Clone MIFARE cards using Chinese UID-writable cards

libnfc supports UID-writable cards and even ships dedicated tools for them.

However, it does not work with some of the cards found on eBay that are even simpler to use: on those, block 0 (the manufacturer block in sector 0, which holds the UID) is permanently unlocked and can be written like any other block, with no special unlock command. Stock nfc-mfclassic refuses to touch block 0, so libnfc needs a small patch to get it working.

The following has been tested under Arch Linux with a patched libnfc 1.5.1, mfoc 0.10.2 and an SCL3711 dongle.

Patch & recompile libnfc

The patch is trivial: open libnfc-1.5.1/utils/nfc-mfclassic.c and comment out the two lines that skip block 0 when writing (lines 384 and 385 in my copy):

      // Try to write the trailer
      if (nfc_initiator_mifare_cmd (pnd, MC_WRITE, uiBlock, &mp) == false) {
        printf ("failed to write trailer block %d \n", uiBlock);
        bFailure = true;
      }
    } else {
      // The first block 0x00 is read only, skip this
      // COMMENT THIS:  if (uiBlock == 0 && ! write_block_zero)
      // COMMENT THIS:    continue;

Recompile and install libnfc. Without the patch block 0 is silently skipped and the UID is never written. Later libnfc releases added a capital W write mode for cards that need an unlock command first (see the comments below); the cards this gist is about do not need one, and the patched lowercase w is what the rest of this page uses.

Connect the SCL3711 dongle

I have to remove the pn533 kernel module manually, otherwise libnfc cannot claim the device. This needs to be done every time the SCL3711 dongle is re-plugged.

# sudo rmmod pn533

Dump the blank Chinese card

Read the fresh blank Chinese card first. These cards ship with an all-zero UID:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 00  00  00  00
      SAK (SEL_RES): 08

Dump the blank Chinese card to recover its keys (-P sets the number of probes, -O the output file). This dump is needed later as the key file when writing to the card:

# mfoc -P 500 -O blank-chinese.dmp

Now remove the Chinese card, put the card you want to copy on the reader, and dump it.

Dump the MIFARE card you want to copy

Read the card to clone first:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 9b  97  4f  19
      SAK (SEL_RES): 08

Then dump the target card:

# mfoc -P 500 -O cardtocopy.dmp

Put the Chinese card back and clone the card

Write the Chinese card with the content of the other card, including the UID. The first file is the dump to write, the second supplies the keys of the card being written to (here the blank card's own keys), and the letter a or b selects which key is used for authentication. Lowercase w is correct here, since the patch above makes it write block 0 as well:

# nfc-mfclassic w b cardtocopy.dmp blank-chinese.dmp

or

# nfc-mfclassic w a cardtocopy.dmp blank-chinese.dmp

Check that the card now reports the UID of the copied card:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 9b  97  4f  19
      SAK (SEL_RES): 08

Go back to the blank card

To restore the blank card, write its own dump back. The keys now come from the copied card's dump, because those are the keys the Chinese card currently holds:

# nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp

or

# nfc-mfclassic w a blank-chinese.dmp cardtocopy.dmp
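
Before writing, it is worth checking the dump files themselves, and after writing, checking that what nfc-list reports agrees with block 0 of the dump. The following Python is an added example, not code from this gist, libnfc or mfoc. It assumes the raw 1024-byte layout mfoc and nfc-mfclassic use for a 1K card (16 sectors of 4 blocks of 16 bytes; block 0 = UID, BCC, SAK, ATQA, manufacturer data; each sector trailer = Key A, access bits, Key B) and works on constructed dumps and a constructed nfc-list transcript built around the UID 9b 97 4f 19 from the output above. All function names (check_bcc, set_uid, diff_blocks, parse_nfc_list, matches_dump) are mine. The BCC check is the one behind the "incorrect bcc in mfd file" error, and the SAK comparison is the mismatch, raised in the comments below.

```python
"""Sanity checks for MIFARE Classic 1K dump files before and after cloning.

Added example, not code from the gist, libnfc or mfoc.  Assumed dump layout:
16 sectors x 4 blocks x 16 bytes; block 0 = UID(4) BCC(1) SAK(1) ATQA(2)
manufacturer(8); sector trailer = Key A(6) access bits(4) Key B(6).
"""
import re

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_SIZE_1K = SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes


def bcc(uid: bytes) -> int:
    """Block check character of a 4-byte UID: the XOR of its bytes."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte (single-size) UID")
    out = 0
    for b in uid:
        out ^= b
    return out


def parse_block0(dump: bytes) -> dict:
    """Split the manufacturer block (block 0) into its fields."""
    if len(dump) != DUMP_SIZE_1K:
        raise ValueError(f"dump is {len(dump)} bytes, expected {DUMP_SIZE_1K}")
    b0 = dump[:BLOCK_SIZE]
    return {"uid": b0[0:4], "bcc": b0[4], "sak": b0[5],
            "atqa": b0[6:8], "manufacturer": b0[8:16]}


def check_bcc(dump: bytes) -> bool:
    """True when the stored BCC matches the UID; a mismatch is what makes
    nfc-mfclassic refuse a dump with 'incorrect bcc in mfd file'."""
    fields = parse_block0(dump)
    return fields["bcc"] == bcc(fields["uid"])


def sector_keys(dump: bytes, sector: int) -> tuple:
    """(Key A, Key B) stored in a sector trailer, i.e. what mfoc recovered."""
    start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE
    trailer = dump[start:start + BLOCK_SIZE]
    return trailer[0:6], trailer[10:16]


def set_uid(dump: bytes, new_uid: bytes) -> bytes:
    """Copy of dump whose block 0 carries new_uid and a recomputed BCC.
    SAK, ATQA and manufacturer bytes are left untouched."""
    parse_block0(dump)  # validates the size
    b0 = bytearray(dump[:BLOCK_SIZE])
    b0[0:4] = new_uid
    b0[4] = bcc(new_uid)
    return bytes(b0) + dump[BLOCK_SIZE:]


def diff_blocks(a: bytes, b: bytes) -> list:
    """Block numbers at which two dumps differ (post-clone comparison)."""
    return [n for n in range(DUMP_SIZE_1K // BLOCK_SIZE)
            if a[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            != b[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]]


def parse_nfc_list(text: str) -> dict:
    """Pull ATQA, UID and SAK out of nfc-list's 'ISO14443A passive target' lines."""
    def field(name: str) -> bytes:
        m = re.search(rf"{name}.*?:\s*((?:[0-9a-f]{{2}}\s*)+)", text, re.I)
        if not m:
            raise ValueError(f"{name} not found in nfc-list output")
        return bytes.fromhex(re.sub(r"\s", "", m.group(1)))
    return {"atqa": field("ATQA"), "uid": field("UID"), "sak": field("SAK")[0]}


def matches_dump(dump: bytes, nfc_list_output: str) -> bool:
    """Does what the reader reports agree with block 0 of the dump?
    Block 0 stores ATQA low byte first (04 00); nfc-list prints it as 00 04."""
    seen = parse_nfc_list(nfc_list_output)
    b0 = parse_block0(dump)
    return (seen["uid"] == b0["uid"] and seen["sak"] == b0["sak"]
            and seen["atqa"] == bytes(reversed(b0["atqa"])))


def make_dump(uid: bytes, sak: int = 0x08,
              key_a: bytes = b"\xff" * 6, key_b: bytes = b"\xff" * 6) -> bytes:
    """Constructed sample dump (not read from a card): block 0 built from uid,
    zeroed data blocks, transport access bits FF 07 80 69 and the given keys."""
    block0 = uid + bytes([bcc(uid), sak, 0x04, 0x00]) + bytes(8)
    trailer = key_a + bytes.fromhex("ff078069") + key_b
    out = b""
    for sector in range(SECTORS_1K):
        first = block0 if sector == 0 else bytes(BLOCK_SIZE)
        out += first + bytes(BLOCK_SIZE) * 2 + trailer
    return out


# Constructed nfc-list transcript for the copied card, shaped like the gist's output.
NFC_LIST_TARGET = """\
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 9b  97  4f  19
      SAK (SEL_RES): 08
"""

if __name__ == "__main__":
    blank = make_dump(bytes(4))                    # stands in for blank-chinese.dmp
    target = make_dump(bytes.fromhex("9b974f19"))  # stands in for cardtocopy.dmp
    print("target BCC ok:", check_bcc(target))
    print("blank vs target differ in blocks:", diff_blocks(blank, target))
    clone = set_uid(blank, parse_block0(target)["uid"])
    print("clone agrees with nfc-list:", matches_dump(clone, NFC_LIST_TARGET))
```

Run it against real files by replacing the make_dump() calls with open("cardtocopy.dmp", "rb").read() and friends; a False from check_bcc() before writing, or a non-empty diff_blocks() and a False from matches_dump() after writing, is the point at which to stop and look at block 0 rather than retry the write.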

Ambroos commented Dec 3, 2013

Cool, going to try this soon. You should try using a default unadjusted nfc-mfclassic too; with a capital W parameter it should attempt to write the UUID too. Haven't tested it with my SCL3711 yet.

lanoiraude commented May 11, 2014

Hello from France.

It works with my SCL3711 and Raspbian.
We can write the UUID with a capital W, and a capital X for writing both keys.
I buy cards on eBay from clonemykey (not only him), but this seller is fast and furious, thanks to him.

So, thanks for this patch (actually still working with libnfc 1.7.1).

hermes55555 commented Nov 16, 2015

Hi,

the capital W parameter seems to work with a writable UUID card. Mostly... Curiously, while trying to write a blank Chinese card with one of my other backups, I get the following error message: "incorrect bcc in mfd file". What happens if the UUID is written with a hex that doesn't conform with the BCC check? Thanks.

y0d4a commented Dec 4, 2016

Hi, I got an NXP PN532 and want to try to clone my door card.
I have it connected to an Arduino; can I use "nfc-mfclassic" in this setup?
If yes, is there some code for the Arduino showing how to set it up so "nfc-mfclassic" can read it?

Thank you.

Kinny092 commented Feb 20, 2017

My cards and tokens came with a default UID; they are writable. I followed your instructions closely, but the UID of the blank card does not seem to change at all. The permissions of blocks 1 and 2 seem to have changed. Thanks.

duchenpaul commented May 11, 2017

Nice manual, but there is a defect.
In section:
Write the Chinese card with the content of the other card including UUID
nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp
should be
nfc-mfclassic W b blank-chinese.dmp cardtocopy.dmp

The manual of nfc-mfclassic says:

The W option allows writing of special MIFARE cards that can be 'unlocked' to allow block 0 to be overwritten.

hramrach commented Jul 14, 2017

You see, the author of the patch specifically says that this is for cards that do not have to be unlocked to allow overwriting sector 0, and that may fail to write when an unlock is attempted.

tinue commented Aug 30, 2017

The current 1.7x libnfc includes support for these cards, so the patch is not necessary. But even then, original NXP Mifare Classic cards can't be cloned. While all sectors (including 0) are cloned ok, the clone still behaves differently compared to the original. For example, it reports an SAK of "08", while the clone reports "88" (because "88" is in sector 0). Any modern reader will be able to tell that the card is cloned, so don't bother.

tamsky commented May 29, 2018

@tinue have you tried the nfc-mfsetuid command? It correctly sets the SAK for me.

bokub commented May 31, 2018

@tamsky Thanks so much, that worked like a charm 🎉