If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/ikarus23/MifareClassicTool shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Mixed signals — read the receipts

• Last commit 1w ago
• 16 active contributors
• GPL-3.0 licensed
• CI configured
• ⚠ Concentrated ownership — top contributor handles 78% of recent commits
• ⚠ GPL-3.0 is copyleft — check downstream compatibility
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live ikarus23/MifareClassicTool repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/ikarus23/MifareClassicTool.

What it runs against: a local clone of ikarus23/MifareClassicTool — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in ikarus23/MifareClassicTool | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 37 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of ikarus23/MifareClassicTool. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/ikarus23/MifareClassicTool.git
#   cd MifareClassicTool
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of ikarus23/MifareClassicTool and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "ikarus23/MifareClassicTool(\\.git)?\\b" \\
  && ok "origin remote is ikarus23/MifareClassicTool" \\
  || miss "origin remote is not ikarus23/MifareClassicTool (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/MainMenu.java" \\
  && ok "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/MainMenu.java" \\
  || miss "missing critical file: Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/MainMenu.java"
test -f "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/MCReader.java" \\
  && ok "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/MCReader.java" \\
  || miss "missing critical file: Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/MCReader.java"
test -f "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Common.java" \\
  && ok "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Common.java" \\
  || miss "missing critical file: Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Common.java"
test -f "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/ReadTag.java" \\
  && ok "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/ReadTag.java" \\
  || miss "missing critical file: Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/ReadTag.java"
test -f "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/WriteTag.java" \\
  && ok "Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/WriteTag.java" \\
  || miss "missing critical file: Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/WriteTag.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 37 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~7d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/ikarus23/MifareClassicTool"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

MIFARE Classic Tool (MCT) is an Android NFC application for reading, writing, analyzing, and cloning MIFARE Classic RFID tags through dictionary-attack key management and sector-wise authentication. It runs on Android 5.0+ (minSdk 19, targetSdk 35) and provides block-level read/write operations, dump editing, access condition decoding, and value block manipulation for ISO14443A Type A RFID cards. Single-module Android app structure: root is 'Mifare Classic Tool/' containing app/src/main with Activities/ folder (26 Activity classes including ReadTag.java, WriteTag.java, DumpEditor.java, KeyMapCreator.java, etc.), support classes (Common.java, MCReader.java, MCDiffUtils.java), assets/ containing embedded key dictionaries (std.keys, extended-std.keys, hotel-std.keys), and inline help HTML. No separate library modules or backend service.

Security researchers, penetration testers, and RFID hobbyists who need to audit, clone, or recover data from MIFARE Classic tags; also used by IT professionals performing physical security assessments and by developers integrating NFC read/write capabilities into Android applications.

Production-ready with active maintenance: version 4.3.1 (versionCode 70) distributed via Google Play, F-Droid, and direct APK; CI/CD pipeline configured in .github/workflows/ci.yml; no visible test directory but code is well-structured with 523KB Java codebase and documented in README and in-app help (assets/help/help.html). Appears actively maintained given version progression and device compatibility documentation.

Single-maintainer risk (ikarus23) with minimal external dependencies (only androidx.core, androidx.preference, androidx.appcompat); no build dependency on Gradle plugins beyond core Android Gradle Plugin 9.2.0 and Kotlin 2.2.10. Main risk is hardware-specific NFC compatibility—see INCOMPATIBLE_DEVICES.md—and potential deprecation of Android NFC API, though targetSdk 35 suggests ongoing maintenance. No minification enabled (shrinkResources false) suggests code clarity prioritized over size.

Active maintenance track: CHANGELOG.txt documents recent changes; CI workflow (ci.yml) runs on pushes; version 4.3.1 represents recent release; targetSdk bumped to API 35 (Android 15) indicates ongoing Android version support. Device compatibility lists (COMPATIBLE_DEVICES.md, INCOMPATIBLE_DEVICES.md) are actively curated for NFC hardware variations.

Clone and build: git clone https://github.com/ikarus23/MifareClassicTool.git && cd 'Mifare Classic Tool' && ./gradlew build. To run on emulator: ./gradlew installDebug (requires NFC-capable Android device or emulator with NFC module). Open in Android Studio (File > Open > select 'Mifare Classic Tool' folder).

