Help and Info

Table of Contents

• 1. General Information
  • 1.1 Features
  • 1.2 License
• 2. Getting Started
• 3 Read Tag
• 4 Write Tags
  • 4.1 Write Block
  • 4.2 Write Dump (Clone)
  • 4.3 Factory Format
• 5. Edit Tag Dump File
  • 5.1 Share a Dump
  • 5.1 Display Data as ASCII
  • 5.2 Display Access Conditions
  • 5.3 Display Value Blocks as Integer
• 6. Edit or Add Key File
• 7. Tools
  • 7.1 Display Tag Info
  • 7.2 Value Block Decoder/Encoder
  • 7.3 Access Condition Decoder/Encoder

1. General Information

This tool provides several features to interact with (and only with) Mifare Classic RFID-Tags. It is designed for users who are at least a bit familiar with the Mifare Classic technology. You also need an understanding of the hexadecimal number system, because all data input and output is in hexadecimal.

Some important thing are:

• The features this tool provides are really basic. There are no such fancy things like saving an URL to a RFID-Tag with a nice looking graphical user interface. If you want so save things on a tag, you have to input the raw hexadecimal data.
• This App can not crack/hack any Mifare Classic keys. If you want to read/write a RFID-Tag, you first need keys for this specific tag. For additional information please read/see chapter Getting Started.
• There will be no "brute-force" attack possibility in this application. It is way to slow due to the protocol.

1.1 Features

• Read Mifare Classic tags
• Save, edit and share the tag data you read
• Write to Mifare Classic tags (block-wise)
• Clone Mifare Classic tags
  (Write dump of a tag to another tag; write 'dump-wise')
• Key management based on dictionary-attack
  (Write the keys you know in a file (dictionary).
  MCT will try to authenticate with these keys against all sectors
  and read as much as possible. See chapter Getting Started.)
• Format a tag back to the factory/delivery state
• Write the manufacturer block of special Mifare Classic tags
• Create, edit, save and share key files (dictionaries)
• Decode & Encode Mifare Classic Value Blocks
• Decode & Encode Mifare Classic Access Conditions
• Display generic tag information
• Display the tag data as highlighted hex
• Display the tag data as 7-Bit US-ASCII
• Display the Mifare Classic Access Conditions as a table
• Display Mifare Classic Value Blocks as integer
• In-App (offline) help and information
• It's open source ;)

1.2 License

This application is originally developed by Gerhard Klostermeier in cooperation with SySS GmbH (www.syss.de) and Aalen University (www.htw-aalen.de) in 2012/2013. It is fee software under the GNU General Public License v3.0 (GPLv3).

Icons used in this application:

• Oxygen Icons: www.oxygen-icons.org
  (GNU Library General Public License)
• RFID Tag: www.nfc-tag.de
  (Creative Commons 3.0)

2. Getting Started

First of all you need the keys for the tag you want to read. Due to some weaknesses in Mifare Classic, you can retrieve all the keys (A and B) of a tag with tools like the Proxmark3 or normal RFID-Readers and some special software (mfcuk, mfoc).

The application comes with a standard key file called std.keys, which only contains the well known keys and some standard keys from a short Google search. You can try to read a tag with this key file using "Read Tag" from main menu.

Once you know some keys, you cam to put them into a simple text file (one key per line). You can do this on your PC and transfer the file to the MifareClassicTool/key-files/ directory (on external storage), or you can create a new key file via "Edit or Add Key File" from main menu. If you are finished setting up your key file, you can read a tag using "Read Tag" from main menu.

Advantages of the Key Files Concept:

• You don't have to worry about which key is for which sector.
  The application tries to authenticate with all keys from the key file against all sectors (like a dictionary-attack).
• You don't have to know all the keys.
  If neither key A nor key B for a specific sector is found in the key file (dictionary), the application will skip reading this sector.

3. Read Tag

Technical speaking, reading a RFID-Tag is done in two steps:

• Choose a key file.
  Press "Read Tag" from main menu. Now select key files which (perhaps) contain the keys for the tag. You can also specify the range of sectors you want to read. Start the mapping process with the lower right button.
  But: For large key files this could take quite some time!
• Read tag.
  After the keys are mapped to sectors based on a kind of dictionary-attack, the application will instantly start to read the tag. The result will be displayed in a simple editor (See chapter Edit Tag Dump File.)

4. Write Tag

If you want to write data to a Mifare Classic tag, it is important that you understand what you are doing. Writing the wrong data to certain blocks may cause irreparable damage to the tag.

