top of page

NFC Hacking With The Flipper Zero (Guide)

Hacking NFC With The Flipper Zero (Guide) | Black Hat HQ

Flipper Zero: NFC Hacking


Here's the full NFC attack playbook for the Flipper Zero. This is a guide on hacking NFC with the Flipper Zero.


NFC Vs. RFID Quick Primer


The Flipper's NFC subsystem operates at 13.56 MHz and covers:


  • ISO 14443-A — MIFARE Classic, MIFARE Ultralight, NTAG, DESFire, Plus

  • ISO 14443-B — Some government IDs and transit cards (rare)

  • ISO 15693 — Vicinity cards, longer read range (labeled "NFC/V" on Flipper)

  • FeliCa — Sony's protocol, used in Japan (Suica, etc.)


You access this through Main Menu → NFC. The internal NFC chip is the ST25R3916, same as the 13.56 MHz HF reader, so NFC and HF use the same physical antenna — they're just different software stacks.


Recon: Identifying the Target


Before attacking, identify what you're dealing with. Hold the card to the back of the Flipper and:


NFC → Read

The output tells you what you're up against:


SAK

ATQA

Protocol

Card Type

Attack Surface

08

00 04

ISO 14443-3

MIFARE Classic 1K

Full break (CRYPTO1)

18

00 02

ISO 14443-3

MIFARE Classic 4K

Full break (CRYPTO1)

00

00 44

ISO 14443-3

MIFARE Ultralight

Clone to magic card

00

00 44

ISO 14443-3

NTAG 213/215/216

Clone to magic card

20

03 xx

ISO 14443-3/4

MIFARE DESFire

Relay attack only

28

01 xx

ISO 14443-3

MIFARE Plus (SL1)

Relay / downgrade

38-3F

ISO 14443-4

Various / Unknown

Fuzz, relay, or skip


The UID (4, 7, or 10 bytes) is the unique serial number. For MIFARE Classic, the UID matters — it's used in key derivation during authentication. Magic cards can spoof UIDs, which is critical for cloning.


MIFARE CLassic: The Full Attack Chain


MIFARE Classic is the holy grail of NFC hacking. The CRYPTO1 cipher is broken, and the Flipper has built-in tools to exploit it.


Phase 1: Key Recovery


NFC → MIFARE Classic → Detect Reader

This reads the card and tests every sector against the Flipper's built-in key dictionary. The default dictionary has about 40 keys. If even ONE sector key is recovered, you proceed to the nested attack.


Dictionary attack output:


Sector 00: Key A: FFFFFFFFFFFF   Key B: FFFFFFFFFFFF
Sector 01: Key A: FFFFFFFFFFFF   Key B: FFFFFFFFFFFF
Sector 02: Key A: --------       Key B: --------
...

Both keys in sector 0 being FFFFFFFFFFFF is the factory default — the card was never configured. This is absurdly common in the real world.


If every sector shows dashes, the default dictionary doesn't have the keys. You need either:


  • Custom firmware with an expanded dictionary (Unleashed ships with ~1,200 keys)

  • A Proxmark3 running hf mf autopwn which performs a full hardnested attack


Phase 2: Static Nested Attack


If at least one key is known:


MIFARE Classic → [select the saved card] → Detect Reader

The Flipper now knows one key and uses it to collect nonces from the card. Nonces are the random numbers the card generates during CRYPTO1 authentication. Because CRYPTO1's LFSR is weak, knowing one key + enough nonces lets you recover ALL remaining keys.


The Flipper will show:


Nonces collected: 47/100
Nested attack running...

It typically needs 100-500 nonces, which takes 1-3 minutes with the card held steady. The Flipper will chime when done. You can let it run longer for stubborn sectors.


What's happening technically: The CRYPTO1 cipher's 48-bit key state is divided into two 24-bit halves. A known key for one sector reveals 24 bits of state. By collecting authentication nonces from other sectors (which partially leak LFSR state), you can solve for the remaining 24 bits. This is the "nested attack" from the 2008 Courtois/Nohl/OVL paper.


Phase 3: Full Sector Dump


Once all keys are recovered:


[card] → Detect Reader → Read All Sectors

This dumps every block of every sector. Save the dump. You now own the card.


Phase 4: Analyze the Dump


NFC → MIFARE Classic → [saved dump] → Edit Dump

This is where it gets interesting. Browse through the sectors:

Sector 0, Block 0 (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx): The UID + manufacturer data. Never changes on genuine cards. This is what you spoof with a magic card.


Regular data blocks (Blocks 0-2 of each sector): These hold application data. Common patterns:


  • Wiegand-encoded access data (facility code + card number, like HID Prox but on HF)

  • ASCII text (names, room numbers, employee IDs)

  • Value blocks for stored-value systems


Sector trailers (Block 3 of each sector):


Key A (6 bytes) | Access Bits (3 bytes) | Key B (6 bytes)

The access bits control read/write/increment/decrement permissions. You can modify these to escalate privileges:


  • Changing read-only blocks to read-write

  • Making a value block incrementable (allowing you to add value without Key B)

  • Setting Key B readable (letting you read Key B using Key A)


Phase 5: Clone to Magic Card


You need a Gen1 (Backdoor) or Gen2 (Gen1a/Password) magic card. Buy these from Proxmark forums or AliExpress. They're typically blank MIFARE Classic 1K S50 cards with a writable Block 0.


NFC → Saved → [select dump] → Write

Hold the magic card to the back of the Flipper. For Gen1 cards, the write just works. For Gen2, the Flipper prompts for the write password (usually 00000000, 7A4B8C9D, or whatever it shipped with).


Critical: If the write succeeds but the card doesn't work, check that Block 0 was written correctly. Run Read on the cloned card and verify the UID matches the original.


MIFARE Classic Value Block Manipulation


If you find value blocks in the dump, you can modify them. A value block looks like:


Block:  34 00 00 00  CB FF FF FF  34 00 00 00  [addr byte]
        ^^^^^^^^^^^  ^^^^^^^^^^^  ^^^^^^^^^^^  ^^^^^^^^^^
        value        ~value       value (copy)  address

The format is: 4 bytes value (little-endian), 4 bytes inverted value, 4 bytes value again, 1 byte address. 0x0034 = 52 cents in this example.


To modify a value:


  1. Calculate the new value in hex (little-endian, 4 bytes)

  2. Calculate the inverted value (bitwise NOT, or subtract from 0xFFFFFFFF)

  3. Repeat the value a third time

  4. Keep the address byte the same


For example, changing 52 to 9999 (0x270F):


Block:  0F 27 00 00  F0 D8 FF FF  0F 27 00 00  [addr]

Edit this directly in the Flipper's Edit Dump screen, then write back to the card.

Important: You can't do this on a genuine card unless the access bits allow write with the keys you have. On a magic card, you always have full write access.


MIFARE Ultralight / NTAG


No authentication, no encryption. Read it once and you have everything:


NFC → Read → Save

Ultralight dumps are much smaller (typically 16 pages of 4 bytes for Ultralight, or 135+ pages for NTAG 216):


Page 00: XX XX XX XX  (UID + BCC)
Page 01: XX XX XX XX  
...
Page 03: XX XX XX XX  (One-Time Programmable lock bits)  
Page 04: XX XX XX XX  (User data starts here)
...
Page 41: XX XX XX XX  (Lock Control TLV might appear here)

Lock Bypass on Ultralight EV1


Some Ultralight EV1 cards use the password protection feature (AUTH0 + PROT bits). If password protection is configured:


  1. The first few user pages are readable but certain pages require a password

  2. The password is 4 bytes (yes, 32 bits — bruteforceable)

  3. If AUTH0 is set to a page number, all pages from that index forward require the password


The Flipper doesn't have built-in Ultralight password cracking, but you can:


  1. Dump whatever pages are readable

  2. Use the Proxmark3: hf mfu pwdgen to generate a password from the UID using common derivation algorithms

  3. Some EV1 cards derive their password via PWD = AES(UID, static_key) — if you have the static key from firmware extraction, you win


Cloning to Magic NTAG


Buy magic NTAG 213/215/216 cards (UID-changeable). The write process is the same as MIFARE Classic magic cards through the Flipper's Write function.


