loading...

August 9, 2023

NFCat

Prelude :

Recently the building where I live got an upgrade with an access controller, a bunch of tags have been distributed to the residents with $$$ to pay for extra tags, the reason I needed to start my journey into understanding and bending this technology for educational purposes (of course)

theory

The Journey :

Recon :

First things first, the access token was looking like any NFC Tag with a keychain, I remember smartphones are able to read those, my first smartphone (a trusty and waterproof Xperia V back in the days) was promoted with the NFC feature, an quick and interesting way to share links and texts between phones, so popped my worthy Nethunter (Oneplus5T unofficial build) and tried reading it, Nothing.

Gave it another try with NFC Tool app and the only thing I got was me rubbing the tag against my phone flattering my ADHD ..

After few researches, appeared that the most common NFC tags comes in two flavors :

13.56Mhz NFC

- High Frequency
- Writable
- 2 ways
- Can store to 4Kb of data
- Can be encrypted
- Smartphone compatible

125Khz NFC

- Low Frequency
- Not Writable (*)
- 1 way
- 64 bits memory
- cannot be encrypted
- too low frequency for smartphone

Most common tags, Abusively called Mifare tags, as mifare is the chip inside responsible of the memory and frequency resonance, they’re not all mifare, hundreds of chips are available today and everyone is going with his sauce on the hard formatting and encryption, Mifare, Ntag, Slix, ST25 …etc..

a cheap alternative, low frequency based on TK4100 and EM4100 chips not designed to be writable however a writable version is available and based on T5577 chip.

There’s a number written on those, 10 digits not sure what that is yet.

However, the frequencies commonly employed for LFID (Low-Frequency Identification) or LowFID systems are typically 125kHz and 134kHz. It’s important to note that these frequencies serve as the foundation for low-frequency RFID technology. In and of themselves, these frequencies do not possess inherent functionality for activities such as ID identification, reading, or writing.

Commonly utilized low-frequency cards encompass brands like HID, T55xx, EM410x, and other similar series. These types of low-frequency cards are frequently encountered and used in everyday life by many individuals.

Not being able to read the tag with my phone suggests that it’s not a Mifare chip, I can’t go anywhere without being able to read it, shopping time !

here’s what I got :

RDM6300 Module
125Khz Cloner
0.91 Oled i²c
Hypothesis 01 :

before diving into any code, clone a tag using the cheap handheld 125Khz RFID Writer, if it works means they’re 125Khz, try writing to my current tag, if it’s possible means they are T5577 othrrwise they’re 4100 family

Hypothesis 02:

Build a reader using the RDM6300 and see what kind of informations we get from reading

Experiments : 

First hypothesis concluded, the access controller is reading  a 4100 family tag 125Khz
 
Building a simple reader with the RDM6300 was very interesting tho, I first went with the example code that was returning values via the serial terminal:

observations

By cross-referencing the EM4100 datasheet and the RDM6300 example code we can tell : 

  • tags are 64-bit data
  • 9 bits in the header (probably a reading trigger)
  • D00-D93  body construction (data)
  • PR0-PR9 parity check per row
  • PC0-PC3 parity check per column
  • E0 closing bit
 Parity bit is simply summing the number of 1s in a data unit, if the sum is odd then the parity bit is 1 otherwise it’s 0, this is the standard parity check system but it’s not a general truth, some systems apply the even parity check where the parity bit is 1 when the sum of 1s is odd but that’s another story for another day
 
 So far it seems like the antenna is playing a simple high/low state inductor role to the reader, but in a xor style, which means low state for a 0 bit and high state for a 1 bit
 
Header1  1  1  1  1  1  1  1  1
MessageD00D01D02D03PR0
D10D11D12D13PR1
D20D21D22D23PR2
D30D31D32D33PR3
D40D41D42D43PR4
D50D51D52D53PR5
D60D61D62D63PR6
D70D71D72D73PR7
D80D81D82D83PR8
D90D91D92D93PR9
PC0PC1PC2PC3E0

Let me break this out a little bit more with an example, let’s do the reverse math for the tag I used to test on the RDM6300

the number on the tag is : 0009622573
RDM6300 is returning :
Message-Data (HEX):
49 (version) 0092D42D (tag)
Extracted Tag: 9622573

0092D42D is basically the decimal to hex conversion for (000)9622573
but that 49 marked (version) is really intriguing and doesn’t correspond to anything visible on the tag

from the comment on line 2 in the example code let’s assume this should build this way : 
(header)+ [(version)+(tag)+(tail)]

let’s do a binary table and check if this works

Header
1  1  1  1  1  1  1  1  1
Hex TagBinaryMessageRP
4010001001
9100110010
0000000000
0000000000
9100110010
2001000101
D110111011
4010001001
2001000101
D110111011
CP00000

 

the complicated math : 

header (9 bits) + message (40 bits) + row parity (10 bits) + column parity (4 bits) + closing (1 bits) = 64 bits

that’s poetically matches to the entire memory stamp of an EM4100

conclusions

  • Version number cannot be retrieved by visual recognition on the tags
  • Conversion from the number on the tag to the reader seems go this way :
Serial Number (décimal) → Hexadecimal → Binary 
  • This conversion gives us the software path to emulate a tag, but also that there’s a minimum and maximum value to a tag, which means a bruteforce is practicable, in fact, since the key conversion is a 10 digits hex number [version]+[tag] means  :
  • the minimum value is [00][00000000]
  • the maximum value is [FF][FFFFFFFF]

practice

let’s put this to practice, we can clone these tags with the handheld 125Khz cloner from EM4100 to T5577 tags that are writable, but that is restrictive and too bluky to be effectively used stealthy in the field

I need to make a gadget/tool for this kind of access controller, it’s already covered by the flipper zero and the proxmark but both suffers from a high price, lack of availability and flagged, I need something I can shape stealth and open source to the community  

Features to embed :

  • Emulate any tag 
  • Read tags and get Version & Tag hex values
  • Save read values in a slot system
  • Select a slot from the memory and replay the values
  • Bruteforce 
  • Enter Tag values manually and bruteforce the version number
  • Write to T5577 magic tags

The reading part is perfectly done via the RDM6300 so I am just going to rely on it and build a device around it, I am going with Arduino Micro spared from an old project and a 0.91″ i²c oled screen

Let’s work on the key feature, Emulating

emulating

Even if marketed as read/write module the RDM6300 is only able to read, or at least I’ve never been able to to use it for writing.

If I want to emulate a tag I will need extra electronics for that, since I suspect the antenna to be a simple inductor tuned and detuned by the EM4100 chip doing only high/low states at the right frequency, I built a simple resonating circuit that will be controlled by the µC 

normally the circuit should be tuned by the resonance formula but since that I am gonna reuse the RDM6300 antenna, I winged standard values to the components, the antenna is something around ~860uH

extra note for the software part is that the data seems to be modulating the signal through a manchester encoding, also from the datasheet ~ 

And this worked incredibly well, event tried it on the reader and I’ve been gracefully granted access with a green light

Now this means we can read and emulate tags, the tag values can be retrieved from the RDM6300 we only need to convert it to 64bits binary and do the parity check

putting all this together and the NFCat will see the light

NFCat

Hardware Notes :

    • Using the same antenna for the RDM6300 in reading and the tag emulator was not possible, the signal line was noisy because each one was tuning the other, solved it by air-gapping the lines with optocouplers,  PC817 from my shelves, transistors would’ve made the trick but I choosed the safety.
    • Designing a menu navigation was a pain, I am really bad with front-end coding but made my best for a minimal buttons configuration with only two buttons, well three buttons if we count the arduino reset button I used go back to the main menu, it’s resetting the AT328P and taking to the main menu 😂 ✅
    • 2 buttons, 4 functionalities :
      • Short press left/right → navigation
      • Long press left → back, cancel
      • Long press right → enter, validate
    • Main menu :
      • Read :
        • Save
        • Emulate
      • Emulate
        • Emulate
      • Credit
Posted in hacking
1 Comment
  • Vinny

    Bravo

    9:21 pm September 28, 2023 Reply
Write a comment