website logo
HomeShopDocsBlogForum
⌘K
Flipper Zero Documentation
Basics
🐬First start
MicroSD card setup
Firmware update
Pet dolphin
Power
Reboot
Controls
Settings
Sub-GHz
Reading signals
Reading RAW signals
Adding new remotes
Supported Sub-GHz vendors
Frequencies
125 kHz RFID
Reading 125 kHz RFID cards
Adding 125 kHz cards manually
Writing data to T5577 cards
Animal microchips
NFC
Reading NFC cards
Recovering keys with MFKey32
Unlocking cards with passwords
Writing data to magic cards
Infrared
Reading infrared signals
Using universal remotes
GPIO & modules
iButton
Bad USB
U2F (Universal 2nd Factor)
Apps
HID controllers
Flipper Mobile App
Reporting Mobile App bugs
qFlipper
Troubleshooting drivers on Windows
Development
Hardware
Blueprints
Docs powered by
Archbee
NFC

Recovering keys with MFKey32

Document image


If you couldn't read all the MIFARE Classic® card's sectors with the Read function or the sectors you read aren't enough to get access, try to use the Detect Reader function. The Detect Reader function performs the MFKey32 attack, which exploits weaknesses in the Crypto-1 encryption algorithm. MFKey32 is the name of a tool/algorithm to recover the MIFARE Classic keys from the reader’s Crypto-1 nonce pairs. It works by recovering the initial state of the Crypto-1 Linear Feedback Shift Register, which contains the key. On this page, you will learn how to conduct the MFKey32 attack with and without the access card.



If you have access to the card

The best way to conduct the MFKey32 attack is to have access to the card, even if not all sectors were read. By getting the reader's key, you can read more sectors of the card, which might be enough to open the door.

To get the reader's keys and read the MIFARE Classic card, do the following:

1

Read and save the card with your Flipper Zero.

2

Go to Main Menu -> NFC -> Saved -> Name of the saved card -> Detect reader. Flipper Zero will emulate this card for the MFKey32 attack.

Your Flipper Zero is ready to collect the reader's nonces
Your Flipper Zero is ready to collect the reader's nonces

3

Tap the reader with your Flipper Zero, as shown below. When near the reader, your Flipper Zero will collect the reader's nonces. Depending on the reader, you may need to tap the reader with your Flipper Zero up to 10 times in order to simulate several card authentications. On your Flipper Zero's screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader is not trying to authenticate the card emulated by your Flipper Zero.

To collect nonces, tap the reader with your Flipper Zero
To collect nonces, tap the reader with your Flipper Zero

4

Press %ok%OK to save the collected nonce pairs to the microSD card. Once the required number of nonce pairs is collected, the screen will display a Completed message. After that, you can press the %ok%OK button to view the captured data, including the sector and key from which it was obtained.

Once nonces are collected, you can save them onto the microSD card
Once nonces are collected, you can save them onto the microSD card

5

Recover keys from the collected nonces. You can do it via: Flipper Mobile App

  1. On your phone, run Flipper Mobile App and synchronize it with your Flipper Zero.
  2. Go to Hub -> NFC tools -> Mfkey32 (Detect Reader).

lab.flipper.net

  1. Connect your Flipper Zero to your computer via a USB-C cable.
  2. On your computer, go to lab.flipper.net.
  3. Go to NFC tools, then click the GIVE ME THE KEYS button.

Mfkey32 app

<div class="info flipper-callout">
    <div class="callout-header"></div>
You need to download the <a href="https://lab.flipper.net/apps/mfkey32" onclick="next.router.push('https://lab.flipper.net/apps/mfkey32')"><u>Mfkey32</u> app to your Flipper Zero from <a href="https://docs.flipper.net/apps" onclick="next.router.push('https://docs.flipper.net/apps')"><u>Apps</u> to use this feature.
</div>


If you don't have access to a smartphone or computer, you can recover keys from the collected nonces using only your Flipper Zero. Keep in mind that it takes several minutes to recover the keys due to the limited computing power of the device.

