Help and Info

1. General Information

This tool provides several features to interact with (and only with) MIFARE Classic RFID-Tags. It is designed for users who have at least basic familiarity with the MIFARE Classic technology. You also need an understanding of the hexadecimal number system, because all data input and output is in hexadecimal.

Some important things are:

For further information about MIFARE Classic check Wikipedia, do some Google searches or read the MIFARE Classic (1k) 'Datasheet' (PDF) from NXP.

This application is free software under the GPLv3 License. The source code is available on GitHub.

1.1 Features

1.2 License

This application was originally developed by Gerhard Klostermeier in cooperation with SySS GmbH (www.syss.de) and Aalen University (www.htw-aalen.de) in 2012/2013. It is free software under the GNU General Public License v3.0 (GPLv3).

Icons used in this application:

MIFARE® is a registered trademark of NXP Semiconductors.

2. Getting Started

First of all, you need the keys for the tag you want to read. Due to some weaknesses in MIFARE Classic, you can retrieve all the keys (A and B) of a tag with tools like the Proxmark3 or normal RFID-Readers and some special software (mfcuk, mfoc).

The application comes with standard key files called std.keys and extended-std.keys, which contain the well-known keys and some standard keys from a short Google search. You can try to read a tag with these key files using "Read Tag" from the main menu.

Once you know some keys, you can put them into a simple text file (one key per line). You can do this on your PC and transfer the file to the MifareClassicTool/key-files/ directory (on external storage), or you can create a new key file via "Edit or Add Key File" from the main menu. Once you have finished setting up your key file, you can read a tag using "Read Tag" from the main menu.

Advantages of the Key Files Concept:

This dictionary-attack based mapping process (keys <-> sectors) makes it easy for you to read as much as possible with the keys you know!

3. Read Tag

Technically speaking, reading an RFID-Tag is done in two steps:

4. Write Tag

If you want to write data to a MIFARE Classic tag, it is important that you understand what you are doing. Writing the wrong data to certain blocks may cause irreparable damage to the tag.

4.1 Write Block

First you have to specify which block you want to write to. Typical (MIFARE Classic 1k) ranges are: sector 0-15, block 0-3. The second step is to enter the data you want to write. This is done in hexadecimal format with a length of 16 bytes (32 characters). After pressing the button, the last step is to choose key files which (possibly) contain the key with write privileges for this sector/block.

4.2 Write Dump (Clone)

With this method you can write a dump (or some sectors of it) to a tag. If you want to clone a tag, you first have to read and then dump the original tag. The second step is to restore the dumped data on another tag (for which you know the keys). You need the keys with write privileges for all sectors you want to write.
After selecting the dump, the sectors and the key files, the App will check everything for you! If there are issues like 'block is read-only', 'key with write access not known', etc., you will get a report before writing.


4.3 Factory Format

This will try to format the tag back to factory/delivery state. In this state, all data block bytes are 0x00 and the sector trailers contain 0xFFFFFFFFFFFF as key A/B and 0xFF078000 as access conditions.

4.4 Incr./Decr. Value Block

With this method you can increment or decrement and then transfer a Value Block. If an increment or decrement fails, it is due to one of the following reasons:

If an increment or decrement fails due to an interrupted and therefore incomplete transaction, the Value Block could become unusable.

If you don't know what a MIFARE Classic Value Block is, you should read chapter of the MIFARE Classic (1k) Datasheet (PDF).

5. Edit Tag Dump File

The tag editor is a simple hex-editor with some highlighting. This editor can be accessed in two different ways:

You can save a dump into a file by pressing the save toolbar button (or menu item). The dumps will be saved in the MifareClassicTool/dump-files/ directory (on external storage).

5.1 Share a Dump

From the dump editor you can share a dump (via toolbar or menu item). You can choose between Apps that are willing to process the dump file. Note that some Apps fail to process the dump.
Apps which are known to work with MCT: Gmail, Bluetooth, etc.

5.2 Display Data as ASCII

From the dump editor you can display the data in 7-Bit US-ASCII (via menu). Non-printable characters are replaced with a dot ("."). The last block of a sector, the sector trailer, will not be translated to ASCII.

5.3 Display Access Conditions

From the dump editor you can display the MIFARE Classic Access Conditions as a table (via the menu). If you do not know what they are, you can read chapters 8.6.3 and 8.7 (and subchapters) from the MIFARE Classic (1k) Datasheet (PDF).

5.4 Display Value Blocks as Integers

From the dump editor you can decode blocks formatted as MIFARE Classic Value Block to integer format (via the menu). For further information regarding Value Blocks read/see chapter from the MIFARE Classic (1k) Datasheet (PDF).

5.5 Display the date of manufacture

From the dump editor you can decode the date of manufacture (via the menu).

The last 2 bytes of the manufacturer block (sector 0, block 0) represent the date of manufacture. They should be in binary coded decimal format (BCD, only digits, no letters). The first byte represents the week of manufacture and must be between 1 and 53. The second byte represents the year of manufacture and must be between 0 and the current year (e.g. 12, meaning 2012).

This is not a standard, and some manufacturers don't stick to it. So it is possible that MCT can't display the date of manufacture or displays a wrong one.

5.6 Write Dump

You can write dumps directly from the dump editor. For writing dumps see Write Dump (Clone).

5.7 Compare Dump

You can compare the current dump to another dump directly from the dump editor. For comparing dumps see Diff Tool (Compare Dumps).

5.8 Save Keys

You can save the keys of the currently viewed tag into a key file. This could be used to speed up the mapping process for the corresponding tag because the new key file will only contain valid keys.

6. Edit or Add Key File

There are two ways to create a key file:

Key files are simple text files which contain one MIFARE Classic key per line (hexadecimal, 6 bytes, 12 characters). Lines starting with # as well as empty lines are ignored.

You can edit key files any time you want with "Edit/Add Key File" from the main menu.

Because key files are used like dictionaries in dictionary-attacks, it is sufficient to enter each distinct key only once (even if the key is used for multiple sectors). You can remove duplicates in a key file (via menu) from the key editor. It is also possible to share key files like dump files (see chapter Share a Dump).

For other advantages see chapter Getting Started, section "Advantages of the key files concept".
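The key file format described in this chapter can be checked on a PC before the file is copied to the device. The parser below is an added example, not MCT's own code; trimming whitespace and normalising keys to upper case are assumptions, and the sample file is constructed.

```python
import re

# One MIFARE Classic key: 6 bytes written as exactly 12 hexadecimal characters.
KEY_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_key_file(text):
    """Return (keys, errors).

    keys   -- unique keys in file order (duplicates dropped, as the key
              editor's "remove duplicates" menu item would do)
    errors -- (line number, raw line) for every line that is neither a
              comment, an empty line, nor a well-formed key
    """
    keys, seen, errors = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()              # assumption: surrounding whitespace is harmless
        if not line or line.startswith("#"):
            continue                    # comments and empty lines are ignored
        if not KEY_RE.match(line):
            errors.append((lineno, raw))
            continue
        key = line.upper()              # assumption: keys compare case-insensitively
        if key not in seen:
            seen.add(key)
            keys.append(key)
    return keys, errors


# Constructed sample: a comment, a duplicate and one key that is a digit short.
SAMPLE_KEY_FILE = """\
# constructed sample key file
FFFFFFFFFFFF

0123456789ab
FFFFFFFFFFFF
11223344556
"""

if __name__ == "__main__":
    keys, errors = parse_key_file(SAMPLE_KEY_FILE)
    print("keys:", keys)
    for lineno, raw in errors:
        print(f"line {lineno}: not a 12-character hex key: {raw!r}")
```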

7. Tools

This section provides some general tools to work with MIFARE Classic.

7.1 Display Tag Info

In this view you can see some generic information (like UID, ATQA, SAK, Tag size, etc.) about the RFID-Tag.

If your device does not support MIFARE Classic, this is the only thing you can do with this App. :(

Tag type and manufacturer identification:
The identification mechanism is based on this website. If you want to have a closer look at MIFARE tag identification read the NXP MIFARE Type Identification Procedure (PDF). Another helpful file for ATS (ATR) based identification is provided by the PCSC project.

The tag type and manufacturer determined by MCT could be wrong for several reasons:

7.2 Value Block Decoder/Encoder

This tool is capable of decoding MIFARE Classic Blocks into integer and the other way around (encode integer to a MIFARE Classic Value Block). If you don't know what a MIFARE Classic Value Block is, you should read chapter of the MIFARE Classic (1k) Datasheet (PDF).
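The decoding and encoding this tool performs can be reproduced offline, for example to check blocks in a saved dump. The code below is an added example, not MCT's implementation; it follows the Value Block layout from the NXP datasheet (value, inverted value, value, then the Addr byte stored as addr, inverted addr, addr, inverted addr), and the function names are hypothetical.

```python
import struct


def _invert(data):
    """Bitwise complement of every byte."""
    return bytes(b ^ 0xFF for b in data)


def encode_value_block(value, addr=0x00):
    """Build the 16-byte Value Block for a signed 32-bit value and an Addr byte."""
    v = struct.pack("<i", value)            # little-endian signed 32-bit
    a = addr & 0xFF
    return v + _invert(v) + v + bytes([a, a ^ 0xFF, a, a ^ 0xFF])


def decode_value_block(block):
    """Return (value, addr); raise ValueError if the redundancy checks fail."""
    if len(block) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    v, inv, v2 = block[0:4], block[4:8], block[8:12]
    if v != v2 or _invert(v) != inv:
        raise ValueError("value copies are inconsistent")
    a, na, a2, na2 = block[12:16]
    if a != a2 or na != na2 or (a ^ 0xFF) != na:
        raise ValueError("Addr copies are inconsistent")
    return struct.unpack("<i", v)[0], a


def is_value_block(block):
    """True if the block passes the Value Block format checks."""
    try:
        decode_value_block(block)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blk = encode_value_block(100)
    print(blk.hex().upper(), decode_value_block(blk))
    # A factory-formatted data block (all 0x00) is not a valid Value Block.
    print(is_value_block(bytes(16)))
```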

In most cases the "Addr" of a value block is 00 (hex) because it is not used. However, according to NXP it "can be used to save the storage address of a block, when implementing a powerful backup management."

7.3 Access Condition Decoder/Encoder

This tool is capable of decoding MIFARE Classic Access Conditions into a more human readable format and the other way around (encode to MIFARE Classic Access Conditions). If you don't know what MIFARE Classic Access Conditions are, you should read chapter 8.7 of the MIFARE Classic (1k) Datasheet (PDF).
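As an added example (not MCT's code), the decoder below unpacks the access bytes of a sector trailer into the C1/C2/C3 bits per block and maps the data-block bits to the rights listed in the datasheet. It is run on the factory value 0xFF078000 quoted under Factory Format; function and table names are hypothetical.

```python
# Data-block rights per (C1, C2, C3):
# (read, write, increment, decrement/transfer/restore)
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),          # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),              # value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),      # value block
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}


def decode_access_bytes(ac):
    """Decode trailer bytes 6..8 into one (C1, C2, C3) tuple per block 0..3.

    A fourth byte (trailer byte 9, general purpose) is accepted and ignored.
    """
    if len(ac) < 3:
        raise ValueError("need at least the 3 access bytes")
    b6, b7, b8 = ac[0], ac[1], ac[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4          # plain copies
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F        # inverted copies
    # Each bit is stored once plain and once inverted. Per the datasheet,
    # a tag that detects a mismatch blocks the whole sector irreversibly.
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("inverted copies do not match")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def describe_sector(ac_hex):
    """Rights for data blocks 0..2 plus the raw bits of the sector trailer."""
    bits = decode_access_bytes(bytes.fromhex(ac_hex))
    names = ("read", "write", "incr", "decr")
    report = {b: dict(zip(names, DATA_BLOCK_RIGHTS[bits[b]])) for b in range(3)}
    report["trailer_bits"] = bits[3]
    return report


if __name__ == "__main__":
    for block, rights in describe_sector("FF078000").items():
        print(block, rights)
```

Running a planned trailer through this check before writing it catches the inconsistent access bytes that would make a sector unusable.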

7.4 Diff Tool (Compare Dumps)

This tool is capable of showing you the difference between two dumps. Just select the dumps you want to compare and the tool will highlight all the sections where the two dumps differ from each other.

7.5 BCC Calculator

This tool can calculate the Bit Count Check (BCC) value. For MIFARE Classic tags with a 4-byte UID, the BCC must be the 5th byte of the very first block (manufacturer block).

More information about calculating the BCC and how it is used during the anti-collision phase can be found in NXP's AN10927.
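The BCC check described here and the date-of-manufacture decoding from chapter 5.5 both operate on block 0, so one added example (not MCT's code) covers them: it validates the BCC as the XOR of the four UID bytes and decodes the BCD week/year with the range checks given above. The sample block is constructed, and reading the year as 2000 + yy follows the page's "12, meaning 2012" example.

```python
from datetime import date


def bcc(uid):
    """XOR of all UID bytes; for a 4-byte UID this is the 5th byte of block 0."""
    value = 0
    for b in uid:
        value ^= b
    return value


def bcd_to_int(byte):
    """Decode one BCD byte (two decimal digits); None if a nibble is A-F."""
    hi, lo = byte >> 4, byte & 0x0F
    if hi > 9 or lo > 9:
        return None
    return hi * 10 + lo


def parse_manufacturer_block(block_hex, current_year=None):
    """Check the BCC and decode the manufacture date of a 4-byte-UID tag."""
    block = bytes.fromhex(block_hex)
    if len(block) != 16:
        raise ValueError("block 0 must be 16 bytes (32 hex characters)")
    if current_year is None:
        current_year = date.today().year
    uid = block[0:4]
    week, year = bcd_to_int(block[14]), bcd_to_int(block[15])
    manufactured = None
    # Not a standard: report a date only if both bytes are plausible.
    if (week is not None and year is not None
            and 1 <= week <= 53 and 2000 + year <= current_year):
        manufactured = (week, 2000 + year)
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": bcc(uid) == block[4],
        "manufactured": manufactured,   # (week, year) or None
    }


# Constructed block 0: UID 01020304, BCC 04, filler bytes, week 25 / year 12.
SAMPLE_BLOCK0 = "01020304" "04" "080400" "000000000000" "2512"

if __name__ == "__main__":
    print(parse_manufacturer_block(SAMPLE_BLOCK0))
```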

8. External NFC

MCT can be used with External NFC. This app allows you to connect an external USB-based RFID reader to your Android device. Not every RFID reader is supported by External NFC and your Android device must be USB-OTG enabled.

Readers which should work:

For questions regarding the External NFC app please have a look at its Play Store page and/or contact its developer.