Research, development and trades concerning the powerful Proxmark3 device.
Hi ikarus,
I used your great tool many times on my Sony Xperia Z but, after the Lollipop upgrade, the MCT Mifare Classic Tool doesn't work with Mifare Mini ATQA 00 04 SAK 9.
I would like to inform you that it worked properly on Android 4.4.4 KitKat.
I used your software to program the tag in the screenshot.
How can the issue be fixed on the new Lollipop Android version 5.1.1?
Offline
Hi tontol1,
your work on "raw" ISO14443 messages is quite interesting.
Probably it can still be useful for doing cryptanalysis of underneath crypto algorithms, since AUTH commands are byte oriented.
This sounds especially interesting. It would be super cool to crack Mifare Classic keys from a simple Android device!
I'm looking forward to hearing about your progress!
Offline
Hi mariolino,
Hi ikarus,
I used your great tool many times on my Sony Xperia Z but, after the lollipop upgrade,
the mct mifare classic tool doesn't work with Mifare Mini ATQA 00 04 SAK 9
First of all, parts of this are good news to me
I never tried Mifare Mini with MCT. I don't own a mini tag.
Good to know it works!
Now to the bad part:
It is very likely that Sony screwed up. A lot of manufacturers did when it comes
to Mifare Classic and Android 5.+. You can have a look at the two issues that
had already been fixed: #52 and #64. Unfortunately, fixing issues like this is
really annoying.
You can try the usual stuff first before we look deeper into this.
Try out other apps to find out if it's an issue with MCT or Mifare in general (see this)
Also, "bildin" (from GitHub) has developed an app to hunt issues like this down.
But I think he didn't publish it...
I've created an issue on GitHub. Let's try to keep the bug/issue related discussion there.
Offline
Dear ikarus, thanks for your quick reply. I want to give you some good news for your app: the Mifare Mini issue comes from the Android Lollipop upgrade, for all apps.
I also used the RFID NFC Tool app, and the issue is present only after the Android upgrade.
We must search for the problem in Lollipop.
Regarding the Mifare hack using Android, some guys can start from this GitHub repository:
https://github.com/ehabkost/nfc-tools
Offline
Hi Ikarus,
after some work I was able to force MC tag into partial authentications using my test code.
Due to the famous NACK bug (see "THE DARK SIDE OF SECURITY BY OBSCURITY" and others ) this was just enough to gather enough information to do an "offline" brute force attack.
Since a brute force attack is very CPU intensive, it cannot be done on a mobile device. On a modern laptop it requires a lot of days to get a single key.
Nevertheless it is possible, not very fast ... but possible.
To speed up the hacking it's necessary to be able to sync queries with the PRNG timing. This is not easy using the Java Android API (my way), since Java is not very predictable during execution. C code is much better at this task.
For this reason I think that the nfc-tools project (suggested by Mariolino) looks promising. Maybe with some effort (how big?!) it could be completed and be usable.
Offline
Any thoughts on why my htc m8 continuously loses connection?
Offline
I have a Samsung S3 Neo phone on which all commands for a Mifare Classic card work, except that the commands for value blocks do not work. Do you know what this is due to, or am I doing something wrong?
Thank you.
Offline
Unfortunately the Samsung S3 Neo uses the Broadcom NFC chip, which isn't compatible with NXP tags.
You can buy the old S3 model, it was fully working :-)
Offline
Thx
Offline
Device tested: Samsung Galaxy S4 Value Edition [I9515] is NOT compatible with MCT.
Offline
Hello,
is there any possibility to use MCT with an external ACR122U NFC reader?
I have a Samsung Note 3 that is not compatible with Mifare Classic.
Offline
I agree with the post above: if you could make MCT support the ACR122, a lot of mobile phones could use it through OTG, with no need to buy an NFC phone, and the cost would be lower. I hope you can consider it, thank you. I found a mistake: the format of the control bits of the last sector is wrong; it should be “FF078069”, not “FF0780BC”.
Offline
example-dump-file
Offline
I have just started learning to program and am testing other people's code, but the source code has two bugs. Can you guide me? Thank you! Source address: https://github.com/flylai/WaterCard_RW_forAndroid. When the program starts and NFC is not enabled, if you click NFC settings, the return is not detected even if NFC was not turned on; triggering NFC can only read the card, not write it. If you click on writecard, the program crashes. You can reply to my e-mail, thank you very much!
Offline
Two Bugs I have solved myself
Offline
roni29180 wrote:
hello
is there any possibility to use MCT with external acr122u nfc reader?
i have a samsung note 3 not compatible with mifare classic
It is not possible by now. But there are others out there wanting the same feature.
Have a look at: https://github.com/ikarus23/MifareClassicTool/issues/13.
Unfortunately my statement is the same as it was a year ago:
http://www.proxmark.org/forum/viewtopic … 879#p12879
"I found a mistake: the format of the control bits of the last sector is wrong; it should be “FF078069”, not “FF0780BC”."
This is not a mistake. I chose to do it this way because all the empty tags I own were formatted this way.
I'm not exactly sure why. This byte (the General Purpose Byte - GPB) is 0x69 for standardized
cards and refers to non-personalized card, according to the Mifare Application Directory (MAD) standard.
But I'm not sure why the GPB of the last sector is 0xBC. I've seen this on both, 4byte and 7byte UID, tags.
Offline
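To illustrate the reply above, here is an added example (not part of the original posts and not MCT's own code) that decodes the two trailer values under discussion. It relies on the Mifare Classic sector trailer layout, in which each access bit is stored once plain and once inverted in the three bytes before the GPB; the function names are hypothetical.

```python
# Added example: decode the four bytes that sit between Key A and Key B
# in a Mifare Classic sector trailer (3 access bytes + General Purpose Byte).

def decode_trailer_access(access):
    """Return ([(C1, C2, C3) for blocks 0..3], GPB) or raise ValueError.

    Every access bit is stored twice, once plain and once inverted.
    If the two copies disagree the value is malformed and should never
    be written to a tag.
    """
    if len(access) != 4:
        raise ValueError("expected 3 access bytes + 1 GPB")
    b6, b7, b8, gpb = access
    c1_inv, c2_inv = b6 & 0x0F, b6 >> 4   # byte 6: ~C2 | ~C1
    c3_inv, c1 = b7 & 0x0F, b7 >> 4       # byte 7:  C1 | ~C3
    c2, c3 = b8 & 0x0F, b8 >> 4           # byte 8:  C3 |  C2
    for name, plain, inv in (("C1", c1, c1_inv),
                             ("C2", c2, c2_inv),
                             ("C3", c3, c3_inv)):
        if (plain ^ inv) != 0x0F:
            raise ValueError(name + " bits and their inverted copy disagree")
    # Bit i of each nibble belongs to block i of the sector (3 = trailer).
    blocks = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return blocks, gpb


def same_access_conditions(a_hex, b_hex):
    """True if two trailer values differ at most in the GPB."""
    blocks_a, _ = decode_trailer_access(bytes.fromhex(a_hex))
    blocks_b, _ = decode_trailer_access(bytes.fromhex(b_hex))
    return blocks_a == blocks_b


if __name__ == "__main__":
    for value in ("FF078069", "FF0780BC"):   # the two values from the thread
        blocks, gpb = decode_trailer_access(bytes.fromhex(value))
        print(value, "blocks 0-3 (C1,C2,C3):", blocks, "GPB: 0x%02X" % gpb)
    print("identical access conditions:",
          same_access_conditions("FF078069", "FF0780BC"))
```

Both values decode to the same access conditions for all four blocks; only the last byte, the GPB, differs.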
New release! (Version 2.0.5: APK-file, Google Play (Donate Version), F-Droid)
(See: original post, updated)
* Bugfix: Don't save key files with bad characters.
Thanks to Pascal for fixing this issue.
* Fixed SAK issue of Sony's Xperia Z3 in combination with emulated tags.
Thanks again to "bildin" and to "moscowneversleeping" for reporting,
testing and patching this issue.
* OnePlus One, Samsung Galaxy Grand Prime, Samsung Galaxy S5 mini,
Sony Xperia Z2 (some models), Google Nexus 9, Jiayu S3,
LG G4, Samsung Galaxy A5, ZTE Nubia Z7 Max (NX505J),
Samsung Galaxy S6, Samsung Galaxy S6 Edge, Asus Zenfone 2,
Google Nexus 6, Motorola's Moto X (2014, 2ed gen.) are not supported.
Have a nice day!
ikarus
Offline
any possibility of including decoding of other data besides the value blocks ?
what kind of decoding are you missing?
Offline
New release! (Version 2.0.6: APK-file, Google Play (Donate Version), F-Droid)
(See: original post, updated)
* Bugfix: Fixed crash which occurred instantly after
starting (on some devices).
There are still some issues on Android 6.x devices like the Nexus 5x/6p.
* https://github.com/ikarus23/MifareClassicTool/issues/77
* https://github.com/ikarus23/MifareClassicTool/issues/78
I'm working on it...
Have a nice day!
ikarus
Offline
Hello, May I inquire what device should I use to read and write a mifare card?
Android phones with NFC are a great start - they support a range of tags and libraries. Are you getting any errors?
Offline
Hey there,
any Android phone/tablet with an NFC chip by NXP should do the trick.
However there are some strange behaviors within new Android devices lately.
Like the Nexus 5x/6p or other Android 5.x/6.x devices.
There are some devices which are definitely known to work with MCT.
Have a look at the readme file.
Offline
New release! (Version 2.0.7: APK-file, Google Play (Donate Version), F-Droid)
(See: original post, updated)
* Bugfix: Request permissions on Android 6.x devices to read/write
the external storage. Thanks to Mislav Jurinić.
Running MCT on Android 6.x devices should be fine by now.
Have a nice day!
ikarus
Offline
Hi there. I have been using your app for a while and want to say a huge thanks to you for developing it!
Lately I've got a problem. I have a Mifare Classic tag, but for some reason the tag's SAK was changed from 08 to 20, which leads to a situation where I cannot use the Mifare Classic app. I just get a message saying "Not Mifare Classic tag".
Is there any way I can change the SAK manually?
I've tried to make a dirty fix myself using code from GitHub, but I failed.
Will really appreciate any help, thanks.
Offline
I have just encountered the SAK problem too.
It was changed from 8 to 20 and I can't use MFT with my card.
Is it possible to add a SAK editor option to MFT?
Thanks!
Offline
Hi twisted.transistor, Hi vlader.
Sorry for not answering earlier. I've just had a look at the MIFARE Type Identification Procedure (page 10+).
As you can see, a change of the SAK from 0x08 to 0x20 is common for Mifare Plus tags when the security level (SL)
is increased from 1 to 3. These tags are used to migrate from an old Mifare Classic environment to a more secure
Mifare Plus environment. Mifare Plus tags with security level 1 are compatible with Mifare Classic. However, with
a security level 3 Mifare Plus tags are no longer compatible with Mifare Classic as they now use stronger crypto.
So I think you have tags of a Mifare Classic deployment that just migrated to Mifare Plus SL 3...
Maybe you find some way to validate this.
Offline
Hi, ikarus.
You are completely right. Our cards migrated to newer protocol, we see it via updated SAK.
Probably the procedure of reading new dumps would be more complicated with Mifare Plus data or even impossible.
But I have old dump which I can't write to the same card.
Is it possible not to read SAK before dump writing and let MCT overwrite the whole card using old Mifare 1k dump?
Thanks,
vlader
Offline
Hi vlader,
I'm not sure if I got you right: you got a dump from the time the tag had a SAK of 0x08.
Now you want to write that dump back to the tag that has now a SAK of 0x20?
As far as I know, Mifare Plus tags with a SL of 3 are no longer compatible with Mifare Classic.
This means you can neither read nor write them with MCT.
Offline
Hi ikarus. I think I got the same problem as vlader.
I have a Mifare Classic tag that had SAK of 0x08, but somehow the SAK was changed and now my Mifare Classic tag has SAK of 0x20.
And what we are looking for is either a way to change the SAK of the tag back to 0x08, or a way to avoid the SAK check (when your application is launched), so that we will be able to work with our Mifare Classic tags like we did before.
Offline
Hi ikarus,
Everything was described by twisted.transistor.
I'll try to do it once more.
Initially, I had a Mifare Classic tag with SAK 0x08. I made a dump from it.
Then, after some time of using this tag, I discovered that the SAK of my card had suddenly changed to 0x20; most probably it happened during balance replenishment. I emphasize that the tag is the same and it was never changed.
I hope that the SAK changing operation on the same plastic card is reversible.
Now I am asking about the possibility of writing my old dump to my old Mifare Classic card, where just the SAK was changed.
It would be even better if we had the possibility to change the SAK back or to read a tag with SAK 0x20 using the reading method for SAK 0x08 tags.
Offline
Hi twisted.transistor, hi vlader,
how could you be sure if it's still a Mifare Classic tag? Are you sure it was not a Mifare Plus tag in
compatibility mode (SL 1) before? And if not, what caused the change of the SAK?
Do you have other Mifare Classic tags? Do they still show a SAK of 0x08?
Have you checked apps like NFC TagInfo? Do they identify your tag as Mifare Classic?
Only if you are sure that your tag is still a Mifare Classic tag with a wrong SAK (for whatever reason),
it makes sense to edit MCT in order to ignore the SAK. And even then it might be impossible because
of how Android handles NFC tags.
Changing the SAK back to 0x08 is not possible for an original Mifare Classic tag. As far as I know
changing the SAK in any way is only possible for tags emulating a Mifare Classic tag (e.g. SmartMX)
or Mifare Plus tags (by changing the SL).
Last edited by ikarus (2016-03-04 00:57:21)
Offline
Hi ikarus,
Most probably it is a Mifare Classic card, because I've been using it for several years.
"how could you be sure if it's still a Mifare Classic tag?" As I wrote above it's too old card.
"Are you sure it was not a Mifare Plus tag in compatibility mode (SL 1) before? " All the other soft shows it exactly.
"And if not, what caused the change of the SAK?" As I wrote in my previous post, most probably the changes were made during balance replenishment using my tag.
"Do you have other Mifare Classic tags? " Of course, they were bought at the same time but keep working with your app because I haven't done balance replenishment in a while.
"Do they still show a SAK of 0x08?" Of course.
"Have you checked apps like NFC TagInfo?" Yes, both tags were checked I mean working one and not working one.
Not working one provide just a little: Type A(ISO/IEC 1443 Type A)
RF techology
Type A(ISO/IEC 14443 Type A)
Tag type
ISO/IEC 14443-4 Smart Card
SAK 20
Working one provide me following: Type A(ISO/IEC 1443 Type A)
RF techology
Type A(ISO/IEC 14443 Type A)
Tag type
Mifare Classic 1K
SAK 08
and a lot of data in different formats and access conditions.
"Only if you are sure that your tag is still a Mifare Classic tag with a wrong SAK (for whatever reason),
it makes sense to edit MCT in order to ignore the SAK." - Could you please try with a version which does not check the SAK, even a custom one?
Thanks!
Offline
Hi vlader,
thank you for the information. I will look into a MCT version which ignores the strange SAK.
But this will take some time. I'm AFK for about a week. And I'm pretty sure it will not work.
Not because of MCT but because of Android. As the other apps show, Android didn't even
recognize it as a Mifare Classic tag... And there is pretty much nothing I can do about that.
It's part of the Android Tag Dispatch System.
Offline
Here is my situation.
I also have two Mifare Classic tags. Both of them did work before with your application and had SAK of 0x08.
After some time the SAK of one of them was changed. In my opinion, the reason it changed is that the tag was rewritten with a "tag writing machine" (sorry, I don't know what it is called). Probably this machine used a different protocol and it caused the SAK to change.
I am sorry, I don't know much about this, but based on what I know I did my guessing.
Here are examples of two Mifare Classic tags I have. Both of them were bought at the same time.
This one works:
This one doesn't :
I modified the code of your program that I took from GitHub and deleted the SAK checking part from it. Unfortunately I was still unable to write the dump to my tag.
Thank you very much for your answers and help.
Offline
Ok guys ikarus is being very kind. But do some research. Your tags are NOT true mifare classic cards. The tags have been working in a legacy compatibility mode for years until the system they are used in upgraded to a higher security mode. Those higher security cards have been available for over 8 years. You are out of luck with whatever illegal or not activity you are attempting.
True classic mifare cards cannot have their sak changed. It is not possible.
And once your cards are in a high security mode only the system that has the correct authentication can modify or even read it.
Offline
Ok guys ikarus is being very kind. But do some research. Your tags are NOT true mifare classic cards. The tags have been working in a legacy compatibility mode for years until the system they are used in upgraded to a higher security mode. Those higher security cards have been available for over 8 years. You are out of luck with whatever illegal or not activity you are attempting.
True classic mifare cards cannot have their sak changed. It is not possible.
And once your cards are in a high security mode only the system that has the correct authentication can modify or even read it.
I did the research, but like I said before I don't have enough knowledge about NFC tags cause I have never worked with ones.
Thank you very much for your answer.
Offline
Thanks a lot, marshmellow, ikarus!
Offline
@ikarus
if possible, can you add the possibility to use an external acr122u nfc reader with mfc? I have an incompatible nfc android phone.
I have installed the driver for this reader on my phone
thanks in advance
Offline
roni29180 wrote:
hello
is there any possibility to use MCT with external acr122u nfc reader?
i have a samsung note 3 not compatible with mifare classic
It is not possible by now. But there are others out there wanting the same feature.
Have a look at: github.com/ikarus23/MifareClassicTool/issues/13
I have read this now.
Waiting
Offline
@simraill
Hi! And sorry for not answering earlier. The error you got there sounds strange. It is most likely
that you've got the wrong tag and the success message is a false positive... There are a lot of
vendors on Aliexpress that claim their tags are "block 0 direct write", but in fact, they aren't.
If you have access to a USB RFID reader (like the ACR122u) you could try to change the UID with
that. Best of luck!
@roni29180
As it states in the issue ("I'm really low on time lately. ") you might have to wait longer.
I can name you no date whatsoever. I don't know when I will work on that feature request.
If you really need to do some Mifare Classic stuff, just connect your ACR 122u to a laptop.
If you really need to do some Mifare Classic stuff with your phone (now), there are two options:
1. Get a phone that is capable of interacting with Mifare Classic tags
2. Write the ACR 122u support for MCT yourself
Cheers
ikarus
Offline
I wrote a wrong BCC byte to my magic card using the MCT tool, and the card doesn't work now. Help me, how can I restore this card?
Offline
I answered in the github issue.
Offline
I have Magick cards with standard and special command with special know how to recover, and with the usual do not know how.
Offline
@ikarus, could you add a warning in MCT when the BCC byte is incorrect, and not allow writing a dump with an incorrect BCC byte?
This patch would save a lot of magic cards :)
Offline
Like I said in github issue #81, I'm planning to implement such a feature.
Offline
Hi, reading my blank fob from eBay was successful, but I couldn't read an apartment key, which is Mifare Classic as well.
It is detected and read in the tool menu, but the code inside can't be read. It takes longer than blank keys and is finally unsuccessful. What is the problem with this? Help me please. Thanks,
Offline
Hi supremee,
a blank fob has a default key of FFFFFFFFFFFF for all sectors. Your apartment key has most likely individual keys for all sectors. You can't read a Mifare Classic tag without knowing its key. You can extract those keys with a simple USB RFID reader and software like mfoc. Just do a little research on the internet.
Offline
Hi,
Thank you for all this, it's great !
I have a little question about data in sector 0 block0 : [00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15]
I know this :
[00 01 02 03] : 4 bytes UID
[04] : 00+01+02+03 (with + = xor)
[14] : week of production (as asper noticed it)
[15] : year of production (as asper noticed it)
By analysing frames I think :
[05 06 07] is a block with manufacturer data but what kind of data ?
[08 09 10] (the same)
[11 12] is also a block , maybe function of [05 06 07] and [08 09 10]
[13] is also a block, function of [04], but how ?
I hope I've been quite clear...
Any idea ?
Thanks
Offline
Hi whale, what do you mean by "analyzing frames"? And no, I have no clue what else is inside a block 0 of common Mifare Classic tags.
Offline
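The BCC warning requested earlier in the thread, combined with the block 0 layout listed above (bytes 0-3 UID, byte 4 = XOR of the UID bytes), can be sketched as a pre-write check. This is an added example, not MCT's implementation: it covers 4-byte-UID tags only, the dump text layout ("+Sector: N" header followed by one hex line per block) is an assumption, the function names are hypothetical, and the sample dumps are constructed.

```python
# Added example: refuse to write a dump whose block 0 carries a wrong BCC.

def parse_dump(text):
    """Return {sector: [16-byte block or None, ...]} from dump text."""
    sectors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+Sector:"):
            current = int(line.split(":", 1)[1])
            sectors[current] = []
        elif current is None:
            raise ValueError("block data before any sector header")
        elif set(line) == {"-"}:            # block that could not be read
            sectors[current].append(None)
        else:
            block = bytes.fromhex(line)
            if len(block) != 16:
                raise ValueError("block is not 16 bytes: %r" % line)
            sectors[current].append(block)
    return sectors


def expected_bcc(uid):
    """BCC of a 4-byte UID: XOR of all UID bytes."""
    bcc = 0
    for byte in uid:
        bcc ^= byte
    return bcc


def check_block0(block0):
    """Return a list of problems found in block 0 (empty list = OK)."""
    if block0 is None:
        return ["block 0 was not read, cannot verify BCC"]
    uid, stored = block0[:4], block0[4]
    wanted = expected_bcc(uid)
    if stored != wanted:
        return ["BCC is %02X but UID %s requires %02X"
                % (stored, uid.hex().upper(), wanted)]
    return []


def safe_to_write(dump_text):
    """Return (ok, problems) for a dump that is about to be written."""
    sectors = parse_dump(dump_text)
    if not sectors.get(0):
        return False, ["dump contains no sector 0"]
    problems = check_block0(sectors[0][0])
    return not problems, problems


def make_dump(block0_hex):
    """Build a constructed one-sector sample dump around a given block 0."""
    trailer = "FFFFFFFFFFFF" + "FF078069" + "FFFFFFFFFFFF"
    return "\n".join(["+Sector: 0", block0_hex, "00" * 16, "00" * 16, trailer])


GOOD_DUMP = make_dump("12345678" + "08" + "00" * 11)   # 12^34^56^78 = 08
BAD_DUMP = make_dump("12345678" + "FF" + "00" * 11)    # wrong BCC

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, safe_to_write(dump))
```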
Hi everyone,
could those of you with a Samsung Galaxy S6 or a Galaxy S6 Edge do me a favor?
Could you install the latest version of MCT from here and tell me if you are able
to read and write tags? I'm still not sure if those devices are capable of reading/writing
Mifare Classic tags.
Thanks!
Cheers
ikarus
Offline