@rickdoesburg
Last active January 6, 2024 23:14
Cloning Mifare Classic 1k 7-byte UID cards and the world of NFC magic cards for dummies

Cloning a 7-byte UID MFC (Mifare Classic) 1k card and more

This is a little blog about my trials of figuring out how to clone a 7-byte 1k MFC card and more I discovered. I'm not an expert, this is just what I found out. I'm writing it down because I couldn't find a single place where this info was grouped together.

A little while ago I bought a Flipper Zero because I was interested in the world of NFC/RFID tags and I wanted to figure out a way to clone my NFC card used to open the underground waste container in my neighbourhood.

Findings

  • It turns out most of my NFC cards used for various services are so-called MIFARE Classic (MFC) 1K cards. These appear to be the most common card used for semi-secure things. The tag used to enter my office is a MIFARE DESFire card, which as far as I know, isn't clonable unless you have the decryption keys.
    • There is also a MIFARE Classic 4K version which can store more data. I haven't encountered this one yet so there's nothing I can tell you about it.
  • The MFC cards come in two variants: a 4-byte and a 7-byte version.

Magic Cards

In order to 'clone' your NFC card you'll need something called a Magic card. It sounds fancy but it's just a (Chinese) backdoored version of a regular card. There are many, many versions available. Normally a card has a unique ID (UID) that isn't changeable. As owner of the system you could buy cards, which come with unique IDs, and add them to your allowed database (system). These backdoored cards allow the UID (and block 0, which stores the UID and some other data) to be changed, allowing you to 'clone' a card by writing the UID of your original card to it.

The versions:

  • Gen1A

    • These are the most sold versions on Amazon, AliExpress etc. Very cheap.
    • They are almost certainly the 4-byte version. I haven't found a single 7-byte one.
    • Flipper Zero can write these cards/tags
  • Gen2 (Also called CUID)

    • Widely available, cheap.
    • These can be written to using an Android phone and the MIFARE Classic Tool app
    • These can't be used with a Flipper Zero
    • They are also 4-byte
  • Gen3 (They aren't usually called gen3 by the sellers)

    • These cards can be written to using the Flipper Zero but it requires you to use the CLI and APDU commands
      • To use the CLI connect Flipper using USB and visit lab.flipper.net
    • I was able to find 4-byte and 7-byte versions of this card on AliExpress. One of the sellers is the Piswords store, the other is called XCRFID Store. And that's about the only place I was able to find them. They are about €5 a piece, which is quite a lot more than the Gen1a and Gen2 versions.

Cloning the 7-byte card

So I bought a couple of the 7-byte cards and was ready to write the UID/Block0 to them using the Flipper Zero CLI. Using the APDU command I was able to change the UID of the 7-byte card successfully. However, writing block 0 wasn't a success. This proved to be enough for one card to work, but the other system didn't accept the card with a difference between the UID and the UID in block 0.

I found a couple of posts from different people having the same issue
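The UID/block 0 mismatch described above is something a reader can test for. This is an added example (not part of the original gist) of such a consistency check, assuming the usual MIFARE Classic layout where block 0 starts with the 4- or 7-byte UID and, for 4-byte UIDs, byte 4 holds the BCC (the XOR of the UID bytes); the function names and all sample bytes are constructed.

```python
"""Added example: compare the UID a card announces with its block 0 contents."""


def expected_bcc(uid4: bytes) -> int:
    """ISO 14443-3 block check character: XOR of the four UID bytes."""
    bcc = 0
    for b in uid4:
        bcc ^= b
    return bcc


def check_block0(announced_uid: bytes, block0: bytes) -> list:
    """Return findings for a MIFARE Classic card; an empty list means consistent.

    announced_uid: UID seen during anticollision (4 or 7 bytes).
    block0: the 16 bytes read from sector 0, block 0 after authentication.
    """
    if len(block0) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    n = len(announced_uid)
    if n not in (4, 7):
        raise ValueError("MIFARE Classic UIDs are 4 or 7 bytes")
    findings = []
    # Assumed layout: block 0 begins with the same UID the card announces.
    if block0[:n] != announced_uid:
        findings.append("uid-mismatch: announced %s, block 0 holds %s"
                        % (announced_uid.hex(), block0[:n].hex()))
    # Assumed layout: 4-byte UID cards store the BCC right after the UID.
    if n == 4 and block0[4] != expected_bcc(block0[:4]):
        findings.append("bad-bcc: byte 4 is %02x, expected %02x"
                        % (block0[4], expected_bcc(block0[:4])))
    return findings


# Constructed sample data, not taken from any real card.
FILLER = bytes.fromhex("884400c82000000000")
ORIGINAL_UID = bytes.fromhex("04a1b2c3d4e5f6")
ORIGINAL_BLOCK0 = ORIGINAL_UID + FILLER
# Same announced UID, but block 0 still carries a different UID.
HALF_WRITTEN_BLOCK0 = bytes.fromhex("04112233445566") + FILLER

if __name__ == "__main__":
    for label, blk in (("original", ORIGINAL_BLOCK0),
                       ("half-written", HALF_WRITTEN_BLOCK0)):
        print(label, check_block0(ORIGINAL_UID, blk) or "consistent")
```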

The seller responded with few words and no help, saying that I should use an ACR122U-A9 with the software he provided. I was already so far down this rabbit hole I might as well buy an ACR122U, so I did.

  • The software provided is partly in Chinese
  • It only works on Windows
  • If your ACR122U isn't recognized when opening the software (PS/CS Mifare) it could be because you're running Windows in a VM or from a remote desktop (which was my problem)
  • I connected the ACR122U, followed the instructions as best as I could and it worked.
  • I successfully changed the UID and Block0 of the 7-byte Gen3 Magic Card using an ACR122U

It works, partially

  • The cloned tag is identical to the original; however, it doesn't work for the underground waste bin. The second one I cloned (my charging card for my EV) does work.
  • The reader doesn't respond to the cloned tag. No error, nothing.
  • I've tried locking the card/closing the backdoor, still not working
  • I've tried swapping the SAK as explained by Equip. Still not working
@koenieee

Haha it looks like we are trying the same underground container. I successfully cloned my waste-bin card on a keychain with the proxmark3. It has the exact same data and is read fine by my mobile phone.
Unfortunately it still doesn't open the containers

@rickdoesburg
Author

@koenieee Yep. Are you on discord or something? Let's chat and share our findings.

@koenieee

Yes you can find me with koenieeee_62109

@acertuche368

Any updates on this?

@rickdoesburg
Author

rickdoesburg commented Jan 6, 2024

@acertuche368 No updates really, we tried everything we could but we're unable to figure out why our cloned, identical, cards aren't working on certain systems. Particularly the underground waste bins. We've bought multiple different 7-byte tags and cards without success.
