Mifare 1k key recovery - with concealed reader

I'm a practical learner and sometimes you learn by simply doing - sometimes you fail, sometimes you succeed. Today, I succeeded.

This post is about NFC cards that you can top up with some amount of money (for laundry, car wash, etc.); you then simply insert them in the reader and some amount of money is deducted from the card. When the funds are exhausted, you simply go to the store and they'll "charge" the card.

This post is regarding a Mifare Classic 1k system, which uses ISO 14443-3 Type A (NFC-A).

There are two types of systems:

  • An offline system - where the card holds all the information and the reader deducts money/tokens from the card
  • An online system - where the card simply presents a unique identifier to a centralised system which holds all the billing information

The first one is obviously simpler, and sometimes the only solution, because online communication between the readers and a centralised system isn't always feasible. But it can be easily hacked, as I'll explain.

⁉️ For an unspecified system, I asked myself: can I top up the card, dump its contents, use the card, and then restore it from a backup?

In theory I could, but while reading the card, only a few sectors could be unlocked using the Flipper Zero. There's a lengthy wordlist, but even then it wasn't possible.

This was my dump. Question marks after sector 19 give it all away.
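Reading a dump like that by eye is error-prone. The following is an added example (my own code, not the author's) that parses a constructed sample in the "Block N: .." layout Flipper Zero writes for Mifare Classic, where "??" marks bytes it could not read, and reports per sector whether the data blocks were readable and whether a recorded trailer key is still the factory transport key FFFFFFFFFFFF. That is the check an operator auditing issued cards would want before trusting an offline stored-value scheme.

```python
import re

# Constructed sample in the "Block N: .." layout Flipper Zero uses for
# Mifare Classic dumps, where "??" marks bytes the tool could not read.
# Blocks absent from the file are treated as unread as well.
SAMPLE_DUMP = """
Block 0: 04 01 02 03 04 08 04 00 62 63 64 65 66 67 68 69
Block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
Block 4: 10 27 00 00 EF D8 FF FF 10 27 00 00 04 FB 04 FB
Block 5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 7: A0 A1 A2 A3 A4 A5 78 77 88 C1 B0 B1 B2 B3 B4 B5
Block 16: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 19: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
"""

FACTORY_KEY = "FFFFFFFFFFFF"        # transport key every Classic ships with
BLOCKS_PER_SECTOR, SECTORS_1K = 4, 16
BLOCK_RE = re.compile(r"^Block (\d+):\s*((?:[0-9A-Fa-f?]{2}\s*){16})$")

def parse_blocks(dump):
    """Map block number -> list of 16 byte strings ("??" kept verbatim)."""
    blocks = {}
    for line in dump.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            blocks[int(m.group(1))] = m.group(2).upper().split()
    return blocks

def audit_sector(blocks, sector):
    """Sector trailer layout: key A [0:6], access bits [6:10], key B [10:16]."""
    base = sector * BLOCKS_PER_SECTOR
    trailer = blocks.get(base + 3, ["??"] * 16)
    key_a, key_b = "".join(trailer[0:6]), "".join(trailer[10:16])
    data_readable = all("??" not in blocks.get(base + i, ["??"]) for i in range(3))
    return {"sector": sector, "data_readable": data_readable,
            "key_a": key_a, "key_b": key_b,
            "factory_key": FACTORY_KEY in (key_a, key_b)}

def audit_dump(dump):
    blocks = parse_blocks(dump)
    return [audit_sector(blocks, s) for s in range(SECTORS_1K)]

if __name__ == "__main__":
    for r in audit_dump(SAMPLE_DUMP):
        state = "FACTORY KEY" if r["factory_key"] else ("ok" if r["data_readable"] else "unread")
        print(f"sector {r['sector']:2d}  A={r['key_a']}  B={r['key_b']}  {state}")
```

Any sector still on the factory key, or any sector a commodity tool can read in full, is a finding regardless of what the remaining sectors hold.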

The Flipper can be tapped against the reader in order to extract nonces to break the encryption, but that implies having access to the reader. Which I did, but the reader was inside a card slot and unreachable from the splitter.

💡 What if I could create a passive NFC repeater?

And that I did.

Building the passive repeater

The idea is quite simple: you have two card antennas connected by a pair of wires. The reader's electromagnetic field excites the first card's antenna, the signal travels via the wires to the other card's antenna, which re-radiates it, and the Flipper receives the signal.

I had two NFC cards lying around which I dissolved in 100% acetone (regular nail polish remover from the supermarket won't work - believe me, I tried!). After 45 min, the result is the one below.

Two cards dissolved in 100% acetone bath after 45min.
One of the cards' antenna.

Carefully separate the plastic from the loop antenna. The antenna has two terminations and is easily damaged or deformed.

I then proceeded to glue each antenna to another card as below - these CANNOT be NFC cards, as their own antennas would interfere with the EM field. The antenna's shape must be kept.

Simply solder a wire to each end of both antennas.

Finished product.

Let's test it:


Testing the NFC passive repeater.

Now, insert one of the cards into the card slot and follow Flipper Zero's official instructions to extract nonces.

Doing a nested attack for extracting keys and dumping the full card

Now you can do a nested attack. Here's the official documentation, and below is the output from my testing.

This is the boring part because it works without effort.

FlipperNested installation
Doing its thing!

FlipperNested will then unlock all of the card's sectors.

Now you can back up your card and restore it whenever you need to.