Differences

This shows you the differences between two versions of the page.

--- project:freakcard:start [2016/11/27 05:35] – ruza
+++ project:freakcard:start [2021/06/05 17:28] (current) – [Biometric NFC passport and emulation] abyssal
@@ Line 25: / Line 25: @@
   * old [[https://code.google.com/p/proxmark3/source/checkout | SVN repo from code.google.com]]
   * new [[https://github.com/Proxmark/proxmark3 | github repo]]
+  * [[https://github.com/iceman1001/proxmark3 || iceman's fork]] - needed for full Ultralight EV1 simulation, has some extra Desfire client stuff
 The best revision for OS code is rev 838 from old SVN repo. All the stuff that I checked that should work works.
@@ Line 31: / Line 32: @@
 There is also a library available for PC/SC readers that supports many kinds of cards, but you need specific reader for each separate card - https://github.com/islog/liblogicalaccess/wiki
+======= Proxmark new versions - RDV4, EVO and pack with PN532 reader with Chameleon mini =======
+There are new versions of Proxmark, which are more compact, see the comparison table in the links at the bottom of the page
+  * https://lab401.com/collections/hardware/products/proxmark-3-rdv4
+  * https://lab401.com/collections/hardware/products/proxmark-3-evo
+  * https://lab401.com/collections/hardware/products/rfid-pentester-pack?variant=12470762307695 (has Proxmark + Chameleon + PN532 reader)
+  * https://lab401.com/products/chameleon-mini-reve-rebooted
+  * https://lab401.com/collections/hardware/products/usb-rfid-reader-writer-scl-3711
+======= PN532-based readers =======
+PN532 based readers:
+  * https://www.acs.com.hk/en/products/3/acr122u-usb-nfc-reader/
+  * https://www.acs.com.hk/en/products/109/acr122t-usb-tokens-nfc-reader/
+  * https://www.adafruit.com/product/789 - there are two board versions, one as Arduino shield, other has different pinout, but are in essence the same
+  * [[http://nfc-tools.org/index.php/Devices_compatibility_matrix | compatibility matrix with libnfc]]
+======= Software for PN532 readers =======
+  * https://github.com/nfc-tools/libnfc
+  * https://github.com/nfc-tools/libfreefare
+  * [[https://github.com/KaiQ/dat | Desfire Access Tool]] - there is ''v2.0'' branch with new stuff and rewrite
 ====== Decision tree. ======
@@ Line 234: / Line 260: @@
 == Desfire ==
-Get id: Same as Mifare Classic.
-<code>
+Multiple versions available
-lsnfc: (opencard)
-UID=041343xxxxxx80
+  * MIFARE DESFire D40
-Several possible matches:
+  * MIFARE DESFire EV1
-* NXP MIFARE DESFire 4k
+  * MIFARE DESFire EV2
-* NXP MIFARE Plus 1k
-* NXP MIFARE Plus 4k
+In order to find out you have Desfire, check SAK in anticollision. Then use get version command to see which Desfire version it is.
-* NXP JCOP31 or JCOP41
-</code>
+Has "applications" and several file types, but much more limited than Javacard (read, write, increase, decrease, add record, ..., see specs below). Some features:
+  * Virtually no limitation on number of applications per PICC (new)
+  * Up to 32 files in each application (6 file types available: Standard Data file, Back-up Data file, Value file, Linear Record file, Cyclic Record file and Transaction MAC file)
+  * File size is determined during creation (not for Transaction MAC file)
+  * DES, 3DES, AES encryption, depending on version
+  * EV2 supports proximity check against relay and ECC signature for UID (originality check)
+Command specifications (non-NDAed), with detailed formats for command data request and response formats: [[https://www.jadaktech.com/skyetekfiles/docs/m2/desfire.pdf]]
+Short [[https://www.nxp.com/docs/en/data-sheet/MF3DX2_MF3DHX2_SDS.pdf|MF3D(H)x2 MIFARE DESFire EV2 contactless multi-application IC]]. Contains command list, memory organization, file types, etc.
+[[https://github.com/KaiQ/dat|Desfire Access Tool]] - old Qt4 application for accessing and managing Desfire cards. Still works as of Nov 2018, though expect bugs. Uses libfreefare, which in turn uses libnfc and PN53x readers.
+Has native and wrapped ISO 7816 command modes: [[https://ridrix.wordpress.com/tag/desfire-commands/]]
 Full read: No working crpyto attack so far, unencrypted sectors can be read, also you can try to look for default keys.
