OpenPICC SnifferOnly 13.56MHz

From OpenBeacon

OpenPICC SnifferOnly frontend for sniffing 13.56MHz RFID card transactions using a PicoScope 3204A.


Sniffing ISO15693 RFID iCLASS SE transactions on a 13.56MHz carrier using a PicoScope 3204A and an OpenPICC SnifferOnly frontend.

OpenPICC Sniffer Hardware Design


You can support our project by buying RFID hardware in our shop.

Software

  • PicoRFID-3K Windows Software for sniffing using a PicoScope 3204A and an OpenPICC SnifferOnly frontend. Make sure to have the latest PicoScope software installed before running this program.
  • Audacity Wave editor software for browsing the gathered data.
  • sox audio processing software for converting the binary log files into WAV files.

Example usage

You can download the latest sources from our OpenBeacon git repository - and browse the source code at tree/host/openpcd/sniffer.

The makefile downloads demo data: a sniff of an iCLASS SE reader successfully reading an iCLASS SE card. Running the sniffer software on it creates a WAV file with the filtered waveform (*.wav) together with a text file of the binary waveform (*.csv). After converting the recorded binary log file into a WAV file you can review it nicely in Audacity.

Resulting output from running 'make demo':

g++ -Werror -Wall -D_REENTRANT -DPROGRAM_VERSION=\"1.0.1-39-g200e-dirty\" -DPROGRAM_NAME=\"openpcd-sniffer\"  -O3 -MM src/filter.cpp > .depend
g++ -Werror -Wall -D_REENTRANT -DPROGRAM_VERSION=\"1.0.1-39-g200e-dirty\" -DPROGRAM_NAME=\"openpcd-sniffer\"  -O3 -c src/filter.cpp -o src/filter.o
g++ -lm  src/filter.o -o openpcd-sniffer
curl -f -o iCLASS-002.img.bz2 http://mirror.openbeacon.net/iCLASS-002.img.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100 21.0M  100 21.0M    0     0  1706k      0  0:00:12  0:00:12 --:--:-- 1830k
bzip2 -cd iCLASS-002.img.bz2 > iCLASS-002.img
./openpcd-sniffer iCLASS-002.img iCLASS-002-filtered.img > iCLASS-002-filtered.csv

processed 001 seconds (written 434027)
processed 002 seconds (written 434028)
processed 003 seconds (written 434028)
processed 004 seconds (written 434028)
processed 005 seconds (written 434027)
processed 006 seconds (written 434028)
processed 007 seconds (written 434028)
processed 008 seconds (written 434028)
processed 009 seconds (written 303762), filtered @ 434027 Hz [DONE]
sox -2 -b 16 -s -c 2 -r 434027 -t raw iCLASS-002-filtered.img iCLASS-002-filtered.wav

Decode the filtered iCLASS SE RFID card sniff of a successful door authentication:

See HID iClass demystified for more information on iCLASS SE cards and readers.

php decode_iso15693_hid_iClass.php  iCLASS-002-filtered.csv > iCLASS-002-filtered.txt

Output:

PCD : CMD ACTALL
PICC: SoF@ 1531.860ms
PCD : CMD IDENTIFY
PICC: RESPONSE=0x3C481920FF5F02FC CRC=OK
 
PCD : CMD SELECT UID=0x3C481920FF5F02FC
PICC: RESPONSE=0xE741CA00F9FF12E0 CRC=OK
 
PCD : CMD READ ADDRESS=0x05 CRC=OK
PICC: RESPONSE=0xFFFFFF0006FFFFFF CRC=OK
 
PCD : CMD READCHECK ADDRESS=0x02
PICC: READCHECK RESPONSE=0xFFFFFFFF6FFFFFFF
 
PCD : CMD CHECK CHALLENGE=0x0D08A692 SIGNATURE=0x61C71FAD
PICC: CHECK RESPONSE=0x2C4594FA
 
PCD : CMD UNKNOWN CMD=0x87 PACKET=0x02FFFFFFFF6EFFFFFF4C3F5EA6
PICC: RESPONSE=0x6EFFFFFFFFFFFFFF CRC=OK
 
PCD : CMD READ ADDRESS=0x06 CRC=OK
PICC: RESPONSE=0x3032810501811A83 CRC=OK
 
PCD : CMD READ ADDRESS=0x0C CRC=OK
PICC: RESPONSE=0xA902050005000000 CRC=OK
 
PCD : CMD READ ADDRESS=0x06 CRC=OK
PICC: RESPONSE=0x3032810501811A83 CRC=OK
 
PCD : CMD READ ADDRESS=0x06 CRC=OK
PICC: RESPONSE=0x3032810501811A83 CRC=OK
 
PCD : CMD READ ADDRESS=0x07 CRC=OK
PICC: RESPONSE=0x42A5020500A60881 CRC=OK
 
PCD : CMD READ ADDRESS=0x08 CRC=OK
PICC: RESPONSE=0x01010403030009A7 CRC=OK
 
PCD : CMD READ ADDRESS=0x09 CRC=OK
PICC: RESPONSE=0x1785154947FC427F CRC=OK
 
PCD : CMD READ ADDRESS=0x0A CRC=OK
PICC: RESPONSE=0x6702414D29AFCC78 CRC=OK
 
PCD : CMD READ ADDRESS=0x0B CRC=OK
PICC: RESPONSE=0x5B52C257197E1D5A CRC=OK
 
PCD : CMD READ ADDRESS=0x0C CRC=OK
PICC: RESPONSE=0xA902050005000000 CRC=OK

Converting sniffed binaries to WAV-files

Record the sniff using the PicoRFID-3K software, which samples at 15.5 MHz and outputs a filtered waveform at 423750 Hz. Use sox to convert the recorded binary log file into a WAV file for review in Audacity.

sox -2 -b 16 -s -c 1 -r 423750 -t raw dump-003.img dump-003.wav

Example Sniffs

Excerpt of the CSV produced by the sniffer: each row carries the delta-compressed time stamp (nanoseconds, ns, elapsed since the previous row) and the signal envelope level (0 or 1) of the sampled RFID waveform:

DeltaTime[ns],SignalEnvelope
1479882005,0
103834,1
47962241,0
4719,1
4719,0
4719,1
9439,0
4719,1
9439,0
4719,1
9439,0
4719,1
14159,0
4719,1
1899705,0
...
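The following is an added example (Python, not part of the OpenBeacon tools) for working with the CSV format above: it undoes the delta compression, turns the rows into pulse widths, groups short pulses into bursts separated by idle time, and checks that every width is a whole number of samples at the 423750 Hz filter rate taken from the sox section. The 423750 Hz rate and the 100 µs idle threshold are assumptions; the rows embedded below are the excerpt from this page.

```python
SAMPLE_RATE_HZ = 423750             # filtered stream rate from the sox section (assumed)
SAMPLE_NS = 1e9 / SAMPLE_RATE_HZ    # ~2359.88 ns per filter sample
# Constructed input: the rows of the CSV excerpt shown on this page.
SAMPLE_CSV = """DeltaTime[ns],SignalEnvelope
1479882005,0
103834,1
47962241,0
4719,1
4719,0
4719,1
9439,0
4719,1
9439,0
4719,1
9439,0
4719,1
14159,0
4719,1
1899705,0
"""

def parse_edges(text):
    """Undo the delta compression: (absolute_time_ns, level) per envelope change."""
    edges, t = [], 0
    for line in text.strip().splitlines()[1:]:   # skip the header row
        delta, level = line.split(",")
        t += int(delta)
        edges.append((t, int(level)))
    return edges

def pulses(edges):
    """(level, duration_ns) for each level held between consecutive edges."""
    return [(lvl, t2 - t1) for (t1, lvl), (t2, _) in zip(edges, edges[1:])]

def split_bursts(pulse_list, gap_ns=100_000):
    """Group short pulses into bursts; a level held longer than gap_ns is idle time."""
    bursts = [[]]
    for level, dur in pulse_list:
        if dur > gap_ns:
            bursts.append([])             # idle interval ends the current burst
        else:
            bursts[-1].append((level, dur))
    return [b for b in bursts if b]

def in_samples(duration_ns):
    """Duration in filter samples (4719 ns -> 2, 9439 ns -> 4, 14159 ns -> 6)."""
    return round(duration_ns / SAMPLE_NS)

def alignment_error_ns(pulse_list):
    """Largest deviation from whole samples; far below SAMPLE_NS confirms the rate."""
    return max(abs(d - in_samples(d) * SAMPLE_NS) for _, d in pulse_list)
```

On this excerpt every interval lands within a nanosecond of a whole sample count, which is how to confirm the capture rate before comparing pulse widths against protocol timings.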