[BUG] Mifare Classic Emulation fails because not all keys are set

eXspir3 · October 1, 2022, 9:24am

Hi there!
I think i found a bug that prevents Mifare Classic Emulation from being succesful.

I have a Mifare Classic 1k 7 Byte UID Access Card with some sectors having Key A and Key B assigned. (2 Keys in total) I added those keys to the user list dictionary to be able to read the card with Flipper Zero.

The Access Controls Bits are set in a way that Key A and Key B can read the Data but only Key B can write Data:

When i now try to read the Card with Flipper it shows:

Even though it has all 32 Keys - it only uses Key A to read the Sectors because that is sufficient and then just stops.

The resulting Dump / Emulation also only Contains Key A and not Key B resulting in the original reader not being able to read the emualted tag as the original Reader probably uses Key B to do that.

Spildit · October 1, 2022, 2:02pm

Interesting finding … Because flipper was able to read all sectors with key A it didn’t bother to get Key B… Even if you were able to write a new card from the flipper dump most likely the card would be different in contet as it wouldn’t have key B this would prevent readers with key B only (and not key A) to read the copy of the card as well…

I think they should attempt to brute force all keys even when all sectors can be read with just one key.

Agree with you. Most likely this should be checked at firmware level to be improved.

equip · October 1, 2022, 6:12pm

have you checked the pcap to verify this is actually happening? checked to see if the flipper actually does check the keyB and was just unsuccessful🧐

Astra · October 2, 2022, 5:50am

Thanks, we’ll fix that asap

eXspir3 · October 2, 2022, 10:08am

I am certain it does not check key B because if it would check for key B then it would try the standard 1200 something keys that come preprogrammed with the flipper as well. This would take some time - but in this case when i present the flipper with my card it reads it within half a second.

So my theory is as soon as all 32 sectors are read (using Key A from User List) it doesnt bother to check further.

Also the keys provided by me are 100% correct as i use those to read the card from my pn532 reader and my phone as well which works as intended

Spildit · October 2, 2022, 3:34pm

Thanks, @Astra !

Astra · October 6, 2022, 8:31am

Hi again! I wasn’t able to reproduce this behaviour, can you please PM me the full card dump and your user dictionary file? @eXspir3

eXspir3 · October 13, 2022, 11:26am

Hi - sorry for late replay - will do so now