EvilZone
Hacking and Security => Mobile Hacking => Android => : Stackprotector August 19, 2014, 04:18:03 PM
-
Hi guys!
The railroad company in the Netherlands uses a Mifare Classic chip card for travelling on the trains and other public transport. Now, the Mifare Classic cards made by NXP are easily exploitable in most cases, so the companies who need security but still need the lame Mifare Classic protocol use an even smarter chip card (made by Infineon in this case) which emulates Mifare Classic but throws off the regular attack against the weak crypto part.
So now our public transit cards are not readable by the public anymore...
But... the companies announced they will release an app which will read the card and give you offline card information; this is where my Android mod "MifareSpy" comes in. MifareSpy logs the Mifare Classic keys to the Android logging system for you to read, thus giving you the possibility to tinker with YOUR OWN card :)
It's basically this piece of code inside android_frameworks_base/core/java/android/nfc/tech/MifareClassic.java:
//MifareSpy 1
// Uses the local variables of MifareClassic.authenticate(int sector, byte[] key, boolean keyA);
// needs android.util.Log imported in the file.
// Hex-encode the 6-byte key, two uppercase digits per byte.
StringBuilder sb = new StringBuilder();
for (byte b : key) {
    sb.append(String.format("%02X", b));
}
// One log line per authentication attempt: ":<keyA>:<sector>:<key hex>:"
Log.i("MifareSpy1", ":" + keyA + ":" + sector + ":" + sb.toString() + ":");
//End MifareSpy 1
I have tried it and it works great with adb logcat.
The modded file:
https://github.com/Factionwars/android_frameworks_base/blob/cm-11.0/core/java/android/nfc/tech/MifareClassic.java
My fork:
https://github.com/Factionwars/android_frameworks_base/
You can apply this to your own Android source and compile it, you can ask me to compile it for your device, you can download the CyanogenMod 11 source and use my repo for the frameworks/base folder (you can ask me to get it up to date), or you can just stop being interested in what is on your card :D
More Android (preferably NFC) mods to come!
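The mod above writes one line per authentication in the form ":<keyA>:<sector>:<key hex>:" with the tag MifareSpy1, and the post reads it back with adb logcat. As an added example (not part of the original post or of the MifareSpy fork), here is a small parser that turns that logcat output into a per-sector key table, skips unrelated or malformed lines, collapses repeated authentications, and flags sectors that are still protected by the factory default key FFFFFFFFFFFF, which is the first thing to check when assessing how well a Mifare Classic card is protected. The logcat sample is constructed for the example; the two line layouts in it are the plain "brief" format and the "threadtime" format.

```python
import re
from collections import defaultdict

# Constructed sample of `adb logcat` output (not from the original post). Two logcat
# layouts are mixed in to show that the parser keys on the tag and payload, not the layout.
SAMPLE_LOGCAT = """\
I/ActivityManager( 812): Start proc com.example.transit for activity ...
I/MifareSpy1( 2319): :true:0:A0A1A2A3A4A5:
I/MifareSpy1( 2319): :false:0:B0B1B2B3B4B5:
08-19 16:18:03.456  2319  2319 I MifareSpy1: :true:1:FFFFFFFFFFFF:
08-19 16:18:03.470  2319  2319 I MifareSpy1: :true:1:FFFFFFFFFFFF:
D/NfcService( 1200): tag disconnected
I/MifareSpy1( 2319): :true:2:0123456789AB:garbage
"""

# Mifare Classic cards ship with this transport key in every sector.
FACTORY_DEFAULT_KEY = "FFFFFFFFFFFF"

# Payload written by the mod: ":<keyA>:<sector>:<12 hex chars>:" where keyA is a Java
# boolean. Anything between the tag and the payload (pid, separators) is skipped.
PAYLOAD_RE = re.compile(
    r"MifareSpy1.*?:\s*:(true|false):(\d+):([0-9A-Fa-f]{12}):\s*$"
)


def parse_mifarespy_log(text):
    """Return {sector: {"A": keyhex, "B": keyhex}} from logcat text.

    Lines without the MifareSpy1 payload, or with a malformed payload, are ignored;
    repeated authentications of the same sector/key slot collapse to one entry.
    """
    keys = defaultdict(dict)
    for line in text.splitlines():
        m = PAYLOAD_RE.search(line)
        if not m:
            continue
        key_a, sector, key = m.groups()
        slot = "A" if key_a == "true" else "B"
        keys[int(sector)][slot] = key.upper()
    return dict(keys)


def sectors_using_factory_key(keys):
    """Sectors where either key slot still holds the factory default key."""
    return sorted(
        sector for sector, slots in keys.items()
        if FACTORY_DEFAULT_KEY in slots.values()
    )


def format_report(keys):
    """Human-readable table, one line per sector, missing slots shown as dashes."""
    lines = []
    for sector in sorted(keys):
        a = keys[sector].get("A", "-" * 12)
        b = keys[sector].get("B", "-" * 12)
        note = "  (factory default key)" if FACTORY_DEFAULT_KEY in (a, b) else ""
        lines.append(f"sector {sector:2d}  A={a}  B={b}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real device: adb logcat -s MifareSpy1 > spy.log, then feed the file here.
    parsed = parse_mifarespy_log(SAMPLE_LOGCAT)
    print(format_report(parsed))
```

Sector 2 in the sample is dropped on purpose: its payload has trailing text, and the parser would rather lose a line than record a key it cannot trust.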
-
This is cool. But Android chips are just readers, they can't write to the cards?
-
Yes they can write; this also extracts the B (writing) key. Ever since 4.4 or CM10, Android is able to do HCE (host card emulation), so it can emulate specific cards which don't use any form of timing. You can emulate the PayPass or MasterCard wave system with the phone without an embedded secure element. Mifare Classic, though, can't be emulated by Android without the SE because it's too slow. I did a lot of research on this because I wanted to emulate my public transit chip card, but I need access to the secure element, which Samsung of course only gives to the big boys.
-
I live in San Fran and the transit company also uses similar cards, the MIFARE DESFire.
There is also an Android app called FareBot that will show your remaining balance, recent trips, and other information from contactless public transit cards using an NFC Android phone.
Pretty sure they use the same code to implement that.
(https://lh3.ggpht.com/8Ba3NtQwt7GtGdeFrKOHtX9u-J7TDuKIRhtQs-iL2vb8xeGfyt7S-x1DrDllLPgBryw=h310-rw) (https://lh5.ggpht.com/tZjrzBNuwdVSm5LdFBw60bh_V2tOf8e8YS0bPf4JpJYmh2kU4bZU4-ZgRaw7DUOWR38=h310-rw)
You could swipe your phone or brush it against someone's back pocket to be able to see a log of where that person gets on and off a bus or train.
Here is a list of phones that include NFC:
http://www.nfcworld.com/nfc-phones-list/
I am very interested in RFID exploits. Thank you for sharing how to enable the feature.
-
I live in San Fran and the transit company also uses similar cards, the MIFARE DESFire.
There is also an Android app called FareBot that will show your remaining balance, recent trips, and other information from contactless public transit cards using an NFC Android phone.
Pretty sure they use the same code to implement that.
(https://lh3.ggpht.com/8Ba3NtQwt7GtGdeFrKOHtX9u-J7TDuKIRhtQs-iL2vb8xeGfyt7S-x1DrDllLPgBryw=h310-rw) (https://lh5.ggpht.com/tZjrzBNuwdVSm5LdFBw60bh_V2tOf8e8YS0bPf4JpJYmh2kU4bZU4-ZgRaw7DUOWR38=h310-rw)
You could swipe your phone or brush it against someone's back pocket to be able to see a log of where that person gets on and off a bus or train.
Here is a list of phones that include NFC:
http://www.nfcworld.com/nfc-phones-list/
I am very interested in RFID exploits. Thank you for sharing how to enable the feature.
Yes, I also used FareBot a lot a year ago! But because they implemented the new Infineon chips I can't extract the keys from my new card anymore, so no FareBotting for me :(
-
This is cool. But Android chips are just readers, they can't write to the cards?
There are apps for writing NFC tags / Mifare cards in the Play Store, so I imagine you should be able to write with Android's chip too. Although I haven't used any of the apps to see if they work.
Edit: oh, I was a little late answering. I guess I had update issues with Tapatalk. Sorry.
Edit2: @OP This does seem very cool. Here in Finland the railroad company uses Mifare cards also, so I definitely have to take a closer look at this. :)
-
Hello, I liked this post, I would like to put it to work on my phone, can you help me?
Thank you ;D I am from Brazil
-
Hello, I liked this post, I would like to put it to work on my phone, can you help me?
Thank you ;D I am from Brazil
What do you want to try with it? :)
-
Can I change the data on my public transport card? 8)
-
Can I change the data on my public transport card? 8)
Not if there is no app on your phone that is reading the data from it. Otherwise, buy a reader and use MFOC.
-
I have an LG G2 and it reads the card, but I cannot make changes, only read the data.
-
I have an LG G2 and it reads the card, but I cannot make changes, only read the data.
What kind of card is it?
-
Mifare Classic 1K / Mifare Plus 2K SL1
-
Or back up the information :D
-
Yes they can write; this also extracts the B (writing) key. Ever since 4.4 or CM10, Android is able to do HCE (host card emulation), so it can emulate specific cards which don't use any form of timing. You can emulate the PayPass or MasterCard wave system with the phone without an embedded secure element. Mifare Classic, though, can't be emulated by Android without the SE because it's too slow. I did a lot of research on this because I wanted to emulate my public transit chip card, but I need access to the secure element, which Samsung of course only gives to the big boys.
I am really late, but is it the transmitter itself that is too slow, or the cycles you need?
In the latter case you can probably do that offsite and transfer the data, just a suggestion.
-
I am really late, but is it the transmitter itself that is too slow, or the cycles you need?
In the latter case you can probably do that offsite and transfer the data, just a suggestion.
Well, Mifare Classic uses timing to get some vulnerabilities out of the way. So the path from the chip to Java land and back is too slow; when using an embedded secure element (SE) it is an applet which communicates internally (on the chip) with the NFC chip (well, itself almost) using the single wire protocol, so that is much, much faster.
It could be possible to do it at driver level, but then again there are no public implementations, I think. Though I have emulation implementations for a PN512, so it might all be possible.
The best thing to do is to get access to the SE on the NFC chip (the manufacturer has the password, which it only shares with big parties like Google Wallet; +1 if you reverse engineer it from there) or get an SD card with an SE on it and be happy enough that the wiring is done from the NFC chip to the SD card.
These guys have a hacked Android kernel which can do the SD card thingie.
https://code.google.com/p/seek-for-android/wiki/Concept
This guy is great:
http://nelenkov.blogspot.nl/2012/08/accessing-embedded-secure-element-in.html