Cracking keys
This information is intended to help give some pointers about the actual cracking process of cards, so you can load keys to use with Metrodroid.
Please don't file GitHub issues about this. I can't give email support about this process either, or do a crack-by-mail service.
It is not possible to crack a card with just your Android phone, as it does not permit low level access to the NFC hardware.
MIFARE Classic (MFC) is used by many older public transit smartcard systems.
Practical attacks against Crypto-1 (the encryption and authentication algorithm used by MIFARE Classic) have been publicly known since at least 2008, and the manufacturer no longer recommends using these cards in "any security relevant application" since 2015.
Metrodroid does not include any agency-specific keys, even static ones. Even when "supported", this will always come up as a "fully locked card". You need to install keys for your card, which you get by cracking it.
These cards use a "default" key, eg: all-FF, all-00, the MIFARE Application Directory (MAD) or NDEF keys.
These cards use the same key on every card in that network (ie: every CharlieCard has the same keys).
- METRO Q
- CharlieCard
- Troika
- Podorozhnik
- Zolotaya Korona (but exact keys differ per deployment)
- Kiev Metro Card
- Otago GoCard (now superseded by the Bee Card)
- MetroMoney
- RicaricaMi
- Tarragona
- RKF (but exact keys differ per deployment)
- Tolyatti cards
- Kazan cards
- Warsaw Karta Mijeska
- Alicante
- Bonobus (Cadiz)
- bip! (Santiago de Chile)
Some keys are unique per-card (and you need to crack them), but at least 1 is common to every card, and therefore can be cracked offline.
- Strelka
- OV-chipkaart
- ERG MFC, including Manly Fast Ferry and Metrocard (Christchurch)
- SmartRider
- Komuterlink
- Gautrain
- Umarsh cards (but static keys are different per deployment)
- Bilhete Único
Every card only uses keys that are unique to that card. No two cards of the same type have any of the same keys, so you'll need to extract it from a reader.
- Cubic Nextfare MFC including Go (SEQ), Transit Access Card and MspGoto
- EasyCard
- Touch 'n Go (key diversification algorithm is known, see tng2json.py)
-
MIFARE Classic: the original card, which can be cracked even if you don't know any keys.
-
MIFARE Classic EV1 / MIFARE Plus: newer revisions, which can emulate a MIFARE Classic card. It has less security flaws (in MFC mode), but can still be cracked if you know at least 1 key (eg: sniffed from a reader).
-
Clone cards: there are many manufacturers of "clone" cards, most of them are not licensed by the manufacturer. Most of them don't implement countermeasures against cracking, some of them implement Crypto-1 poorly (eg: weak RNG), or have backdoors.
Unfortunately, there's not always an easy way to tell what card you have, so at worst you may be out some money if you buy the wrong hardware. On some of the transit card pages, there may be a way to check based on the appearance of the card -- but these are specific to each agency.
In order to continue, you'll need a Linux computer with a libnfc-compatible NFC device. You'll also need to be familiar with compiling software on Linux, and fetching specific git versions of things.
However, if you're using the proxmark3 you can also run on non-Linux systems.
In order to read MIFARE Classic cards with your phone, you'll also need an Android phone with an NXP NFC chipset. You can verify MIFARE Classic support in Metrodroid's about screen. If your phone doesn't support MIFARE Classic, or you don't have an Android device, this exercise is pretty much pointless.
However, you can always still sideload card dumps onto your phone or the emulator to read them. But this novelty is not for everyone. 
-
PN532 is the "cheap, basic and slow" option, which uses the software packages described below.
It's a pain to get the code required built, and it only works on Linux. If your time isn't valuable to you, and you're comfortable patching specific git versions of software, go this way.
-
Proxmark3 is the "expensive, powerful and quick" option.
It's easy to get the software built, but it's a significant investment to buy the hardware. If you're interested in more experimentation with RFID technology, buy this device.
I've personally bought all three of these devices, and after buying the Proxmark3 I don't use my PN532 kits much anymore.
I'd recommend trying to build the software before committing to a hardware purchase. Then you will be less frustrated if you've made the "wrong choice".
- 1 x FTDI Serial TTL-232 USB Cable = 17.95 USD
- 1 x PN532 NFC/RFID controller breakout board = 39.95 USD
To assemble, you'll need to solder the headers for the FTDICABLE port of the board. The cable will simply work after that (black wire is ground). There's no need to solder other jumpers for the headers.
You may want to use a cable tie to secure the FTDI cable to the board.
- 1 x DMDG 13.56MHz PN532 On-board Antenna NFC module = 20.58 USD
- 1 x 3.3V ~ 5V USB to TTL FT232RL Module = 4.42 USD
- Jumper wires
- USB Mini-B cable
This also will require some jumper wires and a USB mini-B cable. You'll need to connect TX on the RFID board to RX on the FTDI module, and vice versa, as well as connect GND and 5v/VCC.
You'll need to set both SET0 and SET1 to L (UART). By default it is setup for SPI mode on the Raspberry Pi header.
It won't require any soldering unless you want to make it permanent.