Daily commands: After gradle build, deploy via ./gradlew installDebug on a connected NFC-capable Android device (API 19+). Launch via Android Studio Run button or adb shell am start de.syss.MifareClassicTool/.Activities.MainMenu. No emulator NFC simulation available—requires physical NFC reader hardware (see COMPATIBLE_DEVICES.md) or external reader like ACR 122U via USB.

• Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/MainMenu.java — Application entry point and main navigation hub; all contributors must understand the app's top-level structure and feature organization.
• Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/MCReader.java — Core NFC reading logic for MIFARE Classic tags; essential for understanding tag communication and data extraction.
• Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Common.java — Shared utility functions and constants used across the entire codebase; changes here ripple through many activities.
• Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/ReadTag.java — Primary user-facing activity for reading tags; demonstrates the standard pattern for NFC operations and data handling.
• Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/WriteTag.java — Complements ReadTag with write operations; critical for understanding bidirectional tag manipulation.
• Mifare Classic Tool/app/build.gradle — Build configuration and dependency management; required for setting up development environment and understanding runtime requirements.
• Mifare Classic Tool/app/src/main/AndroidManifest.xml — Android manifest defining permissions, activities, and NFC intent filters; controls app capabilities and lifecycle.

Add a New Tool Activity

1. Create a new Java class extending BasicActivity in the Activities folder (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/YourNewTool.java)
2. Register the activity in AndroidManifest.xml with an activity tag (Mifare Classic Tool/app/src/main/AndroidManifest.xml)
3. Add a menu item to MainMenu that launches your new activity via Intent (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/MainMenu.java)
4. Create corresponding drawable icons (LDPI, MDPI, HDPI, XHDPI) and add to layout resources (Mifare Classic Tool/app/src/main/res/drawable-mdpi/your_tool.png)
5. Optionally add strings and help content to assets/help/help.html (Mifare Classic Tool/app/src/main/assets/help/help.html)

Add New NFC Read/Write Logic

1. Extend MCReader.java with new command methods for tag communication via NFC (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/MCReader.java)
2. Add utility functions to Common.java if needed for data conversion or validation (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Common.java)
3. Call MCReader methods from your Activity (ReadTag.java and WriteTag.java as templates) (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/ReadTag.java)
4. Handle NFC events in onNewIntent() and manage UI state updates (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/BasicActivity.java)

Add Key File Database

1. Create a new .keys file in the key-files asset directory with hex keys (one per line or as CSV) (Mifare Classic Tool/app/src/main/assets/key-files/custom.keys)
2. Modify KeyEditor.java to load your new key file from assets (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/KeyEditor.java)
3. Update Common.java constants if adding a new default key source (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Common.java)

Add Help & Documentation

1. Edit the HTML help file to add documentation sections for new features (Mifare Classic Tool/app/src/main/assets/help/help.html)
2. Link to your help section from HelpAndInfo.java activity (Mifare Classic Tool/app/src/main/java/de/syss/MifareClassicTool/Activities/HelpAndInfo.java)
3. Update CHANGELOG.txt to document new features or improvements (CHANGELOG.txt)

• Android NFC API (android.nfc.*) — Essential for communicating with MIFARE Classic tags; provides hardware abstraction for NFC readers in Android devices.
• Java Activities & Intents — Android's standard UI and navigation framework; allows multiple feature screens and inter-component communication.
• Gradle build system — Standard Android build tool; handles dependency management, compilation, and APK generation.
• Asset-based key files (.keys) — Lightweight, easy-

NFC hardware support varies widely—consult INCOMPATIBLE_DEVICES.md before testing; some Android devices disable NFC in certain ROM builds. External NFC reader (ACR 122U) requires additional USB driver setup not documented in visible files. Key dictionaries are case-sensitive hex strings (see std.keys format). No explicit error handling for malformed key files; invalid dictionary syntax silently fails. Manufacturer block (block 0) write only works on special MIFARE Classic clones, not genuine cards. Minification disabled (shrinkResources: false) in release build—APK will be large.

