Topic: Mifare Classic SoftTag Emulation

Hello,

I would appreciate some help regarding the emulation scenarios below.

The below research is for MFCUK SoftTag 100% emulation tool for Mifare Classic. If anyone would like to join the efforts - welcome!

1. Setup used is:
- ACR122 emulates a TAG (using a default/modified nfc-emulate.c) with libnfc 1.2.1
- Omnikey 5131 is the READER (using Omnikey Diagnostic Tool to check the TAG in its field). Reasons:
    -- first, I don't have a second ACR122
    -- second, having different hardware in the setup would prove more interoperability rather than using just two ACR122 devices

2. First tests and then questions:

- if I use the default nfc-emulate.c, I get a VERY "short presence" (~1 sec) of the emulated tag in the Diagnostic Tool (I suppose because of nfc_target_init()) and then nothing happens (i.e. the nfc-emulate.c while() loop is not transceiving anything)

- RESULTS:
    -- very short DETECTED presence of the ACR122 emulated tag detected by Omnikey
    -- the initiator command received is: "e0 81"
    -- UID detected: 08 00 B0 0B (because of nfc_target_init() hardcoded 00 B0 0B) (btw, is anyone seeing any b00bs in nfc?! smile )
    -- ATR detected: 3B 80 80 01 01
    -- please check this screenshot - http://andreicostin.com/MFCUK/emulate_result1.png

- QUESTIONS:
    -- what does "e0 81" mean? couldn't make a clue out of it... i'm dumb at this smile
    -- why nothing happens in the:

while(true)
{
    // Test if we received a frame
    if (nfc_target_receive_bits(pdi,abtRecv,&uiRecvBits,NULL))
    {
        // ... answer the received frame (rest of the loop not quoted here)
    }
}

loop of the emulation? is ACR122 transceiving incompatible/time-unsynced with Omnikey (I suppose it should not)?
   
3. Second tests and then questions:

- modified the default nfc-emulate.c such that it does:

while(true)
{
    if (!nfc_target_init(pdi,abtRecv,&uiRecvBits))
    {
        printf("Error: Could not come out of auto-emulation, no command was received\n");
        return 1;
    }
    printf("[+] Received initiator command: ");
    print_hex_bits(abtRecv,uiRecvBits);
}

- modified in libnfc.c the function nfc_target_init():

// Set UID
// zveriu - use our old friend DEADBEEF
pncmd_target_init[5] = 0xDD;
pncmd_target_init[6] = 0xBE;
pncmd_target_init[7] = 0xEF;

- RESULTS:
    -- TAG is detected by Omnikey with constant periodicity (2-3 times a second), Omnikey reader LEDs blinking periodically while reading tag info and Diagnostic Tool detects a tag in field
    -- UID detected: 08 DD BE EF (as modified in nfc_target_init() )
    -- ATR detected: 3B 80 80 01 01
    -- please check this screenshot - http://andreicostin.com/MFCUK/emulate_result2.png

- QUESTIONS:
    -- why nfc_target_init() configures only 3 bytes of UID? why not 4 bytes? (though should check the mnemonic of D4 8C command since nfc_target_init is using byte_t pncmd_target_init[39] = { 0xD4,0x8C };)
    -- where does the 08 first byte of the UID come from? is it possible to control it as well, as I did with the last 3 bytes of the UID?
    -- where does the ATR sequence come from? is it possible to control it so that it matches one of the Mifare Classic ATR/ATS? (http://ludovic.rousseau.free.fr/softwar … d_list.txt)

Sorry for the long post. Hope someone can answer with few useful pointers.

Thanks,
Andrei Costin
http://andreicostin.com
http://code.google.com/p/tk-libnfc-crapto1/
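An added worked example (editor's code, not from the post, libnfc or MFCUK) that puts the observations above into runnable form. It assembles the 39-byte TgInitAsTarget command (D4 8C) at the same indices the pncmd_target_init[5..7] assignments above use; the field order is taken from the PN532 user manual, which also states that the host supplies only 3 NFCID1t bytes and the chip fixes the first UID byte to 0x08, consistent with the 08 DD BE EF the Omnikey reported. It then derives the 4-byte UID a reader will see with its ISO/IEC 14443-3 BCC, and names the first frame an initiator sends to the target. Function names and the abridged command table are mine; the sample values are the thread's own.

```python
# Added example (not from the thread or libnfc): PN53x TgInitAsTarget layout as
# used by libnfc 1.2.1's nfc_target_init(), per the PN532 user manual.
# Byte offsets (assumption taken from that manual):
#   [0..1]   D4 8C           TgInitAsTarget
#   [2]      Mode            0x00 = accept any initiator mode
#   [3..4]   SENS_RES        ATQA as sent over RF (libnfc default 04 00)
#   [5..7]   NFCID1t         3 UID bytes; the chip prepends 0x08 itself
#   [8]      SEL_RES         SAK (libnfc default 0x20 = ISO14443-4 capable)
#   [9..26]  FeliCaParams    18 bytes, unused here
#   [27..36] NFCID3t         10 bytes, unused here
#   [37]     LEN Gt          0 = no general bytes
#   [38]     LEN Tk          0 = no historical bytes offered in an ATS

FRAME_LEN = 39
FIXED_UID0 = 0x08  # first UID byte the PN53x inserts in front of NFCID1t


def build_tg_init_as_target(nfcid1t: bytes, sens_res: bytes = b"\x04\x00",
                            sel_res: int = 0x20, mode: int = 0x00) -> bytes:
    """Assemble the 39-byte command; mirrors libnfc's pncmd_target_init[] indices."""
    if len(nfcid1t) != 3:
        raise ValueError("MifareParams carry exactly 3 host-supplied UID bytes")
    if len(sens_res) != 2:
        raise ValueError("SENS_RES is 2 bytes")
    frame = bytearray(FRAME_LEN)          # all other fields zero, like libnfc's memset()
    frame[0:2] = b"\xD4\x8C"
    frame[2] = mode
    frame[3:5] = sens_res
    frame[5:8] = nfcid1t
    frame[8] = sel_res
    return bytes(frame)


def emulated_uid(frame: bytes) -> bytes:
    """UID a reader will report for this frame: fixed 0x08 plus the 3 host bytes."""
    if len(frame) != FRAME_LEN or frame[:2] != b"\xD4\x8C":
        raise ValueError("not a TgInitAsTarget frame")
    return bytes([FIXED_UID0]) + frame[5:8]


def bcc(uid4: bytes) -> int:
    """ISO/IEC 14443-3 check byte sent after a 4-byte UID during anticollision."""
    if len(uid4) != 4:
        raise ValueError("BCC covers one 4-byte cascade level")
    result = 0
    for b in uid4:
        result ^= b
    return result


def decode_initiator_command(cmd: bytes) -> str:
    """Name the first Type A frame an initiator sends (ISO/IEC 14443-3/-4 codes)."""
    if not cmd:
        return "empty frame"
    c = cmd[0]
    if c == 0x26:
        return "REQA"
    if c == 0x52:
        return "WUPA"
    if c in (0x93, 0x95, 0x97):
        return "SELECT/anticollision, cascade level %d" % ((c - 0x93) // 2 + 1)
    if c == 0x50 and len(cmd) >= 2 and cmd[1] == 0x00:
        return "HLTA"
    if c == 0xE0 and len(cmd) >= 2:
        # RATS parameter byte: high nibble FSDI (frame size code), low nibble CID
        return "RATS (FSDI=%d, CID=%d)" % (cmd[1] >> 4, cmd[1] & 0x0F)
    if 0xD0 <= c <= 0xDF:
        return "PPS (CID=%d)" % (c & 0x0F)
    return "unknown command 0x%02X" % c


if __name__ == "__main__":
    frame = build_tg_init_as_target(bytes.fromhex("DDBEEF"))   # the thread's UID bytes
    uid = emulated_uid(frame)
    print("UID seen by reader:", uid.hex().upper(), "BCC: %02X" % bcc(uid))
    print("initiator sent:", decode_initiator_command(bytes.fromhex("E081")))
```

Fed the thread's values, the decoder reports the received e0 81 as an ISO/IEC 14443-4 RATS with FSDI 8 and CID 1: the default SEL_RES 0x20 advertises ISO14443-4 support, so a reader follows selection with RATS, while the emulator has no ATS to answer with (LEN Tk is 0). A real MIFARE Classic 1K or 4K answers SAK 0x08 or 0x18 (values from the ISO14443-3/NXP documentation, not from the thread).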

Re: Mifare Classic SoftTag Emulation

ATR 3B 80 80 01 01 is an empty ATR, actually (use ATR_analysis from Dr Rousseau's pcsc-tools package).

ATR: 3B 80 80 01 01
+ TS = 3B --> Direct Convention
+ T0 = 80, Y(1): 1000, K: 0 (historical bytes)
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes:
+ TCK = 01 (correct checksum)

Mifare cards (and other synchronous memory cards) do not actually send an ATR upon reset: it is the reader's driver which generates a 'pseudo-ATR' according to PCSC specs (see in particular the PC/SC 2.01 part 3 spec for precise rules for ATR generation).

So the ATR you are getting probably means that the reader does not actually detect that your (emulated) card is mifare at all: a suggestion would be to use a Linux box with pcsc-lite and see what the behaviour is with the Linux driver?

A Mifare 4K card should typically return:

ATR: 3B8F8001804F0CA0000003060300020000000069
TS: 3B (Direct Convention)
T0: 8F Y(1): 8 K: 15 (historical bytes)
TD(1) = 80 --> Y(i+1) = 8 Protocol T=0
-----
TD(2) = 1 --> Y(i+1) = 0 Protocol T=1
-----
+ Historical bytes: 804f0ca00000030603000200000000
Category indicator byte: 80 (compact TLV data object)

    * Tag: 4, len: 15 (initial access data)
      Initial access data: 0ca00000030603000200000000
      RID: A000000306: PC/SC Workgroup
      SS: 3 -> ISO 14443 A, part 3 (card standard)
      NN: 2 -> Mifare Standard 4K (card name)
---
Checksum: 69 (correct checksum)

A Proxmark to analyse communication between your actual reader and emulated card would come in handy smile
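An added worked example (editor's code, not from the reply or from pcsc-tools) that decodes both ATRs quoted above the way ATR_analysis does: it walks the ISO/IEC 7816-3 interface bytes, verifies the TCK, and interprets the historical bytes in the PC/SC 2.01 Part 3 storage-card layout (80 4F, length, RID, SS, NN), which is what makes the 4K ATR recognisable and the 3B 80 80 01 01 one empty. The abridged SS and NN tables and the function names are my assumptions.

```python
# Added example (not from the thread or pcsc-tools): decode a PC/SC pseudo-ATR
# for a contactless storage card and check its TCK. Interface-byte walk per
# ISO/IEC 7816-3; historical bytes 80 4F <len> RID SS NN per PC/SC 2.01 Part 3.
# The SS/NN tables below are abridged and an assumption of mine.

RID_PCSC_WORKGROUP = bytes.fromhex("A000000306")

STANDARDS = {            # PC/SC 2.01 Part 3 "SS" byte (card standard), abridged
    0x03: "ISO 14443 A, part 3",
    0x07: "ISO 14443 B, part 3",
}
CARD_NAMES = {           # PC/SC 2.01 Part 3 "NN" (C0 C1) bytes (card name), abridged
    0x0001: "Mifare Standard 1K",
    0x0002: "Mifare Standard 4K",
    0x0003: "Mifare Ultralight",
}


def parse_atr(atr_hex: str) -> dict:
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    t0 = atr[1]
    y, k = t0 >> 4, t0 & 0x0F        # Y(1): which interface bytes follow, K: historical count
    protocols = []
    i = 2
    while True:
        i += bool(y & 0x1) + bool(y & 0x2) + bool(y & 0x4)   # skip TA, TB, TC if present
        if not (y & 0x8):
            break
        td = atr[i]                  # TD(i): high nibble Y(i+1), low nibble protocol T
        i += 1
        protocols.append(td & 0x0F)
        y = td >> 4
    if not protocols:
        protocols = [0]              # no TD1 at all means T=0 only
    historical = atr[i:i + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    i += k
    # TCK is present unless T=0 is the only protocol offered; a correct TCK
    # makes the XOR of every byte from T0 through TCK equal zero.
    tck_ok = None
    if any(p != 0 for p in protocols):
        if i >= len(atr):
            raise ValueError("TCK missing")
        x = 0
        for b in atr[1:i + 1]:
            x ^= b
        tck_ok = (x == 0)
        i += 1
    if i != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {
        "protocols": protocols,
        "historical_bytes": historical.hex().upper(),
        "tck_ok": tck_ok,
        "card": _decode_contactless(historical),
    }


def _decode_contactless(hist: bytes):
    """PC/SC Part 3 storage-card historical bytes; None when not in that layout."""
    # 0x80 = category indicator (compact TLV), 0x4F = application identifier presence
    if len(hist) < 3 or hist[0] != 0x80 or hist[1] != 0x4F:
        return None
    aid = hist[3:3 + hist[2]]
    if len(aid) < 8:                 # RID (5) + SS (1) + NN (2), then RFU bytes
        return None
    rid, ss, nn = aid[:5], aid[5], int.from_bytes(aid[6:8], "big")
    return {
        "rid": rid.hex().upper(),
        "rid_known": rid == RID_PCSC_WORKGROUP,
        "standard": STANDARDS.get(ss, "unknown SS 0x%02X" % ss),
        "name": CARD_NAMES.get(nn, "unknown NN 0x%04X" % nn),
    }


if __name__ == "__main__":
    for atr in ("3B 80 80 01 01", "3B8F8001804F0CA0000003060300020000000069"):
        print(atr, "->", parse_atr(atr))
```

The empty ATR parses cleanly (T=0 and T=1 offered, valid TCK) but carries no historical bytes, so there is nothing identifying a card type; the 4K ATR yields the PC/SC Workgroup RID, SS 03 and NN 0002, the Mifare Standard 4K entry of the reply.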

Re: Mifare Classic SoftTag Emulation

Hi,

@edo512 - thanks for the reply smile. Knew partially some of the info; good to learn new stuff though.

My questions then are:
1. Anyone knows how to set ACR122U's ATR to a custom one? (firmware hack? *scard*dll hacks for win32? other hacks or lin/mac?)

2. Why would for RF's sake this pn53x_transceive(pdi,pncmd_target_receive,2) fail on win32 with ACR122 emulation and Omnikey 5321 reader? (don't want to start a new thread for this smile )

Thanks

Regards,
Andrei Costin - http://andreicostin.com

Re: Mifare Classic SoftTag Emulation

I've had long discussions with roel about this same issue, and the problem is with timing... You cannot properly emulate tags with a PCSC device because you can't respond quickly enough during the anti-collision phase... However, it's possible that it will work with devices that are being controlled directly with libnfc, such as pn531 or pn533... I'm currently testing your mf_darkside attack (nice work, BTW!) with a snapper/feeder device (http://www.snapper.co.nz/index.html) which go for around $25NZ, so you might want to get one of those...

As far as setting the ATR goes, check 'pn532emulate.py' in the RFIDIOt distribution (http://rfidiot.org).

Last edited by adam@algroup.co.uk (2009-12-05 10:44:48)

Re: Mifare Classic SoftTag Emulation

Hi,

[MM] - Thanks for clarifying this topic and for suggesting the snapper/feeder/pn532emulate. Also, thanks for words of appreciation.

Regarding the emulation - pushing the emulation further, I have started the Nokia 6131/6212 emulation feasibility checks.

Here is a wiki entry for those interested in giving a helpful hand:
http://code.google.com/p/tk-libnfc-crap … gEmulation

Hopefully the full emulation task is an achievable one smile

Last edited by zveriu (2009-12-14 12:16:57)

Re: Mifare Classic SoftTag Emulation

Hi,

I have tested the "nfc-emulate.c" example to emulate a MIFARE 1K with an ACR122.
For example, I want to get the UID with the Nokia 6131 phone. I have an application which does that. But it doesn't work.

Is it possible to do that, and if yes, do you have some extra examples which demonstrate how the emulator works?

Thanks in advance,

Joris