RFID Tools Collection

h1. RFID Tools

*Welcome to the RFID Tools Project*

We want to provide a compilation of OpenSource RFID Tools in a "ready to use" state. To make it as easy as possible for you to start "hacking" RFID we decided to provide some Software packages.

*Downloads*

attachment:rfid-tools_1.0.0_amd64.deb 

attachment:rfid_tool_usb_stick.img

{{toc}}

h2. RFID Reader Hardware

The Tools provided are tested for the ACS122u NFC Reader alias "touchatag". But the are supposed to work with any reader supported by libnfc.

h3. Where to buy a reader?

*ACS122u "touchatag"*

* *HURRY!* The "touchatag" reader can be purchased with the touchatag project for €19,99 till *31.12.2012*. Afterwards it will be more difficult and much more expansive to get a decent NFC reader to use with this tools.

http://store.touchatag.com/acatalog/touchatag_starter_pack.html

*Proxmark*

* Shops that ship Proxmark are listed here: http://www.proxmark.org/order

*Other Readers*

* In general all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by your tools. Readers are not always cheap and easy to find. Probably the best way is to check ebay or alibaba.

h2. Tools

*NOTICE*: These tools are *not* running in a Virtual Machine as far as we know. There are timing problems communicating with the reader. 

*RFID Tools as .deb*

* binary .deb Package for Ubuntu x64 *only*

* containing mfok, fcuk and RFIDLab

* download attachment:rfid-tools_1.0.0_amd64.deb 

* install prequesists:

<pre> sudo apt-get install pcscd</pre>

* edit /etc/libccid_Info.plist

<pre><key>ifdDriverOptions</key>

<string>0x0004</string></pre>

* install:

<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>

*Bootable USB-Stick image*

* bootable Debian USB-Stick image file

* containing mfoc, fcuk, RFIDLab and the cyberflex-shell

* download attachment:rfid_tool_usb_stick.img

* write to USB-Stick:

<pre> sudo dd if=rfid-tools_usb.img of=/dev/sdX bs=4096 count=262144 </pre>

* user: root pw: toor

h2. Howto

These are some small Tutorials that show you how to

* Recover Keys on Micfare Classic

* Editing Mifare Classic Cards

* Change UIDS on Mifare Classic Crads

* Read (german) Passports

h3. Key Recovery on Mifare Classic

The short summary is:

Mifare Classic 1k card is organized in 16(0 until 15) sectors with 4(0 until 3) Blocks each with 16 bytes each.

Every 4th Block contains Keys A and B and accessbits, which set the rights to access the according sector.

*mfcuk*

* Can be used if all keys on a Card have been set to non default keys

* Takes ~20 min to recover one key

* Recover a key of a single sector an write it to a keyfile:

<pre>mfcuk -C -v 1 -R 0:A -k keys.mfcuk</pre>

This will recover the key of the first sector(A), which can now be used to recover all keys with mfoc

*mfoc*

* Can be used if at least one key on the Card is a default key and dump the cards content:

<pre>mfoc -O out.mfd</pre>

* or if one key already have been recovered with mfcuk

<pre>mfoc -O out.mfd -K keys.mfcuk</pre>

h3. Editing Mifare Classic Cards

*RFIDLab*

* Get the current dump as *.mfd file

* Dump the card you want to edit.

* Use mfoc or, if the card doesn't use any default keys use mfcuk.

*Editing and writing back to the card*

Start by using RFID-LABS with: <pre>rl</pre>

You can always see the menu again with <pre>?</pre>

Enter mifare classic terminal: <pre>c</pre>

Maybe you have to adjust the size of the console to see the entire menu.

Import the dumped card <pre>n</pre>. Use the *.mdf fiel you made in Step 1.

Look whether you have the rights, to write onto the blocks, you want to change <pre>L</pre> then <pre>Y</pre>

If you have the rights good, if not look in the table, whether you have the rights to change the accesbits.

If you have the rights to change the accessbits, do it with <pre>I</pre>

If you don't  have the rights to change the accessbits and can't write values to the desired block you can't change the value on that card. You may need a new empty or old card for your project. You can never edit the values of Sector 0 Block 0.

Now that you have the rights to write to the block start editing the values on the card.

Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish.

Edit the values with the commands shown, if you make a mistake you can always recover the buffer, before you save.

Afterwards don't forget to save with <pre>S</pre>, before you leave with <pre>X</pre>

Then write the buffer content to the card with <pre>H</pre>

You can verify your work with <V>, note that Blocks with keys are often falsfully recognized as wrong because keys can

't always be read. So just look for your block.

If necessary for your application, you now have to change the accesbits back to normal.

Done!

Complete card modifications can either be made step by step with the above method or by using a common hexeditor to change all values in your dump to the desired ones (maybe values from a dump from a card you want to clone), before importing it into rfid-lab. But be careful not to overwrite the key and accessbits block, because rfid-lab needs real ones for accessing the card.

You also have the option to use a changeable-uid-mifare card. These are counterfied mifare-cards which are available on the chinese market. The changeable-uid function originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing mifare card. 

*Changing the UID*

The UID is stored in sector 0, block 0 right at the beginning but it is a non writeable section. This is also the same with the chinese mifare card so special commands are required. Fortunately this is all mainline and when you have a properly installed libnfc on your computer you already have all the necessary tools installed.

First look up the original card:

<pre>

$ nfc-list

nfc-list uses libnfc 1.5.1 (r1175)

Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)

1 ISO14443A passive target(s) found:

    ATQA (SENS_RES): 00  04  

       UID (NFCID1): de  ad  be  ef  

      SAK (SEL_RES): 08  

</pre>

Then lay down the chinese card and to this:

<pre>

$ nfc-mfsetuid deadbeef

</pre>

And now the uid should be changed:

<pre>

$ nfc-list

nfc-list uses libnfc 1.5.1 (r1175)

Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)

1 ISO14443A passive target(s) found:

    ATQA (SENS_RES): 00  04  

       UID (NFCID1): de  ad  be  ef  

      SAK (SEL_RES): 08  

</pre>

h3. Reading Passports

*cyberflex-shell*

The cyberflex-shell is only available on USB-Stick Package or from "github":https://github.com/henryk/cyberflex-shell

* Start X

<pre> startx </pre>

* Open xterm an start the passport reader application

<pre> cd cyberflex-shell

 ./readpass -i -r 1</pre>

* Type the second line of the MTR into the correspondent form an click "open"

h2. Licenses and Credits

*mfoc*

mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc

*mfcuk*

mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/

*RFIDLab*

RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab

*cyberflex-shell*

cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell