Peter, 12/27/2012 07:39 PM
h1. RFID Tools

*Welcome to the RFID Tools Project*

We want to provide a compilation of open-source RFID tools in a "ready to use" state. To make it as easy as possible for you to start "hacking" RFID, we provide two software packages.

{{toc}}

*Downloads*

USB-Stick Image
attachment:rfid_tool_usb_stick.img

Ubuntu .deb for x64
attachment:rfid-tools_1.0.0_amd64.deb

h2. RFID Reader Hardware

The tools provided are tested with the ACS ACR122U NFC reader, also sold as the "touchatag" reader. They are supposed to work with any reader supported by libnfc.

h3. Where to buy a reader?

*ACS ACR122U "touchatag"*
* *HURRY!* The "touchatag" reader can be purchased from the touchatag project for €19,99 until *31.12.2012*. Afterwards it will be more difficult and much more expensive to get a decent NFC reader to use with these tools.
http://store.touchatag.com/acatalog/touchatag_starter_pack.html

*Proxmark*
* Shops that ship the Proxmark are listed here: http://www.proxmark.org/order

*Other Readers*
* In general, all readers that are supported by "libnfc":http://www.libnfc.org/documentation/introduction are supported by these tools. Readers are not always cheap and easy to find. Probably the best way is to check eBay or Alibaba.

h2. Tools

*NOTICE*: As far as we know, these tools do *not* work inside a virtual machine: there are timing problems communicating with the reader.

*RFID Tools as .deb*
* binary .deb package for Ubuntu x64 *only*
* contains mfoc, mfcuk and RFIDLab
* download attachment:rfid-tools_1.0.0_amd64.deb
* install the prerequisites:
<pre> sudo apt-get install pcscd</pre>
* edit /etc/libccid_Info.plist so that the driver option reads as below (0x0004 lets libnfc send the raw CCID escape commands the ACR122U needs):
<pre><key>ifdDriverOptions</key>
<string>0x0004</string></pre>
* install:
<pre> sudo dpkg -i rfid-tools_1.0.0_amd64.deb </pre>

*Bootable USB-Stick image*
* bootable Debian USB-Stick image file
* contains mfoc, mfcuk, RFIDLab and the cyberflex-shell
* download attachment:rfid_tool_usb_stick.img
* write it to the USB stick (replace /dev/sdX with the stick's device; everything on that device is overwritten):
<pre> sudo dd if=rfid_tool_usb_stick.img of=/dev/sdX bs=4096 count=262144 </pre>
* user: root pw: toor

h2. Howto

These are some small tutorials that show you how to

* Recover keys on Mifare Classic
* Edit Mifare Classic cards
* Change UIDs on Mifare Classic cards
* Read (German) passports


h3. Key Recovery on Mifare Classic

The short summary is:
A Mifare Classic 1K card is organized in 16 sectors (0 to 15) with 4 blocks each (0 to 3) of 16 bytes each.
The 4th block of every sector (the sector trailer) contains key A, key B and the access bits, which set the rights to access the blocks of that sector.

*mfcuk*

* Can be used if all keys on a card have been set to non-default keys
* Takes ~20 min to recover one key
* Recover the key of a single sector and write it to a key file:
<pre>mfcuk -C -v 1 -R 0:A -k keys.mfcuk</pre>
This will recover key A of the first sector (sector 0), which can then be used to recover all the other keys with mfoc.

*mfoc*

* Can be used if at least one key on the card is a default key; it recovers the remaining keys and dumps the card's content:
<pre>mfoc -O out.mfd</pre>
* or, if one key has already been recovered with mfcuk:
<pre>mfoc -O out.mfd -K keys.mfcuk</pre>

h3. Editing Mifare Classic Cards

*RFIDLab*

* Step 1: dump the card you want to edit to an *.mfd file.
* Use mfoc for this or, if the card doesn't use any default keys, recover a key with mfcuk first.

*Editing and writing back to the card*

Start RFIDLab with: <pre>rl</pre>
You can always see the menu again with <pre>?</pre>
Enter the Mifare Classic terminal: <pre>c</pre>
You may have to enlarge the console window to see the entire menu.
Import the dumped card with <pre>n</pre>. Use the *.mfd file you made in step 1.
Check whether you have the rights to write to the blocks you want to change: <pre>L</pre> then <pre>Y</pre>
If you have the rights, good. If not, look in the table whether you have the rights to change the access bits.
If you have the rights to change the access bits, do it with <pre>I</pre>
If you can neither change the access bits nor write to the desired block, you cannot change that value on this card. You may need a new empty card or another old card for your project. Sector 0, block 0 (the manufacturer block with the UID) can never be edited on a genuine card.
Now that you have the rights to write to the block, start editing the values on the card.
Edit the values in the buffer with <pre>E</pre> or <pre>B</pre> to the values you wish.
Edit the values with the commands shown; if you make a mistake you can always restore the buffer before you save.
Afterwards don't forget to save with <pre>S</pre> before you leave with <pre>X</pre>
Then write the buffer content to the card with <pre>H</pre>
You can verify your work with <pre>V</pre>. Note that blocks containing keys are often falsely reported as wrong because keys can't always be read back, so just look at your own block.
If necessary for your application, now change the access bits back to what they were.

Done!

Complete card modifications can either be made step by step with the above method or by using a common hex editor to change all values in your dump to the desired ones (for example values from a dump of a card you want to clone) before importing it into RFIDLab. But be careful not to overwrite the key and access-bits block (the last block of each sector), because RFIDLab needs the real keys to access the card.

You also have the option to use a changeable-UID Mifare card. These are counterfeit Mifare cards which are available on the Chinese market. The changeable-UID function was originally intended to replace cards in a legacy installation. We will use this function to make an exact copy of an existing Mifare card.

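The card layout from the Key Recovery summary (16 sectors, a trailer with key A, key B and the access bits) and the "do I have the rights to write this block / change the access bits" check of the RFIDLab steps above can be answered offline on the .mfd dump, which is also the moment to catch a trailer damaged in a hex editor. The following Python script is an added example for this page, not code from mfoc, mfcuk or RFIDLab. It assumes the dump is the raw 1024-byte image mfoc writes (no header) and uses the access-condition tables from the Mifare Classic 1K data sheet. It decodes the access bits of every sector (refusing inconsistent ones, which would irreversibly lock the sector if written to the card), sorts the data blocks into writable, unlockable and frozen, checks the BCC of block 0, and ships with a constructed dump for a dry run:

```python
"""Inspect a Mifare Classic 1K dump (.mfd) before editing or writing it back.

Added example for this page, not code from mfoc, mfcuk or RFIDLab. Assumed:
the dump is the raw 1024-byte image mfoc writes (16 sectors x 4 blocks x
16 bytes, no header); the access-condition tables are the ones from the
MF1S50 (Mifare Classic 1K) data sheet.
"""

BLOCK, SECTOR, SECTORS = 16, 64, 16
DEFAULT_KEY = bytes.fromhex("ffffffffffff")
TRANSPORT_ACCESS = bytes.fromhex("ff0780")  # factory value of trailer bytes 6..8

# Data-block rights by (C1, C2, C3): key allowed to read, write, increment, decrement.
DATA_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"), (0, 1, 0): ("A|B", "-", "-", "-"),
    (1, 0, 0): ("A|B", "B", "-", "-"),       (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "-", "-", "A|B"),     (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),         (1, 1, 1): ("-", "-", "-", "-"),
}
# Trailer rights by (C1, C2, C3): key allowed to write key A, read and write the
# access bits, read and write key B.  Key A can never be read back.
TRAILER_RIGHTS = {
    (0, 0, 0): ("A", "A", "-", "A", "A"),     (0, 1, 0): ("-", "A", "-", "A", "-"),
    (1, 0, 0): ("B", "A|B", "-", "-", "B"),   (1, 1, 0): ("-", "A|B", "-", "-", "-"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),     (0, 1, 1): ("B", "A|B", "B", "-", "B"),
    (1, 0, 1): ("-", "A|B", "B", "-", "-"),   (1, 1, 1): ("-", "A|B", "-", "-", "-"),
}


def decode_access_bits(ab):
    """Trailer bytes 6..8 -> {block: (C1, C2, C3)}.

    Byte 6 holds ~C2 (high nibble) and ~C1 (low), byte 7 holds C1 and ~C3,
    byte 8 holds C3 and C2; each nibble has one bit per block 3..0.  The card
    checks the inverted copies on every access and irreversibly blocks the
    sector if they do not match, so refuse to decode such a trailer.
    """
    c1, c2, c3 = ab[1] >> 4, ab[2] & 0x0F, ab[2] >> 4
    nc1, nc2, nc3 = ab[0] & 0x0F, ab[0] >> 4, ab[1] & 0x0F
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0x0F, 0x0F, 0x0F):
        raise ValueError("inconsistent access bits %s: writing them would lock the sector" % ab.hex())
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}


def encode_access_bits(conds):
    """Inverse of decode_access_bits, for building a valid trailer in a hex editor."""
    c1 = sum(conds[b][0] << b for b in range(4))
    c2 = sum(conds[b][1] << b for b in range(4))
    c3 = sum(conds[b][2] << b for b in range(4))
    return bytes([((c2 ^ 0xF) << 4) | (c1 ^ 0xF), (c1 << 4) | (c3 ^ 0xF), (c3 << 4) | c2])


def check_block0(dump):
    """Block 0: UID (4 bytes), BCC = XOR of the UID bytes, SAK, ATQA, vendor data."""
    uid = dump[0:4]
    return {"uid": uid.hex(), "bcc_ok": dump[4] == uid[0] ^ uid[1] ^ uid[2] ^ uid[3],
            "sak": dump[5]}


def analyze_sector(dump, sector):
    """Keys, access conditions and resulting rights of one sector."""
    t = dump[sector * SECTOR + 3 * BLOCK:(sector + 1) * SECTOR]
    conds = decode_access_bits(t[6:9])
    return {"key_a": t[0:6].hex(), "key_b": t[10:16].hex(),
            "default_keys": DEFAULT_KEY in (t[0:6], t[10:16]),
            "data": {b: DATA_RIGHTS[conds[b]] for b in range(3)},
            "trailer": TRAILER_RIGHTS[conds[3]]}


def classify_blocks(dump):
    """Sort the data blocks the way the RFIDLab 'L'/'I' steps do: writable now,
    unlockable (read-only, but the access bits may still be changed), or frozen.
    Block 0 of sector 0 is manufacturer data and is skipped."""
    out = {"writable": [], "unlockable": [], "frozen": []}
    for s in range(SECTORS):
        info = analyze_sector(dump, s)
        for b in range(3):
            if (s, b) == (0, 0):
                continue
            if info["data"][b][1] != "-":
                out["writable"].append((s, b))
            elif info["trailer"][2] != "-":
                out["unlockable"].append((s, b))
            else:
                out["frozen"].append((s, b))
    return out


def make_test_dump():
    """Constructed image (not from a real card): UID de ad be ef, SAK 08, default
    keys and transport access bits everywhere, except sector 1, whose data blocks
    are read-only and whose trailer no longer allows changing the access bits."""
    dump = bytearray(SECTORS * SECTOR)
    dump[0:4] = bytes.fromhex("deadbeef")
    dump[4] = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF
    dump[5] = 0x08
    for s in range(SECTORS):
        t = s * SECTOR + 3 * BLOCK
        dump[t:t + 16] = DEFAULT_KEY + TRANSPORT_ACCESS + b"\x69" + DEFAULT_KEY
    t1 = 1 * SECTOR + 3 * BLOCK
    dump[t1 + 6:t1 + 9] = encode_access_bits({0: (0, 1, 0), 1: (0, 1, 0), 2: (0, 1, 0), 3: (1, 1, 0)})
    return bytes(dump)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_dump()
    print("block 0:", check_block0(data))
    for s in range(SECTORS):
        i = analyze_sector(data, s)
        print("sector %2d keyA=%s keyB=%s trailer=%s" % (s, i["key_a"], i["key_b"], i["trailer"]))
    print(classify_blocks(data))
```

Run it with the path of a dump (for example the out.mfd written by mfoc) before importing a hand-edited dump into RFIDLab; without an argument it analyses the constructed dump. A sector whose data blocks land in "frozen" is the case described above where neither the block nor its access bits can be changed, and `encode_access_bits` gives the three bytes to paste into a trailer when you relax the conditions in a hex editor.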
*Changing the UID*

The UID is stored in sector 0, block 0, right at the beginning, but that block is not writable with the normal write commands. This is the same with the Chinese Mifare cards, so special commands are required. Fortunately support for them is in mainline libnfc: when you have a properly installed libnfc on your computer you already have all the necessary tools.

First look up the UID of the original card:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
    UID (NFCID1): de  ad  be  ef
    SAK (SEL_RES): 08
</pre>

Then put the Chinese card on the reader and do this:

<pre>
$ nfc-mfsetuid deadbeef
</pre>

Now the UID should be changed. Read the card again and check that UID, ATQA and SAK all match the original:

<pre>
$ nfc-list
nfc-list uses libnfc 1.5.1 (r1175)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U203 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) found:
    ATQA (SENS_RES): 00  04
    UID (NFCID1): de  ad  be  ef
    SAK (SEL_RES): 08
</pre>

h3. Reading Passports

*cyberflex-shell*

The cyberflex-shell is only available in the USB-Stick package or from "github":https://github.com/henryk/cyberflex-shell

* Start X
<pre> startx </pre>

* Open an xterm and start the passport reader application
<pre> cd cyberflex-shell
./readpass -i -r 1</pre>

* Type the second line of the MRZ (the machine-readable zone printed at the bottom of the passport's data page) into the corresponding form and click "open"

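readpass asks for the second MRZ line because, under ICAO 9303 Basic Access Control (background not spelled out on this page), the keys that unlock the chip are derived from the document number, date of birth and expiry date printed in that line, each with its check digit. A typo there fails silently as a wrong key, so checking the digits before trying the reader saves a round. The following Python script is an added example, not code from cyberflex-shell or readpass: it validates a TD3 second line and derives K_seed, K_enc and K_mac exactly as ICAO 9303 Part 11 specifies. The document number and dates are ICAO's published worked example; the nationality, sex and optional data that complete the 44-character line are made up here.

```python
"""Derive the Basic Access Control (BAC) keys of an ICAO 9303 e-passport from
the second MRZ line, the line readpass asks you to type in.

Added example for this page, not code from cyberflex-shell or readpass. The
key derivation (SHA-1 seed, SHA-1 based KDF, 3DES keys with odd parity) is
the one specified in ICAO 9303 Part 11; the document number, birth date and
expiry date below are that document's published worked example, and the rest
of the 44-character line (nationality, sex, optional data) is made up here.
"""
import hashlib


def mrz_value(ch):
    """Check-digit alphabet: digits count as themselves, A..Z as 10..35, '<' as 0."""
    if ch == "<":
        return 0
    return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10


def check_digit(field):
    """ICAO 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    return sum(mrz_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10


def parse_mrz_line2(line):
    """Split a passport (TD3) second line and verify all five check digits."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be 44 characters, got %d" % len(line))
    checked = (("document_number", 0, 9), ("birth_date", 13, 19),
               ("expiry_date", 21, 27), ("optional_data", 28, 42))
    fields = {"nationality": line[10:13], "sex": line[20]}
    for name, start, end in checked:
        fields[name] = line[start:end]
        cd = str(check_digit(line[start:end]))
        # An unused optional-data field may carry '<' instead of the digit 0.
        if line[end] != cd and not (name == "optional_data" and line[end] == "<" and cd == "0"):
            raise ValueError("check digit mismatch in %s" % name)
    composite = line[0:10] + line[13:20] + line[21:43]
    if str(check_digit(composite)) != line[43]:
        raise ValueError("composite check digit mismatch")
    return fields


def mrz_information(line):
    """The 24 characters the BAC key seed is computed from: document number,
    birth date and expiry date, each followed by its check digit."""
    parse_mrz_line2(line)  # refuse to derive keys from a mistyped line
    return line[0:10] + line[13:20] + line[21:28]


def odd_parity(b):
    """Set the least significant bit so the byte has odd parity (DES key format)."""
    return (b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1)


def derive_bac_keys(line):
    """K_seed = SHA-1(MRZ_information)[:16]; K_enc/K_mac = KDF(K_seed, c=1/2)."""
    seed = hashlib.sha1(mrz_information(line).encode("ascii")).digest()[:16]
    keys = {"k_seed": seed}
    for name, c in (("k_enc", 1), ("k_mac", 2)):
        h = hashlib.sha1(seed + c.to_bytes(4, "big")).digest()[:16]
        keys[name] = bytes(odd_parity(b) for b in h)
    return keys


# Constructed line: ICAO's example document number and dates, invented remainder.
EXAMPLE_LINE = "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"

if __name__ == "__main__":
    for k, v in derive_bac_keys(EXAMPLE_LINE).items():
        print(k, v.hex())
```

Paste the line from your own passport into `derive_bac_keys` to check that it is well-formed before typing it into readpass; a `ValueError` points at the field with the mistyped character. The keys themselves are what the reader uses for the BAC mutual authentication and the secure channel, which is why a single wrong digit makes the chip refuse to talk.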
h2. Licenses and Credits

*mfoc*
mfoc is available under the "GPLv3":https://www.gnu.org/licenses/gpl.html at https://code.google.com/p/nfc-tools/wiki/mfoc

*mfcuk*
mfcuk is available under the "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://code.google.com/p/mfcuk/

*RFIDLab*
RFIDLab is available under the "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at http://runningserver.com/?page=runningserver.content.download.rfidlab

*cyberflex-shell*
cyberflex-shell is available under the "GPLv2":https://www.gnu.org/licenses/old-licenses/gpl-2.0.html at https://github.com/henryk/cyberflex-shell