This is an old revision of the document!


FreakCard collection
founder: niekt0
depends on:
interested: sargon
software license: various
hardware license: various
status: active

Aim of this project is to collect all physical access methods used these days, and analyze possibilities of reading, copying and emulating their tokens.

As a result, this document should provide practical guide for working with access tokens.

Decision tree.

Suppose, that you have unknown token in your hand, and you don't know anything about access tokens. Idiot's guide goes here:

1. Is it contact or contactless? Contact: goto 2, Contactless: goto 100.

2. Does it have only 2 contacts or more? If two, goto 4, if more, goto 10.

4. It is probably dalas ibutton, using 1-wire protocol

10. It is probably some type of contact smartcard. Can you recognize the access interface? If it is usb, (XX picture) goto 15. If it looks like smart card (XXX picture) goto 20.

15. Deskey? XXX

20. Smartcard, XXX

100. Contactless token. If you see “HID” written somewhere on the token, you may try to go directly to 150. Otherwise go to 101.

101. You need to start reading token. Try HF (high frequency) RFID reader and run isotype or lsnfc on the token. Is it recognized? If yes, goto 120. If no, It is probably LF (low frequency) card. Go to 140.

120. High frequency RFID card. (XXX link) So, now determine type of card. In output of isotype or lsnfc you should see some identification string. This is hard to describe in algorithmic way, so use your intelligence and go to 125 or XXX

125. Mifare. In output of isotype or lsnfc you should see some identification string. If you see exact type, go to 127, 128 o 129. If not you can try readmifare1k. If readmifare1k fails (no login failed or unknown key messages, but completely failed to read other sectors), it is probable Mifare Ultralight. UltraLight “cards” tend to be quite small, often flexible. Goto 127. If you can read other sectors, or get login failed messages, it is Mifare Classic or Desfire. Try cracking it with mfoc. XXX link If you succeed, it is Classic, goto 128. Otherwise, it is probably Desfire, goto 129.

127. Mifare UltraLight. See XXX

128. Mifare Classic. Can have 1K or 4K capacity. See XXX

129. Mifare Desfire. Can have 1K or 4K capacity. See XXX

140. Low frequency RFID card. (XXX picture or link) You need to start reading token. Try LF (high frequency) RFID reader and run XXX. Is it recognized? If no, goto 200.

145. HID

150. EM Microelectronic

200. You are in trouble, the token was not recognized. Try walking whole tree one more time, maybe you made some mistake. Alternatively, you can try to look for all pictures in this document, and identify tag visually. Otherwise, it may be token not known to authors of this guide, or not available at the time of writing. You are dead, sorry.

Tokens used in wild


High Frequency (HF) card



Mifare cards can have various forms. Here are some examples: Token that can be caried on keys, plain card, and isic card.


Very basic device, only UID transmitter. Get id:

~> lsnfc 
device = ACS ACR38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)
* NXP MIFARE UltraLight
1 tag(s) on device.

Get id: Id is stored in first sector, not encrypted (Answer to Reset contains UID, reading Block 00 should not be necessary to get UID only). For example touchatag can be used for quick read of ID.

Several possible matches:
* NXP MIFARE Classic 4k
* NXP MIFARE Plus 4k

Full read: Use MFOC form nfc-tool to decrypt all encrypted sectors, then whole card can be read, for example by

mfoc -P 500 -O dump.file
./readmifare -r 0

from RFIdiot or

./readmifare -r 0

dumps the card after cracking all keys as well.

Clone: There is problem with cloning first sector. All other sectors can be cloned, once decrypted. No completly rewritable cards available on the market now afaik. XXX see http://www.proxmark.org/forum/viewtopic.php?id=896 , but email provided there is not responding.


ID emulation with proxmark:

hf mf sim 123456AB

123456AB is card id in this example.

Currently, proxmark have an issue, so you may need to set mode first:

hf mf eset 0 123456AB112233445566778899001122

to tell proxmark to use 8-byte ID. The longe number here is the firs sector of card. (containing ID, btw)

  • ID emulation works fine, however with current code, there are timing problems

with emulation of whole card.

  • If sector data are used to auth to a reader you have to be lucky. If a reader is tolerant enough to wait for Proxmark, it'll work. But most of the times you'll run into timing issues with production readers (NXP cards respond in microseconds while Proxmark does in milliseconds, auch)

Get id: Same as Mifare Classic.

lsnfc: (opencard)
Several possible matches:
* NXP MIFARE Plus 1k
* NXP MIFARE Plus 4k
* NXP JCOP31 or JCOP41

Full read: No working crpyto attack so far, unencrypted sectors can be read, also you can try to look for default keys.

Clone: probably require full read

Emulate: probably require full read

Relay: see Relay attack

other mifare cards

There are some other types of mifare cards, but now widely deployed, at least no in .cz and .sk:

  • Ultralight C
  • SmartMX
  • DESFire EV1
  • Plus
  • SAM AV2

see http://en.wikipedia.org/wiki/Mifare for more info.

