• Registered: 2009-11-19
  • Posts: 30

Topic: Mifare command utility

Some time ago, I was looking for utility to work with mifare classic tags on a "higher" level, not only dumping/writing the whole card. I couldn't find any, working with my ACR122U, so I started to build my own.

It can perform authentication with both A and B on specified block, read, write and parse trailer block data (it can also display a matrix for C1 C2 C3 bits for blocks 0 1 2 and 3/trailer/ of corresponding sector)

In the new 0.01, Value block commands are also implemented.

MiCmd was firstly designed for my private usage (e.g. not to be published anywhere), so it now has only Windows version of binary available, however, if you would like to have this available under linux, unix as well, feel free to download the code, make changes, if necessary, create makefile and post it smile

EDIT:
The link: http://code.google.com/p/micmd/

Last edited by whitewash (2009-12-14 17:08:37)

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

hi whitewash

Can you share the code?Because zip is only the binary
I would like to probe it under linux

cheers!

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Hello,
you should be able to anonymously svn-checkout the source, as described in the Source tab.

Nevertheless, I've added a .src.zip (see the Downloads tab)

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

i am testing the binary,the first i type "o",connection is opened,then i type "a" and i get authentication with key A in block 0
Now i want to read the block and I type "r", and "Could not read  the data block!,and I  try again and i read it
sometimes it reads,sometimes it not read!!!
I think that it isnt working well!!!
i have another script that it reads perfectly!

Regards

Excuse me for my english!

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Hello,
just for info, when authenticating, you need to type the sector number, whereas when reading/writing, you need to type the block number. Although I don't think this is the problem.

I've made a sample video, reading my old mifare card, it works perfectly for me:
http://www.screencast.com/t/NzAwOGIz

Which reader are you using?
Well, I've also experienced occasional read failures using nfc-mftool (under Ubuntu), when it suddenly said it couldn't connect, in the middle of a read process. After repeating the process, it worked (in the meantime, I've also tried to move the tag a bit on the reader, but I don't think this is the issue)

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

whitewash wrote:

Hello,
just for info, when authenticating, you need to type the sector number, whereas when reading/writing, you need to type the block number. Although I don't think this is the problem.

i type o,a,BLOCK,key,sometimes Succesful!,r ,BLOCK!
the same block,once and again if not works....this isnt the problem
can you probe another card?

I've made a sample video, reading my old mifare card, it works perfectly for me:
http://www.screencast.com/t/NzAwOGIz

wink

Which reader are you using?
Well, I've also experienced occasional read failures using nfc-mftool (under Ubuntu), when it suddenly said it couldn't connect, in the middle of a read process. After repeating the process, it worked (in the meantime, I've also tried to move the tag a bit on the reader, but I don't think this is the issue)

My touchatag reader works perfectly with debian and libnfc ,and I read all the blocks with authentication
The problem is that i cant use mftool ,and i dont write mifare 1k

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Haven't tried on debian. I've also read my other mifare card, this is the 4k model, works without a glitch.

Are you trying this binary for windows (natively on windows or emulated) or have you compiled your own? If so, what compiler options are you using?

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

whitewash wrote:

Haven't tried on debian. I've also read my other mifare card, this is the 4k model, works without a glitch.

Are you trying this binary for windows (natively on windows or emulated) or have you compiled your own? If so, what compiler options are you using?

yes,i am trying this binary for windows(native in xp),i want to compile for linux...
But i´m not having time,because i have a lot of exams
However,i will compile this code for linux  wink

How do you compile in windows the source?

g++ MiCmd.cpp -o Micmdunix -c includes/

Last edited by *dudux (2009-11-25 23:04:49)

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

I also use WinXP (sp3), with driver downloaded from ACS' site (not touchatag's, I think ACS has the newer version)

Edit:
Visual Studio invokes the compiler with following options:

/O2 /Oi /GL /I "include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /FD /EHsc /MD /Gy /Yu"stdafx.h" /Fp"Release\MiCmd.pch" /Fo"Release\\" /Fd"Release\vc90.pdb" /W3 /nologo /c /TP /errorReport:prompt

