forked/mfcuk
1
0
Fork 0
mirror of https://github.com/nfc-tools/mfcuk.git synced 2025-12-23 18:50:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Migrating wiki contents from Google Code

Browse Source
This commit is contained in:
Google Code Exporter 2015-04-19 03:50:14 -04:00
commit 328019125e
5 changed files with 485 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
MifareClassicDefaultKeys.md Normal file
View File

@ -0,0 +1,21 @@
# Introduction #
List of default keys presented as **examples** in NXP Application Notes, but which were used ad-litteram by vendors/system-integrators.
# Details #
The list below details the publicly known and available default keys (specified in various application notes as examples):
| **Default key** | **No. of known systems using it** | **List of those systems** | **Approx. no. of cards using it** | **Approx. % of cards from total Mifare Classic cards** |
|:----------------|:----------------------------------|:--------------------------|:----------------------------------|:-------------------------------------------------------|
| ffffffffffff | 1 | SKGT<br> <table><thead><th> ? </th><th> ? </th></thead><tbody>
<tr><td> a0a1a2a3a4a5 </td><td> 1 </td><td> SKGT<br> </td><td> ? </td><td> ? </td></tr>
<tr><td> b0b1b2b3b4b5 </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> 000000000000 </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> 4d3a99c351dd </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> 1a982c7e459a </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> d3f7d3f7d3f7 </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> aabbccddeeff </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr></tbody></table>
As in the case of GSM COMP128, the example details from specifications/appnotes were taken ad-litteram, posing a security threat on the system.

21
MifareClassicEnabledPhones.md Normal file
View File

@ -0,0 +1,21 @@
# Introduction #
Summarizes a list of known/available information regarding mobile phones/devices that have Mifare Classic Reader/Tag elements
# Details #
| **Name/Model** | **URLs/Photo** | **Reader/Tag** | **RFID/NFC Chipset** |
|:---------------|:---------------|:---------------|:---------------------|
| <a href='http://europe.nokia.com/find-products/devices/nokia-6131-nfc/technical-specifications'>Nokia 6131</a> | ? | Reader+Tag | ? |
| <a href='http://europe.nokia.com/find-products/devices/nokia-6212-classic/specifications'>Nokia 6212</a> | ? | Reader+Tag | ? |
| <a href='http://www.mobilemag.com/2004/03/16/nokia-5140-rfid-reader/'>Nokia 5140</a> | ? | ? (14443A) | ? |
| Samsung SGH X700 NFC | ? | ? | ? |
| Benq T80 | ? | ? | ? |
| <a href='http://www.adactiv.es/PDFs/NFC/NFC%20GSM%20PDA.pdf'>Telefunken CS A108</a> | ? | ? | ? |
| <a href='http://www.austromontan.com/images/NFC_Phone_Datasheet_E.pdf'>Austro Montan</a> | ? | ? | ? |
| Foxway Limited 5003 | ? | ? | ? |
# Links #
http://en.wikipedia.org/wiki/Near_Field_Communication#NFC-enabled_handsets

311
MifareClassicFullSoftTagEmulation.md Normal file
View File

@ -0,0 +1,311 @@
# Introduction #
**“Mifare Classic Full SoftTag Emulation”** = Software emulation (either in a PC, or a custom hardware programmable controller) of a physical Mifare Classic tag/device based on a dumped tag data, including:
* UID/Manufacturer Block information
* All sectors data, keys, AC bits, etc.
* Authentication and encryption
# Mifare Classic 100% SoftTag Emulation using ACR122U #
* Seems like impossible because of not very accurate timings, USB timing delays, slow Crapto1 implementation
* Check this link for a small discussion: http://www.libnfc.org/community/topic/113/mifare-classic-softtag-emulation/
# Mifare Classic 100% SoftTag Emulation using Proxmark3 #
* Seems possible, but not too promising as of now
* Needs special firmware version to have proper timings
* Not very sure how to optimally stick Crapto1 implementation into Proxmark3 and making sure ISO 14443 timings are preserved
# Mifare Classic 100% SoftTag Emulation using Nokia 6131 or Nokia 6212 #
* Some Mifare Classic with Nokia 6212 demo video:
<a href='http://www.youtube.com/watch?feature=player_embedded&v=SDQSRpS46Fo' target='_blank'><img src='http://img.youtube.com/vi/SDQSRpS46Fo/0.jpg' width='425' height=344 /></a>
* As of now, the **most promising direction** for Mifare Classic 100% SoftTag Emulation
* Exploit vectors:
1. Getting around the software checks using the holes in Nokia 6131/6212 SDKs
1. Patching the cldc11.jar in the SDK and test the emulator
1. Patching the cldc11.jar in the Nokia 6131/6212 device and test
## Getting around the software checks using the holes in Nokia 6131/6212 SDKs ##
* Block 0 operations and results:
```
MFStandardConnection conn = null;
String internalUrl = System.getProperty("internal.mf.url");
conn = (MFStandardConnection) Connector.open(internalUrl);
MFBlock block;
byte KAbytes[] = { (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
MFKey.KeyA KA = new MFKey.KeyA(KAbytes);
block = conn.getBlock(0);
byte block_FF[] = {
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF
};
block.getBlockType(); // returns com.nokia.nfc.nxp.mfstd.MFBlock.BLOCKTYPE_MANUFACTURER == 2
if (block instanceof MFBlock) // returns true
{
}
if (block instanceof MFManufacturerBlock) // returns true
{
}
block.write(KA, block_FF, 0);
com.nokia.nfc.nxp.mfstd.MFStandardException
at com.nokia.mid.impl.isa.io.protocol.external.nfc.MFManufacturerBlockImpl.write(+8)
at nokiatest.startApp(+249)
at javax.microedition.midlet.MIDletProxy.startApp(+7)
at com.nokia.mid.impl.isa.ui.MIDletManager.callStartApp(+4)
at com.nokia.mid.impl.isa.ui.MIDletManager.activateMIDlet(+10)
at com.nokia.mid.impl.isa.ui.MIDletManager.run(+15)
```
* getBlock(-1) or getBlock(255) operations and results:
```
MFStandardConnection conn = null;
String internalUrl = System.getProperty("internal.mf.url");
conn = (MFStandardConnection) Connector.open(internalUrl);
MFBlock block;
byte KAbytes[] = { (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
MFKey.KeyA KA = new MFKey.KeyA(KAbytes);
block = conn.getBlock(-1); // getBlock(256);
java.lang.IllegalArgumentException: Invalid block index
at com.nokia.mid.impl.isa.io.protocol.external.nfc.MFStandardConnectionImpl.getBlock(+21)
at nokiatest.startApp(+157)
at javax.microedition.midlet.MIDletProxy.startApp(+7)
at com.nokia.mid.impl.isa.ui.MIDletManager.callStartApp(+4)
at com.nokia.mid.impl.isa.ui.MIDletManager.activateMIDlet(+10)
at com.nokia.mid.impl.isa.ui.MIDletManager.run(+15)
```
* iii. getSector(0), read(), write() offset 0/16/32 etc **no exception**, however **no change in block0** of the “Virtual 4K” “Embedded Tag” occurs, but block1, block2 and block3 changes the data. **Is there a physical/hardware check on this case?**
```
MFStandardConnection conn = null;
String internalUrl = System.getProperty("internal.mf.url");
conn = (MFStandardConnection) Connector.open(internalUrl);
byte KAbytes[] = { (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
MFKey.KeyA KA = new MFKey.KeyA(KAbytes);
MFSector sector = conn.getSector(0);
byte offset = 0;
byte sector_bytes[] = new byte[64-offset];
sector.read(KA, sector_bytes, 0, 0, 64-offset);
// Overwrite with 0xFF all 4 block of sector0/sector1
for (int i=0; i < (com.nokia.nfc.nxp.mfstd.MFBlock.BLOCK_LEN * 4) - offset; i++)
{
sector_bytes[i] = (byte) 0xFF;
}
sector.write(KA, sector_bytes, offset);
```
* getSector(0) write offset other than 0/16/32 (i.e. multiples of BLOCK\_LEN==16) etc **exception**:
```
MFStandardConnection conn = null;
String internalUrl = System.getProperty("internal.mf.url");
conn = (MFStandardConnection) Connector.open(internalUrl);
byte KAbytes[] = { (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
MFKey.KeyA KA = new MFKey.KeyA(KAbytes);
MFSector sector = conn.getSector(0);
byte offset = 4; // skip the UID, maybe we can overwrite some other parts of the manufacturer block?
