Thoughts of a geek

18 February 2010

Your fare is Mifare

Filed under: Computers, University — qwandor @ 9:22 pm

Or rather, your student ID.

I recently bought a Snapper Feeder to have a play with, as I had heard that they were supported by libnfc under all the major operating systems and could talk to a variety of contactless smartcards. I tried any cards I could get my hands on, and other than the Snapper card itself I found that our building access cards were not compatible (using a different frequency, perhaps?) but the Vic student ID cards were recognised. Furthermore, it turns out that these ID cards are MIFARE Classic 4k cards.

Now, this is interesting because the encryption scheme used by the Mifare Classic was broken and research explaining the vulnerabilities was published as early as 2007, and this is even acknowledged by the manufacturer. Anyway, being the curious sort I am, I went about trying to see what I could see about the Vic student ID cards. I have not yet been able to replicate the card-only crack to recover the keys, but I have had a bit of a look at how the cards are formatted.

Firstly, a bit of background. The Mifare Classic 4k has 40 sectors, each of which has two 48-bit encryption keys (called A and B) and 12 configuration bits which control which of the keys allow read and write access to the sector’s data and configuration. Each sector is broken down into a number of 16-byte blocks. The first 32 sectors have 4 such blocks (64 bytes total), while the last 8 sectors each have 16 blocks (256 bytes per sector). The last block of each sector is called the sector trailer and contains the encryption keys and configuration bits previously mentioned. Note that the configuration and keys for each sector are independent of all the other sectors. Reading from and writing to the card is done on a block-by-block basis. Accessing a block is a two-step process. First you must authenticate to the sector with either the A or the B key, then you can read or write one of the blocks in that sector.

With this in mind, here is what I have found so far about Vic’s student ID cards. I used the micmd tool, which provides a fairly simple interface to access Mifare Classic cards using libnfc, and a few other bits and pieces. Authentication to all sectors except sector 15 worked using FFFFFFFFFFFF (a common default key) as either key A or key B. However, despite the successful authentication, I was only able to read the blocks of sector 0. (Admittedly I did not try all of the other sectors, but all that I did try failed to read.) This may indicate that these sectors are configured not to be accessible by either key, as a way of permanently disabling them, or it may be a problem with my reader. The reason I suspect my reader is that it would often lock up after certain operations, not responding at all until I unplugged it and plugged it back in again. I am not sure what is causing this; if anyone has any ideas do say.

Sector 15 appears to be using a proper key, and is probably where the real data of the card is stored.

Sector 0, the one sector I did manage to successfully read, does not appear to hold much of interest. On one card, with a UID of D4 EE 01 6E, the four blocks were

0: D4EE016E55980200648E565165603905
1: 800F0000000000000000000000000000
2: 00000000000000000000000000001248
3: 000000000000787788C1000000000000

Block 0 of sector 0 apparently holds read-only data set by the manufacturer, so is not that exciting. It appears that the first 4 bytes are the UID of the card. The 5th byte also seems to vary between cards (on the 3 cards I tried the values were 0x55, 0x5F and 0x61). The remaining 11 bytes of block 0 were the same on all 3 cards I tried. Blocks 1, 2 and 3 (the trailer block) were also the same on all 3 cards, which suggests that they are unlikely to be interesting.
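The configuration bits described in the background paragraph can be decoded from the trailer block quoted above. What follows is an added example written for this post (it is not code from the post, from micmd or from libnfc): a small Python decoder that validates the inverted copies of the access bits in bytes 6 to 8 of a sector trailer and expands them into the per-block read/write permissions, using the bit layout from the public NXP MIFARE Classic data sheet. It is run on the sector 0 trailer dumped above and, for comparison, on a factory "transport" trailer; the constant names, the dictionary shape of the result and the ValueError on a malformed trailer are choices of this example, not anything from the card or the tools.

```python
"""Decode a MIFARE Classic sector trailer: keys, access bits and GPB.

Added example for this post (not code from the post, micmd or libnfc).
Access-byte layout follows the NXP MF1S50/MF1S70 data sheet.
"""
from typing import Dict, List, Tuple

# Per-block rules keyed by (C1, C2, C3): "A|B" = either key, "A"/"B" = that
# key only, "never" = operation impossible in this configuration.
# Data block tuple: (read, write, increment, decrement/transfer/restore).
DATA_BLOCK_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),      # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Trailer tuple: (key A write, access bits read, access bits write,
# key B read, key B write). Key A is never readable in any configuration.
TRAILER_RULES = {
    (0, 0, 0): ("A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "A", "never", "A", "never"),
    (1, 0, 0): ("B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),          # transport configuration
    (0, 1, 1): ("never", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "A|B", "never", "never", "never"),
}


def decode_access_bits(b6: int, b7: int, b8: int) -> List[Tuple[int, int, int]]:
    """Return [(C1, C2, C3) for block group 0..3] from the three access bytes.

    Every condition bit is stored twice, once inverted. The data sheet says a
    trailer that violates this format leaves the sector permanently blocked,
    so the check is done before anything is interpreted.
    """
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    c1_inv, c2_inv, c3_inv = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ c1_inv, c2 ^ c2_inv, c3 ^ c3_inv) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> g) & 1, (c2 >> g) & 1, (c3 >> g) & 1) for g in range(4)]


def decode_trailer(trailer: bytes) -> Dict:
    """Expand a 16-byte sector trailer into readable permissions.

    In the 4K card's large sectors (32..39) groups 0..2 each cover five data
    blocks instead of one; group 3 is always the trailer itself.
    """
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
    data = {}
    for grp in range(3):
        r, w, inc, dec = DATA_BLOCK_RULES[conds[grp]]
        data[grp] = {"read": r, "write": w, "increment": inc, "decrement": dec}
    ka_w, ab_r, ab_w, kb_r, kb_w = TRAILER_RULES[conds[3]]
    return {
        "key_a": trailer[0:6].hex(),    # always reads back as zeros on a card
        "key_b": trailer[10:16].hex(),  # zeros unless key B is readable
        "gpb": trailer[9],
        "data_blocks": data,
        "trailer": {"key_a_write": ka_w, "access_bits_read": ab_r,
                    "access_bits_write": ab_w, "key_b_read": kb_r,
                    "key_b_write": kb_w},
        "transport": trailer[6:9] == bytes.fromhex("ff0780"),
    }


def block_to_sector(block: int) -> Tuple[int, bool]:
    """Map an absolute block number on a Classic 4K to (sector, is_trailer)."""
    if not 0 <= block < 256:
        raise ValueError("Classic 4K has blocks 0..255")
    if block < 128:                       # 32 sectors of 4 blocks
        return block // 4, block % 4 == 3
    return 32 + (block - 128) // 16, (block - 128) % 16 == 15


# Sector 0 trailer exactly as dumped in the post (card with UID D4 EE 01 6E).
VIC_SECTOR0_TRAILER = bytes.fromhex("000000000000787788C1000000000000")
# Constructed factory trailer: default keys, transport access bits FF 07 80.
TRANSPORT_TRAILER = bytes.fromhex("FFFFFFFFFFFFFF078069FFFFFFFFFFFF")

if __name__ == "__main__":
    for name, t in (("Vic sector 0", VIC_SECTOR0_TRAILER),
                    ("transport", TRANSPORT_TRAILER)):
        info = decode_trailer(t)
        print(name, "transport config" if info["transport"] else "")
        for grp, perms in info["data_blocks"].items():
            print("  block group", grp, perms)
        print("  trailer", info["trailer"])
```

Running it on the dumped trailer shows why the author could read sector 0 with either key but saw both key fields as zeros: the three data blocks are readable with A or B and writable only with B, while the trailer's key A can never be rewritten, its access bits and key B can only be changed with key B, and neither key is readable. The access bytes 78 77 88 are not the factory FF 07 80, so this sector has been deliberately locked down even though its keys are still the default.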

I did attempt to use the nested authentication attack (I believe) as implemented by mfoc and MFCUK to recover the keys for sector 15, but for some reason both implementations failed, possibly due to the reader ceasing to respond part-way through as mentioned above. Any suggestions on how to get past this are welcomed.

Does anyone have any other interesting smartcards?


16 Comments »

  1. When did Vic even start phasing in the chip-based cards? Seem to recall 2007? Maybe I’m just too old.

    I would be very interested in hearing if you manage to crack them.

    Comment by Stephen — 19 February 2010 @ 3:25 am

    • Was it that early? I had thought it was more recently, but I cannot really remember.

      I will let you know if I get any further, but at the moment I am a bit stuck. Do you have access to any other contactless readers, by any chance? I am suspecting my problems may be due to the reader, so it would be interesting to see whether a different reader gives more success. Or it would even be worthwhile to try a different Snapper Feeder to see whether you have the same problem.

      Comment by qwandor — 19 February 2010 @ 6:44 am

      • Try an OmniKey reader, I’ve found them quite robust with Mifare Cards.

        Comment by GOS — 8 September 2010 @ 10:58 am

      • OmniKey readers seem to cost about $150. That is more than I would want to spend just to have a bit of a play around. For comparison, the Snapper Feeder was $40, though even that seems rather expensive for what it is.

        Comment by qwandor — 9 September 2010 @ 2:35 am

  2. I’ll be keen to have a play around if that’s ok with you.

    I’m currently doing a course on information security here in Germany; although I have never had any practical experience with it, I have some basic knowledge of how they work.

    Have fun with it

    -Cheers

    F.

    Comment by Felix — 19 February 2010 @ 4:58 pm

    • No need to ask me — go play! The Snapper Feeder has the advantage of only costing NZ$25, but I would be keen to hear your experience with other readers if you have access to them, to see whether the problems I was having were specific to the Snapper Feeder.

      Comment by qwandor — 19 February 2010 @ 6:20 pm

  3. Hello,

    It would be nice (in case you manage to get the keys and then the dump altogether) to contribute to this MFCUK wiki:

    http://code.google.com/p/mfcuk/wiki/MifareClassicKnownCardsDataFormat

    You can contact me by email in case you have any ideas/comments.

    Thanks a lot

    Comment by zveriu — 8 April 2010 @ 9:09 pm

  4. I’ve tried getting the keys from some MiFare 4k cards (including the student card at my university!) using the Snapper Feeder, with no success. From the libnfc forums, the consensus appears to be that the first generation touchtag/tikitag is the hardware of choice for mfoc and mfcuk.

    Sector 0 on the Mifare Classic is just a manufacturer data field, afaik there is a format around for it.

    Comment by Mathew McBride — 13 April 2010 @ 10:26 pm

    • Well that is a pity. Let me know if you do have any success with the Snapper Feeder, it is a convenient and cheap little reader, and would be handy if it could be used with mfoc / mfcuk.

      Comment by qwandor — 13 April 2010 @ 10:32 pm

  5. The problem with the reader comes from a timing problem in mfoc. Sometimes mfoc overuses the reader and the reader breaks completely…
    Some Dutch guy, named Valentijn, patched mfoc so it won’t happen: http://valentijn.sessink.nl/?p=259

    I know it’s 1 year old, and mfoc is kinda old by now 😉 but hey…you never know 🙂

    Comment by nuit — 18 February 2011 @ 1:20 pm

    • Aha! Thank you for the tip, I will have a look at that when I get a chance. I think my reader is broken for good now though, so I might have to get a new one first.

      Comment by qwandor — 18 February 2011 @ 7:51 pm

  6. Hi guys, a friend of mine came to me two weeks ago. From Ukraine, Kiev. And we’ve tried to crack their Mifare card (from the subway). I’ve never seen such a cheat. 2 hours, and we have all the keys. 🙂 Look at this:

    ACTION RESULTS MATRIX AFTER RECOVER – UID XX XX XX XX – TYPE 0x08 (MC1K)
    ———————————————————————
    Sector | Key A |ACTS | RESL | Key B |ACTS | RESL
    ———————————————————————
    0 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R
    1 | 8fe644038790 | . R | . R | XXXXXXXXXXXX | . R | . R
    2 | f14ee7cae863 | . R | . R | XXXXXXXXXXXX | . R | . R
    3 | 632193be1c3c | . R | . R | XXXXXXXXXXXX | . R | . R
    4 | 632193be1c3c | . R | . R | XXXXXXXXXXXX | . R | . R
    5 | 569369c5a0e5 | . R | . R | XXXXXXXXXXXX | . R | . R
    6 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R
    7 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R
    8 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R
    9 | 9de89e07X277 | . R | . R | XXXXXXXXXXXX | . R | . R
    10 | eff603e1Xfe9 | . R | . R | XXXXXXXXXXXX | . R | . R
    11 | 644672bdXafe | . R | . R | XXXXXXXXXXXX | . R | . R
    12 | ffffffffXfff | . R | . R | ffffffffffff | . R | . R
    13 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R
    14 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R
    15 | ffffffffXfff | . R | . R | XXXXXXXXXXXX | . R | . R

    (I can show XXXX 🙂

    If somebody needs detailed info, send me an email or drop a PM.

    Kazimir

    Comment by kazimir — 18 May 2011 @ 2:23 am

  7. Hi,
    It is a great job. How can you do this?
    I have bought a PM3 board recently, and want to do this, can you tell me the details of how to?
    My email is xfpga@hotmail.com

    Thx.

    Comment by michael — 23 May 2011 @ 2:36 am

    • I would start by checking out mfoc and MFCUK.

      Comment by qwandor — 23 May 2011 @ 7:55 am

      • What is the hardware you used?

        openpcd? or proxmark3?

        Comment by michael — 23 May 2011 @ 12:34 pm

  8. As I said in the post, I used a Snapper Feeder, which according to http://www.libnfc.org/documentation/hardware/compatibility is based on a PN531 v3.4. I did not find it very reliable though. In theory any reader supported by libnfc should be possible to use.

    Comment by qwandor — 23 May 2011 @ 7:28 pm