Relay attack

All MIFARE cards are prone to relay attack (cz: přepojovací útok). It will be interresting to design a low-cost relaying device. Google 'mifare relay attack' for more…

XXX http://www.eng.tau.ac.il/~yash/kw-usenix06/

  • RFID LAB @ FIT ČVUT has required hardware! Try to contact them?

Low Frequency card

Emulation in general: http://www.t4f.org/en/projects/open-rfid-tag/55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :)

proxmark - determine LF card type: http://code.google.com/p/proxmark3/wiki/TagOps (outdated, bud principles are still same)

in short:

proxmark> hw tune

proxmark> data samples 2000

proxmark> data plot



Usage around: Quite common building access system

Get id/Read:




EM Microelectronic

Usage around: several parking lots in Prague, some building access systems

Get id/Read:

proxmark> lf em4x em410xwatch


Emulation with Proxmark works great Emulator like this http://www.t4f.org/en/projects/open-rfid-tag/57 in progress (lukash working on it)

EDIT: site is down right now, downloaded data available at http://kyberia.cz/~niekt0/openrfid/ and http://pain.backstep.net/lukash/openrfidtag/


XXX This hw works http://www.dealextreme.com/p/125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230 XXX cloning/writing with proxmark?


Get id/Read:

proxmark data samples 1000
proxmark> lf indalademod





Wiegand is:

  1. A specific reader-to-card interface
  2. A specific binary reader-to-controller interface
  3. An electronic signal carrying data
  4. The standard 26-bit binary card data format
  5. An electromagnetic effect
  6. A card technology

Radio chips XXX

  • hcs300 ( KEELOQ )
    • Can be broken XXX
  • NXP UCODE (passive UHF)

RF Theory and antennas

Magnetic card

We made a HIGH POWER MagneticCard emulator based on MAgnetic card sp00fer . We used Brmduino for generating the signal so the coil is powered only by 5V (the laptop is just the power source for brmduino). Source code download. (magnetic_card_emulator.pde)

The Adobe Flash Plugin is needed to display this content.


Pictures of SALTO iButton, typically used as an access token.

DS1990A - 64 Bit ID (in fact only 56 bits are used)

Datasheet here: http://www.maxim-ic.com/datasheet/index.mvp/id/2829

Get id (~= read): It's very easy to read this tag with Arduino, you need OneWire library to make it even easier, downloadable here: http://www.pjrc.com/teensy/td_libs_OneWire.html

Schematics: http://tushev.org/images/stories/arduino/scheme4ibutton.png (forget the display, code has been modified for Serial only!)

Code for Arduino:

#include <OneWire.h>

OneWire ds(12);
byte addr[8];
String keyStatus="";

void setup(void) {

void loop(void) {
  Serial.println("Reading now..");
      for(int j = 0; j < sizeof(addr); j++) {
           Serial.print(addr[j], HEX);
           if (j<sizeof(addr)-1) {
  else if (keyStatus!="") { Serial.print(keyStatus);}

void getKeyCode(){
  byte present = 0;
  byte data[12];
  if ( !ds.search(addr)) {

  if ( OneWire::crc8( addr, 7) != addr[7]) {
      keyStatus="CRC invalid";
  if ( addr[0] != 0x01) {
      keyStatus="not DS1990A";

Example output:

Reading now..
Reading now..
Reading now..


0x1 - 1 byte - Tag identifier
0xAA - 0xFF - 6 bytes - UID itself
0x2F - 1 byte - CRC8 over previous 7 bytes


nice emulation for ID-only iButtons: http://www.reteam.org/board/showthread.php?t=1332

Writing/cloning: http://www.youtube.com/watch?v=KBX_BcFEcAI XXX

Contact Smart cards

smart card emulator project …


What wikipedia tell us about ISO/IEC 7816


Biometric sensors


Iris recognition

Retinal scan

Voice recognition


Mechanical safes

Physical keys ;)

Proof of concept for printing FAB keys: http://kyberia.cz/~niekt0/fap-fap

TODO: OpenScad program to be released under gnu-gpl, input: long/short, profile number (int), key combination (from 00000 to 99999)

ala http://eclecti.cc/hardware/physical-keygen-duplicating-house-keys-on-a-3d-printer

TODO: key combination extraction from photography, ala http://vision.ucsd.edu/~blaxton/sneakey.html

HW available in brmlab

  • HF reader/writer Touchatag (for mifare cards), (+1 niekt0, +1 lukash), Mifare Classic cards (ruza)
  • Proxmark + LF & HF antenna (niekt0, lukash)
  • Reprap(s)
  • Eclo 1 wire USB reader (niekt0)
  • DIY magnetic strip reader/writer
  • OMRON V3A-1K magnetic stripe reader (lukash - let me know if you want to try something out) - works great as a reader with Arduino, code for reading: omron_binary_read.pde, you can then easily interpret these binary data, it only depends whether it's ALPHA or NUMERIC encoded, refer to this paper to read more. You can use scripts to parse these data: parse_alpha.php and parse_numeric.php

HW missing in brmlab


Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki