Europe: Lab401
United States: Hackerwarehouse
UK: KSEC
Anywhere else: Sneaktechnology / Aliexpress by RRG
Why not keep using ATxmega128? First of all, it is difficult to buy chips because the lead time for the main chip is too long, and because the price has skyrocketed. Secondly, because the interaction speed of the ATxmega simulation is slow, the decryption performance of the READER mode cannot meet the needs, and the low-frequency function cannot be added, so we have been trying to upgrade it, such as using the latest ARM to replace the AVR framework, and the performance will definitely be greatly improved.
NRF52840 has a built-in NFC Tag-A module, but no one seems to care about it. After playing with HydraNFC's TRF7970A and
FlipperZero's ST25R3916, the developers found that they can only simulate MIFARE UID. I accidentally tested the NFC of
52840, and found that it is not only surprisingly easy to simulate a complete MIFARE card, but also has very good
simulation performance, friendly data flow interaction, and very fast response, unlike the former which is limited by
the SPI bus clock rate. We also found that it has ultra-low power consumption, ultra-small size, 256kb/1M large RAM and
FLASH, also has BLE5.0 and USB2.0 FS, super CotexM4F, most importantly, he is very cheap! This is undoubtedly a treasure
discovery for us!
Below we will explain in detail how we exploited the performance of the NRF52840, and what seemingly impossible functions have been realized with it!
Update:
- FlipperZero can simulate mifare sector now, but FDT so high.
| Attack Type | Tag Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
|---|---|---|---|---|---|
| Sniffing | No | No | No | No | |
| MFKEY32 V2 | MifareClassic | Support | Support | Support | MifareClassic Detection |
| Darkside | MifareClassic | Support | Support | Support | Encrypted 4 bit NAck |
| Nested | MifareClassic | Support | Support | Support | PRNG(Distance guess) |
| StaticNested | MifareClassic | Support | Support | Not yet implemented | PRNG(2NT Fast Decrypt) |
| HardNested | MifareClassic | Support | Support | Not yet implemented | No |
| Relay attack | ISO14443A | Support | Support | Not yet implemented | No |
| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
|---|---|---|---|---|---|
| Non <13.56MHz or ISO14443A> | No | No | No | No | NRF52 NFC Module |
| NTAG 21x (210-218) | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| Mifare Ultralight | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| Mifare Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| Mifare Ultralight C | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| MifareClassic1K/2K/4K (4B/7B) | ISO14443A/106 kbit/s | Support | Support | Support | |
| Mifare DESFire | ISO14443A High Rate | Only supported Low rate | Only supported Low rate | Not yet implemented | |
| Mifare DESFire EV1 | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | Backward compatible |
| Mifare DESFire EV2 | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | |
| Mifare PLUS | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented |
| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
|---|---|---|---|---|---|
| Non <13.56MHz or ISO14443A> | No | No | No | No | NXP RC522 Datasheet |
| NTAG 21x (210-218) | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| Mifare Ultralight | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| Mifare Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| Mifare Ultralight C | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | |
| MifareClassic1K/2K/4K (4B/7B) | ISO14443A/106 kbit/s | Support | Support | Support | |
| Mifare DESFire | ISO14443A High Rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | |
| Mifare DESFire EV1 | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | Backward compatible |
| Mifare DESFire EV2 | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | |
| Mifare PLUS | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented |
| Vulnerability Type | Tag Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
|---|---|---|---|---|---|
| Sniffing | 125KHz | Support | Support | Not yet implemented | |
| Brute Force | EM410x ID | Support | Support | Not yet implemented |
| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
|---|---|---|---|---|---|
| Non <125KHz/ASK/PSK/FSK> | No | No | No | No | Only 125 khz RF, Modulation ASK, FSK and PSK. |
| EM410x | ASK | Support | Support | Support | EM4100 is support(AD 64bit) |
| T5577 | ASK | Support | Support | Not yet implemented | |
| HID Prox | FSK | Support | Support | Not yet implemented | |
| Indala | PSK | Support | Support | Not yet implemented | |