byte sector_bytes[] = new byte[64-offset];
sector.read(KA, sector_bytes, 0, 0, 64-offset);
// Overwrite with 0xFF all 4 block of sector0/sector1
for (int i=0; i < (com.nokia.nfc.nxp.mfstd.MFBlock.BLOCK_LEN * 4) - offset; i++)
{
sector_bytes[i] = (byte) 0xFF;
}
sector.write(KA, sector_bytes, offset);
com.nokia.nfc.nxp.mfstd.MFStandardException
at com.nokia.mid.impl.isa.io.protocol.external.nfc.MFStandardConnectionImpl.write(+183)
at com.nokia.mid.impl.isa.io.protocol.external.nfc.MFSectorImpl.write(+24)
at com.nokia.mid.impl.isa.io.protocol.external.nfc.MFSectorImpl.write(+10)
at nokiatest.startApp(+448)
at javax.microedition.midlet.MIDletProxy.startApp(+7)
at com.nokia.mid.impl.isa.ui.MIDletManager.callStartApp(+4)
at com.nokia.mid.impl.isa.ui.MIDletManager.activateMIDlet(+10)
at com.nokia.mid.impl.isa.ui.MIDletManager.run(+15)
```
* getSector (1) write offset 0 **no exception**, all data written
```
MFStandardConnection conn = null;
String internalUrl = System.getProperty("internal.mf.url");
conn = (MFStandardConnection) Connector.open(internalUrl);
byte KAbytes[] = { (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
MFKey.KeyA KA = new MFKey.KeyA(KAbytes);
MFSector sector = conn.getSector(0);
byte offset = 0;
byte sector_bytes[] = new byte[64-offset];
sector.read(KA, sector_bytes, 0, 0, 64-offset);
// Overwrite with 0xFF all 4 block of sector0/sector1
for (int i=0; i < (com.nokia.nfc.nxp.mfstd.MFBlock.BLOCK_LEN * 4) - offset; i++)
{
sector_bytes[i] = (byte) 0xFF;
}
sector.write(KA, sector_bytes, offset);
```
* getSector(-1) - operations and results:
```
java.lang.IllegalArgumentException: Invalid sector index
at com.nokia.mid.impl.isa.io.protocol.external.nfc.MFStandardConnectionImpl.getSector(+21)
at nokiatest.startApp(+347)
at javax.microedition.midlet.MIDletProxy.startApp(+7)
at com.nokia.mid.impl.isa.ui.MIDletManager.callStartApp(+4)
at com.nokia.mid.impl.isa.ui.MIDletManager.activateMIDlet(+10)
at com.nokia.mid.impl.isa.ui.MIDletManager.run(+15)
```
## Conclusions about code implementations and ways to patch/get around ##
* _cldc11.jar/com/nokia/mid/impl/isa/io/protocol/external/nfc/MFManufacturerBlockImpl.class_ **possibly looks like**:
```
public void write(MFKey key, byte src[], int dstOffset)
{
throw new MFStandardException(0);
}
public void write(MFKey key, byte src[], int srcOffset, int length, int dstOffset)
{
throw new MFStandardException(0);
}
public void writeValue(MFKey key, MFValue newValue)
{
throw new MFStandardException(0);
}
```
* _cldc11.jar/com/nokia/mid/impl/isa/io/protocol/external/nfc/MFStandardConnectionImpl.class_ **possibly looks like**:
```
public MFBlock getBlock(int blockIndex)
{
// Some code
if(blockIndex < 0 || blockIndex >= getBlockCount())
throw new IllegalArgumentException("Invalid block index");
// Some code
/* Need the below patched out. JVM opcode equivalent is:
*
* 22. iload_1
* 23. ifne 31 (+8)
* 26. aload_0
* 27. invokevirtual #17 <com/nokia/mid/impl/isa/io/protocol/external/nfc/MFStandardConnectionImpl.getManufacturerBlock>
* 30. areturn
*
* Use BCEL from Apache to change bytecode of the class file.
*/
if(blockIndex == 0)
return manufacturerBlock; // implements the above restricted MfManufacturerBlock interface
// Some code
return normalBlock; // Implements the normal data block, non-restrictive MFBlock
}
public MFSector getSector(int sectorIndex)
{
if(sectorIndex < 0 || sectorIndex >= getSectorCount())
throw new IllegalArgumentException("Invalid sector index");
else
return new someMFSectorConstructor();
}
public void write(MFKey key, byte src[], int srcOffset, int length, int dstOffset)
{
// Some code
if(dstOffset % 16 != 0 || length % 16 != 0)
{
// Some codef
while(someCondition)
{
currentBlockIndex = getCurrentBlockToWrite();
if (currentBlockIndex == 0)
throw new MFStandardException(0);
}
}
// Some other code, where no check for block index 0 is made, so sector0's write(keya, bytes, offset_0) goes thru
}
```
## Patching the cldc11.jar in the SDK and test the emulator ##
* Check out this book for techniques _"Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering"_ (http://www.amazon.com/Covert-Java-Techniques-Decompiling-Engineering/dp/0672326388)
* Possible approaches:
1. Directly patch the needed class files and update them in the cldc11.jar of the SDK/emulator not easy, but preferable
1. Recompile needed classes and update them in cldc11.jar seems easier, but not preferable since the decompiled sources are not 100% trustworthy, it is not very easy to compile them back and/or preserving unpatched functionality intact
* TODO list of patching/recompilation for the SDK:
1. _cldc11.jar/com/nokia/mid/impl/isa/io/protocol/external/nfc/MFManufacturerBlockImpl.class_ - instead of throwing an exception on write(), to call super.write()
1. _cldc11.jar/com/nokia/mid/impl/isa/io/protocol/external/nfc/ MFStandardConnectionImpl.class_ - in getBlock() method instead of returning a MFManufacturerBlock class in case of block 0, just remove that “if() return;” statement
1. _Unlock\_Midlet.jar_ - Is obfuscated, maybe some juicy things are there which might give some insight for exploitation, since this midlet somehow accesses at low-level the Mifare Classic and Secure Smart Card elements, resetting the keys for Mifare Classic and doing some other certificates/keys nasty things
## Patching the cldc11.jar in the Nokia 6131/6212 device and test ##
* As far as I know from a GSM tech guy, getting to filesystem and files is not very easy please let me know if you know how to access and/or patch/replace cdlc11.jar on a physical device (JTAG, other techniques)
* As far as I know from a GSM tech guy, the flash is encrypted and possibly signed by Nokia, so preparing an already-patched flash (i.e. a flash memory dump with an already patched cldc11.jar and/or other files as required) is a bit of a problem (not to say pain in the arse) please let me know if you know an exploit in the chain of trust of software booting and loading of these (wish these 6131 and 6212 had the same hype as iPhone :) )
## Open items ##
* In case of physical unlock with Unlock\_Midlet.jar, does the UID of Mifare Classic element changes?
* In case of software upgrade/downgrade using “PC Nokia Suite” or JTAG reflash in GSM service centers, does the UID of Mifare Classic element changes?
* What is the hardware chip (and its specifications) that emulates/implements Mifare Classic and Secure Smart Card elements in Nokia 6131/Nokia 6212?
