Flipper :flipper: & MiFare

I have a Mifare Classic 1K that I use at work and I’m trying to get the FlipperZero to scan it. It only seems to scan part of the card.
I tried scanning one of the cards I got with the ProxMark3 Easy and it read totally fine.

1 Like

Looks like there are some keys that are not default keys and thus, the sector will not be readable.

I believe that flipper cannot crack keys itself, but if you have a Proxmark3, you can do hf mf autopwn on it to try and coax the keys out of it.

I don’t have a flippery myself (yet!), but I assume that once you have the keys from the autopwn, you could input them into the flipper and get a full read. (Again, just a hypothesis.)

1 Like

the flipper can crack the keys you just have to use an alternate method https://github.com/equipter/mfkey32v2


Ok… so explain something to me like I’m 5

Why are there multiple keys?

I can understand the whole chip being encrypted, but why does each sector have (2?) keys

Also… is lacking the key prevent reading that sector or prevent changing it?…
Is the KEY what systems are looking for or what the key hides?

Mifare doesn’t click for me :sweat:, trying to lean what I can before the con… on the off chance I need to help someone with THAT side of it

I also, roughly understand the concept of the flipper using a dictionary attack… it has a list of possibilities it runs through

But how is the proxmark more capable here?

i’m gonna go smoke this joint then i gotchu

1 Like

Probably the best when dealing with me

1 Like

Yoooo that was totally it. Why didnt I think of that?
I used the PM3 and got the missing keys. Added em to my FZ and then boom! Full read.
Thanks friend :smiley:

I’ll have to bookmark this github page for my next Mifare card.
Appreciate the info :slight_smile:

I just put two and two together, this is your github page. Thanks for the tool

I know hf means High Frequency and then pair that with mf my radio tech brain goes “oh medium frequency.” Not MiFare.

The Mifare Classic EV1 1K Datasheet is a good read if you want to get into the technicals of the format. It’s honestly where I learned most of what I know about it.

1 Like

Like I’m 5 bro lol… I didnt say a Mensa 5

1 Like

mifare classic comes in many sizes some of which change the format of the datastructure but for this we will be covering mifare classic 1k

each M1K is split into 64 blocks contained to 16 sectors which are protected by 2 keys (keyA and keyB respectively) and a 3 byte access bits in the middle of the keys.

each sector is 4 blocks big, the first three are data and can be used however the client needs
the final block is those two keys and their access bits.

the first block of a mifare classic card is block 0 and contains the uid, ask and atqa and optional manufacture info. this block usually cannot be edited.

there is two keys for every sector for a few reasons, the main being that two keys allows for diversified access, you can change the access bits to be read/write/increase/decrease at either or both keys. it allows for better protection when you need 2 keys instead of one to access as it does eliminate some of the known attacks out there.

mifare classic 1ks contain 720 bytes of usable data, the rest is keys, access bits or the block 0 identification block

1 Like

I would write you an eli5, but I’ve got to get to bed, lol. I’m sure Equipter will do a better job than me anyways. Maybe if you’re still in need tomorrow, I can help. :slightly_smiling_face:

thats a brief less technical overview i can go much deeper if needed

I think I can digest that… but I might need to borrow that joint

1 Like

If you’re more of a visual learner (like I) the datasheet has some nice figures describing it as well.

1 Like

Hrmm I appreciate the help. That will take a minute to click… but I think it will help :dizzy_face:

There are certainly better illustrations out there, but again. Must sleep… Why is it so hard to sleep… :sleeping:

1 Like

Because I’m so entertaining / engaging / dumb lol

And I’m horribly nocturnal with non intentionally horrible regard for diurnal circadian rhythms

i recommend not going through and fully understanding access bit structure and doing calc on the fly