For technical research only; never use for illegal purposes.
[Updated 2020-07-04] [The manufacturer code currently cannot be written successfully] [https://api-mifit-cn.huami.com] has also been replaced by [https://api-mifit-cn2.huami.com]
(First time posting; if there are mistakes, I hope the experts will correct me.)
Conclusion:
Plan 1
On the Mi Band 5 NFC, all sector data of the emulated NFC card can be customised by modifying the HTTPS POST data. [Updated 2020-07-04] [The manufacturer code currently cannot be written successfully]
Plan 2
- First use the band to copy an unencrypted physical access card (write the card number you want to the physical card beforehand), and enable it.
- Then use a PC + NFC reader (ACR122U) to modify this card's data directly. Everything except sector 0 block 0 can be modified. Because sector 0 block 0 contains the card number (UID), the checksum and the manufacturer code, the Mi Band does not allow changing it.
Focusing on Plan 1:
How Plan 1 works:
When we use the Mi Band NFC (generations 3, 4 and 5) to emulate an access card, we need to read an unencrypted access card. After a successful read, the phone uploads the card's UID (uid) and all of its data (blockContent) to the server; all band commands are generated by the server and sent down to the phone, and the phone passes them to the band over Bluetooth. I cannot understand any of these commands and have no way to generate band commands myself. But I can change the UID (uid) and data (blockContent) to what I want before the phone uploads them to the server, and then let the Xiaomi server generate the commands itself, which succeeds.
For capturing and modifying packets on a PC, you can refer to the method in my earlier Mi Band 3 NFC data-modification post.
There are many packet capture and modification tools; choose your own.
Next, the two key requests and their upload parameters.
First API and parameters: [Updated 2020-07-04] [https://api-mifit-cn.huami.com] was replaced by Huami with [https://api-mifit-cn2.huami.com]
https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198
Request Body:
{
"fareCardType": 0,
"fetch_adpu_mode": "SYNC",
"product_sub_type": "",
"sak": "08",
"uid": "12345678",
"aid": "",
"atqa": "0400",
"size": 1024,
"action_type": "copyFareCard",
"blockContent": "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"
}
Second API and parameters: [Updated 2020-07-04] [https://api-mifit-cn.huami.com] was replaced by Huami with [https://api-mifit-cn2.huami.com]
https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974
Request Body:
{
"uid": "12345678",
"fareCardType": 0,
"product_sub_type": "",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH0000
0000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff",
"fetch_adpu_mode": "SYNC",
"session": "3581-547405239-44086875137",
"size": 1024,
"atqa": "0400",
"current_step": "1",
"sak": "08",
"command_results": {
"succeed": true,
"results": [
{
"result": "6F108408A000000151000000A5049F6501FF9000",
"checker": "^(9000|6283)$",
"command": "00A4040008A000000151000000",
"index": "1"
},
{
"result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000",
"checker": "^(9000)$",
"command": "8050200008691C3B013B3EED18",
"index": "2"
}
]
},
"aid": "",
"action_type": "copyFareCard"
}
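As an added example (not code from the original post), the following Python parses a dump in the layout the blockContent field above carries (MIFARE Classic 1K: 16 sectors of 4 blocks of 16 bytes, hex encoded) and audits it the way a site administrator would: it checks the block 0 UID checksum (BCC) that Plan 2 mentions and flags every sector still protected by the factory transport key FFFFFFFFFFFF, which is what makes a card "unencrypted" and copyable by a phone. The sample dump is constructed here, reusing only the uid, sak and atqa values from the request bodies.

```python
# Structure audit for a MIFARE Classic 1K dump in the hex "blockContent" layout:
# 16 sectors x 4 blocks x 16 bytes = 1024 bytes = 2048 hex characters.
from dataclasses import dataclass, field
from typing import List

BLOCK_BYTES, BLOCKS_PER_SECTOR, SECTORS = 16, 4, 16
DEFAULT_KEY = bytes.fromhex("ffffffffffff")      # factory transport key A/B
DEFAULT_ACCESS = bytes.fromhex("ff078069")       # transport access bits + GPB


@dataclass
class AuditResult:
    uid: str
    bcc_ok: bool
    sak: int
    atqa: str
    default_key_sectors: List[int] = field(default_factory=list)

    @property
    def copyable_by_phone(self) -> bool:
        # Any sector readable with the factory key is what the post calls "unencrypted".
        return bool(self.default_key_sectors)


def audit_dump(block_content: str) -> AuditResult:
    raw = bytes.fromhex(block_content)
    if len(raw) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_BYTES:
        raise ValueError(f"expected 1024 bytes, got {len(raw)}")
    # Block 0: UID(4) | BCC(1) | SAK(1) | ATQA(2) | manufacturer data(8)
    block0 = raw[:BLOCK_BYTES]
    uid, bcc, sak, atqa = block0[:4], block0[4], block0[5], block0[6:8]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    result = AuditResult(uid.hex(), bcc == expected_bcc, sak, atqa.hex())
    for sector in range(SECTORS):
        # Last block of each sector is the trailer: key A(6) | access bits(4) | key B(6)
        off = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK_BYTES
        trailer = raw[off:off + BLOCK_BYTES]
        key_a, key_b = trailer[:6], trailer[10:]
        if DEFAULT_KEY in (key_a, key_b):
            result.default_key_sectors.append(sector)
    return result


def build_sample_dump(uid_hex: str = "12345678", sak: int = 0x08, atqa_hex: str = "0400") -> str:
    # Constructed sample: a factory-default card carrying the uid/sak/atqa from the post's request body.
    uid = bytes.fromhex(uid_hex)
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, sak]) + bytes.fromhex(atqa_hex) + bytes(8)
    trailer = DEFAULT_KEY + DEFAULT_ACCESS + DEFAULT_KEY
    empty = bytes(BLOCK_BYTES)
    blocks = [block0, empty, empty, trailer] + [empty, empty, empty, trailer] * (SECTORS - 1)
    return b"".join(blocks).hex()
```

Running audit_dump over a dump captured from a real card deployment shows at a glance whether it relies on factory keys; a card with no default-key sectors cannot be read by the band's copy flow in the first place.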
Your tasks:
- First put the phone into a state where its traffic is being captured, then tap Copy access card (an unencrypted access card is required, otherwise the later API is never triggered).
- Using the capture and modification tool, intercept these two API requests before they are sent and modify two parameters in both request bodies: uid and blockContent. The card that results once copying succeeds carries your custom NFC data.
- I'm not sure whether Android traffic can be captured; Android's certificate trust is too strict. Tested and working on iOS: I wrote a Thor script, and anyone who has used Thor should understand how to customise the data. [Updated 2020-07-04] [The manufacturer code currently cannot be written successfully]
This involves a fair amount of PC-related knowledge that I cannot explain item by item; you can search Baidu. iPhone demo of full NFC data emulation [the video has been taken down by Bilibili]
Tianyi Cloud: Mi Band 5 NFC hands-on video (the tool shown in the video is an HTTP debugging tool on iOS; you need to implement the corresponding rules yourself)
https://cloud.189.cn/t/iqEbymr6Nvqi [Updated 2020-07-04] [Video deleted]
(Access code: lfz5)
Barring surprises, the NFC versions of Bands 3, 4 and 5 all use the same set of interfaces; fellow members can try it on Bands 3 and 4.
Source: http://www.12558.net