How to clone MiFare Classic with the proxmark 3

A while back I wanted to try cloning a MiFare card using the proxmark 3. The target was a card used for opening garbage containers in the city where I live. My reasons were that I wanted a spare in case I lost the original (a replacement costs about 10 euro), and that I wanted to put it on my key chain so I would always have it with me.

The cloning process is fairly easy and roughly consists of the following steps:

  1. Identify the type of card
  2. Get keys
  3. Dump content
  4. Analyze content of card
  5. Write dump to empty card*
  6. ……
  7. Profit!!!!!

Identifying the type of card

The proxmark client has an easy way to search for and identify cards with the “lf search” (125 kHz, low-frequency tags) and “hf search” (13.56 MHz, ISO14443 and friends) commands; MiFare is a high-frequency technology, so hf search is the one to use. The output shows that the card is indeed a MiFare Classic card. Two lines are worth reading: TYPE lists every NXP product that answers with this ATQA/SAK combination (so a Classic 1k cannot be told apart from a Plus 2k in SL1 mode by these values alone), and “Prng detection: WEAK” means the card uses the weak original Crypto-1 PRNG, so if the default keys had not worked, the darkside and nested attacks (hf mf darkside and hf mf nested in the RfidResearchGroup client) would have been the next step.

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [=] Answers to magic commands: NO           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found 

Dumping 1,2,3

Dumping the content of the card is as easy as running “hf mf dump“. Sadly I was too eager (and inexperienced) and forgot that in order to dump the card you first need to get the keys: the dump command reads them from a hf-mf-<UID>-key.bin file, which is what the error below complains about.

 [usb] pm3 --> hf mf dump
 [!] Could not find file hf-mf-B4EE8234-key.bin   

Getting the keys and dumping the card

There are several ways of cracking MiFare cards, but the easiest is simply to test whether the default MiFare keys work. The client does this with “hf mf chk”, which tries its built-in list of well-known keys against every sector and, with its save/dump option (the exact flags differ between client versions), writes the keys it finds to the hf-mf-<UID>-key.bin file that hf mf dump expects. Luckily for me the default key “FFFFFFFFFFFF” did work and I was able to dump the card.

[screenshot: trying out the MiFare default keys]

Dumping the card:

 [usb] pm3 --> hf mf dump
 [=] Reading sector access bits…          
 …………….
 [+] Finished reading sector access bits          
 [=] Dumping all blocks from card…          
 [+] successfully read block  0 of sector  0.          
 [+] successfully read block  1 of sector  0.          
 [+] successfully read block  2 of sector  0.          
 [+] successfully read block  3 of sector  0.          
 [+] successfully read block  0 of sector  1.

[snip]

[/snip]

 [+] time: 17 seconds
 [+] Succeded in dumping all blocks
 [+] saved 1024 bytes to binary file hf-mf-B4EE8234-data.bin           
 [+] saved 64 blocks to text file hf-mf-B4EE8234-data.eml           
 [+] saved to json file hf-mf-B4EE8234-data.json 

Analyzing the content of the card

After completing the dump I looked at the data on the card with hexdump. I found that the only data was at the start of the file, and it seemed to correspond with the UID, ATQA and SAK: that is block 0, the manufacturer block, whose layout on a 4-byte-UID card is the 4 UID bytes, a BCC (the XOR of the UID bytes), the SAK, the ATQA and 8 bytes of manufacturer data (the sector trailers at every fourth block hold the sector keys and access bits rather than application data). My guess was that the container/reader only checked the UID of the card before opening.

[hexdump of the card data]
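To go beyond eyeballing a hexdump, here is an added example (my own code, not from the original post or from the Proxmark3 project) that parses the hf-mf-<UID>-data.bin file the dump step produces: it verifies the BCC of block 0, decodes the access bits of every sector trailer (including the consistency check a real card enforces), reports which data blocks hold anything, and includes a small diff helper that can later be used to compare the original dump against a dump of the written clone. The sample dump it builds in memory is constructed to mirror the card in this post (UID B4EE8234, SAK 08, ATQA 0004, default keys, empty data blocks); it is not a capture of the real card, and the block layout is the documented MIFARE Classic 1K one.

```python
"""Parse a Proxmark3 'hf mf dump' binary (hf-mf-<UID>-data.bin) of a MIFARE Classic 1K.

Added example for this post, not code from the post or from the Proxmark3 project.
The sample dump built by build_sample_dump() is constructed in memory to mirror the
card described above (UID B4EE8234, SAK 08, ATQA 0004, default keys, blank data
blocks); it is not a capture of the real card.
"""
import sys

BLOCK_SIZE = 16
BLOCKS_1K = 64                                  # 16 sectors x 4 blocks
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")
TRANSPORT_ACCESS = bytes.fromhex("FF078069")    # access bits + GPB as shipped from the factory


def bcc(uid):
    """Block Check Character (ISO14443-3): XOR of the four UID bytes."""
    out = 0
    for b in uid:
        out ^= b
    return out


def parse_block0(block0):
    """Decode the manufacturer block of a 4-byte-UID Classic card.

    Layout: UID[0:4] BCC[4] SAK[5] ATQA[6:8] (ATQA stored LSB first) manufacturer[8:16].
    """
    uid = block0[0:4]
    return {
        "uid": uid.hex().upper(),
        "bcc": block0[4],
        "bcc_ok": block0[4] == bcc(uid),
        "sak": block0[5],
        "atqa": (block0[7] << 8) | block0[6],
        "manufacturer": block0[8:16].hex().upper(),
    }


def decode_access_bits(ab):
    """Return (C1, C2, C3) for blocks 0..3 of a sector from its three access bytes.

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high nibble first).
    The inverted copies must agree; if they do not, a real card locks the sector.
    """
    b6, b7, b8 = ab[0], ab[1], ab[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if (b6 & 0x0F) != (~c1 & 0x0F) or (b6 >> 4) != (~c2 & 0x0F) or (b7 & 0x0F) != (~c3 & 0x0F):
        raise ValueError("inconsistent access bits %s" % ab.hex())
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def analyse_dump(dump):
    """Summarise a 1K dump: block 0 fields, per-sector keys/access, non-empty data blocks."""
    if len(dump) != BLOCKS_1K * BLOCK_SIZE:
        raise ValueError("expected %d bytes, got %d" % (BLOCKS_1K * BLOCK_SIZE, len(dump)))
    blocks = [dump[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in range(BLOCKS_1K)]
    info = parse_block0(blocks[0])
    info["sectors"], info["nonzero_data_blocks"] = [], []
    for s in range(16):
        trailer = blocks[s * 4 + 3]             # key A | access bits | GPB | key B
        info["sectors"].append({
            "sector": s,
            "key_a": trailer[0:6].hex().upper(),
            "key_b": trailer[10:16].hex().upper(),
            "default_keys": trailer[0:6] == DEFAULT_KEY and trailer[10:16] == DEFAULT_KEY,
            "transport_config": trailer[6:10] == TRANSPORT_ACCESS,
            "access": decode_access_bits(trailer[6:9]),
        })
        for b in range(3):                      # data blocks; block 0 is the manufacturer block
            idx = s * 4 + b
            if idx != 0 and any(blocks[idx]):
                info["nonzero_data_blocks"].append(idx)
    return info


def diff_dumps(original, clone):
    """Block numbers whose 16 bytes differ, e.g. original card vs. a dump of the written clone."""
    n = min(len(original), len(clone)) // BLOCK_SIZE
    return [i for i in range(n)
            if original[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] != clone[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]]


def build_sample_dump():
    """Constructed sample: UID B4EE8234, SAK 08, ATQA 0004, every sector in transport config."""
    uid = bytes.fromhex("B4EE8234")
    block0 = uid + bytes([bcc(uid), 0x08, 0x04, 0x00]) + bytes(8)
    trailer = DEFAULT_KEY + TRANSPORT_ACCESS + DEFAULT_KEY
    out = bytearray()
    for i in range(BLOCKS_1K):
        out += block0 if i == 0 else trailer if i % 4 == 3 else bytes(BLOCK_SIZE)
    return bytes(out)


if __name__ == "__main__":
    # usage: python mfdump.py hf-mf-B4EE8234-data.bin   (no argument: the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    info = analyse_dump(data)
    print("UID %s  BCC %02X (%s)  SAK %02X  ATQA %04X" % (
        info["uid"], info["bcc"], "ok" if info["bcc_ok"] else "BAD", info["sak"], info["atqa"]))
    for sec in info["sectors"]:
        print("sector %2d  keyA %s keyB %s  transport-config=%s  C1C2C3=%s" % (
            sec["sector"], sec["key_a"], sec["key_b"], sec["transport_config"],
            " ".join("".join(map(str, c)) for c in sec["access"])))
    print("data blocks with content:", info["nonzero_data_blocks"] or "none (only block 0 matters)")
```

A card whose only non-empty data is block 0 and whose trailers are all in transport configuration (C1C2C3 = 000 for the data blocks, 001 for the trailer) is exactly the situation described above: the reader can only be keying on the UID. A data block that does hold content, or a sector with non-default keys, would mean the application stores something and a UID-only clone may not be enough.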

Writing the dump to a new card*

At this point I thought I had hit the jackpot and could simply write the dump to any blank MiFare card, but no. As I learned then, the first block of a MiFare Classic card (block 0, the manufacturer block) is programmed at the factory and is read-only on genuine cards, so there is no way to change the UID of a normal card. However, some Chinese sellers offer so-called “Magic” or “UID changeable” (block 0 writable) cards. The first generation of these (Gen 1a) accepts a backdoor command sequence without any authentication; that is what the proxmark client probes for, and it will tell you whether a card answers to magic commands, as highlighted in the output below. (Later Gen 2, or “CUID”, cards instead allow block 0 to be written with an ordinary authenticated write, so they do not show up as magic here and are written with the normal write commands rather than the cload command used below.)

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : AA B5 11 02           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found

At this point we can write the dump (the .eml text version of it) to the magic card with hf mf cload:

 [usb] pm3 --> hf mf cload hf-mf-B4EE8234-data.eml 
 [+] loaded 1024 bytes from text file hf-mf-B4EE8234-data.eml           
 [=] Copying to magic card          
 ……………………………………………………….
 [+] Card loaded 64 blocks from file      

Running hf search again checks whether the process was successful. As can be seen, the UID has changed to that of the target card. Note one difference, though: the clone answers with SAK 88 and is identified as an Infineon chip, although block 0 of the dump carries the original's SAK 08. This magic chip evidently answers anticollision with its own SAK rather than the one stored in block 0, so a reader that checks ATQA/SAK in addition to the UID could tell the clone from the original. If the clone fails at the reader, this difference is the first thing to check.

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 88 [2]          
 TYPE : Infineon MIFARE CLASSIC 1K          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found  

If you found this interesting or have feedback/questions please leave a comment!

P.S. Almost all of the above (default-key check, nested/darkside attacks and the dump) can be done in one go using the “hf mf autopwn” command present in the proxmark3 client from RfidResearchGroup.
