Wiki » History » Version 3
Peter, 12/27/2012 02:48 PM
1 | 2 | Peter | h1. RFID Tools |
---|---|---|---|
2 | |||
3 | *Welcome to the RFID Tools Project* |
||
4 | |||
5 | We want to provide a compilation of OpenSource RFID Tools in a "ready to use" state. To make it as easy as possible for you to start "hacking" RFID we decided to provide some Software packages. |
||
6 | |||
7 | {{toc}} |
||
8 | |||
9 | h2. RFID Reader Hardware |
||
10 | |||
11 | The Tools provided are tested for the ACS122u NFC Reader alias "touchatag". But the are supposed to work with any reader supported by libnfc. |
||
12 | |||
13 | h3. Where to buy a reader? |
||
14 | |||
15 | |||
16 | *ACS122u "touchatag"* |
||
17 | * *HURRY!* The "touchatag" reader can be purchased with the touchatag project for €19,99 till *31.12.2012*. Afterwards it will be more difficult and much more expansive to get a decent NFC reader to use with this tools. |
||
18 | http://store.touchatag.com/acatalog/touchatag_starter_pack.html |
||
19 | |||
20 | *Proxmark* |
||
21 | * Shops that ship Proxmark are listed here: http://www.proxmark.org/order |
||
22 | |||
23 | *Other Readers* |
||
24 | * In general all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by your tools. Readers are not always cheap and easy to find. Probably the best way is to check ebay or alibaba. |
||
25 | |||
26 | h2. Tools |
||
27 | |||
28 | *NOTICE*: These tools are *not* running in a Virtual Machine as far as we know. There are timing problems communicating with the reader. |
||
29 | |||
30 | *RFID Tools as .deb* |
||
31 | * binary .deb Package for Ubuntu x64 *only* |
||
32 | * containing mfok, fcuk and RFIDLab |
||
33 | * download |
||
34 | * install prequesists: |
||
35 | <pre> sudo apt-get install pcscd</pre> |
||
36 | * edit /etc/libccid_Info.plist |
||
37 | <pre><key>ifdDriverOptions</key> |
||
38 | <string>0x0004</string></pre> |
||
39 | * install: |
||
40 | <pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre> |
||
41 | |||
42 | *Bootable USB-Stick image* |
||
43 | * bootable Debian USB-Stick image file |
||
44 | * containing mfoc, fcuk, RFIDLab and the cyberflex-shell |
||
45 | 3 | Peter | * download attachment:rfid-tools_usb.img |
46 | 2 | Peter | * write to USB-Stick: |
47 | <pre> sudo dd if=rfid-tools_usb.img of=/dev/sdX bs=4096 count=262144 </pre> |
||
48 | * user: root pw: toor |
||
49 | |||
50 | h2. Howto |
||
51 | |||
52 | These are some small Tutorials that show you how to |
||
53 | |||
54 | * Recover Keys on Micfare Classic |
||
55 | * Editing Mifare Classic Cards |
||
56 | * Change UIDS on Mifare Classic Crads |
||
57 | * Read (german) Passports |
||
58 | |||
59 | |||
60 | h3. Key Recovery on Mifare Classic |
||
61 | |||
62 | The short summary is: |
||
63 | Mifare Classic 1k card is organized in 16(0 until 15) sectors with 4(0 until 3) Blocks each with 16 bytes each. |
||
64 | Every 4th Block contains Keys A and B and accessbits, which set the rights to access the according sector. |
||
65 | |||
66 | *mfcuk* |
||
67 | |||
68 | * Can be used if all keys on a Card have been set to non default keys |
||
69 | * Takes ~20 min to recover one key |
||
70 | * Recover a key of a single sector an write it to a keyfile: |
||
71 | <pre>mfcuk -C -v 1 -R 0:A -k keys.mfcuk</pre> |
||
72 | This will recover the key of the first sector(A), which can now be used to recover all keys with mfoc |
||
73 | |||
74 | *mfoc* |
||
75 | |||
76 | * Can be used if at least one key on the Card is a default key and dump the cards content: |
||
77 | <pre>mfoc -O out.mfd</pre> |
||
78 | * or if one key already have been recovered with mfcuk |
||
79 | <pre>mfoc -O out.mfd -K keys.mfcuk</pre> |
||
80 | |||
81 | h3. Editing Mifare Classic Cards |
||
82 | |||
83 | *RFIDLab* |
||
84 | |||
85 | * Get the current dump as *.mfd file |
||
86 | * Dump the card you want to edit. |
||
87 | * Use mfoc or, if the card doesn't use any default keys use mfcuk. |
||
88 | |||
89 | *Editing and writing back to the card* |
||
90 | |||
91 | Start by using RFID-LABS with: <pre>rl</pre> |
||
92 | You can always see the menu again with <pre>?</pre> |
||
93 | Enter mifare classic terminal: <pre>c</pre> |
||
94 | Maybe you have to adjust the size of the console to see the entire menu. |
||
