Proxmark 3 - Mifare 1K

1 - Implementation of the Tool

In the first step, I will equip myself with my tool:

Proxmark

The Proxmark 3 Easy, you can find this little gadget on AliExpress for around 50€. It has two antennas, one for low frequency and one for high frequency.

To use it, you will need a tool called Iceman. YouTube tutorial for updating the firmware and installing Iceman: https://www.youtube.com/watch?v=n1Xt-1ZmjM0&feature=emb_imp_woyt

2 - Identifying the Badge

To identify the badge, we will use the ‘auto’ command, which allows scanning across different frequencies (high and low frequencies).

img

In our case, we observe that the badge is a MIFARE Classic 1k. (Information about the badge: https://www.stronglink-rfid.com/fr/rfid-cards/mifare-1k.html ) This type of badge is used for sports facilities, coffee machines, and more.

Its identifier is 0F 4A 83 3D. This is a unique identifier that allows the reader to recognize the badge before accessing the various information it contains.

3 - Memory Dump

It’s time to perform a memory dump: ‘hf mf autopwn’ (hf = high frequency, mf = mifare).

img

We have three files available in the ‘Client’ folder, a .bin, a .json, and a .eml. What we are interested in is the .eml file.

4 - Badge Analysis

Using a text editor like Notepad++, it is possible to examine the 64 blocks.

img

On the first line, you can find the badge identifier. We will set the identifier for our future badge to 12 34 56 78.

Data

Line 23: this block holds the data, such as a price or an access right. You will need to compare the memory yourself to work out which bytes mean what (price, access, …).

Price: compare the memory between two uses of the card. Access: compare it with another security badge.

5 - Sending the modified memory to a new badge

CAUTION: To duplicate or clone a badge, you need a badge of the same type or a Magic Card.

We will use the command ‘hf mf cload -f yourmodifiedfile.eml’.

img

And there you have it! We will verify that the rewriting of the UID has worked correctly.

img

We have an error because, when modifying the tag, I did not respect the layout of block 0 of a MIFARE tag (the checksum byte that follows the UID has to match the new UID). Let’s go back to our .EML file to correct our mistake!

img

The black square is our UID: 12 34 56 78.

The red square is our BCC: 0xFA. We will use a MIFARE BCC calculator to modify the red square.

URL: https://nric.biz/mifare-bcc-calculator.html

img

We get the correct result, 8. If we look at the screenshot of the error, the software expects a BCC of 0x08. All that’s left is to modify our BCC. We re-upload using the command: ‘hf mf cload -f yourmodifiedfile.eml’.
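The check that fails in the screenshot above is the one in the following script, added here as an illustration (it is not part of the original post and not Proxmark code). It reads an .eml dump the way the Proxmark client writes it (one block per line, 32 hex characters per block, 64 blocks for a 1K card), takes the 4-byte UID and the BCC from block 0, and recomputes the BCC as the XOR of the four UID bytes, which is what the online calculator in the post does. The sample dump is constructed: block 0 carries the new UID 12 34 56 78 with the old BCC byte FA still in place, so the script reports the same mismatch the post runs into; the SAK/ATQA bytes and sector trailers are filled with the usual default values.

```python
"""Check that block 0 of a MIFARE Classic 1K .eml dump is self-consistent.

.eml format (as written by the Proxmark client): one block per line,
each line 32 hex characters (16 bytes), 64 lines for a 1K card.
Block 0 layout: UID (4 bytes) | BCC (1 byte) | SAK (1 byte) | ATQA (2 bytes) | manufacturer data.
The BCC is the XOR of the four UID bytes (ISO/IEC 14443-3); a dump whose BCC
does not match its UID is rejected when loading it onto a card.
"""

BLOCKS_1K = 64
BLOCK_BYTES = 16


def bcc(uid: bytes) -> int:
    """Return the block-check character: XOR of the four UID bytes."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    result = 0
    for b in uid:
        result ^= b
    return result


def parse_eml(text: str) -> list:
    """Parse .eml text into a list of 16-byte blocks, validating the shape."""
    blocks = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        if len(line) != 2 * BLOCK_BYTES:
            raise ValueError(f"line {lineno}: expected {2 * BLOCK_BYTES} hex chars, got {len(line)}")
        blocks.append(bytes.fromhex(line))
    if len(blocks) != BLOCKS_1K:
        raise ValueError(f"expected {BLOCKS_1K} blocks, got {len(blocks)}")
    return blocks


def check_block0(block0: bytes) -> dict:
    """Compare the stored BCC with the one the UID actually requires."""
    uid = block0[:4]
    stored = block0[4]
    expected = bcc(uid)
    return {
        "uid": uid.hex().upper(),
        "stored_bcc": stored,
        "expected_bcc": expected,
        "ok": stored == expected,
        "sak": block0[5],
        "atqa": block0[6:8].hex().upper(),
    }


def constructed_dump() -> str:
    """Constructed sample dump (not a real card): new UID, stale BCC byte."""
    # UID 12345678, BCC FA (left over from the previous UID), SAK 08, ATQA 0400,
    # eight zero bytes of manufacturer data.
    block0 = "12345678" + "FA" + "08" + "0400" + "00" * 8
    # Default sector trailer: key A FF..FF, access bits FF0780, user byte 69, key B FF..FF.
    trailer = "FFFFFFFFFFFF" + "FF078069" + "FFFFFFFFFFFF"
    lines = []
    for block in range(BLOCKS_1K):
        if block == 0:
            lines.append(block0)
        elif block % 4 == 3:
            lines.append(trailer)
        else:
            lines.append("00" * BLOCK_BYTES)
    return "\n".join(lines) + "\n"


SAMPLE_EML = constructed_dump()


def main() -> None:
    report = check_block0(parse_eml(SAMPLE_EML)[0])
    if report["ok"]:
        print(f"block 0 OK: UID {report['uid']}, BCC 0x{report['stored_bcc']:02X}")
    else:
        print(f"BCC mismatch: dump has 0x{report['stored_bcc']:02X}, "
              f"UID {report['uid']} needs 0x{report['expected_bcc']:02X}")


if __name__ == "__main__":
    main()
```

Running it on the constructed dump prints the mismatch (0xFA stored, 0x08 required), which is the same value the post arrives at with the calculator; point `parse_eml` at a real dump file to run the check before loading it.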

We verify the UID using the command ‘hf search’ (high-frequency search).

img

We have successfully modified our UID!

Chic0s

(lambda hex_str: [print(chr(int(hex_str[i:i+2], 16))) for i in range(0, len(hex_str), 2)])("45534e412053747564656e74")

Walking

How to modify a UID with a proxmark 3

By Chic0s, 2023-11-05