How to clone MiFare Classic with the proxmark3

In this post I will share how to clone a MiFare Classic card using the proxmark3.

Process:

  1. Obtain keys
  2. Dump card content
  3. Write dump to empty card
  4. Todo: Autopwn

Obtain keys

There are several ways to crack MiFare Classic cards, but the easiest is simply to test whether the well-known default keys work (the Proxmark3 client does this with hf mf chk; if none of them match, the weak Crypto-1 cipher still lets you recover the keys with the darkside and nested attacks, which is the "Autopwn" step still on the todo list above). Luckily for me the factory default key "FFFFFFFFFFFF" did work and I was able to dump the card.

Trying out the MiFare default keys

Dumping card content

 [usb] pm3 --> hf mf dump
 [=] Reading sector access bits…          
 …………….
 [+] Finished reading sector access bits          
 [=] Dumping all blocks from card…          
 [+] successfully read block  0 of sector  0.          
 [+] successfully read block  1 of sector  0.          
 [+] successfully read block  2 of sector  0.          
 [+] successfully read block  3 of sector  0.          
 [+] successfully read block  0 of sector  1.

 [snip]
        
 [+] time: 17 seconds
 [+] Succeded in dumping all blocks
 [+] saved 1024 bytes to binary file hf-mf-B4EE8234-data.bin           
 [+] saved 64 blocks to text file hf-mf-B4EE8234-data.eml           
 [+] saved to json file hf-mf-B4EE8234-data.json 
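Before writing the dump anywhere it is worth looking at what it contains. The 1024-byte .bin file is the raw card memory: block 0 is the manufacturer block (UID, BCC check byte, SAK, ATQA), and block 3 of every sector is the sector trailer (key A, three access bytes plus one spare byte, key B). The script below is an added example, not code from this post or from the Proxmark3 project: it parses those fields, verifies the inverted-nibble redundancy in the access bytes (a trailer with inconsistent access bytes permanently locks the sector on a real card), and lists which sectors still use well-known default keys such as the FFFFFFFFFFFF that worked here. The sample dump it builds is constructed with the UID from this post and is not the author's dump file.

```python
"""Inspect a Proxmark3 'hf mf dump' of a MIFARE Classic 1K (the 1024-byte .bin).

Added example, not code from the post or from the Proxmark3 project. The sample
dump built by build_sample_dump() is constructed here with the UID from the post.
"""

BLOCK = 16            # bytes per block
SECTOR_BLOCKS = 4     # MIFARE Classic 1K: 16 sectors of 4 blocks
DUMP_SIZE = 1024

# Well-known keys: factory transport key, MAD key A, NDEF public key, all-zero.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"): "transport/factory default",
    bytes.fromhex("A0A1A2A3A4A5"): "MAD key A",
    bytes.fromhex("D3F7D3F7D3F7"): "NDEF public key",
    bytes.fromhex("000000000000"): "all zero",
}

# Data-block access conditions indexed by (C1, C2, C3), as in the MF1S50 datasheet.
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B, inc A|B, dec A|B (transport)",
    (0, 1, 0): "read A|B, write never",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B, inc B, dec A|B (value block)",
    (0, 0, 1): "read A|B, write never, dec A|B (value block)",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, write never",
    (1, 1, 1): "never",
}


def decode_access_bits(b6, b7, b8):
    """Return ([(C1, C2, C3) for blocks 0..3], redundancy_ok).

    Byte 6 = ~C2 (high nibble) | ~C1 (low), byte 7 = C1 (high) | ~C3 (low),
    byte 8 = C3 (high) | C2 (low); bit i of every nibble belongs to block i.
    """
    c1 = (b7 >> 4) & 0xF
    c2 = b8 & 0xF
    c3 = (b8 >> 4) & 0xF
    ok = ((b6 & 0xF) == (~c1 & 0xF)
          and ((b6 >> 4) & 0xF) == (~c2 & 0xF)
          and (b7 & 0xF) == (~c3 & 0xF))
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return bits, ok


def parse_dump(data):
    """Parse a 1K dump into manufacturer-block fields and per-sector trailers."""
    if len(data) != DUMP_SIZE:
        raise ValueError("expected a %d-byte MIFARE Classic 1K dump" % DUMP_SIZE)
    uid, bcc = data[0:4], data[4]
    info = {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],  # BCC = XOR of the UID bytes
        "sak": data[5],
        "atqa": data[6:8].hex().upper(),
        "sectors": [],
    }
    for s in range(DUMP_SIZE // (BLOCK * SECTOR_BLOCKS)):
        start = (s * SECTOR_BLOCKS + 3) * BLOCK          # block 3 = sector trailer
        trailer = data[start:start + BLOCK]
        bits, ok = decode_access_bits(trailer[6], trailer[7], trailer[8])
        info["sectors"].append({
            "sector": s,
            "key_a": trailer[0:6].hex().upper(),
            "access_bytes": trailer[6:9].hex().upper(),
            "key_b": trailer[10:16].hex().upper(),
            "access_ok": ok,
            "data_access": [DATA_ACCESS[b] for b in bits[:3]],
            "trailer_bits": bits[3],
        })
    return info


def default_key_report(info):
    """Map sector number -> [(slot, description)] for keys found in DEFAULT_KEYS."""
    report = {}
    for sec in info["sectors"]:
        hits = [(slot, DEFAULT_KEYS[bytes.fromhex(sec["key_" + slot.lower()])])
                for slot in ("A", "B")
                if bytes.fromhex(sec["key_" + slot.lower()]) in DEFAULT_KEYS]
        if hits:
            report[sec["sector"]] = hits
    return report


def build_sample_dump():
    """Constructed sample: UID B4EE8234 from the post, SAK 08, ATQA bytes 04 00,
    factory access bytes FF078069, default keys everywhere except key A of sector 1."""
    uid = bytes.fromhex("B4EE8234")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    data = bytearray()
    for s in range(16):
        data += (block0 + bytes(32)) if s == 0 else bytes(48)    # three data blocks
        key_a = bytes.fromhex("112233445566") if s == 1 else bytes.fromhex("FFFFFFFFFFFF")
        data += key_a + bytes.fromhex("FF078069") + bytes.fromhex("FFFFFFFFFFFF")
    return bytes(data)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    parsed = parse_dump(raw)
    print("UID %(uid)s  BCC ok=%(bcc_ok)s  SAK %(sak)02X  ATQA %(atqa)s" % parsed)
    for sec in parsed["sectors"]:
        print("sector %2d  A=%s  acc=%s ok=%s  B=%s" % (sec["sector"], sec["key_a"],
              sec["access_bytes"], sec["access_ok"], sec["key_b"]))
    print("sectors with a default key:", sorted(default_key_report(parsed)))
```

Run it as python3 inspect_dump.py hf-mf-B4EE8234-data.bin to check a real dump; without an argument it inspects the constructed sample. A dump whose trailers all report "transport" access and default keys is exactly the kind of card the default-key step at the top of this post finds.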

Writing the dump to a new card

At this point I thought I had hit the jackpot and could simply write the dump to any blank MiFare card, but no. As I learned, the first block of any MiFare Classic card (block 0 of sector 0) is the "manufacturer block": it holds the UID, its BCC check byte, the SAK, the ATQA and some manufacturer data, and it is write-protected at the factory. There is therefore no way to change the UID of a normal MiFare Classic card. However, some Chinese sellers offer so-called "Magic" or "UID changeable" (block 0 writable) cards on which block 0 can be (re)written. The Gen1a variety accepts unauthenticated backdoor commands, which is what hf mf cload uses to write the card and what hf search detects, as highlighted in the command output:

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : AA B5 11 02           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found

At this point we can write the dump to the Chinese magic card:

 [usb] pm3 --> hf mf cload hf-mf-B4EE8234-data.eml 
 [+] loaded 1024 bytes from text file hf-mf-B4EE8234-data.eml           
 [=] Copying to magic card          
 ……………………………………………………….
 [+] Card loaded 64 blocks from file     

Running hf search again confirms the write succeeded: the UID is now that of the target card. The SAK and card type have changed as well, because a Gen1a magic card reports whatever SAK and ATQA bytes sit in block 0 of the dump:

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 88 [2]          
 TYPE : Infineon MIFARE CLASSIC 1K          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found  

How to emulate/simulate amiibos with the proxmark3

In this post I will explain how to emulate/simulate an Amiibo using the proxmark3. For those who don't know what a proxmark is, here is a short description from the website:

The Proxmark is an RFID swiss-army tool, allowing for both high and low level interactions with the vast majority of RFID tags and systems world-wide. Originally built by Jonathan Westhues over 10 years ago, the device has progressively evolved into the industry standard tool for RFID Analysis.

https://proxmark.com/

Process:

  1. Download and compile the proxmark client (flash proxmark)
  2. Download and run mfu2bineml
  3. Emulate/simulate the amiibo with the proxmark3
  4. Profit!!!!

Download and compile the proxmark client

#Install dependencies
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi

#Clone the proxmark3 GitHub repo and enter the source tree
git clone https://github.com/tomvanveen/proxmark3.git
cd proxmark3

#Install the udev rules (ModemManager blacklist) and add the user to the dialout group (Linux/Ubuntu/Debian)
make udev

#Clean and complete compilation
make clean && make all

#Flash the bootrom and fullimage
client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf

Download and run mfu2bineml

We are using mfu2bineml, a Perl program written by Samy Kamkar, to convert the Amiibo dump to a format the proxmark3 understands. To do this, simply run the program with the Amiibo dump as input and redirect the output into a file:

user@ubuntu-vm:~/Desktop/amiibo$ ./mfubin2eml Champion\ Mipha.bin > amiibo.eml

Character / info: 01 07 00 00 03 5a 09 02
Game : 010 The Legend of Zelda
Character: 7 --
Variation: 00 --
Type : 00 Figure
Amiibo : 035a The Legend of Zelda
Series : 09 The Legend Of Zelda
Last : 02 (should be 02)


Looks like encrypted file but setting preventing us from decrypting
Does not contain header, adding
UID: 04c25292aa5280
PWD: 00000000

hf mf eload u Champion Mipha.bin
hf 14a sim t 7 u 04C25292AA5280
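What the converter has to do is mostly fixed by the NTAG215 memory layout that Amiibo figures use: 135 pages of 4 bytes (540 bytes), with the 7-byte UID split over pages 0 and 1 (plus two BCC check bytes), the NDEF capability container in page 3, the 8-byte Amiibo identifier at bytes 0x54-0x5B (the "Character / info" line above), the PWD in page 133 and the PACK in page 134. The script below is an added example written for this post; it is not Samy Kamkar's mfu2bineml and not Proxmark3 code. It turns a raw dump into one page per line of hex, which is the layout hf mf eload u reads (treat that as an assumption if your client version differs), checks the BCC bytes, extracts the UID, Amiibo ID, PWD and PACK, and prints the two client commands used in this post. The sample image is constructed from the UID and Amiibo ID shown in the tool output above; dumps of 572 bytes are assumed to carry a 32-byte signature after the memory image.

```python
"""Convert a raw NTAG215 (Amiibo) dump to the per-page .eml layout used by the
Proxmark3 Ultralight emulator and extract the fields a simulation needs.

Added example, not the post's mfu2bineml tool and not Proxmark3 code. The sample
image is constructed from the UID and Amiibo ID printed in the post.
"""

PAGE = 4
NTAG215_PAGES = 135
NTAG215_SIZE = PAGE * NTAG215_PAGES   # 540 bytes
SIGNATURE_SIZE = 32                    # assumed: 572-byte dumps = image + ECC signature
CT = 0x88                              # ISO14443-3 cascade tag folded into BCC0


def normalise(img):
    """Accept a 540-byte image, or a 572-byte image with the trailing signature."""
    if len(img) == NTAG215_SIZE + SIGNATURE_SIZE:
        img = img[:NTAG215_SIZE]
    if len(img) != NTAG215_SIZE:
        raise ValueError("unexpected dump size %d" % len(img))
    return img


def page(img, n):
    return img[n * PAGE:(n + 1) * PAGE]


def parse_ntag215(img):
    img = normalise(img)
    p0, p1, p2 = page(img, 0), page(img, 1), page(img, 2)
    uid = p0[:3] + p1                          # 7-byte UID: 3 bytes in page 0, 4 in page 1
    bcc0 = CT ^ uid[0] ^ uid[1] ^ uid[2]       # page 0 byte 3
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]   # page 2 byte 0
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": p0[3] == bcc0 and p2[0] == bcc1,
        "cc_ok": page(img, 3)[0] == 0xE1,      # NDEF magic in the capability container
        "amiibo_id": img[0x54:0x5C].hex().upper(),
        "pwd": page(img, 133).hex().upper(),
        "pack": page(img, 134)[:2].hex().upper(),
    }


def to_eml(img):
    """One page per line as 8 upper-case hex characters."""
    img = normalise(img)
    return "\n".join(page(img, n).hex().upper() for n in range(NTAG215_PAGES)) + "\n"


def pm3_commands(eml_path, info):
    """The two client commands from the post: load the image, then simulate an
    Amiibo (sim type 7) with the tag's real 7-byte UID."""
    return ["hf mf eload u %s" % eml_path,
            "hf 14a sim t 7 u %s" % info["uid"]]


def build_sample_image():
    """Constructed image with the post's UID and Amiibo ID; all other pages are
    zero except the internal byte, the capability container and the BCC bytes."""
    uid = bytes.fromhex("04C25292AA5280")
    img = bytearray(NTAG215_SIZE)
    img[0:3] = uid[:3]
    img[3] = CT ^ uid[0] ^ uid[1] ^ uid[2]
    img[4:8] = uid[3:]
    img[8] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    img[9] = 0x48                                   # internal byte
    img[12:16] = bytes.fromhex("E1103E00")          # CC: NDEF, v1.0, 496-byte data area
    img[0x54:0x5C] = bytes.fromhex("01070000035A0902")
    return bytes(img)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    info = parse_ntag215(raw)
    print("UID %(uid)s  BCC ok=%(bcc_ok)s  CC ok=%(cc_ok)s  Amiibo %(amiibo_id)s  "
          "PWD %(pwd)s  PACK %(pack)s" % info)
    out = sys.argv[2] if len(sys.argv) > 2 else "amiibo.eml"
    if len(sys.argv) > 2:
        open(out, "w").write(to_eml(raw))
    print("\n".join(pm3_commands(out, info)))
```

Run it as python3 amiibo2eml.py "Champion Mipha.bin" amiibo.eml to convert a real dump; the UID it prints is the value to pass to hf 14a sim, and a failed BCC check means the dump is truncated or not an NTAG215 image at all.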

Emulate/simulate the amiibo with the proxmark3

The last part of the program output tells you which commands to use in the Proxmark client to load the eml file and emulate/simulate the Amiibo. Because I love tool output, here is the output from the Proxmark client:

pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………
[+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml 
pm3 --> hf 14a sim t 7 u 04C25292AA5280
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 C2 52 92 AA 52 80 ) 
[+] press pm3-button to abort simulation

And here is a video demonstration of the Amiibo emulation. 