NExT and MIFARE Plus SL1

Hey all,

I have my NExT chip installed, and Proxmark3 handy, and first item on the agenda was to clone my work fob.

I’ve read a bunch of posts so just trying to string together bits of information.

Running hf mfp info on my fob gives:

[=] --- Tag Information ---------------------------

[+]  UID: 01 23 45 67 78 90 12
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 75 77 80 02 C1 05 21 30 10 F6 D1 [ D3 00 ]
[=]      0C...............  TL    length is 12 bytes
[=]         75............  T0    TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=]            77.........  TA1   different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=]               80......  TB1   SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[=]                  02...  TC1   NAD is NOT supported, CID is supported

[=] -------------------- Historical bytes --------------------
[=]     C1 05 21 30 10 F6 D1      
[+]     C1.....................   Mifare or (multiple) virtual cards of various type
[+]        05..................   length is 5 bytes
[+]           2x...............   MIFARE Plus
[+]           x1...............   1 kByte
[+]              x0............   Generation 1
[+]                 x0.........   Only VCSL supported
[?] Hint: try `hf mfp info`

[=] --- Fingerprint
[=]           SIZE: 2K (7 UID)
[=]             SAK: 2K 7b UID
[=] --- Security Level (SL)
[+]        SL mode: SL1
[=]   SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication

Running hf mf autopwn doesn’t do much:

[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 59 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] ......
[-] ⛔ No usable key was found!

As far as I understand, because it’s SL1, I might be in luck downgrading it to a MIFARE Classic?

Edit: just read the NExT can’t do MIFARE Classic anyway, but only MIFARE Ultralight.

I can choose a fob or an access card. Do you think the access card would have any less security on it? Or be the exact same setup as the fob?

Otherwise, the security guys would be happy to enrol my chip if possible but would I have to confirm they allow MIFARE Ultralight?

Would appreciate any help from here!
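An added example (not from the original post or from the Proxmark3 project): a small Python decoder for the ATS bytes pasted above, walking the same fields `hf mfp info` prints (TL, T0, TA1, TB1, TC1, historical bytes). The historical-byte tables are assumed to match the Proxmark3 decoding shown in the output, and the sample ATS is the one from the post with the trailing CRC bytes dropped.

```python
# Added example: decode the ISO 14443-4 ATS pasted above (not Proxmark3 code).
# Field layout follows ISO/IEC 14443-4; the historical-byte meanings are
# assumed to match what `hf mfp info` printed for this tag.

ATS_HEX = "0C 75 77 80 02 C1 05 21 30 10 F6 D1"   # from the post, [D3 00] CRC dropped

FSC_TABLE = [16, 24, 32, 40, 48, 64, 96, 128, 256]   # FSCI -> FSC in bytes
CHIP = {0x10: "MIFARE DESFire", 0x20: "MIFARE Plus"}
MEMORY = {0x00: "<1 kByte", 0x01: "1 kByte", 0x02: "2 kByte", 0x03: "4 kByte", 0x04: "8 kByte"}
GENERATION = {0x00: "Generation 1", 0x01: "Generation 2", 0x02: "Generation 3"}
VCS = {0x00: "Only VCSL supported", 0x01: "VCS, VCSL and SVC supported", 0x0E: "No VCS command supported"}


def parse_ats(hex_str):
    """Return a dict of decoded ATS fields; raises ValueError on a malformed ATS."""
    b = bytes.fromhex(hex_str.replace(" ", ""))
    if not b or b[0] != len(b):
        raise ValueError("TL does not match the number of ATS bytes")
    t0, pos = b[1], 2
    out = {"TL": b[0], "FSC": FSC_TABLE[min(t0 & 0x0F, 8)]}
    if t0 & 0x10:                                # TA1: supported bit-rate divisors
        ta1, pos = b[pos], pos + 1
        out["DR"] = [2 ** (i + 1) for i in range(3) if ta1 & (1 << i)]
        out["DS"] = [2 ** (i + 1) for i in range(3) if ta1 & (0x10 << i)]
        out["same_divisor_only"] = bool(ta1 & 0x80)
    if t0 & 0x20:                                # TB1: frame waiting / start-up guard time
        tb1, pos = b[pos], pos + 1
        out["FWI"], out["SFGI"] = tb1 >> 4, tb1 & 0x0F
        out["FWT_fc"] = 256 * 16 * 2 ** out["FWI"]   # FWT = (256*16/fc) * 2^FWI
    if t0 & 0x40:                                # TC1: NAD / CID support bits
        tc1, pos = b[pos], pos + 1
        out["NAD"], out["CID"] = bool(tc1 & 0x01), bool(tc1 & 0x02)
    hist = b[pos:]
    out["historical"] = hist.hex(" ").upper()
    # NXP-style historical bytes: C1, length, chip/memory, x/generation, x/VCS
    if len(hist) >= 5 and hist[0] == 0xC1:
        if hist[1] != len(hist) - 2:
            raise ValueError("historical-byte length field is inconsistent")
        out["chip"] = CHIP.get(hist[2] & 0xF0, "unknown")
        out["memory"] = MEMORY.get(hist[2] & 0x0F, "unknown")
        out["generation"] = GENERATION.get(hist[3] & 0x0F, "unknown")
        out["vcs"] = VCS.get(hist[4] & 0x0F, "unknown")
    return out


if __name__ == "__main__":
    for k, v in parse_ats(ATS_HEX).items():
        print(f"{k:>18}: {v}")
```

Note that the security level (SL1/SL3) is not in the ATS; Proxmark3 probes for it separately, so this decoder only tells you it is a 1K MIFARE Plus, not which mode it is running in.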

SL1 is backwards compatible with MIFARE Classic, providing you are able to get the keys. Given that autopwn doesn’t work, you would need to sniff the communication between reader and card:

(hf 14a sniff) with the proxmark between the card and reader
(hf mf list) when you’ve finished to view the trace in a mifare classic command context

You’re right that MIFARE Classic and Ultralight are not cross-compatible. Unfortunately your only option would be to enrol, providing the system has support for Ultralight, which it likely doesn’t; but if they’re able to add a credential on a UID-only basis you should be able to do it.

There would likely be no difference between fobs and cards in terms of security, unless one of them happens to be using MIFARE Classic instead of MFP SL1. Either way, neither of them is helpful to you in the long run.

2 Likes

The NExT cannot emulate any HF card (i.e. you cannot clone a card to an NTAG); it has an NTAG216 on the HF side.
NTAGs are fixed-UID and more designed to share data and command push with smartphones. If you want to use it for access control, you will have to enrol it in the system.

On the LF side, the T5577 can emulate just about any LF chipset.

1 Like

Thanks for the info here.

So the NExT is unlikely to be useful for any modern security fob.

What would be the best implant for access then? xM1? Will there be something coming out that can do the more advanced MIFARE protocols even if you have to enroll it?

I would go for the xMagic.
Containing a MIFARE Classic magic and a T5577, it covers most of your bases when dealing with MIFARE Classic and any non-RTF low-frequency fobs.

something coming out that can do the more advanced MIFARE protocols even if you have to enroll it?

This already exists: there’s the x/flexDF2, which is a DESFire EV2 you can enrol where applicable.

The xMagic is what I would consider the height of versatility for cloning, as MIFARE Classic makes up a lot of domestic medium-stakes security like hospitality in a lot of countries, and low-frequency simple fobs are still widely used and deployed, so you could potentially run into them and it’s always good to be prepared.

Outside of the above, what implant you get would be down to what you need it for, what chipset you’re using, and whether or not it can be cloned or if it needs to be enrolled.

2 Likes

I would stay away from blanket statements; it depends on what access system you’re looking at.
(There are a lot of LF systems still being developed and deployed in new environments that do/can have some security and a lot of advantages for the end user.)

This is absolutely true :+1:

The reality about RFID is that not everything can be cloned. Again, it all depends on the access system you’re trying to use.
For all “exotic” chipsets, you will probably have to go the custom route, i.e. source the chipset yourself and have it encapsulated.

2 Likes

Update here…

I was able to get an enrolled card running MIFARE Classic MFC1C14_x from our building security.

Using the Proxmark, when I run hf mf info I can confirm the card UID is 4 bytes:

[usb] pm3 --> hf mf info

[=] --- ISO14443-a Information ---------------------
[+]  UID: 12 34 56 78 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[=] 
[=] --- Tag Signature
[=]  IC signature public key name: NXP MIFARE Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 8583CA0FA1F7DB6ED4AFB0C11204CD8628CBB6D0A429306C50C3616120EC4500
[+]        Signature verification: successful

[=] --- Keys Information
[=] [0] key FF FF FF FF FF FF 
[+] loaded 1 keys supplied by user 
[+] loaded 59 keys from hardcoded default array
[=] <N/A>

[=] --- Magic Tag Information
[=] <N/A>

[=] --- PRNG Information
[+] Prng................. hard

If I run hf mf autopwn it seems pretty happy to dump the keys (all green for all sectors/keys).

I understand that the NExT NTAG216 can’t change UID.

But am I still in luck for cloning this to my NExT chip?

And if so, what commands do I need?

Thanks again.

NTAG and MIFARE are not compatible, sorry. Your NExT cannot do MIFARE. A xM1 or xMagic would do the trick.

1 Like

Appreciate the quick reply here.

I was under the impression the NExT couldn’t do MIFARE 1k, but could MIFARE Ultralight?

What if I have my NTAG enrolled in their system, since the ID can’t be programmed?

If their system uses MIFARE, I doubt an NTAG transponder can be enrolled. MIFARE is targeted towards secure access control. It uses proprietary shenanigans to accomplish this. Ultralight is not cloneable, from what I recall.

Edited to add: don’t let my skepticism keep you from trying to enroll it. I would love to be wrong!

1 Like

Mifare is a marketing term that has been bastardized so badly...

3 Likes

So are you saying I’m in luck or not?

Mifare is not meaningful here because they took the technical term mifare and applied it to their ultralight family as a marketing term… at which time mifare lost all meaning as a technical term.

In short, mifare s50 1k chips are in no way compatible with ultralight chips.

The NExT has an NTAG family chip inside, which is an improvement on Ultralight, so it’s still not compatible with MIFARE “Classic” S50 1K.

2 Likes

Do you have any more info on this part?

I found this screenshot from the documentation of the system:

image

I suspect “Proximity token 1356.” I’m assuming 1356 is a reference to 13.56 MHz.

1 Like

What are you wanting to do?
Amal has a great video on YouTube on how it all works in the implant realm. If we know what you’re trying to do we can point you in the right direction :+1:

1 Like