# Mifare Classic 100% SoftTag Emulation using iCarte adapter with an iPhone #
* Possibly is achievable using low-level UNIX programming and given iCarte is “exploitable” for this
* TODO
1. Need some detailed specs for iCarte hardware design, API/SDK design, etc.
1. Need some dissected iCarte (pictures from someone else also might give some insights on implementation)
* Exploit vectors
1. Unknown. Anyone?
# Mifare Classic 100% SoftTag Emulation using MiKeyCard #
* Main project page: http://www.mikeycard.org/
* Another **promising direction**
* It's good that project is open-source/open-hardware project
* It's good it has smart guys' support
* Need a testing version of hardware to play with
* Sort of resembling Proxmark3, though have specific usage direction
# Mifare Classic 100% SoftTag Emulation using OpenPCD #
* Also a promising direction
* Not much information gathered on the progress of emulation though
* Some demo video:
<a href='http://www.youtube.com/watch?feature=player_embedded&v=Srzf2MSCO6Y' target='_blank'><img src='http://img.youtube.com/vi/Srzf2MSCO6Y/0.jpg' width='425' height=344 /></a>

42
MifareClassicKnownCardsDataFormat.md Normal file
View File

@ -0,0 +1,42 @@
# Introduction #
Summarizes known/publicly implemented Mifare Classic cards - default keys, data storage format, known-plaintexts on card, etc.
# How to contribute #
If you legally own a publicly available Mifare Classic card, which **is not** listed here or which you think **is more accurate/updated** than presented one, we would like to hear from you.
Please DO NOT contribute:
* private card dumps (examples: office building, fitness centers, etc.)
* card dumps which do not legally belong to you (examples: a test dump made by a friend on your computer, dump you made from your friend's card, etc.)
# Legal disclaimer #
This information is presented in good faith and for informational purposes only. It is not intended to disclose private/sensitive information nor to affect in any other ways holders or issuers of such publicly available cards. The information is gathered from personally and legally owned cards. The information presented here is intended to raise awareness to the possible security threats and privacy implications when using Mifare Classic cards.
# Details #
| **Country** | **City** | **Card Name** | **Estimated number (date)** | **URL/Photo** | **Card type** | **Default keys** | **Reused keys patterns** | **Data format** | **Known plain-text** | **Risk level** |
|:------------|:---------|:--------------|:----------------------------|:--------------|:--------------|:-----------------|:-------------------------|:----------------|:---------------------|:---------------|
| Romania | <a href='http://maps.google.com/?q=Bucharest'>Bucharest</a> | RATB SAT Card Activ | ? | http://card.ratb.ro/<br> <img src='http://mfcuk.googlecode.com/files/Romania_Bucharest_RATB_Activ_front0.jpg'><br> <img src='http://mfcuk.googlecode.com/files/Romania_Bucharest_RATB_Multiplu_front.jpg'> <table><thead><th> 1K </th><th> None </th><th> Sector_0_A=Sector_1_A <br> Sector_0_B=Sector_1_B </th><th> <b>Unknown</b><br> encoded/mangled/in-house crypto?<br> encrypted?<br> block/stream cipher? </th><th> 0xFF sequences in blocks: 1, 2, 32, 33, 34, 36, 37, 38 </th><th> low </th></thead><tbody>
