Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Clone MiFare cards using chinesse UUID writable cards

libnfc supports UUID writable cards and even has some dedicated tools for them.

However it doesn't work with some of the cards found on eBay that are even simpler to use. Sector 0 is unlocked and can be written without any additional commands. libnfc requires a small patch to get it working.

Following has been tested under ArchLinux with modified libnfc 1.5.1, mfoc 0.10.2 and a SCL3711 dongle.

Patch & recompile libnfc

The patch is fairly simple, open libnfc-1.5.1/utils/nfc-mfclassic.c and comment 2 lines (it was lines 384 and 385 for me):

  // Try to write the trailer
  if (nfc_initiator_mifare_cmd (pnd, MC_WRITE, uiBlock, &mp) == false) {
    printf ("failed to write trailer block %d \n", uiBlock);
    bFailure = true;
  }
} else {
  // The first block 0x00 is read only, skip this
// COMMENT THIS      if (uiBlock == 0 && ! write_block_zero)
// COMMENT THIS        continue;

Recompile and install.

Connect the SCL3711 dongle

I manually have to remove the pn533 module in order to get libnfc to work. This needs to be done everytime you re-plug the SCL3711 dongle.

# sudo rmmod pn533

Dump the blank Chinese card

Read the fresh blank chinese card

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
 ATQA (SENS_RES): 00  04  
   UID (NFCID1): 00  00  00  00  
   SAK (SEL_RES): 08  

Dump the blank chinese card card to get the keys

# mfoc -P 500 -O blank-chinese.dmp

Now remove the chinese card and put the card you want to copy and dump it

Dump the Mifare card your want to copy

Let's read the card to clone first

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
ATQA (SENS_RES): 00  04  
    UID (NFCID1): 9b  97  4f  19  
    SAK (SEL_RES): 08  

Time to dump the target card

# mfoc -P 500 -O cardtocopy.dmp

Put the chinese card back and clone the card

Write the Chinese card with the content of the other card including UUID

# nfc-mfclassic w b cardtocopy.dmp blank-chinese.dmp

or

# nfc-mfclassic w a cardtocopy.dmp blank-chinese.dmp

Check that the card is the same:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
  ATQA (SENS_RES): 00  04  
   UID (NFCID1): 9b  97  4f  19  
   SAK (SEL_RES): 08  

Go back to blank card

# nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp

or

# nfc-mfclassic w a blank-chinese.dmp cardtocopy.dmp

Ambroos commented Dec 3, 2013

Cool, going to try this soon. You should try using a default unadjusted nfc-mfclassic too, with a capital W parameter it should attempt to write the UUID too. Haven't tested it with my SCL3711 yet.

hello from france.

it works with my SCL3711 and raspbian.
we can write uuid with a capital W and a capital X for wrting booth keys.
i buy cards on ebay from clonemykey. (not only him) but this seller is fast and furious, tx to him.

so, tx for this patch(actually still working with libnfc1.7.1)

Hi,

the capital W parameter seems to work with a writable UUID card. Mostly... Curiously, while trying to write a blank chinese card with one of my other backups, I get the following error message: "incorrect bcc in mfd file". What happens if the UUID is written with a hex that doesn't conform with the BCC check? Thanks.

y0d4a commented Dec 4, 2016

hi, i got nxp pn532 and want to try clone my door card.
I have connected with arduino, can i use "nfc-mfclassic" in this option?
if yes, is there some code for arduino how to set, so "nfc-mfclassic" can read it?

thank you..

my cards and tokens came with default UID, they are writable, i had followed your instructions closely but the UID of the blank card does not seem to change at all. Permission of Block 1 and 2 seems to have changed. thanks

duchenpaul commented May 11, 2017 edited

Nice manual, but there is a defect.
In section:
Write the Chinese card with the content of the other card including UUID
nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp
should be
nfc-mfclassic W b blank-chinese.dmp cardtocopy.dmp

the manual of nfc-mfclassic says

The W option allows writing of special MIFARE cards that can be 'unlocked' to allow block 0 to be overwritten.

you see, the author of the patch specifically says that this is for cards that do not have to be unlocked to allow overwriting the sector 0 and may fail to write when an unlock is attempted

tinue commented Aug 30, 2017

The current 1.7x libnfc includes support for these cards, so the patch is not necessary. But even then, original NXP Mifare Classic cards can't be cloned. While all sectors (including 0) are cloned ok, the clone still behaves differently compared to the original. For example, it reports an SAK of "08", while the clone reports "88" (because "88" is in sector 0). Any modern reader will be able to tell that the card is cloned, so don't bother.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment