Cloning Mifare 1k "classic" chips to an xM1 with the Proxmark3
Summary
TLDR: This video explores the MIFARE 1K Classic S50 legacy chip, a high-frequency RFID chip used in transit ticketing and access control. It covers the chip's memory structure, keying system, and cloning process using a modified Proxmark device. The tutorial demonstrates how to read, attack, and clone the chip's ID and key, and highlights the importance of verifying data after it is written.
Takeaways
- 📱 The video discusses the MIFARE 1k Classic S50 legacy chip, which was one of the first high-frequency 13.56 MHz chips with a proprietary algorithm called Crypto1 for security.
- 🔒 The Crypto1 algorithm was designed for authenticity checks and allowed for the creation of different sectors with varying permissions, making the chip versatile for various applications like transit ticketing and access control.
- 🔑 Despite its security features, the proprietary Crypto1 algorithm had vulnerabilities due to the limitations of early chips, which could not use standardized encryption.
- 💡 The chip's ubiquity in infrastructure perpetuates its use, even with known vulnerabilities, due to the high cost of replacing the entire system.
- 🌐 The video mentions the use of the chip in various systems, such as a legitimate access control system popular in Europe and Chuck E. Cheese's play pass.
- 🛠️ The presenter demonstrates how to use a modified Proxmark device to clone the MIFARE 1k Classic chip, including accessing and manipulating the memory structure of the chip.
- 🔍 The memory structure of the chip is explored, showing different sectors and their default keys, with an emphasis on the use of keys for authentication rather than data protection.
- 🔄 The process of cloning involves using the 'autopwn' command in the Proxmark3 client to recover the key and dump file, which contains all necessary information for cloning.
- 📁 The video explains the importance of verifying the data written to a digital medium, such as an RFID implant, to ensure successful cloning without data loss.
- 🔄 The 'cload' command is used to load the dump file onto the xM1 implantable device, effectively cloning the MIFARE 1k Classic chip.
- 👨‍💻 The video credits Chris Herman and Iceman for their work on the Proxmark firmware, making the process of cloning and manipulating RFID chips more accessible and user-friendly.
Q & A
What is the MIFARE 1k Classic S50 legacy chip?
- The MIFARE 1k Classic S50 legacy chip is one of the first high-frequency, 13.56 megahertz chip types that used a proprietary algorithm called Crypto1 for security. It was designed to secure the authenticity of the card and could be used for applications like transit ticketing, laundry tokens, and food tokens.
What is the purpose of the Crypto1 algorithm?
- The Crypto1 algorithm was used to secure the authenticity of the card. It allowed for the creation and definition of different sectors with different keys or permissions, enhancing the security of the card.
Why were the early chips vulnerable despite using Crypto1?
- Early chips were limited in power and processing capabilities, which prevented them from using standardized encryption. This made the Crypto1 algorithm vulnerable to attacks.
What is the significance of the ubiquity of the MIFARE 1k Classic chip?
- The ubiquity of the MIFARE 1k Classic chip is significant because it became a standard for various applications due to its versatility. Even with known vulnerabilities, the widespread infrastructure supporting this chip type makes it costly to replace, perpetuating its use.
What are some examples of applications where the MIFARE 1k Classic chip is used?
- Examples of applications where the MIFARE 1k Classic chip is used include transit ticketing, laundry tokens, and food tokens, where additional security is desirable.
What is the difference between a standard Proxmark and the modified Proxmark used in the video?
- The standard Proxmark has the LF antenna on the top and an HF antenna on the bottom PCB. The modified Proxmark used in the video has the HF antenna on the lower PCB, with the middle PCB removed, which is important for dealing with devices like the xM1.
What is the xM1 device and how is it related to the MIFARE 1k Classic chip?
- The xM1 is a magic MIFARE 1k Classic chip that allows changes to be made to sector 0, including the ID number. It is used for cloning classic 1k cards, making it a versatile tool for applications that require secure card cloning.
What is the memory structure of the MIFARE 1k Classic chip like?
- The memory structure of the MIFARE 1k Classic chip includes sector zero, where the ID and other important information reside, and additional sectors that can be set up for different applications or with different keys.
How does the cloning process of the MIFARE 1k Classic chip work?
- The cloning process involves using a modified Proxmark to read the card's memory structure, including the ID and keys, and then writing this data to an xM1 implant. This creates a perfect clone of the original card on the implantable device.
What is the importance of verifying the data after writing it to a digital medium?
- Verifying the data after writing it to a digital medium is crucial because the writing process does not automatically check if the data has been successfully retained. Verification ensures that the memory storage medium has accurately stored the written data.
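The sector layout and the read-back verification described in the answers above can be checked offline against dump files. The following is an added example, not code from the video or from the Proxmark project: it assumes a raw 1024-byte binary dump (16 sectors of four 16-byte blocks), all function names are hypothetical, and the sample dump is constructed.

```python
"""Added example: audit a raw MIFARE Classic 1K dump and verify a write."""
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE   # 1024 bytes
FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")            # factory transport key

def blocks(dump):
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE} bytes, got {len(dump)}")
    return [dump[i:i + BLOCK_SIZE] for i in range(0, DUMP_SIZE, BLOCK_SIZE)]

def access_bits_valid(trailer):
    """Trailer bytes 6-8 hold C1..C3 and their inverses; both must agree."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    return ((b6 & 0x0F) == (~(b7 >> 4) & 0x0F)        # ~C1 vs C1
            and (b6 >> 4) == (~b8 & 0x0F)             # ~C2 vs C2
            and (b7 & 0x0F) == (~(b8 >> 4) & 0x0F))   # ~C3 vs C3

def audit(dump):
    """Summarise block 0 and every sector trailer (last block of a sector)."""
    blks = blocks(dump)
    uid, bcc = blks[0][:4], blks[0][4]
    report = {"uid": uid.hex(),
              "bcc_ok": bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
              "factory_key_sectors": [], "bad_access_bits": []}
    for s in range(SECTORS):
        trailer = blks[s * BLOCKS_PER_SECTOR + 3]
        if FACTORY_KEY in (trailer[:6], trailer[10:16]):   # key A, key B
            report["factory_key_sectors"].append(s)
        if not access_bits_valid(trailer):
            report["bad_access_bits"].append(s)
    return report

def verify_write(expected, read_back):
    """Block numbers where the read-back dump differs from what was written."""
    pairs = zip(blocks(expected), blocks(read_back))
    return [n for n, (want, got) in enumerate(pairs) if want != got]

def sample_dump():
    """Constructed sample: custom keys on sector 0, factory keys elsewhere."""
    uid = bytes.fromhex("DEADBEEF")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    default = FACTORY_KEY + bytes.fromhex("FF078069") + FACTORY_KEY
    custom = (bytes.fromhex("A1B2C3D4E5F6") + bytes.fromhex("FF078069")
              + bytes.fromhex("112233445566"))
    return block0 + bytes(32) + custom + (bytes(48) + default) * 15

if __name__ == "__main__":
    print(audit(sample_dump()))
```

An empty list from `verify_write` means every block read back from the target matches the source dump; any listed block number should be rewritten and checked again.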
What are the challenges associated with updating the infrastructure to support more advanced card types or chip types?
- Updating the infrastructure to support more advanced card types or chip types involves significant costs, including replacing all cards and reissuing them, as well as reconfiguring the entire system. This can be more expensive than dealing with potential fraud or security breaches associated with the older technology.