From Getting Started to Going to Prison: The Complete Mifare1 Card Hacking Guide

Source: Internet
Author: User
Tags: sdo



Related news: a programmer hacked a restaurant's payment system to top up his own meal card. Technology is a double-edged sword; be careful, be careful!



Objective



Since the vulnerabilities in M1 card authentication were discovered, cracking hardware has become fast and foolproof, so one-click cracking is not the focus of this article. Readers will take away the following:


    • If you want to get started quickly and easily, choose a device that is simple to buy, such as an ACR122-like reader, a PROXMARK3, or an NFC-enabled Android phone with the Mifare Classic Tool (MCT) app installed.
    • This article is based on tests with a Raspberry Pi plus RC522 and PN532 modules. If you are a hobbyist just getting started, read on; I briefly describe the SPI interface protocol and some RC522 driver code.
    • Everything here points at one goal: obtaining Key A and Key B of a MIFARE Classic card in order to read its sector data.
    • My knowledge is limited; if there are errors, please point them out.


M1 Card Structure



MIFARE is a series of contactless RF cards made by NXP that comply with ISO/IEC 14443A, including MIFARE S50, MIFARE S70, MIFARE Ultralight, MIFARE Pro, MIFARE DESFire and others. The MIFARE S50 has 1 KB of memory; it is often called MIFARE Standard or MIFARE 1 (M1) and is the most widely deployed and influential ISO 14443A card. The S50's card type code (ATQA) is 0004h.






Reading a blank MIFARE Classic 1K (S50) with MCT on an NFC-enabled phone shows the card's storage layout directly.






An M1 card has 16 sectors numbered 0 to 15, and each sector has its own keys. Each sector consists of 4 blocks numbered 0 to 3, so the card has 64 blocks in total, addressed absolutely as 0 to 63. Each block holds 16 bytes, giving 16 x 4 x 16 = 1024 bytes.



The 4th block of every sector (block 3, the sector trailer) holds Key A, the access bits (which control read and write permissions for each block of the sector) and Key B.



Block 0 of sector 0 is a special manufacturer block: it holds the chip serial number (UID) and manufacturer data and is read-only.
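To make the sector and trailer layout above concrete, here is an added example (written for this edit, not code from the original article) that parses a raw 1024-byte MIFARE Classic 1K dump, the binary format mfoc writes with -O, splits it into sectors, extracts Key A / Key B, decodes the access bits with the datasheet's inverted-copy integrity check, and decodes value blocks and the UID/BCC of the manufacturer block. The dump is constructed inline; its UID, the sector 1 keys and the access bytes 78 77 88 are made up for the example.

```python
"""Parse a raw MIFARE Classic 1K dump and decode its sector trailers.
Example written for this article; the dump below is constructed, not read from a card."""
import struct

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16

# Access conditions from the MF1S50 datasheet, keyed by (C1, C2, C3).
# Data blocks: (read, write, increment, decrement/transfer/restore).
DATA_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),        # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),            # value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),    # value block, decrement only
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# Sector trailer: (key A read, key A write, access bits read, access bits write, key B read, key B write).
TRAILER_RULES = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

def parse_dump(dump: bytes) -> list:
    """Split a 1024-byte dump into 16 sectors of 4 blocks; return dicts with keys and access bytes."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError(f"expected a 1024-byte 1K dump, got {len(dump)} bytes")
    sectors = []
    for s in range(SECTORS):
        base = s * BLOCKS_PER_SECTOR * BLOCK_SIZE
        blocks = [dump[base + i * BLOCK_SIZE: base + (i + 1) * BLOCK_SIZE] for i in range(BLOCKS_PER_SECTOR)]
        trailer = blocks[3]
        sectors.append({"index": s, "blocks": blocks,
                        "key_a": trailer[0:6], "access": trailer[6:9], "key_b": trailer[10:16]})
    return sectors

def access_bits(access: bytes) -> list:
    """Return [(C1, C2, C3)] for blocks 0..3, checking the inverted copies in bytes 6 and 7.
    A trailer that fails this check makes a real card block the sector irreversibly."""
    b6, b7, b8 = access
    bits = []
    for i in range(4):
        c1, c2, c3 = (b7 >> (4 + i)) & 1, (b8 >> i) & 1, (b8 >> (4 + i)) & 1
        nc1, nc2, nc3 = (b6 >> i) & 1, (b6 >> (4 + i)) & 1, (b7 >> i) & 1
        if (c1, c2, c3) != (nc1 ^ 1, nc2 ^ 1, nc3 ^ 1):
            raise ValueError(f"access bits for block {i} fail the inverted-copy check")
        bits.append((c1, c2, c3))
    return bits

def describe_sector(sector: dict) -> dict:
    """Human-readable permissions for the three data blocks and the trailer."""
    bits = access_bits(sector["access"])
    out = {}
    for i in range(3):
        r, w, inc, dec = DATA_RULES[bits[i]]
        out[f"block{i}"] = {"read": r, "write": w, "increment": inc, "decrement": dec}
    ka_r, ka_w, ab_r, ab_w, kb_r, kb_w = TRAILER_RULES[bits[3]]
    out["trailer"] = {"keyA": (ka_r, ka_w), "access_bits": (ab_r, ab_w), "keyB": (kb_r, kb_w)}
    return out

def value_block(block: bytes):
    """Decode value, ~value, value, addr, ~addr, addr, ~addr; None if the block is not a value block."""
    v, nv, v2 = struct.unpack_from("<iii", block)
    a, na, a2, na2 = block[12:16]
    if nv == ~v and v2 == v and na == a ^ 0xFF and a2 == a and na2 == na:
        return v
    return None

def uid_matches_bcc(block0: bytes) -> bool:
    """Manufacturer block: UID(4) BCC(1) SAK(1) ATQA(2) manufacturer data(8); BCC is the XOR of the UID."""
    uid, bcc = block0[0:4], block0[4]
    return bcc == uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

def build_sample_dump() -> bytes:
    """Constructed dump: transport keys everywhere except sector 1, whose keys and access bytes are made up."""
    empty = bytes(BLOCK_SIZE)
    transport_trailer = bytes.fromhex("ffffffffffff" "ff0780" "69" "ffffffffffff")
    block0 = bytes.fromhex("deadbeef" "22" "08" "0400") + bytes(range(8))   # BCC 0x22 = de^ad^be^ef
    sector1_trailer = bytes.fromhex("a0a1a2a3a4a5" "787788" "69" "b0b1b2b3b4b5")
    value_100 = bytes.fromhex("64000000" "9bffffff" "64000000" "05fa05fa")
    dump = block0 + empty + empty + transport_trailer                                         # sector 0
    dump += b"hacked by ruo".ljust(BLOCK_SIZE, b"\x00") + value_100 + empty + sector1_trailer  # sector 1
    dump += (empty * 3 + transport_trailer) * (SECTORS - 2)
    return dump

if __name__ == "__main__":
    for sec in parse_dump(build_sample_dump())[:2]:
        print(f"sector {sec['index']}: keyA={sec['key_a'].hex()} keyB={sec['key_b'].hex()} "
              f"access={sec['access'].hex()} -> {describe_sector(sec)}")
```

Two things the output makes visible that matter when you are deciding how to attack a card: with the transport access bytes FF 07 80 both keys are readable or writable with Key A, so one recovered key gives you the whole sector, whereas a configuration like 78 77 88 makes the data blocks writable only with Key B and the trailer writable only with Key B. Replace build_sample_dump() with open("test.mfd", "rb").read() to run it over a real mfoc dump.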






SPI interface



SPI (Serial Peripheral Interface) is a high-speed, full-duplex, synchronous serial bus. SPI communication works in master/slave mode: normally one master device and one or more slave devices. It needs at least 4 wires (3 will do for unidirectional transfers). The four signals are common to all SPI devices: SDI (data in, MISO), SDO (data out, MOSI), SCLK (clock, SCK) and CS (chip select, SS).



CS controls whether the chip is selected: only while the chip-select line carries its predefined enable level (high or low, depending on the device) do operations on that chip take effect.



Data is exchanged through two bidirectional shift registers, one on each side. SPI is a serial protocol that always transmits the most significant bit (MSB) first, whether sending or receiving. SCLK supplies the clock pulses: the transmitter puts the next bit on its output line on one clock edge (rising or falling) and the receiver samples it on the opposite edge, which completes the transfer of one bit. So at least 8 clock cycles are needed to move one byte (8 bits).









SPI is just a way to move bytes. The Raspberry Pi has a hardware SPI controller, so we do not need to bit-bang SPI in software; we only need the bcm2835 library to send and receive data. Like the conveyor belt on an assembly line, all we have to do is put the goods on it (without worrying about how the conveyor is built), but we do have to know how to put them on. So next we look at controlling the RC522 module.



MFRC522



Several important features


    • Supports ISO/IEC 14443A / MIFARE
    • 64-byte send and receive FIFO buffer
    • 2.5 V to 3.3 V supply voltage
    • Supports SPI, I2C and UART host interfaces


How to communicate with M1 card?


    • Request (REQA) / wake-up (WUPA). After power-on reset (POR) the M1 card answers a REQA request or a WUPA wake-up command with its ATQA (card type code, for example 0004h for the MF1S503yX).
    • Anticollision. If several cards are in the reader's field, they are told apart by their serial numbers (each card sends its 4-byte UID plus a 1-byte BCC check byte, the XOR of the four UID bytes) and only one card is selected for the next step.
    • Card selection. The reader selects one card with the SELECT command for the following authentication and memory operations; the card replies with its SAK (select acknowledge, which indicates the card type and capacity).
    • Three-pass mutual authentication. After selection the reader names a block address and performs a three-pass authentication with the corresponding key. Once authentication succeeds, all memory operations are encrypted.
    • Memory operations:


Read: read a data block
Write: write a data block
Decrement: subtract from the value in a value block and keep the result in a temporary internal data register
Increment: add to the value in a value block and keep the result in the data register
Restore: load the contents of a value block into the data register
Transfer: write the contents of the data register into a value block
Halt: put the card into the halt state






A few important registers



FIFODataReg: the FIFO buffer's input and output data bus is connected to this register. Writing a byte to FIFODataReg stores it in the FIFO buffer and advances the internal write pointer by one; reading it returns the next buffered byte and advances the read pointer.



The main status registers are ComIrqReg (interrupt request bits), ErrorReg, Status2Reg and FIFOLevelReg.



(See the chip datasheet for details; reading it is required.)
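As an added illustration of the SPI section and the register section above (not code from the article, the bcm2835 library or NXP), the following Python simulates the mode-0 shift-register exchange bit by bit, then layers on the MFRC522's SPI register framing from its datasheet: the first byte on the bus is an address byte (bit 7 = 1 for read, bits 6..1 = register address, bit 0 = 0), the second byte is the data, and for a read the register value arrives during that second byte. FakeMFRC522 is a stand-in for the chip that models only the register file and the FIFO; the register addresses (CommandReg 0x01, FIFODataReg 0x09, FIFOLevelReg 0x0A, VersionReg 0x37) and the FlushBuffer bit are from the datasheet.

```python
"""Simulated SPI mode-0 link and MFRC522 register framing (example written for
this article; register numbers and the address-byte layout are from the MFRC522
datasheet, the chip model is a stand-in, not the real silicon)."""

COMMAND_REG = 0x01      # MFRC522 register addresses used here
FIFO_DATA_REG = 0x09
FIFO_LEVEL_REG = 0x0A
VERSION_REG = 0x37
FIFO_SIZE = 64

def spi_mode0_byte(master_out: int, slave_out: int) -> tuple:
    """Clock one byte each way through the two 8-bit shift registers.

    CPOL=0/CPHA=0: before each rising edge the MSB of each register is on the
    wire (MOSI / MISO); on the rising edge both sides sample the opposite wire
    into their LSB while shifting left. Eight clocks move a full byte each way.
    """
    m, s = master_out & 0xFF, slave_out & 0xFF
    for _ in range(8):
        mosi, miso = (m >> 7) & 1, (s >> 7) & 1
        m = ((m << 1) & 0xFF) | miso      # master samples MISO
        s = ((s << 1) & 0xFF) | mosi      # slave samples MOSI
    return m, s                            # (byte the master now holds, byte the slave now holds)

def loopback_byte(master_out: int) -> int:
    """MISO tied to MOSI, as in the spi.c test below: the master samples its own bits."""
    return spi_mode0_byte(master_out, master_out)[0]

def spi_address_byte(reg: int, read: bool) -> int:
    """MFRC522 SPI framing: bit 7 = 1 for read, bits 6..1 = register address, bit 0 = 0
    (the familiar ((reg << 1) & 0x7E) | 0x80 from MFRC522 driver libraries)."""
    if not 0 <= reg <= 0x3F:
        raise ValueError("MFRC522 register addresses are 6 bits wide")
    return ((reg << 1) & 0x7E) | (0x80 if read else 0x00)

class FakeMFRC522:
    """Register file plus FIFO, answering the address-byte / data-byte transactions."""

    def __init__(self):
        self.regs = bytearray(0x40)
        self.regs[VERSION_REG] = 0x92     # value a v2.0 MFRC522 reports in VersionReg
        self.fifo = bytearray()
        self.pending = None               # address byte waiting for its data byte
        self.preloaded = 0x00             # byte sitting in the chip's shift register

    def clock_byte(self, mosi_byte: int) -> int:
        """One 8-clock exchange; returns the byte the master shifts in."""
        master_got, slave_got = spi_mode0_byte(mosi_byte, self.preloaded)
        self.preloaded = 0x00
        if self.pending is None:                      # first byte: the address
            self.pending = slave_got
            if slave_got & 0x80:                      # read: value goes out on the next byte
                self.preloaded = self._read((slave_got >> 1) & 0x3F)
        else:                                         # second byte: data (ignored for reads)
            if not self.pending & 0x80:
                self._write((self.pending >> 1) & 0x3F, slave_got)
            self.pending = None
        return master_got

    def _read(self, reg: int) -> int:
        if reg == FIFO_DATA_REG:                      # reading pops the oldest byte
            return self.fifo.pop(0) if self.fifo else 0x00
        if reg == FIFO_LEVEL_REG:
            return len(self.fifo)
        return self.regs[reg]

    def _write(self, reg: int, val: int) -> None:
        if reg == FIFO_DATA_REG:
            if len(self.fifo) < FIFO_SIZE:            # extra bytes are dropped (BufferOvfl on a real chip)
                self.fifo.append(val)
        elif reg == FIFO_LEVEL_REG and val & 0x80:    # FlushBuffer bit empties the FIFO
            self.fifo.clear()
        else:
            self.regs[reg] = val

# Host side: what a bcm2835-based driver does with two bcm2835_spi_transfer() calls
def write_reg(chip: FakeMFRC522, reg: int, val: int) -> None:
    chip.clock_byte(spi_address_byte(reg, read=False))
    chip.clock_byte(val)

def read_reg(chip: FakeMFRC522, reg: int) -> int:
    chip.clock_byte(spi_address_byte(reg, read=True))
    return chip.clock_byte(0x00)                      # dummy byte clocks the value out

def load_fifo(chip: FakeMFRC522, data: bytes) -> int:
    """Flush the FIFO, push a frame into it and return the level the chip reports."""
    write_reg(chip, FIFO_LEVEL_REG, 0x80)
    for b in data:
        write_reg(chip, FIFO_DATA_REG, b)
    return read_reg(chip, FIFO_LEVEL_REG)

if __name__ == "__main__":
    chip = FakeMFRC522()
    print("loopback 0x23 ->", hex(loopback_byte(0x23)))
    print("VersionReg:", hex(read_reg(chip, VERSION_REG)))
    print("FIFO level after loading a READ frame:", load_fifo(chip, bytes([0x30, 0x04])))
```

Reading VersionReg (expect 0x91 or 0x92 on genuine silicon) is the first thing to do on real hardware: if it comes back as 0x00 or 0xFF the wiring, chip select or SPI mode is wrong, and nothing further will work.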






(Communication process)
Read and write operations
A write is done in two steps.
Step A: query the block status.
    Command code (0xA0), block address, CRC
If the block is ready, the MIFARE card returns a 4-bit response. If the value is 1010b (0xA, ACK) the next step may proceed; any other value is a NAK, the block is not ready and we must wait until it is.
Step B: write the data.
    Data (16 bytes), CRC (2 bytes)
If the write succeeds the card again returns the 4-bit ACK 1010b; any other value means the write failed.
Read
Command format:
    Command code (0x30), block address, CRC
On success the card returns an 18-byte reply: 16 bytes of block data followed by the 2-byte CRC_A of that data. If the reply is not 18 bytes long, or the CRC does not match, the operation has failed.
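Putting the command flow and the frame formats above together, here is an added example (not from the original article) that builds the WUPA, anticollision, SELECT, AUTH, READ and WRITE frames with a software CRC_A and runs them against a simulated 1K card that enforces the CRC and the 4-bit ACK/NAK rules. The card, its UID and the nonce it returns are constructed for the example; the simulation records which sector was authenticated but does not implement the Crypto1 three-pass authentication, so it demonstrates the framing and the reader-side checks, not the cipher.

```python
"""MIFARE Classic command frames with software CRC_A against a simulated card.
Example written for this article: frames and ACK/NAK handling follow ISO/IEC 14443-3
and the MF1S50 datasheet; Crypto1 authentication is NOT implemented (the card only
records which sector was 'authenticated' and answers with a constructed nonce)."""

ACK = 0x0A          # 4-bit acknowledge; any other 4-bit answer is a NAK
NAK_CRC = 0x01      # NAK: parity or CRC error
NAK_INVALID = 0x04  # NAK: invalid operation (wrong state, bad block, not authenticated)

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (poly 0x8408 reflected, init 0x6363), returned LSB first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def with_crc(frame: bytes) -> bytes:
    return frame + crc_a(frame)

def strip_crc(resp: bytes) -> bytes:
    """Payload of a CRC-protected frame; raises ValueError on a bad or missing CRC."""
    if len(resp) < 3 or crc_a(resp[:-2]) != resp[-2:]:
        raise ValueError("bad CRC_A")
    return resp[:-2]

def bcc(uid: bytes) -> int:
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

def is_ack(resp: bytes) -> bool:
    return len(resp) == 1 and (resp[0] & 0x0F) == ACK   # same test as the page's write() below

class SimCard:
    """Simulated MIFARE Classic 1K with a 4-byte UID and transport keys (constructed)."""

    def __init__(self, uid: bytes):
        self.uid, self.state = uid, "idle"      # idle -> ready (REQA/WUPA) -> active (SELECT)
        self.mem = [bytearray(16) for _ in range(64)]
        for s in range(16):
            self.mem[4 * s + 3] = bytearray.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
        self.mem[0][:8] = uid + bytes([bcc(uid), 0x08, 0x04, 0x00])   # UID, BCC, SAK, ATQA
        self.auth_sector, self.pending_write = None, None

    def transceive(self, frame: bytes) -> bytes:
        if frame in (b"\x26", b"\x52"):                # REQA / WUPA (short frames, no CRC)
            self.state, self.auth_sector = "ready", None
            return b"\x04\x00"                         # ATQA 0x0004, LSB first
        if self.state == "idle":
            return b""                                 # a halted card stays silent until WUPA
        if frame == b"\x93\x20":                       # anticollision, cascade level 1
            return self.uid + bytes([bcc(self.uid)])
        if self.pending_write is not None:             # WRITE step B: 16 data bytes + CRC
            blk, self.pending_write = self.pending_write, None
            if len(frame) != 18 or crc_a(frame[:16]) != frame[16:]:
                return bytes([NAK_CRC])
            self.mem[blk][:] = frame[:16]
            return bytes([ACK])
        try:
            body = strip_crc(frame)
        except ValueError:
            return bytes([NAK_CRC])
        if body[:2] == b"\x93\x70":                    # SELECT: 93 70 UID0..3 BCC CRC
            if body[2:6] != self.uid or body[6] != bcc(self.uid):
                return b""
            self.state = "active"
            return with_crc(b"\x08")                   # SAK 0x08 = MIFARE Classic 1K
        if self.state != "active" or len(body) != 2:
            return bytes([NAK_INVALID])
        cmd, blk = body
        if cmd == 0x50:                                # HALT
            self.state = "idle"
            return b""
        if blk > 63:
            return bytes([NAK_INVALID])
        if cmd in (0x60, 0x61):                        # AUTH key A / key B; a real card starts Crypto1 here
            self.auth_sector = blk // 4
            return b"\x01\x02\x03\x04"                 # constructed stand-in for the card nonce nT
        if self.auth_sector != blk // 4:
            return bytes([NAK_INVALID])
        if cmd == 0x30:                                # READ: 16 bytes + CRC; key A is never readable
            data = bytes(self.mem[blk])
            return with_crc(bytes(6) + data[6:] if blk % 4 == 3 else data)
        if cmd == 0xA0:                                # WRITE step A
            self.pending_write = blk
            return bytes([ACK])
        return bytes([NAK_INVALID])

# Reader side: the same steps as findCard -> anticoll -> selectTag -> auth -> read/write
def select_card(card: SimCard) -> bytes:
    if card.transceive(b"\x52") != b"\x04\x00":
        raise RuntimeError("no MIFARE Classic 1K answered WUPA")
    uid_bcc = card.transceive(b"\x93\x20")
    if len(uid_bcc) != 5 or uid_bcc[4] != bcc(uid_bcc[:4]):
        raise RuntimeError("BCC mismatch in anticollision reply")
    if strip_crc(card.transceive(with_crc(b"\x93\x70" + uid_bcc))) != b"\x08":
        raise RuntimeError("unexpected SAK")
    return uid_bcc[:4]

def auth(card: SimCard, blk: int, key_b: bool = False) -> bool:
    return len(card.transceive(with_crc(bytes([0x61 if key_b else 0x60, blk])))) == 4

def read_block(card: SimCard, blk: int) -> bytes:
    resp = card.transceive(with_crc(bytes([0x30, blk])))
    if len(resp) != 18:                                # 16 data + 2 CRC_A, as the page's read() expects
        raise RuntimeError(f"read of block {blk} failed, reply {resp.hex()}")
    return strip_crc(resp)

def write_block(card: SimCard, blk: int, data: bytes) -> bool:
    assert len(data) == 16
    return is_ack(card.transceive(with_crc(bytes([0xA0, blk])))) and is_ack(card.transceive(with_crc(data)))

if __name__ == "__main__":
    card = SimCard(bytes.fromhex("deadbeef"))
    print("UID", select_card(card).hex(), "auth", auth(card, 4))
    print("write", write_block(card, 4, b"hacked by ruo".ljust(16, b"\x00")), "read", read_block(card, 4))
```

The frames this produces are byte-for-byte what you see in a sniffed exchange, e.g. with_crc(b"\x30\x04") is 30 04 26 EE, the READ of block 4. On real hardware the RC522's CalcCRC command does the CRC for you (that is what calculateCRC() in the driver code below calls), but checking the CRC of the 18-byte read reply on the host side, as read_block() does, catches corrupted reads that a length check alone would accept.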

/*
 * Function name: write
 * Description: write one block of data
 * Input: blockAddr -- block address; writeData -- the 16 bytes to write to the block
 * Returns: MI_OK on success, MI_ERR otherwise
 */
unsigned char write(unsigned char blockAddr, unsigned char *writeData)
{
  unsigned char status;
  unsigned int recvBits;
  unsigned char i;
  unsigned char buff[18];

  /* Step A: command code + block address, CRC appended by the RC522 */
  buff[0] = PICC_WRITE;
  buff[1] = blockAddr;            /* block address 0-63 */
  calculateCRC(buff, 2, &buff[2]);
  status = MFRC522ToCard(PCD_TRANSCEIVE, buff, 4, buff, &recvBits);

  /* the card must answer with the 4-bit ACK 0xA */
  if ((status != MI_OK) || (recvBits != 4) || ((buff[0] & 0x0F) != 0x0A))
    status = MI_ERR;

  /* Step B: 16 data bytes + CRC */
  if (status == MI_OK) {
    for (i = 0; i < 16; i++)      /* copy the 16 data bytes into the send buffer */
      buff[i] = *(writeData + i);
    calculateCRC(buff, 16, &buff[16]);
    status = MFRC522ToCard(PCD_TRANSCEIVE, buff, 18, buff, &recvBits);
    if ((status != MI_OK) || (recvBits != 4) || ((buff[0] & 0x0F) != 0x0A))
      status = MI_ERR;
  }
  return status;
}
I find it hard to explain this part well; spend more time on the library source and the MFRC522 datasheet.

If the above is too complicated, pick up your Raspberry Pi and RC522 module and let's start the simple, hands-on part.

Steps

    • Install the bcm2835 library, enable the Raspberry Pi SPI interface and test that it works
    • Connect the RC522 to the Raspberry Pi
    • Write a program based on the library and the communication flow
    • Test
Install the bcm2835 library

bcm2835
C library for the Broadcom BCM2835 chip on the Raspberry Pi
This is a C library for the Raspberry Pi (RPi). It provides access to GPIO and other IO functions on the Broadcom BCM2835 chip, including the GPIO pins on the 26-pin header of the RPi board, so you can control and interface with various external devices.

Installation
# Download the latest version of the library, named like bcm2835-1.xx.tar.gz, then:
tar zxvf bcm2835-1.xx.tar.gz
cd bcm2835-1.xx
./configure
make
sudo make check
sudo make install
 
Raspberry Pi 2 (RPi 2)
Enable the SPI interface on the Raspberry Pi (on current Raspbian you no longer need to edit configuration files such as the module blacklist):

sudo raspi-config

Choose Advanced Options > A5 SPI, enable it, and reboot.

Show the modules loaded in the system:

# lsmod
Module Size Used by
joydev 9194 0
evdev 11650 2
cfg80211 499234 0
rfkill 21397 2 cfg80211
8192cu 555405 0
snd_bcm2835 23163 0
snd_pcm 95441 1 snd_bcm2835
snd_timer 22396 1 snd_pcm
snd 68368 3 snd_bcm2835, snd_timer, snd_pcm
spi_bcm2835 8032 0    <-- the SPI driver is loaded
i2c_bcm2708 5740 0
bcm2835_gpiomem 3823 0
bcm2835_wdt 4133 0
uio_pdrv_genirq 3718 0
uio 10230 1 uio_pdrv_genirq
i2c_dev 6578 0
ipv6 367607 24
Check the SPI device nodes (if spidev0.0 appears, SPI is enabled):

# ls /dev/spi*

/dev/spidev0.0 /dev/spidev0.1

The Raspberry Pi GPIO pins used for SPI are:

    P1-19 (MOSI)
    P1-21 (MISO)
    P1-23 (CLK)
    P1-24 (CE0)
    P1-26 (CE1)
Test the SPI interface
http://www.airspayce.com/mikem/bcm2835/spi_8c-example.html
Connect MISO to MOSI (loopback), run the program and you should receive back the data you sent.

spi.c

Shows how to use the SPI interface to transfer a byte to and from an SPI device

// spi.c
//
// Example program for bcm2835 library
// Shows how to interface with SPI to transfer a byte to and from an SPI device
//
// After installing bcm2835, you can build this
// with something like:
// gcc -o spi spi.c -l bcm2835
// sudo ./spi
//
// Or you can test it before installing with:
// gcc -o spi -I ../../src ../../src/bcm2835.c spi.c
// sudo ./spi
//
// Author: Mike McCauley
// Copyright (C) 2012 Mike McCauley
// $Id: RF22.h,v 1.21 2012/05/30 01:51:25 mikem Exp $

#include <bcm2835.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    // If you call this, it will not actually access the GPIO
    // Use for testing
    // bcm2835_set_debug(1);

    if (!bcm2835_init())
    {
        printf("bcm2835_init failed. Are you running as root??\n");
        return 1;
    }
    if (!bcm2835_spi_begin())
    {
        printf("bcm2835_spi_begin failed. Are you running as root??\n");
        return 1;
    }
    bcm2835_spi_setBitOrder(BCM2835_SPI_BIT_ORDER_MSBFIRST);      // The default
    bcm2835_spi_setDataMode(BCM2835_SPI_MODE0);                   // The default
    bcm2835_spi_setClockDivider(BCM2835_SPI_CLOCK_DIVIDER_65536); // The default
    bcm2835_spi_chipSelect(BCM2835_SPI_CS0);                      // The default
    bcm2835_spi_setChipSelectPolarity(BCM2835_SPI_CS0, LOW);      // The default

    // Send a byte to the slave and simultaneously read a byte back from the slave
    // If you tie MISO to MOSI, you should read back what was sent
    uint8_t send_data = 0x23;
    uint8_t read_data = bcm2835_spi_transfer(send_data);
    printf("Sent to SPI: 0x%02X. Read back from SPI: 0x%02X.\n", send_data, read_data);
    if (send_data != read_data)
        printf("Do you have the loopback from MOSI to MISO connected?\n");

    bcm2835_spi_end();
    bcm2835_close();
    return 0;
}
Code test
Connecting the RC522 to the Raspberry Pi

Pins

RC522 pin   RPi header pin   RPi pin name
SDA         24               GPIO8 (CE0, chip select)
SCK         23               GPIO11 (SCLK)
MOSI        19               GPIO10 (MOSI)
MISO        21               GPIO9 (MISO)
IRQ         none             not connected
GND         any              any ground pin
RST         22               GPIO25
3.3V        1                3V3

(Refer to the Raspberry Pi 2 GPIO pinout diagram.)

Using a C library for the RC522 on the Raspberry Pi (library and sample program)

Card read/write flow

findCard (request) -> anticoll (anticollision) -> selectTag (select) -> auth (authenticate with the key) -> read / write

#include "mfrc522.c"
#include <stdio.h>
#include <string.h>

int main()
{
    int i;
    unsigned char s;                       /* card type (ATQA) returned by findCard */
    unsigned char id[10];
    unsigned char key[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};   /* transport (default) key A */
    unsigned char uid[5];                  /* 4-byte card serial number; the 5th byte is the BCC check byte */
    unsigned char str[MAX_LEN];
    unsigned char wData[16] = {'h', 'a', 'c', 'k', 'e', 'd', ' ', 'b', 'y', ' ', 'r', 'u', 'o'};
    int isTrue = 1;

    if (!bcm2835_init())
        return -1;
    init();

    while (isTrue) {
        /* request: 0x52 is WUPA, which also wakes halted cards */
        if (findCard(0x52, &s) == MI_OK) {
            if (anticoll(id) == MI_OK) {
                memcpy(uid, id, 5);
                printf("CARD UID:");
                for (i = 0; i < 5; i++)
                    printf(" %02x", uid[i]);
                printf("\n");

                /* select the card */
                selectTag(uid);

                /* authenticate block 4 (sector 1) with key A (0x60) */
                if (auth(0x60, 4, key, uid) == MI_OK) {
                    /* write data */
                    if (write(4, wData) == MI_OK) {
                        printf("Write data success!\n");
                        /* isTrue = 0; */
                    }
                    /* read the block back */
                    if (read(4, str) == MI_OK) {
                        printf("Hex:");
                        for (i = 0; i < 16; i++)
                            printf(" %02x", str[i]);
                        printf("\n");
                        printf("Data: %.16s\n", str);   /* block data is not NUL-terminated */
                    }
                } else {
                    printf("Auth failed.\n");
                }
            } else {
                printf("Anticollision failed.\n");
            }
        }
        halt();
    }

    bcm2835_spi_end();
    bcm2835_close();
    return 0;
}
Other libraries

MFRC522-python
A Python class that drives the MFRC522 on the Raspberry Pi.
https://github.com/mxgxw/MFRC522-python

Many of the details above are unnecessary for cracking; if you just want to break a card, read this chapter first.
Use PN532 NFC module

 

Near field communication (NFC) is a set of standards that let smartphones and similar devices establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres.

Features

    • Small size, easy to embed in your project
    • Supports I2C, SPI and HSU (High Speed UART); easy to switch between these modes
    • Supports RFID reading and writing, P2P communication with peers, and NFC with Android phones
    • RFID reader/writer supports:
        MIFARE 1K, 4K, Ultralight and DESFire cards
        ISO/IEC 14443-4 cards such as CD97BX, CD light, DESFire, P5CN072 (SMX)
        Innovision Jewel cards such as the IRT5001
        FeliCa cards such as RCS_860 and RCS_854
    • Reading distance of about 5 cm to 7 cm
    • On-board level shifter: standard 5 V TTL for I2C and UART, 3.3 V TTL for SPI
    • Arduino compatible; plug and play with the vendor's shield
 

Here we connect the PN532 to the Raspberry Pi over I2C and install the cracking tools mfoc and mfcuk (MiFare Classic Universal toolKit, the darkside key recovery tool).

mfoc exploits the nested-authentication vulnerability: starting from one known key (for example a default key) it recovers the remaining keys of the M1 card.

mfcuk uses the darkside attack to recover a key from a card none of whose keys is known (a "fully encrypted" card). Both attacks depend on the weak Crypto1 cipher and the predictable random number generator of the original MIFARE Classic; later "hardened" Classic chips (MIFARE Classic EV1 and compatible clones) close these leaks, and against them mfoc and mfcuk fail.

Both tools are built on the libnfc library, so we need to install libnfc as well.

libnfc library

http://nfc-tools.org/index.php?title=Libnfc

libnfc configuration (interface configuration)

http://nfc-tools.org/index.php?title=Libnfc:configuration

Installation documentation (the libnfc-1.7.1.tar.bz2 release package could read the device successfully; a clone from GitHub could not find the device):

http://www.jamesrobertson.eu/blog/2016/feb/08/using-a-pn532-nfc-rfid-reader-with-the-raspberry-pi.html

Install mfoc and mfcuk

https://github.com/nfc-tools/

git clone https://github.com/nfc-tools/mfoc.git
cd mfoc/
autoreconf -vis
./configure
make
sudo make install

# Try the default keys and write the recovered card image to test.mfd
mfoc -O test.mfd
# Also try the keys listed in key.txt (one 12-hex-digit key per line)
mfoc -f key.txt -O test.mfd
References

http://blog.sina.com.cn/s/blog_9ed067ad0100z47e.html
http://blog.sina.com.cn/s/blog_683b6e4f0102vtfm.html
http://www.cnblogs.com/lubiao/p/4716965.html?ptvd
http://www.fuzzysecurity.com/tutorials/rfid/2.html
A Practical Attack on the MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf
Dismantling MIFARE Classic: http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf
Wirelessly Pickpocketing a Mifare Classic Card: http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf
