xM1+ doesn't work for use case. 😭 Can't crack Mifare Classic

So, I bought the xM1+ and had it placed in my hand by a local body piercer about a month back.
(I'll upload the video another time.)

Unfortunately, the chip under my skin can't be read by the door scanners where I intended to use it. The LED Field Tester it came with lights up (dimly, I'll admit). So, I assumed the xM1 Plus would also make contact. Though, it appears the door readers are simply not strong enough. Which is unfortunate, as this use case was the entire reason I decided to get my first implant. :expressionless: Oh well, life goes on.

Per @amal 's instructional article I purchased the ACR122U (as the proxmark3 was out of budget) and it arrived in the mail today! Pairing it with the recommended drivers and software, I went on a mission to crack a Mifare Classic card. The MiFare Offline Cracker tool worked great on the demo cards that arrived with the reader, giving me a dump of all the data in under 5 seconds. Though, the Mifare Classic card that I needed it to crack didn't have the same luck.

It ran for over an hour before the program crashed. As I type, it has been running again for over two hours without making progress. It jumped directly to Sector 15, type A and it has been in the same spot. It has now made it past probe 285 of the same sector, but I expect it to crash before getting even this one key.

All this being said, I was initially under the impression that my use case only actually needs the card's UID. Based on the trouble I'm having cracking the card, I may be wrong. Though, I thought it would be worth a try to only clone block 0. My problem is not knowing how to have the ACR122U give me block 0 without needing to crack the entire card. Also, how would I go about writing this information (without having to compile a full dump) using the recommended Card Recovery tool?

Thanks for any insight or suggestions @amal !

One thing to be careful of is that NXP now sells "Mifare Classic 1k" cards that are not the same old chip version… they look exactly the same, but the crypto-1 key cracking problem has been solved on these. Sometimes they are called Mifare S50 EV1 chips, but basically they are not vulnerable to cracking like the original mifare S50 1k chips are… it might be that you do have one of these newer chips in your desired source card. If possible, can you try reading your source card with TagInfo on an Android phone that supports reading non-NFC compliant Mifare cards and posting the info screens here?

I'd be shocked if they went with EV1 cards. Seems like the type of place that would buy whatever is cheapest. Though, it looks as though I may have been wrong in that assumption.

Once I get my hands on an Android phone, I'll get that information for you. Thanks @amal !

Any other ideas as to what I can do with my xM1+ implant? Can the ACR122U be used to output the UID as keystrokes, to facilitate unlocking a laptop?

You could use the kbr1 reader to output the uid as keystrokes, but the acr122u would need some serious programming to do that… it's a PC/SC reader.
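As an added example (not code from this thread, from Dangerous Things, or from ACS), this is what the "serious programming" for the ACR122U's PC/SC path looks like at its simplest: a pyscard script that waits for a tag on the first reader, sends the ACR122U's documented Get Data pseudo-APDU (FF CA 00 00 00), and returns the UID as hex, plus a helper that formats it as the text a keystroke-emulation tool would type. Assumptions: pyscard and pcscd are installed, the ACR122U is reader index 0, and the function names, the 10-second timeout, and the test UID are my own constructed choices.

```python
"""Read the UID of a Mifare Classic-family tag (such as an xM1+) through an
ACR122U over PC/SC using pyscard.  Example code added to this thread; not
Dangerous Things' or ACS's software.  Assumes pyscard is installed and the
ACR122U is the first PC/SC reader (hypothetical setup)."""

# ACS "Get Data" pseudo-APDU documented for the ACR122U:
# CLA=FF INS=CA P1=00 P2=00 Le=00 -> UID (4, 7 or 10 bytes) followed by SW1 SW2.
GET_UID_APDU = [0xFF, 0xCA, 0x00, 0x00, 0x00]

SW_OK = (0x90, 0x00)  # ISO 7816 "success" status word


class TagReadError(RuntimeError):
    """Raised when the reader does not hand back a usable UID."""


def parse_uid_response(data, sw1, sw2):
    """Validate the status word and return the UID as lowercase hex.

    The ACR122U answers 63 00 ("operation failed") when no tag is in the
    field, so a non-9000 status is reported instead of silently returning
    an empty UID."""
    if (sw1, sw2) != SW_OK:
        raise TagReadError(f"reader returned SW {sw1:02X} {sw2:02X}")
    if len(data) not in (4, 7, 10):
        raise TagReadError(f"unexpected UID length {len(data)}")
    return bytes(data).hex()


def uid_as_keystrokes(uid_hex, suffix="\n"):
    """Text a keystroke-emulation tool would type: upper-case hex plus Enter,
    mirroring what a hardware keyboard-wedge reader like the KBR1 emits."""
    return uid_hex.upper() + suffix


def read_uid(reader_index=0, timeout_s=10):
    """Wait for a tag on the given PC/SC reader and return its UID as hex.

    pyscard is imported lazily so the pure helpers above are usable (and
    testable) on a machine without the library or the reader."""
    from smartcard.CardRequest import CardRequest  # pyscard
    from smartcard.System import readers

    available = readers()
    if not available:
        raise TagReadError("no PC/SC readers found (is pcscd running?)")
    reader = available[reader_index]

    # Block until a card is presented to this reader, then talk to it.
    request = CardRequest(timeout=timeout_s, readers=[reader])
    service = request.waitforcard()
    service.connection.connect()
    try:
        data, sw1, sw2 = service.connection.transmit(GET_UID_APDU)
    finally:
        service.connection.disconnect()
    return parse_uid_response(data, sw1, sw2)


if __name__ == "__main__":
    try:
        uid = read_uid()
        print("UID:", uid)
        print("would type:", repr(uid_as_keystrokes(uid)))
    except TagReadError as err:
        print("read failed:", err)
```

Run it with pcscd active and the implant held against the reader; feeding the returned string to a keystroke tool is a separate step this script does not perform. Design note: the UID comes back from any reader without authentication, which is exactly the property that makes UID-only door locks clonable, so a laptop unlock built on it is only as strong as keeping the UID from being read.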

You can break the EV1-version of the cards if they are set to Classic compatible mode (mode 1 or something like that), but it's not trivial. You need to use a Proxmark, or your ACR122U-reader with the CraptEV1-library on linux or equivalent.

https://github.com/ilumitr/miLazyCracker has done an excellent job at simplifying it, but it's still pretty involved and hard to get the libraries.

Have there been C&Ds issued to people hosting such libraries?

Not that I know of (I assume you mean from NXP or some company). Proxmark uses a similar library for its hardnested EV1 attack.
However, the developer that calls himself "bla", has put a very strict license on the code which forbids redistribution and most people abide by it. If I recall correctly the reasoning was that he didn't want to put out any competing code to Proxmark's solutions. For which reasons, I can only guess.

You can, however, email him directly and ask if he could send it to you, he at least did send it out earlier if you asked nicely. It works very well (but using it is complicated, especially given the rules in the header).

  • Permission is granted for non-commercial use only.
  • No redistribution. No modifications.

Here's a video we did at our Hackerspace on cracking Mifare Classic:

We use this method quite frequently to play with Mifare Classic cards.


Thanks for the info. Looks like I may just need to buy a Proxmark at some point.