How to Use a Nexus 5 to Forge an Access Card
Some of the techniques mentioned in this article may be offensive and are only for safe learning and teaching purposes. Illegal use is prohibited.
0x00 Preface
A year ago, the old residential community in Hangzhou where I rented a room saw a so-called "rental killing" incident. After the incident, the police had access control installed on every unit in the community, and all tenants had to register at the property management office. The property staff ask you to provide your ID card or bus card for registration, and once registered you can swipe that card to enter the building.
But for some reason I didn't want to register an access card. All I had on hand was a Nexus 5. As everyone knows, the Nexus 5 has NFC, so I wondered whether I could use its NFC function to forge an access card. After some attempts, I arrived at the method below. (I have never worked on wireless security and know nothing about the Proxmark3, ACR122U and similar devices, so feel free to laugh at me.)
0x01 Analysis
Because ID cards, bus cards and many other kinds of card can all be registered as access cards, it is fairly certain that this access control system simply reads the card's ID and does not decrypt or verify anything else stored on the card, so you only need to emulate a card with the same ID to open the door.
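The weakness inferred above is that the reader's entire decision is a lookup of the identifier the tag announces. The following model, which is an added example and not code from the article, contrasts that design with a reader that also issues a fresh challenge the card must answer with a per-card key. The class names, the HMAC-based challenge-response and the sample key are constructed for illustration and are not any specific card product's protocol; the card identifier is the one quoted in the article.

```python
"""Model of two reader designs: identifier lookup only, versus identifier
lookup plus a keyed challenge-response.

A UID-only reader accepts whatever identifier a tag announces during
anti-collision, so any device able to present that identifier is accepted.
A reader that additionally runs a keyed challenge-response needs a secret the
card holds and an emulating device does not. The HMAC scheme here is
illustrative, not any real card product's protocol.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed sample data: the card identifier quoted in the article and an
# illustrative per-card key (not a real key from any system).
ENROLLED_UID = bytes.fromhex("D269765B")
ENROLLED_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")


class GenuineCard:
    """A card that holds a secret key and can answer a reader's challenge."""

    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid = uid
        self._key = key

    def respond(self, nonce: bytes) -> Optional[bytes]:
        # Response binds the card's identifier to the reader's fresh nonce.
        return hmac.new(self._key, self.uid + nonce, hashlib.sha256).digest()


class UidOnlyTag:
    """A device that announces an arbitrary UID but holds no card secret."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def respond(self, nonce: bytes) -> Optional[bytes]:
        return None  # no key, so no valid response can be computed


def uid_only_reader(tag, whitelist: Set[bytes]) -> bool:
    """The design the article infers: an identifier match is the whole check."""
    return tag.uid in whitelist


def challenge_response_reader(tag, keys: Dict[bytes, bytes]) -> bool:
    """Identifier lookup, then a fresh challenge the card must answer with its key."""
    key = keys.get(tag.uid)
    if key is None:
        return False
    nonce = secrets.token_bytes(16)
    expected = hmac.new(key, tag.uid + nonce, hashlib.sha256).digest()
    response = tag.respond(nonce)
    # Constant-time comparison; a missing response is a failed check.
    return response is not None and hmac.compare_digest(response, expected)


if __name__ == "__main__":
    whitelist = {ENROLLED_UID}
    keys = {ENROLLED_UID: ENROLLED_KEY}
    genuine = GenuineCard(ENROLLED_UID, ENROLLED_KEY)
    lookalike = UidOnlyTag(ENROLLED_UID)
    print("uid-only reader, genuine card :", uid_only_reader(genuine, whitelist))
    print("uid-only reader, same-UID tag :", uid_only_reader(lookalike, whitelist))
    print("challenge reader, genuine card:", challenge_response_reader(genuine, keys))
    print("challenge reader, same-UID tag:", challenge_response_reader(lookalike, keys))
```

Run stand-alone, the UID-only reader accepts both the genuine card and the same-UID tag, while the challenge-response reader accepts only the genuine card. That is the whole difference between "reads the card ID" and actually authenticating the card.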
0x02 "Sampling"
I downloaded an Android app called "TagInfo" and used it to read the information on a card that currently opens the access control (borrowed from a girl in the same building).
For example:
Card ID: D2:69:76:5B
Next, I found another Nexus 5 and looked at the phone's own ID. The ID of this Nexus 5 keeps changing, for example:
For security reasons, the Android phone's ID is a random 4-byte ID; it changes on every connection and starts with 0x80.
Android does not provide any API to set the NFC ID, but we can modify the configuration file directly, provided the phone is rooted.
0x03 Just Do It
1. In the phone's /etc/ directory, find the file named libnfc-brcm-20791b05.conf. By default, its NFA_DM_START_UP_CFG configuration item has this value:
{45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02:00:C8}
2. The ID can be changed by modifying this value. Pull the file to your computer. First append a 0x33 tag at the end, then the length of the ID to be set (here 0x04), and finally the ID itself, "0xD2, 0x69, 0x76, 0x5B". Then update the number at the beginning by adding the total number of bytes just appended, 6 in this case, so the final configuration item becomes:
{4B:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:00:0F:00:00:00:00:E0:67:35:00:14:01:00:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02:00:C8:33:04:D2:69:76:5B}
3. Use adb to overwrite the original file on the system, then reboot:
adb root
adb remount
adb push libnfc-brcm-20791b05.conf /etc/
adb reboot
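Steps 1 and 2 treat NFA_DM_START_UP_CFG as an opaque string, but it has a simple structure: one length byte, then NCI CORE_SET_CONFIG parameter entries of the form tag, length, value. Tag 0x33 is the NCI parameter LA_NFCID1, the NFC-A identifier the phone presents to a reader, which is why pinning it in the start-up config replaces the random per-connection ID. The following audit script is an added example, not code from the article or from the Android NFC stack: it decodes such a value, checks that the length byte matches the payload, and reports any fixed LA_NFCID1, which is the check an administrator would run on a rooted phone's NFC configuration. The two configuration strings are the ones printed above; the function and variable names are my own.

```python
"""Audit an NFA_DM_START_UP_CFG value from a libnfc-brcm-*.conf file.

Format: one length byte, then NCI CORE_SET_CONFIG parameter TLVs
(tag, length, value). Parameter 0x33 is LA_NFCID1, the NFC-A identifier
presented to a reader; a fixed one here means the phone no longer uses a
random per-connection identifier.
"""
from typing import Dict, List, Tuple

LA_NFCID1 = 0x33  # NCI parameter id for the NFC-A identifier

# The two configuration strings quoted in the article (default, then modified).
PAGE_DEFAULT_CFG = (
    "{45:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:00:0F:00:00:00:00:"
    "E0:67:35:00:14:01:00:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:"
    "B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02:00:C8}"
)
PAGE_MODIFIED_CFG = (
    "{4B:CB:01:01:A5:01:01:CA:17:00:00:00:00:06:00:00:00:00:00:0F:00:00:00:00:"
    "E0:67:35:00:14:01:00:00:00:10:B5:03:01:02:FF:80:01:01:C9:03:03:0F:AB:5B:01:00:"
    "B2:04:E8:03:00:00:CF:02:02:08:B1:06:00:20:00:00:00:12:C2:02:00:C8:33:04:D2:69:76:5B}"
)


def decode_cfg_string(value: str) -> Tuple[int, bytes]:
    """Turn '{45:CB:01:...}' into (declared_length, payload_bytes)."""
    cleaned = value.strip().strip("{}").replace(" ", "")
    raw = bytes(int(tok, 16) for tok in cleaned.split(":"))
    if not raw:
        raise ValueError("empty configuration value")
    return raw[0], raw[1:]


def walk_tlvs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split the payload into (tag, value) pairs; raise on a truncated entry."""
    tlvs = []
    i = 0
    while i + 2 <= len(payload):
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"tag 0x{tag:02X} at offset {i} is truncated")
        tlvs.append((tag, value))
        i += 2 + length
    if i != len(payload):
        raise ValueError(f"{len(payload) - i} trailing byte(s) after the last TLV")
    return tlvs


def audit_start_up_cfg(value: str) -> Dict[str, object]:
    """Report length consistency and any pinned LA_NFCID1 in the config value."""
    declared, payload = decode_cfg_string(value)
    report: Dict[str, object] = {
        "declared_length": declared,
        "actual_length": len(payload),
        "length_ok": declared == len(payload),
        "fixed_uid": None,
        "parse_error": None,
    }
    try:
        for tag, val in walk_tlvs(payload):
            if tag == LA_NFCID1:
                report["fixed_uid"] = ":".join(f"{b:02X}" for b in val)
    except ValueError as exc:
        report["parse_error"] = str(exc)
    return report


if __name__ == "__main__":
    for name, cfg in (("default", PAGE_DEFAULT_CFG), ("modified", PAGE_MODIFIED_CFG)):
        print(name, audit_start_up_cfg(cfg))
```

On the modified string the audit reports a fixed LA_NFCID1 of D2:69:76:5B; on the default string it reports none. The length check also catches transcription slips: as printed here, the default string carries 71 payload bytes against a declared 0x45 (69), and the modified one 77 against 0x4B (75), so the +6 adjustment in step 2 is right relative to the original but the absolute count should always be taken from the file itself rather than from a copied value.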
After the reboot, the Nexus 5's ID had been changed to the one we wanted.
Take the modified Nexus 5 and try it. Remember that NFC only works while the screen is on.
0x04 Demo Video