nfc_initiator_mifare_cmd Timeout

If you get the following error when cloning a Mifare RFID tag:

mfoc -O test
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 37 08 xx xx
      SAK (SEL_RES): 88
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
* Mifare Classic 1K Infineon

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [nfc_initiator_mifare_cmd: Timeout

1. Edit the blacklist-libnfc.conf

vim /etc/modprobe.d/blacklist-libnfc.conf

Make sure the file contains the following lines, then save it:

blacklist nfc
blacklist pn533
blacklist pn533_usb

2. Unplug your NFC reader, plug it in again and check that it is detected:

nfc-list

Try mfoc again and it should work, tadam!

If instead you get:

mfoc: ERROR:

No sector encrypted with the default key has been found, exiting..

1. Try cracking the keys (thanks Mathieu Daitauha)

mfcuk -C -R 0:A -s 50 -S 50 -O original.dmp -v 3

It might take a while (it took me 1 hr), but eventually the command will finish.

The output should say something like the following:

INFO: block 3 recovered KEY: 1234567890AB
1 2 3 4 5 6 7 8 9 a b c d e f
ACTION RESULTS MATRIX AFTER RECOVER - UID ae 1a 5d d6 - TYPE 0x08 (MC1K)
-----------------------------------------------------------------
Sector | Key A        | ACTS | RESL | Key B        | ACTS | RESL
-----------------------------------------------------------------
0      | 1234567890AB | . R  | . R  | 000000000000 | . .  | . .
1      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
2      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
3      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
4      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
5      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
6      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
7      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
8      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
9      | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
10     | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
11     | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
12     | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
13     | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
14     | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
15     | 000000000000 | . .  | . .  | 000000000000 | . .  | . .
INFO: saved extended tag dump file to 'original.dmp'

This means mfcuk succeeded in recovering a key. In the above example, the recovered key (key A of sector 0) is 1234567890AB. Note the one you obtained for your tag. In the rest of this page, I will refer to the key as ${KEY}.

Armed with the recovered key, dump the tag again (this is essentially the same as the first step, but with the key specified):

$ mfoc -P 500 -k ${KEY} -O original.dmp
The custom key 0x1234567890AB has been added to the default keys
Found Mifare Classic 1k tag
...

This might again take some time (on my laptop it took around 1h40), but when the command eventually finishes, you should see the following (among other things):

...
Auth with all sectors succeeded, dumping keys to a file!
...

At this point, the original.dmp file is a full dump of your original tag.
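Before relying on a dump like original.dmp, it is worth checking what it actually contains: which sectors are still protected only by a default key (the ones mfoc's first pass can open), and whether every sector trailer's access bits are self-consistent. The following Python helper is an added example, not part of this page or of mfoc/libnfc; it assumes the plain 1024-byte 1K dump layout and uses an illustrative subset of the default keys, with a constructed sample dump in place of a real tag.

```python
# Audit helper for the 1024-byte MIFARE Classic 1K dump layout that mfoc and
# nfc-mfclassic use: 16 sectors x 4 blocks x 16 bytes, the last block of each
# sector being the trailer (key A | 4 access bytes | key B).
from typing import Dict, List

BLOCK, SECTORS = 16, 16
# Assumption: illustrative subset of the default keys mfoc tries first, not its full table.
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7",
                "000000000000", "b0b1b2b3b4b5", "aabbccddeeff"}

def access_bits_valid(ab: bytes) -> bool:
    """Bytes 6-8 of a trailer store C1..C3 twice (plain and inverted nibbles).
    A mismatch is a corrupt trailer; written to a real tag it can leave the
    sector permanently inaccessible, so check before any write."""
    b6, b7, b8 = ab[0], ab[1], ab[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return ((b6 & 0xF) == (~c1 & 0xF) and (b6 >> 4) == (~c2 & 0xF)
            and (b7 & 0xF) == (~c3 & 0xF))

def audit_dump(dump: bytes) -> List[Dict]:
    """One finding per sector: both keys, whether each is a default key,
    and whether the access bits are self-consistent."""
    if len(dump) != SECTORS * 4 * BLOCK:
        raise ValueError(f"not a MIFARE Classic 1K dump: {len(dump)} bytes")
    findings = []
    for s in range(SECTORS):
        t = dump[(s * 4 + 3) * BLOCK:(s * 4 + 4) * BLOCK]  # sector trailer
        key_a, key_b = t[:6].hex(), t[10:].hex()
        findings.append({"sector": s, "key_a": key_a, "key_b": key_b,
                         "default_a": key_a in DEFAULT_KEYS,
                         "default_b": key_b in DEFAULT_KEYS,
                         "access_ok": access_bits_valid(t[6:10])})
    return findings

def weak_sectors(dump: bytes) -> List[int]:
    """Sectors still protected only by a default key: mfoc's first pass
    succeeds on these, and a tag with none of them gives the ERROR above."""
    return [f["sector"] for f in audit_dump(dump)
            if f["default_a"] or f["default_b"]]

def build_sample_dump() -> bytes:
    """Constructed sample, not a real tag: sector 0 in transport config
    (FF keys, FF 07 80 access bytes), sector 1 with custom keys and the
    common 78 77 88 config, sector 2 with a corrupted access nibble."""
    transport = bytes.fromhex("ffffffffffff ff078069 ffffffffffff")
    custom = bytes.fromhex("1234567890ab 78778869 0a1b2c3d4e5f")
    corrupt = bytes.fromhex("ffffffffffff ff070069 ffffffffffff")
    trailers = [transport] * SECTORS  # all other sectors: transport config
    trailers[1], trailers[2] = custom, corrupt
    return b"".join(bytes(3 * BLOCK) + tr for tr in trailers)
```

Run audit_dump() on the bytes of a real dump file to see which sectors would still open with a default key and whether any trailer should not be written back as-is.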

2. Dump the new, empty tag

This seems to be necessary to make the new tag writable.

Replace the original tag by the new one on the reader, then run the following:

$ mfoc -P 500 -O new.dmp
Found Mifare Classic 1k tag
...

3. Write to the new tag

You can now copy the dump of the original onto the new tag:

$ nfc-mfclassic W a original.dmp new.dmp
...

Once this finishes, your new tag should be an exact copy of the original one. Congratulations, you’re done. Go and try your new tag.