Saturday, August 22, 2015

RFIDler is better than your fiddler

As promised here is my in-depth write up on integrating the RFIDler into my setup. It has not been hard, but there are some definite lessons I have learned.
First let me start by describing what the tool is. The RFIDler is a Software Defined (SD) Low Frequency Only (LFO) Radio (R) (SDLFOR). It is from Aperture Labs. Mine came as an exposed circuit board with an exposed coil antenna.

On the right side of the board in the photo, near the top, you can see the Micro USB plug. The RFIDler uses an onboard UART to USB converter to talk to its host. Since I use Linux on virtually all my machines, this write up will assume that environment. There are equivalent procedures for Windows, I am told, but I have never done them. I have tested using a Raspberry Pi host and Minicom as the manual communication channel. For automated commands I use Python to make calls to the rfidler.py script, as you will see in a bit.

The manual interface was my first stop. The commands in the current firmware are:

ANALOGUE[N] <# OF SAMPLES> Sample raw coil ([N]o local clock) & output in XML (HEX)
APDU <CLA+INS+P1+P2[+LC+DATA][+LE]> Transmit (HEX) ISO-7816-4 APDU to SmartCard. Return is [DATA]+<SW1>+<SW2>
API Switch to API mode
ASK <HEX UID> <FC> <RATE> <REPEAT> Emulate ASK, Field Clock in uS/100, Data Rate in RF/n
ATR Get Answer To Reset from SmartCard
AUTH [HEX KEY] [BLOCK] Authenticate in CRYPTO mode
AUTOPOT Auto-Detect ideal POT setting(s)
AUTORATE Auto-Detect data rate
AUTORUN [OFF | COMMAND [ARGS]] Set/Show startup command
AUTOTAG Auto-Detect TAG type
BINTOHEX <BIN> Show BINARY as HEX string
BL Reboot in BOOTLOADER mode
CLI Switch to CLI mode
COIL <HIGH|LOW> Set emulator coil output HIGH/LOW
CONFIG Show current NVM config
CONVERT <TAGTYPE> Convert VTAG to TAGTYPE
CLOCKH <HZ> Enable H/W TOGGLE CLOCK (timings in Hz, max 250,000)
CLOCKP <PW> <PERIOD> Enable H/W PWM CLOCK (timings in uS/100, max 53,687,091)
CLOCKT <PERIOD> Enable H/W TOGGLE CLOCK (timings in uS/100, max 53,687,091)
CLONE [HEX KEY|PWD] Copy Virtual TAG to TAG (may require auth/login)
COPY [TAGTYPE] [HEX KEY|PWD] Copy TAG (and optionally convert) to Virtual TAG (may require auth/login)
DEBUG [1-4] Toggle DEBUG line state (no argument to SHOW current states)
DEBUGOFF <0-4> DEBUG off (LOW) (0 for ALL)
DEBUGON <0-4> DEBUG on (HIGH) (0 for ALL)
DETECT Detect external clock with READER coil
DOOR <CLOSE|OPEN> Close or Open DOOR RELAY
DUMP <START BLOCK> [END BLOCK] Read and view data block(s) (may require auth/login)
EMU <UID> One-shot emulate UID with current TAG config
EMULATOR [BG] Continuously emulate VTAG [optionally in the BackGround]
ENCODE <UID> [TAGTYPE] Show raw HEX UID or create VTAG for encoded UID
EXAMPLES Show some emulation examples
FSK <HEX UID> <FC> <RATE> <SUB0> <SUB1> <REPEAT> Emulate FSK, Field Clock in uS/100, Data Rate in RF/n, Sub Carriers 0/1 in RF/n
FREQUENCY Show resonant frequency of coil
HELP Show this help
HEXTOBIN <HEX> Show HEX as BINARY string
LOAD Load config from NVM
LED <1-6> Toggle LED
LEDOFF <0-6> LED off (0 for ALL)
LEDON <0-6> LED on (0 for ALL)
LOGIN [PWD] [BLOCK] Authenticate in PASSWORD mode
PING Keepalive - prints 'RFIDler'
POTS Show POT wiper settings
POTINC <H|L> <1-255> Increment POT
POTDEC <H|L> <1-255> Decrement POT 
POTSET[V][NV] <H|L> <0-255> Set [Volts][Non Volatile] POT wiper
PSK1 <HEX UID> <FC> <RATE> <SUB> <REPEAT> Emulate PSK1, Field Clock in uS/100, Data Rate in RF/n, Sub Carrier in RF/n
PWM <FC> <SLEEP> <WAKE> <PW0> <PW1> <GAP> <TXRX> <RXTX> Set PWM parameters for RWD commands, Field Clock in uS/100, timings in FCs
READ <START BLOCK> [END BLOCK] Read and store data block(s) (may require auth/login)
READER Go into READER mode (continuously acquire UID)
REBOOT Perform soft reset
RTC Show Real Time Clock
RWD <BINARY> Send binary command/data
SAVE Save current config to NVM
SELECT [UID] Send SELECT command
SET BIPHASE <ON|OFF> Set BiPhase encoding
SET BITS <BITS> Set number of data bits
SET FC <PERIOD> Set Field Clock in uS/100
SET INVERT <ON|OFF> Set data inversion
SET MANCHESTER <ON|OFF> Set Manchester encoding
SET MOD <ASK|FSK|PSK1> Set modulation scheme
SET PSK <QUALITY> Set minimum PSK pulse width in uS
SET RATE <RATE> Set Data Rate in RF/n (FC/bit)
SET REPEAT <REPEAT> Set emulation transmission repetitions
SET SUB0 <RATE> Set Sub Carrier 0 data rate in RF/n (FC/bit)
SET SUB1 <RATE> Set Sub Carrier 1 data rate in RF/n (FC/bit)
SET SYNCBITS <BITS> Set number of SYNC bits
SET SYNC<0-3> <HEX> Set SYNC byte 0-3
SET TAG <TYPE> Set parameters appropriate for TAG TYPE
SET VTAG <TYPE> Set Virtual TAG TYPE
SNIFFER Go into SNIFFER mode (continuously sniff UID)
SNIFF-PWM [MIN GAP] [MIN PULSE] [MESG GAP] Sniff PWM on external clock with READER coil. Values in uS (default 12/0/0).
STOP Stop any running clocks
TAGS Show known TAG TYPES
TCONFIG Show TAG's config block
TEST-HITAG Hitag2 crypto - test correctness & timing
TEST-RWD [HEX KEY|PATTERN|PWD] Find ideal paramaters for RWD commands
TEST-SC Test ISO-7816 Smartcard (get ATR)
TEST-SD Test SD card (directory listing)
TEST-TIMER Timer tests
TEST-WIEGAND Wiegand loopback test
TEST-WIEGAND-READ <DEBUG PIN> Wiegand reader test (triggers with DEBUG_PIN_X)
TRESET [PWD] Reset TAG's config block to default
TRISTATE <ON|OFF> Switch reader circuit tri-state ON/OFF
TWIPE [PWD] Reset TAG contents to default (*** all data will be lost!)
UID Read TAG UID
VERSION Show firmware version
VTAG Show contents of Virtual TAG
VWRITE <BLOCK> <HEX DATA> Write VTAG data block(s)
WIEGAND-LEARN Learn Wiegand input timings
WIEGAND-OUT <OFF|ON> Set Wiegand output OFF or ON
WIEGAND-READ Read Wiegand input
WIEGAND-WRITE <BINARY> Send Wiegand output
WIPE Wipe NVM
WRITE <BLOCK> <HEX DATA> Write data block (may require login/auth)
WIRING Show wiring diagram (alias: WIRES PINS)

There is a lot on that list, but luckily there are only a few that we will need to be familiar with to get our manual cloning setup running. Let's assume for a moment that you know the type of card that you want to clone is in the EM4x02 family and the card you have to clone it to is one in the T55x7 family. The commands below will achieve this in two parts. First place the physical source card on the coil. Then issue the commands:

set tag EM4X02
uid
copy

The first command 'set tag EM4X02' tells the RFIDler what type of physical source card to expect data from. This automatically configures things like modulation scheme and bit rate. You can change these if you need to, but the defaults worked perfectly for me. The second command 'uid' will display the UID of the card on the reader, using the given tag type to decode the data. It isn't strictly necessary, but it will help you verify you are reading the card correctly. The third command 'copy' does just that. It samples the card on the coil and stores the decoded information. You now have a copy of that card in memory on the RFIDler. This storage is called the Virtual Tag or VTAG. When you are writing a clone card, you are really taking the virtual tag's data and moving it back into physical space. When you use the emulator feature, you are really just broadcasting the VTAG storage as if your antenna was inside a card.

Now you can remove the physical source card from the coil. Place the physical clone card on the coil and run the commands:

vtag
convert T55X7
clone

The first command here, 'vtag', will display the contents of the VTAG memory. They should still match the data from our last 'copy' operation. Look at the UID field and verify it matches the output from the UID command earlier. The 'convert T55X7' command takes the data we captured into the VTAG and converts it to almost any other known tag type for you. If you issued another VTAG command you'd see that there is a new section that shows the converted data as well. This is the data that will actually be copied to the new card. The third command 'clone' takes the information for the converted VTAG and writes it out to the physical clone card.
So condensed down the entire process looks like:

set tag EM4X02
copy
convert T55X7
clone

That is it for manually cloning a proximity card. Only 4 strictly necessary commands. I can do the entire operation in less than half a minute. My next goal is to script the RFIDler to capture multiple UIDs from unknown card types. There are some key challenges to overcome before I fully achieve this though. First, it cannot use one-shot commands like COPY, AUTOTAG, etc., because it will need to be continuously running. It needs to store the captured data to 1 or more files so they can be analyzed later. It needs to be able to automatically run from a Raspberry Pi on boot. I will go over the script for this once I have finished testing it.
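Here is the read-and-verify half of the manual flow above (set tag, uid, copy, vtag, then the UID cross-check recommended earlier) driven from Python the way the rfidler.py calls mentioned at the start would be, plus the per-capture record format that the log file in the last paragraph needs. This is an added example written for this write-up, not code from the post or from Aperture Labs' own rfidler.py. It assumes, as labelled in the comments, that in API mode each reply ends with a lone '.' on success or '!' on failure, that the 'uid' reply carries the UID as a bare hex line, and that the 'vtag' output contains a 'UID:' line; the replies fed to FakeTransport are constructed so the module runs with no hardware attached.

```python
"""Drive the RFIDler CLI over a serial link and verify a captured VTAG.

Added example, not the post's or Aperture Labs' code. Assumptions:
  * API-mode replies end with a lone '.' (success) or '!' (failure).
  * The 'uid' reply gives the UID as a bare hex line.
  * The 'vtag' reply contains a line of the form 'UID: <hex>'.
The FakeTransport replies below are constructed test data in that assumed layout.
"""
import re
import time


class FakeTransport:
    """Scripted stand-in for the serial port; replies are constructed, not captured."""

    def __init__(self, replies):
        self.replies = replies   # command text -> list of reply lines
        self.sent = []           # every command written, for inspection
        self._pending = []

    def write_line(self, text):
        self.sent.append(text)
        self._pending = list(self.replies.get(text, ["!"]))

    def read_line(self):
        return self._pending.pop(0) if self._pending else ""


class SerialTransport:
    """Real transport over pyserial; imported lazily so the module runs offline."""

    def __init__(self, port, baud=115200, timeout=2.0):
        import serial  # pyserial
        self.ser = serial.Serial(port, baud, timeout=timeout)

    def write_line(self, text):
        self.ser.write((text + "\r\n").encode("ascii"))

    def read_line(self):
        # readline() returns b"" on timeout, which command() treats as failure
        return self.ser.readline().decode("ascii", "replace").rstrip("\r\n")


class RFIDlerSession:
    """Minimal command/response loop over whichever transport is supplied."""

    def __init__(self, transport):
        self.t = transport

    def command(self, cmd):
        """Send one CLI command and gather reply lines until the terminator.
        ASSUMPTION: lone '.' ends a successful reply, lone '!' a failed one."""
        self.t.write_line(cmd)
        lines = []
        while True:
            line = self.t.read_line()
            if line == ".":
                return True, lines
            if line in ("!", ""):          # explicit failure or read timeout
                return False, lines
            lines.append(line)


HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def uid_from_uid_reply(lines):
    """ASSUMPTION: the 'uid' reply carries the UID as a bare hex line."""
    for line in lines:
        if HEX_RE.match(line.strip()):
            return line.strip().upper()
    return None


def uid_from_vtag_reply(lines):
    """ASSUMPTION: the 'vtag' reply has a line like 'UID: <hex>'."""
    for line in lines:
        if line.strip().upper().startswith("UID"):
            return line.split()[-1].upper()
    return None


def capture_and_verify(session, tag_type="EM4X02"):
    """set tag -> uid -> copy -> vtag, then confirm the VTAG holds the UID we read.
    Returns (read_uid, vtag_uid, matches); raises if a step is rejected."""
    ok, _ = session.command("set tag " + tag_type)
    if not ok:
        raise RuntimeError("set tag rejected: " + tag_type)
    ok, uid_lines = session.command("uid")
    if not ok:
        raise RuntimeError("no card decoded with tag type " + tag_type)
    read_uid = uid_from_uid_reply(uid_lines)
    ok, _ = session.command("copy")
    if not ok:
        raise RuntimeError("copy failed")
    ok, vtag_lines = session.command("vtag")
    if not ok:
        raise RuntimeError("vtag failed")
    vtag_uid = uid_from_vtag_reply(vtag_lines)
    return read_uid, vtag_uid, (read_uid is not None and read_uid == vtag_uid)


def record_line(tag_type, uid, ts=None):
    """One CSV line (UTC timestamp, tag type, UID) for the later-analysis log file."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(ts))
    return "{},{},{}".format(stamp, tag_type, uid)


if __name__ == "__main__":
    # Offline demo on constructed replies; use SerialTransport("/dev/ttyACM0") for hardware.
    fake = FakeTransport({
        "set tag EM4X02": ["."],
        "uid": ["1234567890", "."],
        "copy": ["."],
        "vtag": ["Tag type: EM4X02", "UID: 1234567890", "."],
    })
    print(capture_and_verify(RFIDlerSession(fake)))
```

The session treats a read timeout the same as the '!' terminator, so a card lifted off the coil mid-command surfaces as a failed step rather than a hang, and the mismatch check catches a VTAG that was filled from a different read than the 'uid' you just looked at.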
