Flipper Zero MIFARE Classic 1K Improvement

by ADMIN

Flipper Zero MIFARE Classic 1K Improvement: Enhancing Security and Efficiency

Introduction

The Flipper Zero is a powerful tool for working with various types of RFID tags, including MIFARE Classic 1K. However, during testing, several serious issues were discovered that need to be addressed. These problems are particularly acute when working with tags that have an MF3 filter. In this article, we will discuss the issues discovered, the required improvements, and how to verify these improvements.

Issues Discovered

Problems with Standard Keys

When attempting to scan an original tag with an MF3 filter that uses the standard keys FF FF FF FF FF FF, the Flipper Zero failed to correctly copy these keys. For comparison, I also tried a Proxmark3 Easy, but it also performed unsatisfactorily. What's particularly noticeable is the substitution of the tag's UID: the correct UID of the original tag is 2573B480, but during copying it changes to E68487F3. I tried writing both versions to empty MF3 tags, but neither could open my intercom door.

Interestingly, other devices (TMD-5S and SMKey) with the ikeybase express software successfully handled this task - they correctly identified the keys and created a working copy. This highlights the need for improvement in the Flipper Zero's key copying functionality, particularly when dealing with standard keys and MF3 filters.

Problems with Unknown Keys

I also tested another tag with UID 96B8A921 (with MF3 filter), whose keys were unknown to me. The key recovery methods built into the Flipper Zero proved ineffective: they take too much time. I tried the various known attacks (nested, hardnested, darkside), but none of them helped. However, TMD-5S and SMKey with the ikeybase express software very quickly recovered the keys through their server algorithm:

  • Key A: EF 41 40 37 DC F6
  • Key B: B6 DA 90 FE 2D E0

When I took these keys and used Flipper Zero to write to an empty MF3 tag, the result was successful - the copy opened the intercom door. This demonstrates the need for a more efficient key recovery algorithm in the Flipper Zero, particularly when dealing with unknown keys and MF3 filters.

Problems with Reading Sectors

I also noticed that Flipper Zero doesn't always reliably read all sectors. This depends on the type of tag - some are read completely, others only partially. This highlights the need for improvement in the Flipper Zero's sector reading algorithm, particularly for problematic tag types.

Required Improvements

Working with Standard Keys

I believe that Flipper Zero should correctly copy tags with standard keys FF FF FF FF FF FF. It's especially important to fix the UID substitution problem - the device should preserve the original UID (in my case 2573B480 instead of E68487F3).

Recovery of Unknown Keys

I propose implementing a fast key recovery algorithm similar to that used in ikeybase express. Existing methods (nested, hardnested, darkside) should be optimized to work more effectively with MF3 tags. It would be useful to add the ability to send tag data to an external server for quick key recovery (similar to ikeybase express).

Reading Stability

I recommend improving the sector reading algorithm, especially for problematic tag types. It would be worth implementing automatic retry attempts with different signal parameters if the first attempt fails.

How I Will Verify Improvements

Test 1: Copying Standard Keys

I will scan the original tag with MF3 filter and standard keys FF FF FF FF FF FF and verify that:

  • Keys are correctly copied
  • UID is preserved correctly (2573B480)
  • When written to an empty MF3 tag, the copy works the same as the original (opens the intercom door)

Test 2: Recovery of Unknown Keys

I will take a tag with unknown keys (for example, the one with UID 96B8A921) and verify that:

  • Keys are recovered within a reasonable time (no more than 2 minutes)
  • The recovered keys are correct (for example, Key A: EF 41 40 37 DC F6, Key B: B6 DA 90 FE 2D E0)
  • When writing data to an empty MF3 tag, the copy works like the original

Test 3: Reading Stability

I will check various types of tags with MF3 filter and confirm that:

  • All sectors are successfully read
  • If there are problems with any sector, the system automatically retries and recovers the missing data
  • Reading results are stable during repeated scans of the same tag
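Tests 1 and 3 both come down to inspecting the dump the reader produced: does block 0 carry the UID the reader reported, is the BCC check byte consistent with that UID, and which of the 16 sectors were read completely? The following script is an added example, not code from the article's author or from the Flipper Zero firmware. It assumes a constructed, line-oriented dump text ("UID: …" header line plus "Block N: …" lines, with "??" standing for a byte the reader never obtained); the manufacturer bytes after the BCC in block 0 and the contents of the data blocks are constructed sample values. The second sample reproduces the UID substitution described above (header says 2573B480, block 0 says E68487F3) so the check can be seen catching it.

```python
"""Consistency checks for a MIFARE Classic 1K dump (added example).

Checks performed:
  * block 0 bytes 0-3 (UID) match the UID the reader reported in the header
  * block 0 byte 4 (BCC) equals the XOR of the four UID bytes (ISO 14443-3)
  * every sector (4 blocks of 16 bytes) was read with no unknown bytes
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16


@dataclass
class DumpReport:
    uid_in_block0: Optional[str]        # hex of block 0 bytes 0-3, None if unread
    bcc_ok: Optional[bool]              # byte 4 == XOR(uid bytes), None if unread
    uid_matches_header: Optional[bool]  # block 0 UID == header UID, None if unknown
    incomplete_sectors: List[int]       # sectors with at least one unread byte/block
    missing_sectors: List[int]          # sectors with no block lines at all


def parse_blocks(text: str) -> Dict[int, List[Optional[int]]]:
    """'Block N: b0 .. b15' -> {N: [16 ints or None]}; '??' is an unread byte."""
    blocks: Dict[int, List[Optional[int]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("block "):
            continue
        head, _, body = line.partition(":")
        num = int(head.split()[1])
        tokens = body.split()
        if len(tokens) != BLOCK_SIZE:
            raise ValueError(f"block {num}: expected {BLOCK_SIZE} bytes, got {len(tokens)}")
        blocks[num] = [None if t == "??" else int(t, 16) for t in tokens]
    return blocks


def parse_header_uid(text: str) -> Optional[str]:
    """Return the reader-reported UID from a 'UID: xx xx xx xx' line as upper-case hex."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("uid:"):
            return "".join(line.split(":", 1)[1].split()).upper()
    return None


def bcc(uid: bytes) -> int:
    """Block check character for a single-size UID: XOR of its four bytes."""
    value = 0
    for b in uid:
        value ^= b
    return value


def check_dump(text: str) -> DumpReport:
    blocks = parse_blocks(text)
    header_uid = parse_header_uid(text)

    uid_hex = bcc_ok = uid_match = None
    block0 = blocks.get(0)
    if block0 is not None and all(b is not None for b in block0[:5]):
        uid = bytes(block0[:4])
        uid_hex = uid.hex().upper()
        bcc_ok = block0[4] == bcc(uid)
        if header_uid is not None:
            uid_match = uid_hex == header_uid

    incomplete, missing = [], []
    for sector in range(SECTORS_1K):
        first = sector * BLOCKS_PER_SECTOR
        present = [blocks.get(n) for n in range(first, first + BLOCKS_PER_SECTOR)]
        if all(p is None for p in present):
            missing.append(sector)
        elif any(p is None or any(b is None for b in p) for p in present):
            incomplete.append(sector)
    return DumpReport(uid_hex, bcc_ok, uid_match, incomplete, missing)


# Constructed sample: UID 2573B480, BCC 0x62, sector 0 complete with the default
# FF FF FF FF FF FF trailer, sector 1 partially read, sectors 2-15 never read.
SAMPLE_OK = """\
UID: 25 73 B4 80
Block 0: 25 73 B4 80 62 08 04 00 01 02 03 04 05 06 07 08
Block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
Block 4: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00
Block 5: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Block 6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 7: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
"""

# Constructed sample of the substitution from the article: the reader reports
# 2573B480 but block 0 carries E68487F3 (its BCC 0x16 is internally consistent).
SAMPLE_SUBSTITUTED = """\
UID: 25 73 B4 80
Block 0: E6 84 87 F3 16 08 04 00 01 02 03 04 05 06 07 08
Block 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 3: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("substituted", SAMPLE_SUBSTITUTED)):
        print(name, check_dump(sample))
```

The report answers the three questions from the tests directly: `uid_matches_header` is False for the substituted dump even though its BCC is valid, which is exactly why a BCC check alone is not enough and the block 0 UID has to be compared with what the reader claimed; `incomplete_sectors` and `missing_sectors` give the per-sector list that a retry pass (Test 3) would need to work from. Run it against two dumps of the same tag to see whether the missing-sector list is stable or varies between reads.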

Conclusion

The Flipper Zero is a powerful tool for working with RFID tags, but it requires improvement in several areas, particularly when dealing with MIFARE Classic 1K tags with MF3 filters. By implementing a fast key recovery algorithm, improving the sector reading algorithm, and fixing the UID substitution problem, the Flipper Zero can become an even more effective and efficient tool for RFID enthusiasts and professionals.

Flipper Zero MIFARE Classic 1K Improvement: Q&A

Introduction

In our previous article, we discussed the issues discovered with the Flipper Zero when working with MIFARE Classic 1K tags with MF3 filters. We also outlined the required improvements to enhance the security and efficiency of the device. In this article, we will answer some frequently asked questions (FAQs) related to the Flipper Zero MIFARE Classic 1K improvement.

Q: What are the main issues with the Flipper Zero when working with MIFARE Classic 1K tags with MF3 filters?

A: The main issues with the Flipper Zero when working with MIFARE Classic 1K tags with MF3 filters are:

  • Incorrect copying of standard keys
  • Inefficient key recovery for unknown keys
  • Unreliable sector reading

Q: Why is it important to fix the UID substitution problem?

A: The UID substitution problem is particularly important because it can lead to incorrect identification of the tag, which can result in failed attempts to copy or read the tag's data.

Q: What is the proposed fast key recovery algorithm, and how does it differ from the existing methods?

A: The proposed fast key recovery algorithm is similar to the one used in ikeybase express. It uses a server-based approach to quickly recover keys, which is more efficient than the existing methods (nested, hardnested, darkside).

Q: How will the improved sector reading algorithm work?

A: The improved sector reading algorithm will automatically retry attempts with different signal parameters if the first attempt fails. This will ensure that all sectors are successfully read, even for problematic tag types.

Q: Will the improved Flipper Zero be compatible with existing software and hardware?

A: Yes, the improved Flipper Zero will be compatible with existing software and hardware. The improvements will be implemented in a way that does not affect the existing functionality of the device.

Q: How long will it take to implement the improvements?

A: The exact timeline for implementing the improvements is not yet determined. However, we are working to prioritize the development of the improved Flipper Zero and aim to release it as soon as possible.

Q: Will the improved Flipper Zero be available for purchase?

A: Yes, the improved Flipper Zero will be available for purchase. We will provide updates on the availability and pricing of the device as more information becomes available.

Q: Can I contribute to the development of the improved Flipper Zero?

A: Yes, we welcome contributions from the community. If you have expertise in RFID development or would like to contribute to the development of the improved Flipper Zero, please contact us to discuss further.

Q: What are the benefits of the improved Flipper Zero?

A: The benefits of the improved Flipper Zero include:

  • Improved security and efficiency
  • Correct copying of standard keys
  • Efficient key recovery for unknown keys
  • Reliable sector reading
  • Compatibility with existing software and hardware

Conclusion

The Flipper Zero MIFARE Classic 1K improvement is an exciting development that will enhance the security and efficiency of the device. We hope that this Q&A article has provided valuable information and insights into the improvements and their benefits. If you have any further questions or would like to contribute to the development of the improved Flipper Zero, please do not hesitate to contact us.