Preface
A Xiaomi phone with NFC can emulate unencrypted door cards; encrypted ones require the Xiaomi "blank card" function and a visit to the property management office to have the card written there. Well... as if property management would ever cooperate! You might as well crack it yourself; the cost is low.
This tutorial covers only cracking a Mifare Classic 1K card and writing it into a Xiaomi phone. Do not use it for anything illegal.
How it works

In the figure above, sector 0 holds the card's ID: block 0 of sector 0 is the manufacturer block with the 4-byte UID, its check byte (BCC), SAK and ATQA. On a genuine card this block is read-only, but so-called UID cards (magic cards) leave sector 0 writable. Sector 5 is an encrypted sector; light green is Key A, dark green is Key B. A MIFARE Classic 1K has 16 sectors of 4 blocks of 16 bytes, and the last block of every sector is the sector trailer: Key A in bytes 0-5, the access bits in bytes 6-8, a general-purpose byte, and Key B in bytes 10-15. Keys can never be read back from the card, and the access bits decide which key is needed to read or write each block. "Encrypted" here simply means the sector uses keys other than factory defaults such as FFFFFFFFFFFF. Because the card's Crypto1 cipher and its random number generator are weak, those keys can be recovered: we crack Key A and Key B of the encrypted sectors, dump the sector contents, and finally write them into the Xiaomi phone.
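To make the layout concrete, here is an added example (my code, not code from this post or from mfoc/libnfc) that parses a 1K dump the way the figure describes it: it checks the UID's BCC in block 0, decodes the access bits of every trailer including the inverted-nibble consistency check, and reports which sectors use non-default keys and whether Key B can be read with Key A. The sample image is constructed inline with the UID, keys and access bytes that appear later in this tutorial's output; every other byte in it is filler chosen for the example.

```python
"""Anatomy of a MIFARE Classic 1K dump (the 1024-byte .mfd that mfoc writes).

Added example for this tutorial; not code from the post, mfoc or libnfc.
The sample image is constructed inline: UID 24 99 01 dd, the sector 5 keys
3aa93eb6a6eb / 0604acbb55d5 and the access bytes 7f 07 88 69 are values the
tutorial's output shows; all other bytes are filler chosen here.
"""

BLOCK = 16           # bytes per block
SECTORS = 16         # 1K card: 16 sectors x 4 blocks x 16 bytes = 1024 bytes
DUMP_SIZE = SECTORS * 4 * BLOCK

# keys mfoc tries first; a sector using one of these is "unencrypted" in the
# tutorial's terminology
DEFAULT_KEYS = {"ffffffffffff", "000000000000", "a0a1a2a3a4a5",
                "d3f7d3f7d3f7", "b0b1b2b3b4b5", "aabbccddeeff"}

# trailer access condition (C1, C2, C3 of block 3) -> key B can be read
# after authenticating with key A (NXP MF1S50 access condition table)
KEY_B_READABLE_WITH_A = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes, block 0 byte 4."""
    x = 0
    for b in uid:
        x ^= b
    return x


def decode_access_bits(acc: bytes):
    """Decode trailer bytes 6..8 into (C1, C2, C3) for blocks 0..3.

    Byte 6 holds ~C2 | ~C1, byte 7 holds C1 | ~C3, byte 8 holds C3 | C2
    (high nibble first).  Returns None when the inverted copies disagree:
    such a trailer is corrupt and the sector is unusable.
    """
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (~b6 & 0xF) != c1 or ((~b6 >> 4) & 0xF) != c2 or (~b7 & 0xF) != c3:
        return None
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def analyze_dump(dump: bytes) -> list:
    """Walk every sector trailer; report keys, access bits and readability."""
    if len(dump) != DUMP_SIZE:
        raise ValueError("expected a 1K dump of %d bytes" % DUMP_SIZE)
    report = []
    for s in range(SECTORS):
        trailer = dump[(s * 4 + 3) * BLOCK:(s * 4 + 4) * BLOCK]
        key_a, acc, key_b = trailer[:6].hex(), trailer[6:9], trailer[10:].hex()
        conds = decode_access_bits(acc)
        report.append({
            "sector": s,
            "key_a": key_a,
            "key_b": key_b,
            "access": acc.hex(),
            "access_valid": conds is not None,
            "trailer_cond": conds[3] if conds else None,
            "key_b_readable_with_a": conds is not None
                                     and conds[3] in KEY_B_READABLE_WITH_A,
            "default_keys": key_a in DEFAULT_KEYS and key_b in DEFAULT_KEYS,
        })
    return report


def uid_info(dump: bytes) -> dict:
    """Block 0 (manufacturer block): UID, BCC check, SAK, ATQA (stored 04 00)."""
    uid = dump[:4]
    return {"uid": uid.hex(), "bcc_ok": dump[4] == bcc(uid),
            "sak": dump[5], "atqa": dump[6:8].hex()}


def build_sample_dump() -> bytes:
    """Constructed image: every sector on default keys except sector 5."""
    uid = bytes.fromhex("249901dd")
    blocks = []
    for s in range(SECTORS):
        for b in range(4):
            if s == 0 and b == 0:
                # UID, BCC, SAK 08, ATQA as 04 00 (what nfc-list showed), filler
                blocks.append(uid + bytes([bcc(uid), 0x08, 0x04, 0x00]) + bytes(8))
            elif b == 3 and s == 5:
                blocks.append(bytes.fromhex("3aa93eb6a6eb" "7f078869" "0604acbb55d5"))
            elif b == 3:
                # transport configuration: default keys, access ff 07 80, GPB 69
                blocks.append(bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff"))
            else:
                blocks.append(bytes([0x5A]) * BLOCK if s == 5 else bytes(BLOCK))
    return b"".join(blocks)


if __name__ == "__main__":
    img = build_sample_dump()
    print(uid_info(img))
    for r in analyze_dump(img):
        if not r["default_keys"] or not r["access_valid"]:
            print(r)
```

Run it against a real mycard.mfd by replacing build_sample_dump() with open("mycard.mfd", "rb").read(); sectors flagged with default_keys False are the ones mfoc had to attack, and key_b_readable_with_a False on those sectors is exactly why mfoc later prints "checking Auth: Failed!" for Key B.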
Preparation
- Hardware: a Xiaomi phone with NFC; the door card to be cracked; a PN532 (30-odd yuan on Taobao; best to buy one with the USB serial chip already soldered on); a UID blank card (the epoxy-coated tag type) with sector 0 unlocked, about 5 yuan for a handful on Taobao; ask the seller before buying.
- Software: the Windows driver, the cracking tools nfc-tools (in the pn532 folder), and mifare. Link: https://pan.baidu.com/s/1sHoHCWKlv8s_GFpNVEVi7g, extraction code: vp89
First install mifare on the phone.
Then install the driver on the PC. There are two versions: v1200 is the latest, v110 is the old one. On my Windows 10 the v1200 driver did not work; the device showed an exclamation mark.

In that case install the older driver (v110), then in Device Manager right-click the device and choose Update driver -> Browse my computer for driver software -> Let me pick from a list of available drivers on my computer.

Select the 2009 version and click Next to install.

The exclamation mark on the device should now be gone, and the device is attached to a COM port (COM5 here).
Open the libnfc.conf file in the pn532 folder.

Change the port in the configuration to the one your device is actually attached to; nfc-list cannot open the device if the port is wrong.
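For reference, an added example of what the edited file should contain (written for this tutorial, not the file shipped in the download); it assumes the PN532 landed on COM5 as in the Device Manager step above, so substitute your own port:

```conf
# libnfc.conf (added example): point libnfc at the PN532 explicitly.
# Turning autoscan off stops libnfc from probing every other COM port;
# intrusive scans are off because they can disturb other serial devices.
allow_autoscan = false
allow_intrusive_scan = false
log_level = 1
# both name and connstring are required to pin a default device
device.name = "PN532 on COM5"
device.connstring = "pn532_uart:COM5"
```

The connstring is the same "pn532_uart:COM5" that nfc-list echoes back on the "NFC device ... opened" line, which is the quickest way to confirm the file was picked up.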
Finally, test it. Place your door card on the PN532. In the downloaded pn532 folder, Shift + right-click to open the context menu, choose Open PowerShell window here, and run .\nfc-list:
PS C:\apps\pn532> .\nfc-list
C:\apps\pn532\nfc-list.exe uses libnfc 1.7.1
NFC device: pn532_uart:COM5 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 08
If you see output like this, the PN532 is working. ATQA 00 04 with SAK 08 is the signature of a MIFARE Classic 1K with a 4-byte UID, the only card type this tutorial handles; a SAK of 18 means a 4K card and 20 means an ISO 14443-4 card such as DESFire, for which mfoc is not the right tool.
Procedure
Cracking the encrypted card with mfoc
Place the door card on the PN532 and run .\mfoc -P 50 -T 30 -O mycard.mfd in the terminal to start cracking. -O names the dump file; -P raises the number of probes per sector and -T the nonce distance tolerance above mfoc's defaults of 20, which helps on cards whose timing is noisy, at the cost of a longer run.
PS C:\apps\pn532> .\mfoc -P 50 -T 30 -O mycard.mfd
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxxx.xxxx......]
[Key: a0a1a2a3a4a5] -> [xxxxx.xxxx......]
[Key: d3f7d3f7d3f7] -> [xxxxx.xxxx......]
[Key: 000000000000] -> [xxxxx.xxxx......]
[Key: b0b1b2b3b4b5] -> [xxxxx.xxxx......]
[Key: 4d3a99c351dd] -> [xxxxx.xxxx......]
[Key: 1a982c7e459a] -> [xxxxx.xxxx......]
[Key: aabbccddeeff] -> [xxxxx.xxxx......]
[Key: 714c5c886e97] -> [xxxxx.xxxx......]
[Key: 587ee5f9350f] -> [xxxxx.xxxx......]
[Key: a0478cc39091] -> [xxxxx.xxxx......]
[Key: 533cb6c723f6] -> [xxxxx.xxxx......]
[Key: 8fd0a4f256e9] -> [xxxxx.xxxx......]
Sector 00 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 01 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 02 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 03 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 04 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 05 - Unknown Key A Unknown Key B
Sector 06 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 07 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 08 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 09 - Found Key A: ffffffffffff Found Key B: ffffffffffff
Sector 10 - Unknown Key A Unknown Key B
Sector 11 - Unknown Key A Unknown Key B
Sector 12 - Unknown Key A Unknown Key B
Sector 13 - Unknown Key A Unknown Key B
Sector 14 - Unknown Key A Unknown Key B
Sector 15 - Unknown Key A Unknown Key B
Using sector 00 as an exploit sector
Sector: 5, type A, probe 0, distance 12969 .....
Sector: 5, type A, probe 1, distance 13027 .....
Sector: 5, type A, probe 2, distance 12823 .....
Sector: 5, type A, probe 3, distance 12879 .....
Sector: 5, type A, probe 4, distance 12519 .....
Sector: 5, type A, probe 5, distance 12619 .....
Sector: 5, type A, probe 6, distance 12679 .....
Sector: 5, type A, probe 7, distance 12527 .....
Sector: 5, type A, probe 8, distance 12525 .....
Sector: 5, type A, probe 9, distance 12577 .....
Sector: 5, type A, probe 10, distance 12569 .....
Sector: 5, type A, probe 11, distance 12625 .....
Sector: 5, type A, probe 12, distance 12615 .....
Sector: 5, type A, probe 13, distance 12669 .....
Sector: 5, type A, probe 14, distance 12565 .....
Sector: 5, type A, probe 15, distance 12623 .....
Sector: 5, type A, probe 16, distance 12569 .....
Found Key: A [3aa93eb6a6eb]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 10, type A, probe 0, distance 12571 .....
Sector: 10, type A, probe 1, distance 12569 .....
Found Key: A [bdbb578b6c89]
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Sector: 11, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 12, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 13, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 14, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 15, type A
Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!
Found Key: A [bdbb578b6c89]
Sector: 5, type B, probe 0, distance 12721 .....
Sector: 5, type B, probe 1, distance 12621 .....
Sector: 5, type B, probe 2, distance 12621 .....
Sector: 5, type B, probe 3, distance 12573 .....
Found Key: B [0604acbb55d5]
Sector: 10, type B
Found Key: B [bdbb578b6c89]
Sector: 11, type B
Found Key: B [bdbb578b6c89]
Sector: 12, type B
Found Key: B [bdbb578b6c89]
Sector: 13, type B
Found Key: B [bdbb578b6c89]
Sector: 14, type B
Found Key: B [bdbb578b6c89]
Sector: 15, type B
Found Key: B [bdbb578b6c89]
Auth with all sectors succeeded, dumping keys to a file!
Block 63, type A, key bdbb578b6c89 :00 00 00 00 00 00 7f 07 88 69 00 00 00 00 00 00
....
Reading the output: every sector that answered one of the default keys is listed with its keys, and mfoc picks one of them (here sector 00) as the "exploit sector" for the nested authentication attack. It authenticates to the known sector and, inside that session, asks to authenticate to an unknown sector; the card then sends its nonce encrypted, and because the card's random number generator is weak, the "distance" (the number of generator steps between the two nonces) lets mfoc narrow the candidate keys until one authenticates. The line "Data read with Key A revealed Key B: [000000000000] - checking Auth: Failed!" is not an error: the access bytes 7f 07 88 in these trailers forbid reading Key B with Key A, so the key bytes come back as zeros and mfoc attacks Key B separately (the "type B" probes). In the end mfoc found three keys: 3aa93eb6a6eb, bdbb578b6c89, 0604acbb55d5. Write them down; you will need them later. Two caveats: mfoc needs at least one sector with a known key, so if every sector is locked you first need a key from another tool (mfcuk, or a Proxmark) and pass it with -k; and on newer "hardened" Classic cards whose nonces are not predictable, mfoc cannot recover keys at all.
When it finishes, mycard.mfd appears in the pn532 folder: 1024 raw bytes, 64 blocks of 16, with the recovered keys stored in each sector trailer (the card itself never returns them).
Writing the UID blank card
Place the blank card from Taobao on the PN532 and run .\nfc-mfclassic W a mycard.mfd. Uppercase W is an unlocked write: it uses the gen1 "magic card" backdoor so that block 0, and therefore the UID, is written too; a means authenticate with Key A from the dump. On success you get a clone carrying the same data as the original door card.
PS C:\apps\pn532> .\nfc-mfclassic W a mycard.mfd
NFC reader: pn532_uart:COM5 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 08
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
Note: the last line of the output must say Done, otherwise the write failed. The Sent bits / Received bits lines are the backdoor handshake (HALT, then 40 sent as 7 bits and 43, each answered with ACK 0a); a card that does not answer 0a is not a gen1 magic card, and its block 0 cannot be written this way.
Wiping the blank card's data sectors
The cloned blank card is now identical to the original, encrypted sectors included, and in that state the Xiaomi phone will not emulate it. We need to wipe everything on the blank card except sector 0.
Open the mifare app on the phone. Choose add key file and create a new file, mykey.keys. The first line must be FFFFFFFFFFFF (the default key, needed for all the unencrypted sectors); below it paste the keys mfoc found above, one per line, and save. Back on the main menu choose Write tag -> Factory format and tick your own key file. Hold the cloned blank card against the back of the phone; once it is recognized, tap Start mapping and format tag. Factory format zeroes every data block and resets every sector trailer to the default keys, but a sector the app cannot authenticate to (because its key is missing from the file) is left untouched, so afterwards use Read tag to check that every sector except sector 0 has really been cleared.
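As an added example (my code, not the app's or mfoc's), the script below does the bookkeeping around this step: it pulls the recovered keys out of the .mfd trailers and emits them in key-file form, default key first, and it checks a read-back dump for the factory state (every data block zero, every trailer FFFFFFFFFFFF FF078069 FFFFFFFFFFFF), so the wipe can be verified byte for byte instead of by eye. It assumes the mifare app is MIFARE Classic Tool, whose key files hold one 12-hex-digit key per line with # for comments, and that its factory format leaves only block 0 alone; the sample image is constructed inline with the keys from the mfoc run above.

```python
"""Build a MIFARE Classic Tool key file from an mfoc dump and check that a
card has really been factory-formatted.

Added example for this tutorial, not code from the post, mfoc or the app.
Assumes the dump is the 1024-byte .mfd mfoc wrote (recovered keys stored in
each trailer) and that "factory format" means what MIFARE Classic Tool does:
data blocks 0x00, trailers FFFFFFFFFFFF FF078069 FFFFFFFFFFFF, block 0 kept.
Sample images are constructed inline.
"""

BLOCK, BLOCKS = 16, 64
FACTORY_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")


def trailer_blocks() -> list:
    """Block numbers of the 16 sector trailers: 3, 7, ..., 63."""
    return [s * 4 + 3 for s in range(16)]


def keys_from_dump(dump: bytes) -> list:
    """Unique keys in the dump's trailers, FFFFFFFFFFFF first, then sector by
    sector (key A before key B), as the app needs them to authenticate."""
    keys = ["FFFFFFFFFFFF"]
    for t in trailer_blocks():
        trailer = dump[t * BLOCK:(t + 1) * BLOCK]
        for k in (trailer[:6], trailer[10:]):
            k = k.hex().upper()
            # mfoc leaves 000000000000 where it never obtained a key; skip it
            if k not in keys and k != "000000000000":
                keys.append(k)
    return keys


def key_file_text(dump: bytes) -> str:
    """MCT key file: one 12-hex-digit key per line, '#' starts a comment."""
    lines = ["# keys recovered by mfoc, default key first"] + keys_from_dump(dump)
    return "\n".join(lines) + "\n"


def unformatted_blocks(dump: bytes) -> list:
    """Blocks that are not in factory state (block 0 is never checked)."""
    bad = []
    trailers = set(trailer_blocks())
    for n in range(1, BLOCKS):
        blk = dump[n * BLOCK:(n + 1) * BLOCK]
        expected = FACTORY_TRAILER if n in trailers else bytes(BLOCK)
        if blk != expected:
            bad.append(n)
    return bad


def sample_cracked_dump() -> bytes:
    """Constructed image with the tutorial's keys in sectors 5 and 10-15."""
    img = bytearray(BLOCKS * BLOCK)
    img[0:8] = bytes.fromhex("249901dd61080400")      # UID, BCC, SAK, ATQA
    for s in range(16):
        if s == 5:
            trailer = bytes.fromhex("3aa93eb6a6eb" "7f078869" "0604acbb55d5")
        elif s >= 10:
            trailer = bytes.fromhex("bdbb578b6c89" "7f078869" "bdbb578b6c89")
        else:
            trailer = FACTORY_TRAILER
        img[(s * 4 + 3) * BLOCK:(s * 4 + 4) * BLOCK] = trailer
        img[(s * 4 + 1) * BLOCK] = 0x11    # some data so the sector is not blank
    return bytes(img)


def factory_format(dump: bytes) -> bytes:
    """What a successful factory format should leave on the card."""
    img = bytearray(dump[:BLOCK]) + bytearray(BLOCKS * BLOCK - BLOCK)
    for t in trailer_blocks():
        img[t * BLOCK:(t + 1) * BLOCK] = FACTORY_TRAILER
    return bytes(img)


if __name__ == "__main__":
    cracked = sample_cracked_dump()
    print(key_file_text(cracked))
    print("before format, blocks still holding data:", unformatted_blocks(cracked))
    print("after format:", unformatted_blocks(factory_format(cracked)))
```

Feed unformatted_blocks() the dump saved by the app's Read tag after formatting: an empty list means the wipe succeeded, and any block numbers it returns map straight to the sector (number // 4) whose key was missing from mykey.keys.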

Cloning sector 0 to the phone
Open the Mi Wallet app and choose Door card -> Emulate physical door card. Tap Start detection and hold the wiped blank card against the back of the phone; once it is detected and passes verification, emulation starts. When it is done, double-press the power button to bring up the emulated card.

Writing the remaining data sectors
Double-press the power button to bring up the emulated card. When the phone says to hold it near the reader, place the back of the phone on the PN532 and run .\nfc-mfclassic w a mycard.mfd in the terminal. Note that the w is lowercase this time: a normal authenticated write, which skips block 0 (the phone already took its UID from sector 0 in the previous step, and block 0 is not writable here). That is why the result reads 63 of 64 blocks, and why the SAK is now 28 instead of 08: the phone's emulation advertises ISO 14443-4 support on top of the 1K emulation, which nfc-mfclassic still handles as a 1K card.
PS C:\apps\pn532> .\nfc-mfclassic w a mycard.mfd
NFC reader: pn532_uart:COM5 opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 24 99 01 dd
SAK (SEL_RES): 28
Guessing size: seems to be a 1024-byte card
Writing 64 blocks |...............................................................|
Done, 63 of 64 blocks written.
Once the output says Done, the encrypted door card emulation is complete. Before heading for the door, it is worth reading the emulation back (.\nfc-mfclassic r a readback.mfd mycard.mfd, which takes the keys from the original dump) and comparing it with mycard.mfd: the key bytes in the trailers read back as zeros and block 0 beyond the UID may differ, but every data block should match. Then go try it on the door.
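An added example (my code, not the post's or libnfc's) that does that comparison while ignoring exactly the fields a read-back cannot reproduce: key bytes in every trailer (never readable, so they come back as 00) and everything in block 0 after the UID and BCC. It assumes both files are 1024-byte .mfd images; the original and a simulated read-back are constructed inline, once intact and once with a corrupted data block, to show what a miss looks like.

```python
"""Compare the dump read back from the phone (or the blank card) with the
original mfoc dump, ignoring fields that legitimately differ.

Added example for this tutorial; not code from the post or libnfc.  Assumes
both images are 1024-byte .mfd files, e.g. mycard.mfd and a read-back made
with nfc-mfclassic in read mode using the original dump as key file.
Sample images are constructed inline.
"""

BLOCK, BLOCKS = 16, 64
TRAILERS = {s * 4 + 3 for s in range(16)}


def masked(n: int, blk: bytes) -> bytes:
    """Keep only what a read-back can reproduce for block n:
    - trailers: key bytes always read as 00, so compare access bytes + GPB;
    - block 0: only UID + BCC matter, the phone fills the rest itself."""
    if n == 0:
        return blk[:5]
    if n in TRAILERS:
        return blk[6:10]
    return blk


def diff_dumps(original: bytes, readback: bytes) -> list:
    """Block numbers whose meaningful content differs."""
    if len(original) != BLOCKS * BLOCK or len(readback) != BLOCKS * BLOCK:
        raise ValueError("both images must be 1024 bytes")
    bad = []
    for n in range(BLOCKS):
        a = original[n * BLOCK:(n + 1) * BLOCK]
        b = readback[n * BLOCK:(n + 1) * BLOCK]
        if masked(n, a) != masked(n, b):
            bad.append(n)
    return bad


def sample_original() -> bytes:
    """Constructed image: UID 24 99 01 dd, sector 5 keyed, data in each sector."""
    img = bytearray(BLOCKS * BLOCK)
    img[0:8] = bytes.fromhex("249901dd61080400")
    for s in range(16):
        img[(s * 4 + 1) * BLOCK:(s * 4 + 2) * BLOCK] = bytes([s]) * BLOCK
        t = (s * 4 + 3) * BLOCK
        if s == 5:
            img[t:t + BLOCK] = bytes.fromhex("3aa93eb6a6eb" "7f078869" "0604acbb55d5")
        else:
            img[t:t + BLOCK] = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    return bytes(img)


def simulate_readback(original: bytes, flip_block=None) -> bytes:
    """What a read of a good clone returns: key fields zeroed, block 0 tail
    different.  flip_block corrupts one data block to demonstrate a miss."""
    img = bytearray(original)
    for t in TRAILERS:
        img[t * BLOCK:t * BLOCK + 6] = bytes(6)
        img[t * BLOCK + 10:(t + 1) * BLOCK] = bytes(6)
    img[5:BLOCK] = bytes(11)
    if flip_block is not None:
        img[flip_block * BLOCK] ^= 0xFF
    return bytes(img)


if __name__ == "__main__":
    orig = sample_original()
    print("good clone, differing blocks:", diff_dumps(orig, simulate_readback(orig)))
    print("bad clone, differing blocks:",
          diff_dumps(orig, simulate_readback(orig, flip_block=17)))
```

With real files, replace the two sample calls with open("mycard.mfd", "rb").read() and open("readback.mfd", "rb").read(); an empty list means the phone now carries the same data as the door card, and a 0 in the list means the UID itself does not match, which no amount of rewriting the other blocks will fix.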