Difference between revisions of "RFID"

From YobiWiki
==Middleware: pcscd & libccid==
There is no common RFID middleware yet, but most readers rely (or can rely) on [http://en.wikipedia.org/wiki/PC/SC PC/SC].
<br>[http://ludovic.rousseau.free.fr/softwares/pcsc-tools/ pcscd] is the Linux daemon to access readers compatible with the PC/SC standard.
<br>Most USB-based readers comply with the common USB-CCID specification and therefore rely on the same driver ([http://pcsclite.alioth.debian.org/ccid.html libccid] under Linux).
To dump the list of readers supported by the libccid of your pcscd install:
<source lang=bash>
</source>

==RFID readers==
NXP has a series of NFC-compatible reader chips: PN531, PN532, PN533.
<br>Here are some readers using one of those chips.

===PN531-based (warning: the PN531 is obsolete!)===
====PN531====
* Official site: <nowiki>http://www.nxp.com/#/pip/pip=[pfp=53424]|pp=[t=pfp,i=53424]</nowiki>
* [http://www.google.com/search?q=pn531+transmission+module Short Form Specification, Near Field Communication PN531 µ-based Transmission module]
The PN531 is capable of speaking USB directly, so there exist readers consisting simply of a PN531 wired to your PC via USB.
<br>In that case, the vendorID/productID will be either 04CC:0531 or 054c:0193.

Apparently the following products are like that:
* [http://www.scmmicro.com/scl3710/ SCL3710] by SCM Microsystems
* [http://www.snapper.co.nz/ Snapper], see also the discussion [http://www.proxmark.org/forum/post/189/#p189 here]

====[http://www.nfc-global.com/nfc_global/nfc_products/adra.php Arygon ADRA]====
Based on a PN531.

Supported standards:
* ISO18092 (NFC transport protocol)
* Sony FeliCa
* NXP Mifare ® family
* compliant to ISO14443A, ISO14443A-4 (T=CL)
Communication protocol:
* ARYGON (HL - high level language), TAMA (LL - low level language)
** To send TAMA frames, send an ASCII '2' as the first char, e.g. to get the firmware version of the PN531:
<pre>
0x32 0x00 0x00 0xFF 0x02 0xFE 0xD4 0x02 0x2A 0x00
=>
0x00 0x00 0xFF 0x00 0xFF 0x00 (TAMA ACK)
0x00 0x00 0xFF 0x04 0xFC 0xD5 0x03 0x02 0x02 0x24 0x00 (TAMA v=2.2)
</pre>
The same request from a shell, with the raw reply (ACK frame followed by the firmware response):
<pre>
echo 32 00 00 ff 02 fe d4 02 2a 00|xxd -p -r|socat - /dev/ttyUSB0|xxd -p
0000ff00ff000000ff04fcd50304022200
</pre>
Baud rate (passive/active):
* 106 kBaud, 212 kBaud, up to 424 kBaud
* USB, seen as a serial port

Apparently they propose a PCSC driver for Redhat 32-bit, but it segfaults on a Debian 32-bit.
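As an added example (not code from this wiki, nor from Arygon or NXP), here is a small Python encoder/decoder for the TAMA frames shown above: it computes LEN/LCS and DCS for a command, prepends the ASCII '2' the ADRA expects, and parses the ACK plus response frames read back from the serial port, rejecting frames whose checksums don't match. The function names are mine; the byte strings are the ones from the exchange above, and the serial I/O itself is left out so the file runs offline.

```python
"""PN53x "TAMA" normal-frame encoder/decoder (added example, not wiki code).

Frame layout: 00 00 FF LEN LCS TFI DATA... DCS 00
  LEN + LCS == 0 (mod 256), TFI + DATA + DCS == 0 (mod 256)
The Arygon ADRA wants an ASCII '2' (0x32) in front of a TAMA frame.
"""

PREAMBLE = b"\x00\x00\xff"
TFI_HOST_TO_PN53X = 0xD4
TFI_PN53X_TO_HOST = 0xD5
ACK_FRAME = b"\x00\x00\xff\x00\xff\x00"
ARYGON_TAMA_PREFIX = b"2"   # selects the TAMA (low-level) path on the ADRA


def build_frame(payload: bytes, arygon: bool = False) -> bytes:
    """Wrap a PN53x command (first byte = command code) in a normal frame."""
    if not 1 <= len(payload) <= 254:
        raise ValueError("normal frames carry at most 255 bytes including TFI")
    body = bytes([TFI_HOST_TO_PN53X]) + payload
    length = len(body)
    lcs = (-length) & 0xFF           # length checksum
    dcs = (-sum(body)) & 0xFF        # data checksum over TFI + data
    frame = PREAMBLE + bytes([length, lcs]) + body + bytes([dcs, 0x00])
    return (ARYGON_TAMA_PREFIX if arygon else b"") + frame


def parse_frames(stream: bytes) -> list:
    """Split a reply stream into ("ack", None) and ("frame", data) items.

    Both checksums are verified; a mismatch raises ValueError rather than
    silently returning bytes corrupted on the serial line.
    """
    out = []
    i = 0
    while i < len(stream):
        if stream[i:i + 6] == ACK_FRAME:
            out.append(("ack", None))
            i += 6
            continue
        if stream[i:i + 3] != PREAMBLE:
            raise ValueError(f"no frame start at offset {i}")
        if len(stream) < i + 5:
            raise ValueError("truncated frame header")
        length, lcs = stream[i + 3], stream[i + 4]
        if (length + lcs) & 0xFF:
            raise ValueError("LEN/LCS mismatch")
        if len(stream) < i + 5 + length + 2:
            raise ValueError("truncated frame body")
        body = stream[i + 5:i + 5 + length]
        dcs = stream[i + 5 + length]
        if (sum(body) + dcs) & 0xFF:
            raise ValueError("data checksum mismatch")
        if body[0] != TFI_PN53X_TO_HOST:
            raise ValueError("unexpected direction byte (TFI)")
        out.append(("frame", body[1:]))
        i += 5 + length + 2          # skip DCS and postamble
    return out


def firmware_version(stream: bytes) -> str:
    """Decode a GetFirmwareVersion (0x02) reply: D5 03 <ver> <rev> on the PN531."""
    for kind, data in parse_frames(stream):
        if kind == "frame" and data and data[0] == 0x03:
            return f"{data[1]}.{data[2]}"
    raise ValueError("no GetFirmwareVersion response in stream")


# Constructed from the bytes shown on the page
GET_FIRMWARE = bytes([0x02])
REPLY_FROM_PAGE = bytes.fromhex("0000ff00ff000000ff04fcd50304022200")

if __name__ == "__main__":
    print(build_frame(GET_FIRMWARE, arygon=True).hex())   # 320000ff02fed4022a00
    print(firmware_version(REPLY_FROM_PAGE))              # 4.2
```

The checks on LCS and DCS are what a host driver must do before trusting anything it read from the reader; the example keeps them explicit instead of hiding them in a library call.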
===PN532-based===
====[http://www.acs.com.hk/acr122.php ACR122U]====
* [http://www.nfc-reader.com/acr122-document.php docs]
** ISO/IEC18092 (NFC) compliant

<pre>
> ff 00 48 00 00
< 41 43 52 31 32 32 55 32 30 33 : Error not defined by ISO 7816
</pre>
We're using a pseudo-APDU which doesn't return the standard SW1/SW2 status bytes; this is why scriptor reports an error, which can be ignored, and why opensc-tool also wrongly interprets the last two data bytes as ISO7816 error codes.
<br>The proper decoding of the received data is:
<pre>
$ echo ff00480000|scriptor 2>/dev/null |tail -n 1|xxd -p -r
ACR122U203
</pre>
The Tikitag / Touchatag model will return an older version:
<pre>
ACR122U102
</pre>
   
 
If you get the following error:

that's because you have a model without SAM support. Place a tag on the reader and try again; it should work.
So that's where a lot of confusion comes into play: the two models behave very differently! See below.
<br>Note that [http://www.libnfc.org/hardware/devices/acr122 this site] points out that it also corresponds to a difference of firmware versions.

====ACR122U-SAM / Touchatag (was Tikitag)====
 
* With SAM slot
* [http://www.acs.com.hk/drivers-manual.php?driver=ACR122SAM Windows drivers & API docs]

* When there is no SAM inserted, the ATR shown is a pseudo-ATR = 3B 00
* So for PCSC there is always a "card inserted"
* To detect contactless card "insertion", the application must do the polling itself
* APDUs are sent to the SAM
* To send APDUs to a contactless card, you ''must'' wrap them into pseudo-APDUs (FF 00 00 00 ...)
* To send special APDUs to the reader (to get the firmware version or to control the LEDs), just send them

Some more info [http://hackerati.com/post/57314994/rfid-on-the-cheap-hacking-tikitag here] and [http://www.synbio.org.uk/component/content/article/61-scientific-computing-news/1117-tikitag-details.html?directory=259 there] about the Tikitag
<br>Some more [http://www.libnfc.org/hardware/pn53x-chip here]
<br>The full technical reference of the SAM used in the Tikitag is supposed to be available [http://www.acs.com.hk/download/REF_ACOS6.pdf here]. There is a copy available [http://rassro.cz/images/pdf/REF_ACOS6.pdf here].
   
 
====ACR122U PICC====

* When there is no contactless card, no ATR
* So for PCSC there is a "card inserted" if there is a contactless card
* On contactless card "insertion", it generates a "card inserted" event
* APDUs are sent directly to the contactless card, which makes this reader fully transparent in this mode
* To send APDUs to a contactless card, you can also wrap them into pseudo-APDUs (FF 00 00 00 ...)
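The following Python helpers are an added example (not code from this wiki or from ACS) for the two points made in the SAM and PICC lists above: wrapping an APDU into the FF 00 00 00 Lc pseudo-APDU so it reaches the contactless card on the SAM model, and decoding the ASCII reply to the firmware pseudo-APDU FF 00 48 00 00 that scriptor/opensc-tool misread as SW1/SW2. The function names are mine; the sample bytes are the ones from the exchange shown earlier, and the PC/SC transport (e.g. pyscard) is not included, so the file runs offline.

```python
"""ACR122U pseudo-APDU helpers (added example, not wiki or ACS code)."""

GET_FIRMWARE_APDU = bytes.fromhex("ff00480000")


def wrap_pseudo_apdu(inner: bytes) -> bytes:
    """Wrap an APDU destined to the contactless card into FF 00 00 00 Lc <inner>.

    On the SAM model this wrapping is mandatory (plain APDUs go to the SAM);
    on the PICC model it is optional. Lc is a single byte, so 255 bytes max.
    """
    if not 1 <= len(inner) <= 255:
        raise ValueError("pseudo-APDU payload must be 1..255 bytes")
    return bytes([0xFF, 0x00, 0x00, 0x00, len(inner)]) + inner


def unwrap_pseudo_apdu(wrapped: bytes) -> bytes:
    """Inverse of wrap_pseudo_apdu, checking the header and the Lc byte."""
    if wrapped[:4] != b"\xff\x00\x00\x00" or len(wrapped) != 5 + wrapped[4]:
        raise ValueError("not a well-formed FF 00 00 00 Lc pseudo-APDU")
    return wrapped[5:]


def decode_firmware(reply: bytes) -> dict:
    """Decode the reply to FF 00 48 00 00.

    The whole reply is ASCII data: there is no SW1/SW2, which is why
    scriptor and opensc-tool print an ISO 7816 error for the last two bytes.
    """
    text = reply.decode("ascii")
    if not text.startswith("ACR122U"):
        raise ValueError(f"unexpected firmware string {text!r}")
    version = text[len("ACR122U"):]
    return {
        "firmware": text,
        "version": version,
        # Page: Tikitag/Touchatag units report 102, the newer units 203,
        # and 207 is the release that fixed the ATR construction.
        "touchatag_era": version == "102",
        "atr_bug_fixed": version.isdigit() and int(version) >= 207,
    }


# Constructed sample values (from the exchange shown on the page)
FIRMWARE_REPLY_203 = bytes.fromhex("41435231323255323033")
FIRMWARE_REPLY_102 = b"ACR122U102"
GET_UID_APDU = bytes.fromhex("ffca000000")   # PC/SC part 3 GET DATA (UID), constructed sample

if __name__ == "__main__":
    print(wrap_pseudo_apdu(GET_UID_APDU).hex())
    print(decode_firmware(FIRMWARE_REPLY_203))
```

With pyscard, the bytes returned by wrap_pseudo_apdu are what you would pass to connection.transmit() on the SAM model; the firmware decoder is handy for telling the two models apart before deciding whether wrapping is needed.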

<pre>SCardControl(hCard, IOCTL_SMARTCARD_VENDOR_IFD_EXCHANGE, ...)</pre>

In case libccid refuses the reader with:
<pre>
Firmware (x.xx) is bogus! Upgrade the reader firmware or get a new reader.
</pre>
you can force it by setting the third bit (0x04) of ifdDriverOptions in /etc/libccid_Info.plist to 1:
<pre>
<key>ifdDriverOptions</key>
<string>0x0005</string>
</pre>
Possible values for ifdDriverOptions:
<pre>
1: DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED
   the CCID Exchange command is allowed. You can use it through
   SCardControl(hCard, IOCTL_SMARTCARD_VENDOR_IFD_EXCHANGE, ...)
4: DRIVER_OPTION_USE_BOGUS_FIRMWARE
   Some reader firmwares have bugs. By default the driver refuses
   to work with such firmware versions. If your reader is rejected
   because of the firmware (log message: "Firmware (x.y) is
   bogus!") you can:
   - activate this option but you will have problems depending on the bug
</pre>
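An added Python example (not part of this wiki or of libccid) that edits ifdDriverOptions the way described above: it reads the value with plistlib, names the bits that are set, and sets or clears DRIVER_OPTION_USE_BOGUS_FIRMWARE (0x04) without touching DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED (0x01). The plist fragment embedded in it is a constructed minimal stand-in for /etc/libccid_Info.plist, and the function names are mine.

```python
"""Toggle DRIVER_OPTION_USE_BOGUS_FIRMWARE in a libccid Info.plist (added example)."""
import plistlib

DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED = 0x01
DRIVER_OPTION_USE_BOGUS_FIRMWARE = 0x04
OPTION_NAMES = {
    DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED: "DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED",
    DRIVER_OPTION_USE_BOGUS_FIRMWARE: "DRIVER_OPTION_USE_BOGUS_FIRMWARE",
}

# Constructed minimal fragment; the real file carries many more keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleName</key>
  <string>CCIDCLASSDRIVER</string>
  <key>ifdDriverOptions</key>
  <string>0x0001</string>
</dict>
</plist>
"""


def read_options(plist_bytes: bytes) -> int:
    """Return ifdDriverOptions as an integer (the plist stores it as a hex string)."""
    data = plistlib.loads(plist_bytes)
    return int(data.get("ifdDriverOptions", "0x0000"), 16)


def describe_options(value: int) -> list:
    """Names of the known option bits set in value, lowest bit first."""
    return [name for bit, name in OPTION_NAMES.items() if value & bit]


def set_bogus_firmware(plist_bytes: bytes, enable: bool = True) -> bytes:
    """Return the plist with bit 0x04 set or cleared, other bits untouched."""
    data = plistlib.loads(plist_bytes)
    value = int(data.get("ifdDriverOptions", "0x0000"), 16)
    if enable:
        value |= DRIVER_OPTION_USE_BOGUS_FIRMWARE
    else:
        value &= ~DRIVER_OPTION_USE_BOGUS_FIRMWARE
    data["ifdDriverOptions"] = f"0x{value:04X}"   # same 0xNNNN spelling as the shipped file
    return plistlib.dumps(data)


if __name__ == "__main__":
    updated = set_bogus_firmware(SAMPLE_PLIST)
    print(describe_options(read_options(updated)))   # both options listed
```

To apply it to the real file, read /etc/libccid_Info.plist into bytes, pass them through set_bogus_firmware and write the result back as root; keep a backup first, because plistlib re-serialises the whole file and drops any XML comments it contained.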
   
Personally I found the reader quite unstable; it disconnects often from pcscd.
<br>Even with the vendor drivers instead of libccid. BTW I've no idea what this vendor version brings extra.
Another issue is that the generated ATR doesn't properly follow the PCSC standard for contactless ISO14443-4 tags:
<br>Where it should stuff the historical bytes of the ATS into the generated ATR, it stuffs the entire ATS, which breaks tag detection done e.g. by pcsc_scan.
<br>Moreover, for e.g. a JCOP card, the last bytes of the ATS are masked by 0xFF 0xFF 0xFF 0xFF.

Examples:
* Desfire:
<pre>
ATS:            06 75 77 81 02 80
ATR by ACR122U: 3B 86 80 01 06 75 77 81 02 80 00
ATS hist bytes: 80
Expected ATR:   3B 81 80 01 80 80
</pre>
* JCOPv2.4.1:
<pre>
ATS:            0D 78 77 B1 02 4A 43 4F 50 76 32 34 31
ATR by ACR122U: 3B 8D 80 01 0D 78 77 B1 02 4A 43 4F 50 FF FF FF FF AB
ATS hist bytes: 4A 43 4F 50 76 32 34 31 (=JCOPv241)
Expected ATR:   3B 88 80 01 4A 43 4F 50 76 32 34 31 5E
</pre>
The problem is known by ACS, so they upgraded the firmware and released a v207.
<br>So if you want to buy one, make sure to get at least an ACR122U-A2NR/207F, or newer if it exists.
<br>To temporarily fix the JCOP issue on the ACR122U203, you can issue another command to get the full ATS: FF CA 01 00 00. This command follows the PC/SC standard.
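To check a reader's ATR against the rule above (historical bytes of the ATS, then the TCK), here is an added Python example (not code from this wiki or from ACS): it extracts the historical bytes from an ATS by decoding T0, builds the ATR a compliant reader should report, and classifies an observed ATR so the pre-207 ACR122U behaviour (whole ATS used as historical bytes, last bytes masked with FF) is detected from software. The function names are mine; the ATS/ATR values are the Desfire and JCOP ones listed above.

```python
"""Contactless ATR per PC/SC part 3 for ISO14443-4 A cards (added example).

Compliant ATR: 3B 8n 80 01 <n historical bytes of the ATS> TCK
TCK = XOR of every byte from T0 up to the last historical byte.
"""


def ats_historical_bytes(ats: bytes) -> bytes:
    """Return the historical bytes of an ATS (TL T0 [TA1] [TB1] [TC1] hist...)."""
    if not ats or ats[0] != len(ats):
        raise ValueError("ATS length byte TL does not match the ATS length")
    if len(ats) == 1:
        return b""
    t0 = ats[1]
    i = 2
    # b5, b6, b7 of T0 flag the presence of TA(1), TB(1), TC(1)
    for present in (t0 & 0x10, t0 & 0x20, t0 & 0x40):
        if present:
            i += 1
    return ats[i:]


def atr_tck(atr_without_tck: bytes) -> int:
    """XOR of every byte after TS (0x3B) up to the last historical byte."""
    tck = 0
    for b in atr_without_tck[1:]:
        tck ^= b
    return tck


def expected_atr(ats: bytes) -> bytes:
    """ATR a PC/SC-compliant reader should report for this ATS."""
    hist = ats_historical_bytes(ats)
    if len(hist) > 15:
        raise ValueError("T0 can only encode up to 15 historical bytes")
    body = bytes([0x3B, 0x80 | len(hist), 0x80, 0x01]) + hist
    return body + bytes([atr_tck(body)])


def check_reader_atr(reader_atr: bytes, ats: bytes) -> str:
    """Classify an ATR reported by the reader against the ATS the card sent."""
    if len(reader_atr) < 5 or reader_atr[0] != 0x3B:
        return "not a direct-convention ATR"
    if atr_tck(reader_atr[:-1]) != reader_atr[-1]:
        return "bad TCK"
    if reader_atr == expected_atr(ats):
        return "compliant"
    hist_part = reader_atr[4:-1]
    # Buggy firmware: the whole ATS, with trailing bytes possibly masked to FF
    masked_ats = len(hist_part) == len(ats) and all(
        h == a or h == 0xFF for h, a in zip(hist_part, ats))
    if masked_ats:
        return "full ATS instead of historical bytes (ACR122U < 207 behaviour)"
    return "unexpected historical bytes"


# Sample values from the page
DESFIRE_ATS = bytes.fromhex("067577810280")
DESFIRE_ACR122U_ATR = bytes.fromhex("3b86800106757781028000")
JCOP_ATS = bytes.fromhex("0d7877b1024a434f5076323431")
JCOP_ACR122U_ATR = bytes.fromhex("3b8d80010d7877b1024a434f50ffffffffab")

if __name__ == "__main__":
    for name, ats, seen in (("Desfire", DESFIRE_ATS, DESFIRE_ACR122U_ATR),
                            ("JCOP v2.4.1", JCOP_ATS, JCOP_ACR122U_ATR)):
        print(name, "expected", expected_atr(ats).hex(), "->", check_reader_atr(seen, ats))
```

Note that both buggy ATRs still carry a correct TCK, so a TCK check alone does not catch the problem; you need the ATS (FF CA 01 00 00 on a PICC-mode reader) to compare against.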
====[http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz OpenPCD 2]====
Based on a PN532 and an ARM Cortex-M3 (LPC1342FHN33), with open-source firmware.

====[http://www.seeedstudio.com/depot/nfc-shield-p-916.html?cPath=132_134 NFC shield for Arduino]====
Open-source NFC shield for Arduino
* More [http://seeedstudio.com/wiki/index.php?title=NFC_Shield here]
* Code [https://github.com/viswesr/PN532 here], forked from the Adafruit code, cf. the breakout board below

====[https://www.adafruit.com/products/364 Breakout board]====
Open-source hardware designed by microbuilder.eu
* Some code for Arduino [https://github.com/adafruit/PN532 here]

===PN533-based===
====PN533====
 
* Official site: <nowiki>http://www.nxp.com/#/pip/pip=[pfp=53424]|pp=[t=pfp,i=53424]</nowiki>
The PN533 is capable of speaking USB directly, so there exist readers consisting simply of a PN533 wired to your PC via USB.
<br>The vendorID/productID may vary, e.g. 04CC:2533 or, for the SCL3711, 04E6:5591.

====SCL3711====
Based on a PN533
* [http://www.scmmicro.com/en/products-services/smart-card-readers-terminals/contactless-dual-interface-readers/scl3711.html SCL3711] by SCM Microsystems
It can be used as such with libnfc via libusb, or it can be used via PCSC through a proprietary driver, but AFAIK this driver doesn't provide a mechanism to send commands to the PN533, so you have to disable PCSC (or remove the driver) if you want to use libnfc.
<br>My 64-bit driver doesn't work with pcscd >=1.6.1 if pcscd is run in background; it needs to run in foreground.
<br>With pcscd v1.5.5 it works fine (except that I couldn't use the Escape IOCTL mechanism, which works properly under Windows).
<br>Note that the Info file mentions LGPL but the driver is closed-source...

====StickID====
Based on a PN533
* [http://www.sensorid.it/prodotti/stickid.html StickID], in Italian, might exist with SAM too

===PN544-based===
There are no PN544 readers for PCs yet, but it's the one you'll find in NFC phones.
====Nexus S====

===CL RC632-based===
====[http://www.openpcd.org/ OpenPCD]====

====Pegoda====
* See <nowiki>http://www.nxp.com/#/pip/pip=[pfp=41960]|pp=[t=pfp,i=41960]</nowiki>
* Almost no open-source support, just an embryonic one in librfid
   
====[http://www.omnikey.com/?id=products&tx_okprod_pi1%5bproduct%5d=41 Omnikey 5321]====
* [http://www.omnikey.com/fileadmin/Documents/OK5321_Datasheet.pdf datasheet]
* ISO 14443 A/B and 15693 (up to 848 kbps in the fastest ISO 14443 transmission mode)

Installing the OmniKey reader under Linux:

There are drivers [http://www.hidglobal.com/driverDownloads.php?techCat=19&prod_id=171# here]

But there is also a Debian package, pcsc-omnikey.
<br>Warning! Don't install it or it will remove libccid!!
<br>It's better to keep libccid if needed for other readers and to install the missing RFID driver by hand (here on a 64-bit platform):
<pre>
aptitude download pcsc-omnikey
dpkg -x pcsc-omnikey_1%3a2-4_amd64.deb .
cp -a usr/lib/pcsc/drivers/ifdokrfid_lnx_x64-2.6.0.bundle /usr/lib/pcsc/drivers/
</pre>
 
 
See [http://www.hidglobal.com/faqs.php?techCat=19 here]: you also need to recompile pcscd with libusb:
<pre>
./configure --disable-libhal --enable-libusb
</pre>
To do it by repackaging the Debian pcscd:
<pre>
aptitude install libusb-dev
apt-get source pcscd
apt-get build-dep pcscd
</pre>

To launch the modified pcscd in foreground, showing APDUs and debug info (here pcscd was installed as /usr/local/bin/pcscd-libusb):
<pre>
pcscd-libusb -f -a -d
</pre>

'''UPDATE''': I've tried successfully the latest drivers from Omnikey on Debian Squeeze (pcscd 1.5.5) without too much hassle:
* Get from [http://www.hidglobal.com/driverDownloads.php?techCat=19&prod_id=171 here] either ifdokrfid_lnx-2.7.0.tar.gz or ifdokrfid_lnx_x64-2.7.0.tar.gz depending on whether you're using a 32- or 64-bit OS.
* Copy the directory ifdokrfid_lnx-2.7.0.bundle to /usr/lib/pcsc/drivers and the file cmrfid.ini to /etc
That's it. No need to recompile pcscd or to mangle /etc/libccid_Info.plist.

====SpringCard [http://www.springcard.com/fr/products/proxnroll-pcsc.html Prox'N'Roll]====
Gives a lot of control by means of APDUs.
<br>Mainly useful to have full access to ISO15693 commands or to perform "strange" things on ISO14443, like sending ISO14443-4 commands to an ISO14443-3 card (which you can also do with a PN53x, but the PN53x doc is under NDA).

===Others===
====ACG LF / OMNIKEY 5534====
Adam Laurie is selling via [http://rfidiot.org his RFIDiot website] some ACG LF readers, either with their native serial interface or with a USB interface.
<br>Those readers are based on a module from ACG, now relabeled as Omnikey since they're owned by HID:
<br>'''RDLO-0101N0'''
<br>aka [http://www.therfidshop.com/product_info.php?products_id=256 OMNIKEY 5534 Core MultiTag Reader]
<br>aka [http://www.united-access.com/rfidreaders ACG LF MultiTag OEM Module]
* 125 & 134.2 kHz
* Supports: EM4x02, EM4x50, EM4x05 (ISO 11784/5 FDX-B), Hitag 1 / 2 / S, Q5, TI 64 bit R/O & R/W, TI 1088 bit Multipage
You can modify the default serial port speed by modifying byte 0Ch in the EEPROM. Mine is working at 57600 baud.
<br>The USB version actually uses an FTDI USB-serial converter and so will simply be identified on your Linux box as the serial port /dev/ttyUSB0

Usage example with the RFIDiot tools:
<pre>
readlfx.py -R RFIDIOt.rfidiot.READER_ACG -s 57600
</pre>
Usage example in console:
<pre>
cu -l /dev/ttyUSB0 -s 57600
</pre>
Short quickref for console usage:
<pre>
~.     quit cu
!      test continuous read -> ! if active, F if not
c      continuous read -> poll, any key to stop -> S
dX     set tag settings -> dH80 gain=2 sampling_time=0
l      login -> lMIKR -> L=ok X=fail N=no_tag
oX     set tag type -> oH
o+X    include tag type
o-X    exclude tag type
poff   antenna power off
pon    antenna power on
rb     read block -> rb00 -> 4 bytes
wb     write block -> wb0011223344
rp     read EEPROM
wp     write EEPROM
s      select -> poll once
v      get version
x      reset
y      field reset -> y8080 off time in ms + recovery time in ms
</pre>

====Mir:ror====
By Violet, a French company (so most links below are in French)
*[http://www.violet.net/_mirror-le-premier-lecteur-rfid.html?r=home Official page]
*[http://my.violet.net/mirror/choose_mirware Official software stack]
Works with ISO14443-A and -B
* interesting [http://www.jopa.fr/index.php/2009/07/07/violet-mirror-linux/ blog] [http://www.jopa.fr/index.php/2009/07/12/violet-mirror-acces-device-c/ posts]
* [https://code.google.com/p/erawrim/ erawrim], an open-source alternative to mirware

====Misc====
* Parallax, see [http://www.makezine.com/06/theorypractice/ MAKE n6] and [http://www.gumbolabs.org/2009/10/17/parallax-rfid-reader-arduino/ Using it with an Arduino]
 
* [http://www.netronix.pl/index_en.php Netronix]: producer of RFID readers for Unique, Mifare, Q5, Hitag, I-code transponders.
* [http://www.elektor.fr/products/kits-modules/modules-(-9x)/elektor-rfid-reader-(060132-91).91440.lynkx kit from Elektor] and a [http://81.56.186.109/ELEKTOR/RFID_EXPERIMENTAL.html user experience] (fr)
* [http://www.velleman.be/be/en/product/view/?id=379238 Proximity card reader kit] by Velleman, supporting the [http://www.priority1design.com.au/em4100_protocol.html EM4100 protocol]
* [http://instruct1.cit.cornell.edu/courses/ee476/FinalProjects/s2006/cjr37/Website/index.htm 100% home-made 125kHz reader]
* [http://www.icarte.ca iCarte 110]: ''As a MFi (Made for iPod/iPhone) accessory attaching to the bottom connector of the iPhone, the iCarte™ turns the iPhone into an NFC phone as well as an RFID Reader/Writer'', but as of writing, nothing is available yet
* [http://blog.section9.co.uk/2010/03/iphone-rfid-reader.html Prototype for iPhone], based on an ID-12
* [http://micah.navi.cx/2008/08/simplest-rfid-reader/ Simplest RFID reader?], 125kHz, using a Propeller microcontroller card

===SDCard shaped===
Not sure which ones are actually available for purchase and which ones are just vaporware...
* [http://www.wdi.ca/products.shtml SDID 1010 & 1020 by Wireless Dynamics]
* [http://www.gi-de.com/portal/page?_pageid=44,150689&_dad=portal&_schema=PORTAL Mobile Security Card by Giesecke & Devrient]
* [http://www.tyfone.com/product-contactless-payment.html Secure Memory Card by Tyfone], see details [http://www.nearfieldcommunicationsworld.com/2009/01/12/3485/tyfone-puts-nfc-into-microsd-cards/ here]
* [http://www.logomotion.eu/en/innovative-logomotion-technology/secure-nfc-micro-sd-card-with-miniature-antenna.html Logomotion Pay Card]
* [http://www.cell-idea.com/NFC%20Micro%20SD.htm Cell Idea NFC Micro-SD card], doesn't contain NFC but relies on an NFC-enabled phone
   
 
==Other Hardware Tools==

* http://www.acbm.com/inedits/rfid.html (French)
* [http://globalguerrillas.typepad.com/globalguerrillas/2006/01/weapons_the_rfi.html WEAPONS: The RFID zapper]
* [https://events.ccc.de/congress/2005/static/r/f/i/RFID-Zapper(EN)_77f3.html RFID-Zapper(EN)] and a cool [http://codeninja.de/rfiddler/ implementation]
* Hoaxes?
** [http://www.rfidwasher.com/index.php RFIDwasher]
** [http://www.tagzapper.com/ TagZapper] (dead link)
   
 
===RFID skimmers===
* [http://www.schneier.com/blog/archives/2006/06/build_your_own.html Build Your Own RFID Skimmer]
* [http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html How to Build a Low-Cost, Extended-Range RFID Skimmer]
* [http://www.openpcd.org/rfiddump.0.html RFIDDump]
* [http://blog.didierstevens.com/2009/05/19/another-lowcost-rfid-detector/ Another low-cost RFID detector]: using a BasicCard
* [http://rfid.marcboon.com/ RFID sniffer], cheap hardware just to tell you if it's a 13.26MHz tag or not, can be bought [http://shop.marcboon.com/ here]
   
 
===RFID emulators===

====[http://www.proxmark.org/ Proxmark III]====
Originally created by J. Westhues: [http://cq.cx/proxmark3.pl here], video in action [http://www.youtube.com/watch?v=4jpRFgDPWVA here]
* [https://www.lafargue.name/proxmark3/refman.html manual], see also [http://proxmark3.com/dl/PM3-UserGuide.pdf this pdf]
* [http://www.proxmark.org/forum/index.php forum]
* [http://www.proxmark.org/files/ files], <strike>require login,</strike> not anymore
* can read, sniff & emulate
* 13.6MHz, 125kHz and 134kHz

Extracting the reader datastream (to be compared with OpenPICC results):
<pre>cat dump |grep -v TAG|cut -c 21-|sed 's/!crc.*//;s/\([0-9a-f]\+\)[[:space:]]*/\1/g'|tr a-z A-Z</pre>
Getting both directions:
<pre>cat dump |sed 's/: /+/;s/: TAG /-/'|cut -c 15-|sed 's/!crc.*//;s/\([0-9a-f]\+\)!\?[[:space:]]*/\1/g'|tr a-z A-Z</pre>

[http://www.cq.cx/verichip.pl Demo: Cloning a Verichip]

Source code is now on [http://code.google.com/p/proxmark3 Google Code].
<br>Even if you don't have the board, some tools can be used offline.
<br>To compile the host client without the ARM toolchain:
<pre>
apt-get install gcc g++ libreadline-dev libusb-dev libqt4-dev pkg-config
make client
</pre>

Cool hack to run it under Android [http://blog.spiderlabs.com/2012/12/proxmark-3-now-with-100-more-android.html here].
   
 
====[http://www.iaik.tugraz.at/content/research/rfid/tag_emulators/ IAIK RFID DemoTag]====
====[http://www.t4f.org/projects/open-rfid-tag Open RFID Tag]====
====[[N2 Elite]]====

====125kHz cloners and emulators====
* Chris Paget's cloner: [http://www.youtube.com/watch?v=fDimlEdeGjM video], [http://www.flickr.com/photos/eecue/990977879/ picture]. Raw cloner
* [http://www.rfidhackers.com/viewtopic.php?f=3&t=26 Programmable HID]<br>''The design is currently capable of emulating any of HID’s 26-bit, 35-bit (Corporate 1000) or 37-bit card formats.''
* [http://cq.cx/vchdiy.pl Verilog chip cloner]
* [http://pe.ece.olin.edu/projects/proxcard/prox.html AM-FSK] explained
* [http://www.cq.cx/prox.pl Flexpass PSK] explained + cloning
* [http://www.rmxtech.com/products/ RMX commercial] [http://www.rmxlabs.ru/ products]: emulators etc.
* [http://www.proxpick.com/default.html ProxPick] is a highly versatile attack & defense tool for 125-134KHz RFID systems, about the size of a playing card. It is able to read, copy, and play back almost all Prox-type tags
* [http://mrl.cz/projects/rfid/rfid.pdf EM4001 emulator (pdf)], by Michael Krumnikl, based on an ATmega8. See a picture [http://radikal.ru/F/s42.radikal.ru/i095/0907/fc/c7b340a1af7b.jpg.html here]
* [http://micah.navi.cx/2008/09/using-an-avr-as-an-rfid-tag Passive emulator] based on an ATtiny85 and a single coil, emulates EM4001 and HID. See pictures [http://picasaweb.google.com/micahjd/RFID#5248658518260327522 here] and [http://picasaweb.google.com/lh/photo/CGsKUEYheSuA9rAXuWFjBg here]
* A design [http://www.dennislambing.com/senior-design-rfid/ based on Arduino and EM4095]
* Another one [http://www.instructables.com/id/Stupid-Simple-Arduino-LF-RFID-Tag-Spoofer/ based on Arduino and a home-made antenna]
* [http://www.vk1zdj.net/?p=47 Universal RFID key]
* A simple LC circuit tuned at 125kHz, hooked through a Schottky diode to an audio input, with [http://www.baudline.com/ baudline] on the host, does miracles as a sniffer...
* Some [http://www.t4f.org/en/projects cool projects] by Ramiro Pareja
  +
 
===Misc===
* [http://en.wikipedia.org/wiki/USRP Universal Software Radio Peripheral]
* [http://www.rfidguardian.org RFID Guardian], see [http://rfidguardian.org/images/1/11/RF40-RevA-Catalog.pdf here] what they want to come up with for v4, which is currently in alpha stage, first hardware rollout.
* [http://www.instructables.com/id/RFID_Reader_Detector_and_Tilt_Sensitive_RFID_Tag/ RFID Reader Detector and Tilt Sensitive RFID Tag]
* [http://www.raisonance.com Raisonance] products: [http://www.raisonance.com/~proxilab__smart-cards__product~product__T017:4cc863cqyaql.html ProxiLAB] ([http://www.raisonance.com/tzr/scripts/downloader2.php?filename=T020/file/73/b5/4ccaodgr44ka&mime=application/pdf&originalname=ProxiLAB_brochure.pdf pdf]), [http://www.raisonance.com/~proxispy__smart-cards__product~product__T017:4cc6848h7ij1.html ProxiSPY] ([http://www.raisonance.com/tzr/scripts/downloader2.php?filename=T020/file/3d/46/4ccap1bwb3vo&mime=application/pdf&originalname=ProxiSPY_brochure.pdf pdf]), [http://www.raisonance.com/~proxicard__smart-cards__product~product__T017:4cc87fzi8mge.html ProxiCARD] ([http://www.raisonance.com/tzr/scripts/downloader2.php?filename=T020/file/e0/3f/4ccappplhlbs&mime=application/pdf&originalname=ProxiCARD_brochure.pdf pdf])
* [http://www.micropross.com Micropross] products: [http://www.micropross.com/product-30-MP300-SCL1--spy+smartcard-simulation-.html MP300 SCL1 (spy+smartcard simulation)]
* [http://www.cs.ru.nl/~flaviog/tools.html Ghost & RfidSpy]
* [http://blog.makezine.com/archive/2009/10/seeing_rfid_on_the_cheap.html Seeing RFID on the cheap] on Makezine and [http://www.flickr.com/photos/doegox/4029711939/ my own attempt] based on a slightly different technique
* [http://www.spirtech.com/detector_us.html Spirtech probe]
* [http://code.google.com/p/mikeycard/ mikey card]
* [http://micah.navi.cx/2008/10/long-winding-descent-into-plushy-cuddliness/ Sewed RFID antenna]
   
 
==Software Tools==
===[http://openmrtd.org/projects/librfid/ librfid]===
librfid is a Free Software RFID library. It implements the PCD (reader) side protocol stack of ISO 14443 A, ISO 14443 B, ISO 15693, Mifare Ultralight and Mifare Classic.
<br>It works mainly with OpenPCD and Omnikey Cardman 5121/5321.
<br>It drives the readers directly and so doesn't use pcscd, which must be stopped.
<br>See this [http://blog.rot13.org/2010/01/omnikey_cardman_5321_supported_by_librfid.html blog post] on how to install and use it to read an ISO15693 tag.
<br>To get the tool working properly I had to compile the tools statically (svn r2107), otherwise I get segfaults when trying to read tags:
<pre>
# apt-get install libusb-dev
$ svn co https://svn.gnumonks.org/trunk/librfid/
$ cd librfid/
$ ./autogen.sh
$ ./configure --enable-ccid --disable-shared
$ make
</pre>
Then you can read the content of ISO15693 tags from e.g. Infineon, NXP iCode and TI Tag-IT.
<br>Scan for a tag (the user must have the right to use libusb, otherwise do it as root):
<pre>
$ ./utils/librfid-tool -s
</pre>
Read the tag until the first error occurs:
<pre>
$ ./utils/librfid-tool -r -1
</pre>
Internally it's using the ISO15693 optional command "Read Single Block", but EM Microelectronic Marin cards only support the other optional command, "Read Multiple Blocks".
<br>Here is a quick hack to change the librfid read command (but then it won't be able to read NXP iCode tags, which only support "Read Single Block"...):
<source lang=diff>
--- rfid_layer2_iso15693.c.orig 2010-03-11 19:02:54.000000000 +0100
+++ rfid_layer2_iso15693.c 2010-03-11 19:08:57.000000000 +0100
@@ -45,12 +45,14 @@
struct iso15693_request head;
u_int64_t uid;
u_int8_t blocknum;
+ u_int8_t nrblocks;
u_int8_t data[0];
} __attribute__ ((packed));

struct iso15693_request_block_selected {
struct iso15693_request head;
u_int8_t blocknum;
+ u_int8_t nrblocks;
u_int8_t data[0];
} __attribute__ ((packed));

@@ -166,7 +168,7 @@

rx_len = sizeof(resp);

- tx_req.sel.head.command = ISO15693_CMD_READ_BLOCK_SINGLE;
+ tx_req.sel.head.command = ISO15693_CMD_READ_BLOCK_MULTI;

if (handle->priv.iso15693.vicc_fast){
tx_req.sel.head.flags |= RFID_15693_F_RATE_HIGH;
@@ -183,12 +185,14 @@
if (handle->priv.iso15693.state==RFID_15693_STATE_SELECTED) {
tx_len = sizeof(struct iso15693_request_block_selected);
tx_req.sel.blocknum = blocknr;
+ tx_req.sel.nrblocks = 0;
tx_req.sel.head.flags |= RFID_15693_F4_SELECTED;
} else {
tx_len = sizeof(struct iso15693_request_block_addressed);
memcpy(&tx_req.addr.uid, handle->uid, ISO15693_UID_LEN);
tx_req.addr.head.flags |= RFID_15693_F4_ADDRESS;
tx_req.addr.blocknum = blocknr;
+ tx_req.addr.nrblocks = 0;
}

//DEBUGP("sizeof: addr: %d sel:%d\n",sizeof(struct iso15693_request_read_addressed),sizeof(struct iso15693_request_read_selected));
</source>
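Review bot: in the first hunk (@@ -45), the `nrblocks` byte added to both `iso15693_request_block_addressed` and `iso15693_request_block_selected` changes the wire layout of every read request built from these structs, not only the Read Multiple Blocks case; since the text above says NXP iCode only understands Read Single Block, either keep a second pair of structs for the single-block layout or make the extra byte conditional, and add a one-line comment on the new field saying it carries the block count of the Read Multiple Blocks request.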
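Review bot: in the second hunk (@@ -166), `ISO15693_CMD_READ_BLOCK_SINGLE` is replaced outright by `ISO15693_CMD_READ_BLOCK_MULTI`, so the tool trades iCode support for EM Marin support instead of gaining both, as the surrounding text admits. A runtime switch, e.g. a field in `handle->priv.iso15693` tested next to `vicc_fast`, or a fallback to the other command when the first read fails, would keep both card families readable without a rebuild.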
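Review bot: in the third hunk (@@ -183), `tx_req.sel.nrblocks = 0;` and `tx_req.addr.nrblocks = 0;` are uncommented magic values; name the constant (it is the block count field of the Read Multiple Blocks request, and 0 here still fetches one block) so a later reader understands why `rx_len = sizeof(resp)` from the previous hunk is still sized for a single-block reply. Note also that `tx_len` is taken from `sizeof` of the patched structs, so it already accounts for the new byte; a comment saying so would avoid a second length fix later.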
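To make the difference between the two read commands visible on the wire, here is an added Python example (not librfid code and not part of the original page) that builds ISO15693 "Read Single Block" and "Read Multiple Blocks" requests in addressed and selected mode, including the ISO15693 CRC16; the function names and the sample UID are mine. With nrblocks=0, as in the patch above, Read Multiple Blocks still requests one block, because the field holds the block count minus one.

```python
#!/usr/bin/env python3
"""ISO 15693 read requests: Read Single Block (0x20) vs Read Multiple Blocks (0x23).

Request layout on the air:
  Flags | Command | [UID, 8 bytes, LSB first, addressed mode only] | Block number
        | [Number of blocks, 0x23 only] | CRC16 (LSB first)
"""

CMD_READ_SINGLE_BLOCK = 0x20
CMD_READ_MULTIPLE_BLOCKS = 0x23

FLAG_DATA_RATE_HIGH = 0x02   # what librfid calls RFID_15693_F_RATE_HIGH
FLAG_SELECT = 0x10           # selected mode: only the VICC in selected state answers
FLAG_ADDRESS = 0x20          # addressed mode: the UID follows the command byte


def crc16_iso15693(data: bytes) -> int:
    """ISO 15693 CRC: poly 0x1021 reflected (0x8408), preset 0xFFFF, inverted on output."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def read_request(cmd: int, blocknum: int, uid: bytes = None,
                 nrblocks: int = 0, high_rate: bool = False) -> bytes:
    """Build a read request; uid=None means selected mode.
    For Read Multiple Blocks, nrblocks is the number of blocks minus one, so 0
    (as in the librfid patch above) still asks for a single block."""
    if cmd not in (CMD_READ_SINGLE_BLOCK, CMD_READ_MULTIPLE_BLOCKS):
        raise ValueError("unsupported command")
    if not (0 <= blocknum <= 0xFF and 0 <= nrblocks <= 0xFF):
        raise ValueError("block number and block count must fit in one byte")
    if cmd == CMD_READ_SINGLE_BLOCK and nrblocks:
        raise ValueError("Read Single Block has no block-count field")
    flags = FLAG_DATA_RATE_HIGH if high_rate else 0x00
    body = bytearray()
    if uid is None:
        body += bytes([flags | FLAG_SELECT, cmd])
    else:
        if len(uid) != 8:
            raise ValueError("UID must be 8 bytes")
        # the UID is printed MSB first (E0 ...) but transmitted LSB first
        body += bytes([flags | FLAG_ADDRESS, cmd]) + bytes(reversed(uid))
    body.append(blocknum)
    if cmd == CMD_READ_MULTIPLE_BLOCKS:
        body.append(nrblocks)
    crc = crc16_iso15693(bytes(body))
    return bytes(body) + bytes([crc & 0xFF, crc >> 8])


def crc_ok(frame: bytes) -> bool:
    """Check the trailing CRC of a request or response frame."""
    if len(frame) < 3:
        return False
    return crc16_iso15693(frame[:-2]) == (frame[-2] | frame[-1] << 8)


if __name__ == "__main__":
    uid = bytes.fromhex("E004010012345678")   # constructed sample UID
    print("single, addressed:", read_request(CMD_READ_SINGLE_BLOCK, 3, uid=uid).hex())
    print("multi, selected:  ", read_request(CMD_READ_MULTIPLE_BLOCKS, 3).hex())
```

The selected-mode frames are what the patched `tx_req.sel` path sends and the addressed-mode ones what the `tx_req.addr` path sends; the only difference between the two commands is the command byte and the extra count byte, which is exactly what the patch adds to the structs.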
 
===[http://www.rfdump.org/ RFDump]===
RFDump is a backend GPL tool to directly interoperate with any RFID ISO-Reader to make the contents stored on RFID tags accessible.

===[http://www.rfidunplugged.com/pwnpass/ pwnpass]===
RFID tool by 3ric Johanson (get info from rfid on credit cards), presented at Shmoocon 2009
<br>See also this [http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html video] showing it demo'd
<br>See [http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf here (pdf)] for a technical report on the vulnerabilities of RFID credit cards and [http://www.rfidhackers.com/viewtopic.php?f=4&t=45&start=0 here] for info on the PayPass 3000 reader

===[http://www.libnfc.org libnfc]===
Open source library for Near Field Communication (NFC) using readers based on PN531/PN532/PN533 chips.
The library comes with examples demonstrating read, emulation & relay attack by exploiting a "hidden" raw mode of those chips.
<br>Apparently maintained by [http://www.proxmark.org/contact Roel] [http://www.cs.ru.nl/staff/Roel.Verdult Verdult]

To compile:
 apt-get install automake1.9 libtool pkg-config libusb-dev libpcsclite-dev libreadline5-dev
 ./autogen.sh
 make
 make install

See also [http://code.google.com/p/nfc-tools/ nfc-tools], [http://code.google.com/p/pynfc/ pynfc] (python bindings), [http://code.google.com/p/mtools/ mtools] (GUI) and [http://code.google.com/p/micmd/ micmd] projects

===[http://code.google.com/p/libndef/ libndef]===
This is a C++ library for reading and writing messages based on the NDEF (NFC Data Exchange Format) specification.

===[[NFC Type 4 Applet]]===
It's about using an NXP SmartMX with JCOP as an NFC Forum Type 4 Tag

===[http://www.springcard.com SpringCard]===
Offers an SDK for their readers that is somehow compatible with e.g. the Omnikey 5321, see [http://www.springcard.com/download/sdks.html here], especially the two PCSC-SDKs

See also their [http://www.springcard.com/blog/2010/nfc-tags-with-nfctool-and-nfcdecoder/ NFC tools] and their [http://www.springcard.com/blog/2010/calypso-explorer/ Calypso Explorer]

===[http://www.literatecode.com/2007/06/03/smacadu/ SMACADU]===
Smart Card Digging utilities (Windows)

===[http://code.google.com/p/cardpeek/ Cardpeek]===
is a Linux tool to read the contents of ISO7816 smartcards. It uses a PC/SC reader to communicate with the card, and its GTK GUI represents card data in a tree view. Cardpeek's list of supported cards is expandable thanks to a scripting language. Currently, the tool can explore EMV cards, Calypso cards, Moneo cards (French ePurse) and Vitale (French health card) (from [http://www.springcard.com/blog/2010/cardpeek-open-source-tool-to-read-the-content-of-smartcards/ SpringCard's Blog])
<br>Installation on Debian: see INSTALL, you also need to install lua5.1 and liblua5.1-0-dev
 apt-get install liblua5.1-0-dev automake1.10 libssl-dev libgtk2.0-dev

===[http://www.scardsoft.com/ SCard SOFT]===
A Russian software company making tools to explore smartcards
* [http://www.scardsoft.com/main.php3?Theme=Soft_v3Server Smart Card ToolSet PRO v3.4], a shareware to explore cards based on APDUs, seems rich in features
===[http://code.google.com/p/tageventor/ TagEventor]===
A Linux open-source client for the Touchatag (Tikitag).
<br>It uses the PCSC-Lite daemon and can be run in foreground or daemon mode to make tag events available to user-space applications.

===About ePassports===
* See [[EPassport#Tools_2|here]]
===[http://www.openpcd.org/Live_RFID_Hacking_System OpenPCD LiveCD]===
With baudline, libnfc tools, etc

==Specific applications==
===[[ePassport]]===
* [[ePassport]] in general
* [[Belgian ePassport]]
* [[EPassport#US_Passport_Card]] (which is not an ePassport...)
===[[MOBIB]]/Calypso===
see the [[MOBIB|dedicated page]]
===Cambio===
* Cambio (at least in Germany) is using [http://www.invers.com/en/products/keymanager/keymanager.html Invers COCOS-keymanager], according to this [http://carsharingus.blogspot.com/2008/12/carsharing-technology-overview.html car-sharing technology overview] and if [http://www.rfidjournal.com/article/articleview/3839/1/1/ RFIDjournal] is right, this is a passive 125 kHz Hitag RFID inlay, manufactured by NXP Semiconductors
===Mifare Classic===
* crapto1
* tk-libnfc-crapto1/mfcuk & mfoc, does not work against MFC emulation on e.g. JCOP or Mifare Plus

==Privacy==
===[[Privacy: Legal European Framework]]===
see the above link for a general introduction and a list of RFID-related items
===Miscellaneous articles===
* Social patterns at conferences: the good and the bad ;-)
** [http://events.ccc.de/congress/2008/Fahrplan/events/2899.en.html Mining social contacts with active RFID], presentation and application of the [http://www.sociopatterns.org/ SocioPatterns project]
* Privacy: cultural differences
** [http://www.rtbf.be/info/societe/securite/les-japonais-veulent-pister-leurs-enfants-87768 Japanese want to track their children (fr)]
* Recently the Belgian Privacy Commission expressed its thoughts on the matter:
** See ''[http://www.privacycommission.be/fr/docs/Commission/2009/avis_27_2009.pdf Avis d'initiative relatif à la RFID (28 octobre 2009, N° 27/2009)]'' from [http://www.privacycommission.be/fr/decisions/commission/opinions/ here]
* See also the [[MOBIB]] case

==Misc documentation==
* [http://www.rfidhackers.com/index.php Forum] set up by Chris Paget (aka foon)
* [http://www.proxmark.org/forum Proxmark forum], also with a lot of other information
* [http://en.wikipedia.org/wiki/Near_Field_Communication#Security_aspects Security aspects of NFC] on Wikipedia

* [http://www.rfidblog.org.uk/research.html Research page of Gerhard Hancke], mainly about physical RFID attacks
* [http://www.sec.in.tum.de/student-work/publication/157 Performing Relay Attacks on ISO 14443 Contactless Smart Cards using NFC Mobile Equipment]
* [http://eprint.iacr.org/2010/332.pdf hacking techniques on Passive Keyless Entry and Start Systems (pdf)] with cable relay
* [http://www.avoine.net/rfid/ RFID Security & Privacy lounge] by Professor Gildas Avoine, *the* bibliography of academic papers on those matters
* [http://ec.europa.eu/information_society/policy/rfid/index_en.htm Radio Frequency IDentification and the Internet of Things], a page of the European Commission
* [http://sid.rstack.org/blog/index.php/321-vagues-reflexions-sur-le-warfidriving Réflexions sur le warfidriving] & experiments on skipass...
* [http://www.rfidvirus.org/ RFID virus]
* [http://www.acbm.com/inedits/pass-transports-commun-secrets.html Les secrets des Pass de transports en commun] by P. Gueulle
* [http://www.h-online.com/security/news/item/26C3-Nothing-to-crack-in-Legic-Prime-RFID-chip-cards-security-system-893615.html Karsten Nohl on "Legic Prime" RFID chip]
* [http://dlinyj.livejournal.com/tag/rfid Russian blog] on hacking RFID
* [http://www.springcard.com/blog SpringCard blog]
* [http://gibraltarsf.com/blog/ Gibraltar SF blog], mainly about Android & NFC
* [https://ridrix.wordpress.com/ Ridrix blog]
* [http://www.i-hacked.com/index.php?option=content&task=view&id=208 Hand-made shield wallet]
* Hakin9 August 2011 issue was about hacking RFID, find it [http://hakin9.org/hacking-rfid-82011/ here]
* [http://mulliner.org/nfc/ Mulliner's research page]

==Shopping==

* http://www.txsystems.com/
* http://www.smartcardfocus.com/
* http://www.therfidshop.com/
* http://www.shop-smartcard.com/
* http://www.rfid-webshop.com/shop/
Maybe more expensive, less well stocked or for specific material:
* http://www.cryptoshop.com/
* http://www.idtronic.de/
* http://securetech-corp.com/
* http://www.rfidiot.org/
* http://store.touchatag.com/

==NFC==
Ok, all technologies presented above and running at 13.56MHz are now under the "NFC" umbrella, but this section is more specific to the NFC-Forum part of the story...

===Resources===
* [http://www.nfc-forum.org/home/ NFC Forum] & its [http://www.nfc-forum.org/specs/ specs]
===Stacks===
* [http://www.nxp.com/documents/application_note/AN10664_1_NFC_FRI_SDK_206810.zip NFC-FRI SDK (NFC Forum Reference Implementation) (v.1.0, 2007-12-04) (zip)]
* [https://code.google.com/p/nfc-tools/source/browse/trunk/libnfc-llcp/ LLCP based on libnfc], in progress
* Android
** [https://android.git.kernel.org/?p=platform/external/libnfc-nxp.git;a=summary libnfc-nxp driver]
** [https://android.git.kernel.org/?p=platform/packages/apps/Nfc.git;a=summary NFC App]
* [http://open-nfc.sourceforge.net/ Open NFC], also [http://open-nfc.sourceforge.net/android.html for Android]
* [https://code.launchpad.net/nfcpy NFCpy], python module for NFC
* [https://nfc.codeplex.com/ NFC.net]
* [https://code.google.com/p/nfcip-java/ nfcip-java]
===Google Android===
* [http://www.youtube.com/watch?v=49L7z3rxz4Q Google I/O 2011: How to NFC]
* http://nfc.android.com/
** [http://developer.android.com/reference/android/nfc/package-summary.html API documentation]
* [http://www.linkedin.com/groups/Android-NFC-developers-3914121 Android-NFC-developers group on LinkedIn]
* [http://gibraltarsf.com/blog/ Gibraltar SF blog]
* [[Android_Apps#NFC-related|Applications on Android Market]]
* [[Android_SE|Android & Secure Element]]
* [[Android_Software_Card_Emulation|Android and Software Card Emulation]], also called Host-based Card Emulation since v4.4

===Misc===
* [http://www.sony.net/Products/felica/campaign/NFC-F.html Sony NFC-F sample gift campaign]
==RFID/NFC Workshops & Talks==
From time to time I give RFID/NFC security/privacy workshops:
* 2010-03-31 [http://sites.uclouvain.be/security/rfidtraining.html RFID Security and Privacy Training Week, UCL]
* 2010-09-24 & 25 [http://2010.brucon.org/index.php/Workshops#RFID_workshop Brucon 2010]
* 2010-12-17 [http://www.heb.be/esi/grilleS_fr.htm Ecole supérieure d'Informatique (ESI) de Bruxelles, année de spécialisation en sécurité des réseaux et des systèmes informatiques]
* 2011-06-15 [https://www.cosic.esat.kuleuven.be/course/index.shtml 13th International COSIC Course on Computer Security and Cryptography]
* 2011-09-20 & 21 [http://2011.hack.lu Hack.lu 2011]
* 2012-07-01 [http://rfidsec12.cs.ru.nl/index.php?menu_id=3&menu_name=TUTORIALS#hands-on RFIDsec 2012: the 8th workshop on RFID security and privacy]
* 2012-11-09 [http://www.heb.be/esi/grilleS_fr.htm Ecole supérieure d'Informatique (ESI) de Bruxelles, dans le cadre des veilles technologiques en troisième année de Bachelor]
* 2013-01-23 [http://sites.uclouvain.be/security/rfidtraining.html RFID Security and Privacy Training Week, UCL]
* 2013-04-10 [http://urlab.be/Evenement:Workshop_RFID UrLaB hackerspace]
* 2013-05-02 & 03 [http://2013.hackitoergosum.org/workshops/ Hackito Ergo Sum 2013]: '''talk''' + workshops
* 2013-07-09 [http://schedule2013.rmll.info/programme/technique/securite/article/atelier-rfid-nfc-securite-et-vie RMLL2013], slides [http://schedule2013.rmll.info/IMG/pdf/rfid-practice.pdf available]
* 2013-10-11 [http://www.heb.be/esi/grilleS_fr.htm Ecole supérieure d'Informatique (ESI) de Bruxelles, dans le cadre des veilles technologiques en troisième année de Bachelor]: '''talk''' + workshop
* 2014-03-20 private workshop @ Riscure, Delft, NL
* 2014-10-22 & 23 [http://2014.hack.lu/index.php/List#NFC.2FRFID_Security_.26_Privacy_workshop Hack.lu 2014]
* 2014-11-14 [http://www.heb.be/esi/grilleS_fr.htm Ecole supérieure d'Informatique (ESI) de Bruxelles, année de spécialisation en sécurité des réseaux et des systèmes informatiques]
* 2015-11-27 [http://www.heb.be/esi/grilleS_fr.htm Ecole supérieure d'Informatique (ESI) de Bruxelles, année de spécialisation en sécurité des réseaux et des systèmes informatiques]
* 2016-03-14 & 15 [https://www.troopers.de/troopers16/trainings/ Troopers 2016] with Nahuel Grisolía
* 2017-03-20 & 21 [https://www.troopers.de/troopers17/trainings/ Troopers 2017] with Nahuel Grisolía
* 2017-04-07 & 14 private workshop @ Quarkslab, Paris, FR
* 2017-09-25 & 26 private workshop @ Brussels, BE
* 2018-03-12 & 13 [https://www.troopers.de/troopers18/trainings/ Troopers 2018] with Nahuel Grisolía
* 2019-03-18 & 19 [https://www.troopers.de/troopers19/trainings/ Troopers 2019] with Nahuel Grisolía and Salvador Mendoza

Workshops are typically 2 to 6 hours long and cover topics such as:
* RFID/NFC readers for PC supported by open-source software (Omnikey CardMan 5321, ACG-LF, Frosch, ASK LoGO, SCL3711 & others)
* PC/SC: limits of manipulating RFID with contact-oriented standards (ATR/ATS & APDUs).
* NFC, anticollision, card emulation, relay attacks, RFID authentication protocol example
* libnfc tools, RFIDIOt tools, ePassports, privacy
* Open hardware, Proxmark
The workshops are a mix of intro to readers, standards, tools, security aspects, hands-on & demos.
<br>For the hands-on, I distribute bootable CDs / USB keys (based on Debian Live) with all drivers & open-source tools I could find, and participants can borrow an SCL3711 reader.
<br>If you're interested, you can [[User:PhilippeTeuwen|contact me]]

==Pictures==
RFID reader field visualized:
* https://secure.flickr.com/photos/doegox/4029711939/
* https://secure.flickr.com/photos/doegox/4029712227/

Latest revision as of 00:36, 24 March 2019

Middleware: pcscd & libccid

There is no common RFID middleware yet but most readers rely or can rely on PC/SC
pcscd is the Linux daemon to access readers compatible with the PC/SC standard.
Most USB-based readers are complying with a common USB-CCID specification and therefore are relying on the same driver (libccid under Linux).
To dump the readers list supported by libccid of your pcscd install:

 cat /etc/libccid_Info.plist|gawk '
    /ifdVendorID/{
        mode=1
    }
    /ifdProductID/{
        mode=2
    }
    /ifdFriendlyName/{
        mode=3
    }
    {
        inarray=0
    }
    /<array>/{
        i=0
    }
    /<array>/,/<\/array>/{
        inarray=1
    }
    /string/&&inarray{
        match($0,/<string>(.*)<\/string>/,a);
        t[mode i]=a[1]; 
        i++
    }
    END{
        for (j=0;j<i;j++) 
            print t[1 j]":"t[2 j], t[3 j]
    }'

RFID readers

NXP has a series of NFC-compatible reader chips: PN531, PN532, PN533.
Here are some readers using one of those chips.

PN531-based (warning PN531 is obsolete!)

PN531

The PN531 is capable of speaking USB directly, so there exist readers consisting simply of a PN531 wired to your PC via USB.
In that case, the vendorID/productID will be either 04CC:0531 or 054c:0193

Apparently the following products are like that:

Arygon ADRA

based on PN531

Supported Standards:

  • ISO18092 ( NFC transport protocol)
  • Sony FeliCa
  • NXP Mifare ® family
  • compliant with ISO14443A, ISO14443A-4 (T=CL)

Communication protocol:

  • ARYGON (HL - high level language), TAMA (LL - low level language)
    • To send TAMA frames, send an ASCII '2' as the first character, e.g. to get the firmware version of the PN531:
0x32 0x00 0x00 0xFF 0x02 0xFE 0xD4 0x02 0x2A 0x00
=>
0x00 0x00 0xFF 0x00 0xFF 0x00 (TAMA ACK)
0x00 0x00 0xFF 0x04 0xFC 0xD5 0x03 0x02 0x02 0x24 0x00 (TAMA v=2.2)
echo 32 00 00 ff 02 fe d4 02 2a 00|xxd -p -r|socat - /dev/ttyUSB0|xxd -p
0000ff00ff000000ff04fcd50304022200
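The bytes above follow the PN53x host-interface framing (preamble and start code 00 00 FF, LEN, its checksum LCS, the frame identifier TFI, the data, the data checksum DCS and a 00 postamble). As an added example, not taken from the page nor from NXP or ARYGON, here is a Python frame builder and parser that reproduces the GetFirmwareVersion exchange shown above and refuses frames with a bad checksum instead of trusting them; the function and constant names are mine.

```python
#!/usr/bin/env python3
"""Build and parse PN53x (TAMA) host frames.

Normal information frame (PN531/PN532/PN533 host interface):
  00 00 FF | LEN | LCS | TFI | PD0..PDn | DCS | 00
  LEN = number of bytes from TFI to PDn, LCS such that (LEN + LCS) & 0xFF == 0
  DCS such that (TFI + PD0 + ... + PDn + DCS) & 0xFF == 0
TFI is D4 for host -> PN53x and D5 for PN53x -> host.
"""

PREAMBLE_START = b"\x00\x00\xff"
ACK_FRAME = b"\x00\x00\xff\x00\xff\x00"
TFI_HOST_TO_PN = 0xD4
TFI_PN_TO_HOST = 0xD5
ARYGON_TAMA_PREFIX = b"2"   # ASCII '2' selects TAMA (low-level) mode on the ARYGON ADRA


def build_frame(payload: bytes, tfi: int = TFI_HOST_TO_PN) -> bytes:
    """Wrap a PN53x command (command code followed by its parameters)."""
    body = bytes([tfi]) + payload
    if len(body) > 0xFF:
        raise ValueError("extended frames are not handled here")
    length = len(body)
    lcs = (-length) & 0xFF
    dcs = (-sum(body)) & 0xFF
    return PREAMBLE_START + bytes([length, lcs]) + body + bytes([dcs, 0x00])


def arygon_tama_frame(payload: bytes) -> bytes:
    """Same frame with the ARYGON TAMA-mode prefix, as sent to the serial port."""
    return ARYGON_TAMA_PREFIX + build_frame(payload)


def parse_frames(stream: bytes) -> list:
    """Split a byte stream coming from the chip into ('ACK',) and
    ('DATA', tfi, payload) tuples. A checksum mismatch raises ValueError so a
    corrupted frame is never silently accepted."""
    frames = []
    i = 0
    while i < len(stream):
        start = stream.find(PREAMBLE_START, i)
        if start < 0:
            break
        if stream[start:start + 6] == ACK_FRAME:
            frames.append(("ACK",))
            i = start + 6
            continue
        if start + 5 > len(stream):
            raise ValueError("truncated frame header")
        length, lcs = stream[start + 3], stream[start + 4]
        if (length + lcs) & 0xFF != 0:
            raise ValueError(f"bad LCS at offset {start}")
        end = start + 5 + length
        if end + 2 > len(stream):
            raise ValueError("truncated frame body")
        body = stream[start + 5:end]
        dcs = stream[end]
        if (sum(body) + dcs) & 0xFF != 0:
            raise ValueError(f"bad DCS at offset {start}")
        frames.append(("DATA", body[0], bytes(body[1:])))
        i = end + 2   # skip DCS and postamble
    return frames


if __name__ == "__main__":
    # GetFirmwareVersion (0x02) request and the reply captured above via socat
    print(arygon_tama_frame(b"\x02").hex())
    print(parse_frames(bytes.fromhex("0000ff00ff000000ff04fcd50304022200")))
```

The parser resynchronises on the start code, so it also copes with the ACK frame and the data frame arriving back to back, as in the socat capture above.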

Baud rate (passive/active):

  • 106 kBaud, 212 kBaud, up to 424 kBaud
  • USB, seen as a serial port

Apparently they propose a PCSC driver for Redhat 32-bit but it segfaults on a Debian 32-bit

PN532-based

ACR122U

  • docs
    • ISO/IEC18092 (NFC) compliant
    • NFC Tags Access Speed = 212 kbps
    • Support FeliCa card
    • Support ISO 14443 Type A & B cards
    • MIFARE® cards (Classics, DESFire)
    • SAM Socket (optional)
  • To get the firmware version string from the command line (the actual string here is "ACR122U203", as the last 2 bytes are not SW1/SW2 but part of the string):
$ opensc-tool -s FF00480000
Sending: FF 00 48 00 00.
Received (SW1=0x30, SW2=0x33):
41 43 52 31 32 32 55 32 ACR122U2

You can also use scriptor:

$ echo ff00480000|scriptor           
No reader given: using ACS ACR122U PICC Interface 00 00
Using T=1 protocol
Reading commands from STDIN
> ff 00 48 00 00 
< 41 43 52 31 32 32 55 32 30 33 : Error not defined by ISO 7816

We're using a pseudo-APDU which doesn't return the standard SW1/SW2 status words; this is why scriptor reports an error that can be ignored, and why opensc-tool also wrongly interprets the last two data bytes as ISO7816 status words.
The proper decoding of the received data is:

$ echo ff00480000|scriptor 2>/dev/null |tail -n 1|xxd -p -r
ACR122U203

Tikitag / Touchatag model will return an older version:

ACR122U102

If you get the following error:

Can't allocate Chipcard::PCSC::Card object: No smartcard inserted.

that's because you have a model without SAM support. Place a tag on the reader and try again, it should work.

So that's where a lot of confusion comes into play: the two models behave very differently! See below
Note that this site points out that it also corresponds to a difference in firmware versions

ACR122U-SAM / Touchatag (was Tikitag)

Usage:

  • When there is a SAM inserted, ATR shown is the ATR of the SAM
  • When there is no SAM inserted, ATR shown is a pseudo-ATR = 3B 00
  • So for PCSC there is always a "card inserted"
  • To detect contactless card "insertion", application must do the polling
  • APDUs are sent to SAM
  • To send APDUs to a contactless card, you must wrap them into pseudo-APDUs (FF 00 00 00 ...)
  • To send special APDUs to the reader (to get fw or to control LEDs), just send them

Some more info here and there about the Tikitag
Some more here
The full technical reference of the SAM used in the Tikitag is supposed to be available here. There is a copy available here

ACR122U PICC

Usage:

  • When there is a contactless card, ATR shown is the ATR of the card
  • When there is no contactless card, no ATR
  • So for PCSC there is a "card inserted" if there is a contactless card
  • On contactless card "insertion", it generates a "card inserted" event
  • APDUs are sent directly to the contactless card, which makes this reader fully transparent in this mode
  • To send APDUs to a contactless card, you can also wrap them into pseudo-APDUs (FF 00 00 00 ...)
  • To send special APDUs to the reader (to get fw or to control LEDs)
    • If there is a contactless card, just send the APDUs
    • If there is no contactless card, the CCID Escape command must be used (*)

(*) Here is one small example how to use the Escape command:

#!/usr/bin/env python3
# Send a reader-specific pseudo-APDU through the CCID Escape command, so it
# reaches the ACR122U even when no contactless card is on the reader
from smartcard.scard import *

hresult, hcontext = SCardEstablishContext(SCARD_SCOPE_USER)
if hresult != SCARD_S_SUCCESS:
    raise error('Failed to establish context: ' + SCardGetErrorMessage(hresult))
# SCARD_SHARE_DIRECT connects to the reader itself, no card needed
hresult, hcard, dwActiveProtocol = SCardConnect(
    hcontext, 'ACS ACR122U PICC Interface 00 00', SCARD_SHARE_DIRECT, SCARD_PROTOCOL_T0)
if hresult != SCARD_S_SUCCESS:
    raise error('Failed to connect: ' + SCardGetErrorMessage(hresult))
# pcsc-lite control code of the vendor IFD exchange (CCID Escape)
IOCTL_SMARTCARD_VENDOR_IFD_EXCHANGE = SCARD_CTL_CODE(1)
CMD = [0xFF, 0x00, 0x48, 0x00, 0x00]  # ACR122U "Get Firmware Version"
hresult, response = SCardControl(hcard, IOCTL_SMARTCARD_VENDOR_IFD_EXCHANGE, CMD)
if hresult != SCARD_S_SUCCESS:
    raise error('Failed to control: ' + SCardGetErrorMessage(hresult))
print(''.join(chr(i) for i in response))  # e.g. ACR122U203
SCardDisconnect(hcard, SCARD_LEAVE_CARD)
SCardReleaseContext(hcontext)

This also requires allowing libccid to use the Escape command: you have to set bit 0 of ifdDriverOptions in /etc/libccid_Info.plist to 1:

       <key>ifdDriverOptions</key>
       <string>0x0001</string>
       Possible values for ifdDriverOptions
       1: DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED
               the CCID Exchange command is allowed. You can use it through
               SCardControl(hCard, IOCTL_SMARTCARD_VENDOR_IFD_EXCHANGE, ...)

In case libccid refuses with a

Firmware (x.xx) is bogus! Upgrade the reader firmware or get a new reader.

you can force it by also setting the third bit (0x04) of ifdDriverOptions in /etc/libccid_Info.plist:

       <key>ifdDriverOptions</key>
       <string>0x0005</string>
       Possible values for ifdDriverOptions
       1: DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED
               the CCID Exchange command is allowed. You can use it through
               SCardControl(hCard, IOCTL_SMARTCARD_VENDOR_IFD_EXCHANGE, ...)
       4: DRIVER_OPTION_USE_BOGUS_FIRMWARE 
               Some reader firmwares have bugs. By default the driver refuses 
               to work with such firmware versions. If your reader is rejected
               because of the firmware (log message: "Firmware (x.y) is 
               bogus!") you can: 
               - activate this option but you will have problems depending on the bug
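As an added example (not from the page and not libccid's own code), here is a small Python script that reads an Info.plist the same way the gawk one-liner in the Middleware section does, but with plistlib, and decodes ifdDriverOptions into the two flags documented above. The plist content is a constructed two-entry sample (the friendly-name strings are assumed); point it at /etc/libccid_Info.plist for real use. From a hardening standpoint, DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED lets any PC/SC client push raw commands to the reader, so it is worth checking that it is only set on machines that need it.

```python
#!/usr/bin/env python3
"""Inspect a libccid Info.plist: list the readers it claims and decode ifdDriverOptions."""
import plistlib

# Flag values taken from the comments in libccid's Info.plist
DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED = 0x0001
DRIVER_OPTION_USE_BOGUS_FIRMWARE = 0x0004

# Constructed sample; a real file has hundreds of entries and lives at
# /etc/libccid_Info.plist (or next to the driver bundle). Friendly names are assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ifdDriverOptions</key>
    <string>0x0005</string>
    <key>ifdVendorID</key>
    <array>
        <string>0x072F</string>
        <string>0x04E6</string>
    </array>
    <key>ifdProductID</key>
    <array>
        <string>0x2200</string>
        <string>0x5591</string>
    </array>
    <key>ifdFriendlyName</key>
    <array>
        <string>ACS ACR122U PICC Interface</string>
        <string>SCM Microsystems Inc. SCL3711 reader and NFC device</string>
    </array>
</dict>
</plist>
"""


def list_readers(plist_bytes: bytes) -> list:
    """Return [(vid, pid, name)] by zipping the three parallel arrays; the
    arrays must stay aligned, otherwise the driver matches the wrong reader."""
    info = plistlib.loads(plist_bytes)
    vids, pids, names = info["ifdVendorID"], info["ifdProductID"], info["ifdFriendlyName"]
    if not (len(vids) == len(pids) == len(names)):
        raise ValueError("ifdVendorID/ifdProductID/ifdFriendlyName arrays are out of sync")
    return [(int(v, 16), int(p, 16), n) for v, p, n in zip(vids, pids, names)]


def driver_options(plist_bytes: bytes) -> dict:
    """Decode ifdDriverOptions into the flags documented in the plist comments."""
    raw = int(plistlib.loads(plist_bytes).get("ifdDriverOptions", "0x0000"), 16)
    return {
        "raw": raw,
        "ccid_exchange_authorized": bool(raw & DRIVER_OPTION_CCID_EXCHANGE_AUTHORIZED),
        "use_bogus_firmware": bool(raw & DRIVER_OPTION_USE_BOGUS_FIRMWARE),
    }


def find_reader(plist_bytes: bytes, vid: int, pid: int):
    """Friendly name libccid would use for this VID:PID, or None if unsupported."""
    for v, p, name in list_readers(plist_bytes):
        if (v, p) == (vid, pid):
            return name
    return None


if __name__ == "__main__":
    for vid, pid, name in list_readers(SAMPLE_PLIST):
        print(f"{vid:04X}:{pid:04X} {name}")
    print(driver_options(SAMPLE_PLIST))
```

Replace SAMPLE_PLIST with `open("/etc/libccid_Info.plist", "rb").read()` to audit a real installation; a PN531 wired straight to USB (04CC:0531, see the PN531 section) is an example of a device this lookup reports as unsupported.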

Personally I found the reader quite unstable, it disconnects often from pcscd.
Even with vendor drivers instead of libccid. BTW I've no idea what this vendor version brings extra.

Another issue is that the generated ATR doesn't properly follow the PC/SC standard for contactless ISO14443-4 tags:
where it should put the historical bytes of the ATS into the generated ATR, it puts the entire ATS, breaking tag detection done e.g. by pcsc_scan.
Moreover, for e.g. a JCOP card, the last bytes of the ATS are masked by 0xFF 0xFF 0xFF 0xFF.

Examples:

  • Desfire:
ATS:                        06 75 77 81 02 80
ATR by ACR122U: 3B 86 80 01 06 75 77 81 02 80 00
ATS hist bytes:             80
Expected ATR:   3B 81 80 01 80 80
  • JCOPv2.4.1:
ATS:                        0D 78 77 B1 02 4A 43 4F 50 76 32 34 31
ATR by ACR122U: 3B 8D 80 01 0D 78 77 B1 02 4A 43 4F 50 FF FF FF FF AB
ATS hist bytes:             4A 43 4F 50 76 32 34 31   (=JCOPv241)
Expected ATR:   3B 88 80 01 4A 43 4F 50 76 32 34 31 5E

The problem is known to ACS, so they upgraded the firmware and released a v207.
So if you want to buy one, make sure to get at least an ACR122U-A2NR/207F, or newer if one exists.
To temporarily work around the JCOP issue on ACR122U203, you can issue another command to get the full ATS: FF CA 01 00 00. This command follows the PC/SC standard.
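The expected ATRs above can be computed rather than eyeballed. The following Python code is an added example (neither ACS code nor part of the original page) that derives the PC/SC part 3 ATR from an ATS and classifies what the ACR122U actually returns; the function names are mine and the sample ATS/ATR values are the ones listed above.

```python
#!/usr/bin/env python3
"""Derive the PC/SC part 3 ATR of an ISO 14443-4 card from its ATS and check
what a reader reports against it.

PC/SC ATR for a contactless ISO 14443-4 card:
  3B | 8n | 80 | 01 | n historical bytes copied from the ATS | TCK
  n = number of historical bytes (at most 15), TCK = XOR of every byte after TS (3B).
"""


def ats_historical_bytes(ats: bytes) -> bytes:
    """Skip TL, T0 and the TA1/TB1/TC1 interface bytes announced by T0 bits 5..7."""
    if not ats or ats[0] != len(ats):
        raise ValueError("ATS length byte TL does not match the ATS length")
    if len(ats) == 1:          # TL only: no T0, no historical bytes
        return b""
    n_interface = bin((ats[1] >> 4) & 0x7).count("1")
    return ats[2 + n_interface:]


def tck(after_ts: bytes) -> int:
    """XOR checksum over the ATR bytes that follow TS."""
    x = 0
    for b in after_ts:
        x ^= b
    return x


def pcsc_atr_from_ats(ats: bytes) -> bytes:
    """ATR a PC/SC-compliant reader should present for this ATS."""
    hist = ats_historical_bytes(ats)
    if len(hist) > 15:
        raise ValueError("T0 can only announce up to 15 historical bytes")
    body = bytes([0x80 | len(hist), 0x80, 0x01]) + hist   # T0, TD1 (TD2 follows), TD2 (T=1)
    return b"\x3b" + body + bytes([tck(body)])


def pcsc_atr_historical_bytes(atr: bytes) -> bytes:
    """Validate a 3B 8n 80 01 ... TCK ATR and return its historical bytes."""
    if len(atr) < 5 or atr[0] != 0x3B or (atr[1] & 0xF0) != 0x80 or atr[2:4] != b"\x80\x01":
        raise ValueError("not a PC/SC contactless ATR (3B 8n 80 01 ...)")
    n = atr[1] & 0x0F
    if len(atr) != 5 + n:
        raise ValueError("ATR length does not match the historical byte count in T0")
    if tck(atr[1:]) != 0:
        raise ValueError("TCK checksum mismatch")
    return atr[4:4 + n]


def diagnose(ats: bytes, reader_atr: bytes) -> str:
    """Compare a reader's ATR with the expected one and name the deviation."""
    if reader_atr == pcsc_atr_from_ats(ats):
        return "ok"
    got = pcsc_atr_historical_bytes(reader_atr)
    common = 0
    for a, b in zip(got, ats):
        if a != b:
            break
        common += 1
    if common == len(ats) == len(got):
        return "whole ATS stuffed into the ATR"
    if common >= 2:
        return f"whole ATS stuffed into the ATR, last {len(got) - common} bytes masked"
    return "unexpected ATR"


if __name__ == "__main__":
    # Sample values from the Desfire and JCOP v2.4.1 cases above
    for ats_hex, atr_hex in (("067577810280", "3b86800106757781028000"),
                             ("0d7877b1024a434f5076323431", "3b8d80010d7877b1024a434f50ffffffffab")):
        ats, atr = bytes.fromhex(ats_hex), bytes.fromhex(atr_hex)
        print(pcsc_atr_from_ats(ats).hex(), "<-", diagnose(ats, atr))
```

Both ACR122U ATRs above pass the TCK check, which is why a tool that only validates the checksum accepts them; the mismatch only shows once the historical bytes are compared with the ATS.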

OpenPCD 2

Based on PN532 and an ARM Cortex-M3 (LPC1342FHN33) with open-source firmware

NFC shield for Arduino

Opensource NFC shield for Arduino

  • More here
  • Code here, forked from Adafruit code, cf breakout board below

Breakout board

Opensource hardware designed by microbuilder.eu

  • Some code for Arduino here

PN533-based

PN533

  • Official site: http://www.nxp.com/#/pip/pip=[pfp=53424]|pp=[t=pfp,i=53424]

The PN533 is capable of speaking USB directly, so there exist readers consisting simply of a PN533 wired to your PC via USB.
vendorID/productID may vary, e.g. 04CC:2533 or for SCL3711: 04E6:5591

SCL3711

Based on a PN533

It can be used as such with libnfc via libusb, or it can be used via PCSC through a proprietary driver, but AFAIK this driver doesn't provide a mechanism to send commands to the PN533, so you have to disable PCSC (or remove the driver) if you want to use libnfc.
My 64-bit driver doesn't work with PCSCd >=1.6.1 if pcscd is run in the background, it needs to run in the foreground.
With PCSCd v1.5.5 it works fine (except that I couldn't use the Escape IOCTL mechanism, which works properly under Windows).
Note that the Info file mentions LGPL but the driver is closed-source...

StickID

Based on a PN533

  • StickID, in Italian, might exist with SAM too

PN544-based

There are no PN544 readers for PC yet, but it's the one you'll find in NFC phones

Nexus S

CL RC632 -based

OpenPCD

Pegoda

  • See http://www.nxp.com/#/pip/pip=[pfp=41960]|pp=[t=pfp,i=41960]
  • Almost no opensource support, just an embryonic one in librfid

Omnikey 5321

  • datasheet
  • ISO 14443 A/B and 15693 (up to 848 kbps in the fastest ISO 14443 transmission mode)
  • APIs: PC/SC, Synchronous-API (on top of PC/SC), OCF (Open Card Framework) or CT-API
  • contactless smartcards supported:
    • HID: iCLASS®
    • NXP: MIFARE®, DESFire®, SMART-MX and ICODE
    • Texas Instruments: TagIT®
    • ST Micro: x-ident, SR 176, SR 1X 4K
    • Infineon: My-d (in secure mode UID only)
    • Atmel: AT088RF020
    • KSW MicroTech: KSW TempSens
    • iCODE SLI, iCODE SL2 & LRI 64
    • Contactless 2048 bit key generation in RSA mode (JCOP / SMART-MX)

Installing OmniKey reader under linux:

There are drivers here

But there is also a Debian package pcsc-omnikey
Warning! Don't install it or it will remove libccid!!
It's better to keep libccid if needed for other readers and install the missing RFID driver by hand: (here on a 64-bit platform)

aptitude download pcsc-omnikey
dpkg -x pcsc-omnikey_1%3a2-4_amd64.deb .
cp -a usr/lib/pcsc/drivers/ifdokrfid_lnx_x64-2.6.0.bundle /usr/lib/pcsc/drivers/

See here: you need also to recompile pcscd with libusb:

./configure --disable-libhal --enable-libusb

To do it by repackaging the Debian pcscd:

aptitude install libusb-dev
apt-get source pcscd
apt-get build-dep pcscd
--- debian/rules        2009-01-14 13:54:42.000000000 +0100
+++ debian/rules        2009-01-14 13:46:56.000000000 +0100
@@ -38,6 +38,8 @@
        dh_testdir
        # we add LDFLAGS="-lpthread" for bug #253629
        ./configure $(confflags) \
+               --disable-libhal \
+               --enable-libusb \
                --sysconfdir=/etc \
                --prefix=/usr \
                --enable-usbdropdir=/usr/lib/pcsc/drivers \
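Review bot: the two new flags are spliced into the `./configure $(confflags) \` call rather than added to `confflags`, which is where the rest of the build options live; appending `--disable-libhal --enable-libusb` to the `confflags` definition keeps the option list in one place and survives later edits of this line. Also, the `+++` timestamp (13:46:56) is earlier than the `---` one (13:54:42), which suggests the two files may have been passed to diff in reverse order; check that `patch` applies it forward before building.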

Then

dpkg-buildpackage -uc -us

To launch the modified pcscd in the foreground, showing APDUs and debug info (here pcscd was installed as /usr/local/bin/pcscd-libusb):

pcscd-libusb -f -a -d

UPDATE: I've successfully tried the latest drivers from Omnikey on Debian Squeeze (pcscd 1.5.5) without too much hassle:

  • Get from here either ifdokrfid_lnx-2.7.0.tar.gz or ifdokrfid_lnx_x64-2.7.0.tar.gz depending on whether you're using a 32- or 64-bit OS.
  • Copy the directory ifdokrfid_lnx-2.7.0.bundle to /usr/lib/pcsc/drivers and the file cmrfid.ini to /etc

That's it. No need to recompile pcscd or to mangle /etc/libccid_Info.plist

SpringCard Prox'N'Roll

Gives a lot of control by means of APDUs.
Mainly useful to have full access to ISO15693 commands or to perform "strange" things on ISO14443, like sending ISO14443-4 commands to an ISO14443-3 card (which you can also do with PN53x, but the PN53x doc is under NDA)

Others

ACG LF / OMNIKEY 5534

Adam Laurie is selling via his RFIDiot website some ACG LF readers, either with their native serial interface or with a USB interface.
Those readers are based on a module from ACG, now relabeled as Omnikey since they're owned by HID:
RDLO-0101N0
aka OMNIKEY 5534 Core MultiTag Reader
aka ACG LF MultiTag OEM Module

  • 125 & 134.2 kHz
  • Supports: EM4x02, EM4x50, EM4x05 (ISO 11784/5 FDX-B), Hitag 1 / 2 / S, Q5, TI 64 bit R/O & R/W, TI 1088 bit Multipage

You can modify the default serial port speed by modifying byte 0Ch in EEPROM. Mine is working at 57600 baud.
The USB version actually uses an FTDI USB-serial converter and so will simply show up on your Linux box as the serial port /dev/ttyUSB0

Usage example with RFIDiot tools:

readlfx.py -R RFIDIOt.rfidiot.READER_ACG -s 57600

Usage example in console:

cu -l /dev/ttyUSB0 -s 57600

Short quickref for console usage:

~.   quit cu
!    test continuous read -> ! if active, F if not
c    continuous read      -> poll, any key to stop -> S
dX   set tag settings     -> dH80 gain=2 sampling_time=0
l    login                -> lMIKR -> L=ok X=fail N=no_tag
oX   set tag type         -> oH
o+X  include tag type
o-X  exclude tag type
poff antenna power off
pon  antenna power on
rb   read block           -> rb00  -> 4 bytes
wb   write block          -> wb0011223344
rp   read EEPROM
wp   write EEPROM
s    select               -> poll once
v    get version
x    reset
y    field reset          -> y8080 off time in ms + recovery time in ms

Mir:ror

by Violet, a French company (so most links below are in French)

Works with ISO14443-A and -B

Misc

SDCard shaped

Not sure which ones are actually available for purchase and which ones are just vaporware...

Other Hardware Tools

RFID killers

RFID skimmers

RFID emulators

OpenPICC

Use an ARM toolchain, e.g. [1], and add arm/bin/ to the path

svn co -r432 http://svn.openpcd.org/branches/sniffonly/openpicc/
cd openpicc
make

You may try a later revision, but at least r432 compiles and works.
If you don't get a /dev/ttyUSBx to flash the beast, load the driver by hand:

modprobe -r usbserial
modprobe usbserial vendor=0x03EB product=0x6124

If ./at91flash_automatic openpicc.bin fails, edit at91flash to use /dev/ttyUSB0, then

./at91flash openpicc.bin

Unplug & replug, you'll get a /dev/ttyACM0

  • Using:

Anything that talks serial will do:

socat - /dev/ttyACM0,raw,echo=0,crnl,b115200 
cu -l /dev/ttyACM0 -s 115200 
screen /dev/ttyACM0 115200 

h for help, f for field strength measurement
To sniff raw data, you have to convert the hexadecimal stream if you want to display it, e.g. with

(echo r;cat)|socat - /dev/ttyACM0,raw,echo=0,crnl,b115200 |xxd

Note that you can still send commands to the OpenPICC, e.g. "r" to stop sniffing, CTRL-D to quit
To sniff and get decoded frames (reader side only; for the tag side you would need an OpenPCD)

svn co -r432 http://svn.openpcd.org/branches/sniffonly/host/
cd host
make

Usage:

./openpicc-sniff-14443a /dev/ttyACM0

To get just the raw stream:

./openpicc-sniff-14443a /dev/ttyACM0|cut -c 50-|sed 's/\([0-9A-F]\+\) [01]!\? */\1/g'
  • Using under Windows:

Plug it in, let Windows find the new hardware -> search software? -> no -> install from specific location -> search/include/browse -> svn/branches/sniffonly/openpicc/win32driver (OpenBeaconUSB.inf) -> continue anyway
To communicate, use anything that talks serial, e.g. Start->Accessories->Communications->HyperTerminal -> new connection -> COM4 -> 115200/8/N/1/None -> try e.g. "h" -> File -> Save

  • Debug

In case of trouble, you may have more luck with the debug cable (115200/8/N/1, 3v3)

  1. GND
  2. CTS# - shorted
  3. VCC - provided! not to be connected to external Vcc
  4. TXD
  5. RXD
  6. RTS# - shorted

Proxmark III

Originally created by J.Westhues: here, video in action here

Extracting the reader datastream (to be compared with OpenPICC results)

cat dump |grep -v TAG|cut -c 21-|sed 's/!crc.*//;s/\([0-9a-f]\+\)[[:space:]]*/\1/g'|tr a-z A-Z

Getting both directions

cat dump |sed 's/:     /+/;s/: TAG /-/'|cut -c 15-|sed 's/!crc.*//;s/\([0-9a-f]\+\)!\?[[:space:]]*/\1/g'|tr a-z A-Z

Demo: Cloning a Verichip

Source code is now on Google Code.
Even if you don't have the board, some tools can be used offline.
To compile the host client without the ARM toolchain:

apt-get install gcc g++ libreadline-dev libusb-dev libqt4-dev pkg-config
make client

Cool hack to run it under Android here.

IAIK RFID DemoTag

Open RFID Tag

N2 Elite

125kHz cloners and emulators

Misc

Software Tools

librfid

librfid is a Free Software RFID library. It implements the PCD (reader) side protocol stack of ISO 14443 A, ISO 14443 B, ISO 15693, Mifare Ultralight and Mifare Classic.
It works mainly with the OpenPCD and the Omnikey Cardman 5121/5321.
It drives the readers directly and so doesn't use pcscd, which must be stopped.
See this blog post on how to install it and use it to read an ISO15693 tag.
To get the tool working properly I had to compile the tools statically (svn r2107), otherwise I got segfaults when trying to read tags:

# apt-get install libusb-dev
$ svn co https://svn.gnumonks.org/trunk/librfid/
$ cd librfid/
$ ./autogen.sh
$ ./configure --enable-ccid --disable-shared
$ make

Then you can read the content of ISO15693 tags from e.g. Infineon, NXP iCode and TI Tag-IT.
Scan for a tag (the user must have the right to use libusb, otherwise do it as root):

$ ./utils/librfid-tool -s


Read tag till the first error occurs

$ ./utils/librfid-tool -r -1


Internally it uses the ISO15693 optional command "Read Single Block", but EM Microelectronic Marin cards only support the other optional command, "Read Multi Blocks".
Here is a quick hack to change the librfid read command (but then it won't be able to read NXP iCode, which only supports "Read Single Block"...)
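To make the difference between the two optional commands concrete, here is an added example (not librfid code) that builds the two addressed read requests as they go over the air, including the ISO 15693 CRC; the command codes, flag bits and CRC parameters are those of ISO 15693-3, and the sample UID in the comments is constructed.

```python
# Added example, not librfid code: ISO 15693 addressed read requests on the wire, to
# show the one-byte difference between Read Single Block and Read Multiple Blocks.

CMD_READ_SINGLE_BLOCK = 0x20
CMD_READ_MULTIPLE_BLOCKS = 0x23
FLAG_DATA_RATE_HIGH = 0x02  # request flags, bit 2
FLAG_ADDRESS = 0x20         # request flags, bit 6 (non-inventory mode): UID follows


def crc16_iso15693(data):
    """CRC-16 of ISO 15693-3 Annex C: polynomial 0x8408 (reflected 0x1021),
    preset 0xFFFF, result inverted; transmitted LSB first after the data."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_addressed_read(uid, block, nr_blocks=None):
    """Build flags | command | UID (LSB first) | block [| nr_blocks-1] | CRC.

    uid is the 8-byte UID as printed (E0 ... first, e.g. bytes.fromhex("E004010012345678")).
    With nr_blocks=None a Read Single Block is built; otherwise Read Multiple Blocks,
    whose count field holds the number of blocks minus one (nr_blocks=1 gives the 0
    that the librfid hack writes into its nrblocks field)."""
    if len(uid) != 8 or not 0 <= block <= 0xFF:
        raise ValueError("need an 8-byte UID and a one-byte block number")
    flags = FLAG_ADDRESS | FLAG_DATA_RATE_HIGH
    if nr_blocks is None:
        body = bytes([flags, CMD_READ_SINGLE_BLOCK]) + bytes(reversed(uid)) + bytes([block])
    else:
        if not 1 <= nr_blocks <= 256:
            raise ValueError("nr_blocks must be 1..256")
        body = (bytes([flags, CMD_READ_MULTIPLE_BLOCKS]) + bytes(reversed(uid))
                + bytes([block, nr_blocks - 1]))
    return body + crc16_iso15693(body).to_bytes(2, "little")


def check_crc(frame):
    """True when the trailing two CRC bytes match the rest of the frame."""
    return len(frame) > 2 and int.from_bytes(frame[-2:], "little") == crc16_iso15693(frame[:-2])
```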

--- rfid_layer2_iso15693.c.orig	2010-03-11 19:02:54.000000000 +0100
+++ rfid_layer2_iso15693.c	2010-03-11 19:08:57.000000000 +0100
@@ -45,12 +45,14 @@
 	struct iso15693_request head;
 	u_int64_t uid;
 	u_int8_t blocknum;
+	u_int8_t nrblocks;
 	u_int8_t data[0];
 } __attribute__ ((packed));
 
 struct iso15693_request_block_selected {
 	struct iso15693_request head;
 	u_int8_t blocknum;
+	u_int8_t nrblocks;
 	u_int8_t data[0];
 } __attribute__ ((packed));
 
@@ -166,7 +168,7 @@
 
 	rx_len = sizeof(resp);
 
-	tx_req.sel.head.command = ISO15693_CMD_READ_BLOCK_SINGLE;
+	tx_req.sel.head.command = ISO15693_CMD_READ_BLOCK_MULTI;
 
 	if (handle->priv.iso15693.vicc_fast){
 		tx_req.sel.head.flags |= RFID_15693_F_RATE_HIGH;
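Review bot: replacing ISO15693_CMD_READ_BLOCK_SINGLE with ISO15693_CMD_READ_BLOCK_MULTI unconditionally trades one incompatibility for another, as the text above admits (NXP iCode only supports the single-block command). Rather than swapping the constant, make the command selectable, e.g. a field in handle->priv.iso15693 set by the caller, or retry with ISO15693_CMD_READ_BLOCK_SINGLE when the multi-block request is rejected, so both tag families keep working.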
@@ -183,12 +185,14 @@
 	if (handle->priv.iso15693.state==RFID_15693_STATE_SELECTED) {
 		tx_len = sizeof(struct iso15693_request_block_selected);
 		tx_req.sel.blocknum = blocknr;
+		tx_req.sel.nrblocks = 0;
 		tx_req.sel.head.flags |= RFID_15693_F4_SELECTED;
 	} else {
 		tx_len = sizeof(struct iso15693_request_block_addressed);
 		memcpy(&tx_req.addr.uid, handle->uid, ISO15693_UID_LEN);
 		tx_req.addr.head.flags |= RFID_15693_F4_ADDRESS;
 		tx_req.addr.blocknum = blocknr;
+		tx_req.addr.nrblocks = 0;
 	}
 
 	//DEBUGP("sizeof: addr: %d sel:%d\n",sizeof(struct iso15693_request_read_addressed),sizeof(struct iso15693_request_read_selected));
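Review bot: the two `nrblocks = 0` assignments are bare magic numbers; a named constant or a comment stating that 0 means "one block" would avoid misreading. Also note that only the request grows here: rx_len = sizeof(resp) in the previous hunk is untouched, which is correct only while nrblocks stays 0, so a comment warning not to raise it without enlarging resp would help. Unrelated but visible in the context line: the commented-out DEBUGP refers to iso15693_request_read_addressed / iso15693_request_read_selected, which do not match the struct names changed in the first hunk.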

RFDump

RFDump is a backend GPL tool to directly interoperate with any RFID ISO-Reader to make the contents stored on RFID tags accessible.

RFIDIOt

RFIDIOt is an open source python library for exploring RFID devices

apt-get install python-pyscard
$ ./mrpkey.py -L
PCSC devices:
   No: 0               OMNIKEY CardMan 5x21 00 00
   No: 1               OMNIKEY CardMan 5x21 00 01
$ ./mrpkey.py -r 1 CHECK
mrpkey v0.1n (using RFIDIOt v0.1s)
 Reader: PCSC OMNIKEY CardMan 5x21 00 01
 Device is a Machine Readable Document
$ ./mrpkey.py -r 1 "EXnnnnnn<cBELyymmddcSyymmddc<<<<<<<<<<<<<<cc"

To fix the reader number, edit RFIDIOtconfig.py
In the MRZ the passport number is coded with 9 chars. Belgian passports use only 8, so some passport readers need the document number padded with the "<" filler ("EXnnnnnn<")
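As an added example (not RFIDIOt code), here is how the check digits in the MRZ line passed to mrpkey.py are derived under ICAO 9303, including the "<" padding of an 8-char Belgian document number; the sample document number, dates and nationality used in the comments are constructed.

```python
# Added example, not RFIDIOt code: ICAO 9303 check digits for the TD3 MRZ line that
# mrpkey.py takes ("EXnnnnnn<cBELyymmddcSyymmddc<<<<<<<<<<<<<<cc"); sample values constructed.

WEIGHTS = (7, 3, 1)


def mrz_value(ch):
    """Numeric value of one MRZ character: 0-9 as-is, A-Z = 10..35, filler '<' = 0."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError("invalid MRZ character %r" % ch)


def check_digit(field):
    """ICAO 9303 check digit: sum of value * weight (7,3,1 repeating), modulo 10."""
    return str(sum(mrz_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)


def build_td3_line2(doc_no, nationality, dob, sex, expiry, optional=""):
    """44-char second MRZ line of a TD3 passport with all five check digits filled in."""
    # An 8-char document number (Belgian case, e.g. "EX123456") is padded with '<' to keep
    # later fields at their fixed positions; the padded 9 chars are what the check digit covers.
    doc, opt = doc_no.ljust(9, "<"), optional.ljust(14, "<")
    if (len(doc), len(nationality), len(dob), len(sex), len(expiry), len(opt)) != (9, 3, 6, 1, 6, 14):
        raise ValueError("MRZ field with wrong length")
    body = (doc + check_digit(doc) + nationality + dob + check_digit(dob) + sex
            + expiry + check_digit(expiry) + opt + check_digit(opt))
    # Composite digit covers positions 1-10, 14-20 and 22-43 (1-based): every field
    # except nationality and sex, each with its own check digit included.
    return body + check_digit(body[0:10] + body[13:20] + body[21:43])


def validate_td3_line2(line):
    """Re-derive every check digit of a TD3 line 2; True only when all five match."""
    if len(line) != 44:
        return False
    fields = [(line[0:9], line[9]), (line[13:19], line[19]), (line[21:27], line[27]),
              (line[28:42], line[42]), (line[0:10] + line[13:20] + line[21:43], line[43])]
    for field, digit in fields:
        # ICAO 9303 allows the filler '<' as check digit of an all-filler optional field
        if digit == "<" and set(field) == {"<"}:
            continue
        if check_digit(field) != digit:
            return False
    return True
```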

To use mrpkey under Windows you need:
python, pyscard, pyserial, pywin32, pycrypto, python imaging library

GNU Radio

GNU Radio is a collection of software that when combined with minimal hardware, allows the construction of radios where the actual waveforms transmitted and received are defined by software. What this means is that it turns the digital modulation schemes used in today's high performance wireless devices into software problems.

pwnpass

RFID tool by 3ric Johanson (gets info from the RFID chip on credit cards), presented at Shmoocon 2009
See also this video showing it demo'd
See here (pdf) a technical report on the vulnerabilities of RFID credit cards, and here info on the PayPass 3000 reader

libnfc

Open source library for Near Field Communication (NFC) using readers based on PN531/PN532/PN533 chips. The library comes with examples demonstrating read, emulation & relay attack by exploiting a "hidden" raw mode of those chips.

To compile:

apt-get install automake1.9 libtool pkg-config libusb-dev libpcsclite-dev libreadline5-dev
./autogen.sh
make
make install

See also nfc-tools, pynfc (python bindings), mtools (GUI) and micmd projects

libndef

This is a C++ library for reading and writing messages based on the NDEF (NFC Data Exchange Format) Specification.

NFC Type 4 Applet

It's about using an NXP SmartMX with JCOP as an NFC Forum Type 4 Tag

SpringCard

Offers an SDK for their readers which is also somewhat compatible with e.g. the Omnikey 5321; see here, especially the two PCSC-SDK

See also their NFC tools and their Calypso Explorer

SMACADU

Smart Card Digging utilities (Windows)

Cardpeek

is a Linux tool to read the contents of ISO7816 smartcards. It uses a PC/SC reader to communicate with the card, and its GTK GUI presents card data in a tree view. Cardpeek's list of supported cards is expandable thanks to a scripting language. Currently, the tool can explore EMV cards, Calypso cards, Moneo cards (French ePurse) and Vitale (French health card) (from SpringCard's Blog)
Installation on Debian: see INSTALL, you need to install also lua5.1 and liblua5.1-0-dev

apt-get install liblua5.1-0-dev automake1.10 libssl-dev libgtk2.0-dev

SCard SOFT

A Russian software company making stuff to explore smartcards

TagEventor

A Linux open-source client for the Touchatag (Tikitag).
It uses the PCSC-Lite daemon and can be run in foreground or daemon mode to make tag events available to user-space applications.

About ePassports

OpenPCD LiveCD

With baudline, libnfc tools, etc

Specific applications

ePassport

MOBIB/Calypso

see dedicated page

Cambio

Mifare Classic

  • crapto1
  • tk-libnfc-crapto1/mfcuk & mfoc, does not work against MFC emulation on e.g. JCOP or Mifare Plus

Privacy

Privacy: Legal European Framework

see the above link for a general introduction and a list of RFID-related items

Miscellaneous articles

Misc documentation

Shopping

Maybe more expensive, with a smaller selection, or for specific material:

NFC

Ok all technologies presented above and running at 13.56MHz are now under the "NFC" umbrella but this section is more specific to the NFC-Forum part of the story...

Resources

Stacks

Google Android

Misc

RFID/NFC Workshops & Talks

From time to time I give RFID/NFC security/privacy workshops:

Workshops are typically 2 to 6 hours long and contain topics such as:

  • RFID/NFC readers for PC supported by open-source software (Omnikey CardMan 5321, ACG-LF, Frosch, ASK LoGO, SCL3711 & others)
  • PC/SC: limits of manipulating RFID with contact-oriented standards (ATR/ATS & APDUs).
  • NFC, anticollision, card emulation, relay attacks, RFID authentication protocol example
  • libnfc tools, RFIDIOt tools, ePassports, privacy
  • Open hardwares, Proxmark

The workshops are a mix of intro to readers, standards, tools, security aspects, hands-on & demos.
For the hands-on, I distribute bootable CDs / USB keys (based on Debian Live) with all drivers & open-source tools I could find and participants can borrow a SCL3711 reader.
If you're interested, you can contact me

Pictures

RFID reader field visualized: