- MIFARE Classic?
- MIFARE Ultralight?
- Reading and capturing contents of the card
- About this manufacturer block (Sector 0 – Block 0)
- The UID thing that messes with my head
- Writing a 4Byte dump on a different card
The MIFARE NFC card is used in many environments. I got a trash card, a card that I have to use to open the underground trash bin, that I want to clone. As the replacement cost for a lost / broken card is €10, a clone would be a good investment.
By holding the card in front of the reader, I can open the trashcan, oh happy days.
In my search for information, I found the following pages interesting:
- http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf (Ultralight / 7Byte UID)
Some informational dumps:
- 16 bits CRC per block
- Anticollision loop
- 1kB or 4kB of EEPROM
- CRYPTO1 stream cipher (mjah, close to zero security)
- Manufacturer / data / value blocks
MiFare Ultralight cards typically contain 512 bits (64 bytes) of memory, including 4 bytes (32-bits) of OTP (One Time Programmable) memory where the individual bits can be written but not erased.
MiFare Ultralight cards have a 7-byte UID that uniquely identifies the card.
Reading and capturing contents of the card
After some investigation I noticed that my Samsung mobile phone has a NFC reader.
I used https://github.com/ikarus23/MifareClassicTool on my Samsung S6, and the result was a bit disappointing:
After some googling, I found that the hardware chip, used to read NFC tags, was just not on my S6.
But it showed that it was on an old S3 that I had lying around; it just worked like a charm on my Samsung Galaxy S3 with Android 6:
The contents of the MIFARE card can be read easily.
So the only interesting information is in Sector: 0, also called the manufacturer block.
I also noticed that the UID was 7Byte, making it a MIFARE Ultralight card grrrrrrr…
About this manufacturer block (Sector 0 – Block 0)
This part of the card is the only interesting part, as no other data is written to any sector/block as far as I can see.
In order to understand the difference between a 4Byte and 7Byte UID (i.e. MIFARE Classic vs MIFARE Ultralight), I have added some pictures:
A more detailed picture shows that some more information is included after the serial number in block 0:
A more detailed picture of the 7byte UID:
The UID thing that messes with my head
As you could see on my tag info, the UID on my trash card is 7 byte, so it works a bit differently than the 4 byte one.
The different types of UID are explained as follows:
ISO/IEC 14443 Type A defines a Unique IDentifier to be used for card selection and activation. The standard defines single, double and triple size UIDs which correspondingly consist of 4, 7 and 10 Byte.

What is the difference between a 4 Byte UID and a 4 Byte ID?

A 4 byte UID is an identifier which has been assigned by the card manufacturer using a controlled database. This database ensures that a single identifier is not used twice. In contradiction, a 4 byte ID is an identifier which may be assigned to more than one contactless chip over the production time of a product so that more than one card with the same identifier may be deployed into one particular contactless system.
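As an added example (not code from the original post or from MifareClassicTool), the following Python sketch splits the first bytes of a dump into the fields discussed above and checks the BCC (the XOR check byte that follows the serial number). Assumptions: the function names are hypothetical, the sample bytes are constructed, the Classic field positions (UID, BCC, SAK, ATQA, manufacturer data) follow the commonly documented layout for 4-byte-UID cards, and the Ultralight positions follow the MF0ICU1 datasheet linked above.

```python
from functools import reduce

CASCADE_TAG = 0x88  # ISO/IEC 14443-3 marker used when a UID is longer than 4 bytes

def bcc(data: bytes) -> int:
    """Block check character: XOR of all bytes in `data`."""
    return reduce(lambda a, b: a ^ b, data, 0)

def parse_classic_block0(block: bytes) -> dict:
    """Split a 16-byte MIFARE Classic manufacturer block (4-byte UID layout)."""
    if len(block) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, stored_bcc = block[0:4], block[4]
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": stored_bcc == bcc(uid),   # False means a corrupt or hand-edited dump
        "sak": block[5],                     # assumed position, see lead-in
        "atqa": block[6:8].hex().upper(),    # assumed position, see lead-in
        "manufacturer_data": block[8:16].hex().upper(),
    }

def parse_ultralight_uid(pages: bytes) -> dict:
    """Extract the 7-byte UID from pages 0-2 (12 bytes) of a MIFARE Ultralight."""
    if len(pages) < 12:
        raise ValueError("need at least pages 0-2 (12 bytes)")
    sn0_2, bcc0 = pages[0:3], pages[3]   # page 0: SN0 SN1 SN2 BCC0
    sn3_6, bcc1 = pages[4:8], pages[8]   # page 1: SN3..SN6, page 2 starts with BCC1
    return {
        "uid": (sn0_2 + sn3_6).hex().upper(),
        "bcc0_ok": bcc0 == bcc(bytes([CASCADE_TAG]) + sn0_2),
        "bcc1_ok": bcc1 == bcc(sn3_6),
    }

# Constructed sample data, not taken from any real card.
SAMPLE_CLASSIC_BLOCK0 = bytes.fromhex("01020304040804006263646566676869")
SAMPLE_ULTRALIGHT_PAGES = bytes.fromhex("041122BF3344556644480000")

if __name__ == "__main__":
    print(parse_classic_block0(SAMPLE_CLASSIC_BLOCK0))
    print(parse_ultralight_uid(SAMPLE_ULTRALIGHT_PAGES))
```

A failed BCC check on a dump is a quick sign that the bytes were mistyped or that the wrong layout (4-byte vs 7-byte UID) is being applied to the card.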
Writing a 4Byte dump on a different card
As it is just cool to write a card's dump back, I have found a 4Byte UID MIFARE Classic 1kB card.
Ebay has a solution for everything: UID writable MIFARE Classic cards. These cards make it possible to write Sector 0 – block 0 (i.e. the manufacturer block).
Compare the two tags: only the SAK is different. I hope that will still work in a real-life situation.