Proximity-card relay and cloning: copy your access card, shopping card or meal card. Is your card still safe?

Read this and then ask yourself: is your meal card still safe?

For testing purposes only.

// What's NFC? KFC? ... no.

Near Field Communication (NFC) is a short-range wireless technology in which devices (such as mobile phones) communicate when brought within a few centimetres of each other. It is an evolutionary step in combining contactless RFID with interconnection: by integrating an inductive reader, a proximity card and peer-to-peer communication on a single chip, a mobile terminal can be used for mobile payment, e-ticketing, access control, mobile identification, anti-counterfeiting and other applications. Developed by Philips and Sony, it is a contactless identification and interconnection technology that enables close-range wireless communication between mobile devices, consumer electronics, PCs and smart control devices. NFC gives consumers a simple, touch-based way to exchange information and to access content and services.

The approach relies on the software card emulation that CyanogenMod 9 (CM9) ROMs exposed through their NFC tag read/write feature. Stock Google builds of that era did not expose it; from Android 4.4 onwards Google added its own host card emulation (HCE) API for card emulation, but HCE only hands an app APDUs after an application has been selected, which is why this tutorial uses CM's lower-level emulation.

Devices with NFC, such as phones and bracelets, can emulate an IC card: the data of a community access card, meal card or similar IC card is copied onto the device's NFC chip, and afterwards the device is tapped on the reader in place of the card.

With it you can intercept all the tag data of the 13.56 MHz NFC protocols that Android phones support. Black-box testing of contactless NFC has never had a really good option: either it is too high-end (professional equipment) or not good enough (a proxmark3 isn't cheap, sniffing over the air is unstable, there is no ready-made solution, and convenience and interactivity are poor). nfcproxy gives those of us who only occasionally need to test a low-cost, efficient solution: it supports a range of NFC tags and the ISO 14443 standard, the captured APDU data is complete and stable, and the Android app's source is simple to build on; anyone who can write a bit of Java can modify it. From this app several test methods follow:

1. sniffing the data exchanged between the card and the terminal

2. modifying data during the exchange

3. emulating the card

Most important of all, it is simple: buy a second-hand phone for two hundred yuan and you are set.
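To make the three test methods concrete, here is an added example (my own code, not nfcproxy's source) that models the relay in Python: a simulated card answers on the relay side, a proxy side tunnels each command APDU over TCP, records the exchange (sniffing), and can pass responses through a mutate hook (modification). The SELECT PPSE command and its FCI response are constructed sample bytes, the 2-byte length framing is an assumption rather than nfcproxy's actual wire protocol, and SimCard stands in for Android's IsoDep.transceive().

```python
import socket
import struct
import threading

# Constructed sample traffic, not captured from a real card: the SELECT PPSE
# command a contactless POS sends first, and a plausible FCI response.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
PPSE_FCI = bytes.fromhex(
    "6F1A840E325041592E5359532E4444463031A5088801015F2D02656E9000")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")


class SimCard:
    """Stands in for IsoDep.transceive() on the relay phone: a lookup table."""

    def __init__(self, table):
        self.table = table
        self.log = []

    def transceive(self, capdu):
        rapdu = self.table.get(capdu, SW_FILE_NOT_FOUND)
        self.log.append((capdu, rapdu))
        return rapdu


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def send_frame(sock, data):
    # Assumed framing: 2-byte big-endian length prefix, so an APDU is never
    # split or merged by TCP.  nfcproxy's real wire format is not shown here.
    sock.sendall(struct.pack(">H", len(data)) + data)


def recv_frame(sock):
    hdr = _recv_exact(sock, 2)
    return None if hdr is None else _recv_exact(sock, struct.unpack(">H", hdr)[0])


def serve_card(listener, card):
    """Relay side: every frame from the proxy phone goes to the card and back."""
    conn, _ = listener.accept()
    with conn:
        while True:
            capdu = recv_frame(conn)
            if capdu is None:          # proxy phone hung up
                break
            send_frame(conn, card.transceive(capdu))


class ProxyPhone:
    """Proxy side: the POS talks to this; each C-APDU is tunnelled over TCP."""

    def __init__(self, host, port, mutate=None):
        self.sock = socket.create_connection((host, port))
        self.mutate = mutate       # optional hook for method 2, modifying data
        self.trace = []            # method 1, the sniffed exchange

    def process_command(self, capdu):
        send_frame(self.sock, capdu)
        rapdu = recv_frame(self.sock)
        if rapdu is None:
            raise ConnectionError("relay phone closed the tunnel")
        if self.mutate is not None:
            rapdu = self.mutate(capdu, rapdu)
        self.trace.append((capdu, rapdu))
        return rapdu

    def close(self):
        self.sock.close()


def swap_language(capdu, rapdu):
    """Example MITM hook: change the card's language preference (tag 5F2D)
    from 'en' to 'zh' on its way back to the POS."""
    return rapdu.replace(bytes.fromhex("5F2D02656E"), bytes.fromhex("5F2D027A68"))


def run_relay(commands, mutate=None):
    """Drive one POS<->card session through the tunnel on localhost and
    return the trace as a list of (C-APDU, R-APDU) pairs."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    card = SimCard({SELECT_PPSE: PPSE_FCI})
    relay = threading.Thread(target=serve_card, args=(listener, card), daemon=True)
    relay.start()
    proxy = ProxyPhone("127.0.0.1", listener.getsockname()[1], mutate)
    try:
        for capdu in commands:
            proxy.process_command(capdu)
    finally:
        proxy.close()
        relay.join(timeout=5)
        listener.close()
    return proxy.trace


if __name__ == "__main__":
    for capdu, rapdu in run_relay([SELECT_PPSE, bytes.fromhex("00A4040000")]):
        print("POS > card %s\ncard > POS %s" % (capdu.hex(), rapdu.hex()))
```

Replacing SimCard with a real IsoDep.transceive() and the POS loop with the frames the emulated card receives is all that separates this from the two-phone setup described later; the trace is what the app's export-to-file writes out, and the mutate hook is where the "dynamic modification" mentioned at the end of the article would go.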

Hardware requirements:

Two Android phones with NFC (the cheapest ones on Xianyu, under 300 yuan, will do); a POS terminal with a contactless reader, or a plain card reader (a POS is best; I have one that supports UnionPay QuickPass); your own bank card that supports contactless payment, i.e. one carrying the UnionPay QuickPass logo.

1. An Android phone that runs a CM9-based ROM

I used Google's own Nexus S; the ROM is slim 4.3 build 2-OFFICIAL-1332, a customized build based on CM, Android 4.3.1. I bought mine early and paid a bit more; today buy one used on Xianyu. You don't need this exact model: the later Nexus generations are also cheap and worth considering, and a OnePlus One can be considered too, though it costs a bit more. In theory anything that can run CM9 will do, but the CM site has aged and the old ROM builds are hard to find, so first locate an old ROM for the phone you have in mind and then decide what to buy.

2. An Android phone with NFC (preferably one that also supports CM9)

I used a Samsung GALAXY S2 T-Mobile version, SGH-T989 Hercules, with CM version 11-20160815-NIGHTLY-hercules, Android 4.4.4. CM11 seems to have removed software card emulation, but this phone only reads the card, so I didn't bother downgrading the ROM; it is enough that it works. As long as the ROM isn't something too exotic it should work in theory; to be safe I'd pick a phone that CM supports.

Software requirements:

There is a complete working implementation that you can install as packaged. For my own convenience I also integrated the emv-bertlv library, so the captured exchange can be unpacked (TLV-decoded) directly inside the app. You can try it at my github address:

Local app package download:
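As an added example (not the emv-bertlv library and not the app's own code), the following Python parser shows what "unpacking the data" means: it walks the BER-TLV encoding used in EMV responses, handling multi-byte tags such as 5F2D, long-form lengths and nested constructed templates. The FCI bytes are a constructed sample of a card's answer to SELECT PPSE, and the trailing 9000 status word is split off before parsing.

```python
def parse_tlv(data, start=0, end=None):
    """Parse BER-TLV bytes into a list of (tag, value) pairs.

    Constructed tags (bit 0x20 of the first tag byte set) carry a nested
    list; primitive tags carry raw bytes.  Tags are ints, e.g. 0x5F2D.
    """
    end = len(data) if end is None else end
    items = []
    i = start
    while i < end:
        if data[i] in (0x00, 0xFF):          # padding between objects
            i += 1
            continue
        # Tag: more bytes follow when the low five bits are all set, and each
        # continuation byte has its high bit set if another one follows.
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if data[i - 1] & 0x80 == 0:
                    break
        # Length: short form (< 0x80) or 0x8N followed by N length bytes.
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > end:
            raise ValueError("TLV length %d at offset %d runs past end" % (length, i))
        if first & 0x20:
            items.append((tag, parse_tlv(data, i, i + length)))
        else:
            items.append((tag, bytes(data[i:i + length])))
        i += length
    return items


def find_tag(items, wanted):
    """Depth-first search for the first occurrence of a tag; None if absent."""
    for tag, value in items:
        if tag == wanted:
            return value
        if isinstance(value, list):
            hit = find_tag(value, wanted)
            if hit is not None:
                return hit
    return None


def dump_tlv(items, indent=0):
    """Render the tree as indented text lines, one object per line."""
    lines = []
    for tag, value in items:
        pad = "  " * indent
        if isinstance(value, list):
            lines.append("%s%X:" % (pad, tag))
            lines.extend(dump_tlv(value, indent + 1))
        else:
            lines.append("%s%X: %s" % (pad, tag, value.hex().upper()))
    return lines


def parse_response(rapdu):
    """Split a response APDU into (status word, parsed TLV of the data part)."""
    if len(rapdu) < 2:
        raise ValueError("response shorter than a status word")
    sw = int.from_bytes(rapdu[-2:], "big")
    return sw, parse_tlv(rapdu[:-2])


# Constructed sample (not from a real card): FCI returned to SELECT PPSE,
# i.e. 6F { 84 "2PAY.SYS.DDF01", A5 { 88 01, 5F2D "en" } } followed by 9000.
SAMPLE_PPSE_FCI = bytes.fromhex(
    "6F1A840E325041592E5359532E4444463031A5088801015F2D02656E9000")

if __name__ == "__main__":
    status, tree = parse_response(SAMPLE_PPSE_FCI)
    print("SW=%04X" % status)
    print("\n".join(dump_tlv(tree)))
```

Feeding each exported response from the relay through parse_response turns the raw hex into the same tag tree the app shows; find_tag is the usual way to pull out a single field, for example the DF name in tag 84.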

How to use

Install nfcproxy on both phones, turn on NFC, and connect both phones to the same Wi-Fi so that they can reach each other.

1. Proxy setup

On the phone that supports CM9 card emulation (in my case the Nexus S), open nfcproxy and go to Settings: uncheck Relay Mode; IP address: the other phone's Wi-Fi IP; Port: the port nfcproxy listens on on the other phone (default 9999); Encrypt communications: not needed when you are only testing against yourself; Always keep screen on and Debug logging: as you like; check Show card number. Then leave Settings.

2. Relay side setup

On the other phone (my T989), open nfcproxy and go to Settings: check Relay Mode; IP address: leave empty; Port: the port you just configured on the proxy phone (default 9999; it must be the same on both sides); Encrypt communications: not needed for your own testing; Always keep screen on and Debug logging: as you like; check Show card number. Then leave Settings.

3. Test

1. On the relay phone, open nfcproxy and hold the bank card against the phone. The status window should show TechList: android.nfc.tech.IsoDep, android.nfc.tech.NfcA. If nothing happens, check that NFC is enabled and working on that phone.

2. On the POS, choose Purchase, enter an amount, and wait for the card prompt.

3. On the proxy phone, open nfcproxy and hold the phone against the POS as if performing a contactless tap.

Normally the nfcproxy data window then shows: Reader TAG: Tech[android.nfc.tech.IsoPcdA] / Connecting to NFCRelay / Connected to NFCRelay / Transaction Complete! This means the proxy phone connected to the relay phone, the POS's commands were forwarded to the card, the card's answers were forwarded back, and the transaction completed. The POS should now ask for the PIN; enter it and the payment goes through. Then look at the data window of the relay phone's nfcproxy: the whole command/response exchange is listed. Long-press an entry, tap the three-dot menu at the top right and choose Export to file; the captured data is saved to the /NfcProxy directory in internal storage.

Note 1: if nothing happens when the proxy phone touches the POS, check that NFC is working on that phone.

Note 2: if the status shows Connection to NFCRelay failed, check that both phones are on the same Wi-Fi and that the IP and port are configured correctly.

Good luck.

btw: I first used this app back in 2015, purely for POS testing needs, and have picked it up occasionally since; it is very convenient. Having used it again recently, I decided to write it up. I have read the experts' articles and benefited from the community for a long time, so this is something in return. The software itself has a lot left to dig into, such as dynamic modification of the exchanged data... You know the rest: don't mess with it, or someone will come knocking. We also found that some terminals read the card in odd modes, which makes the software error out; in that case the only fallback is brute-force sniffing with a proxmark3. But this MITM approach is much more convenient than the proxmark, and much cheaper, haha.

Tools:

1. Hardware: a PN532 (recommended for beginners; about 30 RMB on Taobao; it can crack the usual partially-encrypted cards, while fully-encrypted cards need a Proxmark3 (PM3)), a USB-to-TTL cable, a Xiaomi Mi Band NFC edition (generation 3 or 4, either is fine), and a CUID card.

2. Software: the PN532 driver (ask the seller for the matching driver, or see whether the driver in my link fits), WinHex, MifareOneTool (M1T for short), and NFC_READER_crack.

First connect the USB-to-TTL cable to the PN532 (wiring: black GND, red VCC, white SDA, green SCL). Then install the PN532 driver on your computer, plug the PN532 in, and check Device Manager: a new device under COM ports proves the driver is installed.

Open M1T, click Detect connection, then One-click unlock original card. If any sector still uses a known key, the tool uses it to crack the remaining keys; on success it exports a .dump file, which we save.

Open the .dump file in WinHex and overwrite key A and key B of every sector trailer with FF (six bytes of FF each), then save it as a copy. While you are there, note down the card number at the start of the file (the first 8 hex digits, i.e. the 4-byte UID).

Then reopen M1T, choose Advanced operation mode, open the Hex editor, copy the 8-digit card number you just noted, open the tool's Modify UID function, paste the 8-digit card number in, tap OK, and then File > Save As to a .mfd file.

In advanced mode choose CUID write and write the .mfd file to the CUID card; if not all 64 blocks are written, write it again.

In the Xiaomi bracelet, choose door card emulation and emulate the CUID card to which you just wrote the .mfd file. Then open NFC_READER_crack, choose Write normal M1 card, and write the meal-card data with the keys filled in to the bracelet. If it only writes 63 blocks, that is fine: block 0 holds the UID and manufacturer data and is not writable through a normal write, and the bracelet already took the UID from the CUID card. Go ahead and try whether it works.

Then it's done!
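The WinHex and M1T steps above edit a 1024-byte Mifare Classic 1K dump by hand. As an added example (my own code, not part of M1T or NFC_READER_crack), the Python below performs the same edits programmatically on a constructed dump: it resets key A and key B of every sector trailer to FF, rewrites the UID in block 0 and recomputes its check byte, and validates the result before it would be written to a CUID card. The sample UID and keys are invented.

```python
BLOCK_SIZE = 16
BLOCKS = 64                       # Mifare Classic 1K: 16 sectors x 4 blocks
DUMP_SIZE = BLOCK_SIZE * BLOCKS   # 1024 bytes, the raw .dump/.mfd layout
DEFAULT_KEY = b"\xFF" * 6
TRANSPORT_ACCESS = bytes.fromhex("FF078069")   # factory access bits + GPB


def trailer_blocks():
    """Block 3 of every sector: key A (6) | access bits (4) | key B (6)."""
    return range(3, BLOCKS, 4)


def bcc(uid):
    """Block check character in block 0: XOR of the four UID bytes."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]


def make_sample_dump(uid=bytes.fromhex("DEADBEEF"),
                     key_a=bytes.fromhex("A0A1A2A3A4A5"),
                     key_b=bytes.fromhex("B0B1B2B3B4B5")):
    """Constructed 1K dump (not read from a real card): manufacturer block 0,
    zeroed data blocks, and every sector trailer holding the given keys."""
    blocks = [bytearray(BLOCK_SIZE) for _ in range(BLOCKS)]
    # UID(4) BCC(1) SAK(1) ATQA(2) manufacturer data(8)
    blocks[0][:] = uid + bytes([bcc(uid)]) + b"\x08" + b"\x04\x00" + b"\x00" * 8
    for b in trailer_blocks():
        blocks[b][:] = key_a + TRANSPORT_ACCESS + key_b
    return bytes(b"".join(blocks))


def access_bits_consistent(acc):
    """Trailer bytes 6..8 store each C-bit nibble plain and inverted; a
    mismatch makes the card refuse further writes to that sector."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    return ((b6 & 0x0F) == (~b7 >> 4) & 0x0F
            and (b6 >> 4) == (~b8) & 0x0F
            and (b7 & 0x0F) == (~b8 >> 4) & 0x0F)


def check_dump(dump):
    """Return a list of problems; an empty list means the dump looks sane."""
    problems = []
    if len(dump) != DUMP_SIZE:
        problems.append("size %d, expected %d" % (len(dump), DUMP_SIZE))
        return problems
    if dump[4] != bcc(dump[:4]):
        problems.append("block 0 BCC %02X does not match UID %s"
                        % (dump[4], dump[:4].hex().upper()))
    for b in trailer_blocks():
        off = b * BLOCK_SIZE
        if not access_bits_consistent(dump[off + 6:off + 9]):
            problems.append("sector %d access bits inconsistent, would lock the sector"
                            % (b // 4))
    return problems


def reset_keys(dump, key=DEFAULT_KEY):
    """Overwrite key A and key B of every sector trailer with `key` and leave
    the access bits untouched: the edit done by hand in WinHex above."""
    out = bytearray(dump)
    for b in trailer_blocks():
        off = b * BLOCK_SIZE
        out[off:off + 6] = key
        out[off + 10:off + 16] = key
    return bytes(out)


def set_uid(dump, new_uid):
    """Write a new 4-byte UID into block 0 and recompute the BCC: the
    'Modify UID' step before saving the .mfd for a CUID card."""
    out = bytearray(dump)
    out[0:4] = new_uid
    out[4] = bcc(new_uid)
    return bytes(out)


def card_number(dump):
    """The 8-hex-digit 'card number' at the start of the dump is the UID."""
    return dump[:4].hex().upper()


if __name__ == "__main__":
    original = make_sample_dump()
    print("card number:", card_number(original))
    copy = set_uid(reset_keys(original), original[:4])
    print("problems:", check_dump(copy) or "none")
```

check_dump matters because the access bits in trailer bytes 6 to 8 are stored both plain and inverted, and a dump with an inconsistent set locks the sector for good once written, so the script keeps those four bytes exactly as read and only touches the keys. To produce the .mfd, write the returned bytes to a file unchanged; .dump and .mfd as used by these tools are the same raw 1024-byte layout.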

This tutorial must not be used for illegal purposes. A duplicated meal card has the same balance as the original; there is no such thing as modifying the balance. Whatever balance the original card has, that is what the copy on your bracelet has. The only thing you gain is that the card is on your bracelet, which is more convenient.

Q: Why use NFC_READER_crack instead of M1T to write the data into the bracelet at the end?

A: Because M1T has an unexplained problem where it cannot write the 63 blocks to the bracelet, which NFC_READER_crack does not have. If you are copying an access card onto a CUID card you can try M1T.

Q: How to copy the access card?

A: If the access card is a partially-encrypted card, copy it the same way as in this article. If it is an unencrypted card, first try emulating it directly; if that fails, follow the same procedure: read out the data (save it), generate a .mfd file with the card number, write it to the CUID card, have the bracelet emulate the CUID card, then write the access-card data to the bracelet to complete the copy.

There is no shortage of other real-world cases: hackers have cracked NFC bus cards for unlimited rides and even hijacked phones through NFC. The security problem is obvious, and it is hard to guard against.