
Messing Around with MiFare Classic Cards

Hello ppl,

I’ve been reading some cool things in the past year about NFC/RFID tags, especially that one dude who made an NFC-enabled ring.

Then I read about cheap NFC readers/writers and libnfc.

I am a very curious individual, so eventually I started gathering the materials I needed for messing around with this sort of thing.


Hardware

I got the ACR122U cheapo NFC/RFID reader/writer from a friendly Chinese seller from ebay, yey :). God bless the electronics makers from Hong Kong.

I also bought a set of MiFare Classic 1K cards (they’re like 1 euro apiece).

You also need a computer. With one of them newfangled USB ports. No serial or PS/2, sorry!

Seriously, though, if you need something special, more DIY, hackish or whatever, you can get a PN532 board and use it however you want. I like USB but hey…

The PN532 chip is the one that makes the magic happen. I think it’s used in them Android phones too.


Software

Well, libnfc is the center piece of the whole operation.

Of course, the manufacturer offers some drivers and software but I didn’t really bother with that.

Most Linux distros come with the PN533 driver built in, which really just gets in the way of the fun.

OS X also has its own driver and a pcscd daemon that ruins the hacking fun for me.

Some other cool tools are needed of course for some serious hex hacking: like ghex, kdiff3, vbindiff…

But, whatever. Power to the people, libnfc does all the heavy lifting.


Setting up on Linux

First of all, blacklist or remove that annoying PN533 driver.

# unload the kernel NFC stack so libnfc can talk to the reader directly
sudo rmmod pn533
sudo rmmod nfc

You could also blacklist them in udev, but let’s not be so evil.

If you’re feeling cool you could just build libnfc from source but… just get the package.

sudo apt-get install libnfc

On a Debian-like system. I don’t care about you Fedora fans, OK? Or Gentoo or Slax…

If you do decide to build libnfc it’s pretty easy, I did that the first time.

What’s very annoying about libnfc is that it requires superuser access to get to the device.

Some useful commands:

# list the tags currently in the reader's field
sudo nfc-list
# write mycard.mfd back onto a card, authenticating with key A
sudo nfc-mfclassic w a mycard.mfd
# recover the keys and dump the whole card to mycard.mfd
sudo mfoc -o mycard.mfd

This is for MiFare cards. The nfc-mfclassic tool lets you read/write cards. I’ve also seen that they split the MiFare stuff into a separate lib, libfreefare.

Now… go wild. But stay within the law, pls.


Setting up on OS X

Gotta love the Mac. I do.

On OS X, I use brew to get my software packages.

So, basically just do:

brew install libnfc

This should get you libnfc 1.7.0; 1.7.1 is the latest.

Now, OS X annoyingly has a service that blocks libnfc’s driver. You need to kill it!

# get the pid of pcscd
sudo launchctl list | grep pcscd
# kill it! (pcscd runs as root, so kill needs sudo too)
sudo kill <pid_of_pcscd>

That’s it. The next part is just like on Linux.


Setting up on Windows

Humm… who cares?


MiFare Security…

…IS CRAP!

You can crack MiFare Classic cards with mfoc or mfcuk.

(apt-get them both or brew install them on OS X)

The tool mfoc tries a list of well-known default keys against the card. If none of them work, it will fail to access it.

The tool mfcuk is smarter, using the “dark side recovery attack” it manages to recover pretty much any key.

So, yeah, don’t rely on MiFare Classic cards to be secure. Beware!
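Since mfoc’s whole first step is trying default keys, the obvious check on your own cards is whether any sector trailer in a dump still carries one. The script below is an added example, not part of this post or of libnfc/mfoc; it parses a 1K dump in the layout `mfoc -o` writes (16 sectors × 4 blocks × 16 bytes, keys in each trailer), flags sectors that still use a few of the well-known defaults (a short subset of mfoc’s list), and sanity-checks the access bits, which the card stores twice (once inverted). The sample dump is constructed inline.

```python
"""Audit a MiFare Classic 1K dump (.mfd) for sectors still using default keys."""
from typing import Dict, List

BLOCK, SECTOR_BLOCKS, SECTORS = 16, 4, 16
DUMP_SIZE = BLOCK * SECTOR_BLOCKS * SECTORS  # 1024 bytes for a 1K card

# A few of the default keys mfoc tries first (assumption: subset of its full list).
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "FFFFFFFFFFFF", "A0A1A2A3A4A5", "D3F7D3F7D3F7",
    "000000000000", "B0B1B2B3B4B5", "AABBCCDDEEFF")}

def access_bits_consistent(ac: bytes) -> bool:
    """Trailer bytes 6..8 hold C1..C3 plus their inverted copies; a mismatch means corruption."""
    b6, b7, b8 = ac[0], ac[1], ac[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4          # the non-inverted copies
    return ((b6 & 0x0F) == (~c1 & 0x0F) and (b6 >> 4) == (~c2 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))

def parse_sectors(dump: bytes) -> List[Dict]:
    """Return key/access findings for every sector trailer (block 3 of each sector)."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected a {DUMP_SIZE}-byte 1K dump, got {len(dump)} bytes")
    findings = []
    for s in range(SECTORS):
        start = (s * SECTOR_BLOCKS + 3) * BLOCK
        trailer = dump[start:start + BLOCK]
        key_a, ac, key_b = trailer[0:6], trailer[6:9], trailer[10:16]
        findings.append({"sector": s,
                         "key_a_default": key_a in DEFAULT_KEYS,
                         "key_b_default": key_b in DEFAULT_KEYS,
                         "access_ok": access_bits_consistent(ac)})
    return findings

def weak_sectors(dump: bytes) -> List[int]:
    """Sectors readable by anyone holding mfoc's default key list."""
    return [f["sector"] for f in parse_sectors(dump)
            if f["key_a_default"] or f["key_b_default"]]

def build_sample_dump() -> bytes:
    """Constructed sample: factory-fresh card, except sectors 1 and 2 got custom keys."""
    transport_ac = bytes.fromhex("FF078069")            # factory access bits + GPB
    default = bytes.fromhex("FFFFFFFFFFFF")
    custom_a, custom_b = bytes.fromhex("112233445566"), bytes.fromhex("665544332211")
    blocks = []
    for s in range(SECTORS):
        blocks += [bytes(BLOCK)] * 3                     # data blocks left empty
        keys = (custom_a, custom_b) if s in (1, 2) else (default, default)
        blocks.append(keys[0] + transport_ac + keys[1])
    return b"".join(blocks)

if __name__ == "__main__":
    print("sectors still on default keys:", weak_sectors(build_sample_dump()))
```

To audit a real card, replace `build_sample_dump()` with `open("mycard.mfd", "rb").read()`.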


Projects?

Opening doors, enabling security webcams, turning off PCs…

Or maybe just reverse engineering other ppl’s NFC/RFID cards for fun? Humm..

NFC is FUN!

Disclaimer

I know all this info is available pretty much everywhere but I just wanted to assemble it a bit, put my own perspective on it.

Take care.
