Have you also been bombarded with advertisements for NFC business cards at 1000 rupees or 2000 rupees? “Create one card and never make another.” I have been lately (yes, yes, ad blocker, yada yada: these are not the simpler ads that can be blocked via Pi-hole, they are Insta ads. If you can share any tips, I would love to have a cleaner flow for myself).

These cards look interesting, but after a little digging I realized a few things that made me park these ideas because it doesn’t seem possible at this point:

  1. Amazon sells programmable cards at a much cheaper rate (Amazon India: LINQS NFC cards). An even cheaper option is to buy them from the supplier itself (LINQS Shop).
  2. The cards in the ads primarily redirect users to a URL that is actually hosted on the card provider’s domain, and therefore if the service provider dies (which, to be honest, is far too common these days), the service also dies.
  3. I would like to have such a card, but I think I would prefer to have more than just a URL on it: maybe my full contact details, maybe a URL. In short, if I receive such a card, I would like to be able to write things on it.

This month of November is the time for celebrations and festivities in India. What people don’t usually talk about is that it’s also time to clean the house and if you live with your family, that means you need to reduce clutter.

  1. I started cleaning my room and realized that among all the electronic and non-electronic badges we get at various conferences, we also end up receiving several NFC cards.
  2. I remembered those ads and wondered: even though I don’t need an NFC business card, wouldn’t it be cool if I could use those wasted cards for that purpose?

And immediately my geeky mind says, “How hard could it be?” So here’s what I’ve discovered so far. Maybe it’s not enough, maybe not much, but I’m just listing a few tips that I’ve learned, a few tools that I’ve explored and some references I found. I hope they help someone else navigate their NFC exploration journey.

Background work

So I started by exploring what NFC actually is and how it works. NFC or near field communication is closely associated with RFID or radio frequency identification.

To focus on learning the basics, I visited my usual sources: Null community presentations on the topic of NFC and RFID. This tells me that it’s not a popular topic, but it’s something people explored in 2019.

My own Hacking Archives of India project lists more references on the subject of RFID and NFC that I can search, with a single presentation available, by Sarwar and Ashwath, which gave good coverage of the basics of NFC. I also found this excellent presentation from 2012 at Black Hat covering the different stacks and the technology in detail.

However, I wasn’t going to spend ₹₹₹₹₹ on something just because it’s a curiosity. I’m going to spend a lot of time thinking instead (because that’s who I am: it’s always better to seek to learn more than to throw money at the problem).

So it seems I’m very late to the party, more like a decade late. Going on a wild goose chase is going to be pointless, so let’s try to narrow down exactly what we’re looking for.

  1. I have a lot of NFC cards from hotel stays and conference passes.
  2. I want to find out if I can rewrite them and/or reuse them for my own purposes.

Studying the slides and references and refocusing made me realize that I first needed to clarify what exactly I had. Then, and only then, should I explore the second question. Since I had no plans to purchase hardware, I had to rely on my existing NFC/RFID-capable devices, i.e. my smartphones. So I looked at Android apps to see if there is one that can help me with this process. This led me to NFC Tools. This app was very quickly able to read and identify the cards I had, and I ended up with a few card variations.

  1. MIFARE Classic 1K
  2. MIFARE Ultralight
  3. MIFARE NTAG216
  4. MIFARE Ultralight EV1

The reference document on their website clearly stated that all of these chips were supported by the application.

So I tried to see if I could write to these cards. If only life were that simple, I wouldn’t be writing this blog. I encountered a write error every time.

Further reading highlighted the fact that there might be write locks on the cards. This becomes the new activity sheet.

  1. See if the cards are locked.
  2. Find a way to open these locks.
  3. Once the lock is opened, find a way to use these cards directly or format these cards.
  4. Once the cards are formatted, write the data to the cards.

What else could we do

This is where I look at what is available online. This time I searched more widely on the internet, but more specifically about MIFARE cards.

And identified some interesting projects

There is also a lot of discussion about Flipper Zero’s ability to decipher these cards. But for me, MIFARE Classic Tool was a good option. However, after digging a little deeper, it’s its fork that catches my attention the most.

Let’s get cracking.

MIFARE Classic Tool and MCT-bruteforce-key are therefore both a good starting point for my exploration of MIFARE Classic cards.

In short, the MIFARE Classic 1K cards I own contain 1 KB of memory, organised as 16 sectors of 4 blocks each. Each block is made up of 16 bytes of data, making a total of 1 KB of data that can be stored.

Each sector has 2 keys: Key A and Key B. We either need to know the key or brute force it to be able to write to that sector. Some cards, due to their access conditions, may simply not allow you to write at all.
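The sector layout and access conditions described above, as an added example (not code from the original post or from any of the tools it mentions): it decodes the three access-condition bytes of a sector trailer, following the public MIFARE Classic datasheet layout, and reports which key may write each data block. The two sample trailers are constructed, with the keys zeroed.

```python
# Added example: MIFARE Classic 1K sector trailer access bits (public datasheet layout).
# Trailer = Key A (6 bytes) | access bits (3) | user byte (1) | Key B (6).

# (C1, C2, C3) of a data block -> which key may write it.
# Caveat: where the trailer leaves Key B readable (as in the factory setting),
# Key B cannot authenticate, so "A|B" means Key A in practice.
DATA_BLOCK_WRITE = {
    (0, 0, 0): "A|B",    # transport (factory) configuration
    (0, 1, 0): "never",  # read-only
    (1, 0, 0): "B",
    (1, 1, 0): "B",      # value block
    (0, 0, 1): "never",  # value block, decrement only
    (0, 1, 1): "B",
    (1, 0, 1): "never",
    (1, 1, 1): "never",  # no read or write at all
}

def block_address(sector, block):
    """Absolute block number on a 1K card: 16 sectors of 4 blocks."""
    if not (0 <= sector < 16 and 0 <= block < 4):
        raise ValueError("a 1K card has sectors 0-15 and blocks 0-3")
    return sector * 4 + block

def decode_access_bits(trailer):
    """Return (C1, C2, C3) for blocks 0..3 of a sector (block 3 is the trailer)."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is also stored inverted; a mismatch means a corrupt trailer.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def writable_data_blocks(trailer):
    """Map data block index (0..2) -> which key may write it."""
    bits = decode_access_bits(trailer)
    return {i: DATA_BLOCK_WRITE[bits[i]] for i in range(3)}

# Constructed samples: keys zeroed on purpose, only bytes 6-8 matter here.
FACTORY_TRAILER = bytes(6) + bytes.fromhex("FF078069") + bytes(6)
READ_ONLY_TRAILER = bytes(6) + bytes.fromhex("0F078F69") + bytes(6)

if __name__ == "__main__":
    for name, t in (("factory", FACTORY_TRAILER), ("read-only", READ_ONLY_TRAILER)):
        print(name, writable_data_blocks(t))
```

A sector whose data blocks decode to "never" stays unwritable even when both keys are known, which is the "may simply not allow you to write at all" case.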

Since I find myself in a situation where I have cards but no access to a reader that correctly reads the data, I end up with card-only attacks.

  1. Automated nested attacks via
  2. Automated Dark Side Attack via

Both of these attacks had a limitation at this point: they cannot work on Android at the moment. Maybe Kali NetHunter and a custom kernel can help, but that’s something I haven’t checked yet. So we were back to NFC Tools and MIFARE Classic Tool.

I was able to read all sectors of 2-3 different MIFARE Classic cards using the standard built-in keys. This allowed me to then factory format them. Once factory formatted, I can use NFC Tools to write any data I want to the card. So that solves my current pain.

However, another interesting tool that I found while reading many articles online is NFC ReTag. This tool works using a different approach: because each tag has a unique identifier, the phone can be programmed to react differently when near a different card. This doesn’t require keys or brute force, but it’s an interesting concept: if a phone is placed there, it will react differently because it’s near that card.

This enables new ways to explore the world of NFC cards and reuse existing cards without worrying about the content they contain.

That said, where would the fun be if I considered the project closed? There must be pending tasks (looking at my 10,000 pending tasks, what harm can an extra 2-3 of them do :P). So my next items to explore at some point in the future are:

  1. Playing with mfoc and mfcuk to see if I can use them on the Android device itself.
  2. To print my own business card on the NFC card using an inkjet printer. I hope I can do it one day and I’ll remember to write about it.

I’m sure I have missed out on a ton of resources, but my task was accomplished and I would much rather spend my energy on another task. However, if you know of a simpler way to do things, please share it with me. I’d love to know how you explored the NFC ecosystem.


