Skip to content

Commit

Permalink
fix furui detector
Browse files Browse the repository at this point in the history
  • Loading branch information
taichunmin committed Sep 5, 2023
1 parent b6d197d commit 05b43f7
Show file tree
Hide file tree
Showing 5 changed files with 444 additions and 453 deletions.
9 changes: 4 additions & 5 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@
"web-serial-polyfill": "^1.0.14"
},
"devDependencies": {
"@rollup/plugin-commonjs": "^24.0.1",
"@rollup/plugin-commonjs": "^25.0.0",
"@rollup/plugin-json": "^6.0.0",
"@rollup/plugin-node-resolve": "^15.0.1",
"@rollup/plugin-terser": "^0.4.0",
Expand All @@ -36,7 +36,7 @@
"eslint": "^8.37.0",
"eslint-config-standard": "^17.0.0",
"eslint-plugin-import": "^2.27.5",
"eslint-plugin-n": "^15.7.0",
"eslint-plugin-n": "^16.0.0",
"eslint-plugin-node": "^11.1.0",
"eslint-plugin-promise": "^6.1.1",
"eslint-plugin-pug": "^1.2.5",
Expand All @@ -45,13 +45,12 @@
"html-minifier": "^4.0.0",
"jest": "^29.5.0",
"jstransformer-sass": "^1.0.0",
"jstransformer-scss": "git+https://github.com/taichunmin/jstransformer-scss.git",
"livereload": "^0.9.3",
"lodash": "^4.17.21",
"node-watch": "^0.7.3",
"pug": "^3.0.2",
"rollup": "^3.20.2",
"serialport": "^10.5.0",
"serialport": "^11.0.0",
"serve-static": "^1.15.0",
"web-streams-polyfill": "^3.2.1"
},
Expand Down Expand Up @@ -107,7 +106,7 @@
"url": "https://github.com/taichunmin/pn532.js.git"
},
"resolutions": {
"**/jstransformer-scss": "git+https://github.com/taichunmin/jstransformer-scss.git"
"**/jstransformer-scss": "^2.0.0"
},
"scripts": {
"build": "cross-env DEBUG=app:* node ./index.js && yarn docjs",
Expand Down
3 changes: 3 additions & 0 deletions src/plugin/WebserialAdapter.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ const WEBSERIAL_FILTERS = [
{ usbVendorId: 0x1A86, usbProductId: 0x5523 }, // 1A86: QinHeng Electronics, 5523: CH341 in serial mode, usb to serial port converter
{ usbVendorId: 0x1A86, usbProductId: 0x7522 }, // 1A86: QinHeng Electronics, 7522: CH340 serial converter
{ usbVendorId: 0x1A86, usbProductId: 0x7523 }, // 1A86: QinHeng Electronics, 7523: CH340 serial converter
{ usbVendorId: 0x10C4, usbProductId: 0xEA60 }, // 10C4: Silicon Labs, EA60: CP210x UART Bridge
{ usbVendorId: 0x10C4, usbProductId: 0xEA61 }, // 10C4: Silicon Labs, EA61: CP210x UART Bridge
{ usbVendorId: 0x10C4, usbProductId: 0xEA63 }, // 10C4: Silicon Labs, EA63: CP210x UART Bridge
]

/**
Expand Down
71 changes: 32 additions & 39 deletions web/detector-furui.pug
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
//- trace: https://gist.github.com/taichunmin/a553033b0625b357dea85b1dfd6e390a
extends /layout/default

