UID "bruteforce"

Use case: simple access controls based on Mifare cards. Read the UID from the card and allow access to a place based on that. The reader has a cache of allowed UIDs or asks a server live.
Blank cards are distributed in batches within which UIDs are sequential, for example AA BB CC 00 → AA BB CC FF.
So a person holding UID 00 is given access to a place where there is a reader, then cards up to 09 are given out to other personnel who do not have that access. Then UID 10 again has access to that place.
So if I tried all 11 UIDs on a reader I would find that 00 and 10 open the door, assuming no lockout.
The request is for a function that allows setting the parameters for the card (maybe starting from a saved card to make it easier), and loops the emulation over all the UIDs in a range.
Parameters: UID range, time between iterations, number of iterations after which to pause for an extra time (to avoid lockouts when possible). Example:
UID AABBCC00, wait 1000 ms
UID AABBCC01, wait 1000 ms
UID AABBCC02, wait 1000 ms
UID AABBCC03, wait 1000 ms
UID AABBCC04, wait 5000 ms (after 5 UIDs wait 5000 ms)
UID AABBCC05, wait 1000 ms

You have no feedback other than looking at the reader or listening for sounds, but it would be easier than generating and loading hundreds of cards using the navigation buttons. Pressing a button when the reader accepts the code would stop the bruteforce and keep the last N (like 5?) UIDs, to see which one worked and avoid situations like garage bruteforcing where you have to guess the code by narrowing down a pool.
Does it sound reasonable?
I'm not able to implement anything like that, just thinking about proposing it as a feature on GitHub if it sounds good.
Maybe some code can be reused to bruteforce/loop the garage* subghz, instead of generating tons of files.

Seems an extended version of this: NFC UID bruteforcing · Issue #1522 · flipperdevices/flipperzero-firmware (github.com)

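To make the requested loop concrete, here is an added simulation of the feature described in the first post (UID range, wait per step, longer pause every N steps, stop button, last-N buffer). It is example code written for this page, not code from the post, the linked issue or the Flipper Zero firmware, and it emulates nothing over NFC: it only produces the UID/wait schedule and tracks what was tried, so the logic can be checked offline. The names `Schedule`, `Operator` and `run` are ours, and the "door opens on UIDs 00 and 0A, the operator presses stop two UIDs later" scenario is constructed. It also includes the whole-range and full-keyspace time estimates, which is a bit beyond what the post spells out.

```python
"""Simulation of the proposed 'loop emulation over a UID range' feature.

Added example, not code from the post or from the Flipper Zero firmware.
Nothing is emulated over NFC: the loop only produces the UID/wait schedule
and records which UIDs were tried, so the logic can be checked offline.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Iterator, Optional


@dataclass
class Schedule:
    """UID range and timing parameters from the post (field names are ours)."""
    start: int                  # first UID, inclusive (e.g. 0xAABBCC00)
    end: int                    # last UID, inclusive
    uid_len: int = 4            # UID length in bytes (4-byte Mifare Classic UID)
    step_ms: int = 1000         # wait after each UID
    burst: int = 5              # after this many UIDs ...
    burst_pause_ms: int = 5000  # ... wait this long instead, to dodge lockouts

    def steps(self) -> Iterator[tuple[str, int]]:
        """Yield (uid_hex, wait_ms) for every UID in the range, in order."""
        width = self.uid_len * 2
        for i, uid in enumerate(range(self.start, self.end + 1), start=1):
            wait = self.burst_pause_ms if i % self.burst == 0 else self.step_ms
            yield f"{uid:0{width}X}", wait


def range_time_ms(schedule: Schedule) -> int:
    """Total simulated time to sweep the whole range once."""
    return sum(wait for _, wait in schedule.steps())


def full_space_years(uid_len: int = 4, step_ms: int = 1000) -> float:
    """Years to sweep every value of a uid_len-byte UID at one try per step_ms
    (no extra pauses). For 4 bytes at 1 s this is the ~136 years quoted
    further down in the thread."""
    tries = 2 ** (8 * uid_len)
    return tries * step_ms / 1000 / (365 * 24 * 3600)


class Operator:
    """Constructed stand-in for the human watching the reader.

    The door opens on `accepted` UIDs, but a person only presses the stop
    button `reaction` UIDs later; that delay is why the tool must keep the
    last N UIDs instead of just the current one.
    """

    def __init__(self, accepted: set[str], reaction: int = 2) -> None:
        self.accepted = accepted
        self.reaction = reaction
        self.pending: Optional[int] = None   # steps left until the press

    def __call__(self, uid: str) -> bool:
        if uid in self.accepted and self.pending is None:
            self.pending = self.reaction
        if self.pending is not None:
            if self.pending == 0:
                return True
            self.pending -= 1
        return False


def run(schedule: Schedule, button_pressed: Callable[[str], bool],
        keep_last: int = 5) -> tuple[list[str], int]:
    """Walk the schedule; stop when the operator presses the button.

    Returns the last `keep_last` UIDs tried (the accepted one should be
    among them) and the simulated elapsed time. No sleeping is done.
    """
    history: deque = deque(maxlen=keep_last)
    elapsed = 0
    for uid, wait in schedule.steps():
        history.append(uid)          # a real tool would emulate the tag here
        if button_pressed(uid):
            break
        elapsed += wait
    return list(history), elapsed


if __name__ == "__main__":
    # Constructed scenario from the post: 11 sequential cards, 00 and 0A open.
    sched = Schedule(start=0xAABBCC00, end=0xAABBCC0A)
    tried, ms = run(sched, Operator({"AABBCC00", "AABBCC0A"}))
    print(f"stopped after {ms} ms; candidates: {tried}")
    print(f"sweep of one last byte: {range_time_ms(Schedule(0xAABBCC00, 0xAABBCCFF)) / 1000:.0f} s")
    print(f"full 4-byte space at 1 try/s: {full_space_years():.1f} years")
```

With the post's parameters a sweep of the last byte (256 UIDs) takes 460 s including the pauses, while the full 4-byte space at one try per second is on the order of 136 years, which is the trade-off the thread goes on to argue about. Keeping the last five UIDs rather than the current one is what lets a slow button press still pin down the accepted card.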

UIDs for blank cards are random. They will not follow the AA BB CC XX trend.

Also, the number of possible UIDs is (16)^8; assuming it takes 1000 ms for a single try, as you suggested, it will take (16)^8/(60×60×24×365) = 136 years for your Flipper to go through all of them. That is, if all the keys are FFFFFFFFFFFF (the default, and they are most likely not going to be). I mean, you can try, but time is not on your side.


I wrote this after observing the badges in my company. People who were hired in the same period have badges with UIDs in the same range, a few units apart. Also, as you see above, I did not want to span the full n-byte space, just roll the last byte, as this was the one changing in my case.
Same with the hotel I was at 2 weeks ago. My girlfriend and I had keys 31 numbers apart.
So maybe UIDs are sometimes random, but I would not consider this absolute.

That's very unusual. If I have to guess, your company bought FUID or CUID cards and changed the UID of those cards before giving them to you and your colleagues. But this is not normal. The UIDs of genuine Mifare Classic cards made by NXP are random and fixed when manufactured. So UID brute force has little to no practical purpose for most people. Also, replicating other people's cards without authorisation is a criminal offence.

Maybe not all Mifare cards are used the same way, don't you think? Since programmable block 0 exists, someone is going to use it. After the holiday closure I'll go to the guy who keeps the blank cards and check how UIDs are allocated, before and after they are handed out to people.
About the last part, we should shut down the forum and the Flipper project itself methinks. Half of the threads are about cloning or brute forcing things, from cards to garage doors to vehicles.
Of course we’re testing in our own lab and responsible for our actions.

Cloning and brute forcing your own card/key is DIFFERENT from doing it to other people's. Also, pointing out other people's illegal activity doesn't make your case better.

Please read (and possibly understand) my last line,

Of course we’re testing in our own lab and responsible for our actions.

you’re repeating what I already said.
BTW, I expect you to post in every thread on this forum; I'm curious to see the response from the Flipper community. I advise you to just put "brute" in the search box and start your battle against evil "illegal" forces.
Uh, don’t look at the firmware repo on Github, lots of “illegality” also there…

No, you don't understand what I said. And yes, if I have time, I will definitely say that every time I see idiotic questions like this.

Thread locked due to the discussion becoming toxic