Note: This is for the AU direct site. This has a 30 USD minimum order amount. You may also find these parts on the global and other regional Dealextreme sites, but I haven't tested them. They may have other quirks.
proxmark3 is a RFID Swiss Army Knife. It can also be used for cracking Mifare Classic keys. This doesn't use any of the instructions described here, instead see the proxmark3 wiki page for more information.
The price quoted is for the bare board and HF antenna from Ryscc (US). As this is open hardware, there are many manufacturers of equipment, which have variations, such as different antenna connectors, in-built antennas, and operating from battery without a host.
Wherever you source the hardware from, you will need to do a firmware upgrade of the device, which is fairly easy. While the project started around 2007, it is still has active development from a small but dedicated community.
It is more expensive, however the cracking process is very reliable and quick, taking typically around 5 minutes to fully crack and dump the card (compared to around an hour for the PN532).
If you're interested in more experimentation with RFID, then this is the tool for you, as this device has many features.
It supports Darkside, Nested and Hardnested attacks against MIFARE Classic (including hardened) cards, as well as sniffing RFID communication and extracting keys from a "legitimate" MIFARE Classic reader.
The dumpkeys.bin file generated by the proxmark client can be renamed to have a .farebotkeys extension, and can be loaded straight into Metrodroid. dumpdata.bin is a mfc file like described below.
PN532 is a fairly old NXP NFC chipset that is common in low end devices and NFC readers. The cracking process will only work on Linux, and even then it is slow and not extremely reliable.
$ cat /etc/nfc/libnfc.conf
device.name = "pn532"
device.connstring = "pn532_uart:/dev/ttyUSB0:115200"
This is for a PN532 NFC chipset connected via UART, with a USB-UART adapter on /dev/ttyUSB0. You may need to be in the dialout group in order to write to the serial device.
You'll want to begin by using mfcuk. This tool is basically unmaintained, and does not function against current libnfc. The current master version of mfcuk does not work either. You'll need current libnfc for the second tool, so this will walk through building it in a different prefix.
Check out nfc-tools/libnfc@6752951, and nfc-tools/mfcuk@1b6d022, and install these into a different prefix, eg:
./configure --prefix=$HOME/nfc/prefix --with-drivers=pn532_uart,pn53x_usb --enable-serial-autoprobe
Once you have built both tools, you can then run it with:
LD_LIBRARY_PATH=$HOME/nfc/prefix/lib/ ~/mfcuk/src/mfcuk -C -R 3:A -o mycard.mfc -v 3 -s 250 -S 250
There should be a lot of output given to stdout. You want the diff Nt value to stay below about 300, and auths <= diff Nt * 256. If the numbers stay about the same, or the number of diff Nt increases above 300, then there is either an issue with your reader, or you have a Mifare Plus card.
This process should not take more than an hour, though if the card and/or isn't reliable you'll want to tweak the delay options (-s and -S to make it run slower).
Once this is complete, you will get output with a 6 byte key (represented as 10 hex digits; ie: base16 encoded) for one of the sectors. From here you can proceed with the instructions for "At least 1 known key"
nfc-tools/mfoc works with the current version of libnfc. You should be able to just clone the repository and build it against your system libnfc.
You run the tool, specifying keys like the following:
~/mfoc/src/mfoc -O mycard.mfc -k 112233445566 -k 665544332211
You can specify many keys, and there are also some hard coded default keys you can try.
This should take no more than an hour.
After this is complete, you will have a complete (binary) dump of the card in mycard.mfc, as well as a list of keys.
There are tools around to do this with libnfc compatible readers, but I haven't tried them.
See https://github.com/proxmark/proxmark3/wiki/Mifare%20HowTo
dumpkeys.bin can be loaded straight into Metrodroid if you rename it to have a .farebotkeys extension.
dumpdata.bin is a raw memory dump of the card, and is the same as files with .mfc and .mfd extension.
You only need one of the sets of keys (either the A key or the B key) in order to read the data on the card. You don't need to specify it many times.
In the extra folder there is a tool textkeys_to_farebotkeys which will take a newline separated, base16 encoded list of keys, and turn it into a farebotkeys file:
$ ./extra/textkeys_to_farebotkeys.py keyw.txt -o keys.farebotkeys
16 keys added
You can also convert a card dump into a farebotkeys file with mfcdump_convert.py. This will by default extract the "A" keys from a mfc/mfd dump file (from mfoc) and turn it into a farebotkeys or JSON file (documentation).
$ ./extra/mfcdump_convert.py mycard.mfc -f raw-keys -o mycard.farebotkeys
$ ./extra/mfcdump_convert.py mycard.mfc -f json-keys -o mycard-keys.json
Once this is complete, copy the file to your phone, then open it. Metrodroid will then prompt you to scan the card the keys are for, and it will be added to your local database. After that, you'll be able to read the card with your phone.
If you want to do some testing, or your phone doesn't support Mifare Classic, you can import the mfc dump files from mfoc with mfcdump_convert.py:
$ ./extra/mfcdump_convert.py mycard.mfc -o mycard.xml
You can then copy this to your phone. Then import it with "Scanned Cards" > "Import" > "Import from File". This also works with Google Drive.
Need more information here. Information suggests that this is difficult.
Needs more info -- Metrodroid can't authenticate with these cards yet.
Needs more info -- Metrodroid can't authenticate with these cards yet.