block beforehtml
Expand Down Expand Up @@ -49,7 +51,7 @@ block content
.input-group.input-group-sm.mb-2.was-validated
.input-group-prepend: span.input-group-text.justify-content-center Block
input.form-control(type="number", min="0", max="63", required, v-model.number="h.block")
.input-group-append: span.input-group-text Sector {{ (h?.block ?? 0) >>> 2 }}
.input-group-append: span.input-group-text Sector {{ blockToSector(h?.block ?? 0) }}
.input-group.input-group-sm.mb-2
.input-group-prepend: span.input-group-text.justify-content-center KEY類型
select.form-control.form-control-sm(v-model.number="h.isKb")
Expand All @@ -75,7 +77,7 @@ block content
v-for="d in h.detects",
:key="`${d.block}-${d.isKb}-${d.key}`",
)
td(@click="btnCopy(d.block >>> 2)") {{ d.block >>> 2 }}
td(@click="btnCopy(blockToSector(d.block))") {{ blockToSector(d.block) }}
td(@click="btnCopy('AB'[d.isKb])") {{ 'AB'[d.isKb] }}
td(@click="btnCopy(d.key)") {{ d.key }}
td(@click="btnSetTestFromDetect(d)"): a.badge.badge-primary.mr-1(href="javascript:void(0)") 填寫
Expand All @@ -84,8 +86,8 @@ block content
.card-body
small
p 請先把原卡放在 PN532 上,按下「讀取卡號」來取得原卡的卡號,然後把原卡移開並把「福睿偵測卡」放到 PN532 上,按下「模擬卡號」來設定卡號。模擬完成後,請把「福睿偵測卡」拿去門禁讀卡機刷卡三次以上,然後再把「福睿偵測卡」放在 PN532 上,按下「破解金鑰」應該就可以取得金鑰了。
p 開發者所取得的「福睿偵測卡」硬體,能夠記錄 8 次 Sector 0 的刷卡記錄,如果已經記錄過 8 次 Sector 0 刷卡記錄,你就需要把「福睿偵測卡」放到 PN532 上,再次按下「模擬卡號」按鈕才能重新記錄。
p 如果沒有辦法成功使用這種方式取得卡片金鑰,代表讀卡機沒有使用金鑰讀寫 Sector 0,或是讀卡機有針對此種攻擊方式進行防範,這時候你會需要改用其他嗅探卡或是側錄讀卡機與原卡的通訊資料才能破解金鑰。
p 開發者所取得的「福睿偵測卡」硬體,能夠記錄 256 次讀卡記錄,如果記錄已滿,你就需要把「福睿偵測卡」放到 PN532 上,再次按下「模擬卡號」按鈕才能重新記錄。
p 如果沒有辦法成功使用這種方式取得卡片金鑰,代表讀卡機沒有使用金鑰讀寫,或是讀卡機有針對此種攻擊方式進行防範,這時候你會需要改用其他嗅探卡或是側錄讀卡機與原卡的通訊資料才能破解金鑰。
.row.mx-n1.mt-2
.col.px-1: a.btn.btn-block.btn-outline-secondary(target="_blank", href="https://xmfuruixin.taobao.com/") #[i.fa.fa-fw.fa-shopping-cart] 店舖頁面
.col.px-1: a.btn.btn-block.btn-outline-secondary(target="_blank", href="https://lihi1.com/0vzx7") #[i.fa.fa-fw.fa-tag] 購買網頁
Expand Down Expand Up @@ -172,14 +174,6 @@ block script
await pn532.updateRegistersWithMask([
{ adr: 0x6303, mask: 0x80, value: 0x00 }, // PN53X_REG_CIU_RxMode, SYMBOL_RX_CRC_ENABLE, 0x80
])
const { data: data1 } = await pn532.inCommunicateThru({ data: Packet.fromHex('AAA700') })
const recordLen = data1[2]
await pn532.inDeselect()
await pn532.inSelect({ tg: 1 })
await pn532.rfSetTimeouts()
await pn532.updateRegistersWithMask([
{ adr: 0x6303, mask: 0x80, value: 0x00 }, // PN53X_REG_CIU_RxMode, SYMBOL_RX_CRC_ENABLE, 0x80
])
await pn532.inCommunicateThru({ data: Packet.fromHex('AAA500000000000000000000000000000000') })
await pn532.inCommunicateThru({
data: Packet.merge(
Expand All @@ -190,14 +184,9 @@ block script
new Packet(8),
),
})
if (recordLen > 0) {
await pn532.inCommunicateThru({ data: Packet.fromHex('AAA5FFFFFF00000000000000000000000000') })
for (let i = 1; i <= recordLen; i++) await pn532.inCommunicateThru({ data: new Packet([...Packet.fromHex('AAA600'), i]) })
}
await pn532.inCommunicateThru({ data: Packet.fromHex('AAA5FFFFFF00000000000000000000000000') })
for (let i = 0; i <= 255; i++) await pn532.inCommunicateThru({ data: new Packet([0xAA, 0xA6, i]) })
} finally {
await pn532.updateRegistersWithMask([
{ adr: 0x6303, mask: 0x80, value: 0x80 }, // PN53X_REG_CIU_RxMode, SYMBOL_RX_CRC_ENABLE, 0x80
])
if (pn532?.$adapter?.isOpen?.()) await pn532.inRelease().catch(() => {})
}
const card = await this.pn532.$hf14a.mfSelectCard()
Expand Down Expand Up @@ -233,45 +222,46 @@ block script
this.$set(this.h, 'detects', [])
const records = []
try {
const card = await this.pn532.$hf14a.mfSelectCard()
const blockMax = `${card.atqa.hex}-${card.sak.hex}` === '0004-08' ? 16 : 40
await pn532.$hf14a.inListPassiveTarget()
await pn532.inSelect({ tg: 1 })
await pn532.rfSetTimeouts()
await pn532.updateRegistersWithMask([
{ adr: 0x6303, mask: 0x80, value: 0x00 }, // PN53X_REG_CIU_RxMode, SYMBOL_RX_CRC_ENABLE, 0x80
])
const { data: data1 } = await pn532.inCommunicateThru({ data: Packet.fromHex('AAA700') })
const recordLen = data1[2]
if (recordLen < 2) throw new Error('刷卡次數不夠。請先模擬卡號、刷卡三次以上、然後按下破解金鑰按鈕。')
for (let i = 1; i <= recordLen; i++) {
const { data: data2 } = await pn532.inCommunicateThru({ data: new Packet([...Packet.fromHex('AAA800'), i]) })
records.push({
uid: data2.subarray(0, 4).hex,
block: data2[4],
sector: data2[4] >>> 2,
isKb: +(data2[5] === 0x61),
nt: data2.subarray(6, 10),
nr: data2.subarray(10, 14),
ar: data2.subarray(14, 18),
})
for (let i = 0; i < blockMax; i++) {
const size = (await pn532.inCommunicateThru({ data: new Packet([0xAA, 0xA7, i]) }))?.data?.[2]
for (let j = 1; j < size; j++) {
const data2 = (await pn532.inCommunicateThru({ data: new Packet([0xAA, 0xA8, i, j]) }))?.data
records.push({
uid: data2.subarray(0, 4).hex,
block: data2[4],
sector: this.blockToSector(data2[4]),
isKb: +(data2[5] === 0x61),
nt: data2.subarray(6, 10),
nr: data2.subarray(10, 14),
ar: data2.subarray(14, 18),
})
}
}
} finally {
await pn532.updateRegistersWithMask([
{ adr: 0x6303, mask: 0x80, value: 0x80 }, // PN53X_REG_CIU_RxMode, SYMBOL_RX_CRC_ENABLE, 0x80
])
if (pn532?.$adapter?.isOpen?.()) await pn532.inRelease().catch(() => {})
}
if (records.length < 2) throw new Error('刷卡次數不夠。請先模擬卡號、刷卡三次以上、然後按下破解金鑰按鈕。')
let detectLen = 0
for (let i = 0; i < records.length; i++) {
try {
const r0 = records[i]
const r1 = _.find(records, r => _.every(['uid', 'sector', 'isKb'], k => r0[k] === r[k]), i + 1)
const r1 = _.find(records, _.pick(r0, ['uid', 'sector', 'isKb']), i + 1)
if (!r1) continue
this.showLoading('正在破解...', `正在計算第 ${++detectLen} 組金鑰`)
this.$set(this.h, 'detects', _.unionWith([{
this.$set(this.h, 'detects', _.unionWith(this.h.detects, [{
block: r0.block,
isKb: r0.isKb,
key: this.mfkey32v2(r0.uid, r0, r1),
}], this.h.detects, _.isEqual))
}], _.isEqual))
await new Promise(resolve => { this.$nextTick(resolve) }) // 等待 UI 更新
} catch (err) {
console.error(err)
}
Expand Down Expand Up @@ -327,6 +317,9 @@ block script
}
return (await Swal.fire(args))?.isConfirmed
},
blockToSector (block = 0) {
return block < 128 ? block >>> 2 : 24 + (block >>> 4)
},
showLoading (title, text) {
Swal.fire({
title,
Expand Down
7 changes: 5 additions & 2 deletions web/detector-shop143630998.pug
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ block content
.input-group.input-group-sm.mb-2.was-validated
.input-group-prepend: span.input-group-text.justify-content-center Block
input.form-control(type="number", min="0", max="63", required, v-model.number="h.block")
.input-group-append: span.input-group-text Sector {{ (h?.block ?? 0) >>> 2 }}
.input-group-append: span.input-group-text Sector {{ blockToSector(h?.block ?? 0) }}
.input-group.input-group-sm.mb-2
.input-group-prepend: span.input-group-text.justify-content-center KEY類型
select.form-control.form-control-sm(v-model.number="h.isKb")
Expand Down Expand Up @@ -205,7 +205,7 @@ block script
const { data: data2 } = await pn532.inCommunicateThru({ data: pack2 })
records.push({
block: data2[3],
sector: data2[3] >>> 2,
sector: this.blockToSector(data2[3]),
isKb: +(data2[2] === 0x61),
nt: 0,
nr: data2.subarray(4, 8),
Expand Down Expand Up @@ -271,6 +271,9 @@ block script
}
return (await Swal.fire(args))?.isConfirmed
},
blockToSector (block = 0) {
return block < 128 ? block >>> 2 : 24 + (block >>> 4)
},
showLoading (title, text) {
Swal.fire({
title,
Expand Down
Loading

0 comments on commit 05b43f7

Please sign in to comment.