Flipper & MIFARE

If you wanna crack on your Proxmark and simply take the file from the Proxmark and put it on your Flipper, to not mess around with having to crack it twice, I made a nifty lil Python script to convert from binary format to the Flipper's custom NFC format.


In short, the memory sectors of the MIFARE Classic card can be used to store raw data, but they can also be configured as a “digital purse” to store value, which enables certain commands like increment, decrement and balance. In these types of scenarios, the two keys work like this:

Imagine a college that wants to deploy a student ID card that can be used to pay for things in vending machines around campus.

  • The vending machines have key A, and key A only has permissions (determined by the access bits for the sector) to decrement the value of the purse, but not to see the balance and not to write to it. Vending machines are located all over campus and are not very secure.

  • The top-up machine is located in a physically secured area like the commons or an office area. The top-up machine has key B, which has full permissions: it can increment, decrement, get the balance, and even change the access bit configuration for the sector.

Now imagine a situation like a concert venue where all the vendors have key A and can decrement a purse value, and the venue runs the top-up machines, which can increment (add money). The difference here is that the vendors and the venue are not affiliated, so it would be a huge mistake to simply share a single key that would have full permissions to do everything. In that scenario, a vendor could use the key to create fake money and “spend” it at other vendor booths and rip off everyone.

Make sense?



Starting to lol


Haha, well… just think of it this way… if there is only one key, then everyone who needs to interact with the card in a secure way will need to share that key… and in many situations that is a show-stopper. By supporting two separate keys in a way that each key can have its own permissions to the shared memory sector, you can have at least two parties interact with the memory in only the way they are allowed to interact with it.

Think of it like a safety deposit box with two keys… A and B… the key you have (key B) has been given permissions that only allow you to put stuff in the box, but you can’t see what’s already in the box or remove anything from the box… and the other key (key A) has been given permission to see what’s in the box and take stuff out of the box, but not put anything in the box. That’s the value of having two keys vs a single key.

Or like… your bank account… your employer is given key A so they can wire you funds via direct deposit… but they can’t see your bank balance or take your money out… and you have key B with full permissions… this is the value of separate keys.
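As an added example (not from the thread, and not Flipper or Proxmark code), this is how the “permissions determined by the access bits” in the vending-machine and safety-deposit-box explanations above are actually stored in a MIFARE Classic sector trailer: three access bytes carry a (C1, C2, C3) condition per block, each nibble written twice (plain and inverted), and the NXP MF1S50 datasheet table maps each condition to who may read, write, increment and decrement a value block. The scenario where only key B can top up while key A can spend is condition 110; the keys and card data below are constructed.

```python
"""MIFARE Classic sector-trailer access bits (bytes 6..8 of block 3): encode, decode, explain.
Added example, not from the thread or from Flipper/Proxmark code; access-condition tables
follow the NXP MF1S50 datasheet, and all card data below is constructed."""

# Data/value block rights per (C1, C2, C3): (read, write, increment, decrement/transfer/restore)
# "AB" = key A or key B, "B" = key B only, "-" = never.
VALUE_BLOCK_RIGHTS = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"),  # transport configuration: any key does anything
    (0, 1, 0): ("AB", "-", "-", "-"),
    (1, 0, 0): ("AB", "B", "-", "-"),
    (1, 1, 0): ("AB", "B", "B", "AB"),    # value block: only key B tops up, A or B may spend
    (0, 0, 1): ("AB", "-", "-", "AB"),    # value block: spend only, nobody can top up
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}
RIGHT_NAMES = ("read", "write", "increment", "decrement")


def encode_access_bits(conds):
    """Four (C1, C2, C3) tuples for blocks 0..3 -> the 3 access bytes.
    Byte 6 = ~C2|~C1, byte 7 = C1|~C3, byte 8 = C3|C2 (high|low nibble); bit i <-> block i."""
    c1 = c2 = c3 = 0
    for blk, (a, b, c) in enumerate(conds):
        c1, c2, c3 = c1 | a << blk, c2 | b << blk, c3 | c << blk
    inv = lambda n: ~n & 0xF
    return bytes([inv(c2) << 4 | inv(c1), c1 << 4 | inv(c3), c3 << 4 | c2])


def decode_access_bits(acc):
    """Inverse of encode_access_bits.  The inverted nibbles must match the plain ones;
    a real card treats a mismatch as a format violation and irreversibly blocks the sector."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 >> 4, b6 & 0xF, b7 & 0xF) != (~c2 & 0xF, ~c1 & 0xF, ~c3 & 0xF):
        raise ValueError("access bits fail their redundancy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def value_block_rights(trailer, block):
    """Rights on data block 0..2 of the sector whose 16-byte trailer is given."""
    cond = decode_access_bits(trailer[6:9])[block]
    return dict(zip(RIGHT_NAMES, VALUE_BLOCK_RIGHTS[cond]))


# Constructed venue sector: blocks 0-2 are purses (condition 110); trailer condition 011
# means only key B can rewrite the keys and access bits (datasheet trailer table).
VENUE_CONDS = [(1, 1, 0)] * 3 + [(0, 1, 1)]
KEY_A, KEY_B = bytes.fromhex("A0A1A2A3A4A5"), bytes.fromhex("B0B1B2B3B4B5")  # constructed
VENUE_TRAILER = KEY_A + encode_access_bits(VENUE_CONDS) + b"\x69" + KEY_B  # 0x69 = GPB byte
```

Running `decode_access_bits` over the access bytes of a dump is a quick way to see which key a reader actually needs for each operation; the default transport bytes FF 07 80 decode to condition 000 for every data block.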

That part makes sense mostly

I’m trying to visualize the communication between the card and a reader / Proxmark.

There’s a lot more back and forth than a T5577 or NTAG just spitting out its contents.

I have an old hotel key I had kicking around, I’m almost positive it’s MIFARE Classic…

If I can get the Proxmark to read it, I’ll try to autopwn it and dump it… see if I can make sense of what I see.

Would it be possible to run this on the flipper locally at some point in the future, or is it just not powerful enough? I can probably run the script from my phone with termux, but it would be great to be able to do everything on-device

Hmm, went to scan the clone I made and the reader gave me a key error. UID issue, mayhaps?
Clone might be the wrong word. Not 100%. I scanned the card with the Flipper and then emulated it.

Aren’t some readers capable of detecting clones? Could that be part of it?

I have the Flipper and the Proxmark3 Easy. The Proxmark3 Easy has a steep learning curve that I am still climbing, but for $89 it is a toy worth having for RFIDs.


How much success have you had?

Using a Proxmark3 RDV4 on the latest release, I helped a friend find all keys for a MIFARE Classic 1K card, and it appeared we had everything needed to emulate or copy the key. But when I emulated the key on the Flipper and read it back with the Proxmark, it was missing a signature from the manufacturer, and indeed it did not work on the access control.

I can only assume the system is looking for and trying to verify that signature.

Did you ever solve this one Ethan?

Nope, never figured it out but I will ask my friend who was doing the testing and see if he worked anything out.

If you find an answer I would be very much interested. Thanks for the info so far.

I’m making an assumption here, you are in this thread asking for help, so you have a Flipper correct?

If so, I would direct you to this tool created by a community member

If you have a Proxmark3:

hf mf autopwn

I am interested in the Flipper and would like to get one in the near future, but have yet to buy one. I do have a PM3.

That said, I was referring to the signature issue. If you or anyone else knows how to copy the signature or work around it I would love to read about your process. I do apologize for the ambiguity.

I appreciate your time and kindness. I am new to much of this and am trying to learn all that I can.

The originality signature? You can’t copy it.

No, I have not been able to, but like I said I am new and perhaps missing something simple. I am trying to copy an NXP MIFARE Classic MFC1C14_x.

No, I’m saying it’s not possible.


Luckily barely any systems noted in checking for the originality sig on EV1s, because they didn’t know it was there, lmao.

Yup. Only one I’ve heard of is the toothbrush.