NFC spoofing for a *certain* Portal using game - NFC Hacking

I know precious little about the nitty-gritty of RFID or NFC stuff, but I'm wondering if there's such a thing as an RFID or NFC spoofer (emulator) that works at the standard NFC frequency of 13.56 MHz and uses the ISO 14443 standard.
I'm wondering if it's possible to spoof those Skylanders figures, which use NFC. It's currently impossible to write one figure onto another because of access restrictions on the first little block in the RFID tag, and I'm not aware of any commercially available generic RFID tags that have *quite* the same hardware as the figures.
I believe the Skylanders use MIFARE Classic tags and have a locked block 0 (or UID); in that block 0 is the code which says which character they are.
Is it, in principle, possible to "project" a fake MIFARE tag from an NFC-equipped phone, also with a fake UID?
For that matter, are there any breakout boards that can do this, like an Arduino shield?

*BUMP*
I'd also like to pull this off with my G-Nex...

The breakout board I use is from Adafruit.com, which at the moment is hooked up to a Raspberry Pi. You could theoretically spoof a tag, if you will, but I don't follow the logic to do so. I think what you want to do is more like cloning and siphoning. Check over on the Kali Linux forums (the new version of BackTrack); they are working on something that does just that. I read a little into it about how they were basically bumping into people at a conference, or getting in range of someone with their phone out texting or not paying attention, and were able to do just that.
Sent from my SAMSUNG-SGH-I747 using xda premium

Osbor said:
I know precious little about the nitty-gritty of RFID or NFC stuff, but I'm wondering if there's such a thing as an RFID or NFC spoofer (emulator) that works at the standard NFC frequency of 13.56 MHz and uses the ISO 14443 standard.
I'm wondering if it's possible to spoof those Skylanders figures, which use NFC. It's currently impossible to write one figure onto another because of access restrictions on the first little block in the RFID tag, and I'm not aware of any commercially available generic RFID tags that have *quite* the same hardware as the figures.
I believe the Skylanders use MIFARE Classic tags and have a locked block 0 (or UID); in that block 0 is the code which says which character they are.
Is it, in principle, possible to "project" a fake MIFARE tag from an NFC-equipped phone, also with a fake UID?
For that matter, are there any breakout boards that can do this, like an Arduino shield?
In theory one is able to emulate an NXP MIFARE Classic card using an Android device. However, the firmware of the NFC chip is programmed to produce a different UID with each transmission, therefore the firmware for the chip would have to be modified to produce a static UID. If you want to learn more about the capabilities of the NXP NFC chips used in most Android devices, navigate to NXP's website; there is plenty of info.
From The Q, Of Course
live the life you love, love the life you live
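Added here as a worked example, not code from the thread or from NXP: the ISO/IEC 14443-3 Type A anticollision exchange is where a reader learns a card's UID, so it is also where "static UID" versus "random UID" becomes visible. The Python below verifies the BCC on each cascade level, assembles 4-, 7- and 10-byte UIDs, flags a random UID (a single-size UID whose first byte is 0x08, per ISO/IEC 14443-3), and performs the reverse split that a card or an emulator has to answer with when presenting a chosen UID. The SAK hints follow NXP's application note AN10833; all byte values are constructed samples, not captures from a real card.

```python
# Added example (not from the thread): decode ISO/IEC 14443-3 Type A
# anticollision data, verify each cascade level's BCC, flag a random UID, and
# build the cascade responses an emulator must answer with for a chosen UID.
# All byte values below are constructed for illustration.
from typing import Dict, List

CASCADE_TAG = 0x88        # "more UID follows" marker in a cascade level
RANDOM_UID_MARKER = 0x08  # uid0 == 0x08 announces a 4-byte random UID

# Common SAK values (NXP AN10833); anything else is reported as unknown.
SAK_HINTS: Dict[int, str] = {
    0x00: "MIFARE Ultralight / NTAG (ISO 14443-3 only)",
    0x08: "MIFARE Classic 1K",
    0x18: "MIFARE Classic 4K",
    0x20: "ISO 14443-4 compliant (e.g. DESFire)",
}


def bcc(body: bytes) -> int:
    """Block check character: XOR of the four bytes of one cascade level."""
    x = 0
    for b in body:
        x ^= b
    return x


def parse_cascade_levels(levels: List[bytes]) -> Dict[str, object]:
    """levels: the 5-byte (4 data + BCC) responses from cascade levels 1..n.
    Returns the assembled UID, its size and whether it is a random UID.
    Raises ValueError on a length or BCC problem, the same check a reader does."""
    uid = bytearray()
    for i, lvl in enumerate(levels, start=1):
        if len(lvl) != 5:
            raise ValueError(f"cascade level {i}: expected 5 bytes, got {len(lvl)}")
        body, check = lvl[:4], lvl[4]
        want = bcc(body)
        if want != check:
            raise ValueError(f"cascade level {i}: BCC 0x{check:02x}, expected 0x{want:02x}")
        if body[0] == CASCADE_TAG:
            if i == len(levels):
                raise ValueError(f"cascade level {i}: cascade tag but no further level")
            uid += body[1:]   # three UID bytes, more to come
        else:
            if i != len(levels):
                raise ValueError(f"cascade level {i}: UID complete but more levels given")
            uid += body       # last level carries four UID bytes
    if len(uid) not in (4, 7, 10):
        raise ValueError(f"assembled UID has {len(uid)} bytes")
    return {
        "uid": uid.hex(),
        "size": len(uid),
        # Only single-size (4-byte) UIDs can be random; the marker is uid0.
        "random": len(uid) == 4 and uid[0] == RANDOM_UID_MARKER,
    }


def cascade_levels(uid: bytes) -> List[bytes]:
    """Inverse direction: split a 4-, 7- or 10-byte UID into the cascade-level
    responses (with BCC) that a card, or an emulator, must answer with."""
    if len(uid) not in (4, 7, 10):
        raise ValueError("UID must be 4, 7 or 10 bytes")
    out: List[bytes] = []
    rest = bytes(uid)
    while len(rest) > 4:
        body = bytes([CASCADE_TAG]) + rest[:3]
        out.append(body + bytes([bcc(body)]))
        rest = rest[3:]
    out.append(rest + bytes([bcc(rest)]))
    return out


def describe_sak(sak: int) -> str:
    """SAK bit 3 (0x04) means 'UID not complete'; otherwise hint at the chip type."""
    if sak & 0x04:
        return "UID not complete, continue anticollision"
    return SAK_HINTS.get(sak, f"unknown SAK 0x{sak:02x}")


if __name__ == "__main__":
    # Constructed sample: a 7-byte UID delivered as two cascade levels.
    sample = [bytes.fromhex("88041122bf"), bytes.fromhex("3344556644")]
    print(parse_cascade_levels(sample))
    # A 4-byte UID starting with 0x08 is random and changes on every activation.
    print(parse_cascade_levels([bytes.fromhex("08a1b2c3d8")]))
    print([lvl.hex() for lvl in cascade_levels(bytes.fromhex("04112233445566"))])
    print(describe_sak(0x08))
```

The point of the reverse helper is the one made in the post above: whatever answers the reader's anticollision commands decides the UID, so an emulator whose lower layers hand out a fresh random UID each time can never present the fixed one a tag-bound application expects.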


[Q] Is it possible to clone an RFID card w/ GNEX's NFC?

Has anyone heard of using an NFC-enabled device to imitate an RFID gate pass? My complex won't give me another one for my fiancée. I thought I could copy it and swipe my GNex at the gate while my fiancée uses the HID ProxCard.
I'm ignorant of the details of the two technologies, so this is probably impossible. Worth asking. Thanks.
I would sure hope not. Sounds like that would be a pretty big security risk for companies that use such cards for sensitive locations.
Sent from my Galaxy Nexus using Tapatalk 2
It is possible, I believe. I know from Bamboozle that the NFC wristbands had no security and I was able to get into the VIP area with no problems.
I would imagine that it is likely since I doubt that their NFC security is high.
With regards to cloning an NFC tag and an RFID card: no, it won't be possible. You have mentioned two technologies that are similar but not the same. NFC and RFID work the same in theory, but at different radio bands. Think of it like AT&T phones vs. T-Mo phones. Some PC adaptors can read/write both, but the GNex can't.
Second flaw is that you probably wouldn't be able to use the GNex itself to open the door. The much more likely solution would be to use the GNex to capture the info on the old tag and write it to a different tag of the same type.
Third, and this ties into what Self Righteos Banana said about the NFC wristbands at Bamboozle: most places don't have high security on their NFC or RFID solutions, but the software isn't quite there for the GNex to fully exploit this. We were able to read the wristbands and determine that all of them, VIP, 1 day, 3 day etc., had the same info stored on the tag. They were relying on the site staff to visually identify the various wristbands as well as scan to see if they were genuine. With this, a little social engineering got us into restricted access. We weren't able to rewrite the wristbands completely without altering other bits yet, though. One of us wrote "Hello" to an unused portion of the memory, but it wrote header info in adjacent bits, not zeroes. I assume this is based on protocols that the phone (or other NFC devices) use. So we were able to read and write to the tags, but could not clone them. For that I think you would still need a PC until software catches up.
EDIT: Also, since this is a question, I feel I should remind you to post it in the Q&A section and not General. Also, there is an NFC Hacking subforum.
Thanks a lot for the valuable info. I'll hunt around in the NFC Hacking section. Sorry about posting in the wrong forum; I won't make that mistake again.

Are all the tags compatible with all phones?

I was wondering if all the NFC tags are compatible with all phones. E.g., I was about to get
http://www.ebay.com/itm/10pcs-NFC-S...130?pt=LH_DefaultDomain_0&hash=item231dcadbaa
10 pcs for around $10, but are they going to be compatible with the Xperia S which I own? Is this the same as the original tags included in the box?
Sorry if this is a noob question!
cdrov said:
I was wondering if all the NFC tags are compatible with all phones. E.g., I was about to get
http://www.ebay.com/itm/10pcs-NFC-S...130?pt=LH_DefaultDomain_0&hash=item231dcadbaa
10 pcs for around $10, but are they going to be compatible with the Xperia S which I own? Is this the same as the original tags included in the box?
Sorry if this is a noob question!
Those will work. They aren't the same.
The tags included with the phone are MIFARE Ultralight based. These are NFC Forum Type 2 tags with 64 bytes of memory (48 writable).
The ones you have linked are MIFARE Classic 1K. These contain 1K of memory (~716 writable). These are *not* NFC Forum type tags. All this means is that they aren't guaranteed to work with all future iterations of devices. BlackBerrys, for example, don't do so well with 1K tags. Android devices, though, don't seem to have any problem with them.
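Added here as a worked example, not code from the thread or from NXP: the "locked block 0" and "access restrictions" that come up in the Skylanders and Disney Infinity posts, and the 1K capacity figures in the answer above, all come down to the MIFARE Classic memory layout and the access bits stored in each sector trailer (bytes 6..8, with every bit also stored inverted so the chip can detect corruption). The Python below maps block numbers to sectors, decodes a trailer into the (C1, C2, C3) triple for each block, refuses a trailer whose inverted copies disagree (writing one bricks the sector), and prints the resulting rights using the tables from the MF1S50 datasheet. Trailer bytes are constructed samples; FF 07 80 69 is the documented factory (transport) configuration.

```python
# Added example (not from the thread): MIFARE Classic 1K block/sector mapping
# and sector-trailer access-bit decoding with the inverted-copy consistency check.
# Trailer bytes below are constructed samples; FF 07 80 69 is the transport config.
from typing import Dict, Tuple

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16

# Data block rights by (C1, C2, C3): "A|B" = key A or key B, "-" = never.
DATA_BLOCK_RIGHTS: Dict[Tuple[int, int, int], Dict[str, str]] = {
    (0, 0, 0): {"read": "A|B", "write": "A|B", "inc": "A|B", "dec": "A|B"},
    (0, 1, 0): {"read": "A|B", "write": "-",   "inc": "-",   "dec": "-"},
    (1, 0, 0): {"read": "A|B", "write": "B",   "inc": "-",   "dec": "-"},
    (1, 1, 0): {"read": "A|B", "write": "B",   "inc": "B",   "dec": "A|B"},
    (0, 0, 1): {"read": "A|B", "write": "-",   "inc": "-",   "dec": "A|B"},
    (0, 1, 1): {"read": "B",   "write": "B",   "inc": "-",   "dec": "-"},
    (1, 0, 1): {"read": "B",   "write": "-",   "inc": "-",   "dec": "-"},
    (1, 1, 1): {"read": "-",   "write": "-",   "inc": "-",   "dec": "-"},
}

# Trailer rights by (C1, C2, C3), each entry "read/write" for key A, access bits, key B.
TRAILER_RIGHTS: Dict[Tuple[int, int, int], Dict[str, str]] = {
    (0, 0, 0): {"keyA": "-/A", "access": "A/-",   "keyB": "A/A"},
    (0, 1, 0): {"keyA": "-/-", "access": "A/-",   "keyB": "A/-"},
    (1, 0, 0): {"keyA": "-/B", "access": "A|B/-", "keyB": "-/B"},
    (1, 1, 0): {"keyA": "-/-", "access": "A|B/-", "keyB": "-/-"},
    (0, 0, 1): {"keyA": "-/A", "access": "A/A",   "keyB": "A/A"},
    (0, 1, 1): {"keyA": "-/B", "access": "A|B/B", "keyB": "-/B"},
    (1, 0, 1): {"keyA": "-/-", "access": "A|B/B", "keyB": "-/-"},
    (1, 1, 1): {"keyA": "-/-", "access": "A|B/-", "keyB": "-/-"},
}


def sector_of(block: int) -> int:
    if not 0 <= block < SECTORS_1K * BLOCKS_PER_SECTOR:
        raise ValueError("block out of range for a 1K card")
    return block // BLOCKS_PER_SECTOR


def is_trailer(block: int) -> bool:
    return block % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1


def user_data_bytes_1k() -> int:
    """Raw capacity minus the 16 sector trailers and the read-only manufacturer
    block 0. NDEF formatting (MAD in sector 0, TLV headers) reduces it further."""
    total = SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE
    return total - SECTORS_1K * BLOCK_SIZE - BLOCK_SIZE


def decode_access_bits(trailer: bytes) -> Dict[int, Tuple[int, int, int]]:
    """Return {block_in_sector: (C1, C2, C3)} from trailer bytes 6..8.
    Layout (high | low nibble): byte6 = ~C2 | ~C1, byte7 = C1 | ~C3, byte8 = C3 | C2.
    Bit j of each nibble belongs to block j of the sector (3 = the trailer)."""
    if len(trailer) != BLOCK_SIZE:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    nc1, nc2, nc3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0x0F, 0x0F, 0x0F):
        raise ValueError("access bits and their inverted copies disagree; "
                         "writing this trailer would make the sector unusable")
    return {j: ((c1 >> j) & 1, (c2 >> j) & 1, (c3 >> j) & 1) for j in range(4)}


def describe_sector(trailer: bytes) -> Dict[int, Dict[str, str]]:
    """Human-readable rights for the three data blocks and the trailer itself."""
    bits = decode_access_bits(trailer)
    out = {j: dict(DATA_BLOCK_RIGHTS[bits[j]]) for j in range(3)}
    out[3] = dict(TRAILER_RIGHTS[bits[3]])
    return out


if __name__ == "__main__":
    transport = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    print(sector_of(7), is_trailer(7), user_data_bytes_1k())
    print(decode_access_bits(transport))
    for blk, rights in describe_sector(transport).items():
        print(blk, rights)
```

Note that block 0 (the manufacturer block holding the UID) is read-only in silicon on genuine cards regardless of what the sector 0 trailer says, which is the restriction the Skylanders post runs into; the access bits only govern the remaining blocks.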
Thank you, I am going to get them, and I'll get back here to post the results.
Which devices support NFC?
Hey guys, does the Samsung Galaxy S2 GT-I9100 support NFC? If yes, why doesn't my device support NFC?
I am on Resurrection Remix ics V2.2
Is it disabled, or what's the problem?
Won't work on the 9100.
From what I have read, only specially made 9100s will work with NFC. The one that I know will work is the 9100P. So if you have that one, you are in luck. The other ones I don't think will. Also, the Note will work, but that is a whole other phone.

NFC-V (ISO/IEC 15693) tags

I have a bunch of blank NFC tags from Texas Instruments (about 40 in total) in varying sizes (both physical and storage-wise), shapes, and casings. While I'm able to read them on my Galaxy S3, none of the apps I've tried are able to write to them.
After some poking around, I determined that these are all NFC-V tags (ISO/IEC 15693 compliant), which are apparently not NDEF-compatible. While the Android OS supports them, it provides no functionality to interface with them other than transceive (raw read/write). Lacking the knowledge to write my own interface app, I'm reduced to research, questions, and experimentation.
Does anybody have any experience using Android to write to NFC-V tags? If so, what were you able to store and how did you do it?
https://play.google.com/store/apps/...1bGwsMSwxLDEsImNvbS5ueHAubmZjLnRhZ3dyaXRlciJd
Try this app; it might work for you.
Thanks for the reply. That's actually the first app I tried, and no matter what type of data I try to write, I get the following: ow.ly/c5ubE
I've been putting a lot of my effort into getting this (ow.ly/c5uaz) app to work, since it specifies NFC-V and ISO/IEC 15693 compatibility, but I still can't get it to write any data (NDEF or raw). From reading up on NFC-V, I get the impression this may be an issue with one-bit vs. two-bit addressing and the app wrongly assuming which it is, but I have no way to confirm that. That said, the source for that app is available for download from its developer here (ow.ly/c5uaR) if anybody is interested in picking it apart.
Aren't they locked?
I can't give you more clues as I've just started reading about NFC.
daniel_loft said:
Aren't they locked?
I can't give you more clues as I've just started reading about NFC.
Not that I'm aware. I can read them, and the access conditions allow writes. TI also advertises that they're shipped unlocked and unprotected.
Having done a fair amount of research since, it seems the issue is that NFC-V tags are not part of the NFC Forum standard, and there's no standard way to store NDEF data on them. Short of writing my own app with a proprietary method of doing so, I think the only option for those tags is to wait until NXP, TI, the NFC Forum, etc decide on a standard, then all the NFC Android apps update appropriately.
Fortunately, I've since gained access to the NXP Semiconductors samples ordering system, and their MIFARE tags are differently complicated but NDEF-formattable, so I'm making some headway.
rowanator0 said:
Not that I'm aware. I can read them, and the access conditions allow writes. TI also advertises that they're shipped unlocked and unprotected.
Having done a fair amount of research since, it seems the issue is that NFC-V tags are not part of the NFC Forum standard, and there's no standard way to store NDEF data on them. Short of writing my own app with a proprietary method of doing so, I think the only option for those tags is to wait until NXP, TI, the NFC Forum, etc decide on a standard, then all the NFC Android apps update appropriately.
Fortunately, I've since gained access to the NXP Semiconductors samples ordering system, and their MIFARE tags are differently complicated but NDEF-formattable, so I'm making some headway.
Hm, I believe that NFCIP-2 specifies something about vicinity cards, but I don't remember what exactly. The main problem, though, is that the NFC chip of the SG3, which should be the PN544 (not 100% sure, but I think it's the same as in the predecessor, and NXP hasn't released the PN547 yet), does not have the capability to write vicinity cards. I think there were datasheets on this, though.
Damastus said:
Hm, I believe that NFCIP-2 specifies something about vicinity cards, but I don't remember what exactly. The main problem, though, is that the NFC chip of the SG3, which should be the PN544 (not 100% sure, but I think it's the same as in the predecessor, and NXP hasn't released the PN547 yet), does not have the capability to write vicinity cards. I think there were datasheets on this, though.
Can you define "vicinity" in this context? If you're referring specifically to NFC-V, you may be on to something. If you just mean proximity cards in general, though, I am able to write to MiFARE tags. Furthermore, as I understand it, with the right software behind an NFC reader/writer, you can theoretically read/write just about anything that uses 13.56MHz, simply as a result of the way the active field works.
Additionally, you seem to be correct about the NFC chip in the S3 (see ow.ly/foV15), but according to the NXP spec sheet for that chip (ow.ly/foUYj), it should be able to read/write tags that meet the same ISO standards as my TI tags. Apologies for the shortened URLs; I don't have enough posts yet to post links and that seems to be the only way to get around it.
rowanator0 said:
Can you define "vicinity" in this context? If you're referring specifically to NFC-V, you may be on to something. If you just mean proximity cards in general, though, I am able to write to MiFARE tags. Furthermore, as I understand it, with the right software behind an NFC reader/writer, you can theoretically read/write just about anything that uses 13.56MHz, simply as a result of the way the active field works.
Additionally, you seem to be correct about the NFC chip in the S3 (see ow.ly/foV15), but according to the NXP spec sheet for that chip (ow.ly/foUYj), it should be able to read/write tags that meet the same ISO standards as my TI tags. Apologies for the shortened URLs; I don't have enough posts yet to post links and that seems to be the only way to get around it.
ISO 15693 is the vicinity card standard (basically the same as the other ISO 14443 standard, but those ISO 15693 cards have a bigger range, up to several meters). Cards that can be read via NFC-V are vicinity cards/tags. Though I checked again, and you are right: going by the datasheet, it should be able to read and write them.
Btw, your idea of being able to read and write anything that uses 13.56 MHz is too idealistic. There are many kinds of cards and standards with many different protocols (many of them even proprietary, like MIFARE Classic, LEGIC, iCLASS etc.) involved in this. These protocols are most of the time implemented at the hardware level. One of the reasons for that is the fact that there are also very strict timings that cards, tags and readers have to comply with. Going up layers of software can be too slow in that case.
You can read most of the ISO 14443 A and B compliant cards, for example, but MIFARE Classic can only be read with phones that feature chips that implement the ISO 14443-3 A protocol. The PN544 can read MIFARE Classic because it's manufactured by NXP, the same company that holds the patents and rights to the MIFARE Classic standard.
Damastus said:
ISO 15693 is the vicinity card standard (basically the same as the other ISO 14443 standard, but those ISO 15693 cards have a bigger range, up to several meters). Cards that can be read via NFC-V are vicinity cards/tags. Though I checked again, and you are right: going by the datasheet, it should be able to read and write them.
Btw, your idea of being able to read and write anything that uses 13.56 MHz is too idealistic. There are many kinds of cards and standards with many different protocols (many of them even proprietary, like MIFARE Classic, LEGIC, iCLASS etc.) involved in this. These protocols are most of the time implemented at the hardware level. One of the reasons for that is the fact that there are also very strict timings that cards, tags and readers have to comply with. Going up layers of software can be too slow in that case.
You can read most of the ISO 14443 A and B compliant cards, for example, but MIFARE Classic can only be read with phones that feature chips that implement the ISO 14443-3 A protocol. The PN544 can read MIFARE Classic because it's manufactured by NXP, the same company that holds the patents and rights to the MIFARE Classic standard.
Which leaves us pretty much back where we started.
As for my "WORKS WITH EVERYTHING" comment, you're absolutely right. I should have specified ISO 14443/15693 (and even then my original statement would be wrong). Basically, I was referring to the fact that if you have the command set for something that operates on the 13.56 MHz frequency, you can in theory write software to interface with it, as you can send and receive pretty much any raw data you want. However, you're right: there are plenty of 13.56 MHz devices, both passive and active, that some active modules simply cannot communicate with.
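Added here as a worked example, not code from the thread or from TI/NXP: the thread's conclusion is that Android only offers raw transceive for NFC-V, so a practitioner who wants to write such a tag has to build ISO/IEC 15693-3 request frames by hand. The Python below constructs the Read Single Block, Write Single Block and Get System Information requests an app would hand to `NfcV.transceive()`, decodes the flags byte, and parses the tag's answers including the error codes. Assumptions: the NFC stack appends the CRC (Android's NfcV does); the UID is supplied as printed (E0.. first) and reversed to the LSB-first wire order the protocol requires, so check your stack's byte order if writes are rejected; and the Option flag on writes is a parameter because some tags (TI's Tag-it HF-I, per its datasheet as I recall it) require it, which is worth checking before blaming the app. The UID, block data and responses are constructed samples.

```python
# Added example (not from the thread): ISO/IEC 15693-3 request frames for
# NfcV.transceive() and response parsing. UID/data values are constructed samples.
# Assumes the NFC stack appends the CRC-16 and that the UID is given MSB first
# as printed (E0..); it is reversed to LSB-first wire order here.
from typing import Dict, List, Tuple

FLAG_SUBCARRIER = 0x01  # bit 1: two sub-carriers
FLAG_HIGH_RATE  = 0x02  # bit 2: high data rate
FLAG_INVENTORY  = 0x04  # bit 3: inventory request (bits 5..8 change meaning)
FLAG_PROTO_EXT  = 0x08  # bit 4: protocol extension
FLAG_SELECT     = 0x10  # bit 5: only the selected tag answers
FLAG_ADDRESS    = 0x20  # bit 6: request carries the 8-byte UID
FLAG_OPTION     = 0x40  # bit 7: command-specific option (some tags need it for writes)

CMD_READ_SINGLE_BLOCK  = 0x20
CMD_WRITE_SINGLE_BLOCK = 0x21
CMD_GET_SYSTEM_INFO    = 0x2B

ERROR_CODES = {0x01: "command not supported", 0x02: "command not recognised",
               0x03: "option not supported", 0x0F: "unknown error",
               0x10: "block not available", 0x11: "block already locked",
               0x12: "block locked, write failed", 0x13: "block not successfully programmed",
               0x14: "block not successfully locked"}

FLAG_NAMES = [(FLAG_SUBCARRIER, "sub-carrier"), (FLAG_HIGH_RATE, "high-rate"),
              (FLAG_INVENTORY, "inventory"), (FLAG_PROTO_EXT, "proto-ext"),
              (FLAG_SELECT, "select"), (FLAG_ADDRESS, "addressed"), (FLAG_OPTION, "option")]


def describe_flags(flags: int) -> List[str]:
    return [name for bit, name in FLAG_NAMES if flags & bit]


def _uid_wire(uid_printed: bytes) -> bytes:
    """Printed UIDs start with E0 (ISO 15693 prefix); the wire order is reversed."""
    if len(uid_printed) != 8 or uid_printed[0] != 0xE0:
        raise ValueError("ISO 15693 UID is 8 bytes and starts with E0 when printed MSB first")
    return uid_printed[::-1]


def read_single_block(uid_printed: bytes, block: int,
                      flags: int = FLAG_HIGH_RATE | FLAG_ADDRESS) -> bytes:
    if not 0 <= block <= 0xFF:
        raise ValueError("single-block commands address blocks 0..255 without protocol extension")
    return bytes([flags, CMD_READ_SINGLE_BLOCK]) + _uid_wire(uid_printed) + bytes([block])


def write_single_block(uid_printed: bytes, block: int, data: bytes, option: bool = True) -> bytes:
    """Data length must equal the tag's block size (see parse_system_info)."""
    if not 1 <= len(data) <= 32:
        raise ValueError("block size is 1..32 bytes")
    flags = FLAG_HIGH_RATE | FLAG_ADDRESS | (FLAG_OPTION if option else 0)
    return (bytes([flags, CMD_WRITE_SINGLE_BLOCK]) + _uid_wire(uid_printed)
            + bytes([block]) + bytes(data))


def get_system_info(uid_printed: bytes) -> bytes:
    return bytes([FLAG_HIGH_RATE | FLAG_ADDRESS, CMD_GET_SYSTEM_INFO]) + _uid_wire(uid_printed)


def parse_response(resp: bytes) -> Tuple[bool, bytes, str]:
    """(ok, payload, error_text). Response flag bit 1 set means an error code follows."""
    if not resp:
        return False, b"", "empty response (tag left the field or timed out)"
    if resp[0] & 0x01:
        code = resp[1] if len(resp) > 1 else -1
        return False, b"", ERROR_CODES.get(code, f"error 0x{code:02x}")
    return True, bytes(resp[1:]), ""


def parse_system_info(resp: bytes) -> Dict[str, object]:
    """Decode Get System Information; optional fields follow the info-flags byte."""
    ok, body, err = parse_response(resp)
    if not ok:
        raise ValueError(err)
    info, uid_wire, rest = body[0], body[1:9], body[9:]
    out: Dict[str, object] = {"uid": uid_wire[::-1].hex()}
    pos = 0
    if info & 0x01:
        out["dsfid"] = rest[pos]; pos += 1
    if info & 0x02:
        out["afi"] = rest[pos]; pos += 1
    if info & 0x04:                       # memory size: (blocks - 1), (block size - 1) in 5 bits
        out["blocks"] = rest[pos] + 1
        out["block_size"] = (rest[pos + 1] & 0x1F) + 1
        pos += 2
    if info & 0x08:
        out["ic_ref"] = rest[pos]
    return out


if __name__ == "__main__":
    uid = bytes.fromhex("e007000012345678")          # constructed: E0 = ISO 15693, 07 = TI
    print(get_system_info(uid).hex())
    print(read_single_block(uid, 3).hex(), describe_flags(0x22))
    print(write_single_block(uid, 3, bytes.fromhex("deadbeef")).hex(), describe_flags(0x62))
    print(parse_response(bytes.fromhex("0110")))     # constructed error reply
```

In an Android app the frames go straight into `NfcV.get(tag).transceive(frame)`; the practical order is Get System Information first, so that the block size used for the write matches what the tag reports, then a read-back of the written block to confirm the write actually landed rather than trusting a silent success.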

Technical aspects of NFC and related security

Hey everyone,
Within the last month, I ended up receiving a refund from the university I attend and used the majority of the funds to flat out buy a Samsung Galaxy Rugby Pro (SGH-i547). The selling points for me were the build quality (almost akin to the Nokia candy bar phones of the late 1990s and early 2000s predominantly seen with Cingular), comparable hardware capabilities to the other Galaxy phones (i.e. the SII) and its inclusion of the NFC chipset/antenna. Because I don't have a stable income, it wasn't possible to get a voice/text/data plan. For obvious reasons I subsequently rooted the Rugby Pro to remove the tethering.provision XML reference in the framework.apk, as well as carrier unlocking.
One of the problems I'm facing is the ability to use the NFC chipset for anything more than novel purposes. It has been widely documented on the forums that Google Wallet can't be used on anything other than Sprint-based Samsung Galaxy phones (officially), with the apparent competing digital wallet 'ISIS' not being an effective replacement (tried installing, and even with a temporary unroot it's still picking up on the root status of the Rugby Pro).
After trying to do a general web search on NFC, I can't seem to find any noteworthy information about the 'secure element'. Even sending an email to Samsung resulted in a recommendation to call their Hotline.
What I'm wondering:
For those devices that have NFC, which devices have the hardware support for the secure element?
(Is it a requirement for an NFC implementation to include the hardware to support a 'secure element'?)
Is it a limitation imposed by the telcos that prevents the inclusion of the software aspect (i.e. the keys) to allow access to the secure element?
For devices using the same chipset (i.e. the Galaxy series devices), is it technically possible to import a working keyset (assumed to be a library) to try and gain access?
Apologies in advance if any of these questions have been answered beforehand. My hope is to be able to use the hardware capabilities of NFC devices in a telco-independent manner. Eventually, once I can acquire enough information, as a college engineering capstone project I would want to approach the local public transportation authority and try to sell them on the mass usage of contactless payments (at the moment they only implement the RFID/NFC NXP cards for senior citizens and those who are physically disabled).
Thanks
Joe M.
Sent from my Transformer TF101 using xda app-developers app

backup of rfid Disney infinity figurine tags

Hello everyone, I'm a bit new to this. I recently saw a video on YouTube of someone's proof of concept that it would be possible to emulate Disney Infinity RFID tags by using some special hardware and listening in on the traffic between the Disney figurine base and the Xbox 360 by routing it through a laptop. My question is of a similar nature.
I have a bunch of these Disney Infinity figurines, and it gets annoying trying to keep track of them, especially since my little brother is the one that uses them and they wind up in miscellaneous places in the house, occasionally broken. I understand that they are some kind of 13.56 MHz RFID tag with a toy on top of them. My question is: how would I use an Android phone (Samsung Galaxy S5, rooted) or some kind of RFID reader to determine the hex key that is locking the information contained inside the RFID tag, so that I can make a copy of the figurine in case my brother steps on one of them again? That way I can just have him use a clone of the tag. As far as I understand, since I PAID for these figurines, they are mine, so if I copy them for backup purposes that's completely fine.
I have tried a few things: I tried "NFC - War", which was not too useful, and a couple of other apps to no avail. Is there an app, or a Windows program (and compatible hardware), that I can use to either brute force the keys out or use some sort of exploit to get the keys? As far as I understand it is a MIFARE Classic NDEF-formattable tag. Help would be greatly appreciated.
Also, I'm not on here to do anything illegal or wrong in any way, so anyone who would like to simply complain to me about how backing up my own property is wrong, please direct your comments elsewhere, because I really don't care.