<tr><td> Romania </td><td> <a href='http://maps.google.com/?q=Timisoara'>Timisoara</a> </td><td> RATT Acces Card </td><td> ? </td><td> <a href='http://www.ratt.ro/taxare/'>http://www.ratt.ro/taxare/</a><br> <img src='http://mfcuk.googlecode.com/files/Romania_Timisoara_RATT_Acces_front0.jpg'> </td><td> ?K </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> Bulgaria </td><td> <a href='http://maps.google.com/?q=Sofia'>Sofia</a> </td><td> SKGT </td><td> ? </td><td> <a href='http://www.skgt-bg.com/index_en.htm'>http://www.skgt-bg.com/index_en.htm</a><br> <img src='http://mfcuk.googlecode.com/files/Bulgaria_Sofia_ECard_front0.JPG'> </td><td> 4K </td><td> FFzzzzzzzzzz<br> A0zzzzzzzzzz </td><td> Default keys heavily reused<br> Sector_5_A=Sector_6_A </td><td> <b>Sector 1</b> (administration code 0x00 0x04) contain card holder information (Run-Length-Encoded)<br> <b>Sector 2</b> contain card publisher information (code 0x00, 0x15)<br> <b>Sector 3</b> electronic purse, city traffic<br> These sectors do not change during card usage<br> <b>Sector 4 Block 0,1</b> = unknown data<br> <b>Sector 4 Block 2</b> = last travel<br> Example: <i>00 04 00 01 01 00 e1 05 58 12 c2 00 00 70 00 93</i><br> <i>00 04</i> = line number 4<br> <i>05 e1</i> (hex) = 1505 (dec) = car number<br> <i>00 c2 12 58</i> (hex) = 1100 0010 00 01 0010 0101 1000 (bin), lower 14 bits = number of days since 01.01.1997, higher bits = number of minutes since the start of the day<br> <b>Sector 5 Block 0,1</b> = Value blocks </td><td> Hex password for last sector key B represents string "SofiaM" </td><td> <b>HIGH</b> </td></tr>
<tr><td> U.K. </td><td> <a href='http://maps.google.com/?q=London'>London</a> </td><td> Oyster card </td><td> ? </td><td> <a href='https://oyster.tfl.gov.uk/oyster/entry.do'>https://oyster.tfl.gov.uk/oyster/entry.do</a><br> <img src='http://mfcuk.googlecode.com/files/UK_London_Oyster_frontX.jpg'><br> <img src='http://mfcuk.googlecode.com/files/UK_London_Oyster_backX.jpg'> </td><td> 1K </td><td> None </td><td> None </td><td> <b>Unknown</b><br> encoded/mangled/in-house crypto?<br> encrypted?<br> block/stream cipher? </td><td> 0xFF sequences in blocks: 2, 17, 56, 57, 58, 60, 61, 62<br> "ABCDEFGHIJKLM" string at block 1 </td><td> . </td></tr>
<tr><td> Netherlands </td><td> <a href='http://maps.google.com/?q=Amsterdam'>Amsterdam</a> </td><td> OV Chipkaart </td><td> ? </td><td> <a href='http://www.ov-chipkaart.nl/'>http://www.ov-chipkaart.nl/</a><br> <img src='http://mfcuk.googlecode.com/files/Netherlands_Amsterdam_OV_Chipkaart_front0.jpg'> </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td><td> . </td></tr>
<tr><td> Taiwan </td><td> <a href='http://maps.google.com/?q=Taipei'>Taipei</a> </td><td> EasyCard </td><td> <a href='http://www.nfctimes.com/news/easycard-corp-assures-secure-e-wallets'>18.2 millions (Apr 2010)</a> </td><td> <a href='http://www.trtc.com.tw/'>http://www.trtc.com.tw/</a><br> <img src='http://mfcuk.googlecode.com/files/Taiwan_Taipei_EasyCard_frontX.jpg'> </td><td> 1K </td><td> ? </td><td> ? </td><td> <b>Unknown</b><br> encoded/mangled/in-house crypto?<br> encrypted?<br> block/stream cipher? </td><td> ? </td><td> . </td></tr>
<tr><td> Czech </td><td> Czech Technical University in Prague, Institute of Chemical Technology Prague </td><td> Student CVUT/VSCHT Card </td><td> ? </td><td> <a href='http://www.techlib.cz/en/customer-account/registration/id-cards-of-cvut-and-vscht/'>http://www.techlib.cz/en/customer-account/registration/id-cards-of-cvut-and-vscht/</a> </td><td> 1K </td><td> FFzzzzzzzzzz </td><td> Sectors 0 to 3 have equal key A<br> Sectors 0 to 3 have equal key B </td><td> <b>Cleartext</b><br> Block1 = National ID (?)<br>Block2 = Passport No (?)<br> Block4 = Name (space padded)<br> Block5 = Surname (space padded)<br> Block8 = Valability (?) in format DD.MM.YYYY<br> Block12/13 = Telephone numbers (?) </td><td> None </td><td> <b>HIGH</b> </td></tr>
