Help and Info
This tool provides several features to interact with (and only with)
MIFARE Classic RFID-Tags. It is designed for users who have at least
basic familiarity with the MIFARE Classic technology.
You also need an understanding of the hexadecimal number system,
because all data input and output is in hexadecimal.
Some important things are:
- The features this tool provides are very basic. There are no such
fancy things as saving a URL to an RFID-Tag with a nice looking
graphical user interface. If you want to save things on a tag,
you have to input the raw hexadecimal data.
- This App can not crack/hack any MIFARE Classic keys. If you want to
read/write an RFID-Tag, you first need keys for this specific tag.
For additional information please see chapter Getting Started.
- There will be no "brute-force" attack
capability in this application. It is way too slow due
to the protocol.
- This app will not work on some devices because their hardware
(NFC-controller) does not support MIFARE Classic (read more). You can
find a list of incompatible devices at the GitHub page of MCT.
For further information about MIFARE Classic check
Wikipedia,
do some Google searches or read the
MIFARE Classic (1k) 'Datasheet' (PDF) from NXP.
This application is free software under the GPLv3
License. The source code is available on
GitHub.
1.1 Features
- Read MIFARE Classic tags
- Save, edit and share the tag data you read
- Write to MIFARE Classic tags (block-wise)
- Clone MIFARE Classic tags
(Write dump of a tag to another tag; write 'dump-wise')
- Key management based on dictionary-attack
(Write the keys you know in a file (dictionary).
MCT will try to authenticate with these
keys against all sectors
and read as much as possible.
See chapter Getting Started.)
- Format a tag back to the factory/delivery state
- Write the manufacturer block of special MIFARE Classic tags
- Use external NFC readers like ACR 122U
(See chapter External NFC)
- Create, edit, save and share key files (dictionaries)
- Decode & Encode MIFARE Classic Value Blocks
- Decode & Encode MIFARE Classic Access Conditions
- Display generic tag information
- Display the tag data as highlighted hex
- Display the tag data as 7-Bit US-ASCII
- Display the MIFARE Classic Access Conditions as a table
- Display MIFARE Classic Value Blocks as integer
- Calculate the BCC
- Quick UID clone feature
- Import/export/convert files
- In-App (offline) help and information
- It's open source ;)
1.2 Data Storage
This app stores data in the app-specific, internal storage. Files like a saved dump from
a read-out tag can not be accessed by any other app or with a computer (USB). If you want to
use them elsewhere, you can use the share button or MCT's
Import/Export Tool.
Be aware! Uninstalling this app will delete all files (dumps/keys) permanently.
Updating from version < 4.0.0:
If you updated this app from a version prior to 4.0.0 it might appear that all dump and
key files are gone. This is not the case. With version 4.0.0 MCT's file storage model
has changed. You can get your files back by simply using the
Import/Export Tool. The old files are stored on the
external storage (SD card) in a folder named MifareClassicTool. Dump files are
in the format .mct and key files are in the format .keys. It is possible
to import multiple files at once.
- Dump files: /sdcard/MifareClassicTool/dump-files/ (import as .mct)
- Key files: /sdcard/MifareClassicTool/key-files/ (import as .keys)
The regular version and the
donate version
of MCT can not share the same storage. Therefore each version has its own dump and key files.
1.3 License
This application was originally developed by
Gerhard Klostermeier in cooperation with SySS GmbH
(www.syss.de) and Aalen
University (www.htw-aalen.de) in
2012/2013. It is free software under the
GNU General Public License v3.0 (GPLv3).
Icons used in this application:
MIFARE® is a registered trademark of NXP Semiconductors.
2. Getting Started
First of all, you need the keys for the tag you want to read.
Due to some weaknesses in MIFARE Classic, you can retrieve
all the keys (A and B) of a tag with tools like the
Proxmark3 or
normal RFID-Readers and some special software
(mfcuk,
mfoc).
The application comes with standard key files called
std.keys and extended-std.keys, which contain the
well known keys and some standard keys from a short Google search.
You can try to read a tag with these key files using
"Read Tag" from the main menu. Changes to these key files
will be lost. Create your own key file for your keys.
Once you know some keys, you can put them into a simple text
file (one key per line). You can do this on your PC and import
the file using MCT's Import/Export
Tool, or you can create a new key file via "Edit or Add
Key File" from the main menu. If you are finished setting up your
key file, you can read a tag using "Read Tag" from the main menu.
Advantages of the Key Files Concept:
-
You don't have to worry about which key is for which
sector.
The application tries to authenticate with all keys from the key
file against all sectors (like a dictionary-attack).
-
You don't have to know all the keys.
If neither key A nor key B for a specific sector is found in the
key file (dictionary), the application will skip reading said
sector.
This dictionary-attack based mapping process
(keys <-> sectors) makes it easy for you to read as much as
possible with the keys you know!
3. Read Tag
Technically speaking, reading an RFID-Tag is done in two steps:
-
Choose a key file
Press "Read Tag" in the main menu. Now select
key files which (perhaps) contain the keys for the tag.
You can also specify the range of sectors you want to read.
Start the mapping process with the lower right button.
But: For large key files this could take quite some time!
-
Read tag
After the keys are mapped to sectors based on a kind of
dictionary-attack, the application will instantly start
to read the tag. The result will be displayed in a
simple editor (See chapter
Edit Tag Dump File.)
4. Write Tag
If you want to write data to a MIFARE Classic tag, it is important
that you understand what you are doing. Writing the wrong data
to certain blocks may cause irreparable damage to the tag.
4.1 Write Block
First, you have to specify which block you want to write to.
Typical (MIFARE Classic 1k) ranges are: sector 0-15, block 0-3.
The second step is to enter the data you want to write. This is
done in hexadecimal format with a length of 16 bytes (32 characters).
After pressing the button, the last step is to choose key files
which (possibly) contain the key with the privilege to write for this
sector/block.
4.2 Write Dump (Clone)
With this method, you can write a dump (or some sectors of it) to a tag.
If you want to clone a tag, you first have to read and then dump
the original tag. The second step is to restore the dumped data on another
tag (for which you know the keys). You need the keys with write privileges
for all sectors you want to write.
After selecting the dump, the sectors, and the key files, the App will check
everything for you! If there are issues like 'block is read-only', 'key
with write access not known', etc., you will get a report before writing.
Options:
-
Use static (custom) Access Conditions
By enabling this option, all Access Conditions from the dump
will be replaced with the chosen ones.
This is useful if the dump contains Access Conditions
that will be permanent for a tag. In case the reader does not check
them, you can easily use custom ones to make the tag reusable.
-
Write to Manufacturer Block
The first block of the first sector of an original
MIFARE Classic tag is read-only i.e. not writable. But there are
special MIFARE Classic tags (aka magic tags 2nd gen/gen2) that support
writing to the manufacturer block with a simple write command. This App is
able to write to such tags and can therefore create fully correct clones.
However, some special tags require a special command sequence to
put them into the state where writing to the manufacturer block is
possible. These tags will not work.
Also, make sure the BCC value (see
BCC Calculator), the SAK and the ATQA values are
correct. If you just want to clone a UID, please use the
Clone UID Tool.
This will try to format the tag back to the factory/delivery state. In this
state, all data block bytes are 0x00 and the sector trailers contain
0xFFFFFFFFFFFF as key A/B and 0xFF078000 as access conditions.
4.4 Incr./Decr. Value Block
With this method, you can increment or decrement and then transfer a Value Block.
If an increment or decrement fails, it is due to one of the following reasons:
-
The selected target block is not a Value Block.
-
The Access Conditions don't allow incrementing or decrementing the
Value Block.
-
The provided value is incorrect. This happens if you try to increment
a Value Block to a value above the upper limit (2,147,483,647) or if
you try to decrement it to a value under the lower limit
(-2,147,483,648).
If an increment or decrement fails due to an interrupted and therefore
incomplete transaction, the Value Block could become unusable.
If you don't know what a MIFARE Classic Value Block is, you should read
chapter 8.6.2.1 of the
MIFARE Classic (1k) Datasheet (PDF).
5. Edit Tag Dump File
The tag editor is a simple hex-editor with some highlighting.
This editor can be accessed in two different ways:
-
Read a tag
After reading a tag the result is displayed in this
editor (See chapter Read Tag.)
-
Open a saved tag
You can edit a saved dump via "Edit Tag Dump" from
the main menu.
You can save a dump into a file by pressing the save toolbar button
(or menu item).
5.1 Share a Dump
From the dump editor, you can share a dump (via toolbar or menu item).
You can choose between Apps that are willing to process the dump file.
Note that some Apps fail to process the dump.
Apps which are known to work with MCT: Gmail, Bluetooth, etc.
5.2 Display Data as ASCII
From the dump editor, you can display the data in 7-Bit US-ASCII (via menu).
Non-printable characters are replaced with a dot (".").
The last block of a sector, the sector trailer, will not be
translated to ASCII.
5.3 Display Access Conditions
From the dump editor, you can display the MIFARE Classic Access
Conditions as a table (via the menu). If you do not know what they are,
you can read chapters 8.6.3 and 8.7 (and subchapters) from the
MIFARE Classic (1k) Datasheet (PDF).
5.4 Display Value Blocks as Integers
From the dump editor, you can decode blocks formatted as
MIFARE Classic Value Block to integer format (via the menu).
For further information regarding Value Blocks read/see
chapter 8.6.2.1 from the
MIFARE Classic (1k) Datasheet (PDF).
5.5 Display the date of manufacture
From the dump editor, you can decode the date of manufacture (via the menu).
The last 2 bytes of the manufacturer block (sector 0, block 0)
represent the date of manufacture. They should be in binary
coded decimal format (BCD, only digits, no letters). The first byte
represents the week of manufacture and must be between 1 and 53.
The second byte represents the year of manufacture and must be between 0
and the current year (e.g. 12, meaning 2012).
This is not a standard. Some manufacturers don't stick to this.
So it is possible that MCT can't display the date of manufacture
or display a wrong one.
5.6 Write Dump
You can write dumps directly from the dump editor. For writing dumps
see Write Dump (Clone)
5.7 Compare Dump
You can compare the current dump to another dump directly from the
dump editor. For comparing dumps see
Diff Tool (Compare Dumps)
5.8 Save Keys
You can save the keys of the currently viewed tag into a key file.
This could be used to speed up the mapping process for the corresponding tag
because the new key file will only contain valid keys.
6. Edit or Add Key File
There are two ways to create a key file:
- This Application
You can create a new key file via
"Edit/Add Key File" from the main menu.
- On your Computer
You can create a simple text file on your computer and
import it using MCT's Import/Export Tool.
Key files are simple text files which contain one MIFARE Classic
key per line (hexadecimal, 6 bytes, 12 characters).
Lines starting with # as well as empty lines are
ignored.
You can edit key files any time you want with
"Edit/Add Key File" from the main menu.
Because key files are used like dictionaries in dictionary-attacks,
it is sufficient to enter only different keys (even if the key
is used for multiple sectors). You can remove duplicates
in a key file (via menu) from the key editor. Also it is possible to
share key files like dump files (see chapter
Share a Dump).
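The key file rules above (one 12-character hexadecimal key per line, # comments and empty lines ignored, duplicates unnecessary) can be checked on a PC before importing. This is an added example, not MCT's own code; the function name and the sample keys are constructed for illustration, and trimming surrounding whitespace is an assumption.

```python
import re

KEY_RE = re.compile(r"[0-9A-Fa-f]{12}")  # 6 bytes = 12 hex characters

def parse_key_file(text):
    """Return (keys, rejected) for the text of a .keys file.

    keys     -- unique keys, upper-cased, in first-seen order
    rejected -- (line_number, content) for lines that are not a valid key
    """
    keys, rejected, seen = [], [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # assumption: surrounding whitespace is not significant
        if not line or line.startswith("#"):
            continue  # empty lines and comment lines are ignored
        if not KEY_RE.fullmatch(line):
            rejected.append((number, line))
            continue
        key = line.upper()
        if key not in seen:  # one entry per distinct key is sufficient
            seen.add(key)
            keys.append(key)
    return keys, rejected

# Constructed sample: a comment, a duplicate in different case, two bad lines.
SAMPLE = """\
# keys for the test tag
FFFFFFFFFFFF
0123456789ab

0123456789AB
FFFFFFFFFF
0123456789AG
"""

if __name__ == "__main__":
    keys, rejected = parse_key_file(SAMPLE)
    print("\n".join(keys))
    for number, line in rejected:
        print(f"line {number}: not a 12-character hex key: {line!r}")
```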
For other advantages see chapter
Getting Started, section
"Advantages of the key files concept".
This section provides some general tools to work with MIFARE Classic.
In this view, you can see some generic information
(like UID, ATQA, SAK, Tag size, etc.) about the RFID-Tag.
If your device does not support MIFARE Classic, this is the
only thing you can do with this App. :(
Tag type and manufacturer identification:
The identification mechanism is based on
this website.
If you want to have a closer look at MIFARE tag identification read
the
NXP MIFARE Type Identification Procedure (PDF). Another
helpful file for ATS (ATR) based identification is provided
by the PCSC project.
The tag type and manufacturer determined by MCT could be wrong for
several reasons:
- The Tag has a customized ATS
- There are multiple tags in the reader field
This tool is capable of decoding MIFARE Classic Blocks into integer
and the other way around (encode integer to a MIFARE Classic Value Block).
If you don't know what a MIFARE Classic Value Block is, you should read
chapter 8.6.2.1 of the
MIFARE Classic (1k) Datasheet (PDF).
In most cases, the "Addr" of a value block is 00 (hex)
because it is not used. However, according to NXP it
"can be used to save the storage address of a
block, when implementing a powerful backup management.".
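The Value Block layout from the datasheet, together with the limits listed in chapter Incr./Decr. Value Block, as an added example that is not MCT's own code. All function names are chosen for illustration; preview_change only computes the expected result offline and does not talk to a tag.

```python
import struct

INT32_MIN, INT32_MAX = -2_147_483_648, 2_147_483_647

def encode_value_block(value, addr=0x00):
    """Build the 16 bytes: value, ~value, value, addr, ~addr, addr, ~addr."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError("value outside the signed 32-bit range")
    if not 0 <= addr <= 0xFF:
        raise ValueError("addr must fit in one byte")
    v = struct.pack("<i", value)  # little-endian, two's complement
    inverted = bytes(b ^ 0xFF for b in v)
    return v + inverted + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])

def decode_value_block(block):
    """Return (value, addr); raise ValueError if the redundancy checks fail."""
    if len(block) != 16:
        raise ValueError("a block is 16 bytes")
    v, inverted, copy = block[0:4], block[4:8], block[8:12]
    if v != copy or any(a ^ b != 0xFF for a, b in zip(v, inverted)):
        raise ValueError("not a Value Block: value copies disagree")
    a, na, a2, na2 = block[12:16]
    if a != a2 or na != na2 or a ^ na != 0xFF:
        raise ValueError("not a Value Block: address copies disagree")
    return struct.unpack("<i", v)[0], a

def preview_change(block, delta):
    """Block after an increment (delta > 0) or decrement (delta < 0)."""
    value, addr = decode_value_block(block)
    result = value + delta
    if not INT32_MIN <= result <= INT32_MAX:
        raise ValueError("result would leave the signed 32-bit range")
    return encode_value_block(result, addr)

if __name__ == "__main__":
    block = encode_value_block(100)
    print(block.hex().upper())
    print(decode_value_block(preview_change(block, -30)))
```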
This tool is capable of decoding MIFARE Classic Access Conditions into a
more human-readable format and the other way around (encode to
MIFARE Classic Access Conditions).
If you don't know what MIFARE Classic Access Conditions are, you should read
chapter 8.7 of the
MIFARE Classic (1k) Datasheet (PDF).
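A decoder and encoder for the three Access Condition bytes of a sector trailer, with a check for the two cases that matter before writing: bytes whose inverted copies do not match, and trailer settings under which the Access Conditions can never be changed again. This is an added example, not MCT's own code; the function names are chosen for illustration and the bit layout and table follow chapter 8.7 of the datasheet.

```python
# Sector-trailer (C1, C2, C3) values that still allow the access bits to be
# rewritten, and the key that may do it (datasheet, chapter 8.7).
REWRITABLE_WITH = {(0, 0, 1): "A", (0, 1, 1): "B", (1, 0, 1): "B"}

def decode_access_bits(ac):
    """Return [(C1, C2, C3)] for blocks 0..3 from trailer bytes 6, 7, 8."""
    if len(ac) < 3:
        raise ValueError("need the three access-condition bytes")
    b6, b7, b8 = ac[0], ac[1], ac[2]  # a fourth (user) byte is ignored
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F  # stored inverted copies
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("inverted copies do not match")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def encode_access_bits(blocks):
    """Inverse of decode_access_bits: four (C1, C2, C3) tuples -> 3 bytes."""
    if len(blocks) != 4:
        raise ValueError("need one (C1, C2, C3) tuple per block")
    c1 = sum(b[0] << i for i, b in enumerate(blocks))
    c2 = sum(b[1] << i for i, b in enumerate(blocks))
    c3 = sum(b[2] << i for i, b in enumerate(blocks))
    return bytes([((c2 ^ 0xF) << 4) | (c1 ^ 0xF),
                  (c1 << 4) | (c3 ^ 0xF),
                  (c3 << 4) | c2])

def review_before_write(ac_hex):
    """Return 'invalid', 'permanent' or 'rewritable with key A/B'."""
    try:
        trailer = decode_access_bits(bytes.fromhex(ac_hex))[3]
    except ValueError:
        # Per the datasheet, a format violation blocks the sector irreversibly.
        return "invalid"
    key = REWRITABLE_WITH.get(trailer)
    return f"rewritable with key {key}" if key else "permanent"

if __name__ == "__main__":
    for sample in ("FF078000", "778F08", "FF0781"):  # last two are constructed
        print(sample, "->", review_before_write(sample))
```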
This tool is capable of showing you the difference between two dumps.
Just select the dumps you want to compare and the tool will highlight all
the sections where the two dumps differ from each other.
This tool can calculate the Bit Count Check (BCC) value. For MIFARE
Classic tags with a 4-byte UID, the BCC must be the 5th byte of the very
first block (manufacturer block).
More information about calculating the BCC and how it is used during
the anti-collision phase can be found in
NXP's AN10927.
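A check of a manufacturer block before it is written to a tag, covering the BCC described here and the date of manufacture described in chapter Display the date of manufacture. This is an added example, not MCT's own code; the function names and the sample block are constructed, and it handles 4-byte UIDs only. The BCC is the XOR of the four UID bytes.

```python
def bcc(uid):
    """XOR of the four UID bytes (4-byte UID tags only)."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    result = 0
    for byte in uid:
        result ^= byte
    return result

def bcd(byte):
    """Decode one BCD byte; None if a nibble is not a decimal digit."""
    high, low = byte >> 4, byte & 0x0F
    return high * 10 + low if high <= 9 and low <= 9 else None

def manufacture_date(block0, current_year):
    """Return (week, year) from the last two bytes, or None if implausible."""
    week, year = bcd(block0[14]), bcd(block0[15])
    if week is None or year is None:
        return None
    if not 1 <= week <= 53 or not 0 <= year <= current_year % 100:
        return None
    return week, 2000 + year  # e.g. 12 means 2012

def check_block0(block0_hex, current_year):
    """Check a manufacturer block given as 32 hexadecimal characters."""
    block0 = bytes.fromhex(block0_hex)
    if len(block0) != 16:
        raise ValueError("a block is 16 bytes (32 hex characters)")
    expected = bcc(block0[0:4])
    return {
        "uid": block0[0:4].hex().upper(),
        "bcc_ok": block0[4] == expected,
        "bcc_expected": f"{expected:02X}",
        "manufactured": manufacture_date(block0, current_year),
    }

# Constructed sample: UID 01020304, BCC 04, filler bytes, week 25 / year 12.
SAMPLE_BLOCK0 = "01020304040804006263646566672512"

if __name__ == "__main__":
    print(check_block0(SAMPLE_BLOCK0, current_year=2024))
```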
This tool helps to clone UIDs easily. Just touch
the original tag to read its UID, hit the button, and then place a
compatible tag ("magic tag 2nd gen") in the reader field.
Regarding the compatible tags, please have a look at the "Write
to Manufacturer Block" section of the
Write Dump (Clone) chapter.
This tool can import and export dump and key files with different file types.
Supported are .mct (MIFARE Classic Tool), .keys (MIFARE Classic Tool),
.bin/.mfd/.dump (Proxmark, libnfc, mfoc, others), .eml (Proxmark emulator) and
.json (Proxmark, Chameleon Mini GUI). For converting a dump file from e.g.
.bin to .json, it can be simply imported and then exported again.
It is possible to import multiple files at once. To do so, just select multiple
files. But only use Android's default file manager, because third party file
managers do not always support selecting multiple files. In some cases the option
"show internal storage" must be enabled first.
A full backup of all dump and key files can be made using the backup function.
The data will be saved as a ZIP archive.
This tool can convert data (bytes) to and from different formats. So far
the following data types are supported.
This tool shows the log of discovered tags. A log entry consists of the
date, time, and the UID of the discovered tag. The log file can be cleared
or shared with other apps.
8. External NFC
MCT can be used with
External NFC.
This app allows you to connect an external USB-based RFID reader to
your Android device. Not every RFID reader is supported by External
NFC and your Android device must be USB-OTG enabled.
Readers which should work:
- ACR 122U
- MFRC522 via USB-UART adapters
- PN532 via USB-UART adapters
According to user reports, the ACR 122U reader works the best.
For questions regarding the External NFC app please have a look at its
Play Store
page and/or contact its developer.