Weblog: RFID in Dobrica Pavlinušić's random unstructured stuff
Proxmark


Cheap(er) China Proxmark

Mifare sniff/crack

http://code.google.com/p/crapto1/

http://www.youtube.com/watch?v=kTvb7tjbSTI
http://www.fuzzysecurity.com/tutorials/rfid/3.html

Proxmark firmware comparison on emulated Mifare 4k

r (svn)  command                                  note
590      USB HID
         hf mf rdbl 0 A a0a1a2a3a4a5              OK
         hf mf chk 0 A a0a1a2a3a4a5               Can't select card
617      USB HID
         hf mf rdbl 0 A a0a1a2a3a4a5              OK
         hf mf chk 0 A a0a1a2a3a4a5               Can't select card
         hf mf mifare                             2 red, needs power cycle
         hf mf nested o 0 a a0a1a2a3a4a5 4 t      Can't select card
672      (does not build)                         proxendian.h:22:4: error: #error Define BYTE_ORDER
756      USB CCID
         hf mf rdbl 0 A a0a1a2a3a4a5              Auth error
         hf mf chk 0 A a0a1a2a3a4a5               Can't select card
         hf mf mifare                             red, yellow, red, needs power cycle
         hf mf nested o 0 a a0a1a2a3a4a5 4 t      Can't select card
840      latest
         hf mf rdbl 0 A a0a1a2a3a4a5              Can't select card
         hf mf chk 0 A a0a1a2a3a4a5               Can't select card
         hf mf mifare                             Can't select card
         hf mf nested o 0 a a0a1a2a3a4a5 4 t      Can't select card

Usage

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 816 2013-10-11 22:09:42                 
#db# os: svn 816 2013-10-11 22:09:43                 
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56                 
uC: AT91SAM7S256 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 256K bytes          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          

proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...                 
#db# Measuring complete, sending report back to host                 
          
# LF antenna:  0.00 V @   125.00 kHz          
# LF antenna:  0.00 V @   134.00 kHz          
# LF optimal:  0.00 V @ 12000.00 kHz          
# HF antenna:  7.28 V @    13.56 MHz          
# Your LF antenna is unusable.          

proxmark3> hf 14a read
ATQA : 02 00          
 UID : ?? ?? ?? ??
 SAK : 38 [1]          
TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K          
 ATS : 0d 78 f7 b1 02 4a 43 4f 50 76 32 34 31 27 cc           
       -  TL : length is 13 bytes          
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8          
       - TA1 : different divisors are NOT supported, DR: [2, 4, 8], DS: [2, 4, 8]          
       - TB1 : SFGI = 0, FWI = 8          
       - TC1 : NAD is NOT supported, CID is supported          
       -  HB : 4a 43 4f 50 76 32 34 31           



brute force 26-bit proxcard

firmware version

According to http://wiki.radiowar.org/Proxmark3%E5%9B%BA%E4%BB%B6%E5%88%97%E8%A1%A8
firmware revisions newer than r617 have problems. Note that the hw version output above reports bootrom and os svn 816, which falls inside the range warned about below.

Google translated version:

Please do not upgrade your Proxmark3 firmware to the CDC-driver versions r617 to r830! We found that with these revisions the Proxmark3 cannot recognize high-frequency cards, and from r816 on the Nested attack returns keys of 000000000000.

flashing update

dpavlin@blue:/blue-zfs/FPGA/proxmark/proxmark3$ make flash-all


Compile new version of firmware

All instructions below this point are for an old version of the software; see http://www.proxmark.org/forum/viewtopic.php?id=1668.

http://code.google.com/p/proxmark3/wiki/Compiling is broken; see http://www.proxmark.org/forum/post/3244/#p3244 instead.

sudo apt-get install build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config

dpavlin@t61p:/tank/proxmark3$ svn co http://proxmark3.googlecode.com/svn/trunk proxmark3

Boot loader

dpavlin@t61p:/tank/proxmark3/proxmark3$ ./client/flasher -b ./bootrom/obj/bootrom.elf 
Loading ELF file './bootrom/obj/bootrom.elf'...
Loading usable ELF segments:
0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
1: V 0x00200000 P 0x00100200 (0x000017a8->0x000017a8) [R X] @0x294

Waiting for Proxmark to appear on USB...
Connected units:
        1. SN: ? [004/013]
 Found.
Entering bootloader...
(Press and release the button only to abort)
Waiting for Proxmark to reappear on USB....
Connected units:
        1. SN: ? [004/014]
 Found.

Flashing...
Writing segments for file: ./bootrom/obj/bootrom.elf
 0x00100000..0x001001ff [0x200 / 2 blocks].. OK
 0x00100200..0x001019a7 [0x17a8 / 24 blocks]........................ OK

Resetting hardware...
All done.

Have a nice day!

Full image
dpavlin@t61p:/tank/proxmark3/proxmark3$ ./client/flasher ./armsrc/obj/fullimage.elf 
Loading ELF file './armsrc/obj/fullimage.elf'...
Loading usable ELF segments:
0: V 0x00102000 P 0x00102000 (0x0000a4bc->0x0000a4bc) [R  ] @0xb4
1: V 0x00110000 P 0x00110000 (0x0000ba8c->0x0000ba8c) [R X] @0xa570
2: V 0x00200000 P 0x0011ba8c (0x00000004->0x00000004) [RW ] @0x15ffc
Note: Extending previous segment from 0xba8c to 0xba90 bytes

Waiting for Proxmark to appear on USB...
Connected units:
        1. SN: ? [004/015]
 Found.
Entering bootloader...
(Press and release the button only to abort)
Waiting for Proxmark to reappear on USB....
Connected units:
        1. SN: ChangeMe [004/016]
 Found.

Flashing...
Writing segments for file: ./armsrc/obj/fullimage.elf
 0x00102000..0x0010c4bb [0xa4bc / 165 blocks]..................................................................................................................................................................... OK
 0x00110000..0x0011ba8f [0xba90 / 187 blocks]........................................................................................................................................................................................... OK

Resetting hardware...
All done.

Have a nice day!
touchatag

http://www.touchatag.com/



install pcscd

sudo apt-get install pcscd
sudo dpkg -i libnfc-read_dev-build-1_i386.deb
sudo ldconfig

build libnfc

dependencies

dpavlin@t61p:/rest/cvs$ sudo apt-get install libpcsclite-dev build-essential autoconf libtool debhelper \
 subversion pkg-config libusb-dev

checkout source and compile

dpavlin@t61p:/rest/cvs$ git svn clone -s http://libnfc.googlecode.com/svn libnfc
dpavlin@t61p:/rest/cvs$ cd libnfc/
dpavlin@t61p:/rest/cvs/libnfc$ autoreconf --install
dpavlin@t61p:/rest/cvs/libnfc$ sudo ./debian/rules binary

install dpkg packages

dpavlin@t61p:/rest/cvs$ sudo dpkg -i libnfc0_1.4.0-0_i386.deb libnfc-bin_1.4.0-0_i386.deb libnfc-dev_1.4.0-0_i386.deb 

modify pcscd configuration to recognize all readers

dpavlin@t61p:~$ diff -urw /etc/libccid_Info.plist.orig /etc/libccid_Info.plist
--- /etc/libccid_Info.plist.orig        2011-01-13 23:05:07.449342958 +0100
+++ /etc/libccid_Info.plist     2011-01-13 23:05:25.624371843 +0100
@@ -52,7 +52,7 @@
        -->
 
        <key>ifdDriverOptions</key>
-       <string>0x0000</string>
+       <string>0x0004</string>
 
        <!-- Possible values for ifdDriverOptions
        1: DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED
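Review bot: the new value 0x0004 is never explained; the only line kept from the comment block documents option 1 (DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED), not option 4, and the heading "recognize all readers" does not say which reader needs it. Quote the line for value 4 from that same "Possible values for ifdDriverOptions" comment next to the change, and state that the field is a bit mask, so writing 0x0004 replaces any option that was already set rather than adding to it.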

restart pcscd

sudo /etc/init.d/pcscd restart

test it

with touchatag sticker

dpavlin@t61p:~$ nfc-list 
nfc-list use libnfc 1.4.0 (r842)
Connected to NFC device: ACS ACR122U PICC Interface 00 00 / ACR122U102 - PN532 v1.4 (0x07)
1 ISO14443A passive target(s) was found:
    ATQA (SENS_RES): 00  44  
       UID (NFCID1): 04  cc  6b  d9  a1  25  80  
      SAK (SEL_RES): 00  

read Mifare

mfoc -O dump | tee keys.txt
Hitchhikers Guide to RFID


There are many on-line resources about RFID. However, most of them are not well suited for beginners. So, if you have just got an RFID reader (a 3M one in this case) and want a high-level overview of what it is and what it can do, you are out of luck.

Until now, that is. This guide should help you decide whether RFID is the right thing for your library and, once you have chosen to implement it, how to do it.

This document describes my experience with the 3M 810 reader, using RFID 501: RFID Standards for Libraries (RFID_501.pdf) as reference.

RFID tag

The best way to think about an RFID tag is as a contactless readable barcode.

Our particular tags come in two forms: RFID stickers (to be placed on books) and credit-card-sized plastic cards (which we use for patrons).

Keep in mind that established practice is to use separate RFID systems for books and patrons (we use the same one for both). When we asked about using the same system for books and patrons, the reply was: "we don't have experience with it".
In practice, we have a problem with the 3M selfcheck software under one specific condition: when the book reader has a patron card in range, it reports a network connection error with the SIP server.
Since the normal configuration of selfcheck stations is to have two separate systems for patrons and books, this problem doesn't show up for other users.

Each tag has a unique serial number (SID; in ISO 15693 terms the UID) assigned by the manufacturer and used by the anticollision protocol. It is a 64-bit number, written in hexadecimal, starting with E0, like this: E00401003123AA26. (Note that librfid, further down this page, prints the UID least significant byte first, so "eb 6e 77 1f 00 01 04 e0" is the SID E00401001F776EEB.)

It's best to think of the SID as the unique identifier of the physical tag.
Your information system will have its own ID (barcode?) for an item.
There are cases in which you might want to replace the physical tag sticker on a book because it's damaged. In that case, the SID of that item changes, but not the barcode (which is data programmed onto the tag itself).

Our initial idea was to use the data programmed on the chip for everything and just ignore SIDs, but we found out that there is a class of RFID devices which can read ONLY the SID from the chip (in our case the photocopying system).
The 3M software does record SIDs to a log file when programming chips, but that's all; it essentially ignores them for all practical intents and purposes.

The 3M data model uses 7 blocks of user data, each block 4 bytes, which gives 28 bytes of user-specified data per tag. (The ISO 15693 ICode chip itself has more: the librfid dump further down this page reads blocks 0 through 27, i.e. 28 four-byte blocks; 3M uses only the first seven.)

blank tag

3M Manufacturing Blank

The easiest case is a blank tag, on which every data block except the last contains 0x55:

0	55 55 55 55		blank tag
1	55 55 55 55
2	55 55 55 55
3	55 55 55 55
4	55 55 55 55
5	55 55 55 55
6	00 00 00 00 

Generic blank

A generic blank seems to have only the first three blocks zeroed:

00	00 00 00 00
01	00 00 00 00
02	00 00 00 00

while the rest of the tag is left unchanged, including whatever data was there before.

programmed tag

Tags programmed with the 3M software have the following data layout:

0	04 is 00 tt		i [4 bit] = number of item in set	[1 .. i .. s]
					s [4 bit] = total items in set
					tt [8 bit] = item type

1	dd dd dd dd		dd [16 bytes] = barcode data
2	dd dd dd dd
3	dd dd dd dd
4	dd dd dd dd

5	bb bl ll ll		b [12 bit] = branch [unsigned]
				l [20 bit] = library [unsigned]
6	cc cc cc cc		c [32 bit] = custom signed integer

This basically means that your barcode or identifier of an item or patron can have up to 16 characters (numeric by default, but you can extend that to handle alphanumeric and special characters if you need to) and three integer values: branch 0 .. 4095 (12 bits), library 0 .. 1048575 (20 bits) and custom data -2147483648 .. 2147483647 (signed 32 bits).

You might want to use those values to uniquely identify your library and branch so that the RFID tags in your books won't collide with those of other libraries.
If you leave the decision to the equipment provider, you might end up with 300000 tags that have a plain 0 in those fields. Guess which value the tags of the next library that provider equips will have? My guess would be 0 as well.

Writing correct numbers into those fields is not enough. If you want to use the 3M software, you will also have to configure it to ignore all tags which don't match your library and branch.

security

There is also a single byte called AFI (Application Family Identifier; 3M calls it "security") which can be changed without accessing the content of the chip. This byte is also readable by more primitive RFID devices, such as gates, to check whether a book has been checked out of the library. On these tags the AFI is written with an ordinary ISO 15693 write command, with no authentication, so any 15693 writer in range can change it; treat it as an anti-theft convenience, not a security control.

3M uses the value 0xD7 (215) for secured items (the gate will beep) and 0xDA (218) for unsecured ones. It seems that all other values are ignored.
(I would guess that other manufacturers use different values.)

As I mentioned before, since we don't have any special values in the branch, library or custom field, we have situations in which patron cards get secured when a patron walks past the checkout counter while the 3M software is left in checkout mode.
This makes the gate alarm when the patron passes, which is not ideal.

disable tag

The 3M software has an option to disable tags. Initial examination showed that it simply programs the tag with the following content:

00	ff 00 00 00
01	00 00 00 00
02	00 00 00 00
03	00 00 00 00
04	00 00 00 00
05	00 00 00 00
06	00 00 00 00

and the security byte set to 0xD7 (this might be the value the tag had before disabling; I'll have to re-check this).

While the 3M software will ignore tags programmed with this content, this is not a permanent disabling of the tag, since it can be reprogrammed using other software.
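The layout from the "programmed tag" section, the library/branch filter that section ends with, the blank patterns above and the AFI values from the "security" section are small enough to put in one piece of code. The Python below is an added example, not 3M's software and not the Biblio::RFID module: it decodes and encodes the seven 4-byte blocks, rejects values that do not fit the 12-, 20- and 32-bit fields, classifies a dump as manufacturing blank, generic blank, disabled or programmed, and interprets the AFI byte the way the 3M gate does. Its sample input is blocks 0 to 6 of the librfid dump further down this page (barcode 1302029710). The branch/library split follows the "bb bl ll ll" byte picture above; that the signed custom field is big-endian as well is an assumption the page does not state.

```python
# Added example: encode/decode the 3M tag layout described above, classify the
# blank and disabled patterns, and interpret the AFI ("security") byte.
# This is not 3M's software and not the Biblio::RFID module.  Assumption: the
# 32-bit custom field is big-endian (the branch/library split follows the
# "bb bl ll ll" byte picture above, which is big-endian by construction).
import struct

BLOCK_SIZE = 4
USER_BLOCKS = 7              # blocks 0..6 as used by 3M
USER_BYTES = BLOCK_SIZE * USER_BLOCKS

AFI_SECURED = 0xD7           # 3M: item secured, gate alarms
AFI_UNSECURED = 0xDA         # 3M: item checked out

# Sample input: blocks 0..6 of the librfid dump further down this page.
DUMP_FROM_PAGE = bytes.fromhex(
    "04110001" "31333032" "30323937" "31300000" "00000000" "00000000" "00000000"
)


def afi_state(afi: int) -> str:
    """Gate interpretation of the AFI byte; every other value is ignored."""
    return {AFI_SECURED: "secured", AFI_UNSECURED: "unsecured"}.get(afi, "ignored")


def tag_kind(blocks: bytes) -> str:
    """Recognise the patterns listed above before trying to decode."""
    if len(blocks) != USER_BYTES:
        raise ValueError("expected %d bytes" % USER_BYTES)
    if blocks[:24] == b"\x55" * 24 and blocks[24:] == b"\x00" * 4:
        return "3M manufacturing blank"
    if blocks[0] == 0xFF and blocks[1:] == b"\x00" * 27:
        return "disabled"
    if blocks[:12] == b"\x00" * 12:        # generic blank: first three blocks zeroed
        return "generic blank"
    if blocks[0] == 0x04:
        return "programmed"
    return "unknown"


def decode(blocks: bytes) -> dict:
    """Split a 3M-programmed tag into its fields."""
    kind = tag_kind(blocks)
    if kind != "programmed":
        raise ValueError("not a 3M-programmed tag: %s" % kind)
    item_in_set, set_size = blocks[1] >> 4, blocks[1] & 0x0F
    if not 1 <= item_in_set <= set_size:
        raise ValueError("item %d outside set of %d" % (item_in_set, set_size))
    word5 = struct.unpack(">I", blocks[20:24])[0]
    return {
        "item_in_set": item_in_set,
        "set_size": set_size,
        "item_type": blocks[3],
        "barcode": blocks[4:20].rstrip(b"\x00").decode("ascii"),
        "branch": word5 >> 20,          # upper 12 bits of block 5
        "library": word5 & 0xFFFFF,     # lower 20 bits of block 5
        "custom": struct.unpack(">i", blocks[24:28])[0],  # assumption: big-endian signed
    }


def encode(barcode: str, item_type: int = 1, item_in_set: int = 1, set_size: int = 1,
           branch: int = 0, library: int = 0, custom: int = 0) -> bytes:
    """Build the 28 bytes for a tag; rejects values that do not fit the fields."""
    raw = barcode.encode("ascii")
    if len(raw) > 16:
        raise ValueError("barcode longer than 16 characters")
    if not 1 <= item_in_set <= set_size <= 15:
        raise ValueError("set numbering must satisfy 1 <= item <= size <= 15")
    if not 0 <= branch <= 4095 or not 0 <= library <= 1048575:
        raise ValueError("branch is 12 bits, library is 20 bits")
    if not 0 <= item_type <= 255:
        raise ValueError("item type is one byte")
    block0 = bytes((0x04, (item_in_set << 4) | set_size, 0x00, item_type))
    return (block0 + raw.ljust(16, b"\x00")
            + struct.pack(">I", (branch << 20) | library)
            + struct.pack(">i", custom))     # struct raises if custom is out of range


def belongs_to(tag: dict, branch: int, library: int) -> bool:
    """The filter the 3M software has to be configured with: ignore foreign tags."""
    return tag["branch"] == branch and tag["library"] == library


def sid_from_librfid(uid_lsb_first: bytes) -> str:
    """librfid prints the ISO 15693 UID least significant byte first;
    reverse it to get the SID as usually written (E0 prefix first)."""
    return uid_lsb_first[::-1].hex().upper()
```

Decoding the dump from this page gives item 1 of 1, type 1, barcode 1302029710 and zeros for branch, library and custom, which is exactly the "plain 0 in those fields" situation described above; a tag with the same barcode from another library would pass belongs_to unless that library had set its own branch and library values.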

RFID reader device

The reader consists of several parts:

  • black pad - reader antenna
  • reader - small box with micro controller and usb port
  • software

The reader is recognized as a USB serial device with its own protocol on the serial port. We are mostly interested in that protocol and in our ability to use the reader and tags with our own custom software.

At first, I assumed that the protocol used by RFID readers is some kind of standard.
After an extensive search on the Internet I wasn't able to find any documentation about this particular protocol (I even compared it with existing open source implementations just to be sure).

So the only solution was clean-room reverse engineering, and using that technique I developed a Perl module which can talk to the RFID reader; it is available at http://svn.rot13.org/index.cgi/RFID

After the initial reverse engineering of the protocol I rewrote the support for 3M and CPR readers; it is available at https://github.com/dpavlin/Biblio-RFID



More information

If this was too geeky for you, here is some additional material:

ISO standard

  • ISO 15962:2004 - object identifier structure
  • ISO 15693 - RFID (layer 2)
  • ISO 18000 Part 3 Mode 1 - 13.56MHz
  • ISO/IEC JTC1/SC17/WG8

ISO/IEC 14443, Proximity cards

The ISO/IEC 14443 series consists of four parts:

ISO/IEC 14443-1 Physical characteristics

17n1363t.doc 17n1363b.doc

ISO/IEC 14443-2 Radio frequency power and signal interface

17n1522t.pdf 17n1522c.doc

ISO/IEC 14443-2/AMD2 Amendment 2: Bit rates of fc/64, fc/32 and fc/16

17n2343T.pdf 17n2343F.doc

ISO/IEC 14443-3 Initialization and anticollision

17n1531t.pdf 17n1531c.doc

ISO/IEC 14443-3 Amendment 1: Bit rates of fc/64, fc/32 and fc/16

17n2342T.pdf 17n2342F.doc

ISO/IEC 14443-4 Transmission protocol

17N1689T.pdf 17n1689c.doc

ISO/IEC 15693, Vicinity cards

ISO/IEC 15693-1 Physical characteristics

17n1355t.doc 17n1355b.doc

ISO/IEC 15693-2 Air interface and initialisation

17n1486.pdf 17n1486c.doc

ISO/IEC 15693-3 Anticollision and transmission protocol

17n1692t.pdf 17n1692c.doc

ISO/IEC 10373-6, 10373-7, Test methods for the contactless integrated circuit(s) cards

ISO/IEC 10373-6 Proximity cards

17n1695t.pdf 17n1695c.doc

ISO/IEC 10373-6/AMD1 Amendment 1: Additional PICC test methods

17n2258t.pdf 17n2258t.doc 17n2258C.doc

ISO/IEC 10373-6/AMD2 Amendment 2: Improved RF test methods

17n2225t.pdf 17n2225F.doc

ISO/IEC 10373-7 Vicinity cards

17n1697t.pdf 17n1697c.doc

ISO/IEC 10536, Close-coupled cards

ISO/IEC 10536-1 Physical characteristics

17n1480t.PDF 17n1480c.doc
OmniKey CardMan 5321


Links

lsusb

dpavlin@klin:~$ sudo lsusb -v -d 076b:

Bus 003 Device 011: ID 076b:5321 OmniKey AG 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0         8
  idVendor           0x076b OmniKey AG
  idProduct          0x5321 
  bcdDevice            5.00
  iManufacturer           1 OMNIKEY
  iProduct                2 Smart Card Reader USB
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           93
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          3 CCID
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              250mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      ** UNRECOGNIZED:  36 21 00 01 00 07 03 00 00 00 c0 12 00 00 40 1f 00 00 04 00 2a 00 00 e7 4c 06 00 6a fe 00 00 00 07 00 00 00 00 00 00 00 b2 07 02 00 0f 01 00 00 ff ff 00 00 00 01
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              24
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x05  EP 5 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Device Status:     0x0000
  (Bus Powered)

PCSC

Install

dpavlin@klin:~$ sudo apt-get install pcsc-omnikey pcsc-tools

Usage

read RFID card in reader's range...

dpavlin@klin:~$ pcsc_scan 
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.5.5
Scanning present readers...
0: OMNIKEY CardMan 5x21 00 00
1: OMNIKEY CardMan 5x21 00 01

Mon Jan 18 13:59:04 2010
 Reader 0: OMNIKEY CardMan 5x21 00 00
  Card state: Card removed, 

Mon Jan 18 13:59:04 2010
 Reader 1: OMNIKEY CardMan 5x21 00 01
  Card state: Card removed, 

Mon Jan 18 13:59:08 2010
 Reader 1: OMNIKEY CardMan 5x21 00 01
  Card state: Card inserted, Shared Mode, 
  ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 0B 00 14 00 00 00 00 77

ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 0B 00 14 00 00 00 00 77
+ TS = 3B --> Direct Convention
+ T0 = 8F, Y(1): 1000, K: 15 (historical bytes)
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 
-----
  TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1 
-----
+ Historical bytes: 80 4F 0C A0 00 00 03 06 0B 00 14 00 00 00 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 4, len: F (initial access data)
      Initial access data: 0C A0 00 00 03 06 0B 00 14 00 00 00 00
+ TCK = 77 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 8F 80 01 80 4F 0C A0 00 00 03 06 0B 00 14 00 00 00 00 77
        Philips ICode
        RFID - ISO 15693 - Philips Semiconductors

Mon Jan 18 13:59:11 2010
 Reader 1: OMNIKEY CardMan 5x21 00 01
  Card state: Card removed, 

librfid

build from source

# build dependency
dpavlin@klin:/rest/cvs/librfid$ sudo apt-get install libusb-dev

# checkout source
dpavlin@klin:/rest/cvs$ svn co https://svn.gnumonks.org/trunk/librfid/
dpavlin@klin:/rest/cvs$ cd librfid/
dpavlin@klin:/rest/cvs/librfid$ ./autogen.sh

# build
dpavlin@klin:/rest/cvs/librfid$ ./configure --enable-ccid
dpavlin@klin:/rest/cvs/librfid$ make

test

# test
dpavlin@klin:/rest/cvs/librfid$ sudo ./utils/librfid-tool -s
lt-librfid-tool - (C) 2005-2008 by Harald Welte
This program is Free Software and has ABSOLUTELY NO WARRANTY

initializing librfid
opening reader handle OpenPCD, CM5x21
No OpenPCD found
scanning for RFID token...
Layer 2 success (ISO 15693):  eb 6e 77 1f 00 01 04 e0

read tag

dpavlin@klin:/rest/cvs/librfid$ sudo ./utils/librfid-tool -r -1
lt-librfid-tool - (C) 2005-2008 by Harald Welte
This program is Free Software and has ABSOLUTELY NO WARRANTY

initializing librfid
opening reader handle OpenPCD, CM5x21
No OpenPCD found
Layer2 init ok
Layer 2 success (ISO 15693)[8]: ' eb 6e 77 1f 00 01 04 e0'
block[  0:00]sec:0x8 data(4):  04 11 00 01
block[  1:01]sec:0x8 data(4):  31 33 30 32
block[  2:02]sec:0x8 data(4):  30 32 39 37
block[  3:03]sec:0x8 data(4):  31 30 00 00
block[  4:04]sec:0x8 data(4):  00 00 00 00
block[  5:05]sec:0x8 data(4):  00 00 00 00
block[  6:06]sec:0x8 data(4):  00 00 00 00
block[  7:07]sec:0x8 data(4):  00 00 00 00
block[  8:08]sec:0x8 data(4):  00 00 00 00
block[  9:09]sec:0x8 data(4):  00 00 00 00
block[ 10:0a]sec:0x8 data(4):  00 00 00 00
block[ 11:0b]sec:0x8 data(4):  00 00 00 00
block[ 12:0c]sec:0x8 data(4):  00 00 00 00
block[ 13:0d]sec:0x8 data(4):  00 00 00 00
block[ 14:0e]sec:0x8 data(4):  00 00 00 00
block[ 15:0f]sec:0x8 data(4):  00 00 00 00
block[ 16:10]sec:0x8 data(4):  00 00 00 00
block[ 17:11]sec:0x8 data(4):  00 00 00 00
block[ 18:12]sec:0x8 data(4):  00 00 00 00
block[ 19:13]sec:0x8 data(4):  00 00 00 00
block[ 20:14]sec:0x8 data(4):  00 00 00 00
block[ 21:15]sec:0x8 data(4):  00 00 00 00
block[ 22:16]sec:0x8 data(4):  00 00 00 00
block[ 23:17]sec:0x8 data(4):  00 00 00 00
block[ 24:18]sec:0x8 data(4):  00 00 00 00
block[ 25:19]sec:0x8 data(4):  00 00 00 00
block[ 26:1a]sec:0x8 data(4):  00 00 00 00
block[ 27:1b]sec:0x8 data(4):  57 5f 4f 4b
no data(read_block(28)>> -1)