<tr><td> Czech </td><td> Czech </td><td> Czech ISIC Card </td><td> ? </td><td> <a href='http://www.isic.cz/'>http://www.isic.cz/</a> </td><td> 1K </td><td> FFzzzzzzzzzz </td><td> None </td><td> Cleartext (?)<br> Block4 = some kind of serial number </td><td> None </td><td> <b>HIGH</b> </td></tr>
<tr><td> Czech </td><td> Liberec </td><td> Liberec City Card </td><td> ? </td><td> <a href='http://www.mikroelektronika.cz/custom-made-electronics/novinky'>http://www.mikroelektronika.cz/custom-made-electronics/novinky</a><br> <a href='http://www.mucl.cz/mestska-autobusova-doprava/opuscard/karta-opuscard.html'>http://www.mucl.cz/mestska-autobusova-doprava/opuscard/karta-opuscard.html</a> </td><td> 4K </td><td> A0zzzzzzzzzz </td><td> Block 0x5F to 0xFF have equal key A<br> Block 0x5F to 0xFF have equal key B </td><td> Partially cleartext<br> Block4 = Surname Name (seem null terminated C strings)<br> Rest encoded/encrypted (?) </td><td> Block 1 and 2 = lots of every second byte is 0x18 </td><td> MEDIUM </td></tr>
<tr><td> Luxembourg </td><td> Luxembourg </td><td> Luxembourg (Public Transport) Card </td><td> ? </td><td> ? </td><td> 1K </td><td> FFzzzzzzzzzz </td><td> Block 0x00 to 0x33 have equal key A<br> Block 0x00 to 0x33 have equal key B </td><td> Encoded, seems no encryption or dynamic keys </td><td> Block 0x34, 0x35, 0x36, 0x38, 0x39, 03a, 0x3c, 0x3d, 0x3e = filled with 0xFF </td><td> MEDIUM </td></tr>
<tr><td> Russia </td><td> Moscow </td><td> Бесконтактные транспортные карты </td><td> <a href='http://www.rfida.com/2007/02/russia-rfid-transportation-application.htm'>5-30 millions (1998-2007)</a> </td><td> <a href='http://www.metro.ru/fare/contactless/'>http://www.metro.ru/fare/contactless/</a> </td><td> ?K </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr>
<tr><td> Russia </td><td> Russia </td><td> Rossiyskie Zheleznye Dorogi/Russian Railways (RZhD) </td><td> ? </td><td> <a href='http://www.rzd.ru/isvp/public/rzd?STRUCTURE_ID=5064&layer_id=4064&refererLayerId=4063&id=312006&forum_id=12#2'>Forum notes</a><br> <a href='http://www.old.recon.ru/daily/page1_3918.php'>News notes</a> </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td><td> ? </td></tr></tbody></table>
<h1>Links</h1>
<a href='http://www.dib.com.br/dib%20cd/C2007/Palestras/Palestra%20Francimar%20Santos%20Cards%202007.pdf'>http://www.dib.com.br/dib%20cd/C2007/Palestras/Palestra%20Francimar%20Santos%20Cards%202007.pdf</a><br>
<a href='http://www.skyscrapercity.com/showthread.php?p=39116178'>http://www.skyscrapercity.com/showthread.php?p=39116178</a><br>
<a href='http://www.ratt.ro/forum/index.php?showtopic=157&st=0'>http://www.ratt.ro/forum/index.php?showtopic=157&amp;st=0</a><br>

90
ProjectHome.md Normal file
View File

@ -0,0 +1,90 @@
**IMPORTANT: Due to constant lack of time, I (Andrei Costin) cannot support/maintain this project. If there is any volunteer to maintain/develop, please contact me or leave a message on libnfc's forum.**
**M**_FCUK_ - `MiFare Classic Universal toolKit`
<img src='http://mfcuk.googlecode.com/files/MFCUK_logo_small.png'>
<a href='https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=zveriu%40gmail%2ecom&lc=CY&item_name=zveriu%20%2d%20security%26FOSS%20dev%26reasearch&item_number=MFCUK&currency_code=EUR&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted'><img src='https://www.paypal.com/en_US/i/btn/btn_donateCC_LG.gif' /></a>
Toolkit containing samples and various tools based on and around libnfc and crapto1, with emphasis on Mifare Classic NXP/Philips RFID cards.<br>
<br>
Special emphasis of the toolkit is on the following:<br>
<ul><li>mifare classic weakness demonstration/exploitation<br>
</li><li>demonstrate use of libnfc (and ACR122 readers)<br>
</li><li>demonstrate use of Crapto1 implementation to confirm internal workings and to verify theoretical/practical weaknesses/attacks</li></ul>
<hr />
<b>Wishlist for next version:</b>
<ul><li><del>integrate with mifarecrack (proxmark3 sniffed-logs parser-decrypter) (short-term)</del>
</li><li>write proper proxmark3 parser (c for internal calls and py for external calls)<br>
</li><li>integrate with MFOC (medium-term)<br>
</li><li>integrate with crapto1 3.2<br>
</li><li><del>create initial fingerprint design&implementation. card fingerprinting based on: known plain-text in specific blocks, range of UIDs, etc. (short-term)</del>
</li><li>more templates to add (short-term)<br>
</li><li>summarize decoding info and implement custom decoders (short-medium-term)<br>
</li><li>implement "wiser" template data-structure and appropriate binary data similarity algotihms (medium-term)<br>
</li><li>have command-line (silent+interactive) and GUI (QT-based?) (long-term)</li></ul>
More of research type long-term activity (any volunteers :)?):<br>
<ul><li>go deeper into how UID/block/keys/Nt/Nr relate so that we choose Nt and Nr with shortest crack time (long-term)<br>
</li><li>research on how to shorten time in case prefix of the keys or any part of the keys are known<br>
</li><li>many cards from same issuer might have known plaintext in specific blocks - can this be exploited to speed-up first key recovery and then use optimized darkside/nested to get whole card (medium-term)</li></ul>
<hr />
<b>PACKAGE HISTORY</b>:<br>
<ul><li>zv_mf_dark_side-v0.3.zip Nov 28 829 KB 604 Downloads<br>
</li><li>zv_mf_dark_side-v0.2.zip Nov 15 43.2 KB 82 Downloads<br>
</li><li>zv_mf_dark_side-v0.1.zip Nov 13 40.1 KB 48 Downloads</li></ul>
<hr />
<b>IMPORTANT NOTICE</b> - would greatly appreciate if someone can donate (even used, smashed, but still programmable) things below:<br>
<ul><li>either Nokia 6131 either Nokia 6212<br>
</li><li>iCarte for iPhone</li></ul>
These things are aimed to research, implement the 100% software emulation of Mifare Classic Cards (including UID) and release it open-source under GPL.<br>
<br>
<b>Please contact zveriu</b> through my zveriu's blog regarding donations.<br>
<hr />
<b>DISCLAIMER</b> - The information and reference implementation source/binary contained herein is provided:<br>
<br>
<ul><li>for informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems<br>
</li><li>as-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information if purely on the side of the reader<br>
</li><li>NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to such as ticketing systems, building access systems or whatsoever systems using Mifare Classic as core technology)</li></ul>
<h1>Contacts</h1>
<h2>Andrei</h2>
Andrei Costin - <a href='mailto:zveriu@gmail.com'>mailto:zveriu@gmail.com</a>
<a href='http://andreicostin.com'>http://andreicostin.com</a>
<a href='http://code.google.com/p/mfcuk/'>http://code.google.com/p/mfcuk/</a>
<h2>Nethemba Team</h2>
<a href='mailto:mifare@nethemba.com'>mailto:mifare@nethemba.com</a>
Pavol Luptak - <a href='mailto:pavol.luptak@nethemba.com'>mailto:pavol.luptak@nethemba.com</a>
Norbert Szetei - <a href='mailto:norbert.szetei@nethemba.com'>mailto:norbert.szetei@nethemba.com</a>
<a href='http://nethemba.com'>http://nethemba.com</a>
<h1>Papers</h1>
<a href='http://eprint.iacr.org/2009/137.pdf'>http://eprint.iacr.org/2009/137.pdf</a>
<a href='http://www.cs.ru.nl/~petervr/web/papers/grvw_2009_pickpocket.pdf'>http://www.cs.ru.nl/~petervr/web/papers/grvw_2009_pickpocket.pdf</a>
<h1>Links</h1>
<a href='http://www.mikeycard.org'>http://www.mikeycard.org</a>
<a href='http://www.libnfc.org'>http://www.libnfc.org</a> forum<br>
<br>
<a href='http://www.proxmark.org'>http://www.proxmark.org</a> forum