Comment by kweks 10 months ago

CEO of Lab401.com / Flipper Distributor / RFID geek.

One of the best resources is probably the Discord channels. There is the official channel, and the non-official (for non-official firmware). YMMV, but the non-official seems to be more active.

The Flipper is "somewhat underpowered" in terms of hardware for RFID, or specifically 13.56MHz, but makes up for it in a very active development community.

"Access badges" is a fairly vast blanket term. Anything that's not an exhaustive, lengthy breakdown will be inherently over-generalised, but here we go:

125KHz: Low Frequency: _usually_ cards with "just" an ID or very limited memory. _Usually_ much simpler technology. _Usually_ without security, and much easier to copy.

There are multiple encoding and modulation methods in this family, almost all of which are encompassed in a (fairly amazing) tag that can emulate them all - meaning they can be cloned easily: the T5577 chipset.

There's much more penetration of these chipsets in non-EU markets (US, Canada, etc). Key brands and tags: HID Prox, EM4XXX, Hitag, etc.

The FlipperZero handles most / if not all of these very well (read / save / emulate / write).

High-Frequency tags (13.56MHz): encompasses multiple ISO standards: 14443-A/B/C (lots of access cards), also ISO15693 (slightly longer read range, more industrial tags, ski-passes, etc), and EMV (payment cards) among others.

There are many sub-protocols and implementations of these higher level standards. But these can be generalised as: small memory units / computing units on a chip. As such: larger functionality, and various security.

The most well-known family is probably MIFARE (1K/4K Classic..). Chances are you've got one somewhere. Encryption is totally broken.

Ultralight / NTAG: Cheaper, no / not much security (password + signatures on some tags, and counters). Typically used for ticketing etc.

These are handled in Flipper.

Other implementations: DESFIRE: Uncracked. iCLASS (Commercial Access Control - iCLASS SE / ELITE / SEOS ..). Can be cloned, or suffer from downgrade attacks. Not handled by Flipper by default.

The Flipper has a fundamental 'flaw' with high-frequency tags: it can't handle emulation on chip, and its clock isn't evenly divisible by 13.56MHz, so emulation and some functions are always going to be limited. With that said, the 13.56MHz stack is always improving - the community has done amazing things.

Likewise, cracking (typically: MIFARE) is CPU / memory intensive. The Flipper can limp through some implementations, and can team up with a PC for others.

However, more specialised devices (Proxmark, iCopy-X) pick up where the Flipper leaves off.

In summary, it's a very useful tool for RFID (LF + HF) - can handle most LF operations, and quite a few HF operations - before you have to reach for much more expensive hardware (Proxmark: ~300 EU).

Some people to check out on YT: https://www.youtube.com/@TalkingSasquach https://www.youtube.com/watch?v=VF3xlAm_tdo

Feel free to reach out for more questions.
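As an added example (not part of kweks's comment or anything else in this thread), the Python below shows what an EM410x-family LF badge of the "just an ID" kind actually carries: a 64-bit frame made of nine header ones, ten rows of four data bits each followed by a row parity bit, four column parity bits and a stop bit, wrapping a 40-bit ID (8-bit version/customer code plus 32-bit serial). That is the published EM4100 layout; the sample ID is constructed. The decoder verifies every parity bit and recovers the ID, which makes the security point concrete: nothing in the frame depends on a secret, so whoever has the bits has the credential, and a badge like this should not be the only factor protecting a door.

```python
"""Decode and verify EM410x-family 64-bit LF badge frames (added example, not from the thread)."""
from typing import List, Optional, Tuple

HEADER_BITS = 9   # nine consecutive 1s open the frame
ROWS = 10         # ten rows of four data bits: 8-bit version/customer code + 32-bit serial
COLS = 4


def _even_parity(bits) -> int:
    """Even parity bit for a list of bits: 1 when an odd number of bits are set."""
    return sum(bits) & 1


def em410x_encode(card_id: int) -> List[int]:
    """Lay a 40-bit ID out as the 64-bit EM410x frame (used here to build the sample frame)."""
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM410x carries exactly 40 bits of ID")
    nibbles = [(card_id >> (4 * (ROWS - 1 - r))) & 0xF for r in range(ROWS)]
    rows = [[(n >> (COLS - 1 - c)) & 1 for c in range(COLS)] for n in nibbles]
    frame = [1] * HEADER_BITS
    for row in rows:
        frame += row + [_even_parity(row)]                                  # row parity per nibble
    frame += [_even_parity([row[c] for row in rows]) for c in range(COLS)]  # column parity
    frame.append(0)                                                          # stop bit
    return frame


def em410x_decode(frame) -> Optional[int]:
    """Return the 40-bit ID if header, stop bit, row and column parities all check out, else None."""
    if len(frame) != HEADER_BITS + ROWS * (COLS + 1) + COLS + 1:
        return None
    if any(b != 1 for b in frame[:HEADER_BITS]) or frame[-1] != 0:
        return None
    rows, pos = [], HEADER_BITS
    for _ in range(ROWS):
        row = frame[pos:pos + COLS]
        if _even_parity(row) != frame[pos + COLS]:
            return None                              # row parity failure
        rows.append(row)
        pos += COLS + 1
    for c in range(COLS):
        if _even_parity([row[c] for row in rows]) != frame[pos + c]:
            return None                              # column parity failure
    card_id = 0
    for row in rows:
        for bit in row:
            card_id = (card_id << 1) | bit
    return card_id


def em410x_fields(card_id: int) -> Tuple[int, int]:
    """Split a decoded ID into its 8-bit version/customer code and 32-bit serial."""
    return card_id >> 32, card_id & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample ID; not taken from any real badge.
    sample = em410x_encode(0x1234567890)
    print("".join(map(str, sample)))
    print(hex(em410x_decode(sample)), em410x_fields(0x1234567890))
```

The two parity layers only detect transmission errors; a single flipped data bit fails its row check, and two flips within one row slip past the row check but fail the column check. Neither layer authenticates anything, which is the property that separates this family from the 13.56MHz cards discussed further down.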

aftbit 10 months ago

Is it possible to emulate EMV cards? I have not had any luck with that, and most people are unwilling to talk about it as the usual use cases are pretty black hat (carding etc). I just want to use my Flipper (or some other hardware) to make a payment with my own card. I'm not trying to do any fraud. I want something that does tap to pay using any of the CCs that I own, without having to have a modern locked Android or iPhone that cooperates with the bank.

  • kweks 10 months ago

    Closest thing to it is the "MagSpoof" device (originally made by Samy Kamkar) - which "emulates" a MagStripe track (Tracks 1/2/3) wirelessly.

    There are a few suppliers building these devices. The bad uses outstrip the good uses.

    • aftbit 10 months ago

      Yeah I built one of these for myself around the time it was announced. Even then, EMV was on the way, and you needed to do a little dance where you put a disabled card into the reader three times to force it to fall back to magstripe, then you could run the spoofer. I did this successfully on some vending machines and the like, but never tried it in stores.

      > The bad uses outstrip the good uses.

      I understand this logic, but I reject it conceptually. This is true for a huge variety of products. At the end of the day, it should be up to the individual to decide this. We survived as a society with substantially higher trust in the past. For example, check fraud is technically trivial and quite common, but did not prevent checks from being an accepted method of payment. Perhaps there is a path back to this in the future, but certainly not if we allow the megacorps and governments to make all technical decisions for the greater good.

      I can write more about this but this is not the place or time.

stavros 10 months ago

I got a Proxmark 3 clone from Ali for $35 or so, it's been fantastic. I'm not entirely sure how to crack Mifare tags with the Proxmark (how to efficiently brute-force the key), though. AFAIK the way to do it on the Flipper is to read the tag and then listen to what the reader sends (which I haven't gotten around to trying), does the Proxmark do things differently?

  • kweks 10 months ago

    There are multiple ways to crack MIFARE - depending on the actual chipset version / manufacturer.

    For Mifare Classic:
    - Nested (uses one known key to crack others)
    - Darkside (derives a key with no others. Slower; results are typically handed off to the nested attack to calculate remaining keys..)

    For newer versions of the Mifare Classic with better PRNGs - "Hardened" cards: HardNested. Needs one known key.

    For cards that provide a static nonce (to try to evade cracking, i.e. FUDAN) - Static Nested.

    For the latest generation FUDAN: Static Encrypted HardNested.

    Note, for the nested attacks - if you don't have a known key, these can be sniffed from the access control reader, and then cracked (MFKey32/64).

    Flipper supports the MFKey32 attacks, and limited nested. You may bump into limits of your Proxmark clone with hardnested cracking - it's memory intensive, and most of the Proxmark Easy clones have reduced RAM.

    There's actually an auto_crack Lua script on proxmark (use this fork: https://github.com/RfidResearchGroup/proxmark3 ) which will take most of the hassle out of cracking.

    Cracking requires very, very precise timing: in a nutshell, you're trying to predict nonces / PRNG values by sending very precisely timed requests, and then later cracking those results.

    The Flipper has limited CPU power - its main "attack vector" against MIFARE is a very large keylist / dictionary of common MIFARE keys. It's slow and dumb, but it works for most cases. It can also do limited cracking, depending on the type required.

    The Proxmark is built around an FPGA, and can crack much, much more efficiently.
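Added example, written for this thread and not taken from kweks's reply, the Flipper or Proxmark code bases: a Python auditor that reads a MIFARE Classic 1K dump and reports what the dictionary approach described above would find on your own cards, plus the configuration mistakes that make the keys moot. It flags sector trailers still holding published default keys, key A equal to key B, access bits whose inverted copies disagree, and trailer conditions (C1C2C3 of 000, 001 or 010) under which key B can be read with key A and so is not a secret at all; it also checks that the block 0 BCC matches the UID. The trailer layout and access-bit encoding follow the NXP MF1 datasheet; the default-key list is an illustrative subset of the well-known published defaults; the UID, keys and dump contents are constructed.

```python
"""Audit a MIFARE Classic 1K dump for weak key and access-bit choices (added example, not from the thread)."""
from typing import Dict, List, Optional, Tuple

# Published factory / library default keys: an illustrative subset of a dictionary-attack keylist.
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7",
    "B0B1B2B3B4B5", "4D3A99C351DD", "1A982C7E459A", "AABBCCDDEEFF",
)}
BLOCK_LEN, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16   # MIFARE Classic 1K geometry
# Sector-trailer access conditions (C1,C2,C3) under which key B is readable with key A
# and therefore cannot serve as a secret (NXP MF1S50 datasheet, sector trailer table).
KEY_B_READABLE = {(0, 0, 0), (0, 0, 1), (0, 1, 0)}


def decode_access_bits(acc: bytes) -> Optional[List[Tuple[int, int, int]]]:
    """Decode trailer bytes 6..8 into (C1,C2,C3) per block 0..3; None if the inverted copies disagree."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4          # plain copies, bit i = block i
    nc1, nc2, nc3 = b6 & 0xF, b6 >> 4, b7 & 0xF      # inverted copies
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        return None
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(BLOCKS_PER_SECTOR)]


def audit_dump(dump: bytes) -> Dict[int, List[str]]:
    """Return {sector: [issues]} for a 1024-byte Classic 1K image."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings: Dict[int, List[str]] = {}
    uid, bcc = dump[0:4], dump[4]
    if bcc != uid[0] ^ uid[1] ^ uid[2] ^ uid[3]:
        findings.setdefault(0, []).append("block 0 BCC does not match the 4-byte UID")
    for s in range(SECTORS):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_LEN     # block 3 of each sector is the trailer
        trailer = dump[start:start + BLOCK_LEN]
        key_a, acc, key_b = trailer[0:6], trailer[6:10], trailer[10:16]
        issues = []
        for name, key in (("key A", key_a), ("key B", key_b)):
            if key in DEFAULT_KEYS:
                issues.append(f"{name} is a published default ({key.hex().upper()})")
        if key_a == key_b:
            issues.append("key A equals key B")
        conds = decode_access_bits(acc)
        if conds is None:
            issues.append("access bits are internally inconsistent (inverted copies disagree)")
        elif conds[3] in KEY_B_READABLE:
            issues.append("trailer access bits let key A read key B, so key B is not a secret")
        if issues:
            findings.setdefault(s, []).extend(issues)
    return findings


def build_sample_dump() -> bytes:
    """Constructed 1K image: factory defaults everywhere except sectors 1 and 2."""
    dump = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN)
    uid = bytes.fromhex("DEADBEEF")                  # constructed UID
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    dump[0:16] = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)   # UID, BCC, SAK, ATQA, filler
    default_trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    for s in range(SECTORS):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_LEN
        dump[start:start + BLOCK_LEN] = default_trailer
    # Sector 1: custom keys, but transport access bits (FF 07 80) leave key B readable with key A.
    dump[(1 * 4 + 3) * 16:(1 * 4 + 4) * 16] = bytes.fromhex("112233445566" "FF078069" "665544332211")
    # Sector 2: custom keys with 78 77 88 access bits (data: read A|B, write B; trailer: key B never readable).
    dump[(2 * 4 + 3) * 16:(2 * 4 + 4) * 16] = bytes.fromhex("112233445566" "78778869" "665544332211")
    return bytes(dump)


if __name__ == "__main__":
    for sector, issues in sorted(audit_dump(build_sample_dump()).items()):
        print(f"sector {sector:2d}: " + "; ".join(issues))
```

Run against the constructed image, sector 2 comes back clean, sector 1 is flagged only for its key B being readable, and every other sector is flagged for factory-default keys. On a real dump the same report tells you which sectors a keylist alone would open, which is the cheapest thing to fix before worrying about the nested and hardnested attacks described above, since those still work against Classic regardless of key choice.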

renewiltord 10 months ago

What a great comment. If I could overpay my karma into it, I would do so ten times. Thanks for the helpful tips. Most fobs I've encountered are the basic 125 kHz ones but some, like my garage keycard, are not. And I'd like to be able to amplify that signal because it's hard to get the garage in my condo building to detect the card.

  • kweks 10 months ago

    Because it's passively powered, "amplifying" isn't really possible, short of replacing the access control reader.

    With that said, if your badge is in tag/fob format, you could clone it onto a card-format. Larger antenna, better coupling.

A4ET8a8uTh0 10 months ago

Thank you for going into that level of detail here :D That makes the search a lot easier for me and it is a reminder why I keep coming back here.

I am only starting my adventure with RFID and there is a lot to learn, but it has been a while since I was this weirdly excited.