Live RFID Hacking System

From OpenPCD




Bootable RFID Live Hacking System

Breaking Mifare Classic using bootable Live DVD tutorial video - breaking derived keys with mfoc for two cards and comparing card using kdiff3
Shows the captured waveform with the demodulated LF RFID tag data using our LF RFID frontend for USB soundcards

The bootable Live RFID Hacking System contains a ready-to-use set of hacking tools for breaking and analyzing MIFARE Classic RFID cards and other well-known card formats. It is built around PCSC-lite, the free CCID driver and libnfc, which together give access to some of the most common RFID readers. See our tutorial video for a quick introduction on how to break MIFARE Classic card keys using our Live RFID Hacking System.

This RFID Live Hacking System is superseded by our OpenPCD 2 reader with libnfc support - you can download the latest ISO image here. This page is only kept for historical reasons.

The MFOC/MFCUK tools of the Live system do not work inside virtualization software such as VMware: virtualization appears to break the timing requirements of the MIFARE Classic attack tools, so boot from the CD/DVD on real hardware instead.

Suggested RFID Reader for MIFARE Classic key recovery for this live system

Tikitag USB RFID reader versus MIFARE classic room card of the Montreal Hyatt Regency Hotel @ RECON2011. Happy Hacking!

Please use the ACR122U102 Tikitag RFID reader (firmware v1.02) for MIFARE key extraction. Later versions or compatible models may work, but some later firmware revisions (ACR122U207) seem to crash while breaking MIFARE Classic with mfcuk/mfoc. For normal use with known keys the other compatible readers should be fine. Please send me a note if you successfully used another reader for key extraction with our Live CD; mfoc shows the reader firmware version when it runs.

Note for touchatag reader users

If the pcscd daemon bails out on a touchatag reader with:

00000012 ccid_usb.c:901:ccid_check_firmware() Firmware (1.00) is bogus! Upgrade the reader firmware or get a new reader.
00000039 ifdhandler.c:101:IFDHCreateChannelByName() failed
00000015 readerfactory.c:990:RFInitializeReader() Open Port 200000 Failed

edit /usr/local/openpcd/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist and change the value of the ifdDriverOptions key from 0x0000 to 0x0005, then restart pcscd. Bit 0x0004 (DRIVER_OPTION_USE_BOGUS_FIRMWARE in the CCID driver's ccid.h) makes the driver skip the firmware version check; bit 0x0001 (DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED) additionally lets applications send CCID escape commands, which libnfc relies on for the ACR122 family.
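The edit above as a small shell script, added here as an example (it is not part of the Live CD, of PCSC-lite or of the CCID driver). It reads and rewrites the ifdDriverOptions value in a CCID Info.plist; the Live CD path is taken from this page, the option bit values from ccid.h, and the sample plist in the demo is constructed.

```shell
# Added example: switch ifdDriverOptions in a CCID Info.plist from 0x0000 to
# 0x0005 so pcscd stops rejecting a reader that reports a "bogus" firmware.
# 0x0005 = DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED (0x0001, allows CCID escape
# commands, needed by libnfc for ACR122 readers) | DRIVER_OPTION_USE_BOGUS_FIRMWARE
# (0x0004, skips the firmware version check). Bit values are from ccid.h.

# Path used on the Live CD (from the page); a distro package usually has the
# bundle under /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist.
CCID_PLIST_DEFAULT=/usr/local/openpcd/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist

# Print the current ifdDriverOptions value: the <string> on the line after the key.
ccid_get_driver_options() {
    sed -n '/<key>ifdDriverOptions<\/key>/{n;s/.*<string>\(0x[0-9A-Fa-f]*\)<\/string>.*/\1/p;}' "$1"
}

# Rewrite the value (default 0x0005). A temp file is used instead of sed -i so
# the function works with both GNU and BSD sed. Fails if the key is absent.
ccid_set_driver_options() {
    plist=$1
    value=${2:-0x0005}
    [ -n "$(ccid_get_driver_options "$plist")" ] || return 1
    tmp="$plist.tmp.$$"
    sed "/<key>ifdDriverOptions<\/key>/{n;s/<string>0x[0-9A-Fa-f]*<\/string>/<string>$value<\/string>/;}" "$plist" > "$tmp" \
        && mv "$tmp" "$plist"
}

# Constructed excerpt of an Info.plist, so the script can be run stand-alone.
ccid_demo() {
    demo="${TMPDIR:-/tmp}/ccid-demo-$$.plist"
    cat > "$demo" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>ifdDriverOptions</key>
	<string>0x0000</string>
	<key>ifdLogLevel</key>
	<string>0x0003</string>
</dict>
</plist>
EOF
    echo "before: $(ccid_get_driver_options "$demo")"
    ccid_set_driver_options "$demo"
    echo "after:  $(ccid_get_driver_options "$demo")"
    rm -f "$demo"
}

ccid_demo
```

On the Live CD call ccid_set_driver_options "$CCID_PLIST_DEFAULT" as root and restart pcscd; pcscd only reads Info.plist when it starts.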

Checksums

Fedora-15-x86_64-Live-RFID-v02.iso

SHA256: 79373eaef0accbcf348dda456356b7f22dd7c06653dbdf2d968fce4654db2daa
MD5   : c8ef5ec1fcba012cd3b30f0c9e7579de
SHA1  : da54d9a0959dc8aa7668e37610a665a957f51ae2

Check the SHA256 value when verifying the download; MD5 and SHA1 are no longer collision resistant.

Tools Installed

The most important tools are highlighted. The Fedora 15 based Live Desktop system runs the GNOME 3 desktop: move the mouse cursor to the upper-left corner to get a list of installed applications.

General Purpose Tools

Our LF RFID sniffer frontend for USB soundcards
(Too tired after recon.cx to draw the schematics better than that :) Stay tuned for the next version including tag emulation.)
  • pcscd - you need to run this daemon in a separate terminal before running any RFID reader related tools in this bootable Live distribution. We use a wrapper script which calls pcscd as root with the correct parameters.
  • baudline FFT signal analyzer for sniffing LF RFID tags using our sound card based RFID sniffer/emulator (more information soon!).
  • hexdump & od for converting binary dumps into hexfiles for easier editing and kdiff3 difference analysis.
  • kdiff3 - for displaying differences between card hexdump text files
  • vbindiff - for displaying difference between card dump binary files
  • bsdiff/bspatch - binary diff/patch tool
  • lsnfc (for guessing the card type)
  • gtkterm serial console utility.
  • nfc-anticol (runs full ISO14443A anticollision)
  • nfc-list
  • pn53x-diagnose
  • pn53x-sam
  • pn53x-tamashell
  • RSA_SecurID_getpasswd

MIFARE Classic Tools

  • mfoc (recovery of MIFARE Classic card keys if at least one sector has a known key - run this tool first)
  • mfcuk (MFCUK - MiFare Classic Universal toolKit - recovery of MIFARE Classic card keys if no sector key is known. This wrapper script changes to the fingerprint directory automatically)
  • mfcuk_keyrecovery_darkside (same as above)
  • nfc-mfclassic (use this tool to read cards with the keys recovered by mfoc/mfcuk, or to copy card dumps produced by the tools above onto new cards)
  • mifare-classic-format
  • mifare-classic-write-ndef
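The hexdump/kdiff3 comparison workflow listed under General Purpose Tools, and the dump files mfoc and nfc-mfclassic produce, as an added shell example (written for this page; not a tool on the Live CD and not part of mfoc or libnfc). It renders a raw MIFARE Classic dump (16-byte blocks back to back) as annotated hex text, lists the blocks that differ between two cards, and splits a sector trailer into key A, access bits and key B. The block/sector layout is the MIFARE Classic one; the file names and the two sample dumps are constructed.

```shell
# Added example: inspect and compare MIFARE Classic dump files (.mfd) with
# od, awk, paste and dd only, so it runs on the Live CD or any POSIX system.

# One line per block: block number, sector, block role, 32 hex digits.
# 1K cards have 16 sectors of 4 blocks; 4K cards add sectors 32..39 with
# 16 blocks each. The last block of each sector is the trailer with the keys.
mfc_dump_to_text() {
    od -An -v -tx1 "$1" | awk '
    NF == 0 { next }
    {
        blk = NR - 1
        if (blk < 128) { sector = int(blk / 4); last = (blk % 4 == 3) }
        else { sector = 32 + int((blk - 128) / 16); last = ((blk - 128) % 16 == 15) }
        hex = ""
        for (i = 1; i <= NF; i++) hex = hex $i
        role = last ? "trailer" : (blk == 0 ? "manufacturer" : "data")
        printf "block %3d sector %2d %-12s %s\n", blk, sector, role, hex
    }'
}

# Print the numbers of the blocks whose contents differ between two dumps,
# one per line. Loading the annotated text of both cards into kdiff3 shows
# the same differences visually.
mfc_changed_blocks() {
    ta="${TMPDIR:-/tmp}/mfc-a.$$"; tb="${TMPDIR:-/tmp}/mfc-b.$$"
    od -An -v -tx1 "$1" > "$ta"
    od -An -v -tx1 "$2" > "$tb"
    paste "$ta" "$tb" | awk -F '\t' 'NF == 2 && $1 != $2 { print NR - 1 }'
    rm -f "$ta" "$tb"
}

# Split the trailer of sector $2 of dump $1: key A (bytes 0-5), access bits
# plus user byte (6-9), key B (10-15). A dump read straight from a card has
# zeros in the key fields, because a Classic card never returns its keys;
# mfoc writes the keys it recovered into the trailers of the dump it saves.
mfc_trailer_keys() {
    if [ "$2" -lt 32 ]; then blk=$(($2 * 4 + 3)); else blk=$((128 + ($2 - 32) * 16 + 15)); fi
    od -An -v -tx1 "$1" | awk -v n=$((blk + 1)) -v s="$2" 'NR == n {
        hex = ""
        for (i = 1; i <= NF; i++) hex = hex $i
        printf "sector %d keyA=%s access=%s keyB=%s\n", s, substr(hex, 1, 12), substr(hex, 13, 8), substr(hex, 21, 12)
    }'
}

# Constructed 1K dumps: card B differs from card A in key A of sector 0 and in
# one byte of block 4, the kind of per-card difference the comparison exposes.
mfc_demo() {
    d="${TMPDIR:-/tmp}/mfc-demo.$$"; mkdir -p "$d"
    dd if=/dev/zero of="$d/cardA.mfd" bs=16 count=64 2>/dev/null
    cp "$d/cardA.mfd" "$d/cardB.mfd"
    printf '\377\377\377\377\377\377' | dd of="$d/cardB.mfd" bs=1 seek=48 conv=notrunc 2>/dev/null
    printf 'X' | dd of="$d/cardB.mfd" bs=1 seek=64 conv=notrunc 2>/dev/null
    mfc_dump_to_text "$d/cardB.mfd" | sed -n '1,4p'
    echo "changed blocks: $(mfc_changed_blocks "$d/cardA.mfd" "$d/cardB.mfd" | tr '\n' ' ')"
    mfc_trailer_keys "$d/cardB.mfd" 0
    rm -r "$d"
}

mfc_demo
```

With real dumps, run mfc_dump_to_text on each mfoc output file and compare the results in kdiff3; blocks that differ only in the trailer point at per-card (for example UID-derived) keys, blocks that differ in data point at card-specific content.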

MIFARE Ultralight Tools

  • nfc-mfultralight

MIFARE Desfire Tools

  • mifare-desfire-access
  • mifare-desfire-ev1-configure-ats
  • mifare-desfire-ev1-configure-default-key
  • mifare-desfire-ev1-configure-random-uid
  • mifare-desfire-format
  • mifare-desfire-info
  • mifare-desfire-write-ndef

Near Field Communication Tools

  • nfc-dep-initiator
  • nfc-dep-target
  • nfc-emulate-forum-tag2
  • nfc-emulate-forum-tag4
  • nfc-emulate-tag
  • nfc-emulate-uid
  • nfc-poll
  • nfc-relay
  • nfc-relay-picc