This is the legend:
http://msdn.microsoft.com/en-us/library … S.71).aspx

Last edited by whitewash (2009-11-25 23:16:23)

  • Andy
  • Member
  • Offline
  • Registered: 2009-11-11
  • Posts: 18

Re: Mifare command utility

Hi there,
Nice tool!!! It works fine for me until I make a mistake. If I write wrong key or sector for instance the program reject the right key too.  Then I just  close and open connection and start again.
Analysing trailer data will be more useful if instead of matrix there is a information about the state of the trailer and data access bits. There are nice figures and tables in "Making the Best of Mifare Classic". www.sos.cs.ru.nl/applications/rfid/2008-thebest.pdf
Something like this:
Trailer access bits C1,C2,C3 = 011 - this mean that you may change using key B: access bits and the keys.
Regards, Andy

  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Hello and thanks! wink

I know about that "issue" (mifare refusing any operation after attempt to do something invalid/forbidden), my guess is, that it is probably due to how the mifare chip works, it seems like it "closes connection" when you try to do something illegal (the same way SSH server does after too many unsuccessful authentication attempts) so you need to reconnect.
In one case, the program does this automatically, in the next version, I will make the program do reconnect after any failed operation automatically.
EDIT: Yup, it's true, the mifare chip comes to a 'halt' state in this case, which requires the anti-collision and select sequence to be carried out again. As mentioned, will fix (add an auto-reconnect) in next version. However, the reader will still lose access to authenticated blocks.

Analysing trailer data will be more useful if instead of matrix there is a information about the state of the trailer and data access bits. There are nice figures and tables in "Making the Best of Mifare Classic". www.sos.cs.ru.nl/applications/rfid/2008-thebest.pdf

You're right, that's what I was (and still am) planning, however, in the meantime, I've decided to release the 0.01alpha. To be implemented in the next version wink I've downloaded the mifare spec. directly from the NXP site.

Last edited by whitewash (2009-11-26 22:41:59)

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

Has anyone tried to compile under linux?

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Wil try when there's enough time. Also if there is a solid multiplatform native-library calling mechanism for Java, I can make a nice Java GUI application for this...

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

whitewash wrote:

Wil try when there's enough time. Also if there is a solid multiplatform native-library calling mechanism for Java, I can make a nice Java GUI application for this...

yes!! a java GUI is perfect!alpha-gui!!
good lucky! We are waiting

Regards whitewash!

Last edited by *dudux (2009-11-27 06:22:50)

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Well, the Java application is not to be seen so soon, as it is quite complicated to use JNI in java, especially when libnfc works heavily with pointers, which is impossible in Java sad

In the meantime, I've made a tarball available for linux users, see the google code project's page.

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

whitewash wrote:

Well, the Java application is not to be seen so soon, as it is quite complicated to use JNI in java, especially when libnfc works heavily with pointers, which is impossible in Java sad

In the meantime, I've made a tarball available for linux users, see the google code project's page.

Congratulations!   a lot of thanks


guepardo micmd-0.01alpha # micmd

*** MiCmd 0.01alpha -- MIFARE(R) command line***

Main menu:
h - display main menu
o - Open connection
at - analyse manually input trailer data
cls - Clear screen
q - Exit

-- After connection is successfully opened, you may use following
-- additional commands:
a - Authenticate with A key
b - Authenticate with B key
r - Read specific block data
w - Write specific block data
t - Transfer value block to volatile memory
d - Decrement value block
i - Increment value block
s - Store value block
c - Close existing connection


You are NOT connected, additional commands will not work.
Type h for help.
MiCmd 0.01alpha>
developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Alright, I've posted next version (0.01) on the Google Code project's page.

What has changed:

- According to Andy's proposal, the trailer block analysis also shows brief description of C1C2C3 states for all blocks in sector. It does, however, NOT verify the internal validity of AC data in a trailer block (during the matrix calculation, inverse bits are completely ignored, so the program won't tell you if that value is safe - won't corrupt your Access Conditions, killing whole sector. It only reads AC matrix from existing value)

- MiCmd now supports value block operations as well

- Added auto-reconnect feature (after any invalid operation, the tag itself halts, so all further commands are rejected. MiCmd now reconnects after every failed operation, so the tag can be used again)

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

Hi whitewash,i am testing  new version with touchatag.

