Project

General

Profile

Wiki » History » Version 12

Peter, 12/29/2012 07:03 PM

1 11 Karsten
h1. Open Source RFID Tool Collection
2 2 Peter
3
*Welcome to the RFID Tools Project*
4
5 10 Karsten
This site aims to provide a compilation of open source RFID Tools in a "ready to use" software packages.
6 2 Peter
7 8 Peter
{{toc}}
8
9 6 Peter
*Downloads*
10
11 7 Peter
USB-Stick Image
12 9 Peter
attachment:rfid_tool_usb_stick.img
13 7 Peter
14 6 Peter
Ubuntu .deb for x64
15 9 Peter
attachment:rfid-tools_1.0.0_amd64.deb 
16 2 Peter
17
h2. RFID Reader Hardware
18
19 11 Karsten
The provided tools were tested for the ACS122u NFC reader alias "touchatag". The tools should also work with any other reader supported by libnfc.
20 1 Peter
21 11 Karsten
Where to buy a reader?
22 2 Peter
23 11 Karsten
h3. ACS122u "touchatag"
24 1 Peter
25 11 Karsten
*HURRY!* The "touchatag" reader can be purchased with the touchatag project for €19,99 until *31.12.2012*. Afterwards it will be more difficult (and possibly more expansive) to get a decent NFC reader to use with the current open source RFID tools.
26 1 Peter
http://store.touchatag.com/acatalog/touchatag_starter_pack.html
27
28 11 Karsten
h3. Other libnfc Readers
29 2 Peter
30 11 Karsten
In general all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by your tools. Readers are not always cheap and easy to find. Probably the best way is to check ebay or alibaba.
31 1 Peter
32 11 Karsten
h3. Proxmark
33
34
The Proxmark reader can be freely programmed to read and emulate 13,56 MHz and 125 kHz tags. It is the most flexible reader device but also the hardest to program and use.
35
36
Shops that ship Proxmark are listed here: http://www.proxmark.org/order
37
38 2 Peter
h2. Tools
39
40 11 Karsten
*NOTICE*: These tools are *not* running inside virtual machines as far as we know. There are USB timing problems communicating with the reader. 
41 2 Peter
42 11 Karsten
h3. RFID Tools as .deb
43
44 1 Peter
* binary .deb Package for Ubuntu x64 *only*
45 2 Peter
* containing mfok, fcuk and RFIDLab
46
* download attachment:rfid-tools_1.0.0_amd64.deb 
47
* install prequesists:
48
<pre> sudo apt-get install pcscd</pre>
49
* edit /etc/libccid_Info.plist
50
<pre><key>ifdDriverOptions</key>
51 4 Peter
<string>0x0004</string></pre>
52 2 Peter
* install:
53
<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>
54
55 11 Karsten
h3. Bootable USB-Stick image
56
57 2 Peter
* bootable Debian USB-Stick image file
58
* containing mfoc, fcuk, RFIDLab and the cyberflex-shell
59
* download attachment:rfid_tool_usb_stick.img
60
* write to USB-Stick:
61
<pre> sudo dd if=rfid-tools_usb.img of=/dev/sdX bs=4096 count=262144 </pre>
62
* user: root pw: toor
63
64 11 Karsten
h2. Tutorials
65 2 Peter
66
h3. Key Recovery on Mifare Classic
67
68
The short summary is:
69
Mifare Classic 1k card is organized in 16(0 until 15) sectors with 4(0 until 3) Blocks each with 16 bytes each.
70
Every 4th Block contains Keys A and B and accessbits, which set the rights to access the according sector.
71
72
*mfcuk*
73
74
* Can be used if all keys on a Card have been set to non default keys
75
* Takes ~20 min to recover one key
76
* Recover a key of a single sector an write it to a keyfile:
77 12 Peter
<pre>mfcuk -C -v 1 -R 0:A</pre>
78 2 Peter
This will recover the key of the first sector(A), which can now be used to recover all keys with mfoc
79
80
*mfoc*
81
82
* Can be used if at least one key on the Card is a default key and dump the cards content:
83
<pre>mfoc -O out.mfd</pre>
84
* or if one key already have been recovered with mfcuk
85 12 Peter
<pre>mfoc -O out.mfd -K [KEY]</pre>
86 2 Peter
87
h3. Editing Mifare Classic Cards
88
89
*RFIDLab*
90
91
* Get the current dump as *.mfd file
92
* Dump the card you want to edit.
93
* Use mfoc or, if the card doesn't use any default keys use mfcuk.
94
95
*Editing and writing back to the card*
96
97
Start by using RFID-LABS with: <pre>rl</pre>
98
You can always see the menu again with <pre>?</pre>
99
Enter mifare classic terminal: <pre>c</pre>
100
Maybe you have to adjust the size of the console to see the entire menu.
101
Import the dumped card <pre>n</pre>. Use the *.mdf fiel you made in Step 1.
102
Look whether you have the rights, to write onto the blocks, you want to change <pre>L</pre> then <pre>Y</pre>
103
If you have the rights good, if not look in the table, whether you have the rights to change the accesbits.
104
If you have the rights to change the accessbits, do it with <pre>I</pre>
105
If you don't  have the rights to change the accessbits and can't write values to the desired block you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of Sector 0 Block 0.
106
Now that you have the rights to write to the block start editing the values on the card.
107
Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish.
108
Edit the values with the commands shown, if you make a mistake you can always recover the buffer, before you save.
109
Afterwards don't forget to save with <pre>S</pre>, before you leave with <pre>X</pre>
110
Then write the buffer content to the card with <pre>H</pre>
111
You can verify your work with <V>, note that Blocks with keys are often falsfully recognized as wrong because keys can
112
't always be read. So just look for your block.
113
If necessary for your application, you now have to change the accesbits back to normal.
114
115
Done!
116
117
Complete card modifications can either be made step by step with the above method or by using a common hexeditor to change all values in your dump to the desired ones (maybe values from a dump from a card you want to clone), before importing it into rfid-lab. But be careful not to overwrite the key and accessbits block, because rfid-lab needs real ones for accessing the card.
118
119
You also have the option to use a changeable-uid-mifare card. These are counterfied mifare-cards which are available on the chinese market. The changeable-uid function originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing mifare card. 
120
121
*Changing the UID*
122
123
The UID is stored in sector 0, block 0 right at the beginning but it is a non writeable section. This is also the same with the chinese mifare card so special commands are required. Fortunately this is all mainline and when you have a properly installed libnfc on your computer you already have all the necessary tools installed.
124
125
First look up the original card:
126
127
<pre>
128
$ nfc-list
129
nfc-list uses libnfc 1.5.1 (r1175)
130
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
131
1 ISO14443A passive target(s) found:
132
    ATQA (SENS_RES): 00  04  
133
       UID (NFCID1): de  ad  be  ef  
134
      SAK (SEL_RES): 08  
135
</pre>
136
137
Then lay down the chinese card and to this:
138
139
<pre>
140
$ nfc-mfsetuid deadbeef
141
</pre>
142
143
144
And now the uid should be changed:
145
146
<pre>
147
$ nfc-list
148
nfc-list uses libnfc 1.5.1 (r1175)
149
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
150
1 ISO14443A passive target(s) found:
151
    ATQA (SENS_RES): 00  04  
152
       UID (NFCID1): de  ad  be  ef  
153
      SAK (SEL_RES): 08  
154
</pre>
155
156
h3. Reading Passports
157
158
*cyberflex-shell*
159
160
The cyberflex-shell is only available on USB-Stick Package or from "github":https://github.com/henryk/cyberflex-shell
161
162
* Start X
163
<pre> startx </pre>
164
165
* Open xterm an start the passport reader application
166
<pre> cd cyberflex-shell
167
 ./readpass -i -r 1</pre>
168
169
* Type the second line of the MTR into the correspondent form an click "open"
170
171
h2. Licenses and Credits
172
173
*mfoc*
174
mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc
175
176
*mfcuk*
177
mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/
178
179
*RFIDLab*
180
RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab
181
182
*cyberflex-shell*
183
cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell