MIFARE Classic¶
- Uses the ISO/IEC 14443-3 protocol
- Operates at 13.56 MHz
- 1K or 4K EEPROM
- Uses one key to write and a separate key to read the data blocks
- Uses the proprietary Crypto-1 cipher, which has been reverse engineered
- The CRYPTO1 cipher is a 48-bit linear feedback shift register (LFSR) with generating polynomial $g(x) = x^{48} + x^{43} + x^{39} + x^{38} + x^{36} + x^{34} + x^{33} + x^{31} + x^{29} + x^{24} + x^{23} + x^{21} + x^{19} + x^{13} + x^{9} + x^{7} + x^{6} + x^{5} + 1$
Documentation:
- RF Documentation
Mifare Classic EV1¶
- 48-bit Crypto-1
- ECC signature
Proxmark Commands¶
Read Card:
[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: 6D 5D 03 B2
[+] ATQA: 00 04
[+] SAK: 08 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 59 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 6D 5D 03 B2 81 08 04 00 62 63 64 65 66 67 68 69
[+] Fudan tag detected
[=] --- Magic Tag Information
[=] <N/A>
[=] --- PRNG Information
[#] Static nonce......... 01200145
[+] Static nonce......... yes
Dump and View:
[usb] pm3 --> hf mf dump
[=] Using... hf-mf-6C2337D5-key.bin
[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[/]successfully read block 3 of sector 15
[+] Succeeded in dumping all blocks
[+] time: 10 seconds
[...]
[usb] pm3 --> hf mf view --file hf-mf-6C2337D5-dump-001.bin
[+] loaded 1024 bytes from binary file `hf-mf-6C2337D5-dump-001.bin`
[=] -----+-----+-------------------------------------------------+-----------------
[=] sec | blk | data | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=] 0 | 0 | 6C 23 37 D5 AD 08 04 00 03 71 31 F3 60 0A 46 1D | l#7......q1.`.F.
[=] | 1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 1 | 4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 2 | 8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 3 | 12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 4 | 16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 5 | 20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 6 | 24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 7 | 28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 8 | 32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 9 | 36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 10 | 40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 11 | 44 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 45 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 47 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 12 | 48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 13 | 52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 14 | 56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] 15 | 60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] | 63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] -----+-----+-------------------------------------------------+-----------------
[?] cyan = value block with decoded value
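Every sector trailer in the dump above reads `FF FF FF FF FF FF | FF 07 80 | 69 | FF FF FF FF FF FF`, that is, factory keys with transport access bits. The following added example (not Proxmark code and not from the original page) decodes the access bits of each trailer in a 1K dump and flags sectors still in that state. The function names, the sector 1 keys and its `78 77 88` access bytes are constructed for illustration, and it assumes the dump file holds the keys in the trailers, as the `hf mf view` output shows.

```python
# Added example, not Proxmark code: audit a 1K dump for factory-default sector trailers.
# Trailer layout: key A (6 bytes) | access bits (3) | user byte (1) | key B (6).
DEFAULT_KEYS = {bytes.fromhex(k) for k in ("FFFFFFFFFFFF", "A0A1A2A3A4A5")}
# (C1, C2, C3) per block for access bytes FF 07 80: data blocks 000, trailer 001.
TRANSPORT = [(0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 1)]


def decode_access_bits(trailer: bytes):
    """Return [(C1, C2, C3)] for blocks 0..3 of a sector; raise if the copies disagree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4      # plain copies
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F    # bitwise-inverted copies
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits do not match their inverted copy")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit_dump(dump: bytes):
    """Return {sector: [issues]} for every sector that has at least one finding."""
    if len(dump) != 1024:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = {}
    for sector in range(16):
        start = (sector * 4 + 3) * 16             # last block of the sector
        trailer = dump[start:start + 16]
        issues = []
        try:
            if decode_access_bits(trailer) == TRANSPORT:
                issues.append("transport access bits")
        except ValueError as exc:
            issues.append(str(exc))
        for name, key in (("A", trailer[:6]), ("B", trailer[10:])):
            if key in DEFAULT_KEYS:
                issues.append(f"key {name} is a well-known default")
        if issues:
            findings[sector] = issues
    return findings


def sample_dump():
    """Constructed input: block 0 and trailers copied from the `hf mf view` output."""
    block0 = bytes.fromhex("6C2337D5AD080400037131F3600A461D")
    trailer = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
    dump = bytearray((bytes(48) + trailer) * 16)
    dump[0:16] = block0
    # Constructed contrast: sector 1 with made-up keys and non-transport access bytes.
    dump[7 * 16:8 * 16] = bytes.fromhex("112233445566" "787788" "69" "665544332211")
    return bytes(dump)


if __name__ == "__main__":
    for sector, issues in audit_dump(sample_dump()).items():
        print(f"sector {sector:2d}: {', '.join(issues)}")
```

On the constructed input, every sector except sector 1 is reported, since only sector 1 has non-default keys and access bytes other than `FF 07 80`.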
MIFARE Application Directory (MAD) Information:
[usb] pm3 --> hf mf mad
[=] Authentication ( ok )
[#] Auth error
[=] --- MIFARE App Directory Information ----------------
[=] -----------------------------------------------------
[=] ------------ MAD v1 details -------------
[+] Card publisher sector 0x01
[=] ---------------- Listing ----------------
[=] 00 MAD v1
[=] 01 [7006] Hotel, access contr. & sec [Vingcard a.s.]
[=] 02 [7005] Energy Saving System For Hotels, Access Control [ENKOA System]
[=] 03 [7007] Hotel, access contr. & sec [Vingcard a.s.]
[=] 04 [7007] continuation
[=] 05 [7007] continuation
[=] 06 [7009] Access control data for electronic locks [Timelox AB]
[=] 07 [0000] free
[=] 08 [0000] free
[=] 09 [0000] free
[=] 10 [0000] free
[=] 11 [0000] free
[=] 12 [0000] free
[=] 13 [0000] free
[=] 14 [0000] free
[=] 15 [0000] free
Key Search:
[usb] pm3 --> hf mf fchk -f mfc_default_keys
[+] loaded 59 keys from hardcoded default array
[+] loaded 1726 keys from dictionary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\dictionaries/mfc_default_keys.dic
[=] Running strategy 1
[=] .
[=] Running strategy 2
[=] .
[=] time in checkkeys (fast) 47.1s
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | B578F38A5C61 | 1
[+] 001 | 007 | ------------ | 0 | ------------ | 0
[+] 002 | 011 | A0A1A2A3A4A5 | 1 | 0000014B5C31 | 1
[+] 003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 005 | 023 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 006 | 027 | FFFFFFFFFFFF | 1 | ------------ | 0
[+] 007 | 031 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 008 | 035 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 009 | 039 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 010 | 043 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 011 | 047 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 012 | 051 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 013 | 055 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 014 | 059 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] 015 | 063 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details
Auto Dump Keys and Data:
[usb] pm3 --> hf mf autopwn -f mfc_default_keys
[!] no known key was supplied, key recovery might fail
[+] loaded 59 keys from hardcoded default array
[+] loaded 1726 keys from dictionary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\dictionaries/mfc_default_keys.dic
[=] running strategy 1
[=] .
[=] running strategy 2
[=] .
[+] target sector 0 key type A -- found valid key [ A0A1A2A3A4A5 ] (used for nested / hardnested attack)
[+] target sector 0 key type B -- found valid key [ B578F38A5C61 ]
[+] target sector 2 key type A -- found valid key [ A0A1A2A3A4A5 ]
[+] target sector 2 key type B -- found valid key [ 0000014B5C31 ]
[+] target sector 3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector 15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Found 1 key candidates
[+] Target block 4 key type A -- found valid key [ D0020E22BA10 ]
[+] target sector 1 key type A -- found valid key [ D0020E22BA10 ]
[+] Found 1 key candidates
[+] Target block 4 key type B -- found valid key [ 10083AEC46B0 ]
[+] target sector 1 key type B -- found valid key [ 10083AEC46B0 ]
[+] Found 1 key candidates
[+] Target block 24 key type B -- found valid key [ 94E6E9E0F498 ]
[+] target sector 6 key type B -- found valid key [ 94E6E9E0F498 ]
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | D | B578F38A5C61 | D
[+] 001 | 007 | D0020E22BA10 | N | 10083AEC46B0 | N
[+] 002 | 011 | A0A1A2A3A4A5 | D | 0000014B5C31 | D
[+] 003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 006 | 027 | FFFFFFFFFFFF | D | 94E6E9E0F498 | N
[+] 007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] 015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA )
[?] MAD key detected. Try `hf mf mad` for more details
[+] Generating binary key file
[+] Found keys have been dumped to D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mf-306EDAAE-key.bin
[=] --[ FFFFFFFFFFFF ]-- has been inserted for unknown keys where res is 0
[=] transferring keys to simulator memory ( ok )
[=] dumping card content to emulator memory (Cmd Error: 04 can occur)
[#] Block 8 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 2 block 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 9 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 10 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 11 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 24 Cmd 0x30 Cmd Error 04
[#] Error No rights reading sector 6 block 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 25 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 26 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[#] Block 27 Cmd 0x30 Wrong response len, expected 18 got 0
[-] fast dump reported back failure w KEY A, swapping to KEY B
[=] downloading card content from emulator memory
[+] saved 1024 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mf-306EDAAE-dump.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-mf-306EDAAE-dump.json
[=] autopwn execution time: 52 seconds
[usb] pm3 --> hf mf nack
[=] Checking for NACK bug
[=] ...
[+] NACK test: always leak NACK
Magic Card 7b UID¶
Change Block 0:
[usb] pm3 --> hf mf rdbl --blk 0
[=] # | sector 00 / 0x00 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mf wrbl --blk 0 -d 000102030405060708090a0b0c0d0e0f --force
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[+] Write ( ok )
[?] try `hf mf rdbl` to verify
[usb] pm3 --> hf mf rdbl --blk 0
[=] # | sector 00 / 0x00 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ................
[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: 00 01 02 03 04 05 06
[+] ATQA: 00 42
[+] SAK: 18 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 59 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[=] --- Magic Tag Information
[+] Magic capabilities... Gen 2 / CUID
[=] --- PRNG Information
[#] Static nonce......... 00000000
[+] Static nonce......... yes
Magic Card 4b UID¶
Change Block 0:
[usb] pm3 --> hf mf rdbl --blk 0
[=] # | sector 00 / 0x00 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[usb] pm3 --> hf mf wrbl --blk 0 -d 000102030405060708090a0b0c0d0e0f --force
[=] Writing block no 0, key A - FFFFFFFFFFFF
[=] data: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[+] Write ( ok )
[?] try `hf mf rdbl` to verify
[usb] pm3 --> hf mf rdbl --blk 0
[=] # | sector 00 / 0x00 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ................
[usb] pm3 --> hf mf info
[=] --- ISO14443-a Information ---------------------
[+] UID: 00 01 02 03
[+] ATQA: 00 02
[+] SAK: 18 [2]
[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF
[+] loaded 1 keys supplied by user
[+] loaded 59 keys from hardcoded default array
[+] Sector 0 key A... FFFFFFFFFFFF
[+] Sector 0 key B... FFFFFFFFFFFF
[+] Block 0.......... 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[=] --- Magic Tag Information
[+] Magic capabilities... Gen 2 / CUID
[=] --- PRNG Information
[+] Prng................. weak
Magic Gen4 Card¶
How to remove the write protections on Gen4 Cards:
# Get Magic config info
hf mf gdmcfg
# Turn Magic Wakeup on
hf mf gdmsetcfg -d 7AFF00000000000000005A5A00000008
# Turn Magic Wakeup off
hf mf gdmsetcfg -d 850000000000000000005A5A00000008
Saflok Card¶
Uses a default key of 0x2a2c13cc242a in key_id[1].
Source