Project

General

Profile

Actions

Open Source RFID Tool Collection

Welcome to the RFID Tools Project

This site aims to provide a compilation of open source RFID Tools in a "ready to use" software packages.

Downloads

USB-Stick Image
attachment:rfid_tool_usb_stick.img

Ubuntu .deb for x64
rfid-tools_1.0.0_amd64.deb

RFID Reader Hardware

The provided tools were tested for the ACS122u NFC reader alias "touchatag". The tools should also work with any other reader supported by libnfc.

Where to buy a reader?

ACS122u "touchatag"

HURRY! The "touchatag" reader can be purchased with the touchatag project for €19,99 until 31.12.2012. Afterwards it will be more difficult (and possibly more expansive) to get a decent NFC reader to use with the current open source RFID tools.
http://store.touchatag.com/acatalog/touchatag_starter_pack.html

Other libnfc Readers

In general all readers that are supported by libnfc are supported by your tools. Readers are not always cheap and easy to find. Probably the best way is to check ebay or alibaba.

Proxmark

The Proxmark reader can be freely programmed to read and emulate 13,56 MHz and 125 kHz tags. It is the most flexible reader device but also the hardest to program and use.

Shops that ship Proxmark are listed here: http://www.proxmark.org/order

Tools

NOTICE: These tools are not running inside virtual machines as far as we know. There are USB timing problems communicating with the reader.

RFID Tools as .deb

  • binary .deb Package for Ubuntu x64 only
  • containing mfok, fcuk and RFIDLab
  • download rfid-tools_1.0.0_amd64.deb
  • install prequesists:
     sudo apt-get install pcscd
  • edit /etc/libccid_Info.plist
    <key>ifdDriverOptions</key>
    <string>0x0004</string>
  • install:
     sudo dpkg -i rfid-tools_1.0.0_amd64.deb 

Bootable USB-Stick image

  • bootable Debian USB-Stick image file
  • containing mfoc, fcuk, RFIDLab and the cyberflex-shell
  • download attachment:rfid_tool_usb_stick.img
  • write to USB-Stick:
     sudo dd if=rfid-tools_usb.img of=/dev/sdX bs=4096 count=262144 
  • user: root pw: toor

Tutorials

Key Recovery on Mifare Classic

The short summary is:
Mifare Classic 1k card is organized in 16(0 until 15) sectors with 4(0 until 3) Blocks each with 16 bytes each.
Every 4th Block contains Keys A and B and accessbits, which set the rights to access the according sector.

mfcuk

  • Can be used if all keys on a Card have been set to non default keys
  • Takes ~20 min to recover one key
  • Recover a key of a single sector:
    mfcuk -C -v 1 -R 0:A

    This will recover the key of the first sector(A), which can now be used to recover all keys with mfoc

mfoc

  • Can be used if at least one key on the Card is a default key and dump the cards content:
    mfoc -O out.mfd
  • or if one key already have been recovered with mfcuk
    mfoc -O out.mfd -K [KEY]

Editing Mifare Classic Cards

RFIDLab

  • Get the current dump as *.mfd file
  • Dump the card you want to edit.
  • Use mfoc or, if the card doesn't use any default keys use mfcuk.

Editing and writing back to the card

Start by using RFID-LABS with:

rl

You can always see the menu again with
?

Enter mifare classic terminal:
c

Maybe you have to adjust the size of the console to see the entire menu.
Import the dumped card
n
. Use the *.mdf fiel you made in Step 1.
Look whether you have the rights, to write onto the blocks, you want to change
L
then
Y

If you have the rights good, if not look in the table, whether you have the rights to change the accesbits.
If you have the rights to change the accessbits, do it with
I

If you don't have the rights to change the accessbits and can't write values to the desired block you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of Sector 0 Block 0.
Now that you have the rights to write to the block start editing the values on the card.
Edit the values in the buffer content with
E
or
B
to the values you wish.
Edit the values with the commands shown, if you make a mistake you can always recover the buffer, before you save.
Afterwards don't forget to save with
S
, before you leave with
X

Then write the buffer content to the card with
H

You can verify your work with <V>, note that Blocks with keys are often falsfully recognized as wrong because keys can
't always be read. So just look for your block.
If necessary for your application, you now have to change the accesbits back to normal.

Done!

Complete card modifications can either be made step by step with the above method or by using a common hexeditor to change all values in your dump to the desired ones (maybe values from a dump from a card you want to clone), before importing it into rfid-lab. But be careful not to overwrite the key and accessbits block, because rfid-lab needs real ones for accessing the card.

You also have the option to use a changeable-uid-mifare card. These are counterfied mifare-cards which are available on the chinese market. The changeable-uid function originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing mifare card.

Changing the UID

The UID is stored in sector 0, block 0 right at the beginning but it is a non writeable section. This is also the same with the chinese mifare card so special commands are required. Fortunately this is all mainline and when you have a properly installed libnfc on your computer you already have all the necessary tools installed.

First look up the original card:

$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  

Then lay down the chinese card and to this:

$ nfc-mfsetuid deadbeef

And now the uid should be changed:

$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  

Reading Passports

cyberflex-shell

The cyberflex-shell is only available on USB-Stick Package or from github

  • Start X
     startx 
  • Open xterm an start the passport reader application
     cd cyberflex-shell
     ./readpass -i -r 1
  • Type the second line of the MTR into the correspondent form an click "open"

Licenses and Credits

mfoc
mfoc is available under GPLv3 at https://code.google.com/p/nfc-tools/source/browse/trunk/mfoc/src/mfoc.c?r=977

mfcuk
mfcuk is available under GPLv2 at https://code.google.com/p/mfcuk/

RFIDLab
RFIDLab is available under GPLv2 at http://runningserver.com/?page=runningserver.content.download.rfidlab

cyberflex-shell
cyberflex-shell is available under GPLv2 at https://github.com/henryk/cyberflex-shell

Updated by Peter over 8 years ago · 17 revisions