"magic" Mifare chips

The Mifare “classic” S50 1k chip?

For many years the Mifare MF1ICS50 1k chip was used for all kinds of applications as a “secure chip” for everything from access control to stored value cards, and for making localized payments within closed systems like public transit and laundry services. However, it uses a security mechanism called “crypto1”, a simple, proprietary encryption scheme that has hardly anything to do with modern cryptography. It has been broken for many years now, but the sheer number of deployed systems that still rely on it means the Mifare S50 1k will continue to be used by legacy systems around the world for years to come.

However, the ability to break crypto1 and get at the normally protected data does not necessarily help you if you want to copy that data to another Mifare S50 1k card, fob, or tag. That’s because real Mifare chips do not allow you to change the data in sector 0, which is where special manufacturing information is held along with the 4 byte non-unique ID or serial number of the chip. You could copy all the data from the user sectors to a new card, but basically any machine reading the cloned card will see that the serial number doesn’t match or is not registered with the system and will likely ignore the card, or even alert security to a possible attempt at something malicious.

Mifare “magic” 1k chips

A Mifare “magic” chip is a special grey-market chip made in China that can emulate the memory structure and functionality of real Mifare chips, but also allow sector 0 to be modified. This means the serial number and manufacturing data of a Mifare “magic” chip can be changed to act as a perfect clone of a real Mifare S50 1k chip… even the serial number. You can see how this could be irritating to not only NXP, the company that manufactures the Mifare chip, but also all the other companies that rely on the totally broken yet still utilized security features of Mifare “classic” S50 1k chips.

gen1a vs gen2

Basically, gen1a chips are “safer” because you can always recover mistakes, but require special hardware or software to change sector 0 (where the serial number lives) or recover from locked sectors. With gen2 chips, you can easily use an NFC smartphone to write to sector 0 using an app, but if you accidentally lock a sector you cannot recover it (just like a real Mifare “classic” 1k chip). For more info about this exact difference, check out this post.

gen1a
The gen1a magic Mifare chip requires a special back door command that opens up all sectors to writing, including sector 0. The advantage of this is that even if you have lost the crypto1 keys for a particular sector that is marked as protected by the access bits for that sector, you can still overwrite it after issuing the back door command. The down side is, the back door command is issued to the chip after it supposedly enters the halt state, which means only certain devices can issue the back door command. Smartphones generally cannot do this because the chips and firmware in the phone do not allow further communications after the halt state has been entered. Furthermore, certain readers, especially in Asia, look for magic chips by issuing the back door command and if the chip answers, it shuts down to avoid allowing a possibly cloned chip to access whatever door or service the reader is attached to.

gen2
The gen2 magic Mifare chip has no back door command. All sectors are simply open for writing. The advantage of the gen2 magic chip is that even NFC capable smartphones can simply issue write commands for any sector, including sector 0. This means a smartphone app could be used to change the ID of the chip along with all the data in the manufacturing block. In addition to this, readers looking for magic chips ultimately have no good way to really tell if the chip is a magic chip or not. The down side is that the real Mifare S50 1k chip’s operation is emulated completely and accurately. There is no back door, so if one or more sectors on the chip become protected by access bit changes, you need valid keys in order to make further changes. In addition to this, if you set access bits such that the sector becomes locked, there is no way to recover that sector… it will be locked forever.
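Since a gen2 chip emulates the real chip accurately, a reader cannot rely on the back door trick to spot it; what it can still do is sanity-check the manufacturer block it reads from sector 0 and compare the serial number against what it has registered. The following is an added example from the defender's side and is not code from the original post: it parses a 16 byte block 0 in the 4 byte UID layout (UID, BCC, SAK, ATQA, manufacturer data), verifies that the BCC byte equals the XOR of the four UID bytes, checks the SAK/ATQA values a Mifare Classic 1k reports (0x08 and 0x0004), and checks the UID against a registered list. The sample block bytes and the registered UID set are constructed for the example; `check_block0` and its finding strings are this example's own names.

```python
from dataclasses import dataclass

# Values a genuine Mifare Classic 1k reports; a card whose manufacturer
# block claims something else deserves a closer look.
CLASSIC_1K_SAK = 0x08
CLASSIC_1K_ATQA = bytes.fromhex("0400")  # ATQA 0x0004 as stored in block 0


@dataclass(frozen=True)
class ManufacturerBlock:
    uid: bytes          # bytes 0-3: the 4 byte non-unique ID
    bcc: int            # byte 4: block check character, XOR of the UID bytes
    sak: int            # byte 5: select acknowledge
    atqa: bytes         # bytes 6-7: answer to request
    manufacturer: bytes # bytes 8-15: manufacturer data


def parse_block0(block: bytes) -> ManufacturerBlock:
    """Split a raw 16 byte block 0 (4 byte UID layout) into its fields."""
    if len(block) != 16:
        raise ValueError(f"block 0 must be 16 bytes, got {len(block)}")
    return ManufacturerBlock(
        uid=block[0:4],
        bcc=block[4],
        sak=block[5],
        atqa=block[6:8],
        manufacturer=block[8:16],
    )


def expected_bcc(uid: bytes) -> int:
    """The BCC is the XOR of all UID bytes; a mismatch means a malformed block."""
    bcc = 0
    for b in uid:
        bcc ^= b
    return bcc


def check_block0(block: bytes, registered_uids: set[bytes]) -> list[str]:
    """Return a list of findings; an empty list means the block looks sane
    and the UID is one the system knows about."""
    mb = parse_block0(block)
    findings = []
    if mb.bcc != expected_bcc(mb.uid):
        findings.append("bcc-mismatch")
    if mb.sak != CLASSIC_1K_SAK:
        findings.append(f"unexpected-sak:{mb.sak:02x}")
    if mb.atqa != CLASSIC_1K_ATQA:
        findings.append(f"unexpected-atqa:{mb.atqa.hex()}")
    if mb.uid not in registered_uids:
        findings.append("uid-not-registered")
    return findings


# Constructed sample: UID a1b2c3d4, correct BCC 0x04, SAK 08, ATQA 04 00,
# then eight bytes of made-up manufacturer data.
SAMPLE_BLOCK0 = bytes.fromhex("a1b2c3d4 04 08 0400 6263646566676869".replace(" ", ""))
# Same block with a wrong BCC, the kind of slip a hand-edited sector 0 can carry.
BAD_BCC_BLOCK0 = SAMPLE_BLOCK0[:4] + bytes([0x00]) + SAMPLE_BLOCK0[5:]
REGISTERED = {bytes.fromhex("a1b2c3d4")}

if __name__ == "__main__":
    for name, block in (("sample", SAMPLE_BLOCK0), ("bad-bcc", BAD_BCC_BLOCK0)):
        print(name, check_block0(block, REGISTERED) or "ok")
```

A BCC mismatch is not proof of a magic chip, only of a block 0 that a real chip would not have shipped with, so treat it as a reason to deny and log rather than as an attribution. The UID check is the part that matters most for the point made above: a copied user-sector dump without a registered serial number still fails here.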

Changing the ID of a “magic” Mifare chip

Writing to sector 0 of a “magic” chip in order to change its ID depends on which version you have.

gen1a
To change the ID of a gen1a magic chip, you will need to use a proxmark3 or some special software that can issue the gen1a back door command to the magic chip through a common reader like the ACR122U.

-todo-

gen2
You can write to sector 0 of a magic gen2 chip like any other sector on a Mifare “classic” S50 1k chip. That means you can even use an NFC smartphone and an app to do it.

-todo-

Cloning card data to a “magic” chip

The first thing you have to do is ensure your source card or fob is a 4 byte “Classic” 1k card, not a newer 7 byte “Mifare 1k” card. With the discovery of Crypto1 vulnerabilities in the “Classic” Mifare S50 1k and S70 4k chips, NXP (the company that makes Mifare chips) released a number of different updated versions of Mifare chips. These include Mifare Plus 1k and a Mifare “Classic” 1k EV1 (evolution one) chip. The memory structures of these new chips are identical to the real “Classic” 1k chips, but they have 7 byte UIDs, not 4 byte IDs. While new attacks on these chip types do exist, success is limited, and you will not be able to copy the complete 7 byte ID number to the gen1a chip since it only supports 4 byte IDs.

gen1a
By far the most powerful tool to use is the Proxmark3, an RFID diagnostics and security research tool that is open source, so it comes in many flavors, shapes, and sizes. Its flexibility and the ability to update the firmware to support the latest security tactics and tools mean it’s a great investment for anyone wanting to experiment with RFID. While we do not offer a guide for how to use the Proxmark3 to clone Mifare cards to a “magic” chip, there are plenty of other guides already written that detail how it’s done.

If you don’t have a proxmark3 but you do have a USB reader like the ACR122U, there are a few tools you can use. Here’s an example of how to use them.

gen2
If you have a gen2 chip and want to clone some data to it, you can use an Android smartphone app called MCT. It’s not the most friendly tool, but it works.

-todo-
