The NFC tag I analyzed is a so-called “Mifare Classic 1k” tag. 1k stands for the size of data the tag can store. There are also other types like the “Mifare Classic 4k” and the “Mifare Mini”, each having a different memory size.

A Mifare Classic 1k tag contains 16 sectors. Each of these sectors has 3 blocks of data storage and 1 block for storing the secret access keys and access controls. Before reading a sector, the reader must authenticate to the tag with a secret access key.

Each of the 16 sectors can define its own access rights and which key is needed for a particular action. Each sector has two keys: Key A and Key B. For example, you can require Key A for reading a block and Key B for writing to it. Sector 0 Block 0 also contains a non-changeable UID (the tag's unique ID) and some manufacturer data. This section is only writeable on some special Chinese tags.

Here is a basic memory layout of a Mifare Classic tag:

Important notice: NFC and the used attack depend a lot on timing. Connecting an NFC device to a VM running Linux will not work reliably because the drivers mess with this timing. I spent a lot of time finding this out, so please boot into a Linux live CD for the following example or use a Raspberry Pi.

TODO
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys.
'.' no key found, '/' A key found, '\' B key found, 'x' both keys found
Sector 00 - FOUND_KEY Sector 00 - FOUND_KEY
Sector 01 - FOUND_KEY Sector 01 - FOUND_KEY
Sector 02 - FOUND_KEY Sector 02 - FOUND_KEY
Sector 03 - FOUND_KEY Sector 03 - FOUND_KEY
Sector 04 - FOUND_KEY Sector 04 - FOUND_KEY
Sector 05 - FOUND_KEY Sector 05 - FOUND_KEY
Sector 06 - FOUND_KEY Sector 06 - FOUND_KEY
Sector 07 - FOUND_KEY Sector 07 - FOUND_KEY
Sector 08 - FOUND_KEY Sector 08 - FOUND_KEY
Sector 09 - FOUND_KEY Sector 09 - FOUND_KEY
Sector 10 - FOUND_KEY Sector 10 - FOUND_KEY
Sector 11 - FOUND_KEY Sector 11 - FOUND_KEY
Sector 12 - FOUND_KEY Sector 12 - UNKNOWN_KEY
Sector 13 - FOUND_KEY Sector 13 - UNKNOWN_KEY
Sector 14 - FOUND_KEY Sector 14 - UNKNOWN_KEY
Sector 15 - FOUND_KEY Sector 15 - UNKNOWN_KEY
Sector: 12, type B, probe 0, distance 18504.
Sector: 13, type B, probe 0, distance 18502.
Sector: 14, type B, probe 0, distance 18500.
Sector: 14, type B, probe 1, distance 18502.
Sector: 14, type B, probe 2, distance 18502.
Sector: 15, type B, probe 0, distance 18502.
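
The per-sector access rights described above live in the fourth block of each sector (the sector trailer), and decoding it shows which key each data block requires for reading and writing. This is an added example, not code from the original post: the byte layout and access-condition table are taken from the NXP MIFARE Classic datasheet as an assumption, and the sample trailers and placeholder keys are constructed.

```python
# Added example: decode the access bits of a MIFARE Classic sector trailer.
# Assumed layout (16 bytes): Key A (0-5), access bits (6-8), user byte (9), Key B (10-15).

# Data-block rights keyed by (C1, C2, C3): (key needed to read, key needed to write).
DATA_BLOCK_ACCESS = {
    (0, 0, 0): ("A|B", "A|B"),      # transport (factory) configuration
    (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),        # read with either key, write with Key B only
    (1, 1, 0): ("A|B", "B"),        # value block
    (0, 0, 1): ("A|B", "never"),    # value block, decrement only
    (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),
    (1, 1, 1): ("never", "never"),
}

def access_bits(trailer: bytes) -> list[tuple[int, int, int]]:
    """Return (C1, C2, C3) for blocks 0..3 of a sector, checking the inverted copies."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Every nibble is stored twice, once bit-inverted; a mismatch is a format violation.
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    # Bit n of each nibble belongs to block n (block 3 is the trailer itself).
    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]

def data_block_rights(trailer: bytes) -> list[tuple[str, str]]:
    """Return (read, write) key requirements for the three data blocks."""
    return [DATA_BLOCK_ACCESS[bits] for bits in access_bits(trailer)[:3]]

# Constructed sample trailers; the all-zero keys are placeholders, not real keys.
PLACEHOLDER_KEY = bytes(6)
TRANSPORT_TRAILER = PLACEHOLDER_KEY + bytes.fromhex("ff078069") + PLACEHOLDER_KEY
SPLIT_TRAILER = PLACEHOLDER_KEY + bytes.fromhex("78778800") + PLACEHOLDER_KEY
CORRUPT_TRAILER = PLACEHOLDER_KEY + bytes.fromhex("78778900") + PLACEHOLDER_KEY

if __name__ == "__main__":
    for name, trailer in (("transport", TRANSPORT_TRAILER), ("split", SPLIT_TRAILER)):
        for block, (read, write) in enumerate(data_block_rights(trailer)):
            print(f"{name}: block {block} read={read} write={write}")
```

Per the same datasheet, Key B cannot be used for authentication when the trailer's own condition leaves it readable (as in the transport configuration), so "A|B" there effectively means Key A.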