  1. On your Flipper Zero, go to Main Menu -> Apps -> NFC.
  2. Run the Mfkey32 app and press the %ok%OK button.

The recovered keys will be displayed on the screen. After that, they can be added to the User dictionary. In some cases, the keys can’t be recovered from the nonces due to the reader not recognizing your Flipper Zero’s emulation properly.

6

Once new keys are added to the User dictionary, read the card again. The number of found keys and read sectors may increase, which indicates that necessary data is collected.

7

Emulate the card and hold your Flipper Zero near the reader to get access.

While emulating the NFC card, hold your Flipper Zero near the reader
While emulating the NFC card, hold your Flipper Zero near the reader

<div class="warning flipper-callout">
    <div class="callout-header"></div>
    If the emulated card doesn't open the door, try to do steps 1 through 6 again in case your reader reads multiple sectors sequentially.<br><br>
    If, after repeating steps 1 through 6, the number of the card's keys and sectors read by your Flipper Zero didn’t increase, then the reader and the card aren't in the same system, or the reader isn't vulnerable to the MFKey32 attack.  
</div>



If you don't have access to the card

Even if you don't have access to the card, you can try to get the reader's keys and then add them to the User dictionary to expand it.

To get and save the reader's keys, do the following:

1

Go to Main Menu -> NFC -> Detect reader. Flipper Zero will emulate an NFC card for the MFKey32 attack.

Your Flipper Zero is ready to collect the reader's nonces
Your Flipper Zero is ready to collect the reader's nonces

2

Tap the reader with your Flipper Zero as shown below. When near the reader, your Flipper Zero will collect the reader's nonces. Depending on the reader, you may need to tap the reader with your Flipper Zero up to 10 times in order to simulate several card authentications. On your Flipper Zero's screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader is not trying to authenticate the card emulated by your Flipper Zero.

To collect nonces, tap the reader with your Flipper Zero
To collect nonces, tap the reader with your Flipper Zero

3

Press %ok%OK to save the collected nonce pairs to the microSD card. Once the required number of nonce pairs is collected, the screen will display a Completed message. After that, you can press the %ok%OK button to view the captured data, including the sector and key from which it was obtained.

Once nonces are collected, you can save them onto the microSD card
Once nonces are collected, you can save them onto the microSD card

4

Recover keys from the collected nonces. You can do it via: Flipper Mobile App

  1. On your phone, run Flipper Mobile App and synchronize it with your Flipper Zero.
  2. Go to Hub -> NFC tools -> Mfkey32 (Detect Reader).

lab.flipper.net

  1. Connect your Flipper Zero to your computer via a USB-C cable.
  2. On your computer, go to lab.flipper.net.
  3. Go to NFC tools, then click the GIVE ME THE KEYS button.

Mfkey32 application If you don't have access to a smartphone or computer, you can recover keys from the collected nonces using only your Flipper Zero. Keep in mind that it takes several minutes to recover the keys due to the limited computing power of the device.

  1. On your Flipper Zero, go to Main Menu -> Applications -> NFC.
  2. Run the Mfkey32 application and press the %ok%OK button.

The recovered keys and sector numbers will be displayed on the screen. After that, they can be added to the User dictionary. In some cases, the keys can’t be recovered from the nonces due to the reader not recognizing your Flipper Zero’s emulation properly.



MIFARE and MIFARE Classic are registered trademarks of NXP B.V.

Updated 15 Sep 2023
Did this page help you?
PREVIOUS
Reading NFC cards
NEXT
Unlocking cards with passwords
Docs powered by
Archbee
TABLE OF CONTENTS
If you have access to the card
If you don't have access to the card
Docs powered by
Archbee

Community

Kickstarter Habr.com Discord Forum Blog

For developers

Documentation GitHub Design Guide

Distributors

Lab401 Joom How to buy Become a Partner

About

Contacts Jobs Compliance Company Abuse Report Privacy Policy

Copyright © 2023 Flipper Devices Inc.