NFC Reader Attacks


The Flipper can emulate a card to interact with a reader. This is different from reading a card — you're the card, and the building's reader becomes your attack target.


Replay Saved Cards


NFC → Saved → [select dump] → Emulate

Hold the Flipper to the reader. The reader sends its polling command, the Flipper responds with the saved UID and proceeds through whatever authentication the card type requires (including CRYPTO1 handshakes for MIFARE Classic if you have the keys).


This is how you badge in with a cloned card without writing to physical media.


UID-only Emulation (MIFARE Classic)


If you only know the UID but not the keys, you can still try UID-only brute-force:


NFC → Add Manually → MIFARE Classic → Enter UID

Then emulate. This won't pass full authentication, but some poorly configured access control systems only check the UID during the anti-collision loop and never even attempt CRYPTO1 authentication. If the door opens just from the UID, the system is catastrophically misconfigured. This is rare but happens often enough to be worth trying.


Sniffing NFC Communication


The Flipper's NFC sniffer captures the ISO 14443-3 initialization sequence:


NFC → Extra Actions → Sniff ISO14443-3

Place the Flipper between a reader and a card, then bring the card near the reader. The Flipper captures:


  • REQA/WUPA (reader polling)

  • ATQA (card response)

  • Anti-collision loop (SELECT / SAK)

  • UID


This is useful for identifying card types in the field without touching a card directly. The Flipper cannot sniff the full encrypted session because it can't do man-in-the-middle at the RF level — for that you need a Proxmark3 with a sniffing antenna setup.


MIFARE DESFire: What You CAN Do


DESFire (EV1/EV2/EV3) is the secure successor to MIFARE Classic. Uses AES or 3DES with proper key derivation. The Flipper cannot break DESFire cryptographically. Full stop.

But you can still:


1. Fingerprint the card


NFC → Read

Record the UID, SAK, ATQA, and any readable application IDs. This tells you if the target uses DESFire, which means you need a different approach entirely.


2. Relay attack (theoretical, Flipper-limited)


The 2009 Hancke relay attack works against DESFire: relay the reader challenge to a legitimate card and the card's response back to the reader, extending the effective range. The Flipper's CPU is fast enough for this conceptually, but no Flipper plugin implements it yet because of timing constraints — ISO 14443-4 requires sub-5ms turnaround. A Proxmark3 can do it.


3. Find readers that support backward-compatibility mode


Some DESFire readers fall back to MIFARE Classic for legacy card support. If you present a MIFARE Classic magic card configured with the right UID range, the reader might authenticate via CRYPTO1 instead of AES. This depends on the reader's configuration.


Custom Firmware Advantages


Stock Flipper firmware is good. Custom firmware is better for pentesting.



  • ~1,200 MIFARE Classic keys in the dictionary (vs ~40 stock)

  • Faster nested attack with adjustable nonce count

  • Additional NFC plugins: NFC Magic, NFC Relay, etc.

  • RFID fuzzer for 125 kHz

  • MARAUDER integration (if you have the WiFi devboard)



  • All of Unleashed plus more plugins

  • Brute-force scripts for various protocols

  • Community plugin marketplace


Flashing is straightforward: download the .dfu or .tgz from their GitHub releases, connect Flipper via USB, and install through qFlipper. The Flipper will reboot with the new firmware. Settings and saved dumps persist.


Real-World Engagement Flow


When you're on-site:


  1. Observe readers first. If you see "MIFARE DESFire" or "iCLASS" logos on the reader bezel, skip straight to relay/social/physical bypass — the Flipper won't help you with the card itself.

  2. Read your own cards if you have them. If the engagement includes legitimate credentials, read them immediately, attempt key recovery, and check what data's stored. This tells you the system's configuration before you try anything hostile.

  3. Watch for unattended cards. Employees leave cards on desks all the time. 30 seconds with a Flipper against an unattended MIFARE Classic badge is all you need.

  4. Test UID-only. On random doors, present a manually-entered UID from the building's facility code range. Cost: 2 seconds per door. Reward: catastrophic access control failure.

  5. Document sector layout. A dumped MIFARE Classic card whose data blocks contain "John D. - IT Admin - Server Room" in ASCII is one of the best pieces of evidence in a pentest report. Screenshot that dump.


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page