====== FreakCard ======
{{template>:project:infobox|
name=FreakCard collection|
image=access.jpg|
founder=[[user:niekt0]]|
interested=[[user:sargon]]\\ [[user:biiter]]\\ [[user:jenda]]\\ [[user:ruza]]\\ [[user:lukash]]\\ [[user:stick]]|
hw=various|
sw=various|
}}
~~META:
status = active
~~
The aim of this project is to collect the physical access methods in use today and to analyze the possibilities of reading, copying and emulating their tokens.
As a result, this document should provide a practical guide to working with access tokens.
======= Proxmark =======
The most versatile tool for card reading and emulation is [[http://www.proxmark.org/ | Proxmark3]]. There are two repositories containing code of x86 client, FPGA and ARM firmware:
* old [[https://code.google.com/p/proxmark3/source/checkout | SVN repo from code.google.com]]
* new [[https://github.com/Proxmark/proxmark3 | github repo]]
* [[https://github.com/iceman1001/proxmark3 | iceman's fork]] - needed for full Ultralight EV1 simulation, has some extra Desfire client stuff
The best revision for the OS code is rev 838 from the old SVN repo. Everything I checked that should work does work.
The latest versions of the new repo always leave the bootloader bricked somehow and require JTAG to reflash the old bootloader (even if the full image - bootloader + OS + FPGA image - is flashed). Instructions for unbricking can be found at the end of the [[https://brmlab.cz/project/arm_debugging | ARM debugging]] page.
There is also a library for PC/SC readers that supports many kinds of cards, but you need a specific reader for each card type - https://github.com/islog/liblogicalaccess/wiki
======= Proxmark new versions - RDV4, EVO and pack with PN532 reader with Chameleon mini =======
There are newer, more compact versions of the Proxmark; see the comparison table in the links at the bottom of the page:
* https://lab401.com/collections/hardware/products/proxmark-3-rdv4
* https://lab401.com/collections/hardware/products/proxmark-3-evo
* https://lab401.com/collections/hardware/products/rfid-pentester-pack?variant=12470762307695 (has Proxmark + Chameleon + PN532 reader)
* https://lab401.com/products/chameleon-mini-reve-rebooted
* https://lab401.com/collections/hardware/products/usb-rfid-reader-writer-scl-3711
======= PN532-based readers =======
PN532 based readers:
* https://www.acs.com.hk/en/products/3/acr122u-usb-nfc-reader/
* https://www.acs.com.hk/en/products/109/acr122t-usb-tokens-nfc-reader/
* https://www.adafruit.com/product/789 - there are two board versions, one as Arduino shield, other has different pinout, but are in essence the same
* [[http://nfc-tools.org/index.php/Devices_compatibility_matrix | compatibility matrix with libnfc]]
======= Software for PN532 readers =======
* https://github.com/nfc-tools/libnfc
* https://github.com/nfc-tools/libfreefare
* [[https://github.com/KaiQ/dat | Desfire Access Tool]] - there is ''v2.0'' branch with new stuff and rewrite
====== Decision tree ======
Suppose that you have an unknown token in your hand and you don't know anything about access tokens.
The idiot's guide goes here:
1. Is it contact or contactless? Contact: goto 2, Contactless: goto 100.
2. Does it have only 2 contacts or more? If two, goto 4, if more, goto 10.
4. It is probably a Dallas iButton, using the 1-wire protocol
{{:project:freakcard:ibutton1.png?200|}}
10. It is probably some type of contact smartcard. Can you recognize the access interface? If it is USB (XX picture), goto 15. If it looks like a smart card (XXX picture), goto 20.
15. Deskey? XXX
20. Smartcard, XXX
100. Contactless token. If you see "HID" written somewhere on the token, you may try to go directly to 150. Otherwise go to 101.
101. You need to start reading the token. Try an HF (high frequency) RFID reader and run isotype or lsnfc on the token. Is it recognized? If yes, goto 120. If not, it is probably an LF (low frequency) card. Go to 140.
120. High frequency RFID card. (XXX link) Now determine the type of card. In the output of isotype or lsnfc you should see some identification string. This is hard to describe in an algorithmic way, so use your intelligence and go to 125 or XXX
125. Mifare. In the output of isotype or lsnfc you should see some identification string. If you see the exact type, go to 127, 128 or 129. If not, you can try readmifare1k.
If readmifare1k fails (no "login failed" or "unknown key" messages, but it completely fails to read other sectors), it is probably Mifare Ultralight. Ultralight "cards" tend to be quite small, often flexible. Goto 127. If you can read other sectors, or get "login failed" messages, it is Mifare Classic or Desfire. Try cracking it with mfoc. XXX link
If you succeed, it is Classic, goto 128. Otherwise, it is probably Desfire, goto 129.
127. Mifare UltraLight. See XXX
{{:project:freakcard:mifare_ultralight.jpg?100|}}
128. Mifare Classic. Can have 1K or 4K capacity. See XXX
129. Mifare Desfire. Can have 1K or 4K capacity. See XXX
140. Low frequency RFID card. (XXX picture or link) You need to start reading the token. Try an LF (low frequency) RFID reader and run (on the Proxmark)
lf search
Is it recognized? If not, goto 200.
145. HID
150. EM Microelectronic
200. You are in trouble, the token was not recognized. Try walking the whole tree one more time, maybe you made a mistake. Alternatively, you can try to look at all the pictures in this document and identify the tag visually. Otherwise, it may be a token not known to the authors of this guide, or not available at the time of writing. You are dead, sorry.
====== Tokens used in wild ======
===== RFID =====
==== High Frequency (HF) card ====
Tools:
* nfc-tools ( https://code.google.com/p/nfc-tools/ ),
* nfcutils from nfc-tools contains lsnfc (renamed to "nfc-list" now) for card identification (see https://code.google.com/p/nfc-tools/wiki/nfcutils)
* RFIDIOt ( http://rfidiot.org/ ),
* pcscd (in your distro repository) - required by RFIDIOT and lsnfc
* An alternative to the default pcscd driver (XXX), which seems to time out quite often, is the ACR122U driver (see http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic#ACR122U_driver for more info). We highly recommend the ACR122U driver.
=== MIFARE ===
Mifare cards come in various forms. Here are some examples: a token that can be carried on a keyring, a plain card, and an ISIC card.
{{:project:freakcard:mifare_token.png?170|}}{{:project:freakcard:mifare_plain.png?200|}}{{:project:freakcard:mifare_isic1.png?200|}}{{:project:mifareclassic.jpg?200|}}
== Ultralight ==
{{:project:freakcard:mifare_ultralight.jpg?100 |}}
A very basic device, essentially only a UID transmitter.
Get id:
~> lsnfc
device = ACS ACR38U-CCID 00 00 / ACR122U102 - PN532 v1.4 (0x07)
UID=042cad51962280
* NXP MIFARE UltraLight
1 tag(s) on device.
== Classic ==
Get id: The ID is stored in the first sector, unencrypted (the Answer to Reset contains the UID, so reading block 00 should not be necessary just to get the UID). For example, a Touchatag reader can be used for a quick read of the ID.
lsnfc:
UID=1ca8xxxx
Several possible matches:
* NXP MIFARE Classic 4k
* NXP MIFARE Plus 4k
Full read: Use MFOC from nfc-tools to recover the keys of all encrypted sectors; then the whole card can be read, for example with
./readmifare -r 0
from RFIDIOt, or with
mfoc -P 500 -O dump.file
which dumps the card after cracking all keys as well.
MFOC employs the "nested attack" and requires that at least one of the keys is a default key (i.e. requires one known key). Cracking the first key can be done via Proxmark (may not work if the card is new and has PRNG fixed):
hf mf mifare
After the first key is cracked, Proxmark also has an implementation of nested attack (A0A1A2A3A4A5 is the known key, the "1" stands for 1K card, "0" means the key is for sector 0):
hf mf nested 1 0 A A0A1A2A3A4A5
Scripting the attack is possible via Lua script, see HOWTO [[http://www.swende.se/blog/Proxmark_Scripting_1.html|part 1]] and [[http://www.swende.se/blog/Proxmark_Scripting_2.html|part 2]].
Clone: There is a problem with cloning the first sector. All other sectors can be cloned once decrypted. No completely rewritable cards were available on the market at the time of writing, afaik. You can get 1K and 4K Mifare Classic rewritable cards in many eshops.
== Chinese "Magic" Mifare Classic 1K ==
These Mifare Classic cards have a special HW modification that allows writing block 0, and reading/writing without knowing the A or B key. Writing the first block with the UID (01020304 in this example):
hf mf csetblk 0 01020304040804000910111213141516
The first four bytes of block 0 (sector 0) are the UID.
Important: offset 0x04 is the BCC, which is the XOR of the four preceding UID bytes. If you set a wrong BCC, you may render the card unselectable (i.e. brick it), especially if you use 0x88 as the first byte of the UID, which is the magic number for the "Cascade Tag". It is not possible to emulate more than a 4-byte UID - the card does not support SELECT cascade level 2 (command 0x95).
Offset 0x05 contains the SAK and the two bytes at 0x06 hold the ATQA (by changing the SAK you can make readers believe the card is of a different type). In the above example, SAK 0x08 stands for Mifare Classic and ATQA 0x0004 means the card supports anticollision (mind the reversed byte order).
Reading and writing the Chinese magic Mifare can be done in "unlocked" mode with libnfc's utility nfc-mfclassic:
nfc-mfclassic R A magic.mfd #read whole card without specifying key
nfc-mfclassic W A magic.mfd #write whole card without specifying key, including rewrite of sector 0
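The block 0 layout and the BCC rule from above, worked out in code (an added example, not code from this page or from the Proxmark project; the function names are my own). It assembles the argument for ''hf mf csetblk 0'' from a UID, SAK and ATQA, and checks a block 0 taken from a dump before it is written back, flagging a wrong BCC or a cascade-tag UID:

```python
from functools import reduce
from operator import xor

CASCADE_TAG = 0x88  # reserved first UID byte (cascade tag); a 4-byte UID must never start with it


def bcc(uid: bytes) -> int:
    """Block check character at offset 0x04: XOR of the four UID bytes."""
    return reduce(xor, uid, 0)


def build_block0(uid: bytes, sak: int = 0x08, atqa: int = 0x0004,
                 manufacturer: bytes = bytes(8)) -> bytes:
    """Assemble the 16 bytes written with 'hf mf csetblk 0 <hex>'.

    Layout: UID[4] | BCC | SAK | ATQA (stored little-endian, 0x0004 -> 04 00)
            | 8 manufacturer bytes.  Defaults are the Classic 1K values from the page.
    """
    if len(uid) != 4:
        raise ValueError("magic Classic 1K takes a 4-byte UID only (no cascade level 2)")
    if uid[0] == CASCADE_TAG:
        raise ValueError("UID[0] = 0x88 is the cascade tag; the card would become unselectable")
    if len(manufacturer) != 8:
        raise ValueError("manufacturer data must be 8 bytes")
    return uid + bytes([bcc(uid), sak & 0xFF]) + atqa.to_bytes(2, "little") + manufacturer


def check_block0(block: bytes) -> dict:
    """Parse a block 0 (e.g. from a dump) and report whether it is safe to write back."""
    if len(block) != 16:
        raise ValueError("block 0 is 16 bytes")
    uid = block[:4]
    expected = bcc(uid)
    bcc_ok = block[4] == expected
    has_ct = uid[0] == CASCADE_TAG
    return {
        "uid": uid.hex(),
        "bcc": block[4],
        "bcc_expected": expected,
        "bcc_ok": bcc_ok,
        "sak": block[5],
        "atqa": int.from_bytes(block[6:8], "little"),
        "cascade_tag": has_ct,
        "safe_to_write": bcc_ok and not has_ct,
    }


if __name__ == "__main__":
    # the UID 01020304 example from the page; prints the csetblk argument
    print(build_block0(bytes.fromhex("01020304"),
                       manufacturer=bytes.fromhex("0910111213141516")).hex())
    # the block 0 from the unbricking commands below
    print(check_block0(bytes.fromhex("deadbeef220804004659255849102302")))
```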
Unbricking Chinese Magic Mifare Classic:
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
hf 14a raw -a -p -b 7 40
hf 14a raw -p 43
hf 14a raw -p -c a0 00
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
Alternatively, libnfc has the nfc-mfsetuid utility that can set the UID of the magic card or revert a bad BCC (may not always work). If stuck, put a working normal Mifare card together with the bricked magic Mifare card, then run nfc-mfsetuid (anticollision will work with the first card, but the bricked card will "hear" the change-sector commands).
Proxmark currently implements "chinese backdoor check" as extra functionality (tested on version 2.3.0 from April 2016). It's implemented via 0x40 and 0x43 backdoor commands:
proxmark3> hf 14a reader
UID : 34 79 5f ad
ATQA : 00 04
SAK : 88 [2]
TYPE : Infineon MIFARE CLASSIC 1K
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: YES
== Chinese "Magic" Mifare Classic 4K ==
Block 0 is writable through normal Mifare Classic commands, i.e. there is no special "unlocked" read/write mode as in the "magic Mifare 1K" version.
Writing block 0 with Proxmark, UID 01020304, using key A being FFFFFFFFFFFF:
hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
== UID emulation with Proxmark ==
hf mf sim 123456AB
123456AB is card id in this example.
Proxmark currently has an issue, so you may need to set the emulator memory first:
hf mf eset 0 123456AB112233445566778899001122
to tell Proxmark to use the 8-byte ID. The long number here is the first sector of the card (containing the ID, btw).
* ID emulation works fine, however with the current code there are timing problems with emulation of the whole card.
* If sector data are used to authenticate to a reader, you have to be lucky. If the reader is tolerant enough to wait for the Proxmark, it will work. But most of the time you will run into timing issues with production readers (NXP cards respond in microseconds while the Proxmark does in milliseconds, ouch).
Many Proxmark3 revisions are buggy when it comes to simulation; a known good revision is, for example, old SVN rev 839.
== Desfire ==
Multiple versions available
* MIFARE DESFire D40
* MIFARE DESFire EV1
* MIFARE DESFire EV2
To find out whether you have a Desfire, check the SAK during anticollision. Then use the GetVersion command to see which Desfire version it is.
Has "applications" and several file types, but much more limited than Javacard (read, write, increase, decrease, add record, ..., see specs below). Some features:
* Virtually no limitation on number of applications per PICC (new)
* Up to 32 files in each application (6 file types available: Standard Data file, Back-up Data file, Value file, Linear Record file, Cyclic Record file and Transaction MAC file)
* File size is determined during creation (not for Transaction MAC file)
* DES, 3DES, AES encryption, depending on version
* EV2 supports proximity check against relay and ECC signature for UID (originality check)
Command specifications (non-NDAed), with detailed formats for command data request and response formats: [[https://www.jadaktech.com/skyetekfiles/docs/m2/desfire.pdf]]
Short [[https://www.nxp.com/docs/en/data-sheet/MF3DX2_MF3DHX2_SDS.pdf|MF3D(H)x2 MIFARE DESFire EV2 contactless multi-application IC]]. Contains command list, memory organization, file types, etc.
[[https://github.com/KaiQ/dat|Desfire Access Tool]] - old Qt4 application for accessing and managing Desfire cards. Still works as of Nov 2018, though expect bugs. Uses libfreefare, which in turn uses libnfc and PN53x readers.
Has native and wrapped ISO 7816 command modes: [[https://ridrix.wordpress.com/tag/desfire-commands/]]
Full read: No working crypto attack so far; unencrypted sectors can be read, and you can also try looking for default keys.
Clone: probably requires a full read
Emulate: probably requires a full read
* MF3ICD40 hacked: [[http://www.theregister.co.uk/2011/10/10/mifare_desfire_smartcard_broken/|theregister]], [[http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2011/10/10/desfire_2011_extended_1.pdf|paper]]
Relay: see Relay attack; EV2 spec says it has relay attack protection, but no details.
== Ultralight C, Ultralight EV1 and NTAG2 ==
Compared to the old Ultralight, EV1 adds a 32-bit password for read/write access, an ECC signature (static over the UID, so copyable) and OTP.
Ultralight C has 3DES authentication on top of the Ultralight features.
[[https://www.nxp.com/docs/en/data-sheet/NTAG213F_216F.pdf | NTAG2]] is the successor to NTAG1 and serves as an NFC Forum Type 2 tag. It has an ECC signature, a read counter, a 7-byte UID and a SLEEP mode (enable/disable card).
Proxmark3 can simulate some of the features of Ultralight EV1/C, though the ECC signature seems missing (read works). There is [[https://github.com/iceman1001/proxmark3 | iceman's fork]]
which [[http://www.proxmark.org/forum/viewtopic.php?id=3850 | seems to be able to simulate EV1]].
Ultralight EV1 and NTAG2/1 can be [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | copied onto Magic NTAG21x]] with proxmark.
== Magic NTAG2x, magic Ultralight C and magic Desfire ==
[[http://proxmark3.tictail.com/ | IceSql]] sells "magic" cards to simulate NTAG2/NTAG1, Ultralight EV1 and others.
There is a special [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | Lua script for proxmark to program them]].
Information about the cards from proxmark (hf mfu i):
proxmark3> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight (MF0ICU1)
UID : 11 22 33 55 66 77 88
UID[0] : 11, Emosyn-EM Microelectronics USA
BCC0 : 44, crc should be 88
BCC1 : FF, crc should be CC
Internal : FF, not default
Lock : ff ff - 1111111111111111
OneTimePad : ff ff ff ff - 11111111111111111111111111111111
proxmark3> hf mfu i
--- Tag Information ---------
-------------------------------------------------------------
TYPE : MIFARE Ultralight C (MF0ULC)
UID : 00 00 00 00 00 00 00
UID[0] : 00, no tag-info available
BCC0 : 00, crc should be 88
BCC1 : 00, Ok
Internal : 00, not default
Lock : 00 00 - 0000000000000000
OneTimePad : 00 00 00 00 - 00000000000000000000000000000000
--- UL-C Configuration
Higher Lockbits [40/0x28] : 00 00 00 00 - 0000000000000000
Counter [41/0x29] : 00 00 00 00 - 0000000000000000
Auth0 [42/0x2A] : 00 00 00 00 default
Auth1 [43/0x2B] : 00 00 00 00 read and write access restricted
deskey1 [44/0x2C] : 00 00 00 00 []
deskey1 [45/0x2D] : 00 00 00 00 []
deskey2 [46/0x2E] : 00 00 00 00 []
deskey2 [47/0x2F] : 00 00 00 00 []
3des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
This shop sells [[https://www.rfxsecure.com/product/gen2-uid-changeable-fobs-1k-mf-4k-mf-ul-ul-c-df-ntag21x/ | a lot of different changeable-UID cards and keyfobs, 4-byte and 7-byte, including UID-changeable Desfire]].
== Magic Desfire ==
The "magic Desfire" is far from real Desfire, e.g.
* writing NDEF file seems to succeed, but read fails, you get just zeros
* libfreefare segfaults with the magic Desfire
* any SELECT APDU is responded to with OK, but there are no real applications
In short, waste of money.
Setting UID on magic Desfire with Proxmark:
hf 14a raw -s -c 02 00 ab 00 00 07 UID
== other mifare cards ==
There are some other types of Mifare cards, but they are not widely deployed, at least not in .cz and .sk:
* SmartMX
* DESFire EV1
* Plus
* SAM AV2
see http://en.wikipedia.org/wiki/Mifare for more info.
== Relay attack ==
**All** MIFARE cards are prone to relay attacks (cz: přepojovací útok). It would be interesting to design a low-cost relaying device. Google 'mifare relay attack' for more…
NXP claims that the upcoming DESFire EV2 will have countermeasures against relay attacks, but there is no documentation available as of now.
You need two PN532 devices to use with libnfc and use ''nfc-relay-picc''. There is an issue if you use forwarding over TCP/IP as described in the manual - it doesn't work, [[https://code.google.com/p/libnfc/issues/detail?id=280&colspec=ID%20Type%20Status%20Priority%20Milestone%20Opsys%20Owner%20Summary|see patch]].
You need a third reader if you want to test it (not necessarily PN532). Two devices relay and the third is your "original reader".
If the third device is a Proxmark, you can send APDUs like this (an example of how to read an NFC Forum Type 4 tag):
hf 14a raw -p -b 7 -a 26
hf 14a raw -p 93 20
hf 14a raw -p -c 93 70 88 04 3a 14 a2
hf 14a raw -p 95 20
hf 14a raw -p -c 95 70 82 cc 22 80 ec
hf 14a raw -p -c e0 50
hf 14a raw -p -c 02 00 a4 04 00 07 d2 76 00 00 85 01 01
hf 14a raw -p -c 03 00 a4 00 0c 02 e1 04
hf 14a raw -p -c 02 00 b0 00 00 00
The lines with '93 20' and '95 20' commands contain two halves of Desfire 7-byte UID, 0x88 is the cascading tag. An example with 4-byte UID (happens usually when relaying via nfc-relay-picc) :
hf 14a raw -p -b 7 -a 26
hf 14a raw -p 93 20
hf 14a raw -p -c 93 70 08 3A 14 82 A4
hf 14a raw -p -c e0 50
hf 14a raw -p -c 02 00 a4 04 00 07 d2 76 00 00 85 01 01
hf 14a raw -p -c 03 00 a4 00 0c 02 e1 04
hf 14a raw -p -c 02 00 b0 00 00 00
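The anticollision/SELECT framing in the two command lists above, worked out in code (an added example, not code from this page or from the Proxmark project; the function names are my own). It generates the ''hf 14a raw'' sequence for a 4-byte or 7-byte UID, and rebuilds the UID from captured SELECT frames while checking each BCC:

```python
from __future__ import annotations
from functools import reduce
from operator import xor

CASCADE_TAG = 0x88     # first byte of the cascade level 1 chunk when the UID is longer than 4 bytes
SEL_CL = (0x93, 0x95)  # SELECT command codes for cascade levels 1 and 2


def bcc(chunk: bytes) -> int:
    """Block check character of a 4-byte anticollision chunk (XOR of the bytes)."""
    return reduce(xor, chunk, 0)


def uid_chunks(uid: bytes) -> list[bytes]:
    """Split a UID into the 4-byte chunks sent per cascade level (ISO 14443-3)."""
    if len(uid) == 4:
        return [uid]
    if len(uid) == 7:
        return [bytes([CASCADE_TAG]) + uid[:3], uid[3:]]
    raise ValueError("only 4- and 7-byte UIDs are handled here")


def select_sequence(uid: bytes) -> list[str]:
    """Proxmark 'hf 14a raw' commands: REQA, then ANTICOLLISION + SELECT per
    cascade level, then RATS, in the form the page lists."""
    cmds = ["hf 14a raw -p -b 7 -a 26"]                       # REQA is a 7-bit frame
    for sel, chunk in zip(SEL_CL, uid_chunks(uid)):
        cmds.append(f"hf 14a raw -p {sel:02x} 20")            # ANTICOLLISION, NVB = 0x20
        frame = bytes([sel, 0x70]) + chunk + bytes([bcc(chunk)])
        cmds.append("hf 14a raw -p -c " + " ".join(f"{b:02x}" for b in frame))  # SELECT + CRC
    cmds.append("hf 14a raw -p -c e0 50")                     # RATS
    return cmds


def uid_from_select_frames(frames: list[bytes]) -> bytes:
    """Rebuild the UID from captured SELECT frames (SEL 70 c0 c1 c2 c3 BCC),
    refusing a frame whose BCC does not match its chunk (a damaged capture)."""
    uid = b""
    for sel, frame in zip(SEL_CL, frames):
        if len(frame) != 7 or frame[0] != sel or frame[1] != 0x70:
            raise ValueError(f"not a cascade level {sel:02x} SELECT frame: {frame.hex()}")
        chunk, got = frame[2:6], frame[6]
        if bcc(chunk) != got:
            raise ValueError(f"BCC mismatch: expected {bcc(chunk):02x}, got {got:02x}")
        # the cascade tag is framing, not part of the UID
        uid += chunk[1:] if (sel == 0x93 and chunk[0] == CASCADE_TAG) else chunk
    return uid


if __name__ == "__main__":
    for line in select_sequence(bytes.fromhex("043a1482cc2280")):   # 7-byte UID from the page
        print(line)
    print(uid_from_select_frames([bytes.fromhex("937088043a14a2"),
                                  bytes.fromhex("957082cc2280ec")]).hex())
```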
=== ISO 15693 cards ===
These are vicinity cards on 13.56 MHz that are commonly found on ski lifts. In theory ISO15693 is designed to work up to 1.5 m distance.
Proxmark can read them and so can some android phones.
They contain UID and 4-byte blocks of data. Reading with proxmark can be done with:
pm3 --> hf 15 reader
UID : E0 16 24 66 1E C1 A5 AD
TYPE : EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
pm3 --> hf 15 dump
[=] Using UID as filename
Reading memory from tag UID E0 16 24 66 1E C1 A5 AD
....................................................[-] Tag returned Error 15: Unknown error.
block# | data |lck| ascii
---------+--------------+---+----------
0/0x00 | 3F 08 1A 4D | 0 | ?..M
1/0x01 | 82 18 60 20 | 0 | ..`
2/0x02 | 00 38 00 50 | 0 | .8.P
3/0x03 | 1C 48 33 00 | 0 | .H3.
4/0x04 | 1B 00 00 00 | 0 | ....
5/0x05 | 00 00 00 00 | 0 | ....
6/0x06 | 00 00 00 00 | 0 | ....
7/0x07 | 00 00 00 00 | 0 | ....
8/0x08 | 00 00 00 00 | 0 | ....
9/0x09 | 00 00 00 00 | 0 | ....
10/0x0A | 00 00 00 00 | 0 | ....
11/0x0B | 00 00 00 00 | 0 | ....
12/0x0C | 00 00 00 00 | 0 | ....
13/0x0D | 00 00 00 00 | 0 | ....
14/0x0E | 00 00 00 00 | 0 | ....
15/0x0F | 00 00 00 00 | 0 | ....
16/0x10 | 00 00 00 00 | 0 | ....
17/0x11 | 00 00 00 00 | 0 | ....
18/0x12 | 00 00 00 00 | 0 | ....
19/0x13 | 00 00 00 00 | 0 | ....
20/0x14 | 00 00 00 00 | 0 | ....
21/0x15 | 00 00 00 00 | 0 | ....
22/0x16 | 00 00 00 00 | 0 | ....
23/0x17 | 00 00 00 00 | 0 | ....
24/0x18 | 00 00 00 00 | 0 | ....
25/0x19 | 00 00 00 00 | 0 | ....
26/0x1A | 00 00 00 00 | 0 | ....
27/0x1B | 00 00 00 00 | 0 | ....
28/0x1C | 2A 80 53 42 | 0 | *.SB
29/0x1D | 1F 90 53 42 | 0 | ..SB
30/0x1E | 33 00 00 00 | 0 | 3...
31/0x1F | 00 00 00 00 | 0 | ....
32/0x20 | 00 00 00 00 | 0 | ....
33/0x21 | 00 00 00 00 | 0 | ....
34/0x22 | 00 00 00 00 | 0 | ....
35/0x23 | 00 00 00 00 | 0 | ....
36/0x24 | 00 00 00 00 | 0 | ....
37/0x25 | 00 00 00 00 | 0 | ....
38/0x26 | 00 00 00 00 | 0 | ....
39/0x27 | 00 00 00 00 | 0 | ....
40/0x28 | 00 00 00 00 | 0 | ....
41/0x29 | 00 00 00 00 | 0 | ....
42/0x2A | 22 00 E1 23 | 0 | "..#
43/0x2B | C0 05 1B 01 | 0 | ....
44/0x2C | 4A 5C A0 1D | 0 | J\..
45/0x2D | 1A 30 00 12 | 0 | .0..
46/0x2E | 50 E7 AB EC | 0 | P...
47/0x2F | 60 00 00 00 | 0 | `...
48/0x30 | 00 00 40 7B | 0 | ..@{
49/0x31 | 00 68 20 15 | 0 | .h .
50/0x32 | 00 00 00 00 | 0 | ....
51/0x33 | 00 00 00 00 | 0 | ....
Rfxsecure.com sells magic ISO-15693 cards with a changeable UID. You need either the iso15_magic script from the RRG repo or "hf 15 csetuid" from the official repo. The official repo's client currently segfaults on this, although it seems to change the UID before the segfault (signed/unsigned integer confusion, negative received octet count, etc.). Proxmark developers have abysmal code standards and can't even use tags in repos.
Changing the UID, depending on the repo (you need iso15_magic from RRG + read15.lua, or the segfaulting official repo with "hf 15 csetuid"):
proxmark3> hf 15 reader
#db# 12 octets read from IDENTIFY request:
#db# NoErr CrcOK
#db# 00 00 bf a5 c1 1e 66 24
#db# 16 e0 56 a3
#db# UID = E01624661EC1A5BF
proxmark3> hf 15 csetuid E01624661EC1A5CA
new UID | e0 16 24 66 1e c1 a5 ca
Using backdoor Magic tag function
received -1 octets
Thread 4 "WorkerThread" received signal SIGSEGV, Segmentation fault.
With the magic scripts:
script run iso15_magic.lua -u E004013344556677
Neither is likely to work on the first try. Retry at least 3 times. The same goes for "hf 15 dump" and "hf 15 restore".
Note on cloned ski pass ISO-15693 cards: they have a counter in sector 2, so as soon as your cloned cards desync, one of them will stop working.
==== Low Frequency card ====
Emulation in general: http://www.t4f.org/en/projects/open-rfid-tag/55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :)
proxmark - determine LF card type:
New: You can use command
lf search
Manual way
http://code.google.com/p/proxmark3/wiki/TagOps (outdated, but the principles are still the same)
in short:
proxmark> lf read
proxmark> data samples 2000
proxmark> data plot
XXX
=== HID ===
Usage around: Quite common building access system
Get id/Read:
Put the tag onto the antenna; the following command reads HID tags in a loop:
proxmark3> lf hid fskdemod
Emulate:
proxmark3> lf hid sim 01020304
Clone:
proxmark3> lf hid clone
Cloning requires writable [[http://xfpga.com/html_products/T5557--T5567--T5577-card-125khz-read-writeable-64.html | T55xx]] card.
Proxmark has a standalone mode that will [[http://code.google.com/p/proxmark3/wiki/RunningPM3#Standalone_Mode_-_HID_Prox_emulation | read and then emulate HID Prox card]].
=== EM Microelectronic ===
Usage around: several parking lots in Prague, some building access systems
Get id/Read:
proxmark> lf em4x em410xwatch
The em410xwatch command may not always correctly guess the clock speed on some cards. You might have to specify the clock speed as the last parameter of the 'em410xread' command (may take several tries). Here is an example for a 134 kHz card (note the 'h' after 'lf read'):
proxmark3> lf read h
proxmark3> data samples 40000
proxmark3> lf em4x em410xread 32
Emulate:
Emulation with Proxmark works great
Emulator like this http://www.t4f.org/en/projects/open-rfid-tag/57 in progress ([[user:lukash]] working on it)
EDIT: site is down right now, downloaded data available at http://kyberia.cz/~niekt0/openrfid/ and http://pain.backstep.net/lukash/openrfidtag/
Clone:
XXX This hw works http://www.dealextreme.com/p/125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230
XXX cloning/writing with proxmark?
Cloning to [[http://xfpga.com/html_products/T5557--T5567--T5577-card-125khz-read-writeable-64.html | writable T55xx ]] should work.
=== indala ===
Get id/Read:
proxmark> data samples 1000
proxmark> lf indalademod
Emulate:
Clone:
XXX
=== Paradox ===
Usage around: building access system
This information pertains to model Paradox C704. Full decoding in proxmark is implemented, in the latest git version. The modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:
proxmark3> lf read
proxmark3> data samples 40000
loaded 40000 samples
proxmark3> data plot
proxmark3> lf paradox demod
Paradox TAG ID: 000328176 (Full ID: 0ca05dadf) - FC: 50 - Card: 33142 - Checksum: b7 - RAW: 0f555555a5995566a699a6aa
Emulate:
Latest proxmark code has clone Paradox to T5577 command. Iceman's fork has emulation.
pm3 --> lf paradox sim 50 33142
Simulating Paradox - Facility Code: 50, CardNumber: 33142
=== T55x7 universal emulation card ===
The T55x7 card can be configured to emulate many of the 125 kHz tags. [[http://www.proxmark.org/forum/viewtopic.php?pid=8544#p8544 |Proxmark forum]] gives general configuration and also some specific configurations for common cards.
HID cards have [[https://www.kumari.net/index.php/projects/cloning-and-hid-card | explicit command in Proxmark client]]:
lf hid clone 2006ca4b3b
Similarly, [[https://github.com/Proxmark/proxmark3/wiki/commands | there are builtin commands]] to clone EM410x, Indala cards, for example:
lf indalaclone 50920439d
lf em4x em410xwrite 1a007940fd 1 64
==== Wiegand ====
Wiegand is:
- A specific reader-to-card interface
- A specific binary reader-to-controller interface
- An electronic signal carrying data
- The standard 26-bit binary card data format
- An electromagnetic effect
- A card technology
* [[wp>Wiegand interface]]
* [[http://www.hidglobal.com/documents/understandCardDataFormats_wp_en.pdf]]
* [[http://www.hidglobal.com/technology.php?tech_cat=4&subcat_id=10]]
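The standard 26-bit format listed above, worked out in code (an added example, not code from this page or from HID; the function names are my own). It packs a facility code and card number between the even and odd parity bits, decodes a frame again, and rejects a frame whose parity is wrong, which is the check a controller should make before acting on a read; the sample values are constructed:

```python
from __future__ import annotations


def _parity(value: int) -> int:
    """Number of set bits modulo 2."""
    return bin(value).count("1") & 1


def wiegand26_encode(facility: int, card: int) -> int:
    """Pack an 8-bit facility code and 16-bit card number into a 26-bit frame:
    P_even | FC (8 bits) | CN (16 bits) | P_odd.
    P_even makes the first 13 bits even, P_odd makes the last 13 bits odd."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = (facility << 16) | card          # the 24 data bits
    p_even = _parity(data >> 12)            # covers FC and the upper 4 bits of CN
    p_odd = 1 ^ _parity(data & 0xFFF)       # covers the lower 12 bits of CN
    return (p_even << 25) | (data << 1) | p_odd


def wiegand26_decode(bits: int) -> tuple[int, int]:
    """Unpack a 26-bit frame; raises ValueError when a parity check fails."""
    if bits < 0 or bits >> 26:
        raise ValueError("a Wiegand 26 frame is exactly 26 bits")
    if _parity(bits >> 13) != 0:
        raise ValueError("even parity failed on the leading 13 bits")
    if _parity(bits & 0x1FFF) != 1:
        raise ValueError("odd parity failed on the trailing 13 bits")
    data = (bits >> 1) & 0xFFFFFF
    return data >> 16, data & 0xFFFF


def wiegand26_is_valid(bits: int) -> bool:
    """True when both parity bits check out."""
    try:
        wiegand26_decode(bits)
        return True
    except ValueError:
        return False


def to_bitstring(bits: int) -> str:
    """26-character string, MSB first, in the order the bits appear on the DATA0/DATA1 lines."""
    return format(bits, "026b")


if __name__ == "__main__":
    frame = wiegand26_encode(123, 45678)   # constructed sample values
    print(to_bitstring(frame), wiegand26_decode(frame))
```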
===== Biometric passports with ISO-14443A NFC chip, chip emulation =====
Passports can be read with [[http://rfidiot.org/ | RFIdiot]], e.g.
python2 mrpkey.py -g -R READER_LIBNFC 'L898902C<36908061940619406236<<<<<<<<<<<<<08'
Note the code is old, you need python2 and some patching to make it run.
There is also an attempt at passport emulation - https://is.muni.cz/th/tc83s/ (in Slovak). It has emulation code for the first Proxmark.
Run it in the proxmark3 shell (use the old client, old bootloader, old fullimage):
hf 14a sim 5 01020304
It is quite difficult to build now, and you will definitely need a JTAG adapter, as you would otherwise brick the Proxmark in the process.
Everything on the passport chip is plaintext except the fingerprint.
Prebuilt image (flash bootloader.elf and fullimage.elf in one session):
{{ :project:freakcard:passport_emulator.zip |}}
===== RF Theory and antennas =====
[[http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf|Microchip antenna/coil design guide ]]
[[http://fens.sabanciuniv.edu/telecom/eng/RWL/report.pdf|HF antenna example]]
[[http://www.ti.com/rfid/docs/manuals/appNotes/HFAntennaCookbook.pdf|HF antenna cookbook ]]
[[http://eprint.iacr.org/2006/054.pdf|Low budget RFID skimmer]]
===== Magnetic card =====
{{:project:512px-magnetic_stripe_card_-_hotel_key_card.jpg?nolink&512|}}
Magnetic cards can be read and modified relatively easily.
A typical card contains 2 or 3 tracks, each with a few dozen characters.
More detailed information can be found on [[http://en.wikipedia.org/wiki/Magnetic_card|Wikipedia]]
We made a HIGH POWER magnetic card emulator based on the [[http://www.soniktech.com/sdmce.php|Magnetic card sp00fer ]].
We used [[project:brmduino:start]] for generating the signal so the coil is powered only by 5V (the laptop is just the power source for brmduino). [[project:freakcard:magnetic_card_emulator.pde|Source code download. (magnetic_card_emulator.pde)]]
{{youtube>mOR5NeLRuGQ?medium}}
{{:project:magnetic_card_emulator_civka.jpg?400|}}
Another solution is to use a professional reader/writer.
At brmlab we have an MSR605 reader/writer available, supporting 3 tracks and working under Linux.
[[http://www.triades.net/msr605-driver.html|Userland driver and documentation available here]]
Reading values from the card:
$ python msr.py -r -d /dev/ttyUSB0
1=None
2=;1234567890?
3=None
Writing values to the card:
$ python msr.py -w -d /dev/ttyUSB0 -t 23 --write "1234" "5678"
===== iButton =====
Pictures of SALTO iButton, typically used as an access token.
{{:project:freakcard:ibutton1.png?200|}}{{:project:freakcard:ibutton2.png?200|}}
=== DS1990A - 64 Bit ID (in fact only 56 bits are used) ===
Datasheet here: http://www.maxim-ic.com/datasheet/index.mvp/id/2829
Get id (~= read): It is very easy to read this tag with an Arduino; the OneWire library makes it even easier, downloadable here: http://www.pjrc.com/teensy/td_libs_OneWire.html
Schematics:
http://tushev.org/images/stories/arduino/scheme4ibutton.png (forget the display, code has been modified for Serial only!)
Code for Arduino:
#include <OneWire.h>            // http://www.pjrc.com/teensy/td_libs_OneWire.html
OneWire ds(12);                 // 1-wire bus on digital pin 12
byte addr[8];                   // ROM code: family code, 6-byte serial, CRC8
String keyStatus = "";
void setup(void) {
  Serial.begin(115200);
}
void loop(void) {
  Serial.println("Reading now..");
  getKeyCode();
  if (keyStatus == "ok") {
    for (int j = 0; j < sizeof(addr); j++) {
      Serial.print(addr[j], HEX);
      if (j < sizeof(addr) - 1) Serial.print(":");   // "1:AA:BB:..." as in the output below
    }
    Serial.println();
  }
  delay(1000);                                       // added: one read per second
}
// Search the bus for one device and verify its ROM CRC.
// (This function was cut off in the original listing; the body here is reconstructed from the OneWire API.)
void getKeyCode() {
  keyStatus = "";
  ds.reset_search();
  if (!ds.search(addr)) return;                      // no iButton on the contacts
  keyStatus = (OneWire::crc8(addr, 7) == addr[7]) ? "ok" : "crc error";
}
Example output:
Reading now..
Reading now..
1:AA:BB:CC:DD:EE:FF:2F
Reading now..
Explanation:
**0x1** - 1 byte - Tag identifier \\
**0xAA - 0xFF** - 6 bytes - UID itself \\
**0x2F** - 1 byte - CRC8 over previous 7 bytes \\
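The ROM layout explained above, checked in code (an added example, not code from this page or from the OneWire library; the function names are my own). It parses the sketch's output lines, recomputes the Dallas 1-Wire CRC8 over the first 7 bytes and flags a corrupted read; the sample output is constructed, with the second line deliberately damaged:

```python
from __future__ import annotations

DS1990A_FAMILY = 0x01   # family code of the DS1990A serial-number iButton

# constructed sample: two reads as the sketch above prints them, the second one corrupted
SAMPLE_OUTPUT = """Reading now..
1:AA:BB:CC:DD:EE:FF:2F
Reading now..
1:AA:BB:CC:DD:EE:FF:2E
"""


def onewire_crc8(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC8: x^8 + x^5 + x^4 + 1, LSB first (0x8C), init 0."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 0x01
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def parse_rom(line: str) -> dict:
    """'1:AA:BB:CC:DD:EE:FF:2F' -> family code, 6-byte serial, CRC and CRC check."""
    rom = bytes(int(part, 16) for part in line.strip().split(":"))
    if len(rom) != 8:
        raise ValueError("a 1-Wire ROM code is 8 bytes")
    return {
        "family": rom[0],
        "is_ds1990a": rom[0] == DS1990A_FAMILY,
        "serial": rom[1:7].hex().upper(),
        "crc": rom[7],
        "crc_ok": onewire_crc8(rom[:7]) == rom[7],
    }


def parse_output(text: str) -> list[dict]:
    """Pick the ROM lines out of the sketch's serial output and parse each one."""
    return [parse_rom(line) for line in text.splitlines() if ":" in line]


if __name__ == "__main__":
    for rec in parse_output(SAMPLE_OUTPUT):
        print(rec)
```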
Emulation:
nice emulation for ID-only iButtons: http://www.reteam.org/board/showthread.php?t=1332
Writing/cloning: http://www.youtube.com/watch?v=KBX_BcFEcAI XXX
===== Contact Smart cards =====
smart card emulator project ...
http://www.amendae.com/
What Wikipedia tells us about ISO/IEC 7816:
http://en.wikipedia.org/wiki/ISO/IEC_7816
===== Biometric sensors =====
==== Fingerprints ====
==== Iris recognition ====
==== Retinal scan ====
==== Voice recognition ====
===== Pinpads =====
===== Mechanical safes =====
Electronic stethoscope - http://siliconchip.com.au/cms/A_112547/article.html
===== Physical keys ;) =====
Proof of concept for printing FAB keys:
http://kyberia.cz/~niekt0/fap-fap
TODO: OpenScad program to be released under gnu-gpl,
input: long/short, profile number (int), key combination (from 00000 to 99999)
ala http://eclecti.cc/hardware/physical-keygen-duplicating-house-keys-on-a-3d-printer
TODO: key combination extraction from photography,
ala http://vision.ucsd.edu/~blaxton/sneakey.html
===== HW available in brmlab =====
* HF reader/writer Touchatag (for mifare cards), (+1 niekt0, +1 lukash), Mifare Classic cards ([[user:ruza]])
* Proxmark + LF & HF antenna (niekt0, lukash)
* Reprap(s)
* Eclo 1 wire USB reader (niekt0)
* DIY magnetic strip reader/writer
* OMRON V3A-1K magnetic stripe reader ([[user:lukash]] - let me know if you want to try something out) - works great as a reader with Arduino, code for reading: [[project:freakcard:omron_binary_read.pde|omron_binary_read.pde]], you can then easily interpret these binary data, it only depends whether it's ALPHA or NUMERIC encoded, refer to [[project:freakcard:magstripe.txt|this paper]] to read more. You can use scripts to parse these data: [[project:freakcard:parse_alpha.php|parse_alpha.php]] and [[project:freakcard:parse_numeric.php|parse_numeric.php]]
===== HW missing in brmlab =====
* 1 wire emulator
* http://www.dealextreme.com/p/125khz-rfid-card-copier-duplicator-with-writable-rfid-card-and-keychain-standalone-operation-17230 ?
===== Links =====
* [[http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf|Anatomy of a subway hack]] - cool presentation about pentesting
* http://tomsik.eu/taxonomy/term/13
* http://mobil.idnes.cz/staci-sikovny-mobil-a-v-plzni-budete-jezdit-zadarmo-fxl-/mob_tech.aspx?c=A110413_150023_mob_tech_hro
* http://www.smartcardforum.cz/prezentation/ke_stazeni/06_Tomas_Rosa_Cervi_diry_v_RFID.pdf
* [[https://www.abclinuxu.cz/clanky/vikend-na-strahove-pocitacova-bezpecnost-a-historie#utok-postrannimi-kanaly-aneb-diferencialni-odberova-analyza-jiri-bucek|Differential power analysis]]
* [[http://secreg.utko.feec.vutbr.cz/sites/default/files/RFID_rosa_v2.pdf|Selected aspects of RFID security]]
* [[http://crypto.hyperlink.cz/cryptoprax.htm|Sdělovací technika: Cryptology for practice]]
* [[http://crypto.hyperlink.cz/picnic.htm|PicNic - yet another emulator/spyware for HF RFID]]
* [[http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic|RFID_Cooking_with_Mifare_Classic]]
* [[http://www.acs.com.hk/en/products/109/acr122t-usb-tokn-nfc-reader/|ACR122T USB reader with PN532 PIN]] (functional equivalent of Touchatag)