| FDX-B | ASK | Support | Support | Not yet implemented | |
| Paradox | FSK | Support | Support | Not yet implemented | |
| Keri | PSK | Support | Support | Not yet implemented | |
| AWD | FSK | Support | Support | Not yet implemented | |
| ioProx | FSK | Support | Support | Not yet implemented | |
| securakey | ASK | Support | Support | Not yet implemented | |
| gallagher | ASK | Support | Support | Not yet implemented | |
| PAC/Stanley | ASK | Support | Support | Not yet implemented | |
| Presco | ASK | Support | Support | Not yet implemented | |
| Visa2000 | ASK | Support | Support | Not yet implemented | |
| Viking | ASK | Support | Support | Not yet implemented | |
| Noralsy | ASK | Support | Support | Not yet implemented | |
| NexWatch | PSK | Support | Support | Not yet implemented | |
| Jablotron | ASK | Support | Support | Not yet implemented |
| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note |
|---|---|---|---|---|---|
| Non <125KHz/ASK/PSK/FSK> | No | No | No | No | Only 125 khz RF, Modulation ASK, FSK and PSK. |
| EM410x | ASK | Support | Support | Support | |
| T5577 | ASK | Support | Support | Support(Write) | |
| HID Prox | FSK | Support | Support | Not yet implemented | |
| Indala | PSK | Support | Support | Not yet implemented | |
| FDX-B | ASK | Support | Support | Not yet implemented | |
| Paradox | FSK | Support | Support | Not yet implemented | |
| Keri | PSK | Support | Support | Not yet implemented | |
| AWD | FSK | Support | Support | Not yet implemented | |
| ioProx | FSK | Support | Support | Not yet implemented | |
| securakey | ASK | Support | Support | Not yet implemented | |
| gallagher | ASK | Support | Support | Not yet implemented | |
| PAC/Stanley | ASK | Support | Support | Not yet implemented | |
| Presco | ASK | Support | Support | Not yet implemented | |
| Visa2000 | ASK | Support | Support | Not yet implemented | |
| Viking | ASK | Support | Support | Not yet implemented | |
| Noralsy | ASK | Support | Support | Not yet implemented | |
| NexWatch | PSK | Support | Support | Not yet implemented | |
| Jablotron | ASK | Support | Support | Not yet implemented |
| Modulation Type | wav |
|---|---|
| PSK |  |
| FSK |  |
| ASK |  |
It integrates a high-performance and low-power NFC module inside. When the NFC unit is turned on, the total current of the chip is only 5mA@3.3V. The underlying interaction is done independently by the NFC unit and does not occupy the CPU. In addition, the 52840 itself is a high-performance low-power Bluetooth chip, and the encryption and calculation process is only 7mA@3.3V. It can greatly reduce the battery volume and prolong the working time. That is to say, the 35mAh 10mm* 40mm button lithium battery can guarantee to be charged once every half a year under the working condition of swiping the card 8 times a day for 3 seconds each time. Full potential for everyday use.
We can easily and completely simulate all data and password verification of all sectors, and can customize SAK, ATQA, ATS, etc. Similar to an open CPU card development platform, 14A interaction of various architectures can be easily realized.
The structure of the old Chameleon AVR is slow to start during simulation. Faced with a battery-powered low-power lock and an integrated lock on the door, it will be frequently interrupted, and the verification interaction cannot be completed completely, resulting in no response when swiping the card.
In order to reduce power consumption, the battery lock will send out a field signal as short as possible when searching for a card, which is no problem for the original card, but it is fatal for the MCU simulated card. Cards or mobile smart bracelets simulated by the MCU cannot wake up and respond in such a short time, so many battery locks cannot open the door, which greatly reduces the user experience.
This project specially optimizes the start-up and interaction logic and antenna for low-power reading heads. After testing a variety of common low-power reading heads, they can open the door perfectly by swiping the card.
| Simulation | FDT | "FDT" Rating |
|---|---|---|
| Standard MIFARE Card |  |
⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ |
| ChameleonUltra |  |
⭐⭐⭐⭐⭐⭐⭐⭐ |
| Proxmark3 Rdv4.01 |  |
⭐⭐⭐⭐ |
| RedMi K30 |  |
⭐⭐⭐⭐⭐⭐ |
| ChameleonTiny |  |
⭐⭐⭐⭐⭐ |
| FlipperZero |  |
⭐⭐ |
5. 256kB super large RAM cooperates with RC522 to replace Proxmark3 magically to complete the decoding
| Attack Type | CLI |
|---|---|
| MFKEY32 V2 |  |
| Darkside |  |
| Nested |  |
| StaticNested | Coming Soon |
| HardNested | Coming Soon |
| Relay attack | Coming Soon |
