【NFC】Connecting an ACR122U on macOS

Posted by 西维蜀黍 on 2021-08-02, Last Modified on 2024-08-28

Installing libnfc

The ACR122U is an NFC (Near Field Communication) reader. To use it on macOS you normally need to install the matching driver and library.

Via brew

Run the following command to install libnfc:

brew install libnfc

Via manual build

$ brew install libtool automake autoconf libusb pkg-config
$ git clone https://github.com/nfc-tools/libnfc
$ autoreconf -vis
$ ./configure --with-drivers=acr122_pcsc
$ sudo make clean all && sudo make && sudo make install

Configuring libnfc

After installation, libnfc needs to be configured to use the ACR122U reader.

Create the configuration file:

Create a configuration file named acr122_usb.conf under libnfc's devices.d directory. The path below is for a Homebrew prefix of /usr/local; on an Apple silicon Mac the prefix is normally /opt/homebrew, so substitute that.

mkdir -p /usr/local/etc/nfc/devices.d
echo "device.connstring = 'usb:072f/2200'" > /usr/local/etc/nfc/devices.d/acr122_usb.conf

Connecting to the ACR122U with nfc-list

Make sure the ACR122U is plugged into your Mac, then run the following command to check the device connection:

$ nfc-list

# or
$ sudo LIBNFC_LOG_LEVEL=3 nfc-list -v

If everything is configured correctly you should see output like the following, showing that the reader was recognised:

nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened

# My case
nfc-list uses libnfc 1.8.0
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 34  46  0d  c4
      SAK (SEL_RES): 88

Installing pcsc-lite

pcsc-lite is middleware that provides smart card services; many NFC applications depend on it.

Install pcsc-lite:

brew install pcsc-lite

Cracking a card

Cracking a card with mfoc

$ brew install mfoc

# Put the card to be cracked on the reader

# mfoc will try to recover the card keys and dump the card contents to dump.mfd.
$ sudo mfoc -O dump.mfd

# view the dump result
$ xxd dump.mfd
00000000: 3446 0dc4 bb88 0400 8500 0000 0000 0000  4F..............
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: ffff ffff ffff ff07 8069 ffff ffff ffff  .........i......
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Help

$ mfoc -h
Usage: mfoc [-h] [-k key]... [-P probnum] [-T tolerance] [-O output]

  h     print this help and exit
  k     try the specified key in addition to the default keys
  P     number of probes per sector, instead of default of 20
  T     nonce tolerance half-range, instead of default of 20
        (i.e., 40 for the total range, in both directions)
  O     file in which the card contents will be written (REQUIRED)

Example: mfoc -O mycard.mfd
Example: mfoc -k ffffeeeedddd -O mycard.mfd
Example: mfoc -P 50 -T 30 -O mycard.mfd

This is mfoc version 0.10.7.
For more information, run: 'man mfoc'.

Reading a card with nfc-mfclassic (once a key is known)

# Read card to file, using key A:
$ nfc-mfclassic r a u bb_card_nfc-mfclassic.mfd
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 34  46  0d  c4
      SAK (SEL_RES): 88
RATS support: no
Guessing size: seems to be a 1024-byte card
Reading out 64 blocks |................................................................|
Done, 64 of 64 blocks read.
Writing data to file: bb_card_nfc-mfclassic.mfd ...Done.

Using mfcuk

If the access card is fully encrypted (no sector uses a default key), the mfoc run above fails with:

No sector encrypted with the default key has been found, exiting..

In that case we need mfcuk. It uses the Dark Side attack, likewise published in 2009, which exploits a flaw in the authentication protocol to recover a key; it can take about an hour to recover one. Once a single key has been obtained, the remaining keys can be recovered with mfoc exactly as for the partially encrypted card above.

First run mfcuk -C -R 0:A -s 250 -S 250, then wait (a long time). When the following output appears, the key has been recovered:

INFO: block 3 recovered KEY: 123456789ABC

Pass the recovered key to mfoc by running mfoc -k 123456789ABC -O dump.mfd, and the complete card data can be recovered.

# install
$ brew install mfcuk

$ mfcuk
mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, zveriu@gmail.com, http://andreicostin.com

Usage:
-C - require explicit connection to the reader. Without this option, the connection is not made and recovery will not occur
-i mifare.dmp - load input mifare_classic_tag type dump
-I mifare_ext.dmp - load input extended dump specific to this tool, has several more fields on top of mifare_classic_tag type dump
-o mifare.dmp - output the resulting mifare_classic_tag dump to a given file
-O mifare_ext.dmp - output the resulting extended dump to a given file
-V sector[:A/B/any_other_alphanum[:fullkey]] - verify key for specified sector, -1 means all sectors
	After first semicolon key-type can specified: A verifies only keyA, B verifies only keyB, anything else verifies both keys
	After second semicolon full 12 hex-digits key can specified - this key will override any loaded dump key for the given sector(s) and key-type(s)
-R sector[:A/B/any_other_alphanum] - recover key for sector, -1 means all sectors.
	After first semicolon key-type can specified: A recovers only keyA, B recovers only keyB, anything else recovers both keys
-U UID - force specific UID. If a dump was loaded with -i, -U will overwrite the in the memory where dump was loaded
-M tagtype - force specific tagtype. 8 is 1K, 24 is 4K, 32 is DESFire
-D - for sectors and key-types marked for verification, in first place use default keys to verify (maybe you are lucky)
-d key - specifies additional full 12 hex-digits default key to be checked. Multiple -d options can be used for more additional keys
-s - milliseconds to sleep for SLEEP_AT_FIELD_OFF (Default: 10 ms)
-S - milliseconds to sleep for SLEEP_AFTER_FIELD_ON (Default: 50 ms)
-P hex_literals_separated - try to recover the key from a conversation sniffed with Proxmark3 (mifarecrack.c based). Accepts several options:
	Concatenated string in hex literal format of form uid:tag_chal:nr_enc:reader_resp:tag_resp
	Example -P 0x5c72325e:0x50829cd6:0xb8671f76:0xe00eefc9:0x4888964f would find key FFFFFFFFFFFF
-p proxmark3_full.log - tries to parse the log file on it's own (mifarecrack.py based), get the values for option -P and invoke it
-F - tries to fingerprint the input dump (-i) against known cards' data format
-v verbose_level - verbose level (default is O)

Usage examples:
  Recove all keys from all sectors:
    mfcuk -C -R -1
  Recove the sector #0 key with 250 ms for all delays (delays could give more results):
    mfcuk -C -R 0 -s 250 -S 250

Writing to a new card with nfc-mfclassic

To write the dump.mfd obtained from a MIFARE Classic card to another card, i.e. to clone it, use the nfc-mfclassic tool.

# install nfc-tools
brew install nfc-tools

First make sure the target card is on the reader, then use nfc-mfclassic to write the bb_card_mfoc.mfd file to the new card.

// f|r|R|w|W    - format (f), read (r), unlocked read (R), write (w) or unlocked write (W)
//                W also writes the UID (requires a UID-writable card); w writes only the card data.
//                If you have no UID card, try writing only the contents to see whether the lock checks
//                just the card contents and not the UID.
//                - note that unlocked write will attempt to overwrite block 0 including UID
//                - unlocked read does not require authentication and will reveal A and B keys
//                - unlocking only works with special Mifare 1K cards (Chinese clones)
// a|A|b|B      - Use A or B keys for action; Halt on errors (a|b) or tolerate errors (A|B)
// u|U          - Use any (u) uid or supply a uid specifically as U01ab23cd.

// Write the data in bb_card_mfoc.mfd to the UID card, including the UID
$ nfc-mfclassic W a u bb_card_mfoc.mfd
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 1b  5a  c2  19
      SAK (SEL_RES): 08
RATS support: no
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43
Received bits: 0a
Card unlocked
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.

Verifying the write

After the write completes, it is advisable to read the card again and compare the result with the original dumpdata.dmp file to make sure the data was written correctly.

You can read the card contents and save them to a new file with the following command (same argument order as the read and write commands above, with u selecting any UID):

nfc-mfclassic R a u newdump.dmp

Then compare the two files:

diff dumpdata.dmp newdump.dmp

If there is no output, the two files are identical and the write succeeded.

Using the Mifare dumps parser

https://github.com/zhovner/mfdread

python3 mfdread.py ./dump.mfd
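As an added example (not part of the original post and not mfdread's own code), a small Python audit of the .mfd dump format shown in the xxd output above: it checks the UID checksum byte (BCC) in block 0, lists each sector trailer's keys and access bytes, flags sectors still protected by well-known default keys (the condition that lets mfoc succeed, and the first thing to fix when auditing a card deployment), and compares two dumps block by block for the verification step. The sample dump is constructed from the block 0 and sector trailer values in the post's xxd output, and the default key list is an assumed short subset.

```python
from typing import Dict, List

BLOCK_SIZE = 16
# Assumed short subset of the widely published MIFARE Classic default keys.
DEFAULT_KEYS = {bytes.fromhex(k) for k in
                ("ffffffffffff", "000000000000", "a0a1a2a3a4a5", "d3f7d3f7d3f7")}

def trailer_blocks(n_blocks: int) -> List[int]:
    """Block index of every sector trailer in a 1K (64-block) or 4K (256-block) dump."""
    trailers = [4 * s + 3 for s in range(min(n_blocks // 4, 32))]
    if n_blocks == 256:  # 4K cards: sectors 32..39 hold 16 blocks each
        trailers += [128 + 16 * k + 15 for k in range(8)]
    return trailers

def audit_dump(data: bytes) -> Dict:
    """Parse an .mfd dump: UID/BCC check plus per-sector key material and a default-key flag."""
    if len(data) not in (1024, 4096):
        raise ValueError(f"unexpected dump size: {len(data)} bytes")
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    uid, bcc = blocks[0][:4], blocks[0][4]  # 4-byte UID followed by its XOR checksum (BCC)
    sectors = []
    for sector, t in enumerate(trailer_blocks(len(blocks))):
        key_a, acl, key_b = blocks[t][:6], blocks[t][6:10], blocks[t][10:]
        sectors.append({"sector": sector, "key_a": key_a.hex(), "key_b": key_b.hex(),
                        "access": acl.hex(),  # 3 access-condition bytes + general purpose byte
                        "default_key": key_a in DEFAULT_KEYS or key_b in DEFAULT_KEYS})
    return {"uid": uid.hex(),
            "bcc_ok": (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc,
            "sectors": sectors,
            "default_key_sectors": [s["sector"] for s in sectors if s["default_key"]]}

def diff_blocks(a: bytes, b: bytes) -> List[int]:
    """Indices of blocks that differ between two dumps (block-level form of the diff step)."""
    n = max(len(a), len(b))
    return [i // BLOCK_SIZE for i in range(0, n, BLOCK_SIZE)
            if a[i:i + BLOCK_SIZE] != b[i:i + BLOCK_SIZE]]

def sample_dump() -> bytes:
    """Constructed 1K dump: block 0 and the sector trailer are the values from the post's
    xxd output; every other data block is zero and every trailer keeps factory-default keys."""
    block0 = bytes.fromhex("34460dc4bb8804008500000000000000")
    trailer = bytes.fromhex("ffffffffffffff078069ffffffffffff")
    zero = bytes(BLOCK_SIZE)
    return b"".join([block0, zero, zero, trailer] + [zero, zero, zero, trailer] * 15)

if __name__ == "__main__":
    report = audit_dump(sample_dump())
    print(report["uid"], "bcc_ok" if report["bcc_ok"] else "BCC MISMATCH",
          "default-key sectors:", report["default_key_sectors"])
```

To audit a real dump, pass the bytes of a file produced by mfoc or nfc-mfclassic to audit_dump; a non-empty default_key_sectors list means the card still trusts published keys.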

Reference