Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-06-28 15:38:35

atmel9077
Contributor
Registered: 2017-06-25
Posts: 46

Strange behavior of counterfeit MIFARE tags

Hello

I have a cheap $5 RC522 reader module for Arduino.

The module came with a card and a key fob, both MIFARE Classic.

These tags have a strange behavior...
According to the NXP documentation, with the default access conditions it is not possible to authenticate with key B. On my tags I have set key A, but afterwards I still managed to authenticate with key B.

Then I scanned it with my Android phone (NXP TagInfo app) and it says "IC manufacturer: unknown" and "IC type: Cloned IC". Not surprising for Chinese products...

The tag does not seem to respond to the "magic backdoor" command, and I did not manage to write block 0. So it's not a kind of "magic tag".

On some datasheets of counterfeit MIFARE chips they omitted to say that key B cannot be used in the default configuration. That might be a clue, since my chip is detected as counterfeit by TagInfo.

The block 0 looks like this: (if this can help identify which chip it is?)

Ac c9 de 20 9b 08 04 00 01 a4 a5 52 e9 64 16 1d

Last edited by atmel9077 (2017-06-28 18:40:02)


#2 2017-06-28 16:18:22

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Strange behavior of counterfeit MIFARE tags

So?


#3 2017-06-28 16:26:16

atmel9077
Contributor
Registered: 2017-06-25
Posts: 46

Re: Strange behavior of counterfeit MIFARE tags

I would like to know if anybody has ever seen tags with this strange behavior.


#4 2017-06-28 16:38:41

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Strange behavior of counterfeit MIFARE tags

I cannot see a strange behavior at all.


#5 2017-06-28 16:59:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Strange behavior of counterfeit MIFARE tags

What are the access bits set to?


#6 2017-06-28 18:23:48

atmel9077
Contributor
Registered: 2017-06-25
Posts: 46

Re: Strange behavior of counterfeit MIFARE tags

marshmellow wrote:

What are the access bits set to?

The default value FF 07 80 69.

piwi wrote:

I cannot see a strange behavior at all.

Sorry if my post was confusing. My tag has sector 3 with the default access conditions, a custom key A that I programmed, and the default key B. According to the NXP datasheet, with the default access conditions key B cannot be used for authentication, but on my counterfeit tag I managed to dump that sector by authenticating with key B, which is set to the default value (0xFFFFFFFFFFFF). I'm wondering if anybody has already seen this strange behavior on counterfeit MIFARE Classic tags.

Last edited by atmel9077 (2017-06-28 18:26:04)


#7 2017-06-28 18:38:48

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Strange behavior of counterfeit MIFARE tags

Anyway, the question was asked already: what are the access bits exactly?
Telling us "I have programmed the NXP default access condition" does not really help... There's no real default. It depends on the manufacturer and/or programmer who gets in touch with the card. Please quote the last sector block here.

Edit: Oh... you posted while I was reading here :D Never mind....

Last edited by Jason (2017-06-28 18:40:07)


#8 2017-06-28 18:51:20

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Strange behavior of counterfeit MIFARE tags

atmel9077 wrote:

The default value FF 07 80 69

In fact, this is the NXP default... but I (also) don't know where the problem should be!?

The access rights are as follows:

Block 0: Key A (RWDI) / Key B (RWDI)
Block 1: Key A (RWDI) / Key B (RWDI)
Block 2: Key A (RWDI) / Key B (RWDI)
Trailer: Key A (-W/RW/RW) / Key B (--/--/--)

In this configuration you can use key A or B for reading/writing the data blocks, but only key A for writing the trailer block (key B will not return useful data or may fail to read the block; it depends on what kind of chip clone).


#9 2017-06-28 20:26:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Strange behavior of counterfeit MIFARE tags

atmel9077 wrote:

I'm wondering if anybody has already seen this strange behavior on counterfeit MIFARE Classic tags.

I have seen many clone MIFARE tags that do not follow the MIFARE protocol sheets exactly, yes.

Some don't NACK or ACK when they should, or they do when they shouldn't...

But I have not tested the sector trailer key restrictions (as in your case). I would anticipate some clones won't obey the rules NXP sets, just like they don't always obey the protocol rules.

Some even have backdoor commands and may not have any real security...


#10 2017-06-28 20:46:12

atmel9077
Contributor
Registered: 2017-06-25
Posts: 46

Re: Strange behavior of counterfeit MIFARE tags

Jason wrote:

but I (also) don't know where the problem should be!?

The NXP datasheet states:

In transport configuration key A must be used for authentication

Since the card is in transport configuration, key B may be read.

if Key B may be read in the corresponding Sector Trailer it cannot serve for authentication (all grey marked lines in previous table). Consequences: If the reader tries to authenticate any block of a sector with key B using grey marked access conditions, the card will refuse any subsequent memory access after authentication.

(MF1S50 datasheet)

I should not be allowed to read after authentication with key B.

Last edited by atmel9077 (2017-06-28 20:47:16)

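Jason's decoding of FF 07 80 69 in #8 and the datasheet rule quoted in #10 (key B readable means key B cannot authenticate) can be checked mechanically. The decoder below is an added example, not code from this thread or from the Proxmark3 project; the two tables follow the NXP MF1S50 access-condition tables, and the key A value in THREAD_TRAILER is a constructed placeholder since the original key was never posted.

```python
# Decoder for MIFARE Classic sector-trailer access bits (trailer bytes 6..8).
# Added example; tables follow the NXP MF1S50 datasheet quoted in the thread.

# (C1,C2,C3) -> (read key A, write key A, read access bits, write access bits, read key B, write key B)
TRAILER_RULES = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "never"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}
# (C1,C2,C3) -> (read, write, increment, decrement/transfer/restore) for data blocks
DATA_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),  # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

def decode_access_bits(b6, b7, b8):
    """Return {block: (C1,C2,C3)} for blocks 0..3; raise if the inverted nibbles disagree."""
    c1 = (b7 >> 4) & 0xF          # byte 7 high nibble: C1 for blocks 3..0
    c2 = b8 & 0xF                 # byte 8 low nibble:  C2
    c3 = (b8 >> 4) & 0xF          # byte 8 high nibble: C3
    # byte 6 = ~C2 | ~C1, byte 7 low nibble = ~C3; genuine cards reject inconsistent bits
    if (~b6 & 0xF) != c1 or ((~b6 >> 4) & 0xF) != c2 or (~b7 & 0xF) != c3:
        raise ValueError("access bits fail the inverted-nibble consistency check")
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}

def sector_access(trailer_hex):
    """Decode a 16-byte sector trailer into per-block rights and whether key B may authenticate."""
    t = bytes.fromhex(trailer_hex.replace(" ", ""))
    bits = decode_access_bits(t[6], t[7], t[8])
    blocks = {blk: DATA_RULES[bits[blk]] for blk in range(3)}
    trailer = TRAILER_RULES[bits[3]]
    key_b_readable = trailer[4] != "never"   # datasheet: readable key B cannot serve for authentication
    return {"blocks": blocks, "trailer": trailer, "key_b_usable_for_auth": not key_b_readable}

# Constructed trailer: made-up key A, the thread's access bytes FF 07 80 69, default key B.
THREAD_TRAILER = "A0 A1 A2 A3 A4 A5 FF 07 80 69 FF FF FF FF FF FF"

if __name__ == "__main__":
    print(sector_access(THREAD_TRAILER))
```

A genuine card with this trailer reports key_b_usable_for_auth False, so a successful key B dump of the sector is the clone deviation the thread describes.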

#11 2017-06-29 08:17:06

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Strange behavior of counterfeit MIFARE tags

Finally I understand your issue, and you are right. With the given trailer access conditions a genuine MIFARE card would not allow access to any block using key B, although the block access conditions would allow it. Your clone's behaviour differs; as marshmellow stated, such deviations have to be expected. You can call it both a bug and a feature.


#12 2017-06-29 09:38:27

atmel9077
Contributor
Registered: 2017-06-25
Posts: 46

Re: Strange behavior of counterfeit MIFARE tags

I did not think semiconductors were subject to counterfeiting... I've found no fewer than 7 different clones of MIFARE Classic and 3 clones of the RC522 reader chip.
