How to duplicate unknown Mifare CLASSIC NFC tags ?

Tutorial

The basics of NFC hacking with a very common example ... !

Dates
  • Creation: 03/31/2020
  • Update: 08/26/2020
Members
duplicate-mifare-classic-nfc-taglucas_bichet

NFC technology allows two devices to communicate wirelessly at short range. This technology is characterized by a frequency range of 13.56 MHz, a data rate of up to 424 kbit/s and a communication distance of the order of a centimetre. The technology is user-intended and cannot normally be used without the user's knowledge.

A device is defined here as any tool with a smart card (e.g. a gate badge) or an RFID reader (e.g. a USB RFID reader) or both at the same time (e.g. a mobile phone, via NFC card emulation on recent versions of Android). 

Communication is mostly one-way: one of the devices acts as a transmitter while the other behaves as a receiver.


Prerequisites

  • A Linux machine with an NFC reader
  • A Mifare CLASSIC NFC tag
  • Optional: a Mifare CLASSIC NFC tag with rewritable UID


What is a Mifare CLASSIC NFC tag ?

Mifare NFC tags are smart cards, or more simply memory cards with an NFC chip. There are several types, the main differences being the size and structure of the memory offered, the level of security offered (through more or less robust authentication mechanisms) as well as the power of the card (presence of several dedicated processors for cryptographic calculations for example).

We are going to look in more detail at the Mifare CLASSIC 1k/4k cards: indeed, these are extremely widespread due to their low cost and their reputation as a secure card until a few years ago. They can be found in the vast majority of card access systems but also in some transport networks!


The operation of this range of cards is fortunately very simple. The memory proposed by this solution is cut differently according to the size of the memory:

  • If the memory is 1kb, it is divided into 16 sectors of 4 blocks.
  • If the memory is 4kb, it is divided into 32 sectors of 4 blocks, followed by 8 sectors of 16 blocks.

Each block contains 16 bytes that the user can read or write as he wants (after authenticating himself, of course, but we'll come back to this later). Only some blocks are exceptions, and are used for the internal functioning of the card. We will detail them here.

The first special block is the first block of the first sector: this block contains information allowing to identify the card. It is the only read-only block of the card: you can only read it, not rewrite it. This block can be composed in 2 different ways, depending on whether the UID (pseudo-unique identifier of the card) is 4 or 7 bytes.


As the diagram above shows:

  • For cards with a 4 bytes UID, the composition of the 1st block is as follows: UID (4 bytes) - LRC (checksum composed of the 4 bytes of the UID xored with each other) (1 byte) - SAK (1 byte) - ATQA (2 bytes) - Manufacturer's info (8 bytes)
  • For cards with a 7 bytes UID, the composition of the 1st block is as follows: UID (7 bytes) - SAK (1 byte) - ATQA (2 bytes) - Manufacturing information (6 bytes)

For the SAK and ATQA bytes, I won't go into details here, but a table to interpret them is available in the attached documentation. For example, you can find the size of the UID of our card among the information contained in the ATQA.


The last block of each sector is also special: it is used to authenticate the user to the targeted sector and contains the access keys to the sector in question as well as the access rights associated with these keys. 

As shown in the diagram above:

  • This block consists of a first access key called key A (6 bytes) followed by 3 bytes indicating the access rights, followed by an empty byte (it is absolutely useless) and finally followed by a second access key called key B (6 bytes).


To better understand how the access bits are used, I invite you to read the documentation in more detail, and to use the following site (which allows you to easily interpret the access bits of the Mifare CLASSIC cards): https://cardinfo.barkweb.com.au/index.php?location=19&sub=20

To show you the range of possibilities of these access bits, it is possible for example to allow key A to read only and key B to write only to the sector.

The last block of each sector is therefore not read-only, it is possible to rewrite it but you must be extremely careful what you write to it in order not to lose control of the card.


Read and write Mifare CLASSIC tag

Reading and writing a Mifare CLASSIC card is relatively simple: all you need is an NFC compatible reader and an associated NFC library in the language you wish to use.


According to my experience, it is possible to interact with a Mifare CLASSIC card in Arduino (https://github.com/Seeed-Studio/PN532), in Node (https://github.com/pokusew/nfc-pcsc), from an Android phone application (https://play.google.com/store/apps/details?id=de.syss.MifareClassicTool&hl=fr), or from a Linux terminal (libnfc).

I will take the latter as an example, but the bookstores mentioned above are all very well documented and accessible.

I personnally use the ACR122 reader, for this reader to work there is a bit of pre-installation: you need to install the pcsc service and associated tools.

apt-get install pcscd pcsc-tools libpcsclite-dev libpcsclite1 libusb-dev

For the reader to work, the pcsc service must be started:

service pcscd start

The reader light should now come on. If this doesn't work, it is often due to the presence of a driver for PN533 drives that is incompatible with the ACR122, which you can disable as follows:

modprobe -r pn533 nfc


We will now install the standard NFC library for Linux :

apt-get install libnfc-bin libnfc-dev libnfc5

Everything is ready: now we can play!


We can therefore list the available readers:

nfc-scan-device

You can also try to list the cards detected on this reader:

nfc-list

The informations discussed above can be found here.


To read and write, the nfc-mfclassic tool is used. This tool was mainly developed for security research purposes on these cards, so it is not extremely simple and useful for conventional use. Indeed, it does not allow to directly indicate the sector that one wishes to read and the key to use. Instead, it proposes to the user to pass as argument a file containing a dump (with the keys included) of a card to reuse the keys, or to use a list of keys that are often found.


For example, to dumpt the contents of the map to the mifare_dump.mfd file, using default keys:

nfc-mfclassic r a u mifare_dump.bin

The main options of nfc-mfclassic are as follows:

  • 'r|R|w|W|f' : action (r = read, w = write, f = format)
  • 'a|A|b|B' : used key (in lowercase, we stop when there is an error, in uppercase, we ignore errors).
  • 'u|Uxxxxxxxx' : préciser un UID spécifique ou non.
  • Target file (containing data to write on the card or the path where to write card's data)
  • Key file (not required if the card uses known keys, as in the example).

I let you play a little with this tool, and discover its functions.


Breaking the authentication keys of an unknown Mifare CLASSIC card

This is where it gets interesting! Indeed, the encryption algorithm (CRYPTO1, a proprietary algorithm that has since been reversed and made open-source by the security research community) and the transport protocol used by Mifare CLASSIC cards contain several vulnerabilities, and tools exploiting them have been developed.

I won't elaborate on the technique of these attacks, but you can find links to technical presentations at the end of the tutorial if you want to know more!


There are 2 main tools to find keys on these cards:

  • mfcuk : it allows to find a key of a sector in a few minutes without any initial information.
  • mfoc : it makes it possible to find all the keys of a card very quickly by knowing only some of them (either common keys, or a key found thanks to the previous tool).

So the idea is to use mfoc to retrieve all the keys, by simply giving it a basic key retrieved with mfcuk if the card doesn't use any common/default key.


So we need these two tools:

apt-get install mfcuk mfoc


We start the search for a basic key like this:

mfcuk -C -R 0:A

The '-C' option initializes the connection to the reader and the '-R' option allows you to indicate which key, from which sector you want to retrieve: in this case, it is the A key from sector 0.

After a few minutes (or hours), a key is retrieved: 'xxxxxxxxxxxxxxxxxxxx'.


We can now use this key with mfoc to find all the other keys:

mfoc -O mifare_dump.mfd -k xxxxxxxxxxxx


Of course, I encourage you to always try mfoc first without the '-k' option (to see if a known key is not used, which can save you a lot of time by avoiding using mfcuk).


Once mfoc is executed, you will have a full map dump, containing the access keys for each block. You can notably reuse this dump with nfc-mfclassic to write the map like here :

nfc-mfclassic w a u my_custom_card.mfd mifare_dump.bin


Bonus : a perfect clone

We said at the beginning of the article that the 1st block of the 1st sector was read-only. As a result, many authentication systems are based on the UID of the cards, which is therefore supposed to be unique.

However, Mifare CLASSIC cards modified so that their 1st block is rewritable can be found on Amazon. It then becomes possible to make a perfect clone of an unknown card: not only its content but also its UID!

The nfc-mfclassic tool allows to write and read this kind of cards, using its 'R|W' option. Indeed, when using these lowercase letters, nfc-mfclassic doesn't try to write on block 0, whereas when using these options in uppercase, the tool will try to rewrite block 0, assuming that our card is a modified card.

nfc-mfclassic W a u my_custom_card.mfd mifare_dump.bin


Sources

Complete installation informations : http://tvaira.free.fr/rfid/tutoriel-nfc-acr122u.pdf

Official Mifare CLASSIC documentation : https://www.nxp.com/docs/en/application-note/AN1304.pdf

Crypto1 and Mifare CLASSIC attacks : https://nethemba.com/resources/mifare-classic-slides.pdf