Recovering keys with MFKey32



If you couldn't read all of the MFC card's sectors with the Read function, or the sectors you did read aren't enough to get access, try the Detect Reader function. Detect Reader performs the MFKey32 attack, which exploits weaknesses in the Crypto-1 encryption algorithm. MFKey32 is the name of a tool/algorithm that recovers MFC keys from the reader's Crypto-1 nonce pairs: it works by recovering the initial state of the Crypto-1 Linear Feedback Shift Register, which contains the key. On this page, you will learn how to conduct the MFKey32 attack with and without access to the card.



If you have access to the card

The best way to conduct the MFKey32 attack is to have access to the card, even if not all sectors were read. By getting the reader's key, you can read more sectors of the card, which might be enough to open the door. To get the reader's keys and read the MFC card, do the following:

  1. Read and save the card with your Flipper Zero.
  2. Go to Main Menu → NFC → Saved → Name of the saved card → Detect reader. Flipper Zero will emulate this card for the MFKey32 attack.

    Your Flipper Zero is ready to collect the reader's nonces
    
  3. Tap the reader with your Flipper Zero, as shown below. When near the reader, your Flipper Zero will collect the reader's nonces. Depending on the reader, you may need to tap the reader with your Flipper Zero up to 10 times in order to simulate several card authentications. On your Flipper Zero's screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader is not trying to authenticate the card emulated by your Flipper Zero.

    To collect nonces, tap the reader with your Flipper Zero
    
  4. Press OK to save the collected nonce pairs to the microSD card. When the necessary number of nonce pairs is collected, the screen will show the Completed message, after which you can review what sectors and keys (A/B) have been captured.

    Once nonces are collected, you can save them on the microSD card
    
  5. Recover keys from the collected nonces. You can do it via:
     Flipper Mobile App:
       a) On your phone, run Flipper Mobile App and synchronize with your Flipper Zero.
       b) Go to Hub → NFC tools → Mfkey32 (Detect Reader).
     lab.flipper.net:
       a) Connect your Flipper Zero to your computer via a USB cable.
       b) On your computer, go to lab.flipper.net.
       c) Go to NFC tools, then click the GIVE ME THE KEYS button.
     The recovered keys will be displayed on the screen. After that, they can be added to the User dictionary. In some cases, the keys can't be recovered from the nonces due to the reader not recognizing your Flipper Zero's emulation properly.
  6. Once the new keys are added to the User dictionary, read the card again. The number of found keys and read sectors may increase, which indicates that the necessary data has been collected.
  7. Emulate the card and hold your Flipper Zero near the reader to get access.

While emulating the NFC card, hold your Flipper Zero near the reader




If you don't have access to the card

Even if you don't have access to the card, you can try to get the reader's keys; that alone might be enough to get access to poorly designed access control systems. You will need to create a virtual MFC card and manually edit it to enter the recovered keys. To get the reader's keys and edit the virtual card's data, do the following:

  1. Go to Main Menu → NFC → Detect reader. Flipper Zero will emulate an MFC 1K card for the MFKey32 attack.

    Your Flipper Zero is ready to collect the reader's nonces
    
  2. Tap the reader with your Flipper Zero as shown below. When near the reader, your Flipper Zero will collect the reader's nonces. Depending on the reader, you may need to tap the reader with your Flipper Zero up to 10 times in order to simulate several card authentications. On your Flipper Zero's screen, the number of collected nonce pairs should increase with each new tap of the reader. If the number of nonce pairs doesn't increase, the reader is not trying to authenticate the card emulated by your Flipper Zero.

    To collect nonces, tap the reader with your Flipper Zero
    
  3. Press OK to save the collected nonce pairs to the microSD card. When the necessary number of nonce pairs is collected, the screen will show the Completed message, after which you can review what sectors and keys (A/B) have been captured.

    Once nonces are collected, you can save them on the microSD card
    
  4. Recover keys from the collected nonces. You can do it via:
     Flipper Mobile App:
       a) On your phone, run Flipper Mobile App and synchronize with your Flipper Zero.
       b) Go to Hub → NFC tools → Mfkey32 (Detect Reader).
     lab.flipper.net:
       a) Connect your Flipper Zero to your computer via a USB cable.
       b) On your computer, go to lab.flipper.net.
       c) Go to NFC tools, then click the GIVE ME THE KEYS button.
     The recovered keys will be displayed on the screen. After that, they can be added to the User dictionary. In some cases, the keys can't be recovered from the nonces due to the reader not recognizing your Flipper Zero's emulation properly.
  5. Create a virtual MFC card by doing the following:
       a) Go to Main Menu → NFC → Add Manually.
       b) Select MFC 1k 4 bytes and press OK.
       c) Go to More → Save, then name the card.
  6. Edit the dump of the saved virtual MFC card via Flipper Mobile App or in any text editor, replacing the default keys with the recovered keys. To edit the dump via Flipper Mobile App, do the following:
       a) Go to Archive → NFC.
       b) Select and tap the manually created card, then tap Edit Dump.
       c) Tap the values you want to replace, then enter the new values.
       d) Once you have finished editing, tap Save.

    You can edit the card's dump via Flipper Mobile App
    
  7. Emulate the edited card and hold your Flipper Zero near the reader.

    While emulating the NFC card, hold your Flipper Zero near the reader
    

In some cases, just having the correct key (without the card’s UID or the contents of the sectors) might be enough for poorly designed access control systems to grant access. However, this won’t work in most cases, and you will need a card from the access control system to clone.

Updated 06 Feb 2023
Copyright © 2023 Flipper Devices Inc.