Recovering MIFARE Classic keys

If you couldn't read all of the MIFARE Classic® card's sectors with the Read function, or the sectors you did read aren't enough to get access, try exploiting vulnerabilities in MIFARE Classic NFC cards to get access.

On this page, you'll learn how to conduct the MFKey32 attack, both with and without physical access to the card, as well as card-only attacks, for which you don't need access to the reader to calculate the keys.



MFKey32 attack

The MFKey32 attack exploits weaknesses in the Crypto-1 cipher used by MIFARE Classic cards. MFKey32 is the name of the tool/algorithm that recovers MIFARE Classic keys from the nonce pairs a reader sends during Crypto-1 authentication. It works by recovering the initial state of the Crypto-1 linear feedback shift register (LFSR), which contains the key.

With access to the reader and card

The best way to conduct the MFKey32 attack is to have access to the card, even if not all of its sectors were read. After getting the reader's key, you can read more sectors of the card, which might be enough to get access.

To get the reader's keys and read the MIFARE Classic card, do the following:

1. Read and save the card with your Flipper Zero.

2. Go to Main Menu -> NFC -> Saved -> Name of the saved card -> Extract MF Keys. Flipper Zero will emulate this card for the MFKey32 attack.

Your Flipper Zero is ready to collect the reader's nonces

3. Tap the reader with your Flipper Zero, as shown below. When near the reader, your Flipper Zero will collect the reader's nonces. Depending on the reader, you may need to tap the reader with your Flipper Zero several times until all 10 out of 10 nonces are collected. On your Flipper Zero's screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader is not trying to authenticate the card emulated by your Flipper Zero.

To collect nonces, tap your Flipper Zero against the reader, pull it away, and repeat the process

4. Press OK to save the collected nonce pairs to the microSD card. Once the required number of nonce pairs is collected, the screen will display a Completed message. After that, you can press the OK button to view the captured data, including the sector and key from which it was obtained.

Once nonces are collected, you can save them to the microSD card

5. Recover keys from the collected nonces. You can do it in one of the following ways:

Flipper Mobile App

  1. On your phone, run Flipper Mobile App and synchronize it with your Flipper Zero.
  2. Go to Tools -> Mfkey32 (Extract MF Keys).

Flipper Lab

  1. Connect your Flipper Zero to your computer via a USB-C cable.
  2. On your computer, go to lab.flipper.net.
  3. Go to NFC tools, then click the GIVE ME THE KEYS button.

MFKey app

If you don't have access to a smartphone or computer, you can recover keys from the collected nonces using only your Flipper Zero. Keep in mind that it takes several minutes to recover the keys due to the limited computing power of the device.

  1. On your Flipper Zero, go to Main Menu -> Apps -> NFC.
  2. Run the MFKey app and press the OK button.

The recovered keys will be displayed on the screen. After that, they can be added to the User dictionary. In some cases, the keys can’t be recovered from the nonces due to the reader not recognizing the Flipper Zero’s emulation properly.

6. Once the new keys are added to the User dictionary, read the card again. The number of found keys and read sectors may increase, which indicates that the necessary data has been collected.

7. Emulate the card and hold your Flipper Zero near the reader to get access.

While emulating the NFC card, hold your Flipper Zero near the reader



With access only to the reader

Even if you don't have access to the card, you can try to get the reader's keys and then add them to the User dictionary to expand it.

To get and save the reader's keys, do the following:

1. Go to Main Menu -> NFC -> Extract MF Keys. Flipper Zero will emulate an NFC card for the MFKey32 attack.

Your Flipper Zero is ready to collect the reader's nonces

2. Tap the reader with your Flipper Zero, as shown below. When near the reader, your Flipper Zero will collect the reader's nonces. Depending on the reader, you may need to tap the reader with your Flipper Zero several times until all 10 out of 10 nonces are collected. On your Flipper Zero's screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader is not trying to authenticate the card emulated by your Flipper Zero.

To collect nonces, tap your Flipper Zero against the reader, pull it away, and repeat the process

3. Press OK to save the collected nonce pairs to the microSD card. Once the required number of nonce pairs is collected, the screen will display a Completed message. After that, you can press the OK button to view the captured data, including the sector and key from which it was obtained.

Once nonces are collected, you can save them onto the microSD card

4. Recover keys from the collected nonces. You can do it in one of the following ways:

Flipper Mobile App

  1. On your phone, run Flipper Mobile App and synchronize it with your Flipper Zero.
  2. Go to Tools -> Mfkey32 (Extract MF Keys).

Flipper Lab

  1. Connect your Flipper Zero to your computer via a USB-C cable.
  2. On your computer, go to lab.flipper.net.
  3. Go to NFC tools, then click the GIVE ME THE KEYS button.

MFKey app

If you don't have access to a smartphone or computer, you can recover keys from the collected nonces using only your Flipper Zero. Keep in mind that it takes several minutes to recover the keys due to the limited computing power of the device.

  1. On your Flipper Zero, go to Main Menu -> Apps -> NFC.
  2. Run the MFKey app and press the OK button.

The recovered keys and sector numbers will be displayed on the screen. After that, they can be added to the User dictionary. In some cases, the keys can’t be recovered from the nonces because the reader won’t recognize the Flipper Zero emulation properly.



Card-only attacks



This type of attack is performed directly on the card, exploiting vulnerabilities in MIFARE Classic cards. The goal of these attacks is to recover the card's data and keys so that you can clone and emulate the card.

There are several card-only attacks that Flipper Zero performs, chosen based on the card type and the available data: the nested attack, the static nested attack, and the hardnested attack. These attacks begin at the stage of reading the card (NFC -> Read). If card reading fails, Flipper Zero collects and saves card nonces so that the keys can later be calculated via the MFKey app. The calculated keys are then added to the User dictionary of MIFARE Classic keys.





To get the card's keys and emulate the card, do the following:

1. Read the card to collect nonces, if you haven't already.


2. (Optional) Check that the file with nonces has been created on your Flipper Zero at /ext/nfc/.nested.log.

3. On your Flipper Zero, run the MFKey app by going to Main Menu -> Apps -> NFC -> MFKey and pressing OK.

4. Wait until the card keys are calculated from the collected nonces, which takes a few minutes. After that, the new keys will be added to the User dictionary automatically.

5. Read the card again to unlock the sectors that were protected with the calculated key.

6. Emulate the card and hold your Flipper Zero against the reader to get access.

While emulating the NFC card, hold your Flipper Zero against the reader




If the MFKey app fails to calculate keys

  • Reboot your Flipper Zero by pressing and holding the LEFT and BACK buttons for 5 seconds.
  • Delete the file with collected nonces, located at /ext/nfc/.nested.log. Then try collecting the nonces again and run MFKey.
  • Delete the file containing user keys, located at /ext/nfc/assets/mf_classic_dict_user.nfc. Then try collecting the nonces again and run MFKey. This action will permanently delete all the user keys. If you wish to retain your keys, back them up before deleting by downloading the file to your computer.
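The last troubleshooting step above deletes the User dictionary, and the earlier procedures keep appending recovered keys to it. The script below is an added example, not part of the Flipper documentation or firmware: it backs up the dictionary file to a timestamped copy, validates every entry, drops duplicates, and merges newly recovered keys, so that the dictionary can be cleaned without losing keys. It assumes the dictionary is a plain-text file with one 6-byte key per line written as 12 hexadecimal digits and with `#` comment lines; the file name `mf_classic_dict_user.nfc` is taken from the page, and the sample dictionary and key values are constructed for the demo.

```python
"""Back up, validate and merge a Flipper Zero MIFARE Classic user dictionary.

Added example, not part of the Flipper documentation or firmware.
ASSUMPTION: the dictionary is a plain-text file with one 6-byte key per line
written as 12 hexadecimal digits, and lines starting with '#' are comments.
"""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# A MIFARE Classic key is 48 bits, i.e. exactly 12 hex digits.
KEY_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_dict(text: str) -> tuple[list[str], list[tuple[int, str]]]:
    """Return (valid, de-duplicated keys in file order) and (line_no, raw_line) for rejected lines."""
    keys: list[str] = []
    seen: set[str] = set()
    bad: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if not KEY_RE.match(line):
            bad.append((lineno, raw))     # wrong length or non-hex characters
            continue
        key = line.upper()                # normalise case so 'ab..' and 'AB..' dedupe
        if key not in seen:
            seen.add(key)
            keys.append(key)
    return keys, bad


def merge_keys(existing: list[str], new: list[str]) -> list[str]:
    """Append valid new keys to the existing list, keeping order and dropping duplicates."""
    merged = list(existing)
    seen = set(existing)
    for candidate in new:
        key = candidate.strip().upper()
        if KEY_RE.match(key) and key not in seen:
            seen.add(key)
            merged.append(key)
    return merged


def backup_and_merge(dict_path: Path, new_keys: list[str]) -> Path:
    """Copy the dictionary to a timestamped .bak file, then rewrite it with new keys merged in."""
    backup = dict_path.with_name(f"{dict_path.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(dict_path, backup)      # back up first, as the troubleshooting list advises
    keys, bad = parse_dict(dict_path.read_text())
    for lineno, line in bad:
        print(f"{dict_path.name}:{lineno}: rejected {line!r}")
    dict_path.write_text("\n".join(merge_keys(keys, new_keys)) + "\n")
    return backup


# Constructed sample dictionary (not a real dump): a comment, a case-variant
# duplicate, a too-short key and a non-hex key.
SAMPLE_DICT = """\
# constructed user keys
0123456789AB
0123456789ab
FEDCBA987654
12345
XYZXYZXYZXYZ
"""


def demo() -> tuple[list[str], bool]:
    """Run the flow on the constructed sample in a temporary directory."""
    workdir = Path(tempfile.mkdtemp())
    dict_path = workdir / "mf_classic_dict_user.nfc"   # same file name as on the Flipper
    dict_path.write_text(SAMPLE_DICT)
    backup = backup_and_merge(dict_path, ["AABBCCDDEEFF", "fedcba987654"])
    return dict_path.read_text().split(), backup.exists()


if __name__ == "__main__":
    print(demo())   # (['0123456789AB', 'FEDCBA987654', 'AABBCCDDEEFF'], True)
```

Copy the dictionary from the Flipper to your computer before running the script on it, and copy the rewritten file back only after checking the rejected lines it reports; the backup copy stays next to the file so that a bad merge can be undone.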


MIFARE and MIFARE Classic are registered trademarks of NXP B.V.
