Holistic NFC hacking 2012

From OpenPCD

[Figure: Bootable RFID & NFC Live Hacking system with libnfc and OpenPCD 2 RFID Reader/Writer/Emulator support]

[Figure: Sniffing ISO15693 RFID iCLASS SE transactions on a 13.56MHz carrier using a PicoScope 3204A and an OpenPICC SnifferOnly frontend]



The security of many RFID protocols depends on factors outside the protocol itself: owning the production process, controlling card and reader distribution, "magic" unique read-only IDs that are supposed to stop you from copying card content, and protocols hardwired into the card and reader chips or firmware that are supposed to stop you from tampering with the communication (man-in-the-middle, relay/remote forwarding, etc.).

Because of these "security features", a key requirement for evaluating and breaking RFID cards is full control over protocols and cards at the radio-frequency level. In last year's course we showed how to build and use RFID sniffers to reverse engineer unknown card protocols. This year we will teach you how to emulate 13.56MHz HF RFID cards and readers (ISO14443, ISO15693, NFC and proprietary) in software at the radio-frequency level.

This three-day hands-on course will teach you to emulate proprietary 13.56MHz reader and card protocols (ISO14443A, ISO15693, NFC and proprietary card chips) in software, and will show real-world attacks on prominent RFID card systems at the protocol level. It will show how to practically exploit weaknesses in the random number generation of RFID cards and how to perform card emulation to clone cards.


Random Recipes

Please check out our Fedora 17 x64 based bootable ISO image of the RFID OpenPCD 2 live CD/DVD, with OpenPCD 2 support for NFC and Mifare Classic cracking (64-bit x86 systems only). The following examples were all done in the live system.

update reader to the latest OpenPCD 2 firmware with libnfc support

Press both the RESET and FLASH buttons, then release RESET first, to switch OpenPCD 2 into programming mode. A mass storage device containing the current firmware image appears as a result; lpc-flash overwrites that image with the new one:

lpc-flash openpcd2-libnfc-LPC1342.bin /run/media/$USER/CRP\ DISABLD/firmware.bin

reading and analyzing the hotel door RFID card

Dump both hotel key cards:

# place card 1 on the reader & run mfoc to break the keys and dump the card content
mfoc -O hotel1.mfd
# place card 2 on the reader & run mfoc to break the keys of the second card
mfoc -O hotel2.mfd
# inspect one of the files
ghex hotel1.mfd 
# convert both binary dumps into text files
od -v -Ax -t x1 -w16 hotel1.mfd > hotel1.txt
od -v -Ax -t x1 -w16 hotel2.mfd > hotel2.txt
# highlight the differences between both key cards
meld hotel1.txt hotel2.txt
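meld shows where the bytes differ, but not what they mean. The following is an added example (not part of the OpenPCD page, nor an mfoc or libnfc tool) that parses two Mifare Classic 1K dumps in the .mfd layout mfoc writes, checks the manufacturer block BCC and the access-bit encoding of every sector trailer, reports which sectors still use factory keys, and lists the differing blocks by kind (manufacturer, data, trailer). The two embedded dumps, the site key 1a2b3c4d5e6f and the room/expiry payloads are constructed stand-ins for hotel1.mfd and hotel2.mfd; pass two real dump paths on the command line to use your own.

```python
#!/usr/bin/env python3
"""Parse and diff two Mifare Classic 1K dumps as written by mfoc (-O file.mfd).

Layout: 1024 bytes = 16 sectors x 4 blocks x 16 bytes. Block 0 is the read-only
manufacturer block (4-byte UID, BCC = XOR of the UID bytes, SAK/ATQA bytes,
manufacturer data). The last block of every sector is the trailer: key A (6),
access bits (3), general purpose byte (1), key B (6). mfoc fills the trailers
with the keys it recovered, so a diff shows both the changing data fields and
whether the two cards share the same site keys.
"""
import sys

BLOCK_LEN, BLOCKS_PER_SECTOR, DUMP_LEN_1K = 16, 4, 1024

# Factory/transport keys; a sector still using one of these needs no key recovery at all
DEFAULT_KEYS = {bytes.fromhex(k) for k in
                ("ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5", "d3f7d3f7d3f7")}


def blocks(dump: bytes) -> list:
    if len(dump) != DUMP_LEN_1K:  # 4K dumps have 16-block sectors above sector 31; not handled here
        raise ValueError(f"expected a 1K dump of {DUMP_LEN_1K} bytes, got {len(dump)}")
    return [dump[i:i + BLOCK_LEN] for i in range(0, DUMP_LEN_1K, BLOCK_LEN)]


def is_trailer(block_no: int) -> bool:
    return block_no % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1


def bcc_ok(dump: bytes) -> bool:
    """Block 0 byte 4 must be the XOR of the four UID bytes; anything else is a bad read."""
    return dump[0] ^ dump[1] ^ dump[2] ^ dump[3] == dump[4]


def access_bits_consistent(access: bytes) -> bool:
    """Trailer bytes 6..8 hold C1/C2/C3 (one bit per block) and their inverses:
    byte6 = ~C2|~C1, byte7 = C1|~C3, byte8 = C3|C2 (high|low nibble).
    A trailer failing this check is corrupt and permanently locks the sector if written back."""
    b6, b7, b8 = access
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return (c1 ^ (b6 & 0xF), c2 ^ (b6 >> 4), c3 ^ (b7 & 0xF)) == (0xF, 0xF, 0xF)


def access_conditions(access: bytes) -> list:
    """(C1, C2, C3) per block of the sector; index 3 is the trailer itself.
    (0,0,0) on a data block is the transport condition (everything allowed with key A or B)."""
    b6, b7, b8 = access
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def key_report(dump: bytes) -> dict:
    """sector -> (key A, key B, A is default?, B is default?, access bits valid?)"""
    report = {}
    for no, blk in enumerate(blocks(dump)):
        if is_trailer(no):
            key_a, access, key_b = blk[:6], blk[6:9], blk[10:16]
            report[no // BLOCKS_PER_SECTOR] = (key_a, key_b, key_a in DEFAULT_KEYS,
                                               key_b in DEFAULT_KEYS, access_bits_consistent(access))
    return report


def diff_dumps(a: bytes, b: bytes) -> list:
    """Blocks that differ between two dumps, with the differing byte offsets."""
    out = []
    for no, (ba, bb) in enumerate(zip(blocks(a), blocks(b))):
        if ba != bb:
            kind = "manufacturer" if no == 0 else "trailer" if is_trailer(no) else "data"
            out.append({"block": no, "sector": no // BLOCKS_PER_SECTOR, "kind": kind,
                        "offsets": [i for i in range(BLOCK_LEN) if ba[i] != bb[i]]})
    return out


# --- constructed sample data standing in for hotel1.mfd / hotel2.mfd (not real card dumps) ---
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
SITE_KEY = bytes.fromhex("1a2b3c4d5e6f")                           # made-up per-site key
SITE_TRAILER = SITE_KEY + bytes.fromhex("787788" "69") + SITE_KEY  # data blocks: read A|B, write B only


def build_sample(uid: bytes, payload: bytes) -> bytes:
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    blks = [bytes(BLOCK_LEN)] * (DUMP_LEN_1K // BLOCK_LEN)
    blks[0] = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)  # SAK 08, ATQA 04 00, filler
    blks[4] = payload.ljust(BLOCK_LEN, b"\x00")               # sector 1, first data block
    for no in range(len(blks)):
        if is_trailer(no):
            # sectors 0 and 15 left in transport configuration, the rest keyed by the "site"
            blks[no] = TRANSPORT_TRAILER if no // BLOCKS_PER_SECTOR in (0, 15) else SITE_TRAILER
    return b"".join(blks)


SAMPLE_1 = build_sample(bytes.fromhex("04362609"), b"ROOM1203 120710")
SAMPLE_2 = build_sample(bytes.fromhex("04362610"), b"ROOM1204 120712")


def main(argv):
    a, b = ((open(argv[1], "rb").read(), open(argv[2], "rb").read())
            if len(argv) == 3 else (SAMPLE_1, SAMPLE_2))
    for name, d in (("card 1", a), ("card 2", b)):
        print(f"{name}: UID {d[:4].hex()} BCC {'ok' if bcc_ok(d) else 'BAD'}")
        for sec, (ka, kb, da, db, ok) in key_report(d).items():
            flags = ("default-A " if da else "") + ("default-B " if db else "") + ("" if ok else "BAD-ACCESS-BITS")
            print(f"  sector {sec:2d}: A={ka.hex()} B={kb.hex()} {flags}")
    for diff in diff_dumps(a, b):
        print(f"block {diff['block']:2d} ({diff['kind']}, sector {diff['sector']}) differs at offsets {diff['offsets']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python3 mfd_diff.py hotel1.mfd hotel2.mfd`. A diff confined to block 0 and a few data blocks, with identical trailers on both cards, tells you the site uses one key set for all its cards: recovering the keys once is enough to read and rewrite any card of that hotel, and the differing data offsets are where the room and validity fields live.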

creating an NDEF-based NFC tag

Create an NDEF-formatted link:

ndef-encode openpcd.ndef -sp "" -t " web site" "en-US" -s-

Store the link on a Mifare DESFire card (format the card, create the NDEF application, write the message; -y skips the confirmation prompt, and the format step erases everything already on the card):

mifare-desfire-format -y
mifare-desfire-create-ndef -y
mifare-desfire-write-ndef -i openpcd.ndef

Emulate an NFC Forum Type 4 tag serving the same NDEF message with OpenPCD 2:

nfc-emulate-forum-tag4 openpcd.ndef
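To see what ndef-encode produces and what the emulated tag hands to a phone, here is an added example (not code from the OpenPCD page, ndef-encode or libnfc) that builds an NDEF Smart Poster, a URI record plus a title Text record with a language code, and parses it back. The -t text/language arguments on this page suggest a Smart Poster, but that is an assumption about the tool; the URL http://www.example.org/, the title and the output file name example.ndef are constructed placeholders. The decoder checks every length field against the buffer before using it, because a tag is attacker-controlled input to whatever reads it.

```python
#!/usr/bin/env python3
"""Encode and parse NDEF messages: URI ("U"), Text ("T") and Smart Poster ("Sp") records.

Record header: flags byte (MB 0x80 first record, ME 0x40 last, CF 0x20 chunked,
SR 0x10 short record, IL 0x08 id present, low 3 bits TNF), TYPE_LENGTH, then
PAYLOAD_LENGTH (1 byte if SR else 4 bytes big-endian), optional ID_LENGTH, TYPE,
ID, PAYLOAD. A Smart Poster payload is itself a complete NDEF message.
"""
import struct

MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01
# URI RTD abbreviation table (first entries; the spec continues up to 0x23 "urn:nfc:")
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
                0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def encode_uri_payload(uri: str) -> bytes:
    """The longest matching prefix is replaced by its one-byte code."""
    code, prefix = max(((c, p) for c, p in URI_PREFIXES.items() if uri.startswith(p)),
                       key=lambda cp: len(cp[1]))
    return bytes([code]) + uri[len(prefix):].encode("utf-8")


def decode_uri_payload(p: bytes) -> str:
    if not p or p[0] not in URI_PREFIXES:
        raise ValueError("unknown URI prefix code")
    return URI_PREFIXES[p[0]] + p[1:].decode("utf-8")


def encode_text_payload(text: str, lang: str = "en-US") -> bytes:
    lang_b = lang.encode("ascii")
    if len(lang_b) > 0x3F:
        raise ValueError("language code too long")
    return bytes([len(lang_b)]) + lang_b + text.encode("utf-8")  # status bit 7 clear: UTF-8


def decode_text_payload(p: bytes) -> tuple:
    if not p:
        raise ValueError("empty text payload")
    n = p[0] & 0x3F
    if len(p) < 1 + n:
        raise ValueError("truncated language code")
    return p[1:1 + n].decode("ascii"), p[1 + n:].decode("utf-16" if p[0] & 0x80 else "utf-8")


def encode_record(rtype: bytes, payload: bytes, first: bool, last: bool) -> bytes:
    flags = TNF_WELL_KNOWN | (MB if first else 0) | (ME if last else 0)
    if len(payload) < 256:
        return bytes([flags | SR, len(rtype), len(payload)]) + rtype + payload
    return bytes([flags, len(rtype)]) + struct.pack(">I", len(payload)) + rtype + payload


def encode_message(records: list) -> bytes:
    """records: list of (type, payload) well-known records."""
    return b"".join(encode_record(t, p, i == 0, i == len(records) - 1)
                    for i, (t, p) in enumerate(records))


def decode_message(msg: bytes) -> list:
    """-> [(tnf, type, payload)]; rejects truncated, chunked or mis-flagged messages."""
    records, off = [], 0
    while off < len(msg):
        if off + 3 > len(msg):
            raise ValueError("truncated record header")
        flags, tlen = msg[off], msg[off + 1]
        if flags & CF:
            raise ValueError("chunked records not supported")
        if bool(flags & MB) != (off == 0):
            raise ValueError("MB flag inconsistent with record position")
        off += 2
        if flags & SR:
            plen, off = msg[off], off + 1
        else:
            if off + 4 > len(msg):
                raise ValueError("truncated payload length")
            plen, off = struct.unpack(">I", msg[off:off + 4])[0], off + 4
        ilen = 0
        if flags & IL:
            if off >= len(msg):
                raise ValueError("truncated id length")
            ilen, off = msg[off], off + 1
        end = off + tlen + ilen + plen
        if end > len(msg):
            raise ValueError("record overruns message")
        rtype, payload = msg[off:off + tlen], msg[off + tlen + ilen:end]
        records.append((flags & 0x07, rtype, payload))
        off = end
        if flags & ME:
            if off != len(msg):
                raise ValueError("trailing data after ME record")
            return records
    raise ValueError("message has no ME record")


def smart_poster(uri: str, title: str, lang: str = "en-US") -> bytes:
    inner = encode_message([(b"U", encode_uri_payload(uri)), (b"T", encode_text_payload(title, lang))])
    return encode_message([(b"Sp", inner)])


def parse_smart_poster(msg: bytes) -> dict:
    (tnf, rtype, payload), = decode_message(msg)
    if tnf != TNF_WELL_KNOWN or rtype != b"Sp":
        raise ValueError("not a single Smart Poster record")
    out = {}
    for _, t, p in decode_message(payload):
        if t == b"U":
            out["uri"] = decode_uri_payload(p)
        elif t == b"T":
            out["lang"], out["title"] = decode_text_payload(p)
    return out


if __name__ == "__main__":
    data = smart_poster("http://www.example.org/", "Example web site")  # constructed placeholders
    with open("example.ndef", "wb") as f:   # raw NDEF message, assumed to be what the tools above consume
        f.write(data)
    print(data.hex(), parse_smart_poster(data))
```

The raw message is 48 bytes for this input: one Sp record whose 43-byte payload holds the URI record (prefix code 0x01 standing for "http://www.") and the Text record (status byte 0x05 = UTF-8, five-character language code). Whether the written file can be fed to mifare-desfire-write-ndef and nfc-emulate-forum-tag4 unchanged is an assumption here; compare it against the output of ndef-encode on the live system.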

compiling the latest OpenPCD 2 source code and flashing the firmware

Switch OpenPCD 2 into programming mode as above (press both the RESET and FLASH buttons, release RESET first) so that the mass storage device with the firmware image appears; the flash target of the Makefile then writes the freshly built image to it.

OpenPCD 2 is also capable of running in a stand-alone mode in which the RFID protocol is handled by the onboard ARM CPU rather than by libnfc on the host. For a stand-alone firmware example, refer to firmware/lpc13xx/openpcd2; its src/main.c shows the interface for talking to the PN532 chip and for sending data to the host over USB serial (CDC ACM). To build and flash the libnfc firmware variant used in the rest of this page:

cd openbeacon/firmware/lpc13xx/openpcd2-libnfc
make clean flash

Talking directly to the RFID reader chip on OpenPCD 2

Please check the PN532 datasheet for details on the RFID chip protocol (starting at page 65).

The transcript below comes from an interactive PN532 command shell on the live system (the page does not name the tool; libnfc's pn53x-tamashell produces this format). You type the raw PN532 command bytes without the D4 host-to-chip prefix, and the Rx line shows only the response data after the D5 prefix and the response code (command code + 1); frame preamble, length and checksum bytes are handled by the shell.

# NFC reader: pn532_uart:/dev/ttyACM0 opened

Getting the firmware version (see GetFirmwareVersion, page 73):

> 02
Tx: 02  
Rx: 32  01  04  07  

Scanning for cards (see InListPassiveTarget, page 115):

> 4A 01 00
Tx: 4a  01  00  
Rx: 01  01  03  44  20  07  04  36  26  a9  b2  1c  80  06  75  77  81  02  80  

Byte 6 of the response (counting from 1) is the UID length (07), and the 7-byte UID 04 36 26 a9 b2 1c 80 follows it. The bytes before it are NbTg (01: one target found), Tg (01: target number), SENS_RES/ATQA (03 44) and SEL_RES/SAK (20; bit 0x20 set means the card supports ISO14443-4). After the UID comes the ATS (06 75 77 81 02 80, the first byte being its length including itself), which the PN532 appends only for ISO14443-4 capable cards.
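To make the framing the shell hides visible, here is an added example (not from the OpenPCD page, libnfc or NXP) that builds complete PN532 host frames for the two commands above and parses response frames, including the checksum checks and the InListPassiveTarget field layout just described. The two response frames are constructed here from the Rx bytes shown on this page, re-wrapped with the D5 prefix, response code and checksums; everything else follows the PN532 user manual's normal information frame format.

```python
#!/usr/bin/env python3
"""PN532 host-controller framing and response parsing.

Normal information frame (both directions):
  00 00 FF LEN LCS TFI DATA... DCS 00
LEN counts TFI+DATA, LCS = -LEN mod 256, TFI is D4 (host->PN532) or D5
(PN532->host), DCS = -(TFI + sum(DATA)) mod 256. The response to command
code C carries C+1 as its first data byte. The ACK frame is 00 00 FF 00 FF 00.
"""

PREAMBLE_START = bytes.fromhex("0000ff")
ACK_FRAME = bytes.fromhex("0000ff00ff00")
TFI_HOST_TO_PN532, TFI_PN532_TO_HOST = 0xD4, 0xD5
CMD_GET_FIRMWARE_VERSION, CMD_IN_LIST_PASSIVE_TARGET = 0x02, 0x4A


def wrap_frame(tfi: int, data: bytes) -> bytes:
    """Normal frame only; payloads over 254 bytes need the extended frame (not implemented)."""
    length = len(data) + 1
    if length > 255:
        raise ValueError("payload too long for a normal frame")
    lcs = (-length) & 0xFF
    dcs = (-(tfi + sum(data))) & 0xFF
    return PREAMBLE_START + bytes([length, lcs, tfi]) + data + bytes([dcs, 0x00])


def build_command(cmd: bytes) -> bytes:
    """What actually goes over the serial link for an input line such as '4A 01 00'."""
    return wrap_frame(TFI_HOST_TO_PN532, cmd)


def parse_frame(frame: bytes) -> tuple:
    """-> (tfi, data); (None, b'') for an ACK. Rejects anything that is not a checksum-valid frame."""
    if frame == ACK_FRAME:
        return None, b""
    if len(frame) < 7 or frame[:3] != PREAMBLE_START:
        raise ValueError("not a PN532 frame")
    length, lcs = frame[3], frame[4]
    if (length + lcs) & 0xFF != 0:
        raise ValueError("length checksum mismatch")
    if len(frame) < 5 + length + 2:
        raise ValueError("frame shorter than LEN claims")
    body = frame[5:5 + length]          # TFI + DATA
    dcs = frame[5 + length]
    if (sum(body) + dcs) & 0xFF != 0:
        raise ValueError("data checksum mismatch")
    return body[0], bytes(body[1:])


def parse_firmware_version(data: bytes) -> dict:
    """GetFirmwareVersion response data: 03 IC Ver Rev Support (0x32 = PN532)."""
    if len(data) != 5 or data[0] != CMD_GET_FIRMWARE_VERSION + 1:
        raise ValueError("not a GetFirmwareVersion response")
    return {"ic": data[1], "ver": data[2], "rev": data[3], "support": data[4]}


def parse_in_list_passive_target(data: bytes) -> list:
    """InListPassiveTarget (106 kbps type A) response:
    4B NbTg { Tg SENS_RES(2) SEL_RES NFCIDLen NFCID1 [ATS] }.
    The ATS is present only for ISO14443-4 cards (SEL_RES bit 0x20); its first byte counts itself."""
    if len(data) < 2 or data[0] != CMD_IN_LIST_PASSIVE_TARGET + 1:
        raise ValueError("not an InListPassiveTarget response")
    targets, off = [], 2
    for _ in range(data[1]):
        if off + 5 > len(data):
            raise ValueError("truncated target descriptor")
        tg, atqa, sak, n = data[off], data[off + 1:off + 3], data[off + 3], data[off + 4]
        off += 5
        if off + n > len(data):
            raise ValueError("truncated UID")
        uid, off = data[off:off + n], off + n
        ats = b""
        if sak & 0x20:
            if off >= len(data) or data[off] == 0 or off + data[off] > len(data):
                raise ValueError("truncated ATS")
            ats, off = data[off:off + data[off]], off + data[off]
        targets.append({"tg": tg, "atqa": bytes(atqa), "sak": sak, "uid": bytes(uid), "ats": bytes(ats)})
    if off != len(data):
        raise ValueError("trailing bytes after targets")
    return targets


# Constructed response frames carrying the Rx byte sequences shown on this page
FW_RESPONSE = wrap_frame(TFI_PN532_TO_HOST, bytes.fromhex("03 32 01 04 07"))
INLIST_RESPONSE = wrap_frame(TFI_PN532_TO_HOST,
                             bytes.fromhex("4b 01 01 03 44 20 07 04 36 26 a9 b2 1c 80 06 75 77 81 02 80"))

if __name__ == "__main__":
    print("Tx frame:", build_command(bytes([CMD_GET_FIRMWARE_VERSION])).hex(" "))
    print("firmware:", parse_firmware_version(parse_frame(FW_RESPONSE)[1]))
    print("Tx frame:", build_command(bytes.fromhex("4a0100")).hex(" "))
    for t in parse_in_list_passive_target(parse_frame(INLIST_RESPONSE)[1]):
        print(f"target {t['tg']}: ATQA {t['atqa'].hex()} SAK {t['sak']:02x} UID {t['uid'].hex()} ATS {t['ats'].hex()}")
```

The firmware bytes 32 01 04 07 decode to IC PN532, version 1.4, supporting ISO14443A, ISO14443B and ISO18092 (bits 0..2 of the support byte). The parser refuses frames with bad checksums and target descriptors whose length fields run past the buffer, which is what you want when the bytes come from a serial link or from a card you do not trust.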

Converting sniffed binaries to WAV-files

Record the sniff with PicoRFID-3K at 15.5MHz. Use sox to convert the recorded raw binary log file (signed 16-bit, one channel) into a WAV file for review in Audacity. Note that -r only sets the sample rate written into the WAV header: 15625 means 15.625 kHz, so unless it equals the real capture rate the Audacity time axis is scaled by that ratio (a thousandfold for a capture in the 15 MHz range). Please visit OpenPICC SnifferOnly front end for more information.

sox -2 -b 16 -s -c 1 -r 15625 -t raw dump-003.img dump-003.wav