Cloning a MIFARE Classic 1k
Mathieu Bridon
- https://mathieu.daitauha.fr
You will need writable NFC tags, compatible with MIFARE Classic 1k. Make sure their sector 0 is writable. I used those (just the tags).
1. Try dumping the tag
Place the original on the reader, then try dumping it:
$ mfoc -P 500 -O original.dmp
Found Mifare Classic 1k tag
...
The above command might return an error like:
...
Sector 00 - Unknown Key A Unknown Key B
Sector 01 - Unknown Key A Unknown Key B
Sector 02 - Unknown Key A Unknown Key B
Sector 03 - Unknown Key A Unknown Key B
Sector 04 - Unknown Key A Unknown Key B
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Unknown Key A Unknown Key B
Sector 07 - Unknown Key A Unknown Key B
Sector 08 - Unknown Key A Unknown Key B
Sector 09 - Unknown Key A Unknown Key B
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Unknown Key A Unknown Key B
mfoc: ERROR:
No sector encrypted with the default key has been found, exiting..
That means your original doesn't use the default keys used by mfoc. If that's the case, then follow along with step 2.
Instead, if you didn't get an error then congratulations, your tag is even less secure than you thought, and the original.dmp file is a full dump of your original tag. Proceed directly to step 3.
2. Try cracking the keys
With the original still on the reader, run the following command:
$ mfcuk -C -R 0:A -s 50 -S 50 -O original.dmp -v 3
mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
...
-----------------------------------------------------
Let me entertain you!
uid: ae1a5dd6
type: 08
key: 000000000000
block: 03
diff Nt: 0
auths: 0
-----------------------------------------------------
...
It might take a while (on my laptop it took around 30 minutes), but eventually the command will finish.
The output should say something like the following:
INFO: block 3 recovered KEY: 1234567890AB
1 2 3 4 5 6 7 8 9 a b c d e f
ACTION RESULTS MATRIX AFTER RECOVER - UID ae 1a 5d d6 - TYPE 0x08 (MC1K)
-----------------------------------------------------------------
Sector | Key A | ACTS | RESL | Key B | ACTS | RESL
-----------------------------------------------------------------
0 | 1234567890AB | . R | . R | 000000000000 | . . | . .
1 | 000000000000 | . . | . . | 000000000000 | . . | . .
2 | 000000000000 | . . | . . | 000000000000 | . . | . .
3 | 000000000000 | . . | . . | 000000000000 | . . | . .
4 | 000000000000 | . . | . . | 000000000000 | . . | . .
5 | 000000000000 | . . | . . | 000000000000 | . . | . .
6 | 000000000000 | . . | . . | 000000000000 | . . | . .
7 | 000000000000 | . . | . . | 000000000000 | . . | . .
8 | 000000000000 | . . | . . | 000000000000 | . . | . .
9 | 000000000000 | . . | . . | 000000000000 | . . | . .
10 | 000000000000 | . . | . . | 000000000000 | . . | . .
11 | 000000000000 | . . | . . | 000000000000 | . . | . .
12 | 000000000000 | . . | . . | 000000000000 | . . | . .
13 | 000000000000 | . . | . . | 000000000000 | . . | . .
14 | 000000000000 | . . | . . | 000000000000 | . . | . .
15 | 000000000000 | . . | . . | 000000000000 | . . | . .
INFO: saved extended tag dump file to 'original.dmp'
This means mfcuk succeeded in cracking the encryption. In the above example, the secret key is 1234567890AB. Note the one you obtained for your tag. In the rest of this page, I will refer to the key as ${KEY}.
Armed with the secret key, try dumping the tag again (this is essentially the same as the first step, but specifying the key):
$ mfoc -P 500 -k ${KEY} -O original.dmp
The custom key 0x1234567890AB has been added to the default keys
Found Mifare Classic 1k tag
...
This might again take some time (on my laptop it took around 1h40), but when the command eventually finishes, you should see the following (among other things):
...
Auth with all sectors succeeded, dumping keys to a file!
...
At this point, the original.dmp file is a full dump of your original tag.
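Added example (my own code, not from the original post nor from the mfoc, mfcuk or libnfc projects): a small Python parser for the raw 1024-byte dump layout that mfoc and nfc-mfclassic read and write. It pulls the UID and the sixteen sector trailers out of a dump such as original.dmp and audits them for the weaknesses this whole procedure depends on (sectors protected by well-known default keys, a single key A shared by every sector) and for inconsistent access bits, which the card rejects and which can leave a sector permanently locked if such a trailer is ever written. The sample dump is constructed inline: the UID c1a16a36 and the key 1234567890AB are taken from the page's output, the default-key list is a subset of mfoc's built-in defaults, and the corrupt access bits in sector 5 are my addition to exercise the check.

```python
"""Audit a raw MIFARE Classic 1k dump (the 1024-byte .dmp/.mfd layout used by
mfoc and nfc-mfclassic): UID/BCC sanity, default keys, key reuse, access bits."""
from typing import Dict, List, Tuple

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16
DUMP_SIZE = BLOCK_SIZE * BLOCKS_PER_SECTOR * SECTORS  # 1024 bytes

# Subset of the keys mfoc tries first; any sector using one is trivially readable.
WELL_KNOWN_KEYS = {
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5",
    "b0b1b2b3b4b5", "d3f7d3f7d3f7", "aabbccddeeff",
}


def access_bits_valid(trailer: bytes) -> bool:
    """Trailer bytes 6..8 carry C1/C2/C3 and their bitwise complements.
    The card refuses (and can permanently lock) a sector whose copies disagree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    nb6, nb7 = b6 ^ 0xFF, b7 ^ 0xFF          # recover the complemented nibbles
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4  # the plain copies
    return c1 == (nb6 & 0xF) and c2 == (nb6 >> 4) and c3 == (nb7 & 0xF)


def block_conditions(trailer: bytes) -> List[Tuple[int, int, int]]:
    """(C1, C2, C3) per block; (0,0,0) on data blocks and (0,0,1) on the
    trailer is the factory 'transport' configuration (ff 07 80)."""
    c1, c2, c3 = trailer[7] >> 4, trailer[8] & 0xF, trailer[8] >> 4
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def parse_dump(data: bytes) -> Dict:
    """Split a 1k dump into UID info and one record per sector trailer."""
    if len(data) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE}-byte 1k dump, got {len(data)}")
    uid = data[0:4]
    bcc = 0
    for b in uid:
        bcc ^= b                              # block 0 byte 4 is the XOR of the UID
    sectors = []
    for s in range(SECTORS):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE   # last block of the sector
        tr = data[start:start + BLOCK_SIZE]
        sectors.append({
            "sector": s,
            "key_a": tr[0:6].hex(),
            "access": tr[6:10].hex(),
            "key_b": tr[10:16].hex(),
            "access_valid": access_bits_valid(tr),
            "conditions": block_conditions(tr),
        })
    return {"uid": uid.hex(), "bcc_ok": data[4] == bcc, "sak": data[5],
            "atqa": data[6:8].hex(), "sectors": sectors}


def audit(parsed: Dict) -> List[str]:
    """Human-readable findings about why this card is (or is not) cloneable."""
    findings = []
    if not parsed["bcc_ok"]:
        findings.append("block 0 BCC does not match the UID: dump or card is corrupt")
    keys_a = set()
    for sec in parsed["sectors"]:
        n = sec["sector"]
        for label in ("key_a", "key_b"):
            if sec[label] in WELL_KNOWN_KEYS:
                findings.append(f"sector {n:02d} {label} is a well-known default key")
        if not sec["access_valid"]:
            findings.append(f"sector {n:02d} access bits are inconsistent; "
                            "writing this trailer would lock the sector")
        keys_a.add(sec["key_a"])
    if len(keys_a) == 1:
        findings.append("every sector shares one key A: a single recovered key opens the card")
    return findings


def build_sample_dump() -> bytes:
    """Constructed sample dump: UID c1a16a36, the page's recovered key on sector 0,
    the factory key everywhere else, and deliberately corrupt access bits in sector 5."""
    uid = bytes.fromhex("c1a16a36")
    bcc = 0
    for b in uid:
        bcc ^= b
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)  # BCC, SAK, ATQA, vendor
    factory_tail = bytes.fromhex("ff078069") + bytes.fromhex("ffffffffffff")
    blocks = [block0]
    for block in range(1, SECTORS * BLOCKS_PER_SECTOR):
        sector, idx = divmod(block, BLOCKS_PER_SECTOR)
        if idx != 3:
            blocks.append(bytes([block]) * BLOCK_SIZE)    # filler data block
            continue
        key_a = bytes.fromhex("1234567890ab" if sector == 0 else "ffffffffffff")
        tail = factory_tail
        if sector == 5:                                     # constructed corruption
            tail = bytes.fromhex("ff070069") + bytes.fromhex("ffffffffffff")
        blocks.append(key_a + tail)
    return b"".join(blocks)


if __name__ == "__main__":
    for line in audit(parse_dump(build_sample_dump())):
        print(line)
```

To run it against a real dump, replace build_sample_dump() with open("original.dmp", "rb").read(). Note that mfoc writes the recovered keys into the trailer blocks of the dump, so the audit reports what the card actually uses, not what a reader would guess.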
3. Dump the new, empty tag
This seems to be necessary to make the new tag writable.
Replace the original tag with the new one on the reader, then run the following:
$ mfoc -P 500 -O new.dmp
Found Mifare Classic 1k tag
...
4. Write to the new tag
You can now copy the dump of the original onto the new tag:
$ nfc-mfclassic W a original.dmp new.dmp
...
Once this finishes, your new tag should be an exact copy of the original one. Congratulations, you're done. Go and try your new tag.
You might get the following error:
$ nfc-mfclassic W a original.dmp new.dmp
NFC reader: / CCID USB Reader opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): c1 a1 6a 36
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
unlock failure!
This means sector 0 of your new tag is not writable. You'll need to use another tag.