29 Jan 2017, 13:27 This post summarizes my experience with cloning RFID cards that I am using on daily basis. There is nothing new here, just a summary of well-known hacks that I found on the internet. Corporate badge At work we use 125KHz passive RFID badges which are easy to clone. Each badge has unique ID, so the first step is to read this ID. I have been using this DIY based on an Arduino: By the way, I had to make some slight to the firware to make it work.

1. Cracking Mifare Card

Once you get the ID, you can “program” it on an ATtiny85 microcontroller as described. This is how my assembled clone looks like: Residential entry The building where I live (and many other buildings) has a front door which is opened with an NFC tag. I found that it is Mifare Classic 1k tag which has been cracked long time ago. Actually, it turned out that I don’t have to crack anything to create a clone because the tag had default keys. They were relying only on the fact that each tag has unique ID and the door opens when pre-recorded ID is shown.

Cracking Mifare Card

Some fine people in China are selling tags that you can program with whatever ID you want, so creating is a clone a simple matter of running nfc-mfsetuid: Public transport Turns out that Mifare Classic 1k is also being used for the public transport in Sofia. I managed to crack one of the old cards that I have – it has been using a combination of default keys and “SofiaM”: However, some of the new cards for the subway manage to resist my cracking attempts. I guess they are using something more secure which is running an emulation of Mifare Classic. UPDATE: No, they are not.

In addition to the breaking of the Mifare Classic, a team of scientists that included Paar cracked the encryption of the Keeloq security system used by manufacturers of cars, garage door openers, and other devices.

Keys have been disclosed.

Early chinese magic card ARE NOT COMPATIBLE at all wit nfc mobile phones (they need special commands that cannot be sent using the phone - tested). Latest chinese magic card should not need those special commands so you should be able to write them with an nfc phone (not tested). Nfc mobile phone MUST HAVE an NXP nfc chip inside to work with mifare cards; Broadcom nfc chips ARE NOT COMPATIBLE with mifare cards (ex Galaxy S3 has nxp chip, S4 broadcom chip; your phone is compatible with all original mifare if you managed to dump the card with MCT but will only works with mifare chinese magic '2nd generation' cards). PM3 for android (proxdroid) is a software to control proxmark3 via Android but you need to buy a proxmark3 to use it but it's not so easy to set it up. I don't know how to simulate a mifare in an nfc mobile phone, never tested that possibility and I don't know if it is actually possible.

This interesting thread can have some answers about card emulation: Last edited by asper (2014-01-12 15:52:28). You must ask the seller if block0 is writable with normal write command or only using special commands, this is the only way to know if it is a 1st or2nd generation card (hoping he will tell you the truth). The 'backdoored' are usually 1st generation so you can write block0 only with pm3 or with a dedicated reader/writer; they can always be used as standard mifare with your phone but block0 will be impossible to write with your phone. Only with 2nd generation you can edit block0 with your phone (probably but not tested). If you have doubts just ask the seller. Last edited by asper (2014-01-12 23:45:03).

I was successfully able to copy my Mifare Classic 1K onto this card. Now I am just trying to figure out what the data on Sector 0 represents. If I am able to figure that out, then possibly I can guess someone elses Sector 0 and copy their card without having their card in hand. I know the Sector 0 contains the UID, but the UID doesn't really mean anything right now. Like it doesn't match any number on the card.

Still trying to figure this out. Thanks for the help everyone, I am happy that I have successfully gotten to this point. If you do not have the keys for your card, you will probably need to use proxmark to bruteforce the keys. For me, I got lucky because both of my keys were common keys so I did not have to use a proxmark in my case. I used the Mifare Classic Tool to dump the data from my card onto my phone using the default keys. Then I looked at the data and the data only existed on Sector 0 but on most cards Sector 0 is not writeable so I purchased a UID changeable card in which Sector 0 can be changed.

I used Mifare Classic Tool again to copy the dump from my phone to my UID changeable card. I selected the option to also write Sector 0 to the card. I was successful in being able to copy a Mifare Classic 1K onto a blank UID changeable card.

So I am not exactly sure about your case because this was my first attempt at anything related to RFID but I am pretty sure if you don't have the keys you will have to brute them which can't be done by phone, so you will probably need proxmark. Hi, I think I managed to dump my card by brute forcing the keys. No need for a proxmark, just used mfoc (only 5 min.). According to some other sources, mfcuk would be faster, but it has been running for 25min now on only one sector and hasn't found anything yet. According to the people of my company, they use payment saldo's on the card only. So no central database, I would like to find a way to 'decrypt' the HEX-values on my card to read out my current money saldo. Any thoughts?

Did mfcuk worked in the end? Ok, so you're using a newer client software on the PC-side, but the device is old. I would recommend that you flash the device with the new code.

I always recommend using the latest versions, since a lot of us are reluctant to spend time helping out with problems for older builds, but if the version you are using is 'recent enough' that'll probably work. So, go to armsrc, 'make', then go to./client/, and use the flasher to flash at least osimage and fpgaimage (linux: 'flasher /dev/ttyACM3./armsrc/obj/osimage.elf./armsrc/obj/fpgaimage.elf'). Or you can do a flash with the fullimage.elf, and get all three components flashed at once. That will flash the bootrom aswell, but if you do that, make sure not to unplug the device in the progress or you'll brick the device.