- May 28, 2017 Android Mifare Desfire EV1 Key Extraction / Lower Layers. Have you had any luck extracting or cracking the key of a mifare desfire ev1?
- Mifare Classic Tool: Github - Crack Mifare card key using brute-force attack with NFC smartphone and Mifare Classic Tool(Modified).
In this tutorial, I'll explain to you the memory organization of a Mifare card + how to crack it.
This is an Android NFC-App for reading, writing, analyzing, etc. MIFARE® Classic RFID-Tags.
GENERAL INFORMATION
This tool provides several features to interact with (and only with) MIFARE Classic RFID-Tags.
It is designed for users who have at least basic familiarity with the MIFARE Classic technology.
┏━┫ PLEASE READ ┣━
┃Please read the whole page and make sure you got everything right before rating. Thank you!
┃If you rate with less then 4 stars, please leave a comment why. This way I can improve this app.
┃If you like MCT please consider to buy the donate version.
┗━
FEATURES
• Read MIFARE Classic tags
• Save and edit the tag data you read
• Write to MIFARE Classic tags (block-wise)
• Clone MIFARE Classic tags
(Write dump of a tag to another tag; write 'dump-wise')
• Key management based on dictionary-attack
(Write the keys you know in a file (dictionary).
MCT will try to authenticate with these
keys against all sectors and read as much as possible.)
• Format a tag back to the factory/delivery state
• Write the manufacturer block of special MIFARE Classic tags
• Create, edit and save key files (dictionaries)
• Decode & Encode MIFARE Classic Value Blocks
• Decode & Encode MIFARE Classic Access Conditions
• Compare dumps (Diff Tool)
• Display generic tag information
• Display the tag data as highlighted hex
• Display the tag data as 7-Bit US-ASCII
• Display the MIFARE Classic Access Conditions as a table
• Display MIFARE Classic Value Blocks as integer
• In-App (offline) help and information
• It's open source (GPLv3) ;)
IMPORTANT NOTES
Some important things are:
• The features this tool provides are very basic. There are no such
fancy things like saving a URL to an RFID-Tag with a nice looking
graphical user interface. If you want so save things on a tag,
you have to input the raw hexadecimal data.
• This App can NOT crack/hack
any MIFARE Classic keys. If you want to read/write an RFID-Tag, you
need keys for this specific tag first. For additional information
please read/see Getting Started from the links section.
• There will be no 'brute-force' attack
capability in this application. It is way too slow due
to the protocol.
• The first block of the first sector of an original
MIFARE Classic tag is read-only i.e. not writable. But there
are special MIFARE Classic tags that support writing to the
manufacturer block with a simple write command. This App is able to
write to such tags and can therefore create fully correct clones.
However, some special tags require a special command sequence
to put them into the state where writing to the manufacturer block is possible.
These tags will not work.
Remember this when you are shopping for special tags!
• This app will NOT work on some devices because
their hardware (NFC-controller) does not support MIFARE Classic
( https://github.com/ikarus23/MifareClassicTool/issues/1 ).
You can find a list of unsupported devices here:
https://github.com/ikarus23/MifareClassicTool#general-information
LINKS
• Project Page on github:
https://github.com/ikarus23/MifareClassicTool
• MIFARE Classic Tool on F-Droid:
https://f-droid.org/repository/browse/?fdid=de.syss.MifareClassicTool
• Getting started & other help:
https://github.com/ikarus23/MifareClassicTool#getting-started
• Bug tracker:
IF YOU ENCOUNTER A PROBLEM PLEASE REPORT IT HERE
https://github.com/ikarus23/MifareClassicTool/issues
• Additional stuff:
http://publications.icaria.de/mct/
• Thread at the Proxmark3 Forum:
http://www.proxmark.org/forum/viewtopic.php?id=1535
MIFARE® is a registered trademark of NXP Semiconductors.
GENERAL INFORMATION
This tool provides several features to interact with (and only with) MIFARE Classic RFID-Tags.
It is designed for users who have at least basic familiarity with the MIFARE Classic technology.
┏━┫ PLEASE READ ┣━
┃Please read the whole page and make sure you got everything right before rating. Thank you!
┃If you rate with less then 4 stars, please leave a comment why. This way I can improve this app.
┃If you like MCT please consider to buy the donate version.
┗━
FEATURES
• Read MIFARE Classic tags
• Save and edit the tag data you read
• Write to MIFARE Classic tags (block-wise)
• Clone MIFARE Classic tags
(Write dump of a tag to another tag; write 'dump-wise')
• Key management based on dictionary-attack
(Write the keys you know in a file (dictionary).
MCT will try to authenticate with these
keys against all sectors and read as much as possible.)
• Format a tag back to the factory/delivery state
• Write the manufacturer block of special MIFARE Classic tags
• Create, edit and save key files (dictionaries)
• Decode & Encode MIFARE Classic Value Blocks
• Decode & Encode MIFARE Classic Access Conditions
• Compare dumps (Diff Tool)
• Display generic tag information
• Display the tag data as highlighted hex
• Display the tag data as 7-Bit US-ASCII
• Display the MIFARE Classic Access Conditions as a table
• Display MIFARE Classic Value Blocks as integer
• In-App (offline) help and information
• It's open source (GPLv3) ;)
IMPORTANT NOTES
Some important things are:
• The features this tool provides are very basic. There are no such
fancy things like saving a URL to an RFID-Tag with a nice looking
graphical user interface. If you want so save things on a tag,
you have to input the raw hexadecimal data.
• This App can NOT crack/hack
any MIFARE Classic keys. If you want to read/write an RFID-Tag, you
need keys for this specific tag first. For additional information
please read/see Getting Started from the links section.
• There will be no 'brute-force' attack
capability in this application. It is way too slow due
to the protocol.
• The first block of the first sector of an original
MIFARE Classic tag is read-only i.e. not writable. But there
are special MIFARE Classic tags that support writing to the
manufacturer block with a simple write command. This App is able to
write to such tags and can therefore create fully correct clones.
However, some special tags require a special command sequence
to put them into the state where writing to the manufacturer block is possible.
These tags will not work.
Remember this when you are shopping for special tags!
• This app will NOT work on some devices because
their hardware (NFC-controller) does not support MIFARE Classic
( https://github.com/ikarus23/MifareClassicTool/issues/1 ).
You can find a list of unsupported devices here:
https://github.com/ikarus23/MifareClassicTool#general-information
LINKS
• Project Page on github:
https://github.com/ikarus23/MifareClassicTool
• MIFARE Classic Tool on F-Droid:
https://f-droid.org/repository/browse/?fdid=de.syss.MifareClassicTool
• Getting started & other help:
https://github.com/ikarus23/MifareClassicTool#getting-started
• Bug tracker:
IF YOU ENCOUNTER A PROBLEM PLEASE REPORT IT HERE
https://github.com/ikarus23/MifareClassicTool/issues
• Additional stuff:
http://publications.icaria.de/mct/
• Thread at the Proxmark3 Forum:
http://www.proxmark.org/forum/viewtopic.php?id=1535
MIFARE® is a registered trademark of NXP Semiconductors.
Collapse
1,047 total
4
Cracking Mifare Classic 1k
2
• Removed PayPal links to be compliant to Google's payment policies.
• Some fixed to the all-0-keys bug.
• Some fixed to the all-0-keys bug.
Collapse
May 4, 2019
1.1M
100,000+
2.3.1
Mifare Plus Cracking
4.0 and up
IKARUS Projects
Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. Thewarning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate incomputer science at the University of Virginia, that demonstrated a way to crack the encryption on the chip.
Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportationnetworks throughout Asia, Europe and the U.S. and in building-access passes.
The report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chipseems to be an involved and expensive process. But in a recent report published by Nohl, titled 'Cryptanalysis of Crypto-1,' he presents anattack that recovers secret keys in mere minutes on an average desktop PC.
In December, Nohl and Plotz gave a presentation on MiFare's security vulnerabilities at the 24th Chaos Communications Congress (24C3), the annual four-day conference organized by Germany's notorious hacking collective, the Chaos Computer Club (CCC). Thousands of hackers from far-flung locales converged on Berlin between Christmas and New Year's for a raft of talks and project demonstrations.
In their popular talk at 24C3, punctuated by bursts of raucous applause, Nohl presented an overview of radio frequency identification security vulnerabilities and the process of hacking the MiFare chip's means of encryption, known as the Crypto-1 cipher. 'This is the first public announcement that the Crypto-1 cipher on the MiFare tag is known,' said Nohl in December at the 24C3 talk. 'We will give out further details next year.'
Get out the microscopes
To hack the chip, Nohl and Plotz reverse-engineered the cryptography on the MiFare chip through a painstaking process. They examined theactual MiFare Classic chip in exacting detail using a microscope and the open-source OpenPCD RFID reader and snapped several in-depthphotographs of the chip's architecture. The chip is tiny -- about a 1-millimeter-square shred of silicon -- and is composed sed of severallayers.
The researchers sliced off the minuscule layers of the chip and took photos of each layer. There are thousands of tiny blocks on thechip -- about 10,000 in all -- each encoding something such as an AND gate or an OR gate or a flip-flop.
Analyzing all of the blocks on the chip would have taken forever, but there was a shortcut. 'We couldn't actually look at all 10,000 of these small building blocks, so we wanted to categorize them a bit before we started analyzing,' said Nohl at 24C3. 'We observed that there aren't actually 10,000 different ones. They're all taken from a library of cells. There are only about 70 different types of gates; we ended up writing MATLAB scripts that once we select one instance of a gate finds allthe other ones.'
To find the cryptographically important regions of the chip, Nohl and Plotz scanned for clues in the blocks: long strings of flip-flops thatwould implement the register important to the cipher, XOR gates that are virtually never used in control logic, and blocks on the edge ofthe chip that were sparsely connected to the rest of the chip, but strongly connected to each other.
They then reconstructed the circuit using their data, and from the reconstruction, they read the functionality. It was a painful process, but once it was done, the researchers had decoded the security on the chip, unveiling several vulnerabilities. Among the potential securityrisks they uncovered was a 16-bit random number generator that was easy to manipulate -- so easy, in fact, that they were able to coax thegenerator into producing the same 'random' number in every transaction, effectively crippling the security.
Simpler from here on out
A potential attacker wouldn't have to go through all of the steps that Nohl and Plotz had to undertake to hack the RFID chip. A diagram ofthe Crypto-1 cipher, published in Nohl's recent paper, shows that the heart of the cipher is a 48-bit linear feedback shift register and afilter function. To find bits of the key, an attacker would send challenges to the reader and analyze the first bit of key stream sentback to the reader.
Though there are some tricks to generating these challenges, it is computationally not a terribly expensive, or expansive, procedure.'The number of challenges needed to recover key bits with high probability varies for different bits, but generally does not exceed afew dozen,' writes Nohl in the paper.
![Mifare Mifare](/uploads/1/2/6/3/126338325/532065260.png)
At 24C3, Nohl warned against the increasing ubiquity of RFID tags. 'We need some level of authentication, some security that has yet to be added to many of these applications,' he said. He pointed to the increasing use of RFID tags in public transit systems, car keys,passports, and even World Cup tickets -- and the potential worrying privacy implications of large-scale RFID tagging of products by big retailers such as Wal-Mart Stores Inc.
Cracking Mifare Classic Android
The gist? If you rely on MiFare Classic security for anything, you may want to start moving to a different system.