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01> a

Enter sector number: 4
Enter key (6B HEX value, WITHOUT spaces): cb5ed0e57b08
Authentication FAILURE! :'( Tag halted, reconnecting...
Closing connection to ACR122U102 - PN532 v1.4 (0x07)
Connection closed.
Connected to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01> a

Enter sector number: 4
Enter key (6B HEX value, WITHOUT spaces): cb5ed0e57b08
Authentication FAILURE! :'( Tag halted, reconnecting...
Closing connection to ACR122U102 - PN532 v1.4 (0x07)
Connection closed.
Connected to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01> c

Closing connection to ACR122U102 - PN532 v1.4 (0x07)
Connection closed.

You are NOT connected, additional commands will not work.
Type h for help.
MiCmd 0.01> o

Connected to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01> a

Enter sector number: 4
Enter key (6B HEX value, WITHOUT spaces): cb5ed0e57b08
Authentication FAILURE! :'( Tag halted, reconnecting...
Closing connection to ACR122U102 - PN532 v1.4 (0x07)
Connection closed.
Connected to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01> a

Enter sector number: 4
Enter key (6B HEX value, WITHOUT spaces): cb5ed0e57b08
Authentication FAILURE! :'( Tag halted, reconnecting...
Closing connection to ACR122U102 - PN532 v1.4 (0x07)
Connection closed.
Connected to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01> ^C
livecd RFIDIOt-1.0a # ./readmifaresimple.py -r 0 4 7  cb5ed0e57b08
readmifaresimple v0.1f (using RFIDIOt v1.0a)
  Reader: PCSC ACS ACR 38U-CCID 00 00
          (Firmware: ACR122U102,  SAM Serial: 11B28D0D6244088F,  SAM ID: 003349)

  Card ID: DA3A42E0

    Reading from 04 to 07, key CB5ED0E57B08 (AA)

    Block 004: OK (CB5ED0E57B08 AA) Data: 113038260000000000200000000000E0 .08&..... ......
    Block 005: OK (CB5ED0E57B08 AA) Data: 010000000A000000000000000000004C ...............L
    Block 006: OK (CB5ED0E57B08 AA) Data: 010000000A000000000000000000004C ...............L
    Block 007: OK (CB5ED0E57B08 AA) Data: 0000000000007E178869000000000000 ......~..i......

  Total blocks read: 4
  Total blocks locked: 0

livecd RFIDIOt-1.0a #

Why arent autenthicating well??and RFDIOT yes?

developing the future!
  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Hello,
Are you sure you entered correct key? I mean, not only the key itself, but also whether it is key A or B. You cannot send Authenticate with A key and use key B, and vice versa.
I've just tried both keys to randomly-chosen sector on my card, both authentications were successful.

EDIT: rfidiot uses different driver, as you can see, ACR models detected by micmd (libnfc) and rfidiot are different, so maybe you need to somehow change the libnfc's driver definition

Last edited by whitewash (2009-12-08 10:25:16)

  • Registered: 2009-12-01
  • Posts: 2

Re: Mifare command utility

@dudux, is strange as whitewash said, It's working for me with the same ACR hardware
¿What you did in order to get rfidiot working?

great tool!

Last edited by mifarre (2009-12-09 23:42:04)

  • Registered: 2009-12-05
  • Posts: 11

Re: Mifare command utility

if RFIDIOt is working, you can just use '-d' for debug mode to monitor all the APDUs that are being sent and maybe you can spot the difference...

BTW, RFIDIOt now has libnfc support (but unfortunately it was released just as the new api changes were being committed to the libnfc repo, so it only works with 1.2.1 - the wrapper developer should be porting to the new api shortly) so it might be interesting to see if there's a difference between running RFIDIOt tools with PCSC and libnfc...

