2014-12-20
This article is mainly about wireless attacks on IC cards (Mifare Classic, "M1" cards) from Linux.
Equipment: on the hardware side, a PC and a PN532 development board.
On the software side: mfoc and mfcuk.
This article does not actually use mfcuk, but I will still give everyone a quick introduction to it.
I will not go into the underlying principles here, only the practical use.
mfoc: given one known key for the card, it recovers all the other keys in a very short time.
mfcuk: recovers a key by brute force through the card's random numbers (do not take this to mean that a random number is used as the password); it generally takes about 30 minutes, and if it cannot break the key you have simply been unlucky and should try again at another time.
A few words about the M1 card itself.
M1 cards: the common domestic type is the 1K card. A 1K card has 16 sectors, each sector has 4 blocks, and each block has 16 bytes.
Blocks 0, 1 and 2 are data areas.
Block 3 holds Key A, the access control bytes and Key B, which are 6 bytes, 4 bytes and 6 bytes respectively.
In particular, block 0 of sector 0 is special: it is read-only and cannot be modified, and it stores some manufacturer information.
(Some cards use this area to generate randomized keys, so an ordinary blank M1 card cannot copy them, because the one thing you cannot copy is block 0 of sector 0. Unless you have one of those special M1 cards whose sector 0 block 0 is writable; I have one.)
Since I have been doing this wireless hacking for quite a while, I will not walk through every software build; the commands are given first below.
1. I connected the PC to the PN532 development board. The PN532 uses a UART serial port,
so I used a USB-to-UART board to connect the two.
Then install the necessary drivers.
Install libpcsclite-dev and libusb-dev:
apt-get install libpcsclite-dev libusb-dev
Install libccid and pcscd:
apt-get install libusb-0.1-4 libpcsclite1 libccid pcscd
Download libnfc-1.6.0-rc1.tar.gz from Google Code.
Then run the following commands one by one (putting them in a shell script also works).
If you do not understand the commands below, go and learn the basics first.
tar xzvf libnfc-1.6.0-rc1.tar.gz
cd libnfc-1.6.0-rc1/
autoreconf -vis
./configure --with-drivers=pn532_uart --enable-serial-autoprobe
make clean
make
make install
ldconfig
Then run nfc-list from the libnfc tree to try it out (put a card on the reader first).
As shown above, the installation succeeded.
Next, install mfoc-0.10.3.
First fetch the source from Google Code, then run the following commands.
tar xzvf mfoc-0.10.3.tar.gz
cd mfoc-0.10.3
./configure
make
Check that it succeeded, like this:
Now start cracking. Run the command
./mfoc -O test.file
See, part of the keys above were found right away, because some unused sectors on the card still use the default key.
One default key on this card is FFFFFFFFFFFF.
(So you could also run ./mfoc -k ffffffffffff -O test.file; interested readers can Google it.)
Many cards have this default key.
Next it probes the remaining sectors, and the results come out quickly.
The results are out.
What can we do with the results?
There are two kinds of action: first, copy the card; second, modify the card.
Copying the card is the simplest.
Because normally block 0 of sector 0 of an M1 card is not checked, copying is feasible.
If you have a 10-yuan water card, campus card, access card or whatever other card (domestic cards are basically all 1K M1 cards),
you can copy it to another card: export the data yourself (without the keys it cannot be exported...).
Use up the 10 yuan, then write the data back into the card...
Of course, this has the least technical content... We are going to analyze the data.
So we come to the second way: analyzing and modifying the data.
If you have ever used a game trainer or cheat, you already know the principle of our data analysis: see what changes, swipe the card, see what changes again. That is roughly it.
Of course, the bytes that change are not necessarily the useful data, because card vendors are not that stupid; they will certainly add redundant data for verification.
These check values are usually formed from the useful data by addition, AND, OR, NOT, XOR and the like; CRC seems relatively rare.
Some of it is fixed redundancy and can be ignored.
In the diagram above I found the data segment and the control block of that sector, together with the key. I will not go into it further.
The 4 bytes of that control block indicate that the whole sector is controlled by Key A.
To understand more, you still have to understand how M1 works. Read the M1 datasheet.
The area circled in red in the diagram above is the data segment.
We can change the card's value by modifying the data segment.
I did indeed succeed... from 10 yuan to 99 yuan.
Of course, this was all just a test; don't do bad things. (Which card I used, you will not guess.)
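As an added example (not code from the original post) tying together the card layout, the default key FFFFFFFFFFFF and the control block described above: a small Python audit of a 1K dump that flags sectors still using default keys and data blocks that Key A alone can rewrite, i.e. exactly what lets a card be modified. The sample dump, its UID and the key list beyond FFFFFFFFFFFF are constructed or assumed here, not taken from the post.

```python
# Added example (not the post's code): audit a Mifare Classic 1K dump, e.g. the file
# mfoc writes, for default keys and for access bits that let Key A rewrite data.
# Layout assumed as the post describes: 16 sectors x 4 blocks x 16 bytes; block 3 of
# each sector = Key A (6) | access bits (4) | Key B (6).
BLOCK, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16
DEFAULT_KEYS = {bytes.fromhex(k) for k in  # widely published transport keys
                ("ffffffffffff", "000000000000", "a0a1a2a3a4a5", "d3f7d3f7d3f7")}
# (C1,C2,C3) -> who may (read, write, increment, decrement) a data block; "-" = nobody
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"), (0, 1, 0): ("A|B", "-", "-", "-"),
    (1, 0, 0): ("A|B", "B", "-", "-"),       (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "-", "-", "A|B"),     (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),         (1, 1, 1): ("-", "-", "-", "-"),
}

def access_conditions(ac):
    """Decode trailer bytes 6..8 into (C1,C2,C3) for blocks 0..3. Each bit is stored
    twice, once inverted; a mismatch bricks the sector, so refuse such a trailer."""
    b6, b7, b8 = ac[0], ac[1], ac[2]
    if ((b6 & 0xF) != (b7 >> 4) ^ 0xF or (b6 >> 4) != (b8 & 0xF) ^ 0xF
            or (b7 & 0xF) != (b8 >> 4) ^ 0xF):
        raise ValueError("access bits fail the inverted-nibble check")
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def manufacturer_block(dump):
    """UID from block 0 plus its BCC check (XOR of the four UID bytes)."""
    uid = bytes(dump[0:4])
    return uid.hex(), dump[4] == uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

def audit_dump(dump):
    """Per sector: are Key A / Key B known defaults, and which data blocks can Key A
    rewrite (the transport access bits FF 07 80 69 allow all three)."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    findings = []
    for s in range(SECTORS):
        t = (s * BLOCKS_PER_SECTOR + 3) * BLOCK  # offset of this sector's trailer
        key_a, key_b = bytes(dump[t:t + 6]), bytes(dump[t + 10:t + 16])
        conds = access_conditions(dump[t + 6:t + 10])
        findings.append({"sector": s, "key_a_default": key_a in DEFAULT_KEYS,
                         "key_b_default": key_b in DEFAULT_KEYS,
                         "writable_with_key_a": [b for b in range(3) if DATA_ACCESS[conds[b]][1] == "A|B"]})
    return findings

def sample_dump():
    """Constructed dump, not a real card: all sectors in transport configuration with
    the default key, except sector 1, which is re-keyed and locked read-only."""
    d = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK)
    d[0:5] = bytes.fromhex("deadbeef") + bytes([0xDE ^ 0xAD ^ 0xBE ^ 0xEF])  # UID + BCC
    for t in range(3 * BLOCK, len(d), BLOCKS_PER_SECTOR * BLOCK):  # every trailer
        d[t:t + 16] = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    d[7 * BLOCK:8 * BLOCK] = bytes.fromhex("0123456789ab" "0f078f69" "fedcba987654")
    return bytes(d)
```

Run audit_dump on a real mfoc dump of your own card: any sector reporting a default key together with writable_with_key_a is one an attacker with a PN532 can rewrite, so a vendor's redundancy bytes are the only thing left protecting the value.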
Next, writing the data back:
The command is
nfc-mfclassic w a test.file test.file
Note: the first test.file is the file holding your keys, which you can think of as the mfoc output.
The second test.file is the file you want to write.
The two files are the same, but what they represent is different.
Here is a screenshot of a successful write. (get20 is my modified file, i.e. a modified test.file.)
That is the end of the cracking.
Here is how to install mfcuk.
tar xzvf mfcuk
cd mfcuk
autoreconf -is
./configure
make
PS: before running make, edit src/Makefile and append the value of LIBNFC_LIBS to LIBS.
I forgot to remind everyone: since the code on Google Code is open source, a lot of the mfoc and mfcuk code is not entirely correct.
I recall that the latest versions of mfoc and mfcuk (built on libnfc 1.7) seem to be missing an & in one of the C files, i.e. a pointer error, so compilation fails.
Under the RFID Linux use PN532 to M1 card (rice card,