What are the Mifare classic keys for and how do I use them?

Is it a brute force app, and if so, how do I use it?

Assuming you are talking about the key file for MiFare Classics, then yes, it is a brute-force LIST to be used by the NFC reading app.

First, a little background on the MiFare Classics:
(This is mostly a summary of info found here: https://kb.supremainc.com/knowledge/doku.php?id=en:1xfaq_how_to_configure_mifare_card_memory_layout and my knowledge of these systems.)

The MiFare Classic is an NFC-based chip following the ISO 14443A standard. The memory of this chip (assuming we are talking about the Classic 1K) is divided into 16 sectors of 64 bytes each. Like most, if not all, NFC cards, it also contains a UID and other data. Each sector can contain 2 keys as well as access condition information. All of these sectors can be encrypted with the Crypto1 algorithm to protect the data from being copied. Each key in each sector can be used to open a door (or anything else) in a sequence that goes something like this:

  1. Reader detects NFC card and sends out information to unlock at least 1 sector on the MiFare Classic chip
  2. Assuming the MiFare classic is programmed for this door, it sends back the key and access conditions
  3. The reader validates the key and access conditions it receives and checks if the UID of the key is valid or within a specified range
  4. If everything is in order, the reader opens the door

Now, this sequence presents a problem for a Flipper (or any other reader not programmed for that key) to read and copy the data. MiFare Classic tags are not designed to be read by just any reader like NTAGs. Crypto1 has already been cracked, which allows for some more advanced methods of duplicating a key, but that is not something the Flipper is capable of (at least not yet). What the Flipper does when you try to read a MiFare Classic is a brute-force attack on all the sectors by trying every key it knows about on each sector. That is why these tags can take so long to read; the Flipper has to try hundreds to thousands of keys on multiple sectors to try and copy all of the data. This process may work and it may not; it all just depends on whether people have added the keys used to secure your MiFare Classic’s sectors to the list that the Flipper uses.

Now, what can you do if it doesn’t know the correct keys for your tag? There is a tool for that too, called “Detect Reader”. What this does is collect data from the reader that can be used to calculate keys that may unlock sectors of a MiFare Classic tag that would have access granted by that reader. You collect nonces from the reader, and then use Mfkey32 from the mobile Flipper app to calculate keys to add to your personal key list. After doing this enough times to enough readers your tag works on, you should have more success (i.e., more sectors and keys found) the next time you use the Flipper to read your tag.

TL;DR - It is a brute-force list of known keys for MiFare Classic tags used when trying to read those tags. You can add your own entries using the “Detect Reader” function of the Flipper in conjunction with the “Mfkey32” tool on the Flipper mobile app.

Hopefully, this helps you understand your Flipper and these access control tags just a little better! Let me know if you have any other questions!

6 Likes
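To see which sectors of a card you administer would fall to a shared key list like the one described in the answer above, the following added example (not part of the original post and not Flipper code) audits a raw Classic 1K dump offline. It assumes a 1024-byte binary dump in which the reading tool has written the recovered keys into each sector trailer, with the trailer laid out as Key A (6 bytes), access bits (3), one user byte, Key B (6); the key list and the sample dump are constructed for illustration.

```python
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16  # Classic 1K: 16 x 64 bytes

# Constructed key list: FFFFFFFFFFFF is the factory transport key; the second
# entry is a made-up value standing in for a key found in a shared dictionary.
KNOWN_KEYS = {bytes.fromhex("FFFFFFFFFFFF"), bytes.fromhex("A1B2C3D4E5F6")}

def parse_trailer(trailer: bytes) -> dict:
    """Split a 16-byte sector trailer into Key A, access bits and Key B."""
    if len(trailer) != BLOCK_SIZE:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each access nibble is also stored inverted; a mismatch means the
    # trailer is corrupt or was written incorrectly.
    valid = ((b6 & 0x0F) == (~c1 & 0x0F) and (b6 >> 4) == (~c2 & 0x0F)
             and (b7 & 0x0F) == (~c3 & 0x0F))
    return {"key_a": trailer[0:6], "key_b": trailer[10:16],
            "access": (c1, c2, c3), "access_valid": valid}

def audit_dump(dump: bytes, known=frozenset(KNOWN_KEYS)) -> list:
    """Report, per sector, whether each key appears in the known-key list."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError("expected a 1024-byte Classic 1K dump")
    findings = []
    for sector in range(SECTORS):
        start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE  # last block
        t = parse_trailer(dump[start:start + BLOCK_SIZE])
        findings.append({"sector": sector,
                         "key_a_known": t["key_a"] in known,
                         "key_b_known": t["key_b"] in known,
                         "access_valid": t["access_valid"]})
    return findings

def build_sample_dump() -> bytes:
    """Constructed dump: transport trailers, then three altered sectors."""
    default = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
    sectors = [bytes(48) + default for _ in range(SECTORS)]
    sectors[1] = bytes(48) + bytes.fromhex("0F1E2D3C4B5A" "FF0780" "69" "5A4B3C2D1E0F")
    sectors[2] = bytes(48) + bytes.fromhex("A1B2C3D4E5F6" "FF0780" "69" "112233445566")
    sectors[3] = bytes(48) + bytes.fromhex("FFFFFFFFFFFF" "000000" "69" "FFFFFFFFFFFF")
    return b"".join(sectors)

if __name__ == "__main__":
    for f in audit_dump(build_sample_dump()):
        if f["key_a_known"] or f["key_b_known"] or not f["access_valid"]:
            print(f)
```

Any sector reported with a known key is one a dictionary read would recover; sectors with both flags false are the ones protected by keys outside the list.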

How do I add the brute force app?

I have a little better understanding now. Thank you!