Using a mobile phone to clone a MIFARE card

Overview

  1. Why?
  2. MIFARE Classic?
  3. MIFARE Ultralight?
  4. Reading and capturing contents of the card
  5. About this manufacturer block (Sector 0 – Block 0)
  6. The UID thing that messes with my head
  7. Writing a 4-byte dump on a different card

Why?

The MIFARE NFC card is used in many environments. I have a trash card, a card that I need to open the underground trash bin, that I want to clone. As the replacement cost for a lost or broken card is 10, a clone would be a good investment.

[Image: 20160706_202512]

By holding the card in front of the reader I can open the trash bin. Oh, happy days.

In my search for information, I found the following pages interesting:

  • https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf
  • http://www.proxmark.org/forum/viewtopic.php?id=1535
  • http://www.shopnfc.it/en/content/7-nfc-device-compatibility
  • http://publications.icaria.de/mct/releases/2.0/
  • http://www.scnf.org.uk/smartstore/4-7_B_ID_Questions_Answeres_V8.pdf
  • http://cache.nxp.com/documents/data_sheet/MF1S70YYX_V1.pdf?pspll=1
  • https://learn.adafruit.com/adafruit-pn532-rfid-nfc/mifare
  • http://www.nxp.com/documents/data_sheet/MF0ICU1.pdf (Ultralight / 7Byte UID)
  • https://www.kismetwireless.net/code-old/svn/hardware/kisbee-02/firmware/drivers/rf/pn532/helpers/
  • http://stackoverflow.com/questions/21700718/serials-on-nfc-tags-truly-unique-cloneable
  • http://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-android
  • https://store.ryscc.com/products/new-proxmark3-kit


MIFARE Classic?

Some informational dumps:

  • 16-bit CRC per block
  • Anticollision loop
  • 1 kB or 4 kB of EEPROM
  • CRYPTO1 stream cipher (meh, close to zero security)
  • Manufacturer / data / value blocks

[Image: 2016-07-06 21_15_26]

[Image: 2016-07-06 21_17_31]

MIFARE Ultralight?

MIFARE Ultralight cards typically contain 512 bits (64 bytes) of memory, including 4 bytes (32 bits) of OTP (One Time Programmable) memory, where the individual bits can be written but not erased.

MIFARE Ultralight cards have a 7-byte UID that uniquely identifies the card.

[Image: 2016-07-06 22_10_57] [Image: 2016-07-06 22_11_23]


Reading and capturing contents of the card

After some investigation I noticed that my Samsung mobile phone has an NFC reader.
I used https://github.com/ikarus23/MifareClassicTool on my Samsung S6, but the result was a bit disappointing:

[Screenshot: On a Samsung S6]

After some googling, I found that the NFC chip needed to read these tags simply is not in my S6.
It turned out that an old S3 I had lying around does have it: it worked like a charm on my Samsung Galaxy S3 with Android 6:

[Screenshot: On a Samsung S3]

Reading the contents of the MIFARE card is easy.

[Screenshot: Use the supplied key sets, then start mapping and read the tag]

[Screenshot: Pom pie dom…]

[Screenshot: Detailed information about every sector on the card (there would be more to see if any data other than the UID were present)]

So the only interesting information is in Sector 0, also called the manufacturer block.
I also noticed that the UID was 7 bytes, making it a MIFARE Ultralight card. Grrrrrrr…

About this manufacturer block (Sector 0 – Block 0)

This part of the card is the only interesting part, as no other data is written to any sector/block as far as I can see.
To make the difference between a 4-byte and a 7-byte UID (i.e. MIFARE Classic vs MIFARE Ultralight) clearer, I have added some pictures:

[Image: 2016-07-06 21_25_54]

A more detailed picture shows that more information follows the serial number in block 0:

[Image: 2016-07-06 20_44_14]

A more detailed picture of the 7-byte UID:

[Image: 2016-07-06 21_59_10]

The UID thing that messes with my head

As you could see in my tag info, the UID on my trash card is 7 bytes, so it works a bit differently from the 4-byte one.

[Image: 2016-07-06 21_05_26]

The different types of UID are explained as follows:

ISO/IEC 14443 Type A defines a Unique IDentifier to be used for card selection and activation. The standard defines single, double and triple size UIDs which correspondingly consist of 4, 7 and 10 Byte.
What is the difference between a 4 Byte UID and a 4 Byte ID?
A 4 byte UID is an identifier which has been assigned by the card manufacturer using a controlled database. This database ensures that a single identifier is not used twice. In contradiction, a 4 byte ID is an identifier which may be assigned to more than one contactless chip over the production time of a product so that more than one card with the same identifier may be deployed into one particular contactless system.
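As an added example (not the post's own code), here is a small reader-side check for the manufacturer block and UID layouts described in the two sections above: it parses a Classic block 0 and Ultralight pages 0-2 per the NXP datasheets linked in the post and flags a block whose BCC, SAK or ATQA is inconsistent, which is what a defender would want a reader to notice. The sample blocks are constructed, and the expected SAK/ATQA values are those of a MIFARE Classic 1K.

```python
# Added example (not from the post). Layouts follow the NXP datasheets linked
# in the post: Classic block 0 = UID[4] BCC SAK ATQA[2] manufacturer[8];
# Ultralight pages 0-2 = UID0-2 BCC0 | UID3-6 | BCC1 internal lock0 lock1.
from functools import reduce

CASCADE_TAG = 0x88  # ISO/IEC 14443-3: first byte of cascade level 1 for 7/10-byte UIDs


def xor_bytes(data: bytes) -> int:
    """Block check character (BCC): XOR of all bytes."""
    return reduce(lambda a, b: a ^ b, data, 0)


def check_classic_block0(block: bytes, expected_sak: int, expected_atqa: bytes) -> list:
    """Return the inconsistencies found in a 4-byte-UID MIFARE Classic block 0."""
    if len(block) != 16:
        raise ValueError("block 0 must be 16 bytes")
    uid, bcc, sak, atqa = block[0:4], block[4], block[5], block[6:8]
    findings = []
    if xor_bytes(uid) != bcc:
        findings.append("BCC does not match UID")
    if sak != expected_sak:
        findings.append("SAK %02x differs from expected %02x" % (sak, expected_sak))
    if atqa != expected_atqa:
        findings.append("ATQA %s differs from expected %s" % (atqa.hex(), expected_atqa.hex()))
    return findings


def check_ultralight_uid(pages: bytes) -> tuple:
    """Extract the 7-byte UID from Ultralight pages 0-2 and verify both BCCs."""
    if len(pages) < 12:
        raise ValueError("need pages 0-2 (12 bytes)")
    uid = pages[0:3] + pages[4:8]
    findings = []
    if xor_bytes(bytes([CASCADE_TAG]) + uid[0:3]) != pages[3]:  # BCC0 covers CT + UID0..2
        findings.append("BCC0 mismatch")
    if xor_bytes(uid[3:7]) != pages[8]:  # BCC1 covers UID3..6
        findings.append("BCC1 mismatch")
    return uid, findings


# Constructed sample data, not dumps of real cards.
CLASSIC_1K_SAK, CLASSIC_1K_ATQA = 0x08, bytes.fromhex("0400")
ORIGINAL_BLOCK0 = bytes.fromhex("deadbeef" "22" "08" "0400" "0102030405060708")
# Same block with the last UID byte edited (BCC left stale) and another SAK.
SUSPECT_BLOCK0 = bytes.fromhex("deadbeee" "22" "18" "0400" "0102030405060708")
ULTRALIGHT_PAGES = bytes.fromhex("041122bf" "33445566" "44480000")
```

Run the checks on a dump read with the tool from the post: an empty list means block 0 is self-consistent, while a stale BCC or an unexpected SAK (the difference the post observes between the original and the copy) shows up as a finding.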


Writing a 4-byte dump on a different card

As it is just cool to write a card's dump back, I found a 4-byte UID MIFARE Classic 1 kB card.

[Screenshot: Card information]

[Screenshot: Content of Sector 0]


eBay has a solution for everything: UID-writable MIFARE Classic cards. These cards make it possible to write Sector 0, block 0 (i.e. the manufacturer block).

[Image: 20160706_173614]

[Screenshot: Write tag and enable writing to the manufacturer block]

[Screenshot: Select what to write from the dump]

[Screenshot: Click start mapping and write dump]

Comparing the two tags, only the SAK is different; I hope that will still work in a real-life situation.

[Screenshot: Cloned card]

[Screenshot: Original card]
