@alphazo
Created August 9, 2012 11:03
Clone MiFare cards using Chinese UUID writable cards

libnfc supports UUID writable cards and even has some dedicated tools for them.

However, those tools don't work with some of the cards found on eBay, which are even simpler to use: on these cards sector 0 is unlocked and can be written without any additional commands. libnfc requires a small patch to work with them.

The following has been tested under Arch Linux with a modified libnfc 1.5.1, mfoc 0.10.2 and an SCL3711 dongle.

Patch & recompile libnfc

The patch is fairly simple: open libnfc-1.5.1/utils/nfc-mfclassic.c and comment out two lines (they were lines 384 and 385 for me):

  // Try to write the trailer
  if (nfc_initiator_mifare_cmd (pnd, MC_WRITE, uiBlock, &mp) == false) {
    printf ("failed to write trailer block %d \n", uiBlock);
    bFailure = true;
  }
} else {
  // The first block 0x00 is read only, skip this
// COMMENT THIS      if (uiBlock == 0 && ! write_block_zero)
// COMMENT THIS        continue;

Recompile and install.

Connect the SCL3711 dongle

I manually have to remove the pn533 module in order to get libnfc to work. This needs to be done every time you re-plug the SCL3711 dongle.

# sudo rmmod pn533

Dump the blank Chinese card

Read the fresh blank Chinese card

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
 ATQA (SENS_RES): 00  04  
   UID (NFCID1): 00  00  00  00  
   SAK (SEL_RES): 08  

Dump the blank Chinese card to get the keys

# mfoc -P 500 -O blank-chinese.dmp

Now remove the Chinese card, place the card you want to copy on the reader and dump it.

Dump the Mifare card you want to copy

Let's read the card to clone first

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
ATQA (SENS_RES): 00  04  
    UID (NFCID1): 9b  97  4f  19  
    SAK (SEL_RES): 08  

Time to dump the target card

# mfoc -P 500 -O cardtocopy.dmp

Put the Chinese card back and clone the card

Write the Chinese card with the content of the other card including UUID

# nfc-mfclassic w b cardtocopy.dmp blank-chinese.dmp

or

# nfc-mfclassic w a cardtocopy.dmp blank-chinese.dmp

Check that the card is the same:

# nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: SCM Micro / SCL3711-NFC&RW - PN533 v2.7 (0x07)
1 ISO14443A passive target(s) found:
  ATQA (SENS_RES): 00  04  
   UID (NFCID1): 9b  97  4f  19  
   SAK (SEL_RES): 08  

Go back to blank card

# nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp

or

# nfc-mfclassic w a blank-chinese.dmp cardtocopy.dmp
@Ambroos

Ambroos commented Dec 3, 2013

Cool, going to try this soon. You should try using a default unadjusted nfc-mfclassic too, with a capital W parameter it should attempt to write the UUID too. Haven't tested it with my SCL3711 yet.

@lanoiraude

Hello from France.

It works with my SCL3711 and Raspbian.
We can write the UUID with a capital W, and a capital X for writing both keys.
I buy cards on eBay from clonemykey (not only him), but this seller is fast and furious, thanks to him.

So, thanks for this patch (actually still working with libnfc 1.7.1).

@hermes55555

Hi,

The capital W parameter seems to work with a writable UUID card. Mostly... Curiously, while trying to write a blank Chinese card with one of my other backups, I get the following error message: "incorrect bcc in mfd file". What happens if the UUID is written with a hex that doesn't conform with the BCC check? Thanks.

@y0d4a

y0d4a commented Dec 4, 2016

Hi, I got an NXP PN532 and want to try to clone my door card.
I have it connected with an Arduino, can I use "nfc-mfclassic" in this option?
If yes, is there some code for Arduino how to set it up, so "nfc-mfclassic" can read it?

Thank you.

@Kinny092

My cards and tokens came with the default UID, they are writable. I had followed your instructions closely but the UID of the blank card does not seem to change at all. Permission of Block 1 and 2 seems to have changed. Thanks.

@duchenpaul

duchenpaul commented May 11, 2017

Nice manual, but there is a defect.
In section:
Write the Chinese card with the content of the other card including UUID
nfc-mfclassic w b blank-chinese.dmp cardtocopy.dmp
should be
nfc-mfclassic W b blank-chinese.dmp cardtocopy.dmp

the manual of nfc-mfclassic says

The W option allows writing of special MIFARE cards that can be 'unlocked' to allow block 0 to be overwritten.

@hramrach

You see, the author of the patch specifically says that this is for cards that do not have to be unlocked to allow overwriting sector 0 and may fail to write when an unlock is attempted.

@tinue

tinue commented Aug 30, 2017

The current 1.7x libnfc includes support for these cards, so the patch is not necessary. But even then, original NXP Mifare Classic cards can't be cloned. While all sectors (including 0) are cloned ok, the clone still behaves differently compared to the original. For example, it reports an SAK of "08", while the clone reports "88" (because "88" is in sector 0). Any modern reader will be able to tell that the card is cloned, so don't bother.
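
A reader-side consistency check for two observations in this thread (the "incorrect bcc in mfd file" error and the SAK 08/88 difference), as an added example that is not part of the gist or of libnfc. It assumes block 0 holds the UID in bytes 0-3, the BCC in byte 4 and the 88 value in byte 5, and that the reader recorded the card's anticollision SAK at enrolment; `check_card` and the flag names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Anomaly flags for a MIFARE Classic card with a 4-byte UID. */
enum {
  ANOM_BCC_BAD      = 1 << 0, /* block 0 byte 4 is not the XOR of UID bytes 0..3 */
  ANOM_UID_MISMATCH = 1 << 1, /* anticollision UID differs from the UID in block 0 */
  ANOM_ZERO_UID     = 1 << 2, /* all-zero UID, like the blank card in the gist */
  ANOM_SAK_CHANGED  = 1 << 3  /* anticollision SAK differs from the enrolled SAK */
};

/* Constructed sample: UID 9b 97 4f 19 from the gist, its BCC, 0x88 at byte 5
   as described in the comment above; the remaining bytes are zero filler. */
static const uint8_t SAMPLE_BLOCK0[16] = {0x9b, 0x97, 0x4f, 0x19, 0x5a, 0x88};
static const uint8_t SAMPLE_UID[4] = {0x9b, 0x97, 0x4f, 0x19};

/* BCC (block check character): XOR of the four UID bytes. */
static uint8_t bcc_of(const uint8_t uid[4]) {
  return (uint8_t)(uid[0] ^ uid[1] ^ uid[2] ^ uid[3]);
}

/* Assumed inputs: block0 as read by the reader after authentication,
   seen_uid and seen_sak from anticollision, enrolled_sak stored at enrolment. */
unsigned check_card(const uint8_t block0[16], const uint8_t seen_uid[4],
                    uint8_t seen_sak, uint8_t enrolled_sak) {
  static const uint8_t zero[4] = {0, 0, 0, 0};
  unsigned flags = 0;
  if (block0[4] != bcc_of(block0)) flags |= ANOM_BCC_BAD;
  if (memcmp(block0, seen_uid, 4) != 0) flags |= ANOM_UID_MISMATCH;
  if (memcmp(seen_uid, zero, 4) == 0) flags |= ANOM_ZERO_UID;
  if (seen_sak != enrolled_sak) flags |= ANOM_SAK_CHANGED;
  return flags;
}

int main(void) {
  /* A card enrolled with SAK 08 now answers anticollision with SAK 88. */
  printf("flags=0x%x\n", check_card(SAMPLE_BLOCK0, SAMPLE_UID, 0x88, 0x08));
  return 0;
}
```

A non-zero return value marks the card for rejection or logging; the SAK flag only helps while the presented card's anticollision SAK differs from the enrolled one.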

@tamsky

tamsky commented May 29, 2018

@tinue have you tried the nfc-mfsetuid command? it correctly sets the SAK for me.

@bokub

bokub commented May 31, 2018

@tamsky Thanks so much, that worked like a charm 🎉

@ldraminski

Hi, will it work with ACR122?

@Fusseldieb

Fusseldieb commented Mar 29, 2019

But even then, original NXP Mifare Classic cards can't be cloned.

Don't say can't, there's always a way...

@xqyww123

xqyww123 commented Apr 7, 2021

Hacking code is perhaps necessary. The original code checks several settings to decide whether a card is unlockable,

    // Chinese magic emulation card, ATS=0978009102:dabc1910
    if ((res == 9)  && (abtRx[5] == 0xda) && (abtRx[6] == 0xbc)
        && (abtRx[7] == 0x19) && (abtRx[8] == 0x10)) {
      magic2 = true;
    }

and also bool write_card(int write_block_zero)

  if (write_block_zero)
    if (!unlock_card())
      return false;

At least for my Chinese card, the original unlock operation fails at the bool unlock_card(void) function.
It's not hard to imagine: the Chinese card pretends to be 'a normal card' to bypass some firewall, and cannot be recognized by the original code.