Jail Raiders: Mifare1 Card crack

Creative Commons license: Attribution-ShareAlike (others may build on this work, and derivatives must be distributed under the same license).

Supplementary note:

A programmer hacked his company's system to top up his own canteen meal card. Technology is a double-edged sword, so be careful, be very careful!

Foreword

Since the authentication vulnerability in M1 cards was first found, one cracking device after another has appeared, so quick "one-click" cracking is not the focus of this article. What you can take away from it:

If you want something quick and easy, pick a simple and readily available device such as the ACR122 or Proxmark3, or an NFC-enabled Android phone with the Mifare Classic Tool (MCT) app, which is also a good choice.
The tests here are based on a Raspberry Pi with RC522 and PN532 modules. If you are a geek just getting started you may want to read on; I will briefly cover the SPI interface protocol and part of the RC522 driver code.
"Cracking" in this article means obtaining KeyA and KeyB of a Mifare Classic card and reading its sector data.
This article is meant to start a discussion; my knowledge is limited, so please let me know if anything is wrong.
M1 card structure
Mifare is a series of RF cards produced by NXP that comply with the ISO14443A standard, including Mifare S50, Mifare S70, Mifare UltraLight, Mifare Pro, Mifare Desfire and so on. The Mifare S50 has 1K bytes of capacity and is often called Mifare Standard or Mifare 1; it is the most widely used and most influential of the ISO14443A-compliant cards. Its card type code (ATQA) is 0004H.

(Figure: MCT screenshots of a blank Mifare Classic 1K dump)
Reading a blank Mifare Classic 1K (S50) card with MCT on an NFC-enabled phone shows the card's storage structure quite intuitively.

An M1 card has 16 sectors, numbered 0 to 15, and each sector has its own independent keys. Each sector consists of 4 blocks, numbered 0 to 3, so the 16 sectors give 64 blocks with absolute addresses 0 to 63. Each block holds 16 bytes, for a total of 16 x 4 x 16 = 1024 bytes.

The 4th block (block 3) of each sector, the sector trailer, holds KeyA, KeyB and the access control bits (ACs, which control read and write permissions).

Block 0 of sector 0 is a special data block that stores the manufacturer code, including the chip serial number; this block is read-only.
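The layout just described is easy to get wrong in code (off-by-one on the trailer block, forgetting that block 0 is read-only), so here is an added example, not code from the original post, that maps absolute block numbers to sectors and trailers and decodes the access bits of a sector trailer. Bytes 6 to 8 of the trailer store each access bit twice, once inverted, which gives a cheap integrity check when auditing a card dump. The byte layout and the "KeyB readable" conditions follow the public NXP MF1S50 datasheet; the function names and the two sample trailers are this example's own, and the sample trailers are constructed (the transport configuration FF 07 80 69 that blank cards ship with, and a deliberately corrupted copy).

```c
#include <stdint.h>
#include <stdio.h>

#define M1_SECTORS           16
#define M1_BLOCKS_PER_SECTOR 4
#define M1_BLOCK_SIZE        16
#define M1_BLOCKS            (M1_SECTORS * M1_BLOCKS_PER_SECTOR)   /* 64 */
#define M1_BYTES             (M1_BLOCKS * M1_BLOCK_SIZE)           /* 1024 */

/* Constructed sample trailer: default transport keys FF..FF, access bytes FF 07 80 69. */
const uint8_t TRANSPORT_TRAILER[16] = {
  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0x07,0x80,0x69, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF };

/* Same trailer with one access bit flipped (byte 7): the inverted copy no longer matches. */
const uint8_t CORRUPT_TRAILER[16] = {
  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0x17,0x80,0x69, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF };

/* Absolute block number (0..63) -> sector number (0..15). */
int sector_of(int block)              { return block / M1_BLOCKS_PER_SECTOR; }
/* Sector number -> absolute address of its trailer block. */
int trailer_block_of(int sector)      { return sector * M1_BLOCKS_PER_SECTOR + 3; }
/* Block 3 of every sector is the trailer: KeyA | access bits | KeyB. */
int is_trailer(int block)             { return block % M1_BLOCKS_PER_SECTOR == 3; }
/* Block 0 is the read-only manufacturer block holding the serial number. */
int is_manufacturer_block(int block)  { return block == 0; }

/* Decode trailer bytes 6..8 into one 3-bit condition C1C2C3 per block
 * (cond[0..2] = the data blocks, cond[3] = the trailer itself).
 * Returns 0 on success, -1 if the inverted copies disagree (corrupt or tampered). */
int decode_access_bits(const uint8_t trailer[16], uint8_t cond[4])
{
  uint8_t b6 = trailer[6], b7 = trailer[7], b8 = trailer[8];
  uint8_t c1  = (b7 >> 4) & 0x0F, c2  = b8 & 0x0F,        c3  = (b8 >> 4) & 0x0F;
  uint8_t nc1 = b6 & 0x0F,        nc2 = (b6 >> 4) & 0x0F, nc3 = b7 & 0x0F;
  if ((c1 ^ nc1) != 0x0F || (c2 ^ nc2) != 0x0F || (c3 ^ nc3) != 0x0F)
    return -1;
  for (int blk = 0; blk < 4; blk++)
    cond[blk] = (uint8_t)((((c1 >> blk) & 1) << 2) |
                          (((c2 >> blk) & 1) << 1) |
                           ((c3 >> blk) & 1));
  return 0;
}

/* Trailer conditions 000, 010 and 001 let KeyB be read with KeyA; KeyB is then
 * just data and cannot serve as a secret (the datasheet's own remark). */
int key_b_readable(uint8_t trailer_cond)
{
  return trailer_cond == 0 || trailer_cond == 2 || trailer_cond == 1;
}

/* Audit helper: the trailer's own condition, or -1 if the trailer is inconsistent. */
int trailer_condition(const uint8_t trailer[16])
{
  uint8_t cond[4];
  if (decode_access_bits(trailer, cond) != 0) return -1;
  return cond[3];
}

int main(void)
{
  uint8_t cond[4];
  printf("M1 card: %d blocks, %d bytes\n", M1_BLOCKS, M1_BYTES);
  for (int block = 0; block < M1_BLOCKS; block++)
    if (is_trailer(block))
      printf("block %2d is the trailer of sector %2d\n", block, sector_of(block));
  if (decode_access_bits(TRANSPORT_TRAILER, cond) == 0)
    printf("transport trailer: data blocks %d %d %d, trailer %d, KeyB readable: %s\n",
           cond[0], cond[1], cond[2], cond[3], key_b_readable(cond[3]) ? "yes" : "no");
  printf("corrupt trailer condition: %d\n", trailer_condition(CORRUPT_TRAILER));
  return 0;
}
```

On a blank card the trailer condition decodes to 001 and KeyB is readable, which is why a deployment that leaves the transport configuration in place effectively has only one key per sector.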
SPI interface

SPI (Serial Peripheral Interface) is a high-speed, full-duplex, synchronous communication bus. It works in master/slave mode, usually one master with one or more slaves, over at least four lines (three are enough for unidirectional transfer). All SPI devices share SDI (data in, MISO), SDO (data out, MOSI), SCLK (clock, SCK) and CS (chip select, SS).

CS controls whether the chip is selected: only while the chip select line carries the predefined enable level (high or low) are operations on that chip valid.

Data is exchanged through two bidirectional shift registers. SPI is a serial protocol: data is transmitted one bit at a time (always most significant bit, MSB, first). SCLK provides the clock pulses; data is shifted out on the SDO line on one clock edge (rising or falling) and sampled on the opposite edge, which completes the transfer of one bit. Accordingly, at least eight clock transitions are needed to transfer one byte (8 bits).

(Figure: SPI timing diagram)

SPI is only a way of transmitting data. The Raspberry Pi integrates a hardware SPI controller, so we do not need a complicated software (bit-banged) SPI; we just call the relevant bcm2835 library functions to send and receive data. It is like a conveyor belt on an assembly line: all we have to do is put the goods on it (rather than work out how to build the transport itself). Of course we still have to know how to put them on, so let's learn how to control the RC522 module.

MFRC522

Several important characteristics:

Supports ISO/IEC 14443A / MIFARE
64-byte transmit and receive FIFO buffer
3V supply
Supports SPI, I2C and UART interfaces
How to communicate with an M1 card?

Request standard / request all (REQA / WUPA). After power-on reset (POR), the M1 card answers a REQA (request) or WUPA (wake-up) command with its ATQA code (the card type code, e.g. 00 04h for MF1S503yX).
Anti-collision. If more than one card is in the reader's field, each has to send its own identifier (the 4-byte serial number SN plus a 1-byte check byte) so that the reader can tell them apart and pick just one card for the next step.
Card selection. The reader uses the select command to choose one card for authentication and memory operations; the card answers with the SAK select acknowledge code (which indicates the card capacity).
Three-pass mutual authentication. After selection, the reader specifies the memory address and carries out the three-pass authentication with the corresponding key. After authentication, all memory operations are encrypted.
Memory operations:

Read: read a data block

Write: write a data block

Decrement: decrease the value in a value block and store the result in the internal temporary data register

Increment: increase the value in a value block and store the result in the internal temporary data register

Restore: write the contents of the internal temporary data register to a value block

Halt: put the card into the halted state

(Figure: command sequence diagram)
Several important registers

FIFODataReg: the input and output data bus of the 64-byte FIFO buffer is connected to the FIFODataReg register. Writing a byte to FIFODataReg stores it in the FIFO buffer and advances the internal FIFO write pointer.

The main status registers include ComIrqReg, ErrorReg, Status2Reg, FIFOLevelReg and so on.

(For more details, see the chip datasheet; it is essential reading.)

(Figure: communication process)
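To make the SPI section and the register list concrete, here is an added example (not the original post's driver code) of how a host frames register accesses to the MFRC522 over SPI. Per the MFRC522 datasheet, every transfer starts with an address byte: bit 7 is 1 for a read and 0 for a write, bits 6 to 1 carry the register address and bit 0 is 0; a write is followed by the value, a read by a dummy byte that clocks the value in on MISO. The transfer function is injected so the same helpers run against `bcm2835_spi_transfer()` on a Pi or against the in-memory mock below. The mock is a constructed stand-in that models only this framing plus a FIFO (it does not execute chip commands or touch the RF side); register addresses are from the datasheet, everything else is this example's own naming.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register addresses from the MFRC522 datasheet. */
#define REG_COM_IRQ     0x04
#define REG_ERROR       0x06
#define REG_STATUS2     0x08
#define REG_FIFO_DATA   0x09
#define REG_FIFO_LEVEL  0x0A
#define RC522_FIFO_SIZE 64

/* One full-duplex byte exchange; on a Pi this is bcm2835_spi_transfer(). */
typedef uint8_t (*spi_xfer_fn)(uint8_t out);

/* MFRC522 SPI address byte: bit 7 = 1 read / 0 write, bits 6..1 = register, bit 0 = 0. */
uint8_t rc522_addr_byte(uint8_t reg, int read)
{
  return (uint8_t)((read ? 0x80 : 0x00) | ((reg & 0x3F) << 1));
}

/* Write one register: address byte, then the value. */
void rc522_write_reg(spi_xfer_fn xfer, uint8_t reg, uint8_t val)
{
  xfer(rc522_addr_byte(reg, 0));
  xfer(val);
}

/* Read one register: address byte, then a dummy byte during which the value comes back. */
uint8_t rc522_read_reg(spi_xfer_fn xfer, uint8_t reg)
{
  xfer(rc522_addr_byte(reg, 1));
  return xfer(0x00);
}

/* Push a frame into the FIFO byte by byte (the first step of a transceive sequence). */
void rc522_fifo_write(spi_xfer_fn xfer, const uint8_t *frame, int n)
{
  for (int i = 0; i < n; i++)
    rc522_write_reg(xfer, REG_FIFO_DATA, frame[i]);
}

/* Drain the FIFO: read FIFOLevelReg, then that many bytes from FIFODataReg. */
int rc522_fifo_read(spi_xfer_fn xfer, uint8_t *out, int max)
{
  int n = rc522_read_reg(xfer, REG_FIFO_LEVEL);
  if (n > max) n = max;
  for (int i = 0; i < n; i++)
    out[i] = rc522_read_reg(xfer, REG_FIFO_DATA);
  return n;
}

/* ---- constructed mock of the chip's SPI side: a register file plus a 64-byte FIFO ---- */
static uint8_t mock_regs[64];
static uint8_t mock_fifo[RC522_FIFO_SIZE];
static int     mock_fifo_len;
static int     mock_pending = -1;   /* address byte already received, data byte next */

void mock_reset(void)
{
  memset(mock_regs, 0, sizeof mock_regs);
  mock_fifo_len = 0;
  mock_pending  = -1;
}

uint8_t mock_spi_transfer(uint8_t out)
{
  if (mock_pending < 0) {            /* first byte of a transaction: the address byte */
    mock_pending = out;
    return 0x00;
  }
  uint8_t addr = (uint8_t)mock_pending;
  uint8_t reg  = (addr >> 1) & 0x3F;
  mock_pending = -1;
  if (addr & 0x80) {                 /* read: answer during the dummy byte */
    if (reg == REG_FIFO_DATA) {
      if (mock_fifo_len == 0) return 0x00;
      uint8_t v = mock_fifo[0];
      mock_fifo_len--;
      memmove(mock_fifo, mock_fifo + 1, (size_t)mock_fifo_len);
      return v;
    }
    if (reg == REG_FIFO_LEVEL) return (uint8_t)mock_fifo_len;
    return mock_regs[reg];
  }
  if (reg == REG_FIFO_DATA) {        /* write: append to the FIFO, drop when full */
    if (mock_fifo_len < RC522_FIFO_SIZE) mock_fifo[mock_fifo_len++] = out;
  } else {
    mock_regs[reg] = out;
  }
  return 0x00;
}

int main(void)
{
  /* constructed frame: READ command 0x30, block 0x00, followed by its two CRC bytes */
  const uint8_t frame[4] = {0x30, 0x00, 0x02, 0xA8};
  uint8_t back[RC522_FIFO_SIZE];
  mock_reset();
  rc522_fifo_write(mock_spi_transfer, frame, 4);
  int n = rc522_fifo_read(mock_spi_transfer, back, (int)sizeof back);
  printf("FIFO level was %d, read back:", n);
  for (int i = 0; i < n; i++) printf(" %02X", back[i]);
  printf("\n");
  return 0;
}
```

On real hardware you would replace `mock_spi_transfer` with `bcm2835_spi_transfer` after the `bcm2835_spi_begin()` setup shown later in the spi.c example; the framing helpers do not change.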

Read and write operations

Writing takes two steps.

Step A: query the block state.

Command code (0xA0) | block address
If the block is ready, the MIFARE card returns a 4-bit response. If its value is 1010, the next step may be performed; if it is not 1010, the block is not ready and the reader waits until it is.

Step B: write the data.

Data bytes (16 bytes) | CRC (2 bytes)
If the write succeeds, the MIFARE card again returns a 4-bit response with the value 1010; any value other than 1010 means the write failed.

Reading

Instruction format

Command code (0x30) | block address
On success the MIFARE card returns 18 bytes. Note that only 16 of them are the block data; the remaining two are trailing check bytes. If the number of bytes returned is not 18, the read operation can be judged to have failed.
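The CRC that terminates these frames is the ISO/IEC 14443-3 CRC_A. The post's driver lets the RC522 compute it in hardware (calculateCRC), but computing it on the host lets you build frames offline, check traces from a sniffer, and validate the two bytes that follow the 16 data bytes of a READ response. The following is an added example, not code from the original post: polynomial and preset follow ISO/IEC 14443-3 Annex B, the command codes are the ones used above, and the function names and the sample data are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PICC_READ  0x30
#define PICC_WRITE 0xA0

/* CRC_A (ISO/IEC 14443-3 Annex B): reflected polynomial 0x8408, preset 0x6363,
 * no final XOR, transmitted low byte first. */
uint16_t iso14443a_crc(const uint8_t *data, size_t len)
{
  uint16_t crc = 0x6363;
  for (size_t i = 0; i < len; i++) {
    uint8_t b = data[i] ^ (uint8_t)(crc & 0xFF);
    b ^= (uint8_t)(b << 4);
    crc = (uint16_t)((crc >> 8) ^ ((uint16_t)b << 8) ^ ((uint16_t)b << 3) ^ (b >> 4));
  }
  return crc;
}

/* Append the 2 CRC bytes (low byte first) after len payload bytes. */
void append_crc(uint8_t *frame, size_t len)
{
  uint16_t crc = iso14443a_crc(frame, len);
  frame[len]     = (uint8_t)(crc & 0xFF);
  frame[len + 1] = (uint8_t)(crc >> 8);
}

/* READ frame: command code, block address, CRC -> 4 bytes. */
void build_read_frame(uint8_t block, uint8_t out[4])
{
  out[0] = PICC_READ;
  out[1] = block;
  append_crc(out, 2);
}

/* WRITE step A frame: command code, block address, CRC -> 4 bytes. */
void build_write_cmd_frame(uint8_t block, uint8_t out[4])
{
  out[0] = PICC_WRITE;
  out[1] = block;
  append_crc(out, 2);
}

/* WRITE step B frame: 16 data bytes followed by the CRC -> 18 bytes. */
void build_write_data_frame(const uint8_t data[16], uint8_t out[18])
{
  memcpy(out, data, 16);
  append_crc(out, 16);
}

/* Validate a READ response: exactly 18 bytes, and the trailing CRC matches the 16 data bytes. */
int verify_read_response(const uint8_t *resp, size_t len)
{
  if (len != 18) return 0;
  uint16_t received = (uint16_t)(resp[16] | (resp[17] << 8));
  return iso14443a_crc(resp, 16) == received;
}

static void dump(const char *label, const uint8_t *buf, size_t len)
{
  printf("%-12s", label);
  for (size_t i = 0; i < len; i++) printf(" %02X", buf[i]);
  printf("\n");
}

int main(void)
{
  uint8_t rd[4], wr[4], resp[18];
  uint8_t data[16] = {'h','a','c','k','e','d',' ','b','y',' ','r','u','o'}; /* constructed */
  build_read_frame(0, rd);
  build_write_cmd_frame(4, wr);
  build_write_data_frame(data, resp);   /* doubles as a well-formed READ response */
  dump("READ 0:", rd, 4);
  dump("WRITE 4:", wr, 4);
  dump("18-byte rsp:", resp, 18);
  printf("response CRC ok: %d\n", verify_read_response(resp, 18));
  resp[5] ^= 0x01;                       /* corrupt one data byte */
  printf("after corruption: %d\n", verify_read_response(resp, 18));
  return 0;
}
```

A READ of block 0 assembles to `30 00 02 A8`, a handy sanity check when comparing with a logic-analyser or Proxmark trace; a response whose CRC fails should be treated like a wrong length, i.e. the read is discarded rather than parsed.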

/*
 * Function:    write
 * Description: write a block of data
 * Parameters:  blockAddr -- block address; writeData -- the 16 bytes to write to the block
 */
unsigned char write(unsigned char blockAddr, unsigned char *writeData)
{
  unsigned char status;
  unsigned int recvBits;
  unsigned char i;
  unsigned char buff[18];

  /* Step A: send the WRITE command with the block address (0-63) and its CRC */
  buff[0] = PICC_WRITE;
  buff[1] = blockAddr;
  calculateCRC(buff, 2, &buff[2]);
  status = MFRC522ToCard(PCD_TRANSCEIVE, buff, 4, buff, &recvBits);

  /* the card must answer with the 4-bit acknowledge 1010 (0x0A) */
  if ((status != MI_OK) || (recvBits != 4) || ((buff[0] & 0x0F) != 0x0A))
    status = MI_ERR;

  /* Step B: send the 16 data bytes followed by their 2-byte CRC */
  if (status == MI_OK) {
    for (i = 0; i < 16; i++)
      buff[i] = *(writeData + i);
    calculateCRC(buff, 16, &buff[16]);
    status = MFRC522ToCard(PCD_TRANSCEIVE, buff, 18, buff, &recvBits);
    /* again expect the 4-bit acknowledge 1010 */
    if ((status != MI_OK) || (recvBits != 4) || ((buff[0] & 0x0F) != 0x0A))
      status = MI_ERR;
  }
  return status;
}

I feel this is getting hard to explain in words; spend some more time with the library and the MFRC522 datasheet, then just get hands-on and try it!

If the above sounds too complex, take the following steps with your Raspberry Pi and RC522 module and simply get it working.

Steps

1. Install the bcm2835 library, enable the Raspberry Pi SPI interface and test that it works
2. Wire the RC522 to the Raspberry Pi
3. Write the program based on the library and the communication process
4. Test

Install the bcm2835 library

bcm2835

A C library for the Broadcom BCM2835 chip in the Raspberry Pi:

This is a C library for Raspberry Pi (RPi). It provides access to GPIO and other IO functions on the Broadcom BCM 2835 chip, allowing access to the GPIO pins on the 26 pin IDE plug on the RPi board so you can control and interface with various external devices.

Installation
# Download the latest library tarball, named like bcm2835-1.xx.tar.gz, then:
tar zxvf bcm2835-1.xx.tar.gz
cd bcm2835-1.xx
./configure
make
sudo make check
sudo make install


Raspberry Pi 2 (RPI2)

Enable the SPI interface on the Raspberry Pi (on newer systems there is no need to edit the module blacklist configuration file):

sudo raspi-config

under Advanced Options – A5 SPI
(Figure: raspi-config SPI option)
Reboot.

The modules the system has loaded are displayed:

root@pi2:~# lsmod
Module                Size Used by
joydev                 9194 0
evdev                 11650 2
cfg80211             499234 0
rfkill                 21397 2 cfg80211
8192cu               555405 0
snd_bcm2835           23163 0
snd_pcm               95441 1 snd_bcm2835
snd_timer             22396 1 snd_pcm
snd                   68368 3 snd_bcm2835,snd_timer,snd_pcm
spi_bcm2835             8032 0 // indicates SPI is enabled
i2c_bcm2708             5740 0
bcm2835_gpiomem         3823 0
bcm2835_wdt             4133 0
uio_pdrv_genirq         3718 0
uio                   10230 1 uio_pdrv_genirq
i2c_dev                 6578 0
ipv6                  367607 24

View the SPI devices (the appearance of spidev0.0 here shows that SPI is enabled):

root@pi2:~# ls /dev/sp*

/dev/spidev0.0 /dev/spidev0.1

The Raspberry Pi GPIO pins used for SPI are:

    P1-19 (MOSI)
    P1-21 (MISO)
    P1-23 (CLK)
    P1-24 (CE0)
    P1-26 (CE1)

Test SPI Interface

http://www.airspayce.com/mikem/bcm2835/spi_8c-example.html

With MISO and MOSI wired together (a loopback), running the program will read back the data it transmitted.

spi.c
Shows how to use SPI interface to transfer a byte to and from an SPI device

// spi.c
//
// Example program for bcm2835 library
// Shows how to interface with SPI to transfer a byte to and from an SPI device
//
// After installing bcm2835, you can build this
// with something like:
// gcc -o spi spi.c -l bcm2835
// sudo ./spi
//
// Or you can test it before installing with:
// gcc -o spi -I ../../src ../../src/bcm2835.c spi.c
// sudo ./spi
//
// Author: Mike McCauley
// Copyright (C) 2012 Mike McCauley
// $Id: RF22.h,v 1.21 2012/05/30 01:51:25 mikem Exp $
#include <bcm2835.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    // If you call this, it will not actually access the GPIO
    // Use for testing
    // bcm2835_set_debug(1);
    if (!bcm2835_init())
    {
        printf("bcm2835_init failed. Are you running as root??\n");
        return 1;
    }
    if (!bcm2835_spi_begin())
    {
        printf("bcm2835_spi_begin failed. Are you running as root??\n");
        return 1;
    }
    bcm2835_spi_setBitOrder(BCM2835_SPI_BIT_ORDER_MSBFIRST);      // The default
    bcm2835_spi_setDataMode(BCM2835_SPI_MODE0);                   // The default
    bcm2835_spi_setClockDivider(BCM2835_SPI_CLOCK_DIVIDER_65536); // The default
    bcm2835_spi_chipSelect(BCM2835_SPI_CS0);                      // The default
    bcm2835_spi_setChipSelectPolarity(BCM2835_SPI_CS0, LOW);      // the default

    // Send a byte to the slave and simultaneously read a byte back from the slave
    // If you tie MISO to MOSI, you should read back what was sent
    uint8_t send_data = 0x23;
    uint8_t read_data = bcm2835_spi_transfer(send_data);
    printf("Sent to SPI: 0x%02X. Read back from SPI: 0x%02X.\n", send_data, read_data);
    if (send_data != read_data)
        printf("Do you have the loopback from MOSI to MISO connected?\n");

    bcm2835_spi_end();
    bcm2835_close();
    return 0;
}

Code test
(Figure: loopback test output)

Wiring the RC522 to the Raspberry Pi

Pins
Name    Pin #   Pin name
SDA     24      GPIO8
SCK     23      GPIO11
MOSI    19      GPIO10
MISO    21      GPIO9
IRQ     None    None
GND     Any     Any Ground
RST     22      GPIO25
3.3V    1       3V3

Appendix: Pi 2 GPIO diagram
(Figure: Raspberry Pi 2 GPIO pinout and wiring photo)
The RC522 C library for the Raspberry Pi is used below; library and sample program download:

Card reading process

findCard (detect card) -> anticoll (anti-collision) -> selectTag (select card) -> auth (authenticate with key) -> read / write (read or write a block)

#include "mfrc522.c"
#include <stdio.h>
#include <string.h>

int main(void)
{
  int i;
  unsigned char s;
  unsigned char id[10];
  unsigned char key[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};   /* default (transport) key */
  unsigned char uid[5];          /* 4-byte card serial number, the 5th byte is the check byte */
  unsigned char str[MAX_LEN];
  unsigned char wData[16] = {'h','a','c','k','e','d',' ','b','y',' ','r','u','o'};
  int isTrue = 1;

  if (!bcm2835_init()) return -1;
  init();

  while (isTrue) {
    if (findCard(0x52, &s) == MI_OK) {
      if (anticoll(id) == MI_OK) {
        memcpy(uid, id, 5);
        printf("CARD UID:");
        for (i = 0; i < 5; i++)
          printf("%02x", uid[i]);
        printf("\n");

        /* select card */
        selectTag(uid);

        /* authenticate block 4 (sector 1) with key A */
        if (auth(0x60, 4, key, uid) == MI_OK) {
          /* write data */
          if (write(4, wData) == MI_OK) {
            printf("Write data success!\n");
            /* isTrue = 0; */
          }

          /* read data */
          if (read(4, str) == MI_OK) {
            printf("Hex:");
            for (i = 0; i < 16; i++)
              printf("%02x", str[i]);
            printf("\n");
            /* only the 16 block bytes are printable data; the block is not NUL-terminated */
            printf("Data:%.16s\n", str);
          }
        } else {
          printf("Auth failed.\n");
        }
      } else {
        printf("FindCard ERR.\n");
      }
    }
    halt();
  }

  bcm2835_spi_end();
  bcm2835_close();
  return 0;
}

(Figure: program output showing the card UID and the written block)
Other libraries

MFRC522-python

An MFRC522 interface class for use on the Raspberry Pi.

https://github.com/mxgxw/MFRC522-python

The above goes into a lot of detail you may not need; if you just want to get on with cracking, read this chapter.

Using the PN532 NFC module
(Figure: PN532 NFC module)
Near field communication (NFC) is a set of standards for smart phones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimeters.

Feature

Small dimension and easy to embed into your project
Support I2C, SPI and HSU (High Speed UART), easy to change between those modes
Support RFID reading and writing, P2P communication with peers, NFC with Android phone
RFID reader/writer supports:
Mifare 1k, 4k, Ultralight, and DesFire cards
ISO/IEC 14443-4 cards such as CD97BX, CD light, Desfire, P5CN072 (SMX)
Innovision Jewel cards such as IRT5001 card
FeliCa cards such as RCS_860 and RCS_854
Up to 5cm~7cm reading distance
On-board level shifter, Standard 5V TTL for I2C and UART, 3.3V TTL SPI
Arduino compatible, plug in and play with our shield
Here we connect the Raspberry Pi to the PN532 over the I2C interface and install the cracking software mfoc and mfcuk (Mifare Classic DarkSide Key Recovery Tool).

mfoc recovers the remaining keys of an M1 card that still has at least one default key, based on the nested authentication vulnerability.

mfcuk cracks fully encrypted cards (no known key) based on the darkside attack.

Both are developed on top of the libnfc library, so we also need to install libnfc.

Libnfc library Download

http://nfc-tools.org/index.php?title=Libnfc

Libnfc: configuration (Configuration Interface)

http://nfc-tools.org/index.php?title=Libnfc:configuration

Installation documentation (the device was read successfully using the libnfc-1.7.1.tar.bz2 package; with the version cloned from github the device was not found):

http://www.jamesrobertson.eu/blog/2016/feb/08/using-a-pn532-nfc-rfid-reader-with-the-raspberry-pi.html
(Figure: libnfc detecting the PN532)
Install mfoc and mfcuk

https://github.com/nfc-tools/

git clone https://github.com/nfc-tools/mfoc.git

cd mfoc/

autoreconf -vis

./configure

make

make install

#mfoc -O test.mfd //try to crack using the default keys

#mfoc -f key.txt -O test.mfd //use a key dictionary

mfcuk -C -R 0:A -v 2

References
http://blog.sina.com.cn/s/blog_9ed067ad0100z47e.html

http://blog.sina.com.cn/s/blog_683b6e4f0102vtfm.html

http://www.cnblogs.com/lubiao/p/4716965.html?ptvd

http://www.fuzzysecurity.com/tutorials/rfid/2.html

http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf

http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf

http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf

Origin: blog.csdn.net/kclax/article/details/93387122