Wiki » History » Version 3

Peter, 12/27/2012 02:48 PM

h1. RFID Tools

*Welcome to the RFID Tools Project*

We want to provide a compilation of open-source RFID tools in a "ready to use" state. To make it as easy as possible for you to start "hacking" RFID, we decided to provide some software packages.

{{toc}}

h2. RFID Reader Hardware

The tools provided are tested with the ACS122u NFC reader alias "touchatag", but they are supposed to work with any reader supported by libnfc.

h3. Where to buy a reader?

*ACS122u "touchatag"*

* *HURRY!* The "touchatag" reader can be purchased from the touchatag project for €19,99 until *31.12.2012*. Afterwards it will be more difficult and much more expensive to get a decent NFC reader to use with these tools.
http://store.touchatag.com/acatalog/touchatag_starter_pack.html

*Proxmark*

* Shops that ship the Proxmark are listed here: http://www.proxmark.org/order

*Other Readers*

* In general, all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by these tools. Readers are not always cheap and easy to find; probably the best way is to check ebay or alibaba.

h2. Tools

*NOTICE*: As far as we know, these tools do *not* run in a virtual machine; there are timing problems communicating with the reader.

*RFID Tools as .deb*

* binary .deb package for Ubuntu x64 *only*
* containing mfoc, mfcuk and RFIDLab
* download
* install prerequisites:
<pre> sudo apt-get install pcscd</pre>
* edit /etc/libccid_Info.plist
<pre><key>ifdDriverOptions</key>
<string>0x0004</string></pre>
* install:
<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>

*Bootable USB-Stick image*

* bootable Debian USB-Stick image file
* containing mfoc, mfcuk, RFIDLab and the cyberflex-shell
* download attachment:rfid-tools_usb.img
* write to the USB-Stick (/dev/sdX is the device of your stick):
<pre> sudo dd if=rfid-tools_usb.img of=/dev/sdX bs=4096 count=262144 </pre>
* user: root pw: toor

h2. Howto

These are some small tutorials that show you how to

* recover keys on Mifare Classic
* edit Mifare Classic cards
* change UIDs on Mifare Classic cards
* read (German) passports


h3. Key Recovery on Mifare Classic

The short summary is:
A Mifare Classic 1k card is organized in 16 sectors (0 to 15) with 4 blocks (0 to 3) of 16 bytes each.
The 4th block of every sector contains keys A and B and the access bits, which set the rights to access that sector.

*mfcuk*

* Can be used if all keys on a card have been set to non-default keys
* Takes ~20 min to recover one key
* Recover a key of a single sector and write it to a keyfile:
<pre>mfcuk -C -v 1 -R 0:A -k keys.mfcuk</pre>
This will recover key A of the first sector (sector 0), which can now be used to recover all keys with mfoc.

*mfoc*

* Can be used if at least one key on the card is a default key; dumps the card's content:
<pre>mfoc -O out.mfd</pre>
* or if one key has already been recovered with mfcuk:
<pre>mfoc -O out.mfd -K keys.mfcuk</pre>

h3. Editing Mifare Classic Cards

*RFIDLab*

* Get the current dump as a *.mfd file
* Dump the card you want to edit.
* Use mfoc or, if the card doesn't use any default keys, use mfcuk.

*Editing and writing back to the card*

Start RFIDLab with: <pre>rl</pre>
You can always see the menu again with <pre>?</pre>
Enter the Mifare Classic terminal: <pre>c</pre>
You may have to adjust the size of the console to see the entire menu.
Import the dumped card with <pre>n</pre>. Use the *.mfd file you made in step 1.
Check whether you have the rights to write to the blocks you want to change: <pre>L</pre> then <pre>Y</pre>
If you have the rights, good; if not, look in the table whether you have the rights to change the access bits.
If you have the rights to change the access bits, do it with <pre>I</pre>
If you don't have the rights to change the access bits and can't write values to the desired block, you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of sector 0 block 0.
Now that you have the rights to write to the block, start editing the values on the card.
Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish.
Edit the values with the commands shown; if you make a mistake you can always recover the buffer before you save.
Afterwards don't forget to save with <pre>S</pre> before you leave with <pre>X</pre>
Then write the buffer content to the card with <pre>H</pre>
You can verify your work with <pre>V</pre>; note that blocks with keys are often falsely recognized as wrong because keys can't always be read. So just look for your block.
If necessary for your application, you now have to change the access bits back to normal.

Done!

Complete card modifications can either be made step by step with the above method or by using a common hex editor to change all values in your dump to the desired ones (maybe values from a dump of a card you want to clone) before importing it into RFIDLab. But be careful not to overwrite the key and access bits block, because RFIDLab needs real ones for accessing the card.
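The sector layout described under "Key Recovery" and the warning above about the key and access bits block are easier to act on with a quick check of the dump. The following script is an added example (not part of this wiki page, RFIDLab or mfoc): it decodes the access bits of every sector trailer in a 1K .mfd dump, reports which key may write each data block and the access bits themselves, and flags trailers whose inverted bit copies disagree, since writing such a trailer back would lock the sector. The sample dump it builds is constructed for the demonstration.

```python
# Added example (not part of the wiki page, RFIDLab or mfoc): decode the access
# bits of each sector trailer in a Mifare Classic 1K dump (.mfd) and flag
# trailers whose inverted copies disagree, before the dump is written back.
SECTORS, BLOCKS, BSIZE = 16, 4, 16          # 1K layout: 16 sectors x 4 blocks x 16 bytes

# Who may write a data block / the access bits themselves, indexed by (C1, C2, C3).
DATA_WRITE = {(0, 0, 0): "key A|B", (0, 1, 0): "never", (1, 0, 0): "key B",
              (1, 1, 0): "key B", (0, 0, 1): "never", (0, 1, 1): "key B",
              (1, 0, 1): "never", (1, 1, 1): "never"}
ACL_WRITE = {(0, 0, 0): "never", (0, 1, 0): "never", (1, 0, 0): "never",
             (1, 1, 0): "never", (0, 0, 1): "key A", (0, 1, 1): "key B",
             (1, 0, 1): "key B", (1, 1, 1): "never"}

def decode_access_bits(b6, b7, b8):
    """Return [(C1, C2, C3) for block 0..3], or None if the stored copies disagree."""
    c1 = [(b7 >> (4 + i)) & 1 for i in range(4)]    # byte 7 high nibble
    c2 = [(b8 >> i) & 1 for i in range(4)]          # byte 8 low nibble
    c3 = [(b8 >> (4 + i)) & 1 for i in range(4)]    # byte 8 high nibble
    nc1 = [(b6 >> i) & 1 for i in range(4)]         # inverted copies: byte 6 low,
    nc2 = [(b6 >> (4 + i)) & 1 for i in range(4)]   # byte 6 high and
    nc3 = [(b7 >> i) & 1 for i in range(4)]         # byte 7 low nibble
    for i in range(4):                              # every bit is stored plain and inverted
        if nc1[i] == c1[i] or nc2[i] == c2[i] or nc3[i] == c3[i]:
            return None                             # corrupt trailer: writing it locks the sector
    return [(c1[i], c2[i], c3[i]) for i in range(4)]

def analyse_dump(dump):
    """Map sector -> write rights of its 3 data blocks and of its access bits."""
    if len(dump) != SECTORS * BLOCKS * BSIZE:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    report = {}
    for s in range(SECTORS):
        t = dump[(s * BLOCKS + 3) * BSIZE:(s * BLOCKS + 4) * BSIZE]   # sector trailer
        bits = decode_access_bits(t[6], t[7], t[8])
        report[s] = "CORRUPT" if bits is None else {
            "data_write": [DATA_WRITE[b] for b in bits[:3]], "acl_write": ACL_WRITE[bits[3]]}
    return report

def sample_dump():
    """Constructed 1K dump: transport config FF 07 80 everywhere, except sector 1
    (78 77 88: only key B may write) and sector 2 (FF 07 81: inconsistent copies)."""
    dump = bytearray(SECTORS * BLOCKS * BSIZE)
    for s in range(SECTORS):
        acl = {1: b"\x78\x77\x88", 2: b"\xff\x07\x81"}.get(s, b"\xff\x07\x80")
        start = (s * BLOCKS + 3) * BSIZE
        dump[start:start + BSIZE] = b"\xff" * 6 + acl + b"\x69" + b"\xff" * 6
    return bytes(dump)
```

Run it on a real dump with `analyse_dump(open("out.mfd", "rb").read())`; any sector reported as CORRUPT should be repaired in the hex editor before the dump is imported and written back.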

You also have the option to use a changeable-UID Mifare card. These are counterfeit Mifare cards which are available on the Chinese market. The changeable-UID function was originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing Mifare card.

*Changing the UID*

The UID is stored in sector 0, block 0 right at the beginning, but it is a non-writeable section. This is also the case with the Chinese Mifare card, so special commands are required. Fortunately this is all mainline, and when you have a properly installed libnfc on your computer you already have all the necessary tools installed.

First look up the original card:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  
</pre>

Then lay down the Chinese card and do this:

<pre>
$ nfc-mfsetuid deadbeef
</pre>

And now the UID should be changed:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  
</pre>

h3. Reading Passports

*cyberflex-shell*

The cyberflex-shell is only available in the USB-Stick package or from "github":https://github.com/henryk/cyberflex-shell

* Start X
<pre> startx </pre>

* Open an xterm and start the passport reader application
<pre> cd cyberflex-shell
 ./readpass -i -r 1</pre>

* Type the second line of the MRZ into the corresponding form and click "open"

h2. Licenses and Credits

*mfoc*
mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc

*mfcuk*
mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/

*RFIDLab*
RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab

*cyberflex-shell*
cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell