Passive Detect Reader - Avoid triggering tamper alarms?

Hello.

I noticed that Flipper Zero has a Detect Reader functionality which is supposedly used to capture some data from a NFC reader to crack the protection of a Mifare Classic card i.e. by using mfkey32. Afaik, this works by having F0 emulate a card and capturing the interactions (nonces). As I read the web I see that this approach has a high chance to trigger security tampering alarms on the readers. I think there was even a thread on Reddit about a guy who lost his job because of this.

Would it be possible to modify this “Detect Reader” functionality in such a way that would avoid triggering any alarms i.e. by having F0 passively eavesdrop on the interaction between the reader and a NFC card? This would of course require the user to own a valid Mifare Classic 1K card. The user would set F0 into NFC passive scan mode, place the NFC card on the back of it and then approach the reader with both devices. The reader will perform its stuff and register the card as normal, but F0 would passively sniff the interaction and capture the required data. This would definitely require the user to repeat the sniff a number of times over longer time period (i.e. daily checking in and checking out at work) to avoid triggering tamper alarms. Once sufficient interactions are recorded, proceed with the cracking as normal.

Can this be done?

That seems plausible but I bet that would take a long time. I would be interested in how long it takes to set off a tamper alarm.

Please forgive me, if I don’t provide you the information you seek, I don’t want to lose my job… or trigger a police response at the local supermarket.

But genuinely, how many scans (or nonces) do we actually need to perform the mfkey32 crack? I’ve seen some flipper screens suggest that 10 of them should be enough? Correct me if I’m wrong, but I’m not sure whether 10 scans would fit into the “that would take a long time” category.

Kind regards.


I don’t see questions around here when it only takes 10 scans. People usually come here to complain and ask questions like “is it normal for this to take 30 minutes?” I believe we even had “is an hour too long?” My view might be skewed because of that.

I think I might be able to forgive you for wanting money to eat and keep a roof over your head. However there are some people out there that have permission to test that kind of stuff. If we are lucky one might chime in or perhaps I can find someone to test that for us.

I am one of the lucky people with permission to analyse a RFID access system.
But when it comes to nonces, I am totally lost. I’ve read the source of GitHub - equipter/mfkey32v2: Mifare Classic Key Calculator v2 and some Mifare analysis papers … But I have no clue why it is 10. Whether 5 would be enough but take longer. Whether it can fail even with 10.

But I would be interested in any source or idea.

Even a peek at the PM3 community does not give an explanation of the 10: PM3-Scripting pt II
But it says the chance to fail with one nonce is 25% … So in my understanding 4 nonces should be enough to do the math.

I have no experience with the thread topic, but probability doesn’t work that way.

Example: If a coin is tossed, there is a 50% probability that it will land heads. But this does not mean that by tossing two coins, that probability will increase to 100 %, or even to 150 % by tossing three coins.
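The point about independent trials can be made concrete. This is an added example, not code from any poster in this thread or from the Flipper or mfkey32 projects: it treats each captured nonce as an independent trial with the 25% per-nonce failure rate quoted above (that figure and the independence assumption are taken from the post, not verified properties of mfkey32) and shows why four nonces give roughly 99.6% rather than 100%, and why ten would push the residual failure chance to about one in a million under that model.

```python
"""Independent-trial success probability (added example, not from the thread).

Model: each trial fails with probability `fail_per_trial`, independently of the
others. Success means at least one trial succeeds, so
    P(success after n trials) = 1 - fail_per_trial ** n
The 0.25 per-nonce failure rate used below is the number quoted in the forum
post, used here only as an assumption to illustrate the arithmetic.
"""

QUOTED_NONCE_FAIL_RATE = 0.25  # assumption taken from the thread, not verified


def success_probability(fail_per_trial: float, trials: int) -> float:
    """Probability that at least one of `trials` independent attempts succeeds."""
    if not 0.0 <= fail_per_trial <= 1.0:
        raise ValueError("fail_per_trial must be a probability in [0, 1]")
    if trials < 0:
        raise ValueError("trials must be non-negative")
    # Probabilities of independent events multiply; they never add up past 1.
    return 1.0 - fail_per_trial ** trials


def trials_needed(fail_per_trial: float, target: float, max_trials: int = 10_000) -> int:
    """Smallest n such that success_probability(fail_per_trial, n) >= target.

    Uses a loop rather than ceil(log(1 - target) / log(fail)) so that exact
    cases such as fail=0.5, target=0.75 do not fall victim to float rounding.
    """
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    if fail_per_trial >= 1.0:
        raise ValueError("a trial that always fails never reaches the target")
    allowed_failure = 1.0 - target
    n = 0
    # 0 trials give probability 0 of success, so start at n = 1 unless target is 0.
    while fail_per_trial ** n > allowed_failure:
        n += 1
        if n > max_trials:
            raise ValueError("target not reached within max_trials")
    return n


def probability_table(fail_per_trial: float, max_trials: int) -> list:
    """Rows of (n, P(success)) for n = 1 .. max_trials, for a quick sanity check."""
    return [(n, success_probability(fail_per_trial, n)) for n in range(1, max_trials + 1)]


if __name__ == "__main__":
    # The coin example from the post: two tosses give 75%, not 100%.
    print("two coins, at least one heads:", success_probability(0.5, 2))
    # The "25% per nonce" figure from the post, carried to 1..10 nonces.
    for n, p in probability_table(QUOTED_NONCE_FAIL_RATE, 10):
        print(f"{n:2d} nonces -> {p:.7f}")
    # How many nonces, under that assumption, for a given confidence?
    for target in (0.99, 0.999999):
        print(f"target {target}: {trials_needed(QUOTED_NONCE_FAIL_RATE, target)} nonces")
```

Under this model the numbers are not a guarantee but a diminishing residual: four nonces still leave about a 0.4% chance of failure, and the thread's "10" corresponds to roughly a one-in-a-million residual if the 25% figure and independence held; neither of those premises is established by the posts above.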

I’ve seen some NMAP port scans of secure networks take multiple weeks to avoid triggering IPS alarms, and that was totally acceptable. So, from this point of view the primary objective was to avoid triggering alarms; time cost is secondary. If people are that impatient then maybe it’s better if they do get fired after all…

Fair point.

A very old school view …
One piece of wisdom BackTrack taught me back in the day: “the quieter you become, the more you’re able to hear …”
Also valid for the Flipper, just listen and understand. The opposite of “download and attack”.

Or with the words of Pablo Picasso: “Learn the rules like a pro, so you can break them like an artist”

Absolutely, speed really depends on what you’re up against and your method. If we were doing it passively that’s obviously a slower strategy with less risk. I think a normal physical engagement is only around a week. For passive sniffing I think it would be better if there was a device you could leave there like those ESP keys they sniff traffic with. You could collect a lot of data in only a day.

I can’t find the topic, but I remember a reply by @Astra that sounded like “possible in theory, but we have no plans to implement”.
