Project

General

Profile

Wiki » History » Version 5

Peter, 12/27/2012 02:49 PM

1 2 Peter
h1. RFID Tools
2
3
*Welcome to the RFID Tools Project*
4
5
We want to provide a compilation of OpenSource RFID Tools in a "ready to use" state. To make it as easy as possible for you to start "hacking" RFID we decided to provide some Software packages.
6
7
{{toc}}
8
9
h2. RFID Reader Hardware
10
11
The Tools provided are tested for the ACS122u NFC Reader alias "touchatag". But the are supposed to work with any reader supported by libnfc.
12
13
h3. Where to buy a reader?
14
15
16
*ACS122u "touchatag"*
17
* *HURRY!* The "touchatag" reader can be purchased with the touchatag project for €19,99 till *31.12.2012*. Afterwards it will be more difficult and much more expansive to get a decent NFC reader to use with this tools.
18
http://store.touchatag.com/acatalog/touchatag_starter_pack.html
19
20
*Proxmark*
21
* Shops that ship Proxmark are listed here: http://www.proxmark.org/order
22
23
*Other Readers*
24
* In general all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by your tools. Readers are not always cheap and easy to find. Probably the best way is to check ebay or alibaba.
25
26
h2. Tools
27
28
*NOTICE*: These tools are *not* running in a Virtual Machine as far as we know. There are timing problems communicating with the reader. 
29
30
*RFID Tools as .deb*
31
* binary .deb Package for Ubuntu x64 *only*
32
* containing mfok, fcuk and RFIDLab
33 5 Peter
* download attachment:rfid-tools_1.0.0_amd64.deb 
34 2 Peter
* install prequesists:
35
<pre> sudo apt-get install pcscd</pre>
36
* edit /etc/libccid_Info.plist
37
<pre><key>ifdDriverOptions</key>
38
<string>0x0004</string></pre>
39
* install:
40
<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>
41
42
*Bootable USB-Stick image*
43
* bootable Debian USB-Stick image file
44
* containing mfoc, fcuk, RFIDLab and the cyberflex-shell
45 4 Peter
* download attachment:rfid_tool_usb_stick.img
46 2 Peter
* write to USB-Stick:
47
<pre> sudo dd if=rfid-tools_usb.img of=/dev/sdX bs=4096 count=262144 </pre>
48
* user: root pw: toor
49
50
h2. Howto
51
52
These are some small Tutorials that show you how to
53
54
* Recover Keys on Micfare Classic
55
* Editing Mifare Classic Cards
56
* Change UIDS on Mifare Classic Crads
57
* Read (german) Passports
58
59
60
h3. Key Recovery on Mifare Classic
61
62
The short summary is:
63
Mifare Classic 1k card is organized in 16(0 until 15) sectors with 4(0 until 3) Blocks each with 16 bytes each.
64
Every 4th Block contains Keys A and B and accessbits, which set the rights to access the according sector.
65
66
*mfcuk*
67
68
* Can be used if all keys on a Card have been set to non default keys
69
* Takes ~20 min to recover one key
70
* Recover a key of a single sector an write it to a keyfile:
71
<pre>mfcuk -C -v 1 -R 0:A -k keys.mfcuk</pre>
72
This will recover the key of the first sector(A), which can now be used to recover all keys with mfoc
73
74
*mfoc*
75
76
* Can be used if at least one key on the Card is a default key and dump the cards content:
77
<pre>mfoc -O out.mfd</pre>
78
* or if one key already have been recovered with mfcuk
79
<pre>mfoc -O out.mfd -K keys.mfcuk</pre>
80
81
h3. Editing Mifare Classic Cards
82
83
*RFIDLab*
84
85
* Get the current dump as *.mfd file
86
* Dump the card you want to edit.
87
* Use mfoc or, if the card doesn't use any default keys use mfcuk.
88
89
*Editing and writing back to the card*
90
91
Start by using RFID-LABS with: <pre>rl</pre>
92
You can always see the menu again with <pre>?</pre>
93
Enter mifare classic terminal: <pre>c</pre>
94
Maybe you have to adjust the size of the console to see the entire menu.
95
Import the dumped card <pre>n</pre>. Use the *.mdf fiel you made in Step 1.
96
Look whether you have the rights, to write onto the blocks, you want to change <pre>L</pre> then <pre>Y</pre>
97
If you have the rights good, if not look in the table, whether you have the rights to change the accesbits.
98
If you have the rights to change the accessbits, do it with <pre>I</pre>
99
If you don't  have the rights to change the accessbits and can't write values to the desired block you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of Sector 0 Block 0.
100
Now that you have the rights to write to the block start editing the values on the card.
101
Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish.
102
Edit the values with the commands shown, if you make a mistake you can always recover the buffer, before you save.
103
Afterwards don't forget to save with <pre>S</pre>, before you leave with <pre>X</pre>
104
Then write the buffer content to the card with <pre>H</pre>
105
You can verify your work with <V>, note that Blocks with keys are often falsfully recognized as wrong because keys can
106
't always be read. So just look for your block.
107
If necessary for your application, you now have to change the accesbits back to normal.
108
109
Done!
110
111
Complete card modifications can either be made step by step with the above method or by using a common hexeditor to change all values in your dump to the desired ones (maybe values from a dump from a card you want to clone), before importing it into rfid-lab. But be careful not to overwrite the key and accessbits block, because rfid-lab needs real ones for accessing the card.
112
113
You also have the option to use a changeable-uid-mifare card. These are counterfied mifare-cards which are available on the chinese market. The changeable-uid function originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing mifare card. 
114
115
*Changing the UID*
116
117
The UID is stored in sector 0, block 0 right at the beginning but it is a non writeable section. This is also the same with the chinese mifare card so special commands are required. Fortunately this is all mainline and when you have a properly installed libnfc on your computer you already have all the necessary tools installed.
118
119
First look up the original card:
120
121
<pre>
122
$ nfc-list
123
nfc-list uses libnfc 1.5.1 (r1175)
124
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
125
1 ISO14443A passive target(s) found:
126
    ATQA (SENS_RES): 00  04  
127
       UID (NFCID1): de  ad  be  ef  
128
      SAK (SEL_RES): 08  
129
</pre>
130
131
Then lay down the chinese card and to this:
132
133
<pre>
134
$ nfc-mfsetuid deadbeef
135
</pre>
136
137
138
And now the uid should be changed:
139
140
<pre>
141
$ nfc-list
142
nfc-list uses libnfc 1.5.1 (r1175)
143
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
144
1 ISO14443A passive target(s) found:
145
    ATQA (SENS_RES): 00  04  
146
       UID (NFCID1): de  ad  be  ef  
147
      SAK (SEL_RES): 08  
148
</pre>
149
150
h3. Reading Passports
151
152
*cyberflex-shell*
153
154
The cyberflex-shell is only available on USB-Stick Package or from "github":https://github.com/henryk/cyberflex-shell
155
156
* Start X
157
<pre> startx </pre>
158
159
* Open xterm an start the passport reader application
160
<pre> cd cyberflex-shell
161
 ./readpass -i -r 1</pre>
162
163
* Type the second line of the MTR into the correspondent form an click "open"
164
165
h2. Licenses and Credits
166
167
*mfoc*
168
mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc
169
170
*mfcuk*
171
mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/
172
173
*RFIDLab*
174
RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab
175
176
*cyberflex-shell*
177
cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell