Topic: Copy door key tag onto mifare implant

Hi!

I have some locks on my doors which use Mifare Classic tags to open the door. These locks are programmed by the company who installed the system. I would like to put a Mifare implant inside of my hand and use it to open my doors, but the company refuses to program the implant.

I want to make a copy of the key tag and dump it onto a Mifare implant. First I would like to try with a normal Chinese magic card, to see if it is even possible to copy the key tag.

This is what I have done so far:

I downloaded Kali Linux and made a live bootable USB drive.

I have an ACR122U reader I ordered from eBay. It also included 5 Chinese writeable Mifare cards.

I booted up in Kali Linux and used MFOC to read and dump the key tag. I used this command:

mfoc -P 500 -O cardtocopy.dmp

After a while I got this (and A LOT of numbers):

Auth with all sectors succeeded, dumping keys to a file!


So after this I remove my key tag and put my chinese magic card on the reader and do this command:

mfoc -P 500 -O blank-chinese.dmp

After about 10 seconds I get this:

Auth with all sectors succeeded, dumping keys to a file!


So, so far so good yeah?
Now I would like to copy the key tag onto the chinese card. So this is what I do:

nfc-mfclassic W b cardtocopy.dmp blank-chinese.dmp

And this is the result:

NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): b1  f2  c2  bf 
      SAK (SEL_RES): 08 
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd 
Sent bits:     40 (7 bits)
unlock failure!


Now after this I try with a non capital W

nfc-mfclassic w b cardtocopy.dmp blank-chinese.dmp

Result:

Done, 63 of 64 blocks written.

So is it possible that my chinese magic cards are not really magic after all? Any idea why this is happening?

I really hope someone can help me :)
Thanks guys! :)

Re: Copy door key tag onto mifare implant

hello, try this
capital X and capital W

nfc-mfclassic W X cardtocopy.dmp blank-chinese.dmp

you probably have to redo a blank-chinese.dmp before, because you have changed the original dump of the Chinese tag...

Re: Copy door key tag onto mifare implant

Hi.

I just tried now. This is what I got:

root@kali:~# nfc-mfclassic W X cardtocopy.dmp blank-chinese.dmp
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): c1  f6  c2  bf 
      SAK (SEL_RES): 08 
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd 
Sent bits:     40 (7 bits)
unlock failure!

I am starting to suspect that my cards are not writeable in sector 0? I asked the seller on ebay and he said that they are writeable.

The item can writeable in block 0 for UID (sector 0)

Wish you can understand that


This is the reader and card I ordered (not able to post direct link, please copy paste):

NFC ACR122U RFID Contactless Smart Reader & Writer/USB + 5X Mifare IC Card BU
ebay.com/itm/251797678525?euid=8e77915fb6784f90a9d990c84d221696&cp=1&exe=12808&ext=32575&sojTags=exe=exe,ext=ext

Thanks again! :)

4 (edited by gambit 2015-09-07 18:15:04)

Re: Copy door key tag onto mifare implant

hello
this kind of kit isn't supposed to be sold with "chinese card" just usual mifare.

try this :

sudo nfc-list

nfc-list uses libnfc 1.7.1
NFC device: SCM Micro / SCL3711-NFC&RW opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): a0  b1  c2  d3 
      SAK (SEL_RES): 08 

then do that : trying to change serial number - uid - sector 0 with,
sudo nfc-mfsetuid a1b2c3d4     to be sure you can write sector 0 on the fly

NFC reader: SCM Micro / SCL3711-NFC&RW opened
Sent bits:     26 (7 bits)
Received bits: 04  00 
Sent bits:     93  20 
Received bits: a0  b1  c2  d3  00 
Sent bits:     93  70  a0  b1  c2  d3  00  0e  84 
Received bits: 08  b6  dd 

Found tag with
UID: a0b1c2d3
ATQA: 0004
SAK: 08

Sent bits:     50  00  57  cd 
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43 
Received bits: 0a 
Sent bits:     a0  00  5f  b1 
Received bits: 0a 
Sent bits:     a1  b2  c3  d4  04  08  04  00  46  59  25  58  49  10  23  02  6c  fb 
Received bits: 0a 

you can confirm immediately with a
sudo nfc-list    again

nfc-list uses libnfc 1.7.1
NFC device: SCM Micro / SCL3711-NFC&RW opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): a1  b2  c3  d4 
      SAK (SEL_RES): 08 

another result will say that none of your cards are UID0 rewritable.
process had to be confirmed by another user to be sure

good luck

Re: Copy door key tag onto mifare implant

root@kali:~# sudo nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): c1  f6  c2  bf 
      SAK (SEL_RES): 08 

root@kali:~#

root@kali:~# sudo nfc-mfsetuid a1b2c3d4
sudo: nfc-mfsetuid: command not found

root@kali:~# apt-get install libnfc-examples
Reading package lists... Done
........................................
Unpacking libnfc-examples (1.7.1-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libnfc-examples (1.7.1-2) ...
root@kali:~#

root@kali:~# sudo nfc-mfsetuid a1b2c3d4
NFC reader: ACS / ACR122U PICC Interface opened
Sent bits:     26 (7 bits)
Received bits: 04  00 
Sent bits:     93  20 
Received bits: c1  f6  c2  bf  4a 
Sent bits:     93  70  c1  f6  c2  bf  4a  c4  4e 
Received bits: 08  b6  dd 

Found tag with
UID: c1f6c2bf
ATQA: 0004
SAK: 08

Sent bits:     50  00  57  cd 
Sent bits:     40 (7 bits)
Sent bits:     43 
Sent bits:     a0  00  5f  b1 
Sent bits:     a1  b2  c3  d4  04  08  04  00  46  59  25  58  49  10  23  02  6c  fb 
root@kali:~#

root@kali:~# sudo nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04 
       UID (NFCID1): c1  f6  c2  bf 
      SAK (SEL_RES): 08 

root@kali:~#


So I am not getting any error message, but the UID has not changed.

Thank you for your time and help! :)

Re: Copy door key tag onto mifare implant

hello
as i was almost sure that your cards were not UID0 RE/Writable,
now you are sure.
sorry.
buy one of these.

type UID Changeable in ebay.
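
Added example, not part of any post in this thread: a small Python parser for the libnfc "Sent bits / Received bits" traces above that reports whether the card acknowledged the 7-bit `40` unlock frame and the block 0 write, and checks the BCC byte (XOR of the four UID bytes). The function names are hypothetical; the frames are copied from the two nfc-mfsetuid runs quoted in the thread.

```python
import re

# Frames copied from the two nfc-mfsetuid runs posted in this thread.
WORKING = """\
Received bits: a0  b1  c2  d3  00
Sent bits:     50  00  57  cd
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43
Received bits: 0a
Sent bits:     a0  00  5f  b1
Received bits: 0a
Sent bits:     a1  b2  c3  d4  04  08  04  00  46  59  25  58  49  10  23  02  6c  fb
Received bits: 0a
"""
FAILING = """\
Received bits: c1  f6  c2  bf  4a
Sent bits:     50  00  57  cd
Sent bits:     40 (7 bits)
Sent bits:     43
Sent bits:     a0  00  5f  b1
Sent bits:     a1  b2  c3  d4  04  08  04  00  46  59  25  58  49  10  23  02  6c  fb
"""

def parse(text):  # -> list of (direction, [two-digit hex bytes])
    frames = []
    for m in re.finditer(r"(Sent|Received) bits:\s*([^\n]*)", text):
        payload = re.sub(r"\(\d+ bits\)", "", m.group(2))  # drop "(7 bits)"
        frames.append((m.group(1), [b.zfill(2) for b in payload.split()]))
    return frames

def bcc_ok(five):
    """Fifth byte must equal the XOR of the four UID bytes."""
    u = [int(b, 16) for b in five]
    return (u[0] ^ u[1] ^ u[2] ^ u[3]) == u[4]

def diagnose(text):
    frames = parse(text) + [("End", [])]
    out = {"uid_bcc_ok": None, "unlock_acked": False, "block0_acked": False}
    for (way, data), (nway, ndata) in zip(frames, frames[1:]):
        acked = nway == "Received" and ndata == ["0a"]  # card answered with ACK
        if way == "Received" and len(data) == 5:        # anticollision: UID + BCC
            out["uid_bcc_ok"] = bcc_ok(data)
        elif way == "Sent" and data == ["40"]:          # 7-bit unlock frame
            out["unlock_acked"] = acked
        elif way == "Sent" and len(data) == 18:         # 16-byte block 0 + 2 CRC
            out["block0_acked"] = acked and bcc_ok(data[:5])
    return out

print(diagnose(WORKING), diagnose(FAILING))
```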

Re: Copy door key tag onto mifare implant

Great, I will try this.

Thank you! :)

Re: Copy door key tag onto mifare implant

:)
by the way, if you find implant with UID0 rewritable,
put the link :)))

Re: Copy door key tag onto mifare implant

I will do that!

I am looking for one now, but I have not found one. I am also looking for the possibility to copy the key to my android phone.

Do you know if this is possible?

Re: Copy door key tag onto mifare implant

hello
what do you want to do ?
manage cards with software ?
emulate a card ?
some phones work better than others due to the nfc chip, best samsung was galaxy s3.
s4 s5 are not working so well to "hack" nfc

11 (edited by Montana 2015-09-26 11:10:58)

Re: Copy door key tag onto mifare implant

I want to emulate my door key (mifare classic) with my phone. Which means I will be able to open my door with my phone. I have already successfully copied the key to my computer with mfoc so I can easily send it to my phone. I just need to emulate the key with my phone, is this possible?

I have galaxy note 3 but I am willing to buy a new phone if the chip in my phone is not able to do this.

Re: Copy door key tag onto mifare implant

in my favorites i had only emulation with an acr122 and basically pn532 chip, not with a phone. my bad.
try : emulate mifare 1k phone in google.
can't help more.

Re: Copy door key tag onto mifare implant

hello
https://dangerousthings.com/
mifare implant :) i think not re writable :)

emulator
https://github.com/emsec/ChameleonMini/wiki