Didier Stevens

Monday 23 February 2009

Shellcode On a MIFARE RFID Tag

Filed under: RFID,smart card — Didier Stevens @ 21:29

This post kicks off a series of posts on smart cards and RFID tags.

First a little bit of fun. I’ve written a Python program to read and write 1K MIFARE RFID tags with my ACR122 contactless reader/writer.


I store shellcode on a MIFARE tag (MIFAREACR122.py write shellcode.bin), and then I read it from the tag and execute it (MIFAREACR122.py shellcode).


Of course, this is just a little trick; it’s not a vulnerability. I just find it funny to store shellcode on an RFID tag.


  1. I don’t find it funny

    Comment by juano — Tuesday 24 February 2009 @ 0:36

  2. And the title is misleading

    Comment by juano — Tuesday 24 February 2009 @ 0:36

  3. Don’t do this again, please.

    Comment by juano — Tuesday 24 February 2009 @ 0:36

  4. I thought this was about overflowing an RFID card, but it turns out to be a clickbait title. How awkward.

    Comment by void — Tuesday 24 February 2009 @ 3:18

  5. @juano No sense of humor?

    Comment by Didier Stevens — Tuesday 24 February 2009 @ 21:51

  6. […] Poken Peek Filed under: Encryption, My Software, RFID — Didier Stevens @ 7:35 OK, after getting side-tracked by /JBIG2Decode PDFs, let’s get back on the smartcard and RFID track. […]

    Pingback by Poken Peek « Didier Stevens — Thursday 26 March 2009 @ 7:35

  7. Hi Didier Stevens

    Appears nice. But not sure if I’m really dumb, but what is the goal of doing it? I mean, in a real case, what can an attacker do with it?


    nice blog!

    Comment by Rick — Wednesday 1 April 2009 @ 3:58

  8. Well, the Shellcode is just a joke, I don’t always blog about attacks. But the program shows you how to read and write a file to a MIFARE tag with Python.

    Comment by Didier Stevens — Wednesday 1 April 2009 @ 6:50

  9. Do you recall what this did?

    data = self.TransmitCommand(smartcard.util.toBytes('FF00000004D44A0100'))

    I can’t figure out what this APDU is supposed to be doing.

    I was hoping to see if your code would work with MIFARE Ultralights, but they don’t seem to like that command

    Comment by jonathan — Sunday 12 September 2010 @ 0:35

  10. @jonathan I use this to poll the card and get its properties.

    Comment by Didier Stevens — Sunday 12 September 2010 @ 21:26

  11. Hi Didier! That looks great! Do you know if this Python script can work with an ACR120 reader also?
    And did you already try to read some MIFARE Ultralight tags which don’t contain any key to log in a specific sector?

    Thanks in advance

    Comment by blacksad — Tuesday 16 November 2010 @ 14:47

  12. @blacksad Don’t know, haven’t tested with acr120 or ultra.

    Comment by Didier Stevens — Tuesday 16 November 2010 @ 17:31
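
The APDU quoted in comment 9, decoded field by field as an added example (not code from MIFAREACR122.py or from the author). It assumes the ACR122 direct-transmit wrapper and the PN532 InListPassiveTarget layout as documented by ACS and NXP; the function names are hypothetical, and the sample reply with its UID is constructed.

```python
POLL_APDU = bytes.fromhex("FF00000004D44A0100")   # command quoted on this page
# Constructed sample reply (made-up UID): one MIFARE Classic 1K tag in the field.
SAMPLE_REPLY = bytes.fromhex("D54B0101000408040A1B2C3D9000")

# SAK (SEL_RES) values for common MIFARE tag types.
SAK_NAMES = {0x08: "MIFARE Classic 1K", 0x18: "MIFARE Classic 4K",
             0x00: "MIFARE Ultralight family"}

def parse_direct_transmit(apdu):
    """Split an ACR122 direct-transmit pseudo-APDU (FF 00 00 00 Lc) into PN532 fields."""
    if len(apdu) < 5 or apdu[:4] != b"\xff\x00\x00\x00":
        raise ValueError("not an ACR122 direct-transmit APDU")
    lc, payload = apdu[4], apdu[5:]
    if lc != len(payload):
        raise ValueError("Lc does not match payload length")
    if len(payload) < 2 or payload[0] != 0xD4:    # D4 = host-to-PN532 frame
        raise ValueError("payload is not a PN532 command")
    cmd = {"code": payload[1], "params": payload[2:].hex()}
    if payload[1] == 0x4A and len(payload) >= 4:  # 4A = InListPassiveTarget
        cmd["name"] = "InListPassiveTarget"
        cmd["max_targets"] = payload[2]           # poll for at most this many tags
        cmd["baud_type"] = payload[3]             # 0x00 = 106 kbps ISO/IEC 14443 Type A
    return cmd

def parse_poll_reply(reply):
    """Decode the reply to InListPassiveTarget for a 106 kbps Type A target."""
    if len(reply) < 5:
        raise ValueError("reply too short")
    body, status = reply[:-2], reply[-2:]
    if status != b"\x90\x00":
        raise ValueError("reader returned status " + status.hex())
    if body[:2] != b"\xd5\x4b":                   # D5 4B = answer to D4 4A
        raise ValueError("not an InListPassiveTarget response")
    if body[2] == 0:
        return None                               # no tag answered the poll
    if len(body) < 8:
        raise ValueError("truncated target data")
    sak, uid_len = body[6], body[7]
    uid = body[8:8 + uid_len]
    if len(uid) != uid_len:
        raise ValueError("UID shorter than its length byte")
    return {"target": body[3], "atqa": body[4:6].hex(), "sak": sak,
            "uid": uid.hex(), "tag": SAK_NAMES.get(sak, "unknown")}

if __name__ == "__main__":
    print(parse_direct_transmit(POLL_APDU))
    print(parse_poll_reply(SAMPLE_REPLY))
```
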
