RfidResearchGroup / ChameleonUltra

The new generation chameleon based on NRF52840 makes the performance of card emulation more stable, and gives the chameleon the ability to read, write, and decrypt cards.
https://chameleonultra.com
GNU General Public License v3.0

Add mode fuzzing for MF1 emulation #193

Open rickNmorty2 opened 10 months ago

rickNmorty2 commented 10 months ago

This PR aims to provide a new mode called fuzzing. When in fuzzing mode, the slot generates new (random) content each time it is read. This allows fuzzing a reader for which the keys are known but the required UID/bitfield values are not.

For example, we read the same slot on the ChameleonUltra twice, with the slot configured in fuzzing mode:

rick@linux-desktop:~$ nfc-mfclassic r a u first_read
rick@linux-desktop:~$ nfc-mfclassic r a u second_read

And we obtain different data:

rick@linux-desktop:~$ diff --git a/first_read.hx b/second_read.hx
index 6684444..1490847 100644
--- a/first_read.hx
+++ b/second_read.hx
@@ -1,65 +1,65 @@
-0000000 5d62 07fb 9a55 3f74 3436 5906 f41a 0f63
-0000010 620d 6f7c 729e 6ef8 a4f2 c548 8286 d0a5
-0000020 23b1 4760 c362 55fd b8bd f955 763c 6345
+0000000 9647 7409 79c7 b9bc 0515 5029 0ce7 c242
+0000010 d765 adf5 586c 2d9b 1343 901c c473 6bb9
+0000020 cd17 e2b3 19e2 72ec 78f0 35ed 64d1 ca56
 0000030 ffff ffff ffff 07ff 6980 0000 0000 0000
-0000040 0018 d9a8 6c68 148f dcee d4fa f29b 3db0
-0000050 16f0 2d2f 62c9 4571 22a3 3108 3b7c f0dc
-0000060 8ac1 c1e9 d2a0 b1dd 7281 bf6d e258 70cc
+0000040 9c67 bb13 14e4 6172 1dce ab2d 83f4 06df
+0000050 5879 a04b 3a8e 0154 a204 03b2 a546 4fe7
+0000060 dc79 0e49 e3d9 e5f0 f21e aab8 2f31 1da2
 0000070 ffff ffff ffff 07ff 6980 0000 0000 0000
-0000080 ffe4 3590 d7fe 3efd 0393 e6dd af4f 1eb0
-0000090 58d2 5771 6b80 f207 feaa 5138 a07f 1d37
-00000a0 9d70 5020 adc3 7bed 59d1 4ec7 f6ab 3376
+0000080 bba8 07fd dd73 4e3a 6541 22a2 c8ba 620e
+0000090 88ff f33b 9c2a 8de9 e593 33a7 f565 ae41
+00000a0 c0da f377 c865 d31e ed7b 5d02 4036 9f5e
 00000b0 ffff ffff ffff 07ff 6980 0000 0000 0000
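Review bot: the randomized block 0 (offset 0000000) carries no valid BCC in either read: byte 4 does not equal the XOR of the first four bytes (5d62 07fb gives 0xc3, 9647 7409 gives 0xac), so a reader that validates the manufacturer block would reject the fuzzed content even though the slot keeps its UID for anti-collision. Consider either leaving block 0 out of the randomized set or regenerating UID, BCC, SAK and ATQA together so they stay consistent. The trailers at 0000030, 0000070 and 00000b0 are unchanged between the two reads, which matches the note that keys and access bits are not randomized; it would help to say so next to the diff.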

It is a per-slot setting, configurable through the CLI:

[USB] chameleon --> hw slot list
 - Slot 1:(active)
   HF:  Mifare Classic 1k
      UID:                                    DEADBEEF
      ATQA:                                   0400 (0x0004)
      SAK:                                    08
      Gen1A magic mode:                       disabled
      Gen2 magic mode:                        disabled
      Use anti-collision data from block 0:   disabled
      Write mode:                             Normal
      Log (mfkey32) mode:                     disabled
      Fuzzing mode:                           disabled
   LF:  EM410X
      ID:                                     DEADBEEF88
[USB] chameleon --> hf mf econfig --enable-fuzzing -s 1
 - MF1 Emulator settings updated
[USB] chameleon --> hw slot list
 - Slot 1:(active)
   HF:  Mifare Classic 1k
      UID:                                    DEADBEEF
      ATQA:                                   0400 (0x0004)
      SAK:                                    08
      Gen1A magic mode:                       disabled
      Gen2 magic mode:                        disabled
      Use anti-collision data from block 0:   disabled
      Write mode:                             Normal
      Log (mfkey32) mode:                     disabled
      Fuzzing mode:                           enabled
   LF:  EM410X
      ID: 

It is also possible to specify keys to use for fuzzing mode for each sector:

[USB] chameleon --> hf mf fuzz -h
--------------------------------------------------------------------------------
hf mf fuzz

Mifare Classic fuzzer tag

usage:
  hf mf fuzz [-h] [-k KEY [KEY ...]]

options:
  -h, --help            show this help message and exit
  -k KEY [KEY ...], --key KEY [KEY ...]
                        Key to use for a given sector

Note that the current implementation does not randomize keys and access mode when generating new data.

Any feedback on the idea and/or on the implementation (client or firmware side) is welcome.
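To make the fuzzing-mode idea concrete on the client side, here is an added example (not code from this PR or from the ChameleonUltra project) that builds a MIFARE Classic 1K image the way the mode is described above: every call returns fresh random data blocks while each sector trailer keeps its known key A, access bits and key B. It assumes the per-sector key option maps sector number to key A (the help text above only says "Key to use for a given sector"), uses the transport access bytes FF078069 seen in the hexdump, and rebuilds block 0 with a consistent BCC/SAK/ATQA instead of randomizing it byte for byte. The command used to load such an image into a slot is not assumed here.

```python
"""Added example: generate MIFARE Classic 1K 'fuzz' images with fixed trailers."""
import secrets
from typing import Callable, Dict, List, Optional

BLOCK = 16
SECTORS = 16                      # MIFARE Classic 1K: 16 sectors x 4 blocks
BLOCKS = SECTORS * 4
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")
TRANSPORT_ACCESS = bytes.fromhex("FF078069")   # access bits + GPB, as in the hexdump trailers


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes (ISO 14443-3 cascade level 1)."""
    value = 0
    for b in uid:
        value ^= b
    return value


def manufacturer_block(uid: bytes, sak: int = 0x08, atqa: bytes = b"\x04\x00",
                       rnd: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Block 0: UID(4) | BCC | SAK | ATQA(2, card byte order) | 8 random manufacturer bytes."""
    if len(uid) != 4:
        raise ValueError("4-byte UID expected")
    head = uid + bytes([bcc(uid), sak]) + atqa
    return head + rnd(BLOCK - len(head))


def trailer(key_a: bytes = DEFAULT_KEY, access: bytes = TRANSPORT_ACCESS,
            key_b: bytes = DEFAULT_KEY) -> bytes:
    """Sector trailer layout: key A(6) | access bytes(4) | key B(6)."""
    if len(key_a) != 6 or len(key_b) != 6 or len(access) != 4:
        raise ValueError("key A/B must be 6 bytes, access bytes 4")
    return key_a + access + key_b


def fuzz_dump(keys: Optional[Dict[int, bytes]] = None, uid: Optional[bytes] = None,
              rnd: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Build one 1024-byte image: random data blocks, fixed trailers, consistent block 0.

    keys: {sector: key_a}; sectors without an entry keep FFFFFFFFFFFF (assumed
    meaning of the PR's per-sector -k option). uid=None also fuzzes the UID,
    with the BCC recomputed so block 0 stays internally consistent.
    """
    keys = keys or {}
    uid = uid if uid is not None else rnd(4)
    out = bytearray()
    for blk in range(BLOCKS):
        sector, pos = divmod(blk, 4)
        if blk == 0:
            out += manufacturer_block(uid, rnd=rnd)
        elif pos == 3:
            out += trailer(key_a=keys.get(sector, DEFAULT_KEY))
        else:
            out += rnd(BLOCK)                 # data block: new random content per image
    return bytes(out)


def changed_blocks(a: bytes, b: bytes) -> List[int]:
    """Block numbers that differ between two images (what the diff in the PR shows)."""
    return [i for i in range(BLOCKS) if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


def trailers_stable(a: bytes, b: bytes) -> bool:
    """True when only data blocks changed, i.e. keys and access bits were preserved."""
    return all(i % 4 != 3 for i in changed_blocks(a, b))


if __name__ == "__main__":
    first = fuzz_dump(uid=bytes.fromhex("DEADBEEF"))
    second = fuzz_dump(uid=bytes.fromhex("DEADBEEF"))
    print("changed blocks:", changed_blocks(first, second))
    print("trailers stable:", trailers_stable(first, second))
```

Two consecutive images differ in every data block but agree on all sixteen trailers, which is the property a fuzzed reader relies on: it can still authenticate with the known keys while the UID/bitfield content it sees keeps changing.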

github-actions[bot] commented 10 months ago

You are welcome to add an entry to the CHANGELOG.md as well

github-actions[bot] commented 10 months ago

Built artifacts for commit 6a03449044557ec239d1d5be7b20538e121360f2

Firmware

Client

rickNmorty2 commented 9 months ago

Thanks for the suggestions @p-l-

rickNmorty2 commented 6 months ago

Hi,

For me this PR is ready to be merged. Or if you think it is not relevant I am OK to close it as well. Just let me know.