Key extraction with MFKey32
On this page you will learn how to perform the MFKey32 attack if you have access to the card and what you can do if you do not.

If you were unable to read all sectors of the MIFARE Classic® card using the Read function, or if the sectors read were insufficient to gain access, try using the Extract MF Keys function. This function performs the MFKey32 attack, which exploits weaknesses in the Crypto-1 encryption algorithm. MFKey32 is the name of a tool/algorithm used to recover MIFARE Classic keys from the reader's Crypto-1 nonce pairs. It works by recovering the initial state of the Crypto-1 Linear Feedback Shift Register, which contains the key.
Sectors on NFC cards
First, let's understand how the blocks in NFC cards work:
| Sector | Description | Key A | Key B |
| --- | --- | --- | --- |
| Sector 0 | It contains the Manufacturing Block and the UID (Unique Identifier). It cannot be modified on most cards. | Generally FFFFFFFFFFFF or A0A1A2A3A4A5 | Not always accessible |
| Sector 1-N | Data storage space, divided into 16-byte blocks. Used to store personalized information, such as identifiers, balances, or encrypted data. | It can be customized according to the system. | |
| Last sector | It contains the trailer block, where keys A and B are stored, along with the access control bits. It is used to define permissions on the data in the sector. | Key to reading and verifying data | Key to write and modify permissions |
Each sector of an NFC MIFARE Classic card typically has 4 blocks.
Key A is used for authentication and reading in some cases.
Key B may allow writing or configuration of access.
To read and write in protected sectors, you need to know the correct keys.
Tools like mfoc or mfcuk can be used to recover keys on some cards.
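The following is an added example, not part of the original page or of Flipper's code: a small auditor for the sector trailers in a card dump, flagging the two default keys named above and validating the access bits. It assumes the standard MIFARE Classic layout, in which the last block of every sector is that sector's trailer (Key A, 3 access bytes, 1 user byte, Key B); the sample trailers are constructed.

```python
DEFAULT_KEYS = {"FFFFFFFFFFFF", "A0A1A2A3A4A5"}  # the two defaults named on this page
# Trailer access conditions (C1, C2, C3) under which Key B can be read back as data.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access(acc: bytes):
    """Return (valid, (C1, C2, C3) of the trailer block) for access bytes 6..8."""
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Every nibble is stored twice, once inverted: value XOR inverse must be 0xF.
    valid = (c1 ^ (b6 & 0x0F)) == (c2 ^ (b6 >> 4)) == (c3 ^ (b7 & 0x0F)) == 0x0F
    return valid, (c1 >> 3, c2 >> 3, c3 >> 3)  # bit 3 of each nibble = trailer block


def audit_trailer(trailer: bytes) -> list:
    """Return a list of findings for one 16-byte sector trailer."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    key_a, key_b = trailer[:6].hex().upper(), trailer[10:].hex().upper()
    valid, cond = decode_access(trailer[6:9])
    if not valid:
        return ["access bits fail the inversion check (corrupt or tampered trailer)"]
    findings = []
    if key_a in DEFAULT_KEYS:
        findings.append(f"Key A is a default key ({key_a})")
    if cond in KEY_B_READABLE:
        findings.append("Key B is readable as data and cannot authenticate")
    elif key_b in DEFAULT_KEYS:
        findings.append(f"Key B is a default key ({key_b})")
    return findings


# Constructed sample trailers (not from a real card), keyed by sector number.
SAMPLE_DUMP = {
    0: bytes.fromhex("A0A1A2A3A4A5" "787788" "C1" "0F1E2D3C4B5A"),
    1: bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF"),
    2: bytes.fromhex("1A2B3C4D5E6F" "7F0788" "40" "0F1E2D3C4B5A"),
    3: bytes.fromhex("1A2B3C4D5E6F" "FF0781" "40" "0F1E2D3C4B5A"),
}


def audit_dump(dump: dict) -> dict:
    """Audit every trailer in the dump; an empty list means no findings."""
    return {sector: audit_trailer(t) for sector, t in sorted(dump.items())}


if __name__ == "__main__":
    for sector, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"sector {sector}: {'; '.join(findings) or 'no findings'}")
```

A sector that reports no findings still relies on Crypto-1, so this check only rules out default keys and malformed access bits, not the reader-side weakness described on this page.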
If we have access to the card
The best way to carry out an MFKey32 attack is to gain access to the card, even if not all sectors have been read. By obtaining the reader's key, more sectors of the card can be read, which might be enough to open the door.
To obtain the reader keys and read the MIFARE Classic card, do the following:
1. Read and save the card with your Flipper Zero.
2. Go to Main Menu -> NFC -> Saved -> Saved Card Name -> Extract MF Keys. Flipper Zero will emulate this card for the MFKey32 attack.
   [Figure: Your Flipper Zero is ready to collect the reader's nonces]
3. Touch the reader with your Flipper Zero. When near the reader, your Flipper Zero will collect the nonces from the reader. Depending on the reader, you may need to touch the reader with your Flipper Zero up to 10 times to simulate several card authentications. On the Flipper Zero screen, the number of collected nonce pairs should increase with each new touch of the reader. If the number of nonce pairs does not increase, the reader is not attempting to authenticate the card emulated by Flipper Zero.
   [Figure: To collect nonces, touch the reader with your Flipper Zero.]
4. Press OK to save the collected nonce pairs to the microSD card. Once the required number of nonce pairs has been collected, the screen will display a "Finished" message. After that, you can press the OK button to view the captured data, including the sector and key from which they were obtained.
   [Figure: Once the nonces have been collected, you can save them to the microSD card.]
5. Retrieve keys for the collected nonces. You can do this using any of the following:
   Flipper mobile app
   - On your phone, run the Flipper mobile app and sync it with your Flipper Zero.
   - Go to Tools -> Mfkey32 (Detect reader).
   Flipper Lab
   - Connect your Flipper Zero to your computer using a USB-C cable.
   - On your computer, go to lab.flipper.net.
   - Go to NFC tools and then click the GIVE ME THE KEYS button.
   MFKey Application
   To use this feature, you must download the MFKey application to your Flipper Zero from Applications.
   If you don't have access to a smartphone or computer, you can retrieve the keys for the collected nonces using only your Flipper Zero. Keep in mind that key retrieval takes several minutes due to the device's limited processing power.
   - On your Flipper Zero, go to Main Menu -> Applications -> NFC.
   - Run the MFKey application and press the OK button.
   - The retrieved keys will be displayed on the screen. They can then be added to the user dictionary. In some cases, keys cannot be retrieved from the nonces because the reader does not correctly recognize the Flipper Zero emulation.
6. Once new keys are added to the user dictionary, reread the card. The number of keys found and sectors read may increase, indicating that the necessary data was collected.
7. Emulate the card and hold your Flipper Zero near the reader for access.

While emulating the NFC card, hold your Flipper Zero near the reader. If the emulated card does not open the door, try steps 1 through 6 again in case your reader reads multiple sectors sequentially. If, after repeating steps 1 through 6, the number of keys and sectors of the card read by your Flipper Zero does not increase, then the reader and the card are not on the same system or the reader is not vulnerable to the MFKey32 attack.
If we don't have access to the card
Even if you don't have access to the card, you can try to obtain the reader's keys and then add them to the user dictionary to expand it.
To obtain and save the reader keys, do the following:
1. Go to Main Menu -> NFC -> Extract MF Keys. Flipper Zero will emulate an NFC card for the MFKey32 attack.
   [Figure: Your Flipper Zero is ready to collect the reader's nonces]
2. Touch the reader with your Flipper Zero. When you're near the reader, your Flipper Zero will collect the nonces from the reader. Depending on the reader, you may need to tap the reader with your Flipper Zero up to 10 times to simulate several card authentications. On the Flipper Zero screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader isn't attempting to authenticate the card being emulated by Flipper Zero.
   [Figure: To collect nonces, touch the reader with your Flipper Zero.]
3. Press OK to save the collected nonce pairs to the microSD card. Once the required number of nonce pairs has been collected, the screen will display a "Finished" message. After that, you can press the OK button to view the captured data, including the sector and key from which they were obtained.
   [Figure: Once the nonces have been collected, you can save them to the microSD card.]
4. Retrieve keys from the collected nonces. You can do this using any of the following:
   Flipper mobile app
   - On your phone, run the Flipper mobile app and sync it with your Flipper Zero.
   - Go to Tools -> Mfkey32 (Detect reader).
   Flipper Lab
   - Connect your Flipper Zero to your computer using a USB-C cable.
   - On your computer, go to lab.flipper.net.
   - Go to NFC tools and then click the GIVE ME THE KEYS button.
   MFKey Application
   To use this feature, you must download the MFKey application to your Flipper Zero from Applications.
   If you don't have access to a smartphone or computer, you can retrieve the keys for the collected nonces using only your Flipper Zero. Keep in mind that key retrieval takes several minutes due to the device's limited processing power.
   - On your Flipper Zero, go to Main Menu -> Applications -> NFC.
   - Run the MFKey application and press the OK button.
   - The retrieved keys and sector numbers will be displayed on the screen. They can then be added to the user dictionary. In some cases, keys cannot be retrieved from the nonces because the reader does not correctly recognize Flipper Zero emulation.