@@ Line 253: / Line 294: @@
   * MF3ICD40 hacked: [[http://www.theregister.co.uk/2011/10/10/mifare_desfire_smartcard_broken/|theregister]], [[http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2011/10/10/desfire_2011_extended_1.pdf|paper]]
-Relay: see Relay attack
+Relay: see Relay attack; EV2 spec says it has relay attack protection, but no details.
+== Ultralight C, Ultralight EV1 and NTAG2 ==
+EV1 compared to old Ultralight has added 32-bit password for read/write access, ECC signature (static over UID, so copyable), OTP.
+Ultralight C has 3DES authentication on top of Ultralight features.
+[[https://www.nxp.com/docs/en/data-sheet/NTAG213F_216F.pdf | NTAG2]] is succesor to NTAG1, serves as NDEF Forum Type 2 tag. Has ECC signature, read counter, 7 byte UID, SLEEP mode (enable/disable card).
+Proxmark3 can simulate some of the features of Ultralight EV1/C, though the ECC signature seems missing (read works). There is [[https://github.com/iceman1001/proxmark3 | iceman's fork]]
+which [[http://www.proxmark.org/forum/viewtopic.php?id=3850 | seems to be able to simulate EV1]].
+Ultralight EV1 and NTAG2/1 can be [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | copied onto Magic NTAG21x]] with proxmark.
+== Magic NTAG2x, magic Ultralight C and magic Desfire ==
+[[http://proxmark3.tictail.com/ | IceSql]] sells "magic" cards to simulate NTAG2/NTAG1, Ultralight EV1 and others.
+There is a special [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | Lua script for proxmark to program them]].
+Information about the cards from proxmark (hf mfu i):
+<code>
+proxmark3> hf mfu i
+--- Tag Information ---------
+-------------------------------------------------------------
+      TYPE : MIFARE Ultralight (MF0ICU1) <magic>
+       UID : 11 22 33 55 66 77 88
+    UID[0] : 11, Emosyn-EM Microelectronics USA
+      BCC0 : 44, crc should be 88
+      BCC1 : FF, crc should be CC
+  Internal : FF, not default
+      Lock : ff ff  - 1111111111111111
+OneTimePad : ff ff ff ff  - 11111111111111111111111111111111
+proxmark3> hf mfu i
+--- Tag Information ---------
+-------------------------------------------------------------
+      TYPE : MIFARE Ultralight C (MF0ULC) <magic>
+       UID : 00 00 00 00 00 00 00
+    UID[0] : 00, no tag-info available
+      BCC0 : 00, crc should be 88
+      BCC1 : 00, Ok
+  Internal : 00, not default
+      Lock : 00 00  - 0000000000000000
+OneTimePad : 00 00 00 00  - 00000000000000000000000000000000
+--- UL-C Configuration
+ Higher Lockbits [40/0x28] : 00 00 00 00  - 0000000000000000
+         Counter [41/0x29] : 00 00 00 00  - 0000000000000000
+           Auth0 [42/0x2A] : 00 00 00 00  default
+           Auth1 [43/0x2B] : 00 00 00 00  read and write access restricted
+         deskey1 [44/0x2C] : 00 00 00 00  []
+         deskey1 [45/0x2D] : 00 00 00 00  []
+         deskey2 [46/0x2E] : 00 00 00 00  []
+         deskey2 [47/0x2F] : 00 00 00 00  []
+des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+</code>
+This shop sells [[https://www.rfxsecure.com/product/gen2-uid-changeable-fobs-1k-mf-4k-mf-ul-ul-c-df-ntag21x/ | lot of different changeable UID cards and keyfobs, 4-byte and 7-byte, including UID changeable Desfire]]/
+== Magic Desfire ==
+The "magic Desfire" is far from real Desfire, e.g.
+  * writing NDEF file seems to succeed, but read fails, you get just zeros
+  * libfreefare segfaults with the magic Desfire
+  * any SELECT APDU is responded to with OK, but there are no real applications
+In short, waste of money.
+Setting UID on magic Desfire with Proxmark:
+<code>
+hf 14a raw -s -c 02 00 ab 00 00 07 UID
+</code>
 == other mifare cards ==
@@ Line 260: / Line 381: @@
 but now widely deployed, at least no in .cz and .sk:
-  * Ultralight C
   * SmartMX
   * DESFire EV1
@@ Line 310: / Line 430: @@
 Proxmark can read them and so can some android phones.
-They contain UID and 64 bytes of data. Reading with proxmark can be done with:
+They contain UID and 4-byte blocks of data. Reading with proxmark can be done with:
 <code>
-hf 15 dumpmemory
+pm3 --> hf 15 reader
+ UID  : E0 16 24 66 1E C1 A5 AD
+ TYPE : EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
+pm3 --> hf 15 dump
+[=] Using UID as filename
+Reading memory from tag UID E0 16 24 66 1E C1 A5 AD
+....................................................[-] Tag returned Error 15: Unknown error.
+block#   | data         |lck| ascii
+---------+--------------+---+----------
+/0x00 | 3F 08 1A 4D  | 0 | ?..M
+/0x01 | 82 18 60 20  | 0 | ..`
+/0x02 | 00 38 00 50  | 0 | .8.P
+/0x03 | 1C 48 33 00  | 0 | .H3.
+/0x04 | 1B 00 00 00  | 0 | ....
+/0x05 | 00 00 00 00  | 0 | ....
+/0x06 | 00 00 00 00  | 0 | ....
+/0x07 | 00 00 00 00  | 0 | ....
+/0x08 | 00 00 00 00  | 0 | ....
+/0x09 | 00 00 00 00  | 0 | ....
+/0x0A | 00 00 00 00  | 0 | ....
+/0x0B | 00 00 00 00  | 0 | ....
+/0x0C | 00 00 00 00  | 0 | ....
+/0x0D | 00 00 00 00  | 0 | ....
+/0x0E | 00 00 00 00  | 0 | ....
+/0x0F | 00 00 00 00  | 0 | ....
+/0x10 | 00 00 00 00  | 0 | ....
+/0x11 | 00 00 00 00  | 0 | ....
+/0x12 | 00 00 00 00  | 0 | ....
+/0x13 | 00 00 00 00  | 0 | ....
+/0x14 | 00 00 00 00  | 0 | ....
+/0x15 | 00 00 00 00  | 0 | ....
+/0x16 | 00 00 00 00  | 0 | ....
+/0x17 | 00 00 00 00  | 0 | ....
+/0x18 | 00 00 00 00  | 0 | ....
+/0x19 | 00 00 00 00  | 0 | ....
+/0x1A | 00 00 00 00  | 0 | ....
+/0x1B | 00 00 00 00  | 0 | ....
+/0x1C | 2A 80 53 42  | 0 | *.SB
+/0x1D | 1F 90 53 42  | 0 | ..SB
+/0x1E | 33 00 00 00  | 0 | 3...
+/0x1F | 00 00 00 00  | 0 | ....
+/0x20 | 00 00 00 00  | 0 | ....
+/0x21 | 00 00 00 00  | 0 | ....
+/0x22 | 00 00 00 00  | 0 | ....
+/0x23 | 00 00 00 00  | 0 | ....
+/0x24 | 00 00 00 00  | 0 | ....
+/0x25 | 00 00 00 00  | 0 | ....
+/0x26 | 00 00 00 00  | 0 | ....
+/0x27 | 00 00 00 00  | 0 | ....
+/0x28 | 00 00 00 00  | 0 | ....
+/0x29 | 00 00 00 00  | 0 | ....
+/0x2A | 22 00 E1 23  | 0 | "..#
+/0x2B | C0 05 1B 01  | 0 | ....
+/0x2C | 4A 5C A0 1D  | 0 | J\..
+/0x2D | 1A 30 00 12  | 0 | .0..
+/0x2E | 50 E7 AB EC  | 0 | P...
+/0x2F | 60 00 00 00  | 0 | `...
+/0x30 | 00 00 40 7B  | 0 | ..@{
+/0x31 | 00 68 20 15  | 0 | .h .
+/0x32 | 00 00 00 00  | 0 | ....
+/0x33 | 00 00 00 00  | 0 | ....
 </code>
-Latest proxmark 2.3.0 has some basic ISO 15693 simulation functionality, but it's not working properly yet.
+Rfxsecure.com sells magic ISO-15693 cards with changeable UID. Either you need the iso15_magic from RRG repo or "hf 15 csetuid" from the official repo. The official repo's client segfaults on this right now, although it seems to change UID before segfault (signed/unsigned integer confusion, negative received octet count, etc). Proxmark developers have abysmal code standards and can't even use tags in repos.
+Changing UID, depending on repo (you need iso15_magic from RRG + read15.lua) or the segfaulting official repo with "hf 15 csetuid":
+<code>
+proxmark3> hf 15 reader
+#db# 12 octets read from IDENTIFY request:
+#db# NoErr CrcOK
+#db# 00 00 bf a5 c1 1e 66 24
+#db# 16 e0 56 a3
+#db# UID = E01624661EC1A5BF
+proxmark3> hf 15 csetuid E01624661EC1A5CA
+new UID | e0 16 24 66 1e c1 a5 ca
+Using backdoor Magic tag function
+received -1 octets
+Thread 4 "WorkerThread" received signal SIGSEGV, Segmentation fault.
+</code>
+With the magic scripts:
+<code>
+script run iso15_magic.lua -u E004013344556677
+</code>
-AFAIK there are no "Chinese backdoored clones" that would allow changing of UID.
+Neither will work on the first time likely. Retry at least 3 times. Same with "hf 15 dump" and "hf 15 restore".
+Note on cloned skipass ISO-15693 cards - they have counter in sector 2, so as soon as your cloned cards will desync, one of them will stop working.
 ==== Low Frequency card ====
 Emulation in general: http://www.t4f.org/en/projects/open-rfid-tag/55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :)
@@ Line 417: / Line 626: @@
 Usage around: building access system
-This information pertains to model Paradox C704. Full decoding in proxmark is not implemented, but the modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:
+This information pertains to model Paradox C704. Full decoding in proxmark is implemented, in the latest git version. The modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:
 <code>
 proxmark3> lf read
 proxmark3> data samples 40000
-proxmark3> data fskdemod
+loaded 40000 samples
+proxmark3> data plot
+proxmark3> lf paradox demod
+Paradox TAG ID: 000328176 (Full ID: 0ca05dadf) - FC: 50 - Card: 33142 - Checksum: b7 - RAW: 0f555555a5995566a699a6aa
 </code>
 Emulate:
-Not implemented in proxmark code, but the HID Prox emulation is very similar. Code in CmdHIDsimTAG() function of armsrc/lfops.c can be modified to transmit Paradox code. Frame marker needs to be modified to use 0x1F instead of 0x1D. The bits after frame marker do not seem to employ Manchester encoding.
+Latest proxmark code has clone Paradox to T5577 command. Iceman's fork has emulation.
+<code>
+pm3 --> lf paradox sim 50 33142
+Simulating Paradox - Facility Code: 50, CardNumber: 33142
+</code>
 === T55x7 universal emulation card ===
@@ Line 460: / Line 678: @@
   * [[http://www.hidglobal.com/technology.php?tech_cat=4&subcat_id=10]]
-===== Radio chips XXX =====
+===== Biometric passports with ISO-14443A NFC chip, chip emulation =====
+Passports can be read with [[http://rfidiot.org/ | RFIdiot]], e.g.
+<code>
+python2 mrpkey.py -g -R READER_LIBNFC 'L898902C<36908061940619406236<<<<<<<<<<<<<08'
+</code>
+Note the code is old, you need python2 and some patching to make it run.
+There is also attempt at emulation of passport - https://is.muni.cz/th/tc83s/ (in Slovak). It has code for emulation for first Proxmark.
+Run with in proxmark3 shell (use old client, old bootloader, old fullimage)
+<code>
+hf 14a sim 5 01020304
+</code>
+It is quite difficult to build now, also you will definitely need JTAG adapter as you would otherwise brick Proxmark in process.
+Everything on passport chip is plaintext except fingerprint.
-  * hcs300 ( KEELOQ )
+Prebuilt image (flash bootloader.elf and fullimage.elf in one session):
-    * Can be broken XXX
-  * NXP UCODE (passive UHF)
-  * NXP ICODE (HF)
-  * NXP HITAG (LF)
+{{ :project:freakcard:passport_emulator.zip |}}
 ===== RF Theory and antennas =====
 [[http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf|Microchip antenna/coil design guide ]]
@@ Line 662: / Line 897: @@
   * [[http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic|RFID_Cooking_with_Mifare_Classic]]
   * [[http://www.acs.com.hk/en/products/109/acr122t-usb-tokn-nfc-reader/|ACR122T USB reader with PN532 PIN]] (functional equivalent of Touchatag)