W!K!

人在阳光下,怎能不阳光

Home MTools Archive Tags

How to use NFC as a mifare card reader - Read

# PN532 # ACR122U # MTools # Android # NFC # RFID # DIY # Hacker

NFC has been widely used on Android Pay, Apple Pay and Device Connection.
With NFC on Android Phone, it's even easy to read datas in the mifare card, such as Metro Card, RFID Parking card and etc.
This article shows how to use NFC as a mifare reader to read the amount remaining in the card.

Device & APP

  1. Android Phone with NFC
  2. Android APP: MTools or MCT

Keys for sector

Mifare 1K Card is organized in 16 sectors of 4 blocks and one block consists of 16 byte.
The keyA or keyB is necessary to access the data in each block.
To crack keys, you have to use external device such as ACR122U, PN532, PM3. Or you can try your luck with another APP named MKeys. Mkeys works with Enumeration, not hacking with the libnfc.

Find sector with valid data

Mostly, the manufacture only use 1 or 2 sectors to store the valid data. So try to read all datas in MCT and compare to dump file with another amount. Then you'll find out.

Add Card and sector

With MTools, it's easy to add card and keys for sector with valid data. Now, try to read data in that sector.

Mark money bytes

There has 16 bytes in each block, mostly consequent 2 or 3 bytes stands for the amount.
Here's an example of Card with a current balance of $50.00.

8813000077ECFFFF8813000012ED12ED
00000000000000000000000000000000
8813000077ECFFFF8813000012ED12ED

Decimal 5000 to Hex is 0x1388.
Only need to mark the first two bytes: 88 and 13.
Click Reverse and choose Rate 100 then it will show $50.00 correctly.

About check bytes

Check byte is the byte that change alsong with the money byte regularly. So it has expression to calculate.
Currently, we only need to read how much money remain in the card. So no need to mark any check byte.
Just click OK or SAVE.

How to read

Just to Record Fragment, now tap card near to NFC antenna.
Now it has the balance shown.

Last but not least

The expressions and rule are blank, so when you click $ button in Record Fragment, only the first two bytes will change and it's not valide data. Long press $ button to preview the data before charging.
I'll show you how to charge with this regular rule in next post.

Introducing on YouTube

Witness the ❤️ Between Wilson & Karina | RSS