4.1 Write Block

First you have to specify to what block you want to write to. Typical (Mifare Classic 1k) ranges are: sector 0-15, block 0-3. The second step is to enter the data you want to write. This is done in hexadecimal format with a length of 16 bytes (32 characters). After pressing the button the last step is to chose key files which (possibly) contain the key with privilege to write for this sector/block.

4.2 Write Dump (Clone)

If you want to clone a tag, you first have to read and then dump the original tag. The second step is to restore the dumped data on another tag (for which you know the keys). You need the keys with write privileges for all sectors of the dump. If the dump consists of e.g. 5 sectors you only need the keys for these 5 sectors.
After selecting the dump and the key files the App will check everything for you! If there are issues like 'block is read-only', 'key with write access not known', etc., you will get a report before writing!

Options:

• Use static (custom) Access Conditions:
  By enabling this option, all Access Conditions from the dump will be replaced with the chosen ones.
  This will become in handy if the dump contains Access Conditions that will be permanent for a tag. In case the reader does not check them, you can easily use custom ones to make the tag reusable.
• Write to Manufacturer Block:
  The first block of the first sector of an original Mifare Classic tag is read-only and therefore not writable. But there are special Mifare Classic tags that support writing to the manufacturer block with a simple write command. This App is able to write to such tags and can therefore create fully correct clones.
  However, some special tags require a special command sequence to put them into the state where writing to the manufacturer block is possible. These tags will not work.

4.3 Factory Format

This will try to format the tag back to factory/delivery state. In this state, all data block bytes are 0x00 and the sector trailers contain 0xFFFFFFFFFFFF as key A/B and 0xFF078000 as access conditions.

5. Edit Tag Dump File

The tag editor is a simple hex-editor with some highlighting. This editor can be accessed by two different ways:

• Read a tag.
  After reading a tag the result is displayed in this editor (See chapter Read Tag.)
• Open a saved tag.
  You can edit a saved dump via "Edit Tag Dump" from main menu.

5.1 Share a Dump

From the dump editor you can share a dump (via toolbar or menu item). You can choose between Apps that are willing to process the dump file. Note that some Apps fail to process the dump.
Apps which are known for working with MCT: Gmail, Bluetooth, etc.

5.2 Display Data as ASCII

From the dump editor you can display the data in 7-Bit US-ASCII (via menu). Non printable characters are replaced with a dot ("."). The last block of a sector, the sector trailer, will not be translated to ASCII.

5.3 Display Access Conditions

From the dump editor you can display the Mifare Classic Access Conditions as table (via menu). If you do not know what they are, you can read chapter 8.6.3 and 8.7 (and subchapters) from the Mifare Classic (1k) Datasheet (PDF).

5.4 Display Value Blocks as Integer

From the dump editor you can decode blocks formatted as Mifare Classic Value Block to integer format (via menu). For further information regarding Value Blocks read/see chapter 8.6.2.1 from the Mifare Classic (1k) Datasheet (PDF).

6. Edit or Add Key File

There are two ways to create a key file:

• This Application
  You can create a new key file via "Edit/Add Key File" from main menu.
• On your Computer
  You can create a simple text file on your computer and transmit to MifareClassicTool/key-files/ on external storage.

7. Tools

This section provides some general tools to work with Mifare Classic.

7.1 Display Tag Info

In this view you can see some generic information (like UID, ATQA, SAK, Tag size, etc.) about the RFID-Tag.

If your device does not support Mifare Classic, this is the only thing you can do with this App. :(

Tag type and manufacturer identification:
The identification mechanism is based on this website. If you want to have a closer look at Mifare tag identification read the NXP MIFARE Type Identification Procedure (PDF). Another helpful file for ATS (ATR) based identification is provided by the PCSC project.

The tag type and manufacturer determined by MCT might be wrong for several reasons:

• The Tag has a customized ATS
• There are multiple tags in the reader field

7.2 Value Block Decoder/Encoder

This tool is able of decoding Mifare Classic Blocks into integer and the other way around (encode integer to a Mifare Classic Value Block). If you don't know what a Mifare Classic Value Block is, you should read chapter 8.6.2.1 of the Mifare Classic (1k) Datasheet (PDF).

In most cases the "Addr" of a value block is 00 (hex) because it is not used. However, according to NXP it
"can be used to save the storage address of a block, when implementing a powerful backup management.".

7.3 Access Condition Decoder/Encoder

This tool is able of decoding Mifare Classic Access Conditions into a more human readable format and the other way around (encode to Mifare Classic Access Conditions). If you don't know what Mifare Classic Access Conditions are, you should read chapter 8.7 of the Mifare Classic (1k) Datasheet (PDF).