Supplementary note:
A programmer hacked the canteen system to top up his own meal card. Technology is a double-edged sword; be careful, be very careful!
Foreword
Since the Mifare Classic (M1) authentication vulnerability was first published, one cracking device after another has appeared, so "one-click" cracking is not the focus of this article. What a beginner can take away from it is the following.
If you want something quick and easy, pick an ACR122-class reader, a Proxmark3 or a similar off-the-shelf device; they are simple to operate and easy to buy. An NFC-capable Android phone running Mifare Classic Tool (MCT) is also a good choice.
This article is based on tests with a Raspberry Pi plus RC522 and PN532 modules. If you are a geek who is just getting started, read on: I briefly cover the SPI interface protocol and part of the RC522 driver code.
"Crack" in this article means obtaining KeyA and KeyB of a Mifare Classic card and reading the sector data.
The aim is to get others started; my own knowledge is limited, so please let me know if anything here is wrong.
M1 card structure
Mifare is a family of RF cards made by NXP that comply with the ISO/IEC 14443A standard, including the Mifare S50, Mifare S70, Mifare UltraLight, Mifare Pro and Mifare DESFire. The Mifare S50 has 1 KB of storage and is commonly called Mifare Standard or Mifare 1 (M1); it is the most widely used and most influential ISO 14443A card. Its card type code (ATQA) is 0004h.
Reading a blank Mifare Classic 1K (S50) with MCT on an NFC-capable phone shows the storage layout directly.
An M1 card has 16 sectors, numbered 0 to 15, and each sector has its own pair of keys. Each sector has 4 blocks, numbered 0 to 3, so the 64 blocks of the card have absolute addresses 0 to 63 (block = sector x 4 + index). Each block holds 16 bytes, for a total of 16 x 4 x 16 = 1024 bytes.
The fourth block of each sector (block 3, the sector trailer) holds KeyA (6 bytes), the access bits (ACs, 4 bytes including one user byte; they control read and write access to the sector) and KeyB (6 bytes). KeyA can never be read back from the card; whether KeyB can be read depends on the access bits, so a readable KeyB is effectively exposed as soon as KeyA is known.
Block 0 of sector 0 is the manufacturer block; it stores the manufacturer data including the chip serial number (UID). On genuine cards this block is read-only (the so-called "magic" UID-changeable clone cards are the exception).
SPI interface
SPI (Serial Peripheral Interface) is a high-speed, full-duplex, synchronous serial bus. It works in master/slave mode: normally one master and one or more slaves, with at least four lines (three are possible when data only flows one way). Every SPI device has SDI (data in; MISO from the master's point of view), SDO (data out; MOSI), SCLK (clock; SCK) and CS (chip select; SS).
CS selects the chip: only while the chip-select line is at its predetermined active level (high or low for a given chip) are operations on that chip valid.
Data is exchanged through two shift registers connected in a ring, one in the master and one in the slave. SPI is a serial protocol: data goes out one bit at a time, most significant bit first. SCLK supplies the clock pulses; data is driven onto the output line on one clock edge (rising or falling) and sampled on the opposite edge, which completes one bit. Eight clock cycles therefore transfer one byte.
SPI only defines how bits are moved. The Raspberry Pi has a hardware SPI controller, so there is no need to bit-bang SPI in software; we just use the bcm2835 library to send and receive bytes. Think of it as a conveyor belt on an assembly line: our job is to put the goods on it (not to build the transport ourselves), but we do have to know how to load it correctly, so let's learn how to control the RC522 module.
MFRC522
Key features
Supports ISO/IEC 14443A / MIFARE
64-byte transmit and receive FIFO buffer
3 V supply
SPI, I2C and UART host interfaces
How does the reader talk to an M1 card?
Request (REQA / WUPA). After power-on reset (POR), the card answers a REQA (request) or WUPA (wake-up) command with its ATQA (answer to request, i.e. the card type code, e.g. 00 04h for the MF1S503yX).
Anticollision. If more than one card is in the reader's field, each card sends its identifier (the 4-byte UID plus a 1-byte BCC checksum, the XOR of the four UID bytes) so that the reader can single out one card for the next step.
Select. The reader sends SELECT with the UID of one card; that card is the one used for authentication and memory operations, and it answers with SAK (select acknowledge), which identifies the card type and capacity.
Three-pass mutual authentication. After select, the reader specifies a block address and a key (A or B), and reader and card run the three-pass authentication with that key. After successful authentication, all memory operations on that sector are encrypted.
Memory operations:
Read: read a 16-byte block
Write: write a 16-byte block
Decrement: decrease the value in a value block and store the result in the internal data register
Increment: increase the value in a value block and store the result in the internal data register
Restore: copy the contents of a value block into the internal data register
Transfer: write the internal data register to a block (Decrement, Increment and Restore only take effect on the card after a Transfer)
Halt: put the card into the halt state
Key registers
FIFODataReg: the input and output of the 64-byte FIFO buffer are connected to this register. Each byte written to FIFODataReg is stored in the FIFO and the internal write pointer advances; each read pops one byte.
The main status registers are ComIrqReg, ErrorReg, Status2Reg and FIFOLevelReg.
(For details see the chip datasheet, which is required reading.)
(Figure: communication flow)
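As an added example (my own code, not the page's mfrc522.c and not part of the bcm2835 library), here is what every register access in an RC522 driver boils down to on the SPI bus: the datasheet's address-byte encoding (bit 7 = read, bits 6..1 = register, bit 0 = 0), read/write/set-bits/clear-bits helpers over a pluggable byte-transfer function, and a probe of VersionReg that tells you whether the chip is wired up at all before you start chasing card errors. The fake register file stands in for the chip so the logic runs on a PC; on the Pi you would pass a one-line wrapper around bcm2835_spi_transfer instead of fake_xfer. All names here are assumptions.

```c
/* Added example: MFRC522 register access over SPI, with a fake chip for
 * offline testing. Not the page's driver; the names are assumptions.
 * MFRC522 datasheet section 8.1.2, SPI address byte: bit7 = 1 read / 0 write,
 * bits 6..1 = register address, bit0 = 0.  Write: addr byte, data byte.
 * Read: addr byte, dummy byte (the value comes back while the dummy is clocked). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register addresses (MFRC522 datasheet, page 0 registers) */
#define CommandReg    0x01
#define FIFOLevelReg  0x0A
#define VersionReg    0x37
#define PCD_SOFTRESET 0x0F      /* CommandReg: SoftReset command */

/* One full-duplex SPI byte transfer; on a Pi this wraps bcm2835_spi_transfer */
typedef uint8_t (*spi_xfer_fn)(uint8_t out);

uint8_t mfrc522_addr(uint8_t reg, int read)
{
    return (uint8_t)(((reg << 1) & 0x7E) | (read ? 0x80 : 0x00));
}

void mfrc522_write(spi_xfer_fn xfer, uint8_t reg, uint8_t val)
{
    xfer(mfrc522_addr(reg, 0));
    xfer(val);
}

uint8_t mfrc522_read(spi_xfer_fn xfer, uint8_t reg)
{
    xfer(mfrc522_addr(reg, 1));
    return xfer(0x00);          /* the dummy byte clocks the value out */
}

void mfrc522_set_bits(spi_xfer_fn xfer, uint8_t reg, uint8_t mask)
{
    mfrc522_write(xfer, reg, mfrc522_read(xfer, reg) | mask);
}

void mfrc522_clear_bits(spi_xfer_fn xfer, uint8_t reg, uint8_t mask)
{
    mfrc522_write(xfer, reg, (uint8_t)(mfrc522_read(xfer, reg) & ~mask));
}

/* Probe the way a driver's init() should: VersionReg reads 0x91 (v1.0) or
 * 0x92 (v2.0) on a live chip; 0x00 or 0xFF means no chip or bad wiring. */
int mfrc522_probe(spi_xfer_fn xfer)
{
    uint8_t v = mfrc522_read(xfer, VersionReg);
    return v == 0x91 || v == 0x92;
}

/* ---- Fake MFRC522: a 64-byte register file that decodes the same two-byte
 *      transactions a real chip sees. Constructed for testing only. ---- */
static uint8_t fake_regs[64];
static int     fake_phase;      /* 0: waiting for address byte, 1: data/dummy */
static uint8_t fake_reg, fake_is_read;

uint8_t fake_xfer(uint8_t out)
{
    if (fake_phase == 0) {
        fake_is_read = (out & 0x80) != 0;
        fake_reg     = (out >> 1) & 0x3F;
        fake_phase   = 1;
        return 0x00;
    }
    fake_phase = 0;
    if (fake_is_read)
        return fake_regs[fake_reg];
    fake_regs[fake_reg] = out;
    return 0x00;
}

void fake_reset(void)
{
    memset(fake_regs, 0, sizeof fake_regs);
    fake_phase = 0;
    fake_regs[VersionReg] = 0x92;   /* pretend to be a v2.0 chip */
}

int main(void)
{
    fake_reset();
    printf("VersionReg read address byte: 0x%02X\n", mfrc522_addr(VersionReg, 1));
    printf("chip present: %d\n", mfrc522_probe(fake_xfer));
    mfrc522_write(fake_xfer, CommandReg, PCD_SOFTRESET);
    mfrc522_set_bits(fake_xfer, FIFOLevelReg, 0x80);      /* FlushBuffer bit */
    printf("FIFOLevelReg: 0x%02X\n", mfrc522_read(fake_xfer, FIFOLevelReg));
    return 0;
}
```

The probe is worth keeping in a real driver: a VersionReg of 0x00 or 0xFF is almost always a wiring or chip-select problem (the RC522's SDA pin is its SPI chip select), and checking it up front saves a lot of time compared with debugging "no card found" further down the stack.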
Read and write operations
Writing takes two steps
Step A: query the block state.
Command code (0xA0), block address, CRC (2 bytes)
If the block is ready, the card returns a 4-bit answer. If it is 1010 (ACK, 0xA) the next step can be performed; any other value is a NAK and the write must be treated as failed (the write() function below returns MI_ERR in that case).
Step B: write the data.
Data bytes (16 bytes), CRC (2 bytes)
On success the card again returns the 4-bit answer 1010; anything else means the write failed.
Reading
Command format
Command code (0x30), block address, CRC (2 bytes)
On success the card returns 18 bytes: the 16 data bytes of the block plus 2 CRC bytes. If the number of bytes received is not 18, treat the read as failed.
/*
 * Function: write
 * Purpose : write one data block
 * Inputs  : blockAddr -- block address (0-63); writeData -- the 16 bytes to write to the block
 * Returns : MI_OK on success, MI_ERR otherwise
 */
unsigned char write(unsigned char blockAddr, unsigned char *writeData)
{
    unsigned char status;
    unsigned int recvBits;
    unsigned char i;
    unsigned char buff[18];

    /* step A: WRITE command + block address + CRC */
    buff[0] = PICC_WRITE;
    buff[1] = blockAddr;            // block address 0-63
    calculateCRC(buff, 2, &buff[2]);
    status = MFRC522ToCard(PCD_TRANSCEIVE, buff, 4, buff, &recvBits);

    // the card must answer with the 4-bit ACK 0xA; anything else is a NAK
    if ((status != MI_OK) || (recvBits != 4) || ((buff[0] & 0x0F) != 0x0A))
        status = MI_ERR;

    if (status == MI_OK) {
        /* step B: the 16 data bytes + CRC */
        for (i = 0; i < 16; i++)
            buff[i] = *(writeData + i);
        calculateCRC(buff, 16, &buff[16]);
        status = MFRC522ToCard(PCD_TRANSCEIVE, buff, 18, buff, &recvBits);
        // again expect the 4-bit ACK
        if ((status != MI_OK) || (recvBits != 4) || ((buff[0] & 0x0F) != 0x0A))
            status = MI_ERR;
    }
    return status;
}
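To make the byte layouts in the card sequence and the read/write protocol above concrete, here is an added example (my own code, not the page's driver) that builds the SELECT, READ, WRITE and HLTA frames in plain C and checks the answers the way a driver should: the BCC of an anticollision reply, the 4-bit ACK, and the 16 + 2 byte shape of a READ reply. The page's write() gets its CRC from the MFRC522 CRC coprocessor via calculateCRC; this version computes the same ISO/IEC 14443-3 CRC_A in software (preset 0x6363, polynomial 0x8408 reflected, low byte sent first), so it runs on a PC. The authentication frames are left out because they carry card and reader nonces that cannot be built offline. The function names and the sample UID are assumptions.

```c
/* Added example (not from the page's mfrc522.c): ISO/IEC 14443-3 Type A frames
 * behind the M1 sequence, with a software CRC_A (CRC-16, polynomial 0x8408
 * reflected, preset 0x6363, LSB first, no final XOR, low byte sent first).
 * Names and sample UID are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PICC_WUPA     0x52   /* wake-up; also wakes cards in HALT state (REQA 0x26 does not) */
#define PICC_ANTICOLL 0x93   /* cascade level 1 (4-byte UID) */
#define PICC_SELECT   0x70   /* NVB: SEL + NVB + UID(4) + BCC = 7 bytes */
#define PICC_READ     0x30
#define PICC_WRITE    0xA0
#define PICC_HALT     0x50
#define MIFARE_ACK    0x0A   /* 4-bit ACK; any other nibble is a NAK */

uint16_t crc_a(const uint8_t *data, size_t len)
{
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = data[i] ^ (uint8_t)(crc & 0xFF);
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ ((uint16_t)b << 8) ^ ((uint16_t)b << 3) ^ (b >> 4));
    }
    return crc;
}

/* Append CRC_A (low byte first) to buf[0..len); returns the new length. */
size_t append_crc_a(uint8_t *buf, size_t len)
{
    uint16_t c = crc_a(buf, len);
    buf[len] = (uint8_t)(c & 0xFF);
    buf[len + 1] = (uint8_t)(c >> 8);
    return len + 2;
}

/* BCC is the XOR of the 4 UID bytes; the card sends it as the 5th byte. */
uint8_t uid_bcc(const uint8_t uid[4])
{
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3];
}

/* Verify the 5-byte anticollision answer before selecting with that UID. */
int anticoll_answer_ok(const uint8_t ans[5])
{
    return uid_bcc(ans) == ans[4];
}

/* SELECT: 93 70 UID0..3 BCC CRC (9 bytes); the card answers SAK + CRC */
size_t build_select(const uint8_t uid[4], uint8_t out[9])
{
    out[0] = PICC_ANTICOLL; out[1] = PICC_SELECT;
    for (int i = 0; i < 4; i++) out[2 + i] = uid[i];
    out[6] = uid_bcc(uid);
    return append_crc_a(out, 7);
}

/* READ (0x30) or WRITE step A (0xA0): cmd, block, CRC (4 bytes) */
size_t build_block_cmd(uint8_t cmd, uint8_t block, uint8_t out[4])
{
    out[0] = cmd; out[1] = block;
    return append_crc_a(out, 2);
}

/* WRITE step B: 16 data bytes, CRC (18 bytes) */
size_t build_write_data(const uint8_t data[16], uint8_t out[18])
{
    for (int i = 0; i < 16; i++) out[i] = data[i];
    return append_crc_a(out, 16);
}

/* HLTA: 50 00 CRC (4 bytes); a correct HLTA gets no answer from the card */
size_t build_halt(uint8_t out[4])
{
    out[0] = PICC_HALT; out[1] = 0x00;
    return append_crc_a(out, 2);
}

/* A READ answer must be exactly 16 data bytes + 2 CRC bytes over the data. */
int read_reply_ok(const uint8_t *reply, size_t len)
{
    if (len != 18) return 0;
    uint16_t c = crc_a(reply, 16);
    return reply[16] == (c & 0xFF) && reply[17] == (c >> 8);
}

/* The 4-bit answer after WRITE step A and step B: only 0xA is an ACK. */
int is_ack(uint8_t nibble)
{
    return (nibble & 0x0F) == MIFARE_ACK;
}

int main(void)
{
    const uint8_t uid[4] = {0xDE, 0xAD, 0xBE, 0xEF};   /* constructed sample UID */
    uint8_t buf[18];
    size_t n = build_select(uid, buf);
    printf("SELECT:");
    for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
    n = build_halt(buf);
    printf("\nHLTA:  ");
    for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

A quick way to sanity-check any CRC_A implementation is the HLTA frame, which is always 50 00 57 CD; if you get different trailing bytes, the preset or the byte order is wrong. Note that a short or wrong-length READ reply is rejected before the CRC is even looked at, which is the check the text above asks for.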
That was a lot to cram into a small space. Spend some time reading the bcm2835 library and the MFRC522 datasheet side by side and it will fall into place.
If that sounds too complex, just follow the steps below with your Raspberry Pi and RC522 module and get it working first.
Steps
1. Install the bcm2835 library, enable the Raspberry Pi's SPI interface and test that it works.
2. Wire the RC522 to the Raspberry Pi.
3. Write the library and program following the communication flow above.
4. Test.
Installing the bcm2835 library
bcm2835
bcm2835 is a C library for the Broadcom BCM2835 chip used in the Raspberry Pi.
This is a C library for Raspberry Pi (RPi). It provides access to GPIO and other IO functions on the Broadcom BCM 2835 chip, allowing access to the GPIO pins on the 26 pin IDE plug on the RPi board so you can control and interface with various external devices.
Install
# Download the latest release, named like bcm2835-1.xx.tar.gz, then:
tar zxvf bcm2835-1.xx.tar.gz
cd bcm2835-1.xx
./configure
make
sudo make check
sudo make install
Raspberry Pi 2 (RPi 2)
Enable the SPI interface (on newer Raspbian images there is no need to edit the module blacklist any more):
sudo raspi-config
Advanced Options -> A5 SPI -> enable
Reboot.
Check that the kernel module has been loaded:
root@pi2:~# lsmod
Module Size Used by
joydev 9194 0
evdev 11650 2
cfg80211 499234 0
rfkill 21397 2 cfg80211
8192cu 555405 0
snd_bcm2835 23163 0
snd_pcm 95441 1 snd_bcm2835
snd_timer 22396 1 snd_pcm
snd 68368 3 snd_bcm2835,snd_timer,snd_pcm
spi_bcm2835 8032 0 // present: SPI is enabled
i2c_bcm2708 5740 0
bcm2835_gpiomem 3823 0
bcm2835_wdt 4133 0
uio_pdrv_genirq 3718 0
uio 10230 1 uio_pdrv_genirq
i2c_dev 6578 0
ipv6 367607 24
List the SPI devices (spidev0.0 showing up means SPI is on):
root@pi2:~# ls /dev/sp*
/dev/spidev0.0 /dev/spidev0.1
The Raspberry Pi header pins used for SPI are:
P1-19 (MOSI)
P1-21 (MISO)
P1-23 (CLK)
P1-24 (CE0)
P1-26 (CE1)
Test the SPI interface
http://www.airspayce.com/mikem/bcm2835/spi_8c-example.html
Connect MISO to MOSI (loopback); the program then reads back the byte it sent.
spi.c
Shows how to use the SPI interface to transfer a byte to and from an SPI device
// spi.c
//
// Example program for bcm2835 library
// Shows how to interface with SPI to transfer a byte to and from an SPI device
//
// After installing bcm2835, you can build this
// with something like:
// gcc -o spi spi.c -l bcm2835
// sudo ./spi
//
// Or you can test it before installing with:
// gcc -o spi -I ../../src ../../src/bcm2835.c spi.c
// sudo ./spi
//
// Author: Mike McCauley
// Copyright (C) 2012 Mike McCauley
// $Id: RF22.h,v 1.21 2012/05/30 01:51:25 mikem Exp $
#include <bcm2835.h>
#include <stdio.h>
int main(int argc, char **argv)
{
// If you call this, it will not actually access the GPIO
// Use for testing
// bcm2835_set_debug(1);
if (!bcm2835_init())
{
printf("bcm2835_init failed. Are you running as root??\n");
return 1;
}
if (!bcm2835_spi_begin())
{
printf("bcm2835_spi_begin failed. Are you running as root??\n");
return 1;
}
bcm2835_spi_setBitOrder(BCM2835_SPI_BIT_ORDER_MSBFIRST); // The default
bcm2835_spi_setDataMode(BCM2835_SPI_MODE0); // The default
bcm2835_spi_setClockDivider(BCM2835_SPI_CLOCK_DIVIDER_65536); // The default
bcm2835_spi_chipSelect(BCM2835_SPI_CS0); // The default
bcm2835_spi_setChipSelectPolarity(BCM2835_SPI_CS0, LOW); // the default
// Send a byte to the slave and simultaneously read a byte back from the slave
// If you tie MISO to MOSI, you should read back what was sent
uint8_t send_data = 0x23;
uint8_t read_data = bcm2835_spi_transfer(send_data);
printf("Sent to SPI: 0x%02X. Read back from SPI: 0x%02X.\n", send_data, read_data);
if (send_data != read_data)
printf("Do you have the loopback from MOSI to MISO connected?\n");
bcm2835_spi_end();
bcm2835_close();
return 0;
}
Test run
Wiring the Raspberry Pi to the RC522
Pins
RC522 pin   Pi header pin #   Pi pin name
SDA         24                GPIO8 (CE0; in SPI mode the RC522's SDA pin is the chip select, NSS)
SCK         23                GPIO11 (SCLK)
MOSI        19                GPIO10
MISO        21                GPIO9
IRQ         not connected
GND         any ground pin
RST         22                GPIO25
3.3V        1                 3V3
(Figure: Pi 2 GPIO pinout)
Use the Raspberry Pi RC522 C library; the library and sample program are available for download.
Card-reading flow
findCard (detect a card) -> anticoll (anticollision, get the UID) -> selectTag (select the card) -> auth (authenticate with the sector key) -> read / write
#include "mfrc522.c"
#include <stdio.h>
#include <string.h>

int main(){
    int i;
    unsigned char s;
    unsigned char id[10];
    unsigned char key[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};   // default transport key
    unsigned char uid[5];        // 4-byte card serial number; the 5th byte is the BCC check byte
    unsigned char str[MAX_LEN];
    unsigned char wData[16] = {'h','a','c','k','e','d',' ','b','y',' ','r','u','o'};  // rest is zero-padded
    int isTrue = 1;

    if (!bcm2835_init()) return -1;
    init();
    while(isTrue){
        // WUPA (0x52) also wakes cards in the HALT state, unlike REQA (0x26)
        if (findCard(0x52,&s) == MI_OK){
            if (anticoll(id) == MI_OK){
                memcpy(uid,id,5);
                printf("CARD UID:");
                for(i = 0;i < 4;i++)
                    printf("%02x",uid[i]);
                printf("\n");
                // select the card, then authenticate block 4 (sector 1) with key A
                selectTag(uid);
                if(auth(0x60,4,key,uid) == MI_OK){
                    // write data
                    if(write(4,wData) == MI_OK){
                        printf("Write data success!\n");
                        //isTrue = 0;
                    }
                    // read the block back
                    if(read(4,str) == MI_OK){
                        printf("Hex:");
                        for(i = 0;i < 16;i++)
                            printf("%02x",str[i]);
                        printf("\n");
                        printf("Data:%.16s\n",str);   // a block is not NUL-terminated
                    }
                }else{
                    printf("Auth failed.\n");
                }
            }else {
                printf("Anticoll ERR.\n");   // no valid UID, so do not select/authenticate
            }
        }
        halt();
    }
    bcm2835_spi_end();
    bcm2835_close();
    return 0;
}
Other libraries
MFRC522-python
A Python class for using the MFRC522 on a Raspberry Pi.
https://github.com/mxgxw/MFRC522-python
Much of the above is low-level detail. If you just want to get on with the cracking, this is the chapter to read.
Using the PN532 NFC module
Near field communication (NFC) is a set of standards for smart phones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimeters.
Features
Small dimensions, easy to embed into your project
Supports I2C, SPI and HSU (High Speed UART), easy to switch between modes
Supports RFID reading and writing, P2P communication with peers, and NFC with Android phones
RFID reader/writer supports:
Mifare 1K, 4K, Ultralight and DESFire cards
ISO/IEC 14443-4 cards such as CD97BX, CD light, DESFire, P5CN072 (SMX)
Innovision Jewel cards such as the IRT5001
FeliCa cards such as RCS_860 and RCS_854
Reading distance up to 5-7 cm
On-board level shifter: standard 5 V TTL for I2C and UART, 3.3 V TTL for SPI
Arduino compatible, plug and play with the vendor's shield
Here we connect the PN532 to the Raspberry Pi over I2C and install the key-recovery tools mfoc and mfcuk (MiFare Classic Universal toolKit, the darkside key recovery tool).
mfoc recovers the remaining keys of an M1 card from one already-known key (for example a default key on any sector) using the nested-authentication vulnerability.
mfcuk recovers a key of a card on which no key is known at all, using the darkside attack. It is much slower than mfoc, so the usual workflow is mfcuk for the first key and then mfoc for the rest.
Both are built on the libnfc library, so libnfc has to be installed first.
libnfc download
http://nfc-tools.org/index.php?title=Libnfc
libnfc configuration (configuration interface)
http://nfc-tools.org/index.php?title=Libnfc:configuration
Installation guide (I only got the reader detected with the libnfc-1.7.1.tar.bz2 tarball; the version cloned from GitHub did not find the device)
http://www.jamesrobertson.eu/blog/2016/feb/08/using-a-pn532-nfc-rfid-reader-with-the-raspberry-pi.html
Installing mfoc and mfcuk
https://github.com/nfc-tools/
git clone https://github.com/nfc-tools/mfoc.git
cd mfoc/
autoreconf -vis
./configure
make
make install
# mfoc -O test.mfd             // try the built-in default keys and dump the card to test.mfd
# mfoc -f key.txt -O test.mfd  // also try the keys listed in key.txt
mfcuk -C -R 0:A -v 2           // darkside attack: -C connect to the card, -R 0:A recover key A of sector 0, -v 2 verbosity
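What you get from mfoc -O is a raw 1024-byte image of the card in the layout described in the M1 card structure section (64 blocks of 16 bytes, block 3 of each sector being the trailer with KeyA, access bits and KeyB). As an added example (my own code, not part of mfoc or of the page), here is a parser for that image: it pulls the two keys out of every sector trailer, decodes the access bits and checks their inverted copies (a trailer with inconsistent access bits permanently locks the sector, so anything that writes trailers must check this first), and reports whether KeyB is readable with KeyA, which is what decides whether one recovered key gives you the whole sector. The sample dump is constructed inline; its UID and keys are made up, and the function names are assumptions.

```c
/* Added example, not part of mfoc or the page: parse a raw Mifare Classic 1K
 * dump (.mfd as written by mfoc -O: 64 blocks x 16 bytes in block order).
 * Sector trailer (block 3 of each sector): 0-5 KeyA | 6-8 access bits |
 * 9 user byte | 10-15 KeyB.  Access bytes (MF1S50 datasheet; bit n of each
 * Cx nibble belongs to block n of the sector):
 *   byte6 = ~C2 << 4 | ~C1     byte7 = C1 << 4 | ~C3     byte8 = C3 << 4 | C2 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MFD_1K_SIZE 1024
#define SECTORS_1K  16

typedef struct {
    uint8_t key_a[6], key_b[6];
    uint8_t acc[4];      /* C1C2C3 for blocks 0..3 as a 3-bit value, C1 is the MSB */
    uint8_t user;
    int     consistent;  /* 1 if the inverted nibbles agree with the plain ones */
} sector_info_t;

int trailer_block(int sector) { return sector * 4 + 3; }
int is_trailer(int block)     { return block % 4 == 3; }

/* Returns 0 (and leaves acc untouched) if the inverted copies do not match. */
int decode_access_bits(const uint8_t ab[3], uint8_t acc[4])
{
    uint8_t c1 = ab[1] >> 4, c2 = ab[2] & 0x0F, c3 = ab[2] >> 4;
    uint8_t nc1 = ab[0] & 0x0F, nc2 = ab[0] >> 4, nc3 = ab[1] & 0x0F;
    if ((c1 ^ nc1) != 0x0F || (c2 ^ nc2) != 0x0F || (c3 ^ nc3) != 0x0F)
        return 0;
    for (int b = 0; b < 4; b++)
        acc[b] = (uint8_t)((((c1 >> b) & 1) << 2) | (((c2 >> b) & 1) << 1) | ((c3 >> b) & 1));
    return 1;
}

int parse_sector(const uint8_t *dump, size_t len, int sector, sector_info_t *out)
{
    if (len < MFD_1K_SIZE || sector < 0 || sector >= SECTORS_1K) return 0;
    const uint8_t *t = dump + trailer_block(sector) * 16;
    memcpy(out->key_a, t, 6);
    memcpy(out->key_b, t + 10, 6);
    out->user = t[9];
    out->consistent = decode_access_bits(t + 6, out->acc);
    return 1;
}

/* Data block conditions (datasheet table): read / write / increment / decrement */
const char *data_block_meaning(uint8_t c1c2c3)
{
    switch (c1c2c3) {
    case 0: return "transport: A|B read, write, inc, dec";
    case 2: return "A|B read, never write";
    case 4: return "A|B read, B write";
    case 6: return "value: A|B read, B write, B inc, A|B dec";
    case 1: return "value: A|B read, A|B dec, never write";
    case 3: return "B read, B write";
    case 5: return "B read, never write";
    default: return "never read or write";
    }
}

/* Trailer conditions 000, 010 and 001 let KeyA read KeyB: KeyA alone then
 * yields both keys, which is exactly what one recovered key exposes. */
int key_b_readable(uint8_t trailer_c1c2c3)
{
    return trailer_c1c2c3 == 0 || trailer_c1c2c3 == 2 || trailer_c1c2c3 == 1;
}

int is_default_key(const uint8_t k[6])
{
    static const uint8_t ff[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    return memcmp(k, ff, 6) == 0;
}

/* Constructed sample dump: a blank card (transport config FF 07 80 69 in every
 * trailer) except sector 1, which an issuer has personalised: new keys, data
 * blocks writable with KeyB only (C1C2C3 = 100), trailer condition 011. */
void build_sample_dump(uint8_t dump[MFD_1K_SIZE])
{
    static const uint8_t blank[16]  = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0x07,0x80,0x69,
                                       0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
    static const uint8_t issued[16] = {0xA0,0xA1,0xA2,0xA3,0xA4,0xA5, 0x78,0x77,0x88,0x69,
                                       0xB0,0xB1,0xB2,0xB3,0xB4,0xB5};
    static const uint8_t block0[16] = {0xDE,0xAD,0xBE,0xEF,0x22,0x08,0x04,0x00}; /* UID, BCC, SAK, ATQA */
    memset(dump, 0, MFD_1K_SIZE);
    memcpy(dump, block0, 16);
    for (int s = 0; s < SECTORS_1K; s++)
        memcpy(dump + trailer_block(s) * 16, s == 1 ? issued : blank, 16);
}

int main(void)
{
    uint8_t dump[MFD_1K_SIZE];
    sector_info_t si;
    build_sample_dump(dump);
    for (int s = 0; s < SECTORS_1K; s++) {
        parse_sector(dump, sizeof dump, s, &si);
        printf("sector %2d keyA %s keyB %s trailer=%d (KeyB %s) data: %s%s\n", s,
               is_default_key(si.key_a) ? "default" : "custom ",
               is_default_key(si.key_b) ? "default" : "custom ",
               si.acc[3], key_b_readable(si.acc[3]) ? "readable with A" : "hidden",
               data_block_meaning(si.acc[0]), si.consistent ? "" : " [ACCESS BITS CORRUPT]");
    }
    return 0;
}
```

To run it on a real dump, replace build_sample_dump with an fread of test.mfd into the 1024-byte buffer. Two things are worth reading off the output: sectors whose keys are still FF FF FF FF FF FF (the transport key) need no attack at all, and a trailer whose access bits keep KeyB hidden means a recovered KeyA only grants whatever the data-block conditions allow KeyA, not the full sector.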