Motivation
The Android phone's own
Windows
Preparation
Hardware
- PN532; the one I bought is this PN532+CH340G bundle
- An Android phone with OTG support, running Android 7.0 or later
- Solder the PN532 pin header yourself
After soldering, wire it as in the table below; note
PN532 | USB adapter | Wire colour
---|---|---
GND | GND | black
VCC | 5.0V | red
TXD/SDA | RXD | white
RXD/SCL | TXD | green
TX and RX cross over: the PN532's TXD/SDA goes to the adapter's RXD and its RXD/SCL to the adapter's TXD. The board also has to be in HSU (UART) mode, which is the only mode the pn532_uart driver built below can talk to.
Software
- Termux: terminal emulator
- TCPUART: serial-port-to-TCP bridge
- RFID Tools v1.3.3: all-in-one NFC toolbox; supports the phone's own NFC (partially) and external readers such as the PN532
Termux configuration
This approach
Thanks for the solution given in this discussion!
pkg install autoconf make git automake pkg-config libtool clang
# for Arch Linux
# yay -S --needed autoconf make git automake pkg-config libtool gcc
git clone --depth 1 https://github.com/mywalkb/libnfc   # fork whose pn532_uart driver can also reach the PN532 through a TCP bridge (used below)
cd libnfc
autoreconf -vis
./configure --prefix=$PREFIX --with-drivers=pn532_uart   # only the UART driver is needed for this setup
make -j8
make install
Connecting
TCPUART listening
Set Connect to Server, set the listening port (10000 is assumed here), and tap Start. Remember to lock the app in the background so it does not get killed. Anything that can reach that port can drive the reader, so if the app binds to all interfaces rather than only localhost, keep it running only while you need it and stay off untrusted Wi-Fi.
Using it from Termux
export LIBNFC_DEVICE="pn532_uart:tcp_127.0.0.1_10000"   # the pn532_uart driver, pointed at the TCP bridge instead of a tty
# do what you want to do now
If everything is fine, you should be able to start using the libnfc tools. The `Unable to apply new speed settings` error in the output below can be ignored: it is the driver trying to set a baud rate on what is really a TCP socket, and the device is still found and used.
$ nfc-scan-device # list NFC devices
nfc-scan-device uses libnfc 1.8.0
1 NFC device(s) found:
error libnfc.bus.uart Unable to apply new speed settings.
- user defined device:
pn532_uart:tcp_127.0.0.1_10000
$ nfc-list # scan for nearby cards; the PN532 has to be held right up against the card
error libnfc.bus.uart Unable to apply new speed settings.
NFC device: user defined device opened
2 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): d8 11 c0 02
SAK (SEL_RES): 08
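Before handing the bridge to libnfc it is worth checking that bytes actually make it through TCPUART to the PN532 and back. The following is an added example, not code from the original post: it connects to the port assumed above (127.0.0.1:10000), sends the HSU wake-up bytes followed by a raw GetFirmwareVersion command, and validates the reply's length and data checksums. The frame layout is the normal information frame from the PN532 user manual; the function names (`build_frame`, `parse_frame`, `check_bridge`) are mine.

```python
"""Added example, not part of the original post: raw PN532 frame check over
the TCPUART bridge.  Host and port are the values assumed in the post."""
import socket

HOST, PORT = "127.0.0.1", 10000     # TCPUART server from the post (assumption)
CMD_GET_FIRMWARE_VERSION = 0x02

# HSU wake-up preamble (0x55 0x55 + padding) sent before the first command so
# the PN532 leaves low-power mode; libnfc's pn532_uart driver does the same.
WAKEUP = b"\x55\x55" + b"\x00" * 14
# Frame the PN532 sends to acknowledge a command before its real answer.
ACK = b"\x00\x00\xff\x00\xff\x00"


def build_frame(cmd: int, data: bytes = b"") -> bytes:
    """Normal information frame, host -> PN532 (TFI 0xD4):
    00 00 FF | LEN | LCS | D4 cmd data... | DCS | 00"""
    body = bytes([0xD4, cmd]) + data
    length = len(body)
    if length > 0xFF:
        raise ValueError("extended frames are not handled here")
    lcs = (-length) & 0xFF                 # LEN + LCS == 0 (mod 256)
    dcs = (-sum(body)) & 0xFF              # TFI + data + DCS == 0 (mod 256)
    return b"\x00\x00\xff" + bytes([length, lcs]) + body + bytes([dcs, 0x00])


def parse_frame(buf: bytes) -> bytes:
    """Validate a PN532 -> host frame (TFI 0xD5) in buf and return the bytes
    after the TFI.  Raises ValueError on a bad start code or checksum and
    IndexError if the frame is not complete yet."""
    start = buf.find(b"\x00\xff")
    if start < 0:
        raise ValueError("no start code")
    p = start + 2
    length, lcs = buf[p], buf[p + 1]
    if (length + lcs) & 0xFF:
        raise ValueError("bad LCS")
    body = buf[p + 2 : p + 2 + length]
    dcs = buf[p + 2 + length]              # IndexError here means "incomplete"
    if (sum(body) + dcs) & 0xFF:
        raise ValueError("bad DCS")
    if not body or body[0] != 0xD5:
        raise ValueError("not a PN532 -> host frame")
    return bytes(body[1:])


def decode_firmware(payload: bytes) -> dict:
    """payload = 03 IC Ver Rev Support (03 = GetFirmwareVersion + 1)."""
    if payload[0] != CMD_GET_FIRMWARE_VERSION + 1:
        raise ValueError("unexpected response code")
    ic, ver, rev, support = payload[1:5]
    return {"ic": ic, "version": f"{ver}.{rev}", "support": support}


def check_bridge(host: str = HOST, port: int = PORT, timeout: float = 3.0) -> dict:
    """Send wake-up + GetFirmwareVersion through the TCP bridge and return the
    decoded firmware info.  Raises on timeout, closed socket or bad frame."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(WAKEUP + build_frame(CMD_GET_FIRMWARE_VERSION))
        buf = b""
        while True:
            chunk = s.recv(256)
            if not chunk:
                raise ConnectionError("bridge closed the connection")
            buf += chunk
            # The ACK (LEN 00 / LCS FF) is not a valid information frame and
            # is very unlikely to appear inside one, so strip it before parsing.
            buf = buf.replace(ACK, b"")
            try:
                return decode_firmware(parse_frame(buf))
            except IndexError:
                continue                   # answer not complete yet, keep reading


if __name__ == "__main__":
    print(check_bridge())
```

A PN532 answers with IC 0x32 and a version such as 1.6; no reply at all usually means the TX/RX pair is swapped or the board is not in HSU mode, while a `bad DCS` points at a flaky wire or a baud-rate mismatch on the TCPUART side.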
nfc-mfclassic
Reading and writing .mfd dumps through the PN532.
For the full command-line options see nfc-mfclassic(1) on the Arch manual pages.
$ nfc-mfclassic r a u dump.mfd # `r` read the card, `a` authenticate with key A (halt on errors), `u` accept any UID (`U<hex>` would demand a specific one)
NFC reader: user defined device opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 70 52 c1 02
SAK (SEL_RES): 08
RATS support: no
Guessing size: seems to be a 1024-byte card
Reading out 64 blocks |................................................................|
Done, 64 of 64 blocks read.
Writing data to file: dump.mfd ...Done.
$ nfc-mfclassic W a u dump.mfd # unlike w, W (unlocked write) also writes block 0 of sector 0, i.e. the UID; it only works on gen1 "magic" clones that answer the backdoor sequence (the 40/43 exchange below)
NFC reader: user defined device opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 70 52 c1 02
SAK (SEL_RES): 08
RATS support: no
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Card unlocked
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
mfoc & mfcuk
If you are using
If you are using Arch: yay -S mfoc-hardnested-git mfcuk-git
mfcuk
mfcuk -C -R 0:A -s 250 -S 250   # darkside attack, needs no known key: -C connect to the reader, -R 0:A recover key A of sector 0, -s/-S are the field-off/field-on sleep times in ms (raise them if the reader misbehaves)
mfoc
mfoc-hardnested
mfoc-hardnested -O dump.mfd   # nested/hardnested attack, needs at least one sector key already known (the default keys are tried first); -O is the file the full card contents are written to
crypto1_bs
Used for cracking the remaining keys of "semi-encrypted" cards, i.e. cards where at least one sector key is already known: that key is used to collect encrypted nonces for a target sector, which are then solved offline.
git clone https://github.com/aczid/crypto1_bs.git --depth 1
cd crypto1_bs
git clone https://github.com/Tilka/crapto1.git crapto1-v3.3 --depth 1
git clone https://github.com/vk496/craptev1.git craptev1-v1.1 --depth 1
make
./libnfc_crypto1_crack <known key> <for block> <A|B> <target block> <A|B>
Once enough nonces have been collected (the output moves on from `Collected xxx nonces...` to `Cracking`), you can stop the crack right there and find a file like 0x1111aaaa_003A.txt in the directory, where
1111aaaa is the card UID,
3 is the target block, and
A or B is the key type.
./solve_bs 0x1111aaaa_003A.txt 0x1111aaaa   # offline solve from the saved nonces and the card UID
Proxmark3
If you are using Termux (not proot/chroot)
Build each component yourself (namely termcap
If you are using Windows
Just download a precompiled build; there is an official
Use Go.bat
nonces.bin
Go.bat
If you are using Arch
Run yay -S termcap gcc-arm-none-eabi-bin && git clone https://github.com/Proxmark/proxmark3 --depth 1 && cd proxmark3 && wget https://github.com/Proxmark/proxmark3/commit/ee8491b04a5ef3950c2fdc1dd2c2a14706247e7e.diff && git apply ee8491b04a5ef3950c2fdc1dd2c2a14706247e7e.diff && make clean && make all
After make, the client is in client/, so cd there.
Download 0x1111aaaa_003A.txt, convert it into 1111aaaa_generated.bin, rename that to nonces.bin and put it in client/:
cd client
wget https://github.com/Young-Lord/Young-Lord.github.io/releases/download/assets/nfc_txttobin.py
python3 nfc_txttobin.py 0x1111aaaa_003A.txt 1111aaaa   # arguments: nonce file from crypto1_bs, card UID
mv 1111aaaa_generated.bin nonces.bin
# enter the interactive command line; ignore the serial-port errors
./proxmark3 /
Then run
hf mf hardnested r   # r = read the nonces from nonces.bin instead of collecting them from a card
and the key for that sector is recovered in no time.
proxmark3> hf mf hardnested r
--target block no: 0, target key type:A, known target key: 0x000000000000 (not set), file action: read, Slow: No, Tests: 0
Using no SIMD core.
time | #nonces | Activity | expected to brute force
| | | #states | time
------------------------------------------------------------------------------------------------------
0 | 0 | Start using 8 threads and no SIMD core | |
0 | 0 | Brute force benchmark: 232 million (2^27.8) keys/s | 140737488355328 | 7d
2 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 7d
3 | 0 | Reading nonces from file nonces.bin... | 140737488355328 | 7d
12 | 1670 | (Ignoring Sum(a8) properties) | 686792 | 0s
12 | 1670 | Starting brute force... | 686792 | 0s
12 | 1670 | Brute force phase completed. Key found: 000000000000 | 0 | 0s
mfterm
For simpler key brute-forcing and reading/writing dumps.
Arch: yay -S mfterm
Termux: build it yourself: wget https://github.com/4ZM/mfterm/releases/download/v1.0.7/mfterm-1.0.7.tar.gz && tar xvf mfterm-1.0.7.tar.gz && cd mfterm-1.0.7/ && ./configure --prefix=$PREFIX "CFLAGS=-Wno-error" && make && make install
Note that mfterm's write unlocked is the counterpart of nfc-mfclassic W, with the same caveat: it overwrites block 0 (UID) and only works on magic clones.
mfdread
A Python .mfd viewer.
Download the script, create a virtual environment and install bitstring in it.
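The .mfd files produced by `nfc-mfclassic r` above, consumed by `mfoc-hardnested -O` and `nfc-mfclassic W`, and displayed by mfdread are just the 64 raw 16-byte blocks of a 1K card with no header. The following is an added example, not from the original post and not mfdread's own code: it parses such a dump, checks the BCC of the manufacturer block, lists key A/key B of every sector, flags which sectors still use the factory key (the "semi-encrypted card" case the crypto1_bs section targets) and verifies that each trailer's access bits are self-consistent before you consider writing the dump back. The sample dump is constructed inline (the UID reuses the one nfc-list showed above); the function names are mine.

```python
"""Added example, not from the original post nor from mfdread: inspect a
MIFARE Classic 1K dump in the raw .mfd layout nfc-mfclassic reads and
writes (64 blocks x 16 bytes, no header).  Sample dump constructed inline."""

BLOCK_SIZE = 16
BLOCKS_1K = 64
DEFAULT_KEY = bytes.fromhex("ffffffffffff")      # factory/transport key
TRANSPORT_ACCESS = bytes.fromhex("ff078069")      # factory access bytes + GPB


def build_sample_dump(uid: bytes, odd_key_b_sector: int = 1) -> bytes:
    """Constructed sample input: transport configuration everywhere, data
    blocks zeroed, and one sector (default: 1) given a non-default key B."""
    blocks = []
    for blk in range(BLOCKS_1K):
        if blk == 0:                          # manufacturer block: UID BCC SAK ATQA ...
            bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
            blocks.append(uid + bytes([bcc, 0x08, 0x04, 0x00]) + b"\x00" * 8)
        elif blk % 4 == 3:                    # sector trailer: keyA | access | keyB
            key_b = DEFAULT_KEY
            if blk // 4 == odd_key_b_sector:
                key_b = bytes.fromhex("a0a1a2a3a4a5")   # constructed non-default key
            blocks.append(DEFAULT_KEY + TRANSPORT_ACCESS + key_b)
        else:
            blocks.append(b"\x00" * BLOCK_SIZE)
    return b"".join(blocks)


def access_bits_valid(trailer: bytes) -> bool:
    """Bytes 6..8 of a trailer hold C1/C2/C3 for the 4 blocks of the sector,
    each stored once inverted and once plain; a mismatch means the trailer
    is corrupt, and writing such a trailer bricks the sector on a real card."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1_ok = (b6 & 0x0F) == ((~b7 >> 4) & 0x0F)   # ~C1 (b6 low)  vs C1 (b7 high)
    c2_ok = (b6 >> 4) == (~b8 & 0x0F)            # ~C2 (b6 high) vs C2 (b8 low)
    c3_ok = (b7 & 0x0F) == ((~b8 >> 4) & 0x0F)   # ~C3 (b7 low)  vs C3 (b8 high)
    return c1_ok and c2_ok and c3_ok


def access_conditions(trailer: bytes) -> list:
    """'C1C2C3' string for blocks 0..3 of the sector (block 3 = trailer)."""
    b7, b8 = trailer[7], trailer[8]
    return [f"{(b7 >> (4 + i)) & 1}{(b8 >> i) & 1}{(b8 >> (4 + i)) & 1}"
            for i in range(4)]


def parse_mfd(dump: bytes) -> dict:
    """Summarise a 1K dump: UID/BCC/SAK from block 0 and, per sector, the
    keys, whether they are the factory default, and the access bits."""
    if len(dump) != BLOCKS_1K * BLOCK_SIZE:
        raise ValueError("only 1K dumps (1024 bytes) are handled here")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, len(dump), BLOCK_SIZE)]
    uid = blocks[0][:4]
    sectors = []
    for s in range(BLOCKS_1K // 4):
        t = blocks[4 * s + 3]
        sectors.append({
            "sector": s,
            "key_a": t[:6].hex(), "key_b": t[10:].hex(),
            "default_key_a": t[:6] == DEFAULT_KEY,
            "default_key_b": t[10:] == DEFAULT_KEY,
            "access_ok": access_bits_valid(t),
            "access": access_conditions(t),
        })
    return {
        "uid": uid.hex(),
        "bcc_ok": (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == blocks[0][4],
        "sak": blocks[0][5],
        "sectors": sectors,
    }


def nondefault_sectors(parsed: dict) -> list:
    """Sectors whose key A or key B is not FFFFFFFFFFFF: on a semi-encrypted
    card these are the ones that still need mfoc/crypto1_bs; the rest are free."""
    return [s["sector"] for s in parsed["sectors"]
            if not (s["default_key_a"] and s["default_key_b"])]


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_dump(bytes.fromhex("d811c002")))
    info = parse_mfd(data)
    print(f"UID {info['uid']} BCC ok={info['bcc_ok']} SAK {info['sak']:#04x}")
    for s in info["sectors"]:
        print(f"sector {s['sector']:2d} A={s['key_a']} B={s['key_b']} "
              f"access={s['access']} {'OK' if s['access_ok'] else 'CORRUPT'}")
    print("non-default sectors:", nondefault_sectors(info))
```

Run it as `python3 this.py dump.mfd` on a real dump. Keep in mind that the key bytes in a dump written by `nfc-mfclassic r` are the keys it authenticated with (from the key file or the defaults), since a genuine card never returns key A; so the default-key report tells you what you used, not what the card holds, and the access-bit check is the one that matters before `nfc-mfclassic w`.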