The Mifare “classic” S50 1k chip?
For many years the Mifare MF1ICS50 1k chip was used for all kinds of applications as a “secure chip” for everything from access control to stored value cards, and used for making localized payments within closed systems like public transit and laundry services. However, it uses a security mechanism called “crypto1” which is a simple, proprietary encryption mechanism that hardly has anything to do with modern cryptography. It has been broken for many years now, but the sheer number of systems out there that still use it means the Mifare S50 1k will continue to be used by legacy systems around the world for years to come.
However, the ability to break crypto1 and get at the normally protected data does not necessarily help you if you want to copy that data to another Mifare S50 1k card, fob, or tag. That’s because real Mifare chips do not allow you to change the data in sector 0, which is where special manufacturing information is held as well as the 4 byte non-unique ID or serial number of the chip. You could copy all the data from the user memory sectors to a new Mifare 1k chip, but basically any machine reading the cloned card will know that the serial number doesn’t match or is not registered with the system and will likely ignore the card or even alert security to a possible attempt at something malicious.
“magic” Mifare 1k chips
A “magic” Mifare chip (or magic chip) is a special grey-market chip made in China that can emulate the memory structure and functionality of real Mifare chips, but also allow sector 0 to be modified. This means the serial number and manufacturing data of a Mifare “magic” chip can be changed to act as a perfect clone of a real Mifare S50 1k chip… even the serial number.
gen1a vs gen2
There are now several “generations” of these types of chips, but the most common are still gen1a and gen2. Other types of “magic” chips include the ability to emulate more than just mifare “classic” S50 1k chips, but here we will focus just on the magic Mifare S50 1k (4 byte ID) chip emulators.
More details…
gen1a
The gen1a magic Mifare chip requires a special back door command that opens up all sectors to writing, including sector 0. The advantage of this is that even if you have accidentally locked any memory sectors or lost the crypto1 keys for any particular sector, you can still read and overwrite all sectors after issuing the back door command. In short, the back door command removes all security completely for every sector.
The down side is, the back door command is issued to the chip after it supposedly enters the halt state, which means only certain devices can issue the back door command. Smartphones generally cannot do this because the chips and firmware in the phone do not allow further communications after the halt state has been entered. Furthermore, certain readers, especially in Asia, look for magic chips by issuing the back door command and if the chip answers, it shuts down to avoid allowing a possibly cloned chip to access whatever door or service the reader is attached to.
gen2
The gen2 magic Mifare chip has no back door command. All sectors are equally open for writing, as long as access bit permissions and keys allow. The advantage of the gen2 magic chip is that even NFC capable smartphones can issue standard write commands for any sector, including sector 0. This means a smartphone app like MCT could be used change the ID of the chip along with all the data in the manufacturing block. In addition to this, readers looking for magic chips ultimately have no good way to really tell if the chip is a magic chip or not.
The down side is that the real Mifare S50 1k chip’s operation is emulated completely and accurately. There is no back door, so if one or more sectors on the chip become protected by access bit changes, you need valid keys in order to make further changes. In addition to this, if the access bits are misconfigured or bad data is written, the sector becomes unreadable and locked, and there is no way to recover that sector… it will be locked forever.
Changing the ID of a “magic” Mifare chip
Writing to sector 0 of a “magic” chip in order to change it’s ID depends on which version you have.
gen1a
To change the ID of a gen1a magic chip, you will need to use a proxmark3 or some special software that can issue the gen1a back door command to the magic chip through a common reader like the ARC122U.
-todo-
gen2
You can write to sector 0 of a magic gen2 chip like any other sector on a Mifare “classic” S50 1k chip. That means you can even use an NFC smartphone and an app to do it.
-todo-
Cloning card data to a “magic” chip
The first thing you have to do is ensure your source card or fob is a 4 byte “Classic” 1k card, not a new 7 byte “Mifare 1k” card. With the discovery of Crypto1 vulnerabilities in the “Classic” Mifare S50 1k and S70 4k chips, NXP (the company who makes Mifare chips) released a number of different updated versions of Mifare chips. These include Mifare Plus 1k and a Mifare “Classic” 1k EV1 (evolution one) chip. The memory structures of these new chips are identical to the real “Classic” 1k chips but they have 7 byte UIDs not 4 byte IDs. While new attacks on these new chip types do exist, success is limited and you will not be able to copy the complete 7 byte ID number to the gen1a chip since it only supports 4 byte IDs.
gen1a
By far the most powerful tool to use is the Proxmark3 - an RFID diagnostics and security research tool that is open source, so it comes in many flavors, shapes, an sizes. It’s flexibility and ability to update the firmware to support the latest security tactics and tools means it’s a great investment for anyone wanting to experiment with RFID. While we do not offer a guide for how to use the Proxmark3 to clone Mifare cards to a “magic” chip, there are plenty of other guides already written that detail how it’s done.
- RyscCorp page on cloning a 4 byte ID to a “Magic” gen1 chip
- https://www.gavinjl.me/proxmark-3-cloning-a-mifare-classic-1k
- https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html
If you don’t have a proxmark3 but you do have a USB reader like the ACR122U, there are a few tools you can use. Here’s an example of how to use them.
gen2
If you have a gen2 chip and want to clone some data to it, you can use an Android smartphone app called MCT. It’s not the most friendly tool, but it works.
The video embedded below drops you right into the section at 42 seconds in which talks about how to program and update the gen2 magic chip in our Magic Ring product using the MCT app for Android.
The video below explores how to use the proxmark3 to dump a complete Mifare Classic 1k chip and use the MCT app to make a complete copy of that chip in a product containing a magic 1k gen2 chip.