox was that the connection from my mobile to the Proxmark kept dropping. My assumption was that it may not have been getting enough power from my mobile (Nexus 5X – yes, I really need a new mobile)
Tips
RFID is close range, recommendation is that you hold card 1cm above the Proxmark. Typically I just put the card on the Proxmark, sometimes just the position on the device is important, turn it over, move it round a bit. If that fails a lot then I’ll try holding it a little higher.
Useful links:
Cheatsheet: https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html
Commands (and the github repo): https://github.com/Proxmark/proxmark3/wiki/commands
Mifare Classic help: https://store.ryscc.com/blogs/news/35894145-emulating-a-mifare-classic-1k-tag-with-the-proxmark3
Mifare Classic Universal Toolkit (MFCUK): https://github.com/nfc-tools/mfcuk
Mifare Classic Offline Cracker (MFOC): https://github.com/nfc-tools/mfoc
NFC Writer: https://play.google.com/store/apps/details?id=com.tagstand.writer&hl=en_GB
None of this makes me an expert, so far I’ve got a basic understanding, at least enough to get something working!
You can pick up a proxmark from here: Elechouse Proxmark3 Kit RDV2
gavinjl.me/proxmark-3-cloning-a-mifare-classic-1k
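The "defensive lesson" in the post above, turned into a check a card issuer can run against its own cards (an added example, not code from the post or from the Proxmark project): it reads a MIFARE Classic 1K dump and reports every sector whose key A or key B is one of the default keys listed in the hf mf chk output. It assumes a 1024-byte dump with both keys filled into each sector trailer; the sample dump and its non-default keys are constructed.

```python
# Added example: audit a MIFARE Classic 1K dump for default sector keys.
# Assumption: 1024-byte dump with key A and key B filled into every sector
# trailer. A raw trailer read returns key A as zeros, which this audit
# would report as the default key 000000000000.

# The thirteen default keys printed by "hf mf chk * ?" in the post.
DEFAULT_KEYS = frozenset(bytes.fromhex(k) for k in (
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "aabbccddeeff", "4d3a99c351dd", "1a982c7e459a", "d3f7d3f7d3f7",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
))
FACTORY_ACCESS = bytes.fromhex("ff0780")  # access bits of an unconfigured card

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16
DUMP_SIZE = BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS  # 1024 bytes


def sector_trailers(dump):
    """Yield (sector, trailer block number, key A, access bits, key B)."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes, got {len(dump)}")
    for sector in range(SECTORS):
        # The last block of each sector is the trailer:
        # key A (6 bytes) | access bits (3) | user byte (1) | key B (6)
        block_no = sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1
        trailer = dump[block_no * BLOCK_SIZE:(block_no + 1) * BLOCK_SIZE]
        yield sector, block_no, trailer[0:6], trailer[6:9], trailer[10:16]


def audit_dump(dump):
    """Return one finding per sector that still uses a default key."""
    findings = []
    for sector, block_no, key_a, access, key_b in sector_trailers(bytes(dump)):
        weak = [name for name, key in (("A", key_a), ("B", key_b))
                if key in DEFAULT_KEYS]
        if weak:
            findings.append({
                "sector": sector,
                "trailer_block": block_no,
                "default_keys": weak,
                # True when the access bits were never changed either.
                "factory_access": access == FACTORY_ACCESS,
            })
    return findings


def build_sample_dump():
    """Constructed sample: factory card with sector 1 rekeyed, sector 2 half rekeyed."""
    default = bytes.fromhex("ffffffffffff")
    factory_trailer = default + bytes.fromhex("ff078069") + default
    rekeyed_access = bytes.fromhex("78778869")   # constructed, non-factory access bits
    custom_a = bytes.fromhex("2b7e151628ae")     # constructed key
    custom_b = bytes.fromhex("d2a6abf7158f")     # constructed key
    trailers = {sector: factory_trailer for sector in range(SECTORS)}
    trailers[1] = custom_a + rekeyed_access + custom_b
    trailers[2] = custom_a + rekeyed_access + bytes.fromhex("b0b1b2b3b4b5")
    dump = bytearray(DUMP_SIZE)
    for sector, trailer in trailers.items():
        offset = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
        dump[offset:offset + BLOCK_SIZE] = trailer
    return bytes(dump)


if __name__ == "__main__":
    for finding in audit_dump(build_sample_dump()):
        print("sector {sector:2d} (block {trailer_block:2d}): default key "
              "{default_keys}, factory access bits: {factory_access}"
              .format(**finding))
```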
Re: Cloning RFID Tags NFC
Using your mobile phone (Android) to clone tags
timdows
Creating the awesomeness
Using a mobile phone to clone a MIFARE card
June 20, 2016 by Tim Theeuwes
Overview
- Why?
- MIFARE Classic?
- MIFARE Ultralight?
- Reading and capturing contents of the card
- About this manufacturer block (Sector 0 – Block 0)
- The UID thing that messes with my head
- Writing a 4Byte dump on a different card
Why?
The MIFARE NFC card is used in many environments. I got a trash card, a card that I have to use to open the underground trash bin, that I want to clone. As the replacement cost for a lost / broken card is €10, a clone would be a good investment.
By holding the card in front of the reader, I can open the trashcan, oh happy days.
In my search for information, I found the following pages interesting:
- https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf
- http://www.proxmark.org/forum/viewtopic.php?id=1535
- http://www.shopnfc.it/en/content/7-nfc-device-compatibility
- http://publications.icaria.de/mct/releases/2.0/
- http://www.scnf.org.uk/smartstore/4-7_B_ID_Questions_Answeres_V8.pdf
- http://cache.nxp.com/documents/data_sheet/MF1S70YYX_V1.pdf?pspll=1
- https://learn.adafruit.com/adafruit-pn532-rfid-nfc/mifare
- http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf (Ultralight / 7Byte UID)
- https://www.kismetwireless.net/code-old/svn/hardware/kisbee-02/firmware/drivers/rf/pn532/helpers/
- http://stackoverflow.com/questions/21700718/serials-on-nfc-tags-truly-unique-cloneable
- http://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-android
- https://store.ryscc.com/products/new-proxmark3-kit
MIFARE Classic?
Some informational dumps:
- 16 bits CRC per block
- Anticollision loop
- 1kB or 4kB of EEPROM
- CRYPTO1 stream cipher (mjah, close to zero security)
- Manufacturer / data / value blocks
MIFARE Ultralight?
MiFare Ultralight cards typically contain 512 bits (64 bytes) of memory, including 4 bytes (32-bits) of OTP (One Time Programmable) memory where the individual bits can be written but not erased.
MiFare Ultralight cards have a 7-byte UID that uniquely identifies the card.
Reading and capturing contents of the card
After some investigation I noticed that my Samsung mobile phone has an NFC reader.
I used the https://github.com/ikarus23/MifareClassicTool on my Samsung S6, the result was a bit disappointing:
On a Samsung S6
After some googling, I found that the hardware chip, used to read NFC tags, was just not on my S6.
But it showed that it was on an old S3, that I had laying around, it just worked like a charm on my Samsung Galaxy S3 with Android 6:
On a Samsung S3
In order to read the contents of the card, the MIFARE card can be read easily.
Use the supplied key sets and start mapping and read tag
Pom pie dom…
Detailed information about every sector on the card (if any data would be present except the UID)
So the only interesting information is in Sector: 0, also called the manufacturer block.
I also noticed that the UID was 7Byte, making it a MIFARE Ultralight card grrrrrrr…
About this manufacturer block (Sector 0 – Block 0)
This part of the card is the only interesting part, as no other data is written to any sector/block as far as I can see.
In order to understand the difference between a 4Byte and 7Byte UID (i.e. MIFARE Classic vs MIFARE Ultralight), I have added some pictures:
A more detailed picture explains some more information is included after the serial number on block 0:
A more detailed picture of the 7byte UID:
The UID thing that messes with my head
As you could see on my tag info, the UID on my trash card is 7 byte, so it works a bit different than the 4 byte one.
The different types of UID are explained as follows:
ISO/IEC 14443 Type A defines a Unique IDentifier to be used for card selection and activation. The standard defines single, double and triple size UIDs which correspondingly consist of 4, 7 and 10 Byte.
What is the difference between a 4 Byte UID and a 4 Byte ID?
A 4 byte UID is an identifier which has been assigned by the card manufacturer using a controlled database. This database ensures that a single identifier is not used twice. In contradiction, a 4 byte ID is an identifier which may be assigned to more than one contactless chip over the production time of a product so that more than one card with the same identifier may be deployed into one particular contactless system.
Writing a 4Byte dump on a different card
As it is just cool to write a card’s dump back, I have found a 4Byte UID MIFARE Classic 1kB card.
Card information
Content of Sector: 0
Ebay has a solution for everything. UID writable MIFARE Classic cards. These cards make it possible to write Sector 0 – block 0 (i.e. the manufacturer block).
Write tag and enable writing to manufacturer block
Select what to write from the dump
Click start mapping and write dump
Compare the two tags, only the SAK is different, I hope that will still work in a real live situation
Cloned card Original card
38 thoughts on “Using a mobile phone to clone a MIFARE card”
[list=comment-list][*]Luuk Wuijster
December 4, 2016 at 22:41
Is it also possible to use an app to broadcast the NFC?
So that you just use your phone as the card.
-
Tim Theeuwes
January 9, 2017 at 23:02
A mobile phone should be able to do that (contactless payment with your NFC chip held against a payment terminal).
But I haven’t found it in the app that I use myself.
Buying a proxmark3 would be really great: https://store.ryscc.com
Ruben
October 19, 2017 at 10:31
Depends on the reader.
Some readers only support passive cards, others also active ones (emulation).
[*]
Rick
March 28, 2017 at 23:21
This may be a stupid question, but is it possible to write a dump of a card with a 7 byte UID to a card with a 4 byte UID?
-
Tim
April 19, 2017 at 15:15
I haven’t managed this yet.
What I’m looking for are 7 byte UID cards that have a changeable block/sector 0.
If anyone knows where I can get these… I would love to hear it
Martijn
June 21, 2017 at 22:15
Have you found those yet?
Alexandra
June 27, 2017 at 13:44
Hi Tim,
Nice work. I was trying to figure it out myself when I came across your page. I found these with a 7 byte UID: https://www.amazon.co.uk/Genuine-Philips-Mifare-Cards-Byte/dp/B016DQBO2W but I don’t know whether the brand matters.
[*]
Jared
June 8, 2017 at 01:13
so did it work?
[*]
Nacho
July 19, 2017 at 14:30
Hi, so interesting.
I have a question: I’d like to emulate the dump with the mobile.
Do you think it is possible?
I have been looking for an app in Google Play but I didn’t find anything yet.
I would like to emulate my card access.
thanks a lot
[*]
rutg798
August 16, 2017 at 11:58
Did you ever manage to copy the waste card? So far I can’t find a rewritable 7 byte UID card.
[*]
harry
August 23, 2017 at 12:11
I do manage it with a jailbroken iPhone 6.
On my S7 edge too.
You have to load the pad, then fix those bytes. They are on Google.
The card is your address, which is why those are fixed. On the card.
Via fix you can load these.
-
Remon Sami
October 31, 2017 at 11:59
Hi Harry
More info please …….. fixing bytes ??
link to site, link to software,
where can you buy the card ??
remon
[*]
Ray
September 13, 2017 at 07:02
Sorry, but I never managed to copy the waste card. I have a bag of 10 UID (key fobs), and per your instructions the UID is 7 byte and sector 0 writable.
The problem is not writing to sector 0 but the A/B key; I get a CRC error (key not match), so I am missing the step where the key is decoded !!??
Please help, I have ordered more UID from China and I hope for more info from you. Ray
[*]
Ray
September 13, 2017 at 07:07
Short correction: BCC error (key not match)
[*]
kristan oppersma
September 26, 2017 at 13:15
Is it possible to modify the data on the card itself
[*]
max
September 30, 2017 at 13:06
“only the SAK is different, I hope that will still work in a real live situation”
Did you get it working?
[*]
Keith
October 1, 2017 at 03:49
I am getting a “BCC of block 0 is not valid” error when trying to write block 0.
[*]
Keith
October 20, 2017 at 06:55
I don’t get all the stuff you’re saying about Figure 6 and Figure 7, it’s not well explained.
I used the app to try to copy a fob, and it seems to have corrupted each copy so now it’s unreadable.
[*]
Ole
December 11, 2017 at 13:34
I have the exact same blue keyring nfcs.
But sector 0 is not writable, wtf.
[*]
Dave5568
December 16, 2017 at 14:55
Why make it difficult when it can be easy?
I copied the card with my mobile (Sony) and from now on I simulate the card! (20 seconds to download the app and 1 sec. to copy, works right away)
So at home we all have our own mobile and yet always “the same” card with us )
(Never lose your card or be without it again!)
My advice: never lend out your card (or let your mobile get hacked), otherwise they can happily dump waste in your name ! !
-
Henk
December 20, 2017 at 23:05
Which app did you do this with?
Leo2489
January 15, 2018 at 23:06
Dave5568, which app do you use to simulate the card?
[*]
JJ
December 17, 2017 at 13:01
Interesting, Tim. Started today checking how I can easily copy a waste container card for all family members. Would a device like this work?
https://www.aliexpress.com/item/English-Rfid-NFC-Copier-Reader-Writer-Cloner-Copy-10-Frequency-Programmer-5Pcs-125khz-EM4305-Keyfobs-5Pcs/32814673337.html
[*]
Henk
December 18, 2017 at 12:03
Which Android app was used for this?
-
Henk
December 18, 2017 at 12:09
Never mind, I see I didn’t look properly.
[*]
Inku
March 29, 2018 at 06:41
I tried with one of those UID writable cards, and Mifare Classic Tools gave me an error.
Maybe changing a phone would work? I’ve heard that Android actually doesn’t support the command of writing a UID.
[*]
ikarus
April 5, 2018 at 20:37
Hi Tim, great write up!
Maybe you want to update the post because your assumptions about Mifare Classic vs. Mifare Ultralight are wrong. Even the tag with the 7 byte UID is a Mifare Classic tag. There are Mifare Classic tags with 4 or 7 byte UIDs! Check out section 1.3 of the datasheet http://www.nxp.com/documents/data_sheet/MF1S50YYX.pdf Also, MCT app can only read Mifare Classic tags and not Mifare Ultralight.
[*]
MartinFum
May 1, 2018 at 17:05
Hi all, I’m a newbie here. Good post! Thx! Love your stories!
[*]
Mathias
May 20, 2018 at 12:43
Good article. Where can I get UID / Block 0 changeable cards with a 7byte UID?
[/list]
Comments are closed.
tim@inexpro.nl
timdows.com/projects/using-a-mobile-phone-to-clone-a-mifare-card/
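How a reader puts together the single, double and triple size UIDs (4, 7 and 10 bytes) quoted in the post above, shown as an added example that is not code from the post or from MifareClassicTool: each cascade level of the anticollision loop returns four bytes plus a BCC check byte, and the reader verifies the BCC before accepting the bytes. On a 4-byte UID card the same XOR check byte sits in block 0 directly after the UID, which is the value a "BCC of block 0 is not valid" message refers to. The function names and the 7 and 10 byte sample UIDs are constructed for the example.

```python
# Added example: reader-side reassembly of an ISO/IEC 14443 Type A UID.
# Each cascade level returns a 5-byte frame: four bytes plus a BCC.
# Function names and the 7/10 byte sample UIDs are constructed.

CASCADE_TAG = 0x88                 # first byte of a frame when more UID bytes follow
UID_LENGTH = {1: 4, 2: 7, 3: 10}   # cascade levels -> single, double, triple size


def bcc(four_bytes):
    """Block check character: XOR of the four bytes it protects."""
    a, b, c, d = four_bytes
    return a ^ b ^ c ^ d


def frames_for(uid):
    """Split a UID into per-level frames (used here to build sample input)."""
    levels = {size: n for n, size in UID_LENGTH.items()}.get(len(uid))
    if levels is None:
        raise ValueError("UID must be 4, 7 or 10 bytes")
    frames, rest = [], bytes(uid)
    for level in range(1, levels + 1):
        if level < levels:
            # Not the last level: cascade tag followed by three UID bytes.
            body, rest = bytes([CASCADE_TAG]) + rest[:3], rest[3:]
        else:
            # Last level: the remaining four UID bytes.
            body = rest
        frames.append(body + bytes([bcc(body)]))
    return frames


def assemble_uid(frames):
    """Verify every frame's BCC and return the complete UID."""
    if len(frames) not in UID_LENGTH:
        raise ValueError("expected 1, 2 or 3 cascade levels")
    uid = bytearray()
    for level, frame in enumerate(frames, start=1):
        if len(frame) != 5:
            raise ValueError(f"level {level}: frame must be 5 bytes")
        body, check = frame[:4], frame[4]
        if bcc(body) != check:
            raise ValueError(f"level {level}: BCC mismatch")
        last = level == len(frames)
        if last and body[0] == CASCADE_TAG:
            # A cascade tag in the final frame means the UID is incomplete.
            raise ValueError("UID incomplete: another cascade level is needed")
        if not last and body[0] != CASCADE_TAG:
            raise ValueError(f"level {level}: cascade tag missing")
        uid += body if last else body[1:]
    return bytes(uid)


if __name__ == "__main__":
    samples = [
        bytes.fromhex("ba2ea6ab"),              # the 4-byte UID shown on this page
        bytes.fromhex("04a1b2c3d4e5f6"),        # constructed 7-byte UID
        bytes.fromhex("04a1b2c3d4e5f6071829"),  # constructed 10-byte UID
    ]
    for uid in samples:
        frames = frames_for(uid)
        print(len(uid), "byte UID:", [f.hex() for f in frames],
              "->", assemble_uid(frames).hex())
```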