[[FreakCard]]
 

Differences



project:freakcard [2012/10/09 11:28]
stick added Wiegand
project:freakcard [2014/07/02 22:06] (current)
abyssal [High Frequency (HF) card]
Line 75: Line 75:
 Tools: Tools:
   * nfc-tools ( https://​code.google.com/​p/​nfc-tools/​ ),    * nfc-tools ( https://​code.google.com/​p/​nfc-tools/​ ), 
-  * nfcutils from nfc-tools contains lsnfc for card identification (see https://​code.google.com/​p/​nfc-tools/​wiki/​nfcutils)+  * nfcutils from nfc-tools contains lsnfc (renamed to "​nfc-list"​ now) for card identification (see https://​code.google.com/​p/​nfc-tools/​wiki/​nfcutils)
   * RFIDIOt ( http://​rfidiot.org/​ ),    * RFIDIOt ( http://​rfidiot.org/​ ), 
   * pcscd (in your distro repository) - required by RFIDIOT and lsnfc   * pcscd (in your distro repository) - required by RFIDIOT and lsnfc
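Review bot: the tool list is left inconsistent by the rename on the nfcutils line: the pcscd entry still says it is "required by RFIDIOT and lsnfc", so it should say nfc-list (or "lsnfc/nfc-list") to match the line above it. The same project is also spelled "RFIDIOt" on one line and "RFIDIOT" on the next; pick one spelling.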
Line 121: Line 121:
 dumps the card after cracking all keys as well. dumps the card after cracking all keys as well.
  
-Clone: There is problem with cloning ​first sector. All other sectors ​can be cloned, once decrypted. No completly rewritable cards available on the market now afaik. XXX see http://​www.proxmark.org/​forum/​viewtopic.php?​id=896 , but email provided there is not responding.+MFOC employs the "​nested attack"​ and requires that at least one of the keys is a default key (i.e. requires one known key). Cracking the first key can be done via Proxmark (may not work if the card is new and has PRNG fixed):
  
-Emulate:+<​code>​ 
 +hf mf mifare 
 +</​code>​
  
-ID emulation ​with proxmark:+After the first key is cracked, Proxmark also has an implementation of nested attack (A0A1A2A3A4A5 is the known key, the "​1"​ stands for 1K card, "​0"​ means the key is for sector 0): 
 + 
 +<​code>​ 
 +hf mf nested 1 0 A A0A1A2A3A4A5 
 +</​code>​ 
 + 
 +Scripting the attack is possible via Lua script, see HOWTO [[http://​www.swende.se/​blog/​Proxmark_Scripting_1.html|part 1]] and [[http://​www.swende.se/​blog/​Proxmark_Scripting_2.html|part 2]]. 
 + 
 +Clone: There is problem ​with cloning first sector. All other sectors can be cloned, once decrypted.<​del>​ No completly rewritable cards available on the market now afaik</​del>​. You can get 1K and 4K mifare classic rewritable cards on many eshops. 
 + 
 +== Chinese "​Magic"​ Mifare Classic 1K == 
 + 
 +These Mifare Classic cards have a special HW modification that allows writing block 0 and read/write without knowing A|B key. Writing the first block with UID (01020304 here in sample): 
 + 
 +<​code>​ 
 +hf mf csetblk 0 01020304040804000910111213141516 
 +</​code>​ 
 + 
 +First four bytes of sector 0 are the UID. 
 + 
 +Important: offset 0x04 is BCC, which is XOR of four previous UID bytes. If you set wrong BCC, you may render the card unselectable (=brick it). Especially if you use first byte of UID 0x88, which is magic number for "​Cascading Tag". It is not possible to emulate more than 4-byte UID - the card does not support SELECT cascading level 2 (command 0x95). 
 + 
 +Offset 0x5 contains SAK, two bytes at 0x06 denote ATQA (you might fool readers that card is of different type by changing SAK). In the above example, SAK 0x8 stands for Mifare Classic, ATQA 0x0004 means that anticollision is supported by the card (mind the reversed byte order). 
 + 
 +Reading and writing chinse magic mifare can be done in "​unlocked"​ mode with libfnc'​s utility nfc-mfclassic:​ 
 + 
 +<​code>​ 
 +nfc-mfclassic R A magic.mfd ​ #read whole card without specifying key 
 +nfc-mfclassic W A magic.mfd ​ #write whole card without specifying key, including rewrite of sector 0 
 +</​code>​ 
 + 
 +Unbricking Chinese Magic Mifare Classic: 
 + 
 +If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark: 
 + 
 +<​code>​ 
 +hf 14a raw -a -p -b 7 40 
 +hf 14a raw -p 43 
 +hf 14a raw -p -c a0 00 
 +hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02 
 +</​code>​ 
 + 
 +Alternatively,​ libfnc has nfc-mfsetuid utility that can set UID of the magic card or can revert bad BCC (may not always work). If stuck, put together a working normal Mifare card and a bricked magic Mifare card, then run nfc-mfsetuid (anticollision will work with first card, but the bricked card will "​hear"​ the change sector commands). 
 + 
 +== Chinese "​Magic"​ Mifare Classic 4K == 
 + 
 +Block 0 is writable through normal Mifare Classic commands, i.e. there is not special "​unlocked"​ read/write like in "magic Mifare 1k" version. 
 + 
 +Writing block 0 with Proxmark, UID 01020304, using key A being FFFFFFFFFFFF:​ 
 + 
 +<​code>​ 
 +hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000 
 +</​code>​ 
 + 
 +Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it). 
 + 
 +== UID emulation with Proxmark ==
  
 <​code>​ <​code>​
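Review bot: the 4K write example `hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000` zeroes the SAK byte at offset 0x05 and the ATQA bytes at 0x06-0x07, which contradicts the explanation given a few lines earlier that these bytes tell a reader what kind of card it is talking to (the 1K example keeps `08 04 00` there); either carry the card's own bytes after the BCC in the example or state explicitly that the rest of block 0 is deliberately left blank and what the consequence is. The BCC bytes themselves check out (01^02^03^04 = 04 in both examples, de^ad^be^ef = 22 in the unbricking sequence), so it would help to say that in the text next to the "XOR of four previous UID bytes" rule, since a wrong value bricks the card. Smaller points in the same hunk: "libfnc" (twice) should be libnfc, "chinse" and "completly" are typos, and "there is not special" should read "there is no special".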
Line 141: Line 199:
 with emulation of whole card. with emulation of whole card.
   * If sector data are used to auth to a reader you have to be lucky. If a reader is tolerant enough to wait for Proxmark, it'll work. But most of the times you'll run into timing issues with production readers (NXP cards respond in microseconds while Proxmark does in milliseconds,​ auch)   * If sector data are used to auth to a reader you have to be lucky. If a reader is tolerant enough to wait for Proxmark, it'll work. But most of the times you'll run into timing issues with production readers (NXP cards respond in microseconds while Proxmark does in milliseconds,​ auch)
 +
 +Many of proxmark3 revisions are buggy when it comes to simulating, known good revision is for example old SVN rev 839.
  
 == Desfire == == Desfire ==
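Review bot: "known good revision is for example old SVN rev 839" tells the reader one revision that works but not which ones are known to fail, so the warning cannot be acted on; name the revision(s) that were tried and showed the simulation bug (or at least the one in use at brmlab) alongside the working one. Wording: "Many of proxmark3 revisions" should read "Many proxmark3 revisions".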
Line 181: Line 241:
 **All** MIFARE cards are prone to relay attack (cz: přepojovací útok). It will be interresting to design a low-cost relaying device. Google '​mifare relay attack'​ for more… **All** MIFARE cards are prone to relay attack (cz: přepojovací útok). It will be interresting to design a low-cost relaying device. Google '​mifare relay attack'​ for more…
  
-XXX http://www.eng.tau.ac.il/~yash/kw-usenix06/+You need two PN532 devices to use with libnfc and use ''​nfc-relay-picc''​. There is an issue if you use forwarding over TCP/IP as described in the manual - it doesn'​t work, [[https://code.google.com/p/libnfc/issues/​detail?​id=280&​colspec=ID%20Type%20Status%20Priority%20Milestone%20Opsys%20Owner%20Summary|see patch]].
  
-  * RFID LAB @ FIT ČVUT has required hardware! Try to contact them?+You need a third reader if you want to test it (not necessarily PN532). Two devices relay and the third will be your "​original reader"​ 
 + 
 +If the third device is Proxmark, you can send APDUs like this (an example how to read NDEF 4 Forum tag) : 
 + 
 +<​code>​ 
 +hf 14a raw -p -b 7 -a 26 
 +hf 14a raw -p 93 20 
 +hf 14a raw -p -c 93 70 88 04 3a 14 a2 
 +hf 14a raw -p 95 20 
 +hf 14a raw -p -c 95 70 82 cc 22 80 ec 
 +hf 14a raw -p -c e0 50 
 +hf 14a raw -p -c 02  00  a4  04  00  07  d2  76  00  00  85  01  01 
 +hf 14a raw -p -c 03  00  a4  00  0c  02  e1  04 
 +hf 14a raw -p -c 02  00  b0  00  00  00 
 +</​code>​ 
 + 
 +The lines with '93 20' and '95 20' commands contain two halves of Desfire 7-byte UID, 0x88 is the cascading tag. An example with 4-byte UID (happens usually when relaying via nfc-relay-picc) : 
 + 
 +<​code>​ 
 +hf 14a raw -p -b 7 -a 26 
 +hf 14a raw -p 93 20 
 +hf 14a raw -p -c 93 70 08 3A 14 82 A4 
 +hf 14a raw -p -c e0 50 
 +hf 14a raw -p -c 02  00  a4  04  00  07  d2  76  00  00  85  01  01 
 +hf 14a raw -p -c 03  00  a4  00  0c  02  e1  04 
 +hf 14a raw -p -c 02  00  b0  00  00  00 
 +</​code>​
 ==== Low Frequency card ==== ==== Low Frequency card ====
 Emulation in general: http://​www.t4f.org/​en/​projects/​open-rfid-tag/​55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :) Emulation in general: http://​www.t4f.org/​en/​projects/​open-rfid-tag/​55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :)
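Review bot: the sentence "The lines with '93 20' and '95 20' commands contain two halves of Desfire 7-byte UID" points at the wrong lines: `93 20` and `95 20` are the anticollision requests, which carry no UID and make the card answer with its UID part and BCC; the UID halves (`88 04 3a 14` with the 0x88 cascade tag, then `82 cc 22 80`) are on the `93 70` and `95 70` SELECT lines, each followed by its BCC byte (a2 and ec, which do match the XOR rule given in the Mifare Classic section). The text should also say that the UID and BCC bytes in both sequences belong to the specific card that was tested and must be replaced, with the BCC recomputed, before the sequence is reused against another tag. Minor: the sentence ending with your "original reader" is missing its period, and "interresting" in the context line above is a typo.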
Line 192: Line 278:
 in short: ​ in short: ​
 <​code>​ <​code>​
-proxmark> ​hw tune+proxmark> ​lf read
  
 proxmark>​ data samples 2000 proxmark>​ data samples 2000
Line 205: Line 291:
  
 Get id/​Read: ​ Get id/​Read: ​
 +
 +Put tag onto the antenna, following code will read HID tags in a loop:
 +
 +<​code>​
 +proxmark3>​ lf hid fskdemod
 +</​code>​
 +
  
 Emulate: Emulate:
 +<​code>​
 +proxmark3>​ lf hid sim 01020304
 +</​code>​
  
 Clone: Clone:
 +<​code>​
 +proxmark3>​ lf hid clone
 +</​code>​
  
-XXX+Cloning requires writable [[http://​xfpga.com/​html_products/​T5557--T5567--T5577-card-125khz-read-writeable-64.html | T55xx]] card. 
 + 
 +Proxmark has a standalone mode that will [[http://​code.google.com/​p/​proxmark3/​wiki/​RunningPM3#​Standalone_Mode_-_HID_Prox_emulation | read and then emulate HID Prox card]].
  
 === EM Microelectronic === === EM Microelectronic ===
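Review bot: `lf hid clone` is shown without the ID to write, whereas the matching `lf hid sim 01020304` carries one; the clone example should show the ID argument in the same form so the reader does not run the command bare and wonder what it wrote. Also "following code will read HID tags in a loop" describes a single command, so "command" fits better than "code".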
Line 219: Line 320:
 <​code>​ <​code>​
 proxmark>​ lf em4x em410xwatch proxmark>​ lf em4x em410xwatch
 +</​code>​
 +
 +The em410xwatch command may not always correctly guess the clock speed on some cards. You might have to specify clock speed as last parameter of  '​em410xread'​ command (may take several tries). Here is an example for a 134 kHz card (note the '​h'​ after 'lf read')
 +
 +<​code>​
 +proxmark3>​ lf read h
 +proxmark3>​ data samples 40000
 +proxmark3>​ lf em4x em410xread 32
 </​code>​ </​code>​
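Review bot: the 134 kHz example should say what the trailing `32` in `lf em4x em410xread 32` means (the bit clock divider, RF/32 here, that em410xwatch otherwise tries to guess) and which other values are worth trying when the first attempt fails, since the text only says it "may take several tries"; likewise the `h` in `lf read h` deserves a word, as it selects the 134 kHz carrier instead of the default 125 kHz. The sentence "specify clock speed as last parameter of 'em410xread' command (may take several tries)" is also missing its period after the parenthetical.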
  
Line 232: Line 341:
 XXX This hw works http://​www.dealextreme.com/​p/​125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230 XXX This hw works http://​www.dealextreme.com/​p/​125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230
 XXX cloning/​writing with proxmark? ​ XXX cloning/​writing with proxmark? ​
 +
 +Cloning to [[http://​xfpga.com/​html_products/​T5557--T5567--T5577-card-125khz-read-writeable-64.html | writable T55xx ]] should work.
  
 === indala === === indala ===
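Review bot: "Cloning to writable T55xx should work" is untested wording placed directly under the context line "XXX cloning/writing with proxmark?", which still marks this as an open question; either keep the XXX until someone has written a T55xx with Proxmark and records the command used, or state that it was tried and with which revision. The HID section above links the same T55xx product page, so one of the two could simply point to the other.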
Line 259: Line 370:
   * [[wp>​Wiegand interface]]   * [[wp>​Wiegand interface]]
   * [[http://​www.hidglobal.com/​documents/​understandCardDataFormats_wp_en.pdf]]   * [[http://​www.hidglobal.com/​documents/​understandCardDataFormats_wp_en.pdf]]
 +  * [[http://​www.hidglobal.com/​technology.php?​tech_cat=4&​subcat_id=10]]
  
 ===== Radio chips XXX ===== ===== Radio chips XXX =====
Line 280: Line 392:
  
 ===== Magnetic card ===== ===== Magnetic card =====
 +
 +{{:​project:​512px-magnetic_stripe_card_-_hotel_key_card.jpg?​nolink&​512|}}
 +
 +Magnetic cards can be relatively easily readed and modified.
 +Typicall card contains 2 or 3 track, each with few dozens of characters.
 +More detailed information can be found on [[http://​en.wikipedia.org/​wiki/​Magnetic_card|Wikipedia]]
  
 We made a HIGH POWER MagneticCard emulator based on [[http://​www.soniktech.com/​sdmce.php|MAgnetic card sp00fer ]]. We made a HIGH POWER MagneticCard emulator based on [[http://​www.soniktech.com/​sdmce.php|MAgnetic card sp00fer ]].
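Review bot: spelling and grammar in the added paragraph: "readed" should be "read", "Typicall card contains 2 or 3 track" should be "A typical card contains 2 or 3 tracks", and the Wikipedia sentence is missing its period. "few dozens of characters" is vague; saying what the tracks hold (the MSR605 read output later on the page shows track 2 as `;1234567890?`) would make the paragraph useful on its own.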
Line 288: Line 406:
 {{:​project:​magnetic_card_emulator_civka.jpg?​400|}} {{:​project:​magnetic_card_emulator_civka.jpg?​400|}}
  
 +Another solution is to use professional reader/​writer.
 +At brmlab, we have available MSR605 reader/​writer
 +supporting 3 tracks, working under Linux.
 +
 +[[http://​www.triades.net/​msr605-driver.html|userland driver and documentation available here]]
 +
 +Reading values from the card:
 +
 +<​code>​
 +$ python msr.py -r -d /​dev/​ttyUSB0
 +1=None
 +2=;​1234567890?​
 +3=None
 +</​code>​
 +
 +Writing values to the card:
 +
 +<​code>​
 +$ python msr.py -w -d /​dev/​ttyUSB0 -t 23 --write "​1234"​ "​5678"​
 +</​code>​
  
  
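Review bot: the write example `python msr.py -w -d /dev/ttyUSB0 -t 23 --write "1234" "5678"` passes the track data without the start and end sentinels that appear in the read output (`2=;1234567890?`), so the text should say whether msr.py adds the sentinels and LRC itself or whether the user is expected to supply them; the read output suggests the former, but nothing on the page states it. It is also worth spelling out what `-t 23` means (presumably tracks 2 and 3, matching the two values given) and that the read output format is `track=data`, with `None` for a track that is empty or unreadable.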
Line 421: Line 559:
 ===== HW missing in brmlab ===== ===== HW missing in brmlab =====
  
-  * Proxmark HF antenna made of wire only, no PCB (might be useful in some situations) 
   * 1 wire emulator   * 1 wire emulator
   * http://​www.dealextreme.com/​p/​125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230 ?   * http://​www.dealextreme.com/​p/​125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230 ?
Line 436: Line 573:
   * [[http://​crypto.hyperlink.cz/​picnic.htm|PicNic - yet another emulator/​spyware for HF RFID]]   * [[http://​crypto.hyperlink.cz/​picnic.htm|PicNic - yet another emulator/​spyware for HF RFID]]
   * [[http://​www.backtrack-linux.org/​wiki/​index.php/​RFID_Cooking_with_Mifare_Classic|RFID_Cooking_with_Mifare_Classic]]   * [[http://​www.backtrack-linux.org/​wiki/​index.php/​RFID_Cooking_with_Mifare_Classic|RFID_Cooking_with_Mifare_Classic]]
 +  * [[http://​www.acs.com.hk/​en/​products/​109/​acr122t-usb-tokn-nfc-reader/​|ACR122T USB reader with PN532 PIN]] (functional equivalent of Touchatag)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported