@alphazo
Created August 9, 2012 11:03
Clone MIFARE Classic cards using Chinese UID-writable cards

libnfc supports UID-writable ("magic") cards and even has dedicated support for them: nfc-mfclassic's unlocked-write mode (W) sends the card's backdoor unlock command before writing block 0. The cards are usually advertised as "UUID writable"; the value in question is the 4-byte UID that nfc-list prints as NFCID1.

However, that code path does not work with some of the cards found on eBay, which are even simpler to use: block 0 (the manufacturer block that holds the UID) is not locked and can be rewritten with a plain MIFARE write after a normal key authentication, with no unlock command at all. libnfc refuses to attempt that by default and needs a small patch.

The following was tested under Arch Linux with a patched libnfc 1.5.1, mfoc 0.10.2 and an SCL3711 dongle.

Patch & recompile libnfc

The patch is trivial: open libnfc-1.5.1/utils/nfc-mfclassic.c and comment out the two lines that skip block 0 unless an unlocked write was requested (lines 384 and 385 in my copy). After the edit the region looks like this:

  // Try to write the trailer
  if (nfc_initiator_mifare_cmd (pnd, MC_WRITE, uiBlock, &mp) == false) {
    printf ("failed to write trailer block %d \n", uiBlock);
    bFailure = true;
  }
} else {
  // The first block 0x00 is read only, skip this
  // Commented out so that a plain 'w' also writes block 0 (the UID) with an ordinary MC_WRITE:
  // if (uiBlock == 0 && ! write_block_zero)
  //   continue;

Recompile and install. Be aware of the side effect: with those lines gone, a plain w write now attempts block 0 on every card. On a genuine MIFARE Classic that write is rejected by the chip and the tool reports the block as failed; nothing is damaged, but the "failed" output is expected there.

Connect the SCL3711 dongle

The kernel's pn533 driver claims the dongle, so libnfc's own userspace driver cannot open it. I have to remove the module by hand, and this needs to be done every time the SCL3711 is re-plugged (blacklisting pn533 in /etc/modprobe.d makes it permanent):

# sudo rmmod pn533

Dump the blank Chinese card

Read the fresh blank Chinese card first. Note the all-zero UID: that is how these cards usually arrive, and it is the easiest way to tell the blank apart from the card you are copying.

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 00  00  00  00  
      SAK (SEL_RES): 08  

Dump the blank Chinese card to recover its keys (-P sets the number of probes per sector, -O the output file; fresh cards normally answer to the default keys, so this is quick). This dump is needed later as the key file when writing to the card:

# mfoc -P 500 -O blank-chinese.dmp

Now remove the Chinese card, put down the card you want to copy, and dump that one.

Dump the MIFARE card you want to copy

Read the card to clone first:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): 9b  97  4f  19  
      SAK (SEL_RES): 08  

Time to dump the target card. mfoc needs at least one sector with a known key to bootstrap its nested attack; if it finds none, no dump is produced and the card cannot be cloned this way:

# mfoc -P 500 -O cardtocopy.dmp

Put the chinese card back and clone the card

Write the Chinese card with the content of the other card, including the UID in block 0. The first file is the image to write; the second is the key file: nfc-mfclassic authenticates to each sector of the card being written using the keys from the second file's sector trailers, which is why the blank card's own dump goes there:

# nfc-mfclassic w b cardtocopy.dmp blank-chinese.dmp

or, authenticating with key B instead of key A (either works as long as the blank card's access bits grant that key write permission to every block):

# nfc-mfclassic w a cardtocopy.dmp blank-chinese.dmp

Check that the Chinese card now presents the copied UID:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
   UID (NFCID1): 9b  97  4f  19  
   SAK (SEL_RES): 08  

Go back to the blank card. The file roles are swapped: the blank image is the data to write, and since the card now carries the copied card's keys, the copied card's dump is the key file:

# nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp

or

# nfc-mfclassic w a blank-chinese.dmp cardtocopy.dmp
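
The procedure above moves 1K dump files around without saying what is in them. The following Python script is an added example for this page, not code from the gist, libnfc or mfoc. It parses a 1024-byte MIFARE Classic 1K image (64 blocks of 16 bytes, the format mfoc writes and nfc-mfclassic reads), pulls the UID, BCC, SAK and ATQA out of block 0, lists key A, access bits and key B from every sector trailer (the fields nfc-mfclassic takes from its second file), and diffs two images block by block so a clone can be verified from dumps rather than from nfc-list alone. It also composes a block 0 with a correct BCC (the XOR of the four UID bytes), for the case where you want to write a chosen UID rather than copy one. The sample images are constructed inside the script from the two UIDs shown in the nfc-list output above; the keys, access bits and manufacturer bytes are assumed values, and the 1K layout of four blocks per sector is an assumption (a 4K card is laid out differently).

```python
"""Inspect and compare MIFARE Classic 1K dumps (.mfd / .dmp) as used by mfoc and nfc-mfclassic.

Added example, not part of the original gist or of libnfc.  Assumes a 1K card:
64 blocks x 16 bytes, sector n = blocks 4n..4n+3, last block of each sector is
the trailer (key A | access bits | key B).  Block 0 is the manufacturer block:
UID(4) BCC(1) SAK(1) ATQA(2) manufacturer data(8).
"""

BLOCK = 16
BLOCKS_1K = 64
SECTOR_SIZE = 4  # blocks per sector on a 1K card (assumption: not a 4K layout)


def bcc(uid: bytes) -> int:
    """Block Check Character for a 4-byte UID: XOR of the four UID bytes.

    A genuine card ships with a matching BCC in byte 4 of block 0.  A
    UID-writable card accepts anything, so validate before writing block 0.
    """
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    value = 0
    for byte in uid:
        value ^= byte
    return value


def build_block0(uid: bytes, sak: int = 0x08, atqa: bytes = b"\x04\x00",
                 manufacturer: bytes = b"\x00" * 8) -> bytes:
    """Compose a manufacturer block with a correct BCC.

    SAK 0x08 / ATQA 04 00 match the Classic 1K values nfc-list shows above;
    the manufacturer bytes are an assumed placeholder.
    """
    block = uid + bytes([bcc(uid), sak]) + atqa + manufacturer
    if len(block) != BLOCK:
        raise ValueError("block 0 must be exactly 16 bytes")
    return block


def parse_dump(data: bytes) -> dict:
    """Extract block 0 fields and every sector trailer from a 1K image."""
    if len(data) != BLOCKS_1K * BLOCK:
        raise ValueError(f"expected a {BLOCKS_1K * BLOCK}-byte 1K dump, got {len(data)}")
    block0 = data[:BLOCK]
    uid = block0[:4]
    sectors = []
    for s in range(BLOCKS_1K // SECTOR_SIZE):
        start = (s * SECTOR_SIZE + SECTOR_SIZE - 1) * BLOCK  # trailer block of sector s
        trailer = data[start:start + BLOCK]
        sectors.append({
            "key_a": trailer[:6].hex(),
            "access_bits": trailer[6:10].hex(),
            "key_b": trailer[10:16].hex(),
        })
    return {
        "uid": uid.hex(),
        "bcc_ok": block0[4] == bcc(uid),
        "sak": block0[5],
        "atqa": block0[6:8].hex(),
        "sectors": sectors,
    }


def diff_blocks(a: bytes, b: bytes) -> list:
    """Indices of blocks that differ between two images; empty means an exact clone."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    return [i for i in range(len(a) // BLOCK)
            if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


def make_dump(block0: bytes, key_a: bytes, key_b: bytes,
              access_bits: bytes = b"\xff\x07\x80\x69") -> bytes:
    """Constructed 1K image: the given block 0, zeroed data blocks, uniform trailers.

    FF 07 80 69 is the transport (factory) access-bit configuration.
    """
    trailer = key_a + access_bits + key_b
    image = bytearray()
    for i in range(BLOCKS_1K):
        if i == 0:
            image += block0
        elif i % SECTOR_SIZE == SECTOR_SIZE - 1:
            image += trailer
        else:
            image += b"\x00" * BLOCK
    return bytes(image)


# Constructed sample images modelled on the nfc-list output in the gist (not real card dumps).
DEFAULT_KEY = b"\xff" * 6
BLANK_DUMP = make_dump(build_block0(b"\x00\x00\x00\x00"), DEFAULT_KEY, DEFAULT_KEY)
TARGET_DUMP = make_dump(build_block0(bytes.fromhex("9b974f19")),
                        bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5"))


if __name__ == "__main__":
    for name, dump in (("blank", BLANK_DUMP), ("target", TARGET_DUMP)):
        info = parse_dump(dump)
        print(f"{name}: UID {info['uid']} BCC ok={info['bcc_ok']} SAK {info['sak']:02x} "
              f"ATQA {info['atqa']} sector0 keyA={info['sectors'][0]['key_a']} "
              f"keyB={info['sectors'][0]['key_b']}")
    print("blocks differing between blank and target:", diff_blocks(BLANK_DUMP, TARGET_DUMP))
```

On real files, replace the constructed images with the bytes of cardtocopy.dmp and a fresh read of the Chinese card after the write; an empty diff_blocks result is a stronger check than the matching UID line from nfc-list, since it also confirms that the data blocks and the keys in the trailers were written.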
@Fusseldieb

Fusseldieb commented Mar 29, 2019

But even then, original NXP Mifare Classic cards can't be cloned.

Don't say can't, there's always a way...

@xqyww123

xqyww123 commented Apr 7, 2021

Hacking the code is perhaps necessary. The original code checks several settings to decide whether a card is unlockable,

    // Chinese magic emulation card, ATS=0978009102:dabc1910
    if ((res == 9)  && (abtRx[5] == 0xda) && (abtRx[6] == 0xbc)
        && (abtRx[7] == 0x19) && (abtRx[8] == 0x10)) {
      magic2 = true;
    }

and also in bool write_card(int write_block_zero):

  if (write_block_zero)
    if (!unlock_card())
      return false;

At least for my Chinese card, the original unlock operation fails in the bool unlock_card(void) function.
It's not hard to imagine: the Chinese card pretends to be 'a normal card' to bypass some firewall, and cannot be recognized by the original code.