95 | Import the dumped card <pre>n</pre>. Use the *.mdf fiel you made in Step 1. |
||
96 | Look whether you have the rights, to write onto the blocks, you want to change <pre>L</pre> then <pre>Y</pre> |
||
97 | If you have the rights good, if not look in the table, whether you have the rights to change the accesbits. |
||
98 | If you have the rights to change the accessbits, do it with <pre>I</pre> |
||
99 | If you don't have the rights to change the accessbits and can't write values to the desired block you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of Sector 0 Block 0. |
||
100 | Now that you have the rights to write to the block start editing the values on the card. |
||
101 | Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish. |
||
102 | Edit the values with the commands shown, if you make a mistake you can always recover the buffer, before you save. |
||
103 | Afterwards don't forget to save with <pre>S</pre>, before you leave with <pre>X</pre> |
||
104 | Then write the buffer content to the card with <pre>H</pre> |
||
105 | You can verify your work with <V>, note that Blocks with keys are often falsfully recognized as wrong because keys can |
||
106 | 't always be read. So just look for your block. |
||
107 | If necessary for your application, you now have to change the accesbits back to normal. |
||
108 | |||
109 | Done! |
||
110 | |||
111 | Complete card modifications can either be made step by step with the above method or by using a common hexeditor to change all values in your dump to the desired ones (maybe values from a dump from a card you want to clone), before importing it into rfid-lab. But be careful not to overwrite the key and accessbits block, because rfid-lab needs real ones for accessing the card. |
||
112 | |||
113 | You also have the option to use a changeable-uid-mifare card. These are counterfied mifare-cards which are available on the chinese market. The changeable-uid function originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing mifare card. |
||
114 | |||
115 | *Changing the UID* |
||
116 | |||
117 | The UID is stored in sector 0, block 0 right at the beginning but it is a non writeable section. This is also the same with the chinese mifare card so special commands are required. Fortunately this is all mainline and when you have a properly installed libnfc on your computer you already have all the necessary tools installed. |
||
118 | |||
119 | First look up the original card: |
||
120 | |||
121 | <pre> |
||
122 | $ nfc-list |
||
123 | nfc-list uses libnfc 1.5.1 (r1175) |
||
124 | Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07) |
||
125 | 1 ISO14443A passive target(s) found: |
||
126 | ATQA (SENS_RES): 00 04 |
||
127 | UID (NFCID1): de ad be ef |
||
128 | SAK (SEL_RES): 08 |
||
129 | </pre> |
||
130 | |||
131 | Then lay down the chinese card and to this: |
||
132 | |||
133 | <pre> |
||
134 | $ nfc-mfsetuid deadbeef |
||
135 | </pre> |
||
136 | |||
137 | |||
138 | And now the uid should be changed: |
||
139 | |||
140 | <pre> |
||
141 | $ nfc-list |
||
142 | nfc-list uses libnfc 1.5.1 (r1175) |
||
143 | Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07) |
||
144 | 1 ISO14443A passive target(s) found: |
||
145 | ATQA (SENS_RES): 00 04 |
||
146 | UID (NFCID1): de ad be ef |
||
147 | SAK (SEL_RES): 08 |
||
148 | </pre> |
||
149 | |||
150 | h3. Reading Passports |
||
151 | |||
152 | *cyberflex-shell* |
||
153 | |||
154 | The cyberflex-shell is only available on USB-Stick Package or from "github":https://github.com/henryk/cyberflex-shell |
||
155 | |||
156 | * Start X |
||
157 | <pre> startx </pre> |
||
158 | |||
159 | * Open xterm an start the passport reader application |
||
160 | <pre> cd cyberflex-shell |
||
161 | ./readpass -i -r 1</pre> |
||
162 | |||
163 | * Type the second line of the MTR into the correspondent form an click "open" |
||
164 | |||
165 | h2. Licenses and Credits |
||
166 | |||
167 | *mfoc* |
||
168 | mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc |
||
169 | |||
170 | *mfcuk* |
||
171 | mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/ |
||
172 | |||
173 | *RFIDLab* |
||
174 | RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab |
||
175 | |||
176 | *cyberflex-shell* |
||
177 | cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell |