xM1+ Tools for Windows

It recently came to our attention that one of our customers (supposedly) uploaded some Windows software tools applicable to the xM1+ to the interweb tubes. We downloaded them and tested them on a fresh virtual machine and they seemed to work. However, there was no source code provided for either of these tools, so USE THESE TOOLS AT YOUR OWN RISK. The tools in question came from here:

http://anonfile.com/1d73paf2b9/xM1-Plus-Tools.zip

You will have to wade through a significant amount of crappy ads, fake virus alerts, pop-ups, and click re-directs, but it will eventually trigger a real file download. You’re probably going to catch some viruses too from some of those re-directs, so again, we suggest trying this in a totally fresh virtualized guest machine you can obliterate later.

The recommended tool for all RFID tinkering is the proxmark3, and it’s what we suggest be used to write data to your xM1+. If you do not have a proxmark3 or are unable to afford one, these tools might be helpful for you.

Windows + ACR122U

Inside the ZIP file are two tools which work with Windows and the ACR122U reader. You must have the PC/SC drivers installed for this reader for these tools to work.

mfocGUI - MiFare Offline Cracking GUI

The first tool is called mfocGUI, which has many repos on GitHub, but no source came with this particular compiled EXE, so again… use at your own risk!

As the title indicates, this tool has a decent chance of cracking the keys of Mifare “Classic” S50 1k and S70 4k chips. It will not work on the later-released “EV1” versions of the Mifare “Classic” 1k, since the whole point of EV1 was to fix the broken crypto1 algorithm; so there are “Mifare Classic S50 1k” chips (the old version with the vulnerable crypto1 algorithm) and “Mifare Classic EV1 1k” chips, which have a fixed version of the crypto1 algorithm and cannot be cracked. If you already have the keys, however, you can clone the data to an xM1+ just fine.

The software was originally created to crack and fiddle with the contents of transit cards used in the Netherlands, specifically the Amsterdam metro area transit system. It was a big embarrassment to have these cracked, because the Mifare S50 1k chip is made by NXP, a company headquartered in the Netherlands. Soon after the tool’s release, ticketing and transit cards were changed to new chip types that are, as of yet, uncracked… but the tool remains. This is why you will see all of the extra tabs and text fields relating to the amount of credit left on the card, transit history, etc.; they are no longer relevant but remain in the GUI.

You may notice a button called “Write data [Reader]”, however in our experience we could not get this function to work, which is probably why there is another tool included in the ZIP file…

Card Recovery Tool

The next tool is a “card recovery tool” which is made to look like it came from ACS, the company that makes the ACR122U reader. This may or may not be true. It is possible that the software package did come from ACS, but they do not acknowledge this at all when questioned about it, so who knows. In short, it will take a data dump file created from the mfocGUI software and write that data to the xM1+ via the ACR122U.

Walk-through

For this test, we used a “play pass” card used to store play tokens for a children’s pizza place here in the USA called Chuck E. Cheese, which has video games that used to take physical tokens but now use a tap card. The chip in the card is an original Mifare Classic S50 1k chip which is crackable. You might be wondering why such an old chip with a serious vulnerability is still being used in new card production to this day… but it all comes down to cost. The old chip type is slightly cheaper to buy and use in card production than the newer EV1 version, so when you are producing millions of cards for various applications, that small difference in price can add up to a lot of money… so unless a customer is knowledgeable enough to specifically request a more secure chip type, they are getting the cheaper cards.

This is our source card. Place your source card on to the ACR122U to begin!

(Image: CEC Play Pass source card)

  • Extract the ZIP file somewhere… c:\temp is fine.

  • Go into the mfocGUI folder and launch mfocGUI.exe

  • The tool defaults should be correct, but check them, then click the “Read data” button:
  1. Ensure your reader is visible here. If it is not, check your drivers, etc.
  2. Check the “dump file” box.
  3. Ensure this directory is correct (it exists, and you can write files there).
  4. Change the set count to 8 (it should already be, but check).
  5. Ensure “Use Key A” is checked.
  6. Ensure “Use Key B” is checked.
  7. Click the “Read data (Reader)” button (the source card should already be on the reader).

  • The software begins working…
  1. The ID of the source card is shown here.
  2. Current progress is displayed here.

  • A possible key has been found!

  • Done! The process can take anywhere from a minute to an hour.

  • Keys will be stored separately from dump files (but also included in the dump files as block data), typically in a subfolder of the EXE file called “keys”.

  • Now remove your source card and launch the “card recovery tool” EXE file.

  • Get ready to write to the card! Place your xM1+ onto the reader now in this approximate location and rotation, so the xM1+ sits perpendicular to the antenna coil inside the ACR122U. You will get a beep and a solid green light once a good coupling is made with the xM1+.
  1. Click Initialize to open a connection to the reader. You should see your ACR122U appear.
  2. With the xM1+ on the reader and ready to go, click Connect to connect the reader to the xM1+.
  3. Click the Browse button to find your dump file.

  • Select the dump file generated by mfocGUI.

  • Click Copy Card to begin writing.

  • You should see a series of writes, completing with a successful write of block 63.

You should now have completely cloned a Mifare Classic S50 1k card to your xM1+.
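As an added example (not code from the original post or from either tool), the Python below parses a raw MIFARE Classic 1K dump like the one the walk-through produces, assumed here to be the 1024-byte binary that mfoc-style tools write, and reports the UID, which sectors still use factory-default keys, and any sector trailer whose access bits are internally inconsistent (worth checking before writing a dump to an xM1+, since a bad trailer locks that sector). The dump it builds is constructed, not a real card.

```python
# Added example, not part of the original post or the tools it describes:
# parse a raw MIFARE Classic 1K dump (assumed to be the 1024-byte binary
# that mfoc-style tools write) and audit the keys and access bits in it.
BLOCKS, BLOCK_SIZE, SECTORS = 64, 16, 16

# Widely published factory/transport keys (illustrative, not exhaustive).
DEFAULT_KEYS = {bytes.fromhex(k) for k in ("ffffffffffff", "000000000000", "a0a1a2a3a4a5")}

def access_bits_valid(acc: bytes) -> bool:
    """Trailer bytes 6-8 hold C1..C3 plain and inverted; both copies must agree."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    pairs = ((b7 >> 4, b6 & 0x0F),   # C1 vs ~C1
             (b8 & 0x0F, b6 >> 4),   # C2 vs ~C2
             (b8 >> 4, b7 & 0x0F))   # C3 vs ~C3
    return all((x ^ y) == 0x0F for x, y in pairs)

def parse_dump(dump: bytes) -> dict:
    """Return UID (with BCC check) and per-sector key / access-bit findings."""
    if len(dump) != BLOCKS * BLOCK_SIZE:
        raise ValueError(f"expected {BLOCKS * BLOCK_SIZE}-byte 1K dump, got {len(dump)}")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, len(dump), BLOCK_SIZE)]
    uid = blocks[0][:4]                       # 4-byte UID; byte 4 is its XOR checksum (BCC)
    bcc_ok = (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == blocks[0][4]
    sectors = []
    for s in range(SECTORS):
        trailer = blocks[s * 4 + 3]           # last block of each 4-block sector
        key_a, acc, key_b = trailer[:6], trailer[6:10], trailer[10:]
        sectors.append({"sector": s, "key_a": key_a.hex(), "key_b": key_b.hex(),
                        "default_key": key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS,
                        "access_bits_ok": access_bits_valid(acc)})
    return {"uid": uid.hex(), "bcc_ok": bcc_ok, "sectors": sectors}

def build_sample_dump() -> bytes:
    """Constructed sample, not a real card: UID DEADBEEF, factory keys and
    transport access bits everywhere except sector 1 (custom keys) and
    sector 2 (custom keys plus deliberately inconsistent access bits)."""
    uid = bytes.fromhex("deadbeef")
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3], 0x08, 0x04, 0x00]) + bytes(8)
    empty = bytes(BLOCK_SIZE)
    factory = bytes.fromhex("ffffffffffff ff078069 ffffffffffff")
    custom = bytes.fromhex("a1b2c3d4e5f6 ff078069 0123456789ab")
    broken = bytes.fromhex("a1b2c3d4e5f6 ff078169 0123456789ab")
    out = bytearray()
    for s in range(SECTORS):
        out += (block0 if s == 0 else empty) + empty + empty
        out += {1: custom, 2: broken}.get(s, factory)
    return bytes(out)
```

Run `parse_dump(open("card.mfd", "rb").read())` on a real dump and flag any sector where `default_key` is true or `access_bits_ok` is false.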