• MIFARE Classic Authentication (Nested Attack / Key Recovery) — MCT's core feature is dictionary-attack key management; understanding nested authentication and how keys unlock sectors is essential to why this tool exists
• ISO14443A Type A Protocol (NFC-A) — MIFARE Classic operates on ISO14443A Type A at 13.56MHz; MCT's ReadTag and WriteTag activities depend on correct framing, CRC, and timing per this standard
• Value Blocks (MIFARE Classic Counter Format) — ValueBlockTool.java and ValueBlocksToInt.java handle a special 12-byte format (4 bytes value + 4 bytes inverted + 4 bytes redundancy); understanding endianness and redundancy encoding is required for correct data interpretation
• Access Conditions (MIFARE Classic Sector Trailer Byte 6-8) — AccessConditionTool.java and AccessConditionDecoder.java decode 3 bytes controlling read/write permissions per block per key; bit-level manipulation is non-obvious and critical for cloning without losing permissions
• Block Check Character (BCC) Calculation — BccTool.java and Common.java implement XOR-based BCC for UID verification; required when cloning manufacturer block (block 0) to ensure card validity
• Android NFC Intent Filtering (NFC-A Tag Discovery) — AndroidManifest.xml defines intent filters for android.nfc.action.TECH_DISCOVERED; MCT's automatic tag detection relies on correct MIFARE Classic tech declaration in NFC Intent system
• Hex Dump Format (Block-Wise Serialization) — DumpEditor.java and ImportExportTool.java work with plaintext hex dumps (16 bytes per block, 16 blocks per sector); data corruption is easy if byte order or formatting is wrong

• RfidResearchGroup/proxmark3 — Proxmark firmware and tools for low-level RFID/NFC manipulation; MCT complements it for Android-based tag interaction and uses Proxmark documentation
• NfcTools/nfcpy — Python library for NFC tag reading/writing across platforms; MCT is Android-specific but shares similar MIFARE Classic protocol implementation
• IvanLyubushkin/mfcuk — Standalone tool for cracking MIFARE Classic keys via nested authentication; MCT uses dictionary attack instead but serves the same security research community
• AkarshL/mifaretools — Alternative Android MIFARE tool; demonstrates competing approach to block-wise editing and key management on Android platform
• libnfc/libnfc — Cross-platform NFC library that underpins many MIFARE tools; MCT uses Android native NFC API instead but shares protocol understanding

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for MCReader.java core functionality

MCReader.java is a critical component for MIFARE Classic tag reading operations, but there are no visible test files in the repo structure. Adding unit tests would improve code reliability, prevent regressions when refactoring NFC read operations, and help new contributors understand the tag reading logic. This is especially important given the hardware-dependent nature of NFC operations.

• [ ] Create app/src/test/java/de/syss/MifareClassicTool/MCReaderTest.java
• [ ] Add unit tests for key authentication methods in MCReader
• [ ] Add unit tests for sector/block reading and parsing logic
• [ ] Configure build.gradle with JUnit 4 dependency (androidx.test:core)
• [ ] Update CI workflow in .github/workflows/ci.yml to run unit tests

Add instrumented tests for Activities with NFC mock data

The Activities folder contains 25+ UI components (ReadTag.java, WriteTag.java, DumpEditor.java, etc.) but no instrumented tests are visible. Adding Android instrumentation tests would validate UI behavior, data binding, and user interactions with mock NFC data. This helps catch bugs in tag editing workflows and prevents regressions in the user-facing tools.

• [ ] Create app/src/androidTest/java/de/syss/MifareClassicTool/Activities/DumpEditorTest.java as a starter test
• [ ] Add mock NFC tag data fixtures in androidTest/resources/
• [ ] Write tests for data validation in AccessConditionTool.java and ValueBlockTool.java
• [ ] Add build.gradle dependencies: androidx.test.espresso:espresso-core, androidx.test:runner
• [ ] Document how to run instrumented tests in a new TESTING.md file

Create GitHub Actions workflow for APK build verification and security scanning

The existing ci.yml workflow appears minimal. Adding a dedicated build verification workflow would catch build failures early, verify APK generation for both release and debug variants, and integrate basic security scanning (lint warnings are already enabled with -Xlint:unchecked). This prevents broken builds from being released and improves confidence in PR merges.

