Author Topic: [Android mod] MifareSpy (Mifare Classic key extraction)  (Read 11967 times)


Stackprotector
[Android mod] MifareSpy (Mifare Classic key extraction)
« on: August 19, 2014, 04:18:03 pm »
Hi guys!,

The railroad company in the Netherlands uses a Mifare Classic chip card to travel with the trains and other public transport. Now the Mifare Classic cards made by NXP are easily exploitable in most cases, so the companies who need security but still need the lame Mifare Classic protocol use an even smarter chip card (made by Infineon in this case) that emulates Mifare Classic but throws off the regular attack against the weak crypto part.

So now our public transit cards are not readable for the public anymore...

But... The companies announced that they will release an app that will read the card and give you offline card information; this is where my Android mod "MifareSpy" comes in. MifareSpy logs the Mifare Classic keys to the Android logging system for you to read, thus giving you the possibility to tinker with YOUR OWN card :)

It's basically this piece of code inside android_frameworks_base/core/java/android/nfc/tech/MifareClassic.java:

Code: (java)
// MifareSpy 1: placed in MifareClassic.java's private authenticate() helper,
// which receives the sector number, the 6-byte key and the keyA flag for the
// sector login. The key is hex-encoded and written to logcat (needs
// android.util.Log) as ":<keyA>:<sector>:<KEY>:" under the tag "MifareSpy1".
StringBuffer sb = new StringBuffer();
for (byte b : key) {
    sb.append(String.format("%02X", b)); // %02X on a byte gives the unsigned two-digit value
}
Log.i("MifareSpy1", ":" + keyA + ":" + sector + ":" + sb.toString() + ":");
// End MifareSpy 1

I have tried it and it works great with adb logcat.

The modded file:
https://github.com/Factionwars/android_frameworks_base/blob/cm-11.0/core/java/android/nfc/tech/MifareClassic.java

My fork:
https://github.com/Factionwars/android_frameworks_base/

You can apply this to your own Android source and compile it, you can ask me to compile it for your device, download the CyanogenMod 11 source and at the frameworks/base folder use my repo (you can ask me to get it up to date), or you can just stop being interested in what is on your card :D

More android (preferably nfc) mods to come!


« Last Edit: August 19, 2014, 04:18:45 pm by Factionwars »
~Factionwars
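An added example (my own, not code from the MifareSpy fork): a small host-side Python script that parses `adb logcat` output for the `MifareSpy1` lines in the format the snippet above produces, `:<keyA>:<sector>:<hex key>:`, and collects the keys per sector and slot. It assumes `keyA` is a boolean printed as `true`/`false` and `sector` an integer, as the variables referenced in the snippet suggest; the logcat lines below are constructed (both threadtime and brief logcat layouts), not captured from a real card.

```python
import re
from collections import defaultdict

# Constructed logcat output mixing threadtime and brief formats. Only lines
# tagged MifareSpy1 carry the ":<keyA>:<sector>:<KEY>:" payload; the others
# are noise as a real logcat would contain them.
SAMPLE_LOGCAT = """\
08-19 16:18:03.101  1234  1301 I NfcService  : tag discovered
08-19 16:18:03.120  1234  1301 I MifareSpy1  : :true:0:A0A1A2A3A4A5:
08-19 16:18:03.131  1234  1301 I MifareSpy1  : :false:0:B0B1B2B3B4B5:
08-19 16:18:03.140  1234  1301 I MifareSpy1  : :true:1:FFFFFFFFFFFF:
I/MifareSpy1( 1234): :true:1:FFFFFFFFFFFF:
I/MifareSpy1( 1234): :false:2:D3F7D3F7D3F7:
I/MifareSpy1( 1234): :true:5:0011:
08-19 16:18:03.160  1234  1301 I MifareSpy1  : :true:99:FFFFFFFFFFFF:
"""

# Anchor on the tag, then the payload; the lazy ".*?" skips the pid/priority
# columns that differ between logcat output formats.
LINE_RE = re.compile(
    r"MifareSpy1.*?:(?P<keya>true|false):(?P<sector>\d+):(?P<key>[0-9A-Fa-f]+):"
)

MAX_SECTOR = 39  # MIFARE Classic 4K has 40 sectors (0..39); 1K has 16


def parse_mifarespy(logcat_text):
    """Return {sector: {"A": [hexkey, ...], "B": [hexkey, ...]}}.

    Every distinct key the hooked authenticate() call was handed is kept in
    the order it was seen; duplicates (the app retrying a sector) are dropped.
    Payloads that are not a 48-bit key or name an impossible sector are
    skipped rather than trusted.
    """
    keys = defaultdict(lambda: {"A": [], "B": []})
    for line in logcat_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = m.group("key").upper()
        sector = int(m.group("sector"))
        if len(key) != 12 or sector > MAX_SECTOR:
            continue  # 6 bytes = 12 hex digits; anything else is a malformed line
        slot = "A" if m.group("keya") == "true" else "B"
        slot_keys = keys[sector][slot]
        if key not in slot_keys:
            slot_keys.append(key)
    return dict(keys)


def key_file_lines(keys):
    """Flatten to a sorted, de-duplicated one-hex-key-per-line list."""
    return sorted({k for slots in keys.values() for lst in slots.values() for k in lst})


if __name__ == "__main__":
    # Real use: adb logcat -d | python3 this_script.py  (reading sys.stdin instead)
    found = parse_mifarespy(SAMPLE_LOGCAT)
    for sector in sorted(found):
        print(f"sector {sector:2d}: A={found[sector]['A']} B={found[sector]['B']}")
    print("\n".join(key_file_lines(found)))
```

Two things to keep in mind when using output like this. The hook logs the key the app passed to authenticate(), not whether the card accepted it, so an app that walks a list of default keys will produce several candidates per sector and they still need to be verified against the card. And because the keys end up in the system log, anything that can read logcat on that device (adb, a rooted shell) sees them; the Log.i line is a debugging aid for your own card and should not stay in a build you hand to others.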

Kulverstukas
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #1 on: August 19, 2014, 07:31:44 pm »
This is cool. But Android chips are just readers, they can't write to the cards?

Stackprotector
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #2 on: August 19, 2014, 07:43:50 pm »
Yes they can write; this also extracts the B (writing) key. Ever since 4.4 or CM10, Android is able to do HCE (host card emulation), so it can emulate specific cards which don't use any form of timing. You can emulate the PayPass or MasterCard wave system with the phone without an embedded secure element. Though Mifare Classic can't be emulated by Android without the SE element because it's too slow. I did too much research on this because I wanted to emulate my public transit chip card, but I need access to the secure element, which Samsung of course only gives to the big boys.
~Factionwars

0E 800
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #3 on: August 19, 2014, 07:55:17 pm »
I live in San Fran and the transit company also uses similar cards: the MIFARE DESFire.

There is also an Android app called FareBot that will show your remaining balance, recent trips, and other information from contactless public transit cards using an NFC Android phone.
Pretty sure they use the same code to implement that.


You could swipe your phone or brush it against someone's back pocket to be able to see a log of where that person gets on and gets off a bus or train.

Here is a list of phones that include NFC:
http://www.nfcworld.com/nfc-phones-list/

I am very interested in RFID exploits. Thank you for sharing how to enable the feature.
The invariable mark of wisdom is to see the miraculous in the common.

Stackprotector
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #4 on: August 19, 2014, 07:59:26 pm »
Quote from: 0E 800
I live in San Fran and the transit company also uses similar cards: the MIFARE DESFire.

There is also an Android app called FareBot that will show your remaining balance, recent trips, and other information from contactless public transit cards using an NFC Android phone.
Pretty sure they use the same code to implement that.

You could swipe your phone or brush it against someone's back pocket to be able to see a log of where that person gets on and gets off a bus or train.

Here is a list of phones that include NFC:
http://www.nfcworld.com/nfc-phones-list/

I am very interested in RFID exploits. Thank you for sharing how to enable the feature.
Yes, I also used FareBot a lot a year ago! But because they implemented the new Infineon chips I can't extract the keys from my new card anymore, so no FareBotting for me :(
~Factionwars

gray-fox
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #5 on: August 19, 2014, 08:22:44 pm »
Quote from: Kulverstukas
This is cool. But Android chips are just readers, they can't write to the cards?
There are apps for writing NFC tags / Mifare cards in the Play Store, so I imagine you should be able to write also with Android's chip. Although I haven't used any of the apps to see if they work.

Edit: oh, I was a little late on answering. I guess I had update issues with Tapatalk. Sorry.

Edit2: @OP This does seem very cool. Here in Finland the railroad company uses Mifare cards also, so I definitely have to take a closer look at this. :)
« Last Edit: August 19, 2014, 08:33:09 pm by gray-fox »

Rodrigo Luiz da Silva
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #6 on: November 24, 2014, 07:28:36 pm »
Hello, I liked this post, I would like to get it working on my phone, can you help me?
Thank you ;D I am from Brazil

Stackprotector
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #7 on: November 24, 2014, 07:29:31 pm »
Quote from: Rodrigo Luiz da Silva
Hello, I liked this post, I would like to get it working on my phone, can you help me?
Thank you ;D I am from Brazil
What do you want to try with it? :)
~Factionwars

Rodrigo Luiz da Silva
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #8 on: November 24, 2014, 07:33:11 pm »
Can I change the data on my public transport card? 8)

Stackprotector
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #9 on: November 24, 2014, 07:41:42 pm »
Quote from: Rodrigo Luiz da Silva
Can I change the data on my public transport card? 8)
Not if there is no app on your phone that is reading the data from it. Otherwise buy a reader and use MFOC.
~Factionwars

Rodrigo Luiz da Silva
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #10 on: November 24, 2014, 07:48:37 pm »
I have an LG G2 and it reads the card, but I cannot make changes, only read the data.

Stackprotector
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #11 on: November 24, 2014, 08:05:36 pm »
Quote from: Rodrigo Luiz da Silva
I have an LG G2 and it reads the card, but I cannot make changes, only read the data.
What kind of card is it?
~Factionwars

Rodrigo Luiz da Silva
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #12 on: November 24, 2014, 08:08:28 pm »
Mifare Classic 1K /  Mifare Plus 2K SL1

Rodrigo Luiz da Silva
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #13 on: November 25, 2014, 05:06:07 pm »
Or back up information :D

proxx
Re: [Android mod] MifareSpy (Mifare Classic key extraction)
« Reply #14 on: November 25, 2014, 07:36:54 pm »
Quote from: Stackprotector
Yes they can write; this also extracts the B (writing) key. Ever since 4.4 or CM10, Android is able to do HCE (host card emulation), so it can emulate specific cards which don't use any form of timing. You can emulate the PayPass or MasterCard wave system with the phone without an embedded secure element. Though Mifare Classic can't be emulated by Android without the SE element because it's too slow. I did too much research on this because I wanted to emulate my public transit chip card, but I need access to the secure element, which Samsung of course only gives to the big boys.
I am really late, but is it the transmitter itself that is too slow or the cycles you need?
In the latter case you can probably do that offsite and transfer the data, just a suggestion.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage