Playing with NFC Cards

15/11/2023
[Image: MIFARE Classic 1K card]

Have you also been bombarded with ads about NFC visiting cards for 1000 or 2000 rupees? Make one card and never make another. I have been lately (ya ya, ad blocker yada yada: these are not simple ads (Insta ads) that can be blocked via Pi-hole; if you can, do share tips, I would love a cleaner feed for myself).

These cards look interesting, but after a bit of digging into them I realised a few things that made me park that idea, because it didn't seem possible at that point:

  1. Amazon sells programmable cards at a much cheaper rate: Amazon India: LINQS NFC Cards. An even cheaper option is to buy from the vendor themselves: LINQS Shop here.
  2. The cards in the ads mostly redirect users to a URL which is effectively hosted on the card provider's domain, and hence if the service provider dies (which, to be honest, is far too frequent nowadays) the service dies with it too.
  3. I would like to have such a card, but I think I would prefer having more than just a URL: maybe my full contact info, maybe more than that, maybe a URL. In short, if I get such a card I would love to have access to write stuff on it.

This month of November is the time for celebrations and festivities in India. What people don't talk about in general is that this is also the time for house cleanup, and if you live with your family that means you have got to reduce the clutter.

  1. I started cleaning up my room and realised that, amongst all the electronic and non-electronic badges that we obtain from various conferences, we also end up receiving multiple NFC cards.
  2. I recalled those ads and I wondered: although I don't have a need for an NFC visiting card, wouldn't it be cool if I could use these wasted cards for that purpose?

And immediately my geek mind goes "How hard could it be?". So here is what I have discovered so far. This might not be enough and might not be a lot, but I am just listing a few tricks that I learned, a few tools that I explored and references that I found. Hope they help someone else fiddling around with their NFC exploration journey.

Background work

So I started with exploring what NFC really is and how it ticks. NFC, or Near Field Communication, is closely associated with RFID, or Radio Frequency Identification.

To focus on getting the basics, I visited my common sources: Null community presentations on the topic of NFC and RFID. This tells me it's not a popular topic, but it's something people have explored in 2019.

My own project, Hacking Archives of India, lists more references for me to look up under the topics RFID and NFC, with only one presentation available, by Sarwar and Ashwath, that gave good coverage of the basics of NFC. I also found this excellent presentation from 2012 at BlackHat covering in detail the different stacks and technological details.

However, I was not going to spend ₹₹₹₹ on something just because it's a curiosity. I will spend a lot of time though (because that's who I am: the quest to learn more is always better than throwing money at the problem).

So it seems I am very late to the party, rather a decade late it seems. So going on a wild goose chase is going to be pointless; let's try to narrow down what exactly we are looking for.

  1. I have lots of NFC-based cards from hotel stays and conference passes.
  2. I want to explore whether I can rewrite them and/or reuse them for my own purposes.

The study of the slides and references, plus this refocus, made me realise I first need to narrow down on what exactly I have; then and only then should I explore the second question. As I was not planning on buying hardware, I needed to rely on my existing NFC/RFID-based device, i.e. my smartphone. So I looked at Android applications to see if there is some application which can help me with this process. That led me to NFC Tools. This app was very quickly able to read and identify the cards that I had, and I ended up with a few variations of cards:

  1. MIFARE Classic 1K
  2. MIFARE Ultralight
  3. NXP NTAG216
  4. MIFARE Ultralight EV1
[Images: MIFARE Ultralight, NXP NTAG216, MIFARE Ultralight EV1, MIFARE Classic 1K]

The reference document on their website made it clear that all these chips were supported by the application.

So I attempted to see if I could write to those cards. If only life were this simple, I wouldn't be writing this blog. I was met with a write error every single time.

More reading pointed to the fact that there might be write locks on the cards. So the new activity sheet becomes:

  1. See if the cards are locked.
  2. Find a way to open those locks.
  3. Once the locks are open, either find a way to use those cards directly or format them.
  4. Once the cards are formatted, write the data to them.

What else could be done

This is where I look back at what else is present online. This time I searched more widely over the internet, but more specifically on MIFARE cards.

And identified a few interesting projects.

There is also a lot of chatter about Flipper Zero being able to crack these cards. But for me MIFARE Classic Tool (https://github.com/ikarus23/MifareClassicTool) was a good option. However, after a bit more digging, its fork https://github.com/NokisDemox/MCT-bruteforce-key drew my attention the most.

Let's get cracking.

So MIFARE Classic Tool and MCT-bruteforce-key are both a good starting point for my exploration of MIFARE Classic cards.

In short, the MIFARE Classic 1K cards that I have contain 1K of memory: 16 sectors of 4 blocks each, each block consisting of 16 bytes, so 1024 bytes in total. The last block of every sector is the sector trailer, which holds that sector's two keys and its access bits, so not all of the 1K is available for data.

Each sector has two keys, Key A and Key B. We need to either know the key or brute-force it to be able to write to that sector, and the access bits in the sector trailer decide which key (if any) may write each block; some cards, because of their access conditions, may simply not allow you to write at all.
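The check that "see if the cards are locked" boils down to is reading the access bits out of each sector trailer. The following is an added example, not code from the original post or from any of the tools it mentions: it decodes the trailers of a MIFARE Classic 1K dump (sector layout and access-condition tables as in the NXP MF1S50 datasheet) and reports which key, if any, can still write each block. The dump embedded in it is constructed by hand (three sectors only, one hex line per block, the layout MIFARE Classic Tool exports) and the keys in sectors 1 and 2 are made up, not keys from any real card.

```python
"""Decode the sector trailers of a MIFARE Classic 1K dump.

Added example, not code from the original post. Assumed layout (NXP MF1S50
datasheet): 16 sectors x 4 blocks x 16 bytes; the last block of each sector
is the trailer: key A (6 bytes) | access bits (3 bytes) | user byte | key B.
The dump below is constructed: 3 sectors, one hex line per block, with
"+Sector: n" headers as MIFARE Classic Tool writes them.
"""

# (C1, C2, C3) -> (who may read, who may write) a data block.
DATA_BLOCK_ACL = {
    (0, 0, 0): ("A|B", "A|B"),    # transport configuration, fully writable
    (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),
    (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"),
    (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),
    (1, 1, 1): ("never", "never"),
}
# (C1, C2, C3) -> (who may write key A, the access bits, key B) in the trailer.
TRAILER_ACL = {
    (0, 0, 0): ("A", "never", "A"),
    (0, 1, 0): ("never", "never", "never"),
    (1, 0, 0): ("B", "never", "B"),
    (1, 1, 0): ("never", "never", "never"),
    (0, 0, 1): ("A", "A", "A"),          # transport configuration (FF 07 80)
    (0, 1, 1): ("B", "B", "B"),
    (1, 0, 1): ("never", "B", "never"),
    (1, 1, 1): ("never", "never", "never"),
}

# Constructed sample: sector 0 is factory-fresh, sector 1 is "writable with
# key B only" (78 77 88) under made-up keys, sector 2 has a corrupt trailer.
CONSTRUCTED_DUMP = """
+Sector: 0
04A1B2C3D4E5F6088804004600000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
+Sector: 1
48656C6C6F2C204E464320776F726C64
00000000000000000000000000000000
00000000000000000000000000000000
0123456789AB78778800A0B1C2D3E4F5
+Sector: 2
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFF00000000FFFFFFFFFFFF
"""


def decode_access_bits(b6, b7, b8):
    """Return [(C1, C2, C3)] for blocks 0..3 of one sector.

    Trailer bytes 6-8 store every bit twice, once inverted. If the copies
    disagree the chip treats the sector as locked for good, so that case is
    reported instead of guessed at (it is also why a bad write bricks a sector).
    """
    conds = []
    for i in range(4):
        c1 = (b7 >> (4 + i)) & 1
        c2 = (b8 >> i) & 1
        c3 = (b8 >> (4 + i)) & 1
        inverted = ((b6 >> i) & 1, (b6 >> (4 + i)) & 1, (b7 >> i) & 1)
        if (c1, c2, c3) != tuple(1 - x for x in inverted):
            raise ValueError(f"block {i}: access bits fail the inverted-copy check")
        conds.append((c1, c2, c3))
    return conds


def parse_dump(text):
    """Parse one-hex-line-per-block dump text into one record per sector."""
    blocks = [bytes.fromhex(line.strip()) for line in text.splitlines()
              if line.strip() and not line.strip().startswith(("+", "#"))]
    if len(blocks) % 4:
        raise ValueError("Classic 1K dumps have 4 blocks per sector")
    sectors = []
    for n in range(len(blocks) // 4):
        trailer = blocks[4 * n + 3]
        rec = {"sector": n,
               # a real card never returns key A on read; tools fill in the key they used
               "key_a": trailer[:6].hex().upper(),
               "key_b": trailer[10:].hex().upper(),
               "access": None, "error": None}
        try:
            conds = decode_access_bits(trailer[6], trailer[7], trailer[8])
            rec["access"] = [DATA_BLOCK_ACL[c] for c in conds[:3]] + [TRAILER_ACL[conds[3]]]
        except ValueError as exc:
            rec["error"] = str(exc)
        sectors.append(rec)
    return sectors


if __name__ == "__main__":
    for rec in parse_dump(CONSTRUCTED_DUMP):
        if rec["error"]:
            print(f"sector {rec['sector']}: LOCKED ({rec['error']})")
            continue
        data_writes = [acl[1] for acl in rec["access"][:3]]
        print(f"sector {rec['sector']}: key A {rec['key_a']} key B {rec['key_b']} "
              f"data blocks writable by {data_writes}, trailer (A, bits, B) by {rec['access'][3]}")
```

Sector 0 comes out fully writable with either key, which is what the factory format in the post restores; sector 1 shows the usual "read with A, write with B" pattern, so knowing only key A there gets you a dump but no write; sector 2 is the case no key will ever fix. The same parser works unchanged on a full 64-line dump of a real card.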

Since I am in a situation where I have the cards but not access to the reader which legitimately reads the data, I am left with card-only attacks.

These two attacks had a limitation at this point: they can't work on Android as of now. Maybe Kali NetHunter and a custom kernel can help, but that's something I have not checked yet. So we were back to NFC Tools and MIFARE Classic Tool.

I was able to read all the sectors of 2-3 different MIFARE Classic cards using the standard keys built in. That allowed me to then go and factory-format them. Once factory-formatted, I am able to leverage NFC Tools to write any data of my choice to the card. So that sorts out my current pain.

However, another interesting tool that I found while reading lots and lots of articles online is NFC ReTag. This tool takes a different approach: as each tag has a unique ID, the phone can be programmed to react differently when it is in proximity to a particular card. This doesn't need keys or brute-forcing, but it's an interesting concept: if a phone is placed at this location it will react differently because it's in proximity to this card.

This does allow for new ways to explore the world of NFC cards and reuse the existing cards without worrying about the content inside them.

With that said, where would be the fun if I considered a project closed? There have got to be some pending tasks (looking at my 10000s of pending tasks, what harm can 2-3 more do :P). So with that said, my next items to explore at some point in the future are:

  1. Playing around with mfoc and mfcuk to see if I can use them on the Android device itself.
  2. Printing my own visiting card on top of the NFC card using an inkjet printer. Will hopefully get to do it one day and will remember to write about it.

I am sure I will have missed a tonne of resources, but my task was done and I would much rather put my energy into an alternate task. However, if you know of an easier or simpler way of doing things, do share with me. Would love to know how you have explored the NFC ecosystem.
