Preface
Xiaomi phones with NFC can emulate unencrypted access cards; for encrypted ones you are supposed to use Xiaomi's blank-card feature and have property management write the card for you. Right... as if property management would ever cooperate! Better to crack it yourself and tinker a bit; it doesn't cost much either.
This tutorial covers only cracking a Mifare Classic 1K card and writing it into a Xiaomi phone. It must not be used for any other, illegal purpose.
How it works
In the figure above, sector 0 holds the card's ID (the UID sits in block 0, the manufacturer block). On a normal card it is write-protected, but so-called UID cards exist whose sector 0 is not locked. Sector 5 is an encrypted sector: light green is key A, dark green is key B. Each sector's key A and key B live in its last block (the sector trailer) together with the access bits that decide what each key may read or write; a reader has to authenticate with the right key before it can touch the sector's data. The plan is to recover key A and key B of the encrypted sectors, use them to read the sector contents, and finally write everything into the Xiaomi phone.
Preparation
- Hardware: an NFC-capable Xiaomi phone; the access card to crack; a PN532 (thirty-odd yuan on Taobao; best to buy one with the USB-serial chip already soldered on); UID blank cards (the epoxy-coated tags) with an unlocked sector 0, 5 yuan for a handful on Taobao; ask the seller before buying.
- Software: the Windows driver, the cracking tools nfc-tools (in the pn532 folder), and the mifare app. Link: https://pan.baidu.com/s/1sHoHCWKlv8s_GFpNVEVi7g extraction code: vp89
Install the mifare app on the phone first.
Then install the driver on the PC. There are two versions: v1200 is the newest, v110 the old one. My Win10 can't use the v1200 driver; the device shows up with an exclamation mark.
In that case install the older driver, then in Device Manager right-click the device and choose Update driver -> Browse my computer for driver software -> Let me pick from a list of available drivers on my computer.
Select the 2009 version and click Next to install it.
The exclamation mark on the device should now be gone, and the device is attached to a COM port (COM5 in my case).
Open the libnfc.conf file in the pn532 folder and change the port in its device connection string to the COM port your device is actually attached to (the nfc-list output below shows pn532_uart:COM5).
Finally, test it. Put your access card on the PN532. In the downloaded pn532 folder, shift+right-click to open the context menu, choose Open PowerShell window here, and run the .\nfc-list command:
PS C:\apps\pn532> .\nfc-list
C:\apps\pn532\nfc-list.exe uses libnfc 1.7.1
NFC device: pn532_uart:COM5 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 08
If you see output like this, the PN532 is working.
Procedure
Cracking the encrypted card with mfoc
Put the access card on the PN532 and run .\mfoc -P 50 -T 30 -O mycard.mfd in the terminal to start cracking. -O names the dump file; -P raises the number of probes per sector and -T the nonce-distance tolerance above their defaults, which helps on cards where the nested attack is slow to converge. mfoc first tries a list of default keys on every sector and then needs at least one sector it can open; it uses that one as the exploit sector for the nested attack against the remaining keys. If no sector accepts a default key, mfoc alone cannot get in.
PS C:\apps\pn532> .\mfoc -P 50 -T 30 -O mycard.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxx.xxxx......]
[Key: a0a1a2a3a4a5] -> [xxxxx.xxxx......]
[Key: d3f7d3f7d3f7] -> [xxxxx.xxxx......]
[Key: 000000000000] -> [xxxxx.xxxx......]
[Key: b0b1b2b3b4b5] -> [xxxxx.xxxx......]
[Key: 4d3a99c351dd] -> [xxxxx.xxxx......]
[Key: 1a982c7e459a] -> [xxxxx.xxxx......]
[Key: aabbccddeeff] -> [xxxxx.xxxx......]
[Key: 714c5c886e97] -> [xxxxx.xxxx......]
[Key: 587ee5f9350f] -> [xxxxx.xxxx......]
[Key: a0478cc39091] -> [xxxxx.xxxx......]
[Key: 533cb6c723f6] -> [xxxxx.xxxx......]
[Key: 8fd0a4f256e9] -> [xxxxx.xxxx......]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 07 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 08 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 09 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Unknown Key A Unknown Key B
Using sector 00 as an exploit sector
Sector: 5, type A, probe 0, distance 12969 .....
Sector: 5, type A, probe 1, distance 13027 .....
Sector: 5, type A, probe 2, distance 12823 .....
Sector: 5, type A, probe 3, distance 12879 .....
Sector: 5, type A, probe 4, distance 12519 .....
Sector: 5, type A, probe 5, distance 12619 .....
Sector: 5, type A, probe 6, distance 12679 .....
Sector: 5, type A, probe 7, distance 12527 .....
Sector: 5, type A, probe 8, distance 12525 .....
Sector: 5, type A, probe 9, distance 12577 .....
Sector: 5, type A, probe 10, distance 12569 .....
Sector: 5, type A, probe 11, distance 12625 .....
Sector: 5, type A, probe 12, distance 12615 .....
Sector: 5, type A, probe 13, distance 12669 .....
Sector: 5, type A, probe 14, distance 12565 .....
Sector: 5, type A, probe 15, distance 12623 .....
Sector: 5, type A, probe 16, distance 12569 .....
Found Key: A [3aa93eb6a6eb]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 10, type A, probe 0, distance 12571 .....
Sector: 10, type A, probe 1, distance 12569 .....
Found Key: A [bdbb578b6c89]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 11, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 12, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 13, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 14, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 15, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 5, type B, probe 0, distance 12721 .....
Sector: 5, type B, probe 1, distance 12621 .....
Sector: 5, type B, probe 2, distance 12621 .....
Sector: 5, type B, probe 3, distance 12573 .....
Found Key: B [0604acbb55d5]
Sector: 10, type B
Found Key: B [bdbb578b6c89]
Sector: 11, type B
Found Key: B [bdbb578b6c89]
Sector: 12, type B
Found Key: B [bdbb578b6c89]
Sector: 13, type B
Found Key: B [bdbb578b6c89]
Sector: 14, type B
Found Key: B [bdbb578b6c89]
Sector: 15, type B
Found Key: B [bdbb578b6c89]
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key bdbb578b6c89 :00 00 00 00 00 00 7f 07 88 69 00 00 00 00 00 00
....
The output shows that mfoc found three keys: 3aa93eb6a6eb, bdbb578b6c89 and 0604acbb55d5. Note them down; they are needed later. The lines reading "Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!" are expected: the access bits of these sectors (7f 07 88 69 in the Block 63 line) do not allow key B to be read, so the trailer read returns zeros for it and mfoc has to recover key B with a separate run of the nested attack.
On success, mycard.mfd is generated in the pn532 folder.
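As an added example (not from the original post and not part of mfoc or libnfc), the following Python script shows what is inside that dump: it splits a 1K dump into sectors, decodes and validates each trailer's access bits, and reports which keys you would need to note down and why key B could not simply be read with key A. The sample dump is constructed inline from values on this page (UID 24 99 01 dd, the three recovered keys, the 7f 07 88 69 access bits of block 63) and assumes, as an mfoc dump does, that the trailer key fields contain the recovered keys rather than the zeros the card itself returns.

```python
# Added example (not from the original post): inspect a MIFARE Classic 1K
# dump in the .mfd layout mfoc produces and decode each sector trailer.

BLOCK = 16
SECTOR = 4 * BLOCK      # 1K card: 16 sectors of 4 blocks, trailer is block 3
SECTORS = 16

# Trailer access conditions keyed by (C1, C2, C3) of block 3, as tuples of
# (key A write, access bits read, access bits write, key B read, key B write).
# Key A is never readable under any condition.
TRAILER_COND = {
    (0, 0, 0): ("A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "A", "never", "A", "never"),
    (1, 0, 0): ("B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("A", "A", "A", "A", "A"),          # transport configuration
    (0, 1, 1): ("B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "A|B", "never", "never", "never"),
}


def decode_access_bits(c: bytes):
    """Decode trailer bytes 6..8 into (C1, C2, C3) per block 0..3 and check
    the inverted-nibble redundancy:
        byte6 = ~C2 << 4 | ~C1    byte7 = C1 << 4 | ~C3    byte8 = C3 << 4 | C2
    Bit i of each nibble belongs to block i. A trailer whose inverted copies
    disagree locks the sector for good, so check this before writing one."""
    b6, b7, b8 = c[0], c[1], c[2]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    valid = b6 == ((~c2 & 0xF) << 4 | (~c1 & 0xF)) and (b7 & 0x0F) == (~c3 & 0xF)
    per_block = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return per_block, valid


def parse_dump(dump: bytes):
    """One record per sector: keys, access bits, and whether key B can be
    read through key A. If it cannot, a trailer read returns zeros for it,
    which is what mfoc reports as "revealed Key B: [000000000000] ... Failed"."""
    if len(dump) != SECTORS * SECTOR:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    records = []
    for s in range(SECTORS):
        trailer = dump[s * SECTOR + 3 * BLOCK:(s + 1) * SECTOR]
        per_block, valid = decode_access_bits(trailer[6:9])
        cond = TRAILER_COND[per_block[3]]
        records.append({
            "sector": s,
            "key_a": trailer[0:6].hex(),
            "key_b": trailer[10:16].hex(),
            "access_valid": valid,
            "trailer_bits": per_block[3],
            "data_bits": per_block[:3],
            "key_b_readable": cond[3] == "A",
        })
    return records


def unique_keys(records):
    """Distinct non-default keys in first-seen order: the list you would
    note down from the mfoc output."""
    seen = []
    for rec in records:
        for k in (rec["key_a"], rec["key_b"]):
            if k != "ffffffffffff" and k not in seen:
                seen.append(k)
    return seen


# --- constructed sample dump (values taken from the page) -----------------
UID = bytes.fromhex("249901dd")                       # from the nfc-list output
BCC = bytes([UID[0] ^ UID[1] ^ UID[2] ^ UID[3]])
MANUFACTURER_BLOCK = UID + BCC + bytes.fromhex("080400") + bytes(8)  # SAK 08, ATQA 0004

FACTORY = "ffffffffffff" "ff078069" "ffffffffffff"    # transport keys and access bits
SECTOR5 = "3aa93eb6a6eb" "7f078869" "0604acbb55d5"    # keys mfoc found for sector 5
SECTOR10 = "bdbb578b6c89" "7f078869" "bdbb578b6c89"   # keys mfoc found for 10..15


def _sector(trailer_hex):
    return bytes(3 * BLOCK) + bytes.fromhex(trailer_hex)


SAMPLE_DUMP = (
    MANUFACTURER_BLOCK + bytes(2 * BLOCK) + bytes.fromhex(FACTORY)
    + _sector(FACTORY) * 4
    + _sector(SECTOR5)
    + _sector(FACTORY) * 4
    + _sector(SECTOR10) * 6
)


def report(dump: bytes = SAMPLE_DUMP):
    """Text summary, one line per sector, plus the keys worth noting."""
    lines = []
    for r in parse_dump(dump):
        lines.append("sector %2d  A=%s  B=%s  trailer=%s  access_ok=%s  keyB_readable=%s"
                     % (r["sector"], r["key_a"], r["key_b"],
                        "".join(map(str, r["trailer_bits"])),
                        r["access_valid"], r["key_b_readable"]))
    lines.append("keys to note: " + ", ".join(unique_keys(parse_dump(dump))))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it as-is to see one line per sector; to inspect a real dump, pass the contents of mycard.mfd to parse_dump instead of SAMPLE_DUMP. The access-bit check is the part worth keeping around: a card accepts a trailer with mismatching inverted nibbles and then blocks that sector permanently, so validate any trailer you intend to write.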
Writing the UID blank card
Put the blank card from Taobao on the PN532 and run .\nfc-mfclassic W a mycard.mfd. On success you get a clone with the same contents as the original card. The uppercase W matters: it makes nfc-mfclassic send the backdoor unlock sequence these "magic" UID cards understand (the Sent bits: 40 (7 bits) / Received bits: a exchange in the output) so that block 0, and with it the UID, can be written; a genuine card ignores that sequence and its block 0 stays read-only.
PS C:\apps\pn532> .\nfc-mfclassic W a mycard.mfd
NFC reader: pn532_uart:COM5 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
Note that the last line of the output must say Done; anything else means the write failed.
Clearing the blank card's data sectors
The cloned blank card is now identical to the original, encrypted sectors included, so it cannot be emulated directly on the Xiaomi phone. Everything except sector 0 has to be wiped from the blank card, and to overwrite the encrypted sectors the app first needs the keys that open them.
Open the mifare app on the phone. Choose Add key file and create a file named mykey.keys. Its first line must be FFFFFFFFFFFF; below it paste the keys mfoc found above and save. Back at the main menu choose Write tag -> Factory format and tick your custom key file. Hold the cloned blank card to the back of the phone; once it is recognized, tap Start mapping and format tag. When it finishes, use Read tag to check that every sector except sector 0 is now blank.
Cloning sector 0 to the phone
Open the Mi Wallet app and choose Door card -> Emulate physical card. Tap Start detection and hold the wiped blank card to the back of the phone; once it is detected and passes the check, emulation begins. When it finishes, double-press the power button to see the emulated card.
Writing the remaining data sectors
Double-press the power button and pick the emulated card. When the phone asks you to hold it near the reader, place the back of the phone on the PN532 and run .\nfc-mfclassic w a mycard.mfd in the terminal. Note that the w here is lowercase: without the unlock sequence nfc-mfclassic leaves block 0 alone, which is why the output reports 63 of 64 blocks written; the UID was already set in the previous step. The emulated card also answers with SAK 28 instead of the card's 08 because the phone's NFC chip additionally supports ISO/IEC 14443-4; nfc-mfclassic still treats it as a 1K card.
PS C:\apps\pn532> .\nfc-mfclassic w a mycard.mfd
NFC reader: pn532_uart:COM5 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 28
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.
Once the output says Done, emulation of the encrypted card is complete. Go try it on the door reader.
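The following Python script, added here and not part of the original post or of the tools it uses, covers the checks around the two write steps above. It builds the contents of the key file the mifare app needs (FFFFFFFFFFFF first, then the recovered keys), computes the image the blank card should show after the factory format, and compares a dump read back from a card (for instance with the read mode of the same tool, .\nfc-mfclassic r a readback.mfd) against the dump that was written, ignoring the trailer key fields that never read back from the card. All inputs are constructed inline from the values on this page; the function names and the corrupt_block parameter are this example's own.

```python
# Added example (not from the original post): key file generation, the
# expected post-format image, and a read-back comparison for the clone.
# Inputs are constructed inline; nothing is read from a real card.

BLOCK, SECTOR, SECTORS = 16, 64, 16
FACTORY_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")


def mct_key_file(dump: bytes) -> str:
    """Contents of the phone-side key file: FFFFFFFFFFFF on the first line,
    then every distinct key taken from the dump's sector trailers."""
    keys = ["FFFFFFFFFFFF"]
    for s in range(SECTORS):
        trailer = dump[s * SECTOR + 48:(s + 1) * SECTOR]
        for k in (trailer[:6].hex().upper(), trailer[10:].hex().upper()):
            if k not in keys:
                keys.append(k)
    return "\n".join(keys) + "\n"


def factory_format_image(dump: bytes) -> bytes:
    """The state the blank card should be in after the factory format step:
    sector 0 untouched, every other data block zeroed and every other
    trailer back to FF keys with transport access bits."""
    out = bytearray(dump[:SECTOR])
    for _ in range(1, SECTORS):
        out += bytes(3 * BLOCK) + FACTORY_TRAILER
    return bytes(out)


def verify_clone(written: bytes, readback: bytes):
    """Compare a dump read back from a card with the dump that was written.
    Key A never reads back from the card and key B usually does not either,
    so the key fields of a read-back trailer hold whatever the reader tool
    filled in, not card contents; only the access bits and GPB (bytes 6..9)
    of trailers are compared. Data blocks and the manufacturer block are
    compared in full. Returns the (sector, block) pairs that differ; an
    empty list means the clone matches."""
    if len(written) != len(readback) or len(written) != SECTORS * SECTOR:
        raise ValueError("both dumps must be 1024 bytes")
    diffs = []
    for b in range(SECTORS * 4):
        w = written[b * BLOCK:(b + 1) * BLOCK]
        r = readback[b * BLOCK:(b + 1) * BLOCK]
        if b % 4 == 3:                      # sector trailer
            w, r = w[6:10], r[6:10]
        if w != r:
            diffs.append((b // 4, b))
    return diffs


# --- constructed sample data (values taken from the page) -----------------
def sample_original() -> bytes:
    """A dump shaped like mycard.mfd: UID 24 99 01 dd, one data block with
    content, sector 5 and sectors 10..15 carrying the recovered keys."""
    uid = bytes.fromhex("249901dd")
    block0 = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]]) \
        + bytes.fromhex("080400") + bytes(8)
    trailers = [FACTORY_TRAILER] * SECTORS
    trailers[5] = bytes.fromhex("3aa93eb6a6eb" "7f078869" "0604acbb55d5")
    for s in range(10, 16):
        trailers[s] = bytes.fromhex("bdbb578b6c89" "7f078869" "bdbb578b6c89")
    out = bytearray(block0 + bytes(2 * BLOCK) + trailers[0])
    for t in trailers[1:]:
        out += bytes(3 * BLOCK) + t
    out[4 * BLOCK:5 * BLOCK] = b"ACCESS-CONTROL-1"      # sector 1, block 4
    return bytes(out)


def sample_readback(written: bytes, corrupt_block=None) -> bytes:
    """What a read of the card looks like: trailer key fields zeroed (the
    card never returns them); optionally one block damaged to show detection."""
    out = bytearray(written)
    for s in range(SECTORS):
        t = s * SECTOR + 48
        out[t:t + 6] = bytes(6)
        out[t + 10:t + 16] = bytes(6)
    if corrupt_block is not None:
        out[corrupt_block * BLOCK:(corrupt_block + 1) * BLOCK] = bytes([0xFF]) * BLOCK
    return bytes(out)


if __name__ == "__main__":
    orig = sample_original()
    print(mct_key_file(orig))
    print("clean readback:", verify_clone(orig, sample_readback(orig)))
    print("damaged block 4:", verify_clone(orig, sample_readback(orig, corrupt_block=4)))
```

With a real card, read the clone back into its own file after each write and hand both files to verify_clone; a Done line only says the write commands were acknowledged, while an empty diff list says the data actually landed. Comparing only bytes 6..9 of each trailer is deliberate: a naive byte-for-byte diff would flag every trailer because of the unreadable key fields.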