Wiki » History » Version 6

Peter, 12/27/2012 02:52 PM

h1. RFID Tools

*Welcome to the RFID Tools Project*

We want to provide a compilation of open-source RFID tools in a "ready to use" state. To make it as easy as possible for you to start "hacking" RFID, we provide two software packages: a .deb package and a bootable USB stick image.

*Downloads*

attachment:rfid-tools_1.0.0_amd64.deb 
attachment:rfid_tool_usb_stick.img

{{toc}}

h2. RFID Reader Hardware

The tools are tested with the ACS ACR122U NFC reader, also sold as the "touchatag" reader, but they are expected to work with any reader supported by libnfc.

h3. Where to buy a reader?

*ACS ACR122U "touchatag"*
* *HURRY!* The "touchatag" reader can be purchased from the touchatag store for €19,99 until *31.12.2012*. Afterwards it will be more difficult and much more expensive to get a decent NFC reader to use with these tools.
http://store.touchatag.com/acatalog/touchatag_starter_pack.html

*Proxmark*
* Shops that ship the Proxmark are listed here: http://www.proxmark.org/order

*Other Readers*
* In general, all readers supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by these tools. Readers are not always cheap or easy to find; the best way is probably to check eBay or Alibaba.

h2. Tools

*NOTICE*: As far as we know these tools do *not* work inside a virtual machine, because of timing problems in the communication with the reader.

*RFID Tools as .deb*
* binary .deb package for Ubuntu amd64 *only*
* containing mfoc, mfcuk and RFIDLab
* download attachment:rfid-tools_1.0.0_amd64.deb 
* install prerequisites:
<pre> sudo apt-get install pcscd</pre>
* edit /etc/libccid_Info.plist and set ifdDriverOptions to 0x0004 so that libnfc can talk to the ACR122U through pcscd:
<pre><key>ifdDriverOptions</key>
<string>0x0004</string></pre>
* restart pcscd afterwards so that the changed driver option is picked up
* install:
<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>

*Bootable USB-Stick image*
* bootable Debian USB-Stick image file
* containing mfoc, mfcuk, RFIDLab and the cyberflex-shell
* download attachment:rfid_tool_usb_stick.img
* write to USB-Stick (/dev/sdX is the whole stick, not a partition; check the device name with lsblk or dmesg first, because dd overwrites the target without asking):
<pre> sudo dd if=rfid_tool_usb_stick.img of=/dev/sdX bs=4096 count=262144
 sync </pre>
* user: root pw: toor

h2. Howto

These are some small tutorials that show you how to

* recover keys on Mifare Classic cards
* edit Mifare Classic cards
* change the UID of Mifare Classic cards
* read (German) passports


h3. Key Recovery on Mifare Classic

The short summary is:
A Mifare Classic 1K card is organized in 16 sectors (0 to 15) of 4 blocks (0 to 3) each, and every block holds 16 bytes.
The last block of every sector, the sector trailer, contains key A (bytes 0-5), the access bits (bytes 6-8, plus one free byte) and key B (bytes 10-15); the access bits define which key may read or write each block of that sector. Block 0 of sector 0 is the manufacturer block with the UID and is read-only on genuine cards.

*mfcuk*

* Can be used if all keys on a card have been set to non-default keys
* Takes ~20 min to recover one key
* Recover the key of a single sector and write it to a keyfile:
<pre>mfcuk -C -v 1 -R 0:A -k keys.mfcuk</pre>
This recovers key A of sector 0, which can then be used to recover all remaining keys with mfoc

*mfoc*

* Can be used if at least one key on the card is a default key; it recovers the remaining keys and dumps the card's content:
<pre>mfoc -O out.mfd</pre>
* or, if one key has already been recovered with mfcuk:
<pre>mfoc -O out.mfd -K keys.mfcuk</pre>

h3. Editing Mifare Classic Cards

*RFIDLab*

* Get the current content of the card as a *.mfd dump file
* Dump the card you want to edit.
* Use mfoc or, if the card doesn't use any default keys, mfcuk.

*Editing and writing back to the card*

Start RFIDLab with: <pre>rl</pre>
You can always see the menu again with <pre>?</pre>
Enter the Mifare Classic terminal: <pre>c</pre>
Maybe you have to adjust the size of the console to see the entire menu.
Import the dumped card with <pre>n</pre>. Use the *.mfd file you made in step 1.
Check whether you have the rights to write to the blocks you want to change: <pre>L</pre> then <pre>Y</pre>
If you have the rights, good; if not, look in the table whether you have the rights to change the access bits.
If you have the rights to change the access bits, do it with <pre>I</pre>
If you have neither the rights to change the access bits nor to write to the desired block, you cannot change the value on that card. You may need a new empty card or another old card for your project. You can never edit the values of sector 0, block 0.
Now that you have the rights to write to the block, start editing the values on the card.
Edit the values in the buffer content with <pre>E</pre> or <pre>B</pre> to the values you wish.
Edit the values with the commands shown; if you make a mistake you can always recover the buffer before you save.
Afterwards don't forget to save with <pre>S</pre> before you leave with <pre>X</pre>
Then write the buffer content to the card with <pre>H</pre>
You can verify your work with <pre>V</pre>. Note that blocks with keys are often falsely reported as wrong because keys can't always be read back (key A is never readable, key B only under some access conditions), so just check your own block.
If necessary for your application, you now have to change the access bits back to their original values.

Done!

Complete card modifications can either be made step by step with the above method or with a common hex editor, changing all values in your dump to the desired ones (maybe values from a dump of a card you want to clone) before importing it into RFIDLab. But be careful not to overwrite the key and access-bits blocks, because RFIDLab needs the real ones to authenticate to the card. Also make sure any access bits you edit keep their valid format (each bit is stored twice, once inverted): the card checks the format on every access and irreversibly blocks a sector whose access bits are malformed.
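
The sector layout from the key recovery section and the rights check from the walkthrough above can both be done offline on the .mfd dump. The following Python script is an added example, not code from the RFID Tools project, mfoc or RFIDLab: it decodes every sector trailer of a 1K dump, reports key A, key B and the decoded access bits, says which key may write each block and whether the access bits themselves can still be changed, and flags trailers whose inverted access-bit copies disagree. The dump it builds is constructed (UID de:ad:be:ef, transport keys except in sectors 1 and 2); on a real dump call `parse_mfd_1k(open("out.mfd", "rb").read())`.

```python
"""Decode the sector trailers of a Mifare Classic 1K dump (.mfd, 1024 bytes).

Added example, not code from the RFID Tools project, mfoc or RFIDLab: it parses
the layout described above (16 sectors x 4 blocks x 16 bytes, trailer = key A,
access bits, key B) and answers the question the RFIDLab walkthrough asks,
i.e. which key may write each block and whether the access bits themselves
can still be changed. The sample dump is constructed; only its layout is real.
"""

# Access conditions from the MF1S50 datasheet, indexed by (C1, C2, C3).
# Data blocks: which key may write the block.
DATA_WRITE = {
    (0, 0, 0): "key A|B", (0, 1, 0): "never", (1, 0, 0): "key B",
    (1, 1, 0): "key B",   (0, 0, 1): "never", (0, 1, 1): "key B",
    (1, 0, 1): "never",   (1, 1, 1): "never",
}
# Sector trailer: (who may write key A, the access bits, key B).
TRAILER_WRITE = {
    (0, 0, 0): ("key A", "never", "key A"),
    (0, 1, 0): ("never", "never", "never"),
    (1, 0, 0): ("key B", "never", "key B"),
    (1, 1, 0): ("never", "never", "never"),
    (0, 0, 1): ("key A", "key A", "key A"),
    (0, 1, 1): ("key B", "key B", "key B"),
    (1, 0, 1): ("never", "key B", "never"),
    (1, 1, 1): ("never", "never", "never"),
}


def decode_access_bits(b6, b7, b8):
    """Return ([(C1, C2, C3) for block 0..3], consistent).

    Bytes 6-8 of the trailer store every bit twice, once inverted. The card
    checks this format on each access and permanently blocks a sector whose
    two copies disagree, so the check is reported next to the decoded bits.
    """
    bits, consistent = [], True
    for blk in range(4):
        c1, c2, c3 = (b7 >> (4 + blk)) & 1, (b8 >> blk) & 1, (b8 >> (4 + blk)) & 1
        inverted = ((b6 >> blk) & 1, (b6 >> (4 + blk)) & 1, (b7 >> blk) & 1)
        if inverted != (1 - c1, 1 - c2, 1 - c3):
            consistent = False
        bits.append((c1, c2, c3))
    return bits, consistent


def parse_mfd_1k(dump):
    """Split a 1024-byte dump into sectors with keys and per-block write rights."""
    if len(dump) != 1024:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    sectors = []
    for s in range(16):
        trailer = dump[(s * 4 + 3) * 16:(s * 4 + 4) * 16]
        bits, ok = decode_access_bits(trailer[6], trailer[7], trailer[8])
        blocks = []
        for blk in range(4):
            n = s * 4 + blk
            if blk == 3:
                ka, ab, kb = TRAILER_WRITE[bits[3]]
                blocks.append({"block": n, "kind": "trailer", "key A write": ka,
                               "access bits write": ab, "key B write": kb})
            elif n == 0:
                # Manufacturer block (UID, BCC, SAK, ATQA): read-only on genuine cards.
                blocks.append({"block": 0, "kind": "manufacturer", "write": "never",
                               "uid": dump[0:4].hex()})
            else:
                blocks.append({"block": n, "kind": "data", "write": DATA_WRITE[bits[blk]]})
        sectors.append({"sector": s, "key_a": trailer[:6].hex(), "key_b": trailer[10:].hex(),
                        "access_bits": trailer[6:9].hex(), "consistent": ok, "blocks": blocks})
    return sectors


def build_sample_dump():
    """Constructed dump (not from a real card): UID de:ad:be:ef, transport
    configuration everywhere except sector 1 (custom keys, access bits 78 77 88,
    i.e. data writable with key B only) and sector 2, whose access bits are
    deliberately corrupted to show the consistency check."""
    uid = bytes.fromhex("deadbeef")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    transport = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    blocks = [uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)]
    for n in range(1, 64):
        if n % 4 != 3:
            blocks.append(bytes(16))
        elif n == 7:
            blocks.append(bytes.fromhex("a0a1a2a3a4a5" "78778869" "b0b1b2b3b4b5"))
        elif n == 11:
            blocks.append(bytes.fromhex("ffffffffffff" "ff070069" "ffffffffffff"))
        else:
            blocks.append(transport)
    return b"".join(blocks)


if __name__ == "__main__":
    for sec in parse_mfd_1k(build_sample_dump()):
        warn = "" if sec["consistent"] else "   <-- access bits inconsistent, do not write back"
        print(f"sector {sec['sector']:2d}  A={sec['key_a']}  B={sec['key_b']}  "
              f"acc={sec['access_bits']}{warn}")
        for b in sec["blocks"]:
            print("    ", b)
```

Run it on the dump before importing it into RFIDLab: a block whose write rule is "never" (with the trailer's access bits also "never") cannot be changed on that card whatever the hex editor shows, and a trailer reported as inconsistent must be fixed in the dump before the H command writes it, since a malformed access-bits triple is exactly what locks a sector for good.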

You also have the option to use a changeable-UID Mifare card. These are counterfeit Mifare cards available on the Chinese market. The changeable-UID function was originally intended for replacing cards in a legacy installation; we will use it to make an exact copy of an existing Mifare card.

*Changing the UID*

The UID is stored at the beginning of sector 0, block 0, which is a non-writable block. That is also the case on the Chinese cards, so special commands are required to change it. Fortunately support for them is in mainline libnfc: with a properly installed libnfc you already have the necessary tool, nfc-mfsetuid.

First look up the UID of the original card:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  
</pre>

Then put the Chinese card on the reader and write the UID to it:

<pre>
$ nfc-mfsetuid deadbeef
</pre>

Now the Chinese card should report the new UID:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04  
       UID (NFCID1): de  ad  be  ef  
      SAK (SEL_RES): 08  
</pre>
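
Comparing the two nfc-list runs by eye is error-prone, so here is an added example (not part of the RFID Tools project or of libnfc) in Python that automates the procedure: it reads the UID from nfc-list, refuses anything but a 4-byte Mifare Classic UID, writes it with nfc-mfsetuid and reads it back to confirm. It assumes nfc-list and nfc-mfsetuid are on PATH and print the format shown above; SAMPLE_NFC_LIST is a constructed copy of that transcript so the parser can be exercised without a reader.

```python
"""Copy a Mifare Classic UID onto a UID-changeable card and verify the result.

Added example, not code from the RFID Tools project or libnfc: it automates
the nfc-list / nfc-mfsetuid steps shown above. It assumes libnfc's nfc-list
and nfc-mfsetuid are on PATH and behave as in the transcript; SAMPLE_NFC_LIST
is a constructed copy of that transcript used only to test the parser offline.
"""
import re
import subprocess

SAMPLE_NFC_LIST = """\
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): de  ad  be  ef
      SAK (SEL_RES): 08
"""

# The UID line: "UID (NFCID1):" followed by space-separated hex byte pairs.
UID_RE = re.compile(r"UID \(NFCID1\):((?:\s+[0-9A-Fa-f]{2})+)")


def parse_uid(nfc_list_output):
    """Return the first UID in nfc-list output as lowercase hex without spaces,
    or None when no tag was found."""
    m = UID_RE.search(nfc_list_output)
    return "".join(m.group(1).split()).lower() if m else None


def is_classic_4byte_uid(uid):
    """nfc-mfsetuid rewrites the 4-byte UID in the manufacturer block of a
    Mifare Classic; refuse 7-byte UIDs (Ultralight, DESFire, newer Classic)
    instead of handing the tool a value it cannot write as-is."""
    return uid is not None and re.fullmatch(r"[0-9a-f]{8}", uid) is not None


def read_uid():
    """Run nfc-list and parse the UID of the card currently on the reader."""
    out = subprocess.run(["nfc-list"], capture_output=True, text=True, check=True).stdout
    return parse_uid(out)


def clone_uid():
    input("Place the ORIGINAL card on the reader and press Enter ")
    uid = read_uid()
    if not is_classic_4byte_uid(uid):
        raise SystemExit(f"no 4-byte Mifare Classic UID found (got {uid!r})")
    print("original UID:", uid)
    input("Place the UID-changeable card on the reader and press Enter ")
    subprocess.run(["nfc-mfsetuid", uid], check=True)
    got = read_uid()  # read back: the card must now report the copied UID
    if got != uid:
        raise SystemExit(f"verification failed: card reports {got!r}")
    print("UID", uid, "written and verified")


if __name__ == "__main__":
    clone_uid()
```

The read-back matters more than it looks: nfc-mfsetuid exits successfully as long as the card accepted the commands, and a card that did not really take the new UID (or was lifted off the reader too early) is only caught by the second nfc-list.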

h3. Reading Passports

*cyberflex-shell*

The cyberflex-shell is only available in the USB-Stick package or from "github":https://github.com/henryk/cyberflex-shell

* Start X
<pre> startx </pre>

* Open an xterm and start the passport reader application
<pre> cd cyberflex-shell
 ./readpass -i -r 1</pre>

* Type the second line of the passport's MRZ (machine readable zone) into the corresponding form and click "open"; the Basic Access Control key that protects the chip is derived from the document number, date of birth and expiry date in that line

h2. Licenses and Credits

*mfoc*
mfoc is available under "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc

*mfcuk*
mfcuk is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/

*RFIDLab*
RFIDLab is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab

*cyberflex-shell*
cyberflex-shell is available under "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell