Cracking Mifare Classic 1k
I want to add some amount of lunches to my 'student canteen' card. It's a 13.56MHz card with Mifare Classic 4k encryption. I have a reader/writer. I was searching for some tutorial, but the only thing I found is for Mifare 1k and 2k. Is the 4k hackable at all?
Mifare Classic NFC cracking
Consider this scenario:
2 written MIFARE Classic (ISO 14443 A) cards, 1 blank MIFARE Classic tag. 1 standard reader that operates on each door, locked shut so no way to tamper.
Card 1 opens door 1 and door 2. Card 2 opens door 3 and door 2.
Cards 1 and 2 are both part of a larger subset of hundreds of thousands of cards that open door 2, but these are the two I have access to right now.
I'd like to write card 3 such that it can open door 2; using the Android NFC reader I was able to get the hexdump of the card's pages, but don't really have any information about the door or what values could exist in order to crack using standard utilities. Any ideas as to how to accomplish this (if this is even possible)? I'm not sure I totally understand, but would I be right in assuming the records that the reader associates with door 2 should be present in both cards?
I have an ACR122U Contactless NFC reader. I bought a lot of blank RFID Mifare 4k tags. Their default Authentication KEY A and KEY B are FF FF FF FF FF FF.
Now I want to change them to something else. I'm using APDU structure. I'm sending commands like this and it works well:
It works well. I don't know what this interface and model mean, but using this type and structure, I want to change KEY A and KEY B.
Please help me. I can't find any document.
Regards
1 Answer
That's true, chips are delivered with default key FF FF FF FF FF FF for key A and B.
To change them you have to authenticate the card with the correct access bits.
Note: the Mifare key is composed as follows:
- 6 bytes for key A
- 4 bytes for Access Bits
- 6 bytes for key B, which is optional and can be set to 00 or any other value
To change your keys you have to authenticate the Sector Trailer and then write your new keys + new access conditions if you want to change them too.
Example
- New key A = 00 11 22 33 44 55
- Access bits not overwritten
- Key B not used (so FF FF FF FF FF FF)
=> Write to Sector Trailer 00 11 22 33 44 55 FF 0F 00 FF FF FF FF FF FF FF
Further details are available on the NXP website or directly at the following link: https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf
The default Access Bits are usually FF 0F 00, which allow writing and reading each block and reading and writing key B.
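
The sector trailer layout described in the answer can be checked before it is written to a tag. The following Python code is an added example, not part of the original answer: it decodes the access bits of a 16-byte trailer and rejects an inconsistent encoding. The function name `parse_trailer` and the sample names are hypothetical; the bit layout and the transport value `FF 07 80 69` are taken from the NXP MF1S50 datasheet linked above.

```python
# Added example: validate a 16-byte MIFARE Classic sector trailer before writing it.
# parse_trailer() and the sample names are hypothetical, not from the original page.

# Trailer C1 C2 C3 values under which the access bits stay writable (NXP datasheet).
ACCESS_BITS_WRITABLE = {(0, 0, 1), (0, 1, 1), (1, 0, 1)}

ANSWER_EXAMPLE = "00 11 22 33 44 55 FF 0F 00 FF FF FF FF FF FF FF"  # from the answer
TRANSPORT = "FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF"  # datasheet transport config
CORRUPTED = "00 11 22 33 44 55 FF 0F 01 FF FF FF FF FF FF FF"  # constructed: one bit flipped


def parse_trailer(hex_str):
    """Split a trailer into keys and per-block-group (C1, C2, C3) access bits."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 16:
        raise ValueError("sector trailer must be exactly 16 bytes")
    b6, b7, b8 = raw[6], raw[7], raw[8]
    # Each of C1, C2, C3 is a nibble (bit i = block group i) stored twice:
    # once as-is and once inverted. A format violation irreversibly blocks
    # the whole sector (NXP datasheet), so refuse to continue on a mismatch.
    pairs = {"C1": (b7 >> 4, b6 & 0x0F),
             "C2": (b8 & 0x0F, b6 >> 4),
             "C3": (b8 >> 4, b7 & 0x0F)}
    for name, (plain, inverted) in pairs.items():
        if plain ^ inverted != 0x0F:
            raise ValueError(f"{name} does not match its inverted copy")
    c1, c2, c3 = (pairs[n][0] for n in ("C1", "C2", "C3"))
    # Group 3 is the sector trailer itself; groups 0-2 are the data blocks.
    groups = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {
        "key_a": raw[:6].hex(),
        "user_byte": raw[9],
        "key_b": raw[10:].hex(),
        "groups": groups,
        "access_bits_rewritable": groups[3] in ACCESS_BITS_WRITABLE,
        "default_key_a": raw[:6] == b"\xff" * 6,
    }


if __name__ == "__main__":
    for label, sample in (("answer", ANSWER_EXAMPLE), ("transport", TRANSPORT),
                          ("corrupted", CORRUPTED)):
        try:
            print(label, parse_trailer(sample))
        except ValueError as err:
            print(label, "REJECTED:", err)
```

For the answer's trailer every block group decodes to 0 0 0, and under the datasheet's table that value leaves the access bits themselves non-writable afterwards, which the `access_bits_rewritable` flag reports.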