• [ ] Extend .github/workflows/ci.yml to include './gradlew assembleDebug assembleRelease' verification
• [ ] Add lint analysis step to parse app/lint.xml violations and fail on critical issues
• [ ] Integrate OWASP Dependency-Check action to scan dependencies (androidx libraries)
• [ ] Add step to verify compileSdk 35 and targetSdk 35 compatibility warnings
• [ ] Create separate workflow file .github/workflows/build.yml for clarity if needed

• Add unit tests for MCDiffUtils.java and Common.java hex conversion/BCC calculation logic—no visible test directory exists; would improve maintainability and catch edge cases in data format handling
• Expand COMPATIBLE_DEVICES.md and INCOMPATIBLE_DEVICES.md by creating a user-submission workflow; add NFC chipset information (e.g., PN548, NXP) and Android version compatibility matrix for each device
• Internationalize key dictionary files (std.keys, extended-std.keys, hotel-std.keys) into a properties-based resource system to support regional/organizational key sets without code modification

The MIFARE Classic Tool application has a reasonable security posture for an open-source NFC utility app, but has several areas requiring improvement. The primary concerns are: (1) disabled code obfuscation and resource shrinking in release builds, making reverse engineering easier; (2) low minimum SDK targeting outdated Android versions; and (3) bundled default cryptographic keys. The dependency set is minimal and uses recent versions of maintained libraries, which is positive. The application handles NFC tags and potentially sensitive RFID data, so enabling ProGuard obfuscation and targeting more recent Android versions would significantly improve security. Consider implementing automated dependency vulnerability scanning in the CI/CD pipeline and establishing a formal security disclosure process.

• High · Minification Disabled in Release Build — Mifare Classic Tool/app/build.gradle - buildTypes.release. The build configuration has minifyEnabled set to false for release builds. This means the APK will contain unobfuscated code that is easier to reverse engineer, potentially exposing sensitive logic, hardcoded values, and algorithm implementations. Fix: Enable minification by setting minifyEnabled to true and configure appropriate ProGuard rules to protect sensitive code while maintaining functionality. Use shrinkResources true as well.
• High · Resource Shrinking Disabled — Mifare Classic Tool/app/build.gradle - buildTypes.release. The shrinkResources is set to false in release builds. This increases APK size and may include unused resources that could contain sensitive information or provide additional attack surface. Fix: Enable resource shrinking by setting shrinkResources to true to reduce APK size and remove unused resources.
• Medium · Low Minimum SDK Version — Mifare Classic Tool/app/build.gradle - defaultConfig.minSdk. The application targets minSdk 19 (Android 4.4), which is outdated and lacks many security features available in modern Android versions. Devices running Android 4.4 have known security vulnerabilities and lack modern security APIs. Fix: Increase minSdk to at least 21-23 (Android 5.0+) to leverage modern security features, better SSL/TLS support, and reduce exposure to known vulnerabilities. Consider minSdk 26+ for even better security.
• Medium · Hardcoded Key Files Bundled in App — Mifare Classic Tool/app/src/main/assets/key-files/. The application bundles default MIFARE Classic keys in the assets directory (extended-std.keys, hotel-std.keys, std.keys). While these appear to be standard/known keys for compatibility, having default credentials bundled makes them easily extractable and could facilitate unauthorized tag access if an attacker obtains the APK. Fix: Consider: 1) Documenting that these are well-known standard keys, 2) Allowing users to easily manage/remove unwanted keys, 3) Implementing key obfuscation, 4) Providing secure key storage mechanisms for user-supplied keys.
• Medium · Limited Dependency Updates — Mifare Classic Tool/app/build.gradle - dependencies. The dependencies are using relatively recent versions (androidx.core 1.13.1, appcompat 1.6.1), but the project should implement automated dependency checking. Without continuous dependency scanning, newly discovered vulnerabilities in dependencies may not be identified promptly. Fix: Implement automated dependency vulnerability scanning using tools like Dependabot, Snyk, or OWASP Dependency-Check in the CI/CD pipeline. Review and update dependencies regularly.
• Low · No Explicit Security Policy — Repository root. While not critical, the codebase lacks visible security policies, vulnerability disclosure procedures, or security.txt file for coordinated vulnerability reporting. Fix: Create a SECURITY.md file documenting how security vulnerabilities should be reported. Consider implementing a responsible disclosure policy.
• Low · Compiler Warnings Not Enforced as Errors — Mifare Classic Tool/app/build.gradle - tasks.withType(JavaCompile). The build configuration enables compiler warnings (unchecked, deprecation) but does not enforce them as errors, allowing potentially problematic code to compile successfully. Fix: Consider adding compiler flags like -Werror or -failOnWarning to treat warnings as errors, ensuring developers address potential issues before code reaches production.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.