libnfc supports UUID writable cards and even has some dedicated tools for them.
Quired for emulating the widespread Mifare Classic, Mifare DESFire and Mifare DESFire EV1 cards. With the developed software, it is possible to simulate the presence of one of these cards with an arbitrarily chosen content and identiļ¬er, and hence spoof real-world systems in vari. Cloning Cryptographic RFID Cards for 25$.
However it doesn't work with some of the cards found on eBay that are even simpler to use. Sector 0 is unlocked and can be written without any additional commands. libnfc requires a small patch to get it working.
Following has been tested under ArchLinux with modified libnfc 1.5.1, mfoc 0.10.2 and a SCL3711 dongle.
Patch & recompile libnfc
The patch is fairly simple, open libnfc-1.5.1/utils/nfc-mfclassic.c and comment 2 lines (it was lines 384 and 385 for me):
Recompile and install.
Connect the SCL3711 dongle
I manually have to remove the pn533 module in order to get libnfc to work. This needs to be done everytime you re-plug the SCL3711 dongle.
Dump the blank Chinese card
Read the fresh blank chinese card
Dump the blank chinese card card to get the keys
Now remove the chinese card and put the card you want to copy and dump it
Dump the Mifare card your want to copy
Let's read the card to clone first
Time to dump the target card
Put the chinese card back and clone the card
Write the Chinese card with the content of the other card including UUID
or
Check that the card is the same:
Go back to blank card
or
MIFARE Tag Operations
Operations can be executed from menu 'hf 14a' or 'hf mf'
Short MIFARE HOWTO can be found here: MIFARE HOW-TO
THERE ARE MORE COMMANDS IN THE LATEST PROXMARK3 EXECUTABLE WHICH ARE NOT DESCRIBED HERE: they are mainly used to interact with Chinese Changeable UID Mifare cards and with Mifare Ultralight/C cards
Command set 'hf 14a'
hf 14a list
It displays the log of communication between the card and either proxmark or reader in 'hf 14a snoop'
Sample:
hf 14a reader
It employs anticollision and reads several parameters from the card
Sample:
hf 14a sim
Simulator up to end of anticollision state of the card.
hf 14a snoop
It sniffs communication between the card and the reader.
Sample of reading card from another reader:
- anticollision
- select [WUPA]
- authenticate sector 1 with key A and key ffffffffffff
- read block 4 (<09090909090909090909090909090909>)
- halt
Command set 'hf mf'
hf mf dbg
It sets debug level of commands in 'hf mf' menu.
Debug levels:0 - no debug messages
1 - error messages
2 - all messages
4 - extended debug mode
1 - error messages
2 - all messages
4 - extended debug mode
Level 1 or 0 is recommended. With advanced debugging, some commands may work abnormally (because of the time required to print debug message).
hf mf rdbl
It reads block from a mifare card.
hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>
- block number must be between 0x00 and 0xFF
- key must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
- key must be 12 hex symbols (for example: FFFFFFFFFFFF)
Command to read block 0 from mifare card with authentication params: key A, key FFFFFFFFFFFF:
correct execution
isOk:01
- the command is executed correctly 'data:...' - block dataincorrect execution
Can't select card
- text error.isOk:00
- the command is not executed.hf mf rdsc
It reads sector from a mifare card.
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
- sector number must be between 0x00 and 0x3F
- key must be 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
- key must be 12 hex symbols (for example: FFFFFFFFFFFF)
Command to read sector 0 from mifare card with authentication params: key A, key FFFFFFFFFFFF:
correct execution
isOk:01
- the command is executed correctly.data:...
- sector data. blocks 0-4 of sector.incorrect execution
Key is not correct
- text error.isOk:00
the command is not executed.hf mf wrbl
It writes block onto mifare card.
hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>
- block number must be between 0x00 and 0xFF
- key must be 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
- key must be 12 hex symbols (8 bytes) (for example: FFFFFFFFFFFF)
- block data must be 32 hex symbols (16 bytes) (for example: FFFFFFFFFFFF)
Do not try to write into the sector trailers unless you know what you are doing!!!
It may damage the card!
correct execution
isOk:01
- the command is executed correctly.After that, I have issued the read command to check:
incorrect execution
Can't select card
- text error.isOk:00
the command is not executed.hf mf chk
It checks several keys (up to 8) in specific card sector.
hf mf chk <block number> <key A/B> [<key (12 hex symbols)>]
- block number must be between 0x00 and 0xFF
- key type must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
- key must be 12 hex symbols (8 bytes) (for example: FFFFFFFFFFFF)
Sample:
isOk:01
- the command is executed correctly.valid key
- the correct keyhf mf mifare
It implements mifare 'darkside' attack.
hf mf mifare [wrong Nt]
- wrong Nt - it dont use this Nt to collect statistical information.
It is recommended that if 'hf mf mifare' found wrong key then run hf mf mifare , where Nt - from previous run of the command.
After executing of the attack it tests key. If it found an invalid key it prints
Found invalid key. ( Nt=XXXXXXXX
.Example of a correct execution:
If it founds an invalid key (for example ec49e598), run this:
Result is ok.
hf mf nested
It implements mifare 'nested authentication' attack. It needs to know at least one sector key to use it.
There are 2 main modes:
- all sectors attack.
Firstly it tries public keys for all sector, then makes nested attack and then tests the keys. It makes up to 10 attempts to attack one sector. You can cpecify a block number and it calculates offset from the beginning of the sector (block shift) and attacks all the rest sectors with this offset. hf mf nested <key A/B> <key (12 hex symbols)> [t] - one sector attack. It attacks only one sector. It intends to use for testing if card can be broken via this attack.
hf mf nested o <key A/B> <key (12 hex symbols)> <target key A/B> [t]
Where:
- Card memory: 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K
- block number must be between 0x00 and 0xFF
- key type must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
- key must be 12 hex symbols (8 bytes) (for example: FFFFFFFFFFFF)
- target block number must be between 0x00 and 0xFF
- target key type must be either 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
- t - transfer keys into emulator memory. Fills the emulator memory with extracted keys.
Example of one sector attack:
Example of all sectors attack:
hf mf sim
It simulates MIFARE classic tag. Tag contents is stored into the emulator memory and can be read and written by the following commands.
hf mf sim <UID 8 hex digits>
- 4 byte UID if specified - replaces UID that is stored into the emulator memory. However, the replacement doesn't get loaded into the memory.
hf mf eclr
It fills the memory of emulator of a blank MIFARE 1K card with default (0xFFFFFFFFFFFF) keys.
hf mf eget
It gets blocks from the card emulator dump.
hf mf eget <block number>
- block number must be between 0x00 and 0x63
Example of use:
hf mf eset
It sets block in the card emulator dump.
hf mf eset <block number> <block data (32 hex symbols)>
- block number must be between 0x00 and 0x63
- block data - '000102030405060708090a0b0c0d0e0f'
Example of use:
proxmark3> hf mf eset 1 000102030405060708090a0b0c0d0e0f
Just to make sure:hf mf eload
It loads dump to the card emulator memory.
hf mf eload <file name>
- file name without '.eml' extension.
hf mf esave
It saves dump from the card emulator memory.
hf mf esave <file name>
- file name without '.eml' extension. If the file name is empty, the file name will be the first 7 bytes in hex from emulator memory. (UID location).
hf mf ecfill
It fills the memory of MIFARE card emulator. It uses keys from the emulator memory (to view the keys: 'hf mf ekeyprn')
hf mf efill <key A/B>
- key must be 'A' or 'B' (authentication command is 0x60 for 'A' and 0x61 for 'B')
hf mf ekeyprn
It prints keys from the emulator memory (MIFARE classic 1K).