Wiki » History » Version 12

Peter, 12/29/2012 07:03 PM

h1. Open Source RFID Tool Collection

*Welcome to the RFID Tools Project*

This site aims to provide a compilation of open source RFID tools in "ready to use" software packages.

{{toc}}

*Downloads*

USB-Stick Image
attachment:rfid_tool_usb_stick.img

Ubuntu .deb for x64
attachment:rfid-tools_1.0.0_amd64.deb

h2. RFID Reader Hardware

The provided tools were tested with the ACR122U NFC reader, alias "touchatag". The tools should also work with any other reader supported by libnfc.

Where to buy a reader?

h3. ACR122U "touchatag"

*HURRY!* The "touchatag" reader can be purchased from the touchatag project for €19,99 until *31.12.2012*. Afterwards it will be more difficult (and possibly more expensive) to get a decent NFC reader to use with the current open source RFID tools.

http://store.touchatag.com/acatalog/touchatag_starter_pack.html

h3. Other libnfc Readers

In general, all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by these tools. Readers are not always cheap and easy to find; probably the best way is to check eBay or Alibaba.

h3. Proxmark

The Proxmark reader can be freely programmed to read and emulate 13,56 MHz and 125 kHz tags. It is the most flexible reader device but also the hardest to program and use.

Shops that ship Proxmark are listed here: http://www.proxmark.org/order

h2. Tools

*NOTICE*: As far as we know, these tools do *not* work inside virtual machines, because of USB timing problems when communicating with the reader.

h3. RFID Tools as .deb

* binary .deb package for Ubuntu x64 *only*
* containing mfoc, mfcuk and RFIDLab
* download attachment:rfid-tools_1.0.0_amd64.deb
* install prerequisites:
<pre> sudo apt-get install pcscd</pre>
* edit /etc/libccid_Info.plist:
<pre><key>ifdDriverOptions</key>
<string>0x0004</string></pre>
* install:
<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>

h3. Bootable USB-Stick image

* bootable Debian USB-Stick image file
* containing mfoc, mfcuk, RFIDLab and the cyberflex-shell
* download attachment:rfid_tool_usb_stick.img
* write to USB-Stick (replace /dev/sdX with the device of your stick; everything on it is overwritten):
<pre> sudo dd if=rfid_tool_usb_stick.img of=/dev/sdX bs=4096 count=262144 </pre>
* user: root, password: toor

h2. Tutorials

h3. Key Recovery on Mifare Classic

The short summary is:
A Mifare Classic 1K card is organized in 16 sectors (0 to 15) of 4 blocks (0 to 3) each, with 16 bytes per block.
Every 4th block (the sector trailer) contains keys A and B and the access bits, which set the rights to access the corresponding sector.

*mfcuk*

* Can be used if all keys on a card have been set to non-default keys
* Takes ~20 min to recover one key
* Recover a key of a single sector and write it to a keyfile:
<pre>mfcuk -C -v 1 -R 0:A</pre>
This will recover key A of the first sector, which can now be used to recover all keys with mfoc.

*mfoc*

* Can be used if at least one key on the card is a default key; dumps the card's content:
<pre>mfoc -O out.mfd</pre>
* or if one key has already been recovered with mfcuk:
<pre>mfoc -O out.mfd -K [KEY]</pre>

h3. Editing Mifare Classic Cards

*RFIDLab*

* Get the current dump as *.mfd file
* Dump the card you want to edit.
* Use mfoc or, if the card doesn't use any default keys, mfcuk.

*Editing and writing back to the card*

Start RFIDLab with: <pre>rl</pre>
You can always see the menu again with <pre>?</pre>
Enter the Mifare Classic terminal: <pre>c</pre>
You may have to adjust the size of the console to see the entire menu.
Import the dumped card with <pre>n</pre>. Use the *.mfd file you made in step 1.
Check whether you have the rights to write to the blocks you want to change: <pre>L</pre> then <pre>Y</pre>
If you have the rights, good; if not, check in the table whether you have the rights to change the access bits.
If you have the rights to change the access bits, do it with <pre>I</pre>
If you don't have the rights to change the access bits and can't write values to the desired block, you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of sector 0, block 0.
Now that you have the rights to write to the block, start editing the values on the card.
Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish.
Edit the values with the commands shown; if you make a mistake you can always restore the buffer before you save.
Afterwards don't forget to save with <pre>S</pre> before you leave with <pre>X</pre>
Then write the buffer content to the card with <pre>H</pre>
You can verify your work with <pre>V</pre>. Note that blocks with keys are often falsely recognized as wrong because keys can't always be read, so just look at your block.
If necessary for your application, you now have to change the access bits back to normal.

Done!
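Added example, not part of this wiki nor code from RFIDLab or mfoc: it makes the sector layout from the key-recovery summary and the "do I have the rights" check in the RFIDLab steps concrete by parsing a Mifare Classic 1K dump in the raw layout mfoc writes, validating the access-bit redundancy of every sector trailer, flagging sectors that still use well-known default keys and reporting which key may write each block. The dump it reads is constructed inside the script, not taken from a real card.

```python
# Added example, not code from this wiki or from RFIDLab/mfoc. A raw 1K dump
# (.mfd) is 16 sectors x 4 blocks x 16 bytes; block 3 of each sector is the
# trailer "key A | access bits | user byte | key B". Each C1/C2/C3 access bit
# is stored once plain and once inverted, which gives a cheap sanity check.

# Well-known transport/default keys; a sector still using one is "open".
DEFAULT_KEYS = {bytes.fromhex(k) for k in ("ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7")}
# Write permission of a data block per (C1, C2, C3), per the MF1S50 datasheet.
DATA_WRITE = {(0, 0, 0): "A|B", (0, 1, 0): "never", (1, 0, 0): "B", (1, 1, 0): "B",
              (0, 0, 1): "never", (0, 1, 1): "B", (1, 0, 1): "never", (1, 1, 1): "never"}
# Which key may rewrite the access bits (C1, C2, C3 of the trailer block).
ACCESSBITS_WRITE = {(0, 0, 1): "A", (0, 1, 1): "B", (1, 0, 1): "B"}  # all others: never

def decode_access_bits(b6, b7, b8):
    """Return [(C1, C2, C3) for blocks 0..3]; raise if the inverted copies disagree."""
    inv_c2, inv_c1 = b6 >> 4, b6 & 0xF
    c1, inv_c3 = b7 >> 4, b7 & 0xF
    c3, c2 = b8 >> 4, b8 & 0xF
    if inv_c1 != c1 ^ 0xF or inv_c2 != c2 ^ 0xF or inv_c3 != c3 ^ 0xF:
        raise ValueError("corrupt access bits %02x %02x %02x" % (b6, b7, b8))
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def audit_dump(dump):
    """One dict per sector: default-key flags and decoded write permissions."""
    if len(dump) != 1024:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    report = []
    for s in range(16):
        trailer = dump[s * 64 + 48:s * 64 + 64]
        key_a, acc, key_b = trailer[:6], trailer[6:9], trailer[10:16]
        bits = decode_access_bits(*acc)
        report.append({
            "sector": s,
            "key_a_default": key_a in DEFAULT_KEYS,
            "key_b_default": key_b in DEFAULT_KEYS,
            "data_write": [DATA_WRITE[bits[b]] for b in range(3)],
            "accessbits_write": ACCESSBITS_WRITE.get(bits[3], "never"),
        })
    return report

def sample_dump():
    """Constructed dump: transport configuration (FF 07 80 69, default keys)
    everywhere except sector 5, which is locked down with 78 77 88 and own keys."""
    transport = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    locked = bytes.fromhex("a1b2c3d4e5f6" "78778869" "f6e5d4c3b2a1")
    blocks = []
    for s in range(16):
        blocks += [bytes(16)] * 3 + [locked if s == 5 else transport]
    return b"".join(blocks)
```

Run `audit_dump(open("out.mfd", "rb").read())` on a real mfoc dump to get the same report for your own card; a sector whose trailer reports "never" for the access bits cannot be reopened with RFIDLab's <pre>I</pre> command.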

Complete card modifications can either be made step by step with the above method or by using a common hex editor to change all values in your dump to the desired ones (maybe values from a dump of a card you want to clone) before importing it into RFIDLab. But be careful not to overwrite the key and access-bits block, because RFIDLab needs real ones for accessing the card.

You also have the option to use a changeable-UID Mifare card. These are counterfeit Mifare cards which are available on the Chinese market. The changeable-UID function was originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing Mifare card.

*Changing the UID*

The UID is stored in sector 0, block 0, right at the beginning, but it is a non-writable section. This is also the case with the Chinese Mifare card, so special commands are required. Fortunately this is all in mainline libnfc, and when you have a properly installed libnfc on your computer you already have all the necessary tools installed.

First look up the original card:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  
</pre>

Then lay down the Chinese card and do this:

<pre>
$ nfc-mfsetuid deadbeef
</pre>

Now the UID should be changed:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  
</pre>

h3. Reading Passports

*cyberflex-shell*

The cyberflex-shell is only available in the USB-Stick package or from "github":https://github.com/henryk/cyberflex-shell

* Start X
<pre> startx </pre>

* Open an xterm and start the passport reader application
<pre> cd cyberflex-shell
 ./readpass -i -r 1</pre>

* Type the second line of the MRZ into the corresponding form and click "open"

h2. Licenses and Credits

*mfoc*
mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc

*mfcuk*
mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/

*RFIDLab*
RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab

*cyberflex-shell*
cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell