brmlab

User Tools

Site Tools

You are here: Hackerspace Prague » Projects » FreakCard
project:freakcard:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
project:freakcard:start [2019/01/25 14:11] – [Proxmark] RDV4, EVO and pentester pack with Chameleon and PN532 reader abyssalproject:freakcard:start [2021/06/05 17:28] (current) – [Biometric NFC passport and emulation] abyssal
Line 42: Line 42:
   * https://lab401.com/products/chameleon-mini-reve-rebooted   * https://lab401.com/products/chameleon-mini-reve-rebooted
   * https://lab401.com/collections/hardware/products/usb-rfid-reader-writer-scl-3711   * https://lab401.com/collections/hardware/products/usb-rfid-reader-writer-scl-3711
 +
 +======= PN532-based readers =======
 +
 +PN532 based readers:
 +
 +  * https://www.acs.com.hk/en/products/3/acr122u-usb-nfc-reader/
 +  * https://www.acs.com.hk/en/products/109/acr122t-usb-tokens-nfc-reader/
 +  * https://www.adafruit.com/product/789 - there are two board versions, one as Arduino shield, other has different pinout, but are in essence the same
 +  * [[http://nfc-tools.org/index.php/Devices_compatibility_matrix | compatibility matrix with libnfc]]
 +
 +======= Software for PN532 readers =======
 +
 +  * https://github.com/nfc-tools/libnfc
 +  * https://github.com/nfc-tools/libfreefare
 +  * [[https://github.com/KaiQ/dat | Desfire Access Tool]] - there is ''v2.0'' branch with new stuff and rewrite
 ====== Decision tree. ====== ====== Decision tree. ======
  
Line 294: Line 309:
 Ultralight EV1 and NTAG2/1 can be [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | copied onto Magic NTAG21x]] with proxmark. Ultralight EV1 and NTAG2/1 can be [[https://lab401.com/blogs/academy/magic-ntag-21x-getting-started | copied onto Magic NTAG21x]] with proxmark.
  
-== Magic NTAG2x and magic Ultralight C ==+== Magic NTAG2xmagic Ultralight C and magic Desfire ==
  
 [[http://proxmark3.tictail.com/ | IceSql]] sells "magic" cards to simulate NTAG2/NTAG1, Ultralight EV1 and others. [[http://proxmark3.tictail.com/ | IceSql]] sells "magic" cards to simulate NTAG2/NTAG1, Ultralight EV1 and others.
Line 341: Line 356:
  
  3des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00             3des key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00           
 +</code>
 +
 +This shop sells [[https://www.rfxsecure.com/product/gen2-uid-changeable-fobs-1k-mf-4k-mf-ul-ul-c-df-ntag21x/ | lot of different changeable UID cards and keyfobs, 4-byte and 7-byte, including UID changeable Desfire]]/
 +
 +== Magic Desfire ==
 +
 +The "magic Desfire" is far from real Desfire, e.g.
 +
 +  * writing NDEF file seems to succeed, but read fails, you get just zeros
 +  * libfreefare segfaults with the magic Desfire
 +  * any SELECT APDU is responded to with OK, but there are no real applications
 +
 +In short, waste of money.
 +
 +Setting UID on magic Desfire with Proxmark:
 +
 +<code>
 +hf 14a raw -s -c 02 00 ab 00 00 07 UID
 </code> </code>
  
Line 397: Line 430:
 Proxmark can read them and so can some android phones. Proxmark can read them and so can some android phones.
  
-They contain UID and 64 bytes of data. Reading with proxmark can be done with:+They contain UID and 4-byte blocks of data. Reading with proxmark can be done with:
  
 <code> <code>
-hf 15 dumpmemory+pm3 --> hf 15 reader 
 + UID  : E0 16 24 66 1E C1 A5 AD           
 + TYPE : EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102           
 +pm3 --> hf 15 dump 
 +[=] Using UID as filename           
 +Reading memory from tag UID E0 16 24 66 1E C1 A5 AD           
 +....................................................[-] Tag returned Error 15: Unknown error.           
 + 
 +           
 +block#   | data         |lck| ascii           
 +---------+--------------+---+----------           
 +  0/0x00 | 3F 08 1A 4D  | 0 | ?..M           
 +  1/0x01 | 82 18 60 20  | 0 | ..`            
 +  2/0x02 | 00 38 00 50  | 0 | .8.P           
 +  3/0x03 | 1C 48 33 00  | 0 | .H3.           
 +  4/0x04 | 1B 00 00 00  | 0 | ....           
 +  5/0x05 | 00 00 00 00  | 0 | ....           
 +  6/0x06 | 00 00 00 00  | 0 | ....           
 +  7/0x07 | 00 00 00 00  | 0 | ....           
 +  8/0x08 | 00 00 00 00  | 0 | ....           
 +  9/0x09 | 00 00 00 00  | 0 | ....           
 + 10/0x0A | 00 00 00 00  | 0 | ....           
 + 11/0x0B | 00 00 00 00  | 0 | ....           
 + 12/0x0C | 00 00 00 00  | 0 | ....           
 + 13/0x0D | 00 00 00 00  | 0 | ....           
 + 14/0x0E | 00 00 00 00  | 0 | ....           
 + 15/0x0F | 00 00 00 00  | 0 | ....           
 + 16/0x10 | 00 00 00 00  | 0 | ....           
 + 17/0x11 | 00 00 00 00  | 0 | ....           
 + 18/0x12 | 00 00 00 00  | 0 | ....           
 + 19/0x13 | 00 00 00 00  | 0 | ....           
 + 20/0x14 | 00 00 00 00  | 0 | ....           
 + 21/0x15 | 00 00 00 00  | 0 | ....           
 + 22/0x16 | 00 00 00 00  | 0 | ....           
 + 23/0x17 | 00 00 00 00  | 0 | ....           
 + 24/0x18 | 00 00 00 00  | 0 | ....           
 + 25/0x19 | 00 00 00 00  | 0 | ....           
 + 26/0x1A | 00 00 00 00  | 0 | ....           
 + 27/0x1B | 00 00 00 00  | 0 | ....           
 + 28/0x1C | 2A 80 53 42  | 0 | *.SB           
 + 29/0x1D | 1F 90 53 42  | 0 | ..SB           
 + 30/0x1E | 33 00 00 00  | 0 | 3...           
 + 31/0x1F | 00 00 00 00  | 0 | ....           
 + 32/0x20 | 00 00 00 00  | 0 | ....           
 + 33/0x21 | 00 00 00 00  | 0 | ....           
 + 34/0x22 | 00 00 00 00  | 0 | ....           
 + 35/0x23 | 00 00 00 00  | 0 | ....           
 + 36/0x24 | 00 00 00 00  | 0 | ....           
 + 37/0x25 | 00 00 00 00  | 0 | ....           
 + 38/0x26 | 00 00 00 00  | 0 | ....           
 + 39/0x27 | 00 00 00 00  | 0 | ....           
 + 40/0x28 | 00 00 00 00  | 0 | ....           
 + 41/0x29 | 00 00 00 00  | 0 | ....           
 + 42/0x2A | 22 00 E1 23  | 0 | "..#           
 + 43/0x2B | C0 05 1B 01  | 0 | ....           
 + 44/0x2C | 4A 5C A0 1D  | 0 | J\..           
 + 45/0x2D | 1A 30 00 12  | 0 | .0..           
 + 46/0x2E | 50 E7 AB EC  | 0 | P...           
 + 47/0x2F | 60 00 00 00  | 0 | `...           
 + 48/0x30 | 00 00 40 7B  | 0 | ..@{           
 + 49/0x31 | 00 68 20 15  | 0 | .h .           
 + 50/0x32 | 00 00 00 00  | 0 | ....           
 + 51/0x33 | 00 00 00 00  | 0 | ....           
 </code> </code>
  
-Latest proxmark 2.3.0 has some basic ISO 15693 simulation functionalitybut it's not working properly yet.+Rfxsecure.com sells magic ISO-15693 cards with changeable UID. Either you need the iso15_magic from RRG repo or "hf 15 csetuid" from the official repo. The official repo's client segfaults on this right nowalthough it seems to change UID before segfault (signed/unsigned integer confusion, negative received octet count, etc). Proxmark developers have abysmal code standards and can't even use tags in repos.
  
-AFAIK there are no "Chinese backdoored clones" that would allow changing of UID.+Changing UID, depending on repo (you need iso15_magic from RRG + read15.lua) or the segfaulting official repo with "hf 15 csetuid":
  
 +<code>
 +proxmark3> hf 15 reader
 +#db# 12 octets read from IDENTIFY request:          
 +#db# NoErr CrcOK          
 +#db# 00 00 bf a5 c1 1e 66 24          
 +#db# 16 e0 56 a3          
 +#db# UID = E01624661EC1A5BF          
 +proxmark3> hf 15 csetuid E01624661EC1A5CA
 +          
 +new UID | e0 16 24 66 1e c1 a5 ca           
 +Using backdoor Magic tag function          
 +received -1 octets          
 +
 +Thread 4 "WorkerThread" received signal SIGSEGV, Segmentation fault.
 +
 +</code>
 +
 +With the magic scripts:
 +
 +<code>
 +script run iso15_magic.lua -u E004013344556677
 +</code>
  
 +Neither will work on the first time likely. Retry at least 3 times. Same with "hf 15 dump" and "hf 15 restore".
  
 +Note on cloned skipass ISO-15693 cards - they have counter in sector 2, so as soon as your cloned cards will desync, one of them will stop working.
 ==== Low Frequency card ==== ==== Low Frequency card ====
 Emulation in general: http://www.t4f.org/en/projects/open-rfid-tag/55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :) Emulation in general: http://www.t4f.org/en/projects/open-rfid-tag/55 this looks like a very nice generic emulator for LF, some hw guru could look into assembling it? lukash willing to help :)
Line 506: Line 626:
 Usage around: building access system Usage around: building access system
  
-This information pertains to model Paradox C704. Full decoding in proxmark is not implemented, but the modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:+This information pertains to model Paradox C704. Full decoding in proxmark is implemented, in the latest git version. The modulation is Fc/8/10 FSK, thus raw data transmitted by the tag can be read with:
  
 <code> <code>
 proxmark3> lf read proxmark3> lf read
 proxmark3> data samples 40000 proxmark3> data samples 40000
-proxmark3> data fskdemod+loaded 40000 samples           
 +proxmark3> data plot 
 +proxmark3> lf paradox demod 
 +Paradox TAG ID: 000328176 (Full ID: 0ca05dadf) - FC: 50 - Card: 33142 - Checksum: b7 - RAW: 0f555555a5995566a699a6aa          
 </code> </code>
  
 Emulate: Emulate:
  
-Not implemented in proxmark code, but the HID Prox emulation is very similar. Code in CmdHIDsimTAG() function of armsrc/lfops.c can be modified to transmit Paradox code. Frame marker needs to be modified to use 0x1F instead of 0x1D. The bits after frame marker do not seem to employ Manchester encoding.+Latest proxmark code has clone Paradox to T5577 command. Iceman's fork has emulation. 
 + 
 +<code> 
 +pm3 --> lf paradox sim 50 33142 
 +Simulating Paradox - Facility Code: 50, CardNumber: 33142 
 +</code
  
 === T55x7 universal emulation card === === T55x7 universal emulation card ===
Line 549: Line 678:
   * [[http://www.hidglobal.com/technology.php?tech_cat=4&subcat_id=10]]   * [[http://www.hidglobal.com/technology.php?tech_cat=4&subcat_id=10]]
  
-===== Radio chips XXX =====+===== Biometric passports with ISO-14443A NFC chip, chip emulation ===== 
 + 
 +Passports can be read with [[http://rfidiot.org/ | RFIdiot]], e.g. 
 + 
 +<code> 
 +python2 mrpkey.py -g -R READER_LIBNFC 'L898902C<36908061940619406236<<<<<<<<<<<<<08' 
 +</code> 
 + 
 +Note the code is old, you need python2 and some patching to make it run. 
 + 
 +There is also attempt at emulation of passport - https://is.muni.cz/th/tc83s/ (in Slovak). It has code for emulation for first Proxmark. 
 + 
 +Run with in proxmark3 shell (use old client, old bootloader, old fullimage) 
 + 
 +<code> 
 +hf 14a sim 5 01020304 
 +</code> 
 + 
 +It is quite difficult to build now, also you will definitely need JTAG adapter as you would otherwise brick Proxmark in process. 
 + 
 +Everything on passport chip is plaintext except fingerprint.
  
-  * hcs300 KEELOQ ) +Prebuilt image (flash bootloader.elf and fullimage.elf in one session):
-    * Can be broken XXX +
-  * NXP UCODE (passive UHF) +
-  * NXP ICODE (HF) +
-  * NXP HITAG (LF)+
  
 +{{ :project:freakcard:passport_emulator.zip |}}
 ===== RF Theory and antennas ===== ===== RF Theory and antennas =====
 [[http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf|Microchip antenna/coil design guide ]] [[http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf|Microchip antenna/coil design guide ]]
project/freakcard/start.1548425466.txt.gz · Last modified: 2019/01/25 14:11 by abyssal