@rickdoesburg
Last active December 6, 2025 15:45
Cloning Mifare Classic 1k 7-byte UID cards and the world of NFC magic cards for dummies

Cloning a 7-byte UID MFC (Mifare Classic) 1k card and more

This is a little blog about my trials of figuring out how to clone a 7-byte 1k MFC card and more I discovered. I'm not an expert, this is just what I found out. I'm writing it down because I couldn't find a single place where this info was grouped together.

A little while ago I bought a Flipper Zero because I was interested in the world of NFC/RFID tags and I wanted to figure out a way to clone my NFC card used to open the underground waste container in my neighbourhood.

Findings

  • It turns out most of my NFC cards used for various services are so-called MIFARE Classic (MFC) 1K cards. These appear to be the most common card used for semi-secure things. The tag used to enter my office is a MIFARE DESFire card, which, as far as I know, isn't clonable unless you have the decryption keys.
    • There is also a MIFARE Classic 4K version which can store more data. I haven't encountered this one yet, so there's nothing I can tell you about it.
  • MFC cards come in two variants: a 4-byte UID and a 7-byte UID version.

Magic Cards

In order to 'clone' your NFC card you'll need something called a Magic card. It sounds fancy but it's just a (Chinese) backdoored version of a regular card. There are many, many versions available. Normally a card has a unique ID (UID) that isn't changeable. As owner of the system you could buy cards, which come with unique IDs, and add them to your allowed database (system). These backdoored cards allow the UID (and block 0, which stores the UID and some other data) to be changed, allowing you to 'clone' a card by writing the UID of your original card to it.

The versions:

  • Gen1A

    • These are the most sold versions on Amazon, Aliexpress etc. Very cheap.
    • They are almost certainly the 4-byte version. I haven't found a single 7-byte one.
    • Flipper Zero can write these cards/tags
  • Gen2 (Also called CUID)

    • Widely available, cheap.
    • These can be written to using an Android phone and the MIFARE Classic Tool app
    • These can't be used with a Flipper Zero
    • They are also 4-byte
  • Gen3 (They aren't usually called gen3 by the sellers)

    • These cards can be written to using the Flipper Zero but it requires you to use the CLI and APDU commands
      • To use the CLI connect Flipper using USB and visit lab.flipper.net
    • I was able to find 4-byte and 7-byte versions of this card on Aliexpress. One of the sellers is the Piswords store, the other is called XCRFID Store. And that's about the only place I was able to find them. They are about €5 a piece, which is quite a lot more than the Gen1a and Gen2 versions.

Cloning the 7-byte card

So I bought a couple of the 7-byte cards and was ready to write the UID/Block0 to them using the Flipper Zero CLI. Using the APDU command I was able to change the UID of the 7-byte card successfully. However, writing block 0 wasn't a success. This proved to be enough for one card to work, but the other system didn't accept the card with a difference between the UID and the UID in block 0.
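The mismatch described above, seen from the reader's side, as an added example (not the author's code or any vendor's): a consistency check that compares the UID a card announces during anticollision with the UID stored in block 0. It assumes the UID occupies the leading bytes of block 0 and that 4-byte cards store an XOR check byte (BCC) directly after it; all UIDs and block contents are constructed sample values.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Optional

BLOCK_LEN = 16  # one MIFARE Classic block


def xor_bcc(uid: bytes) -> int:
    """XOR of all UID bytes: the check byte stored after a 4-byte UID."""
    return reduce(lambda a, b: a ^ b, uid, 0)


@dataclass
class Block0Check:
    uid_matches: bool        # anticollision UID == leading bytes of block 0
    bcc_ok: Optional[bool]   # None for 7-byte UIDs (no BCC checked here)

    @property
    def consistent(self) -> bool:
        return self.uid_matches and self.bcc_ok is not False


def check_block0(anticollision_uid: bytes, block0: bytes) -> Block0Check:
    """Compare the UID the card announced with the UID stored in block 0."""
    if len(block0) != BLOCK_LEN:
        raise ValueError("block 0 must be 16 bytes")
    n = len(anticollision_uid)
    if n not in (4, 7):
        raise ValueError("expected a 4-byte or 7-byte UID")
    uid_matches = block0[:n] == anticollision_uid
    bcc_ok = (block0[4] == xor_bcc(block0[:4])) if n == 4 else None
    return Block0Check(uid_matches, bcc_ok)


# Constructed sample values, not taken from any real card.
ANNOUNCED_UID7 = bytes.fromhex("04a1b2c3d4e5f6")
OTHER_UID7 = bytes.fromhex("04112233445566")
FILLER = bytes(9)  # remaining block 0 bytes, irrelevant to this check
MATCHING_BLOCK0 = ANNOUNCED_UID7 + FILLER  # UID and block 0 agree
STALE_BLOCK0 = OTHER_UID7 + FILLER         # UID changed, block 0 left as shipped

if __name__ == "__main__":
    for name, blk in [("matching", MATCHING_BLOCK0), ("stale", STALE_BLOCK0)]:
        print(name, check_block0(ANNOUNCED_UID7, blk))
```

A reader can only run this check after authenticating to sector 0, so it applies to systems that read card data rather than the UID alone.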

I found a couple of posts from different people having the same issue

The seller responded with little words and no help that I should use an ACR122U-A9 with the software he provided. I was already so far down this rabbit hole I might as well buy an ACR122U, so I did.

  • The software provided is partly in Chinese
  • It only works on Windows
  • If your ACR122U isn't recognized when opening the software (PS/CS Mifare) it could be because you're running Windows in a VM or from a remote desktop (which was my problem)
  • I connected the ACR122U, followed the instructions as best as I could and it worked.
  • I successfully changed the UID and Block0 of the 7-byte Gen3 Magic Card using an ACR122U

It works, partially

  • The cloned tag is identical to the original however it doesn't work for the underground waste bin. The second one I cloned (my charging card for my EV) does work.
  • The reader doesn't respond to the cloned tag. No error, nothing.
  • I've tried locking the card/closing the backdoor, still not working
  • I've tried swapping the SAK as explained by Equip. Still not working
@pergolafabio

Same tools you can also download from here:

https://shop.mtoolstec.com/product/7-byte-uid-s50-1k-magic-key-fob

Password: mtoolstec.com

@Schermbecker

Thank you! Now waiting for the device 😀

@pergolafabio

I believe the android version from mtools can copy gen3 too, but it's a paid version

@Schermbecker

I am fine using the ACR122U device but I wonder how much the app would cost. Have you tried it?

@pergolafabio

No, I used the Windows tool. Since it worked for the 7 bytes, I didn't buy it

@M11N0

M11N0 commented Apr 12, 2025

@Schermbecker the same here. Trying it for my EV card. Just ordered the cards and let's see how far we reach. Keep me posted if you have any luck.

@Schermbecker

Schermbecker commented Apr 12, 2025

> @Schermbecker the same here. Trying it for my EV card. Just ordered the cards and let's see how far we reach. Keep me posted if you have any luck.

Sure! What card is it in your case?

@gabrielvaf

My English isn't the best, but have you tried cloning the cards with Proxmark V3 ?

@rickdoesburg
Author

@gabrielvaf Sadly no, too big of an investment

@Schermbecker

Schermbecker commented Apr 23, 2025

Got my stuff from China yesterday and tested the tags which were part of the bundle (together with the ACR122U device) I ordered. It is required to use the patched Tool provided by the seller.

I tried a S50 7 byte tag as second charging card. First test with a nearby charger - it worked. I will test it with other public chargers next time.

I also tried a S70 4 byte tag as backup for my gym card and tested it today. The door opened. 😀

Amazing stuff!

@rickdoesburg
Author

@Schermbecker Great, no surprise there. Keep in mind that the tag works on most chargers, but there are a few occasions where it doesn't work. The charger won't recognize the card, just like my underground waste bin problem.

@Schermbecker

@rickdoesburg do you have the same tags from Piswords? I could imagine that some readers check if the tag is a magic tag and deny service.

@moncapiten

@rickdoesburg I have had very much luck cloning the cards? I found out both my garbage card and a friend's access cards are MIFARE Classic. I bought a couple of CUID (gen2) cards and tags on Aliexpress and was able to clone both with no issues.

I used the MIFARE Classic Tool (MCT) app on Android instead of the Flipper Zero, and it basically worked first try.

Maybe I got lucky? The access card had the keys being in the standard loadout of the app, whereas I had to find (don't ask me where, I completely forgot) an expanded key set to dump the garbage card, but it worked a charm

@rickdoesburg
Author

@moncapiten CUID cards are 4-byte 1k cards. Those are indeed easy to clone using numerous methods. The problem me and many others are running into are the 7-byte 4k cards. Those don’t exist in gen 1/2 CUID versions.

@moncapiten

moncapiten commented Sep 19, 2025

Don't they? My garbage card, yes, is 1k; I used a normal old CUID card (and a fob), but the access is 4k. I bought this https://a.aliexpress.com/_ExIWJPC (or a listing that was literally exactly the same, but the original link doesn't work anymore, it says nothing found) and it worked well.

Am I misunderstanding the issue? I opened it and it was 4k with 7-byte UID (I don't have the dump anymore sadly, gave the card back to the friend)

@Svenbosma

> @rickdoesburg I have had very much luck cloning the cards? I found out both my garbage card and a friend's access cards are MIFARE Classic. I bought a couple of CUID (gen2) cards and tags on Aliexpress and was able to clone both with no issues.
>
> I used the MIFARE Classic Tool (MCT) app on Android instead of the Flipper Zero, and it basically worked first try.
>
> Maybe I got lucky? The access card had the keys being in the standard loadout of the app, whereas I had to find (don't ask me where, I completely forgot) an expanded key set to dump the garbage card, but it worked a charm

What city/region are you from? It really depends on what system your region uses and if it’s possible or not. Mostly the garbage cans where you pay per disposal are harder to copy.

@rickdoesburg
Author

> Don't they? My garbage card, yes, is 1k; I used a normal old CUID card (and a fob), but the access is 4k. I bought this https://a.aliexpress.com/_ExIWJPC (or a listing that was literally exactly the same, but the original link doesn't work anymore, it says nothing found) and it worked well.
>
> Am I misunderstanding the issue? I opened it and it was 4k with 7-byte UID (I don't have the dump anymore sadly, gave the card back to the friend)

We did buy multiple different 7-byte 4k fobs and cards. All of which were only writable with an ACR122U and 'custom' software provided by the seller. However, none of these cards or fobs were recognized at all by the readers. Like holding a brick next to the reader. No error, nothing.

@watchix

watchix commented Nov 27, 2025

Hi,
I recommend the Proxmark3 device.
You can really clone and "replay" cards with this device.

I think my original card was "MIFARE Classic 1K" but really it's a "NXP MIFARE Classic MFC1C14_x" (which includes a public signature key)

@msrheidema

@rickdoesburg you say you were able to use APDU commands on the FZ in order to write on some of the cards.
Do you have any tips on how to do that? Trying to figure out how to install hf on the FZ in order to use the write UID commands but I can't seem to find any documentation anywhere :/

@rickdoesburg
Author

@msrheidema Oof, it has been a while so I'm not sure anymore. It wasn't that useful because it only changed the UID and not block0 causing it not to work on most systems. But if I recall correctly I connected my FZ to Chrome and used the CLI with something along the lines of apdu -d <UID>. See: https://docs.flipper.net/zero/development/cli
