![](/uploads/1/2/6/3/126327732/945746794.jpg)
![Crack](/uploads/1/2/6/3/126327732/419235788.jpg)
How to crack Mifare Classic NFC cards using the hardnested attack. Then, using the Mifare Classic Tool for Android, I was able to modify its contents so I could get more than 3 drinks a day.
It recently came to our attention that one of our customers (supposedly) uploaded some Windows software tools applicable to the xM1+ to the interweb tubes. We downloaded them and tested them on a fresh virtual machine and they seemed to work.
![Mifare classic card recovery tools](/uploads/1/2/6/3/126327732/621930402.jpg)
However, there was no source code provided for either of these tools so USE THESE TOOLS AT YOUR OWN RISK. The tools in question came from here;

You will have to wade through a significant amount of crappy ads, fake virus alerts, pop-ups, and click re-directs, but it will eventually trigger a real file download. You’re probably going to catch some viruses too from some of those re-directs, so again, we suggest trying this in a totally fresh virtualized guest machine you can obliterate later.

The recommended tool for all RFID tinkering is the, and it’s what should be used to write data to your xM1+. If you do not have a proxmark3 or are unable to afford one, these tools might be helpful for you.

Windows + ACR122U

Inside the ZIP file are two tools which work with Windows and the. You must have the installed for this reader for these tools to work.

MfocGUI - MiFare Offline Cracking GUI

The first tool is called mfocGUI, which has, but no source came with this particular compiled EXE, so again use at your own risk!

As the title indicates, this tool will have a decent chance of cracking Mifare “Classic” S50 1k and S70 4k chip keys. This will not work on the later released “EV1” versions of the Mifare “Classic” 1k, since the whole point of EV1 was to fix the broken crypto1 algorithm. So there are “Mifare Classic S50 1k” chips (the old version with the vulnerable crypto1 algorithm) and “Mifare Classic EV1 1k” chips, which have a fixed version of the crypto1 algorithm and cannot be cracked. If you have keys however, you can clone the data to an xM1+ just fine.

The software was originally created to be able to crack and fiddle with the contents of transit cards used in the Netherlands, specifically the Amsterdam metro area transit system. It was a big embarrassment to have these cracked, because the Mifare S50 1k chip is made by NXP, which is a company headquartered in the Netherlands. Quickly after the tool’s release, ticketing and transit cards were changed to new chip types that are, as of yet, uncracked, but the tool remains. This is why you will see all of the extra tabs and text fields that relate to amount of credit left on the card, transit history, etc., which are no longer relevant but remain in the GUI.

You may notice a button called “Write data Reader”, however in our experience we could not get this function to work, which is probably why there is another tool included in the ZIP file.

Card Recovery Tool

The next tool is a “card recovery tool” which is made to look like it came from ACS, the company that makes the ACR122U reader. This may or may not be true. It is possible that the software package did come from ACS, but they do not acknowledge this at all when questioned about it, so who knows. In short, it will take a data dump file created from the mfocGUI software and write that data to the xM1+ via the ACR122U.

Walk-through

For this test, we used a “play pass” card used to store play tokens for a children’s pizza place here in the USA called, which has video games that used to take physical tokens but now use a tap card. The chip in the card is an original Mifare Classic S50 1k chip, which is crackable.

You might be wondering why such an old chip with a serious vulnerability is still being used in new card production to this day, but it all comes down to cost. The old chip type is slightly cheaper to buy and use in card production than the newer EV1 version, so when you are producing millions of cards for various applications, that small difference in price can add up to a lot of money. Unless a customer is knowledgeable enough to specifically request a more secure chip type, they are getting the cheaper cards.

This is our source card.

Place your source card on to the ACR122U to begin!

Extract the ZIP file somewhere; c:\temp is fine.
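
A check worth running on a dump file before the card recovery tool described above writes it to a tag: each sector trailer stores its access bits both plain and inverted, and a trailer written with inconsistent access bits irreversibly blocks that sector. The Python below is an added example, not part of the original post or of the tools it describes; it assumes the dump is a raw 1024-byte image of a 1k card, and the function names and sample data are constructed for illustration.

```python
"""Pre-write sanity check for a raw MIFARE Classic 1K dump (added example)."""
import sys

BLOCK = 16              # bytes per block
BLOCKS_PER_SECTOR = 4   # 1K layout: 16 sectors x 4 blocks
SECTORS = 16
FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")  # NXP transport key


def access_bits_valid(b6, b7, b8):
    """Each C1/C2/C3 nibble is stored once plain and once inverted."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return ((b6 & 0x0F) == (~c1 & 0x0F)
            and (b6 >> 4) == (~c2 & 0x0F)
            and (b7 & 0x0F) == (~c3 & 0x0F))


def audit_dump(dump):
    """Return one finding dict per sector of a raw 1024-byte dump."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError(f"expected 1024 bytes, got {len(dump)}")
    findings = []
    for sector in range(SECTORS):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK  # trailer = 4th block
        trailer = dump[start:start + BLOCK]
        # Trailer layout: Key A (6) | access bits (3) | user byte (1) | Key B (6)
        key_a, acc, key_b = trailer[0:6], trailer[6:9], trailer[10:16]
        findings.append({
            "sector": sector,
            "access_bits_ok": access_bits_valid(*acc),
            "factory_key_a": key_a == FACTORY_KEY,
            "factory_key_b": key_b == FACTORY_KEY,
        })
    return findings


def constructed_dump():
    """Constructed sample: blank card image, sector 5 given a bad trailer."""
    trailer = FACTORY_KEY + bytes.fromhex("FF078069") + FACTORY_KEY
    dump = bytearray((bytes(3 * BLOCK) + trailer) * SECTORS)
    dump[(5 * BLOCKS_PER_SECTOR + 3) * BLOCK + 7] = 0x00  # corrupt access byte 7
    return bytes(dump)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_dump()
    for f in audit_dump(data):
        status = "ok" if f["access_bits_ok"] else "INVALID ACCESS BITS, do not write"
        print(f"sector {f['sector']:2d}: {status}  factory A={f['factory_key_a']} B={f['factory_key_b']}")
```

Run with a dump file path as the only argument, or with no argument to see the constructed sample, where sector 5 is reported as unsafe to write.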