  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

Connected to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01alpha> a

Enter sector number: 1
Enter key: cb5ed0e57b08
Authentication successful. :-P

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01alpha> r

Enter block number: 4
11 30 38 26 00 00 00 00 00 20 00 00 00 00 00 E0  ( 113038260000000000200000000000E0 )

You are CONNECTED to ACR122U102 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: DA 3A 42 E0
Type h for help.
MiCmd 0.01alpha> ^C

guepardo RFIDIOt-1.0a # ./readmifaresimple.py 4 7 cb5ed0e57b08
readmifaresimple v0.1f (using RFIDIOt v1.0a)
  Reader: PCSC ACS ACR 38U-CCID 00 00
          (Firmware: ACR122U102,  SAM Serial: 11B28D0D44244088F,  SAM ID: 003669)

  Card ID: DA3A42E0

    Reading from 04 to 07, key CB5ED0E57B08 (AA)

    Block 004: OK (CB5ED0E57B08 AA) Data: 113038260000000000200000000000E0 .08&..... ......
    Block 005: OK (CB5ED0E57B08 AA) Data: 01000000090324446215A900000020A0 ......$Db..... .
    Block 006: OK (CB5ED0E57B08 AA) Data: 01000000090324446215A900000020A0 ......$Db..... .
    Block 007: OK (CB5ED0E57B08 AA) Data: 0000000000007E178869000000000000 ......~..i......

  Total blocks read: 4
  Total blocks locked: 0

guepardo RFIDIOt-1.0a #

@whitewash: Sorry!! I was changing keys...its working perfectly!Sorry wink

@mifarre: of course,too me! sorry.
                if you want use rfidiot ,you must compile a lot of dependencies.....(pyscard,pycrypto,pyserial ,swig........)
                you have to visit rfidiot.org and you can test the new release of november 09
                Where do you stop in the install?

@adam: yes adam,RFIDIOt is working,and debug mode is very interesting.Thanks
                

guepardo RFIDIOt-1.0a # ./readmifaresimple.py -d  4 7 cb5ed0e57b08
Reader Subtype: 7                                                 
connecting to ACS ACR 38U-CCID 00 00                              
>  FF 00 00 00 06 D4 32 05 00 00 00                               
<  []  61 4                                                       
>  FF C0 00 00 04                                                 
<  D5 33 90 0                                                     
readmifaresimple v0.1f (using RFIDIOt v1.0a)                      
>  FF 00 00 00 04 D4 32 01 00                                     
<  []  61 4                                                       
>  FF C0 00 00 04                                                 
<  D5 33 90 0                                                     
>  FF 00 00 00 04 D4 32 01 01                                     
<  []  61 4                                                       
>  FF C0 00 00 04                                                 
<  D5 33 90 0                                                     
  Reader: PCSC ACS ACR 38U-CCID 00 00                             
disconnecting from ACS ACR 38U-CCID 00 00
developing the future!
  • Registered: 2009-11-15
  • Posts: 40

Re: Mifare command utility

@whitewash: Are you thinking in a MicmdGUI??¿¿¿

developing the future!
  • Registered: 2009-03-04
  • Posts: 14

Re: Mifare command utility

I have try MIcmd with ACR122. It work with auth .but a error come out when i try to read according blocks .

Message shows:

You are CONNECTED to ACR122U203 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: C2 3A 6D 3D
Type h for help.
MiCmd 0.01> a

Enter sector number: 1
Enter key (6B HEX value, WITHOUT spaces): ffffffffffff
Authentication successful. :-P

You are CONNECTED to ACR122U203 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: C2 3A 6D 3D
Type h for help.
MiCmd 0.01> r

Enter block number: 5
Could not read the data block! Tag halted, reconnecting...
Closing connection to ACR122U203 - PN532 v1.4 (0x07)
Connection closed.
Connected to ACR122U203 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: C2 3A 6D 3D

You are CONNECTED to ACR122U203 - PN532 v1.4 (0x07)
Found MIFARE Classic 1K tag, UID: C2 3A 6D 3D
Type h for help.
MiCmd 0.01>

  • Registered: 2009-11-19
  • Posts: 30

Re: Mifare command utility

Hello,
Does that specific sector and block work with other software?

Have you checked if Access Conditions permit reading that block with key A? I see You are using one of the default keys used in transport mode, so maybe the access is somehow limited (see your AC for details).