From ad3241aeb90b420788e6e75b0fed43c59fb5f352 Mon Sep 17 00:00:00 2001 From: dxl <64101226@qq.com> Date: Wed, 20 Sep 2023 11:00:43 +0800 Subject: [PATCH] doc --- docs/images/cli_staticnested.jpg | Bin 0 -> 11544 bytes docs/technical_whitepaper.md | 223 +++++++++++++++++-------------- 2 files changed, 121 insertions(+), 102 deletions(-) create mode 100644 docs/images/cli_staticnested.jpg 
diff --git a/docs/images/cli_staticnested.jpg b/docs/images/cli_staticnested.jpg new file mode 100644 index 0000000000000000000000000000000000000000..05272b469341cfc583f551557975c6adc59d3f47 GIT binary patch literal 11544
diff --git a/docs/technical_whitepaper.md b/docs/technical_whitepaper.md index 308b6d6f..527fcf9a 100644 --- a/docs/technical_whitepaper.md +++ b/docs/technical_whitepaper.md
@@ -5,58 +5,67 @@ # ChameleonUltra Why not keep using ATXMEGA128? -First of all, it is difficult to buy chips because the lead time for the main chip is too long, and because the price has skyrocketed. Secondly, because the interaction speed of the ATXMEGA, emulation is slow, the decryption performance of the READER mode cannot meet the needs, and the LF support cannot be added, so we have been trying to upgrade it, such as using the latest ARM to replace the AVR framework, and the performance will definitely be greatly improved. +First of all, it is difficult to buy chips because the lead time for the main chip is too long, and because the price +has skyrocketed. Secondly, because the interaction speed of the ATXMEGA, emulation is slow, the decryption performance +of the READER mode cannot meet the needs, and the LF support cannot be added, so we have been trying to upgrade it, such +as using the latest ARM to replace the AVR framework, and the performance will definitely be greatly improved. # Why nRF52840? -NRF52840 has a built-in NFC Tag-A module, but no one seems to care about it. After playing with HydraNFC's TRF7970A and FlipperZero's ST25R3916, the developers found that they can only emulate MIFARE Classic with a very high FDT. -We accidentally tested the NFC of nRF52840, and found that it is not only surprisingly easy to emulate a complete MIFARE Classic card, but also has very good emulation performance, friendly data flow interaction, and very fast response, unlike the former which is limited by the SPI bus clock rate. We also found that it has ultra-low power consumption, ultra-small size, 256kb/1M large RAM and Flash, also has BLE5.0 and USB2.0 FS, super CortexM4F, most importantly, it is very cheap! This is undoubtedly a treasure discovery for us! +NRF52840 has a built-in NFC Tag-A module, but no one seems to care about it. 
After playing with HydraNFC's TRF7970A and +FlipperZero's ST25R3916, the developers found that they can only emulate MIFARE Classic with a very high FDT. +We accidentally tested the NFC of nRF52840, and found that it is not only surprisingly easy to emulate a complete MIFARE +Classic card, but also has very good emulation performance, friendly data flow interaction, and very fast response, +unlike the former which is limited by the SPI bus clock rate. We also found that it has ultra-low power consumption, +ultra-small size, 256kb/1M large RAM and Flash, also has BLE5.0 and USB2.0 FS, super CortexM4F, most importantly, it is +very cheap! This is undoubtedly a treasure discovery for us! -Below we will explain in detail how we exploited the performance of the NRF52840, and what seemingly impossible functions have been realized with it! +Below we will explain in detail how we exploited the performance of the NRF52840, and what seemingly impossible +functions have been realized with it! # Supported functions ## High Frequency Attack -| Attack Type | Tag Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | -|--------------|:-------------:|------------------------------:|---------------------------|:--------------------------------------:|------------------------:| -| Sniffing | No | No | No | No | | +| Attack Type | Tag Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | +|--------------|:--------------:|------------------------------:|---------------------------|:--------------------------------------:|-------------------------:| +| Sniffing | No | No | No | No | | | MFKEY32 V2 | MIFARE Classic | Support | Support | Support | MIFARE Classic Detection | -| Darkside | MIFARE Classic | Support | Support | Support | Encrypted 4 bit NAck | -| Nested | MIFARE Classic | Support | Support | Support | PRNG(Distance guess) | -| StaticNested | MIFARE Classic 
| Support | Support | Not yet implemented | PRNG(2NT Fast Decrypt) | -| HardNested | MIFARE Classic | Support | Support | Not yet implemented | No | -| Relay attack | ISO14443A | Support | Support | Not yet implemented | No | +| Darkside | MIFARE Classic | Support | Support | Support | Encrypted 4 bit NAck | +| Nested | MIFARE Classic | Support | Support | Support | PRNG(Distance guess) | +| StaticNested | MIFARE Classic | Support | Support | Not yet implemented | PRNG(2NT Fast Decrypt) | +| HardNested | MIFARE Classic | Support | Support | Not yet implemented | No | +| Relay attack | ISO14443A | Support | Support | Not yet implemented | No | ## High Frequency emulation -| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | -|-------------------------------|:--------------------:|------------------------------:|---------------------------|:--------------------------------------:|-----------------------------------------:| -| Other than ISO14443A | No | No | No | No | [NRF52 NFC Module][nrf52_nfc_module_doc] | -| NTAG 21x (210-218) | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | -| MIFARE Ultralight | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | -| MIFARE Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | -| MIFARE Ultralight C | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | +|--------------------------------|:--------------------:|------------------------------:|---------------------------|:--------------------------------------:|-----------------------------------------:| +| Other than ISO14443A | No | No | No | No | [NRF52 NFC Module][nrf52_nfc_module_doc] | +| NTAG 21x (210-218) | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | 
+| MIFARE Ultralight | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| MIFARE Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| MIFARE Ultralight C | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | | MIFARE Classic1K/2K/4K (4B/7B) | ISO14443A/106 kbit/s | Support | Support | Support | | -| MIFARE DESFire | ISO14443A High Rate | Only supported Low rate | Only supported Low rate | Not yet implemented | | -| MIFARE DESFire EV1 | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | Backward compatible | -| MIFARE DESFire EV2 | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | | -| MIFARE Plus | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | | +| MIFARE DESFire | ISO14443A High Rate | Only supported Low rate | Only supported Low rate | Not yet implemented | | +| MIFARE DESFire EV1 | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | Backward compatible | +| MIFARE DESFire EV2 | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | | +| MIFARE Plus | ISO14443A High rate | Only supported Low rate | Only supported Low rate | Not yet implemented | | ## High Frequency Reader -| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | -|-------------------------------|:--------------------:|---------------------------------------------:|----------------------------------------------|:--------------------------------------:|-------------------------------------------:| -| Non <13.56MHz or ISO14443A> | No | No | No | No | [NXP RC522 Datasheet][nxp_rc522_datasheet] | -| NTAG 21x (210-218) | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | -| MIFARE Ultralight | ISO14443A/106 kbit/s | 
Support | Support | Not yet implemented | | -| MIFARE Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | -| MIFARE Ultralight C | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | +|---------------------------------|:--------------------:|---------------------------------------------:|----------------------------------------------|:--------------------------------------:|-------------------------------------------:| +| Non <13.56MHz or ISO14443A> | No | No | No | No | [NXP RC522 Datasheet][nxp_rc522_datasheet] | +| NTAG 21x (210-218) | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| MIFARE Ultralight | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| MIFARE Ultralight Ev1 | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | +| MIFARE Ultralight C | ISO14443A/106 kbit/s | Support | Support | Not yet implemented | | | MIFARE Classic 1K/2K/4K (4B/7B) | ISO14443A/106 kbit/s | Support | Support | Support | | -| MIFARE DESFire | ISO14443A High Rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | | -| MIFARE DESFire EV1 | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | Backward compatible | -| MIFARE DESFire EV2 | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | | -| MIFARE Plus | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | | +| MIFARE DESFire | ISO14443A High Rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | | +| MIFARE 
DESFire EV1 | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | Backward compatible | +| MIFARE DESFire EV2 | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | | +| MIFARE Plus | ISO14443A High rate | Supports low rates, or possibly higher rates | Supports low rates, or possibly higher rates | Not yet implemented | | ## Low Frequency Attack 
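Review bot: since every prose line in this hunk is rewritten for the 120-column reflow, the grammar and unit problems it carries over unchanged should be fixed in the same pass. In the ATXMEGA paragraph, "Secondly, because the interaction speed of the ATXMEGA, emulation is slow" has lost its verb (something like "because the interaction speed of the ATXMEGA is low, emulation is slow"), and in the nRF52840 paragraph "256kb/1M large RAM and Flash" mixes kilobits with an unspecified unit; the nRF52840 has 256 kB of RAM and 1 MB of Flash, so write "256 kB RAM and 1 MB Flash". The table edits are whitespace-only column realignments, which is fine, but that makes the commit subject "doc" too vague to find later; a subject such as "docs: reflow whitepaper to 120 columns, add StaticNested CLI screenshot" would describe the change.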
@@ -67,103 +76,113 @@ Below we will explain in detail how we exploited the performance of the NRF52840 ## Low Frequency emulation -| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | -|--------------------------|:-------------:|------------------------------:|---------------------------|:--------------------------------------:|----------------------------------------------:| +| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | +|---------------------------------|:-------------:|------------------------------:|---------------------------|:--------------------------------------:|----------------------------------------------:| | Other than <125KHz/ASK/PSK/FSK> | No | No | No | No | Only 125 khz RF, Modulation ASK, FSK and PSK. | -| EM410x | ASK | Support | Support | Support | EM4100 is support(AD 64bit) | -| T5577 | ASK | Support | Support | Not yet implemented | | -| EM4305 | ASK | Support | Support | Not yet implemented | | -| HID Prox | FSK | Support | Support | Not yet implemented | | -| Indala | PSK | Support | Support | Not yet implemented | | -| FDX-B | ASK | Support | Support | Not yet implemented | | -| Paradox | FSK | Support | Support | Not yet implemented | | -| Keri | PSK | Support | Support | Not yet implemented | | -| AWD | FSK | Support | Support | Not yet implemented | | -| ioProx | FSK | Support | Support | Not yet implemented | | -| securakey | ASK | Support | Support | Not yet implemented | | -| gallagher | ASK | Support | Support | Not yet implemented | | -| PAC/Stanley | ASK | Support | Support | Not yet implemented | | -| Presco | ASK | Support | Support | Not yet implemented | | -| Visa2000 | ASK | Support | Support | Not yet implemented | | -| Viking | ASK | Support | Support | Not yet implemented | | -| Noralsy | ASK | Support | Support | Not yet implemented | | -| 
NexWatch | PSK | Support | Support | Not yet implemented | | -| Jablotron | ASK | Support | Support | Not yet implemented | | +| EM410x | ASK | Support | Support | Support | EM4100 is support(AD 64bit) | +| T5577 | ASK | Support | Support | Not yet implemented | | +| EM4305 | ASK | Support | Support | Not yet implemented | | +| HID Prox | FSK | Support | Support | Not yet implemented | | +| Indala | PSK | Support | Support | Not yet implemented | | +| FDX-B | ASK | Support | Support | Not yet implemented | | +| Paradox | FSK | Support | Support | Not yet implemented | | +| Keri | PSK | Support | Support | Not yet implemented | | +| AWD | FSK | Support | Support | Not yet implemented | | +| ioProx | FSK | Support | Support | Not yet implemented | | +| securakey | ASK | Support | Support | Not yet implemented | | +| gallagher | ASK | Support | Support | Not yet implemented | | +| PAC/Stanley | ASK | Support | Support | Not yet implemented | | +| Presco | ASK | Support | Support | Not yet implemented | | +| Visa2000 | ASK | Support | Support | Not yet implemented | | +| Viking | ASK | Support | Support | Not yet implemented | | +| Noralsy | ASK | Support | Support | Not yet implemented | | +| NexWatch | PSK | Support | Support | Not yet implemented | | +| Jablotron | ASK | Support | Support | Not yet implemented | | ## Low Frequency Reader -| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | -|--------------------------|:-------------:|------------------------------:|---------------------------|:--------------------------------------:|----------------------------------------------:| +| Card Type | Encoding Type | Whether the hardware supports | Does the software support | Whether the application layer supports | Note | 
+|---------------------------------|:-------------:|------------------------------:|---------------------------|:--------------------------------------:|----------------------------------------------:| | Other than <125KHz/ASK/PSK/FSK> | No | No | No | No | Only 125 khz RF, Modulation ASK, FSK and PSK. | -| EM410x | ASK | Support | Support | Support | | -| T5577 | ASK | Support | Support | Support(Write) | | -| EM4305 | ASK | Support | Support | Not yet implemented | | -| HID Prox | FSK | Support | Support | Not yet implemented | | -| Indala | PSK | Support | Support | Not yet implemented | | -| FDX-B | ASK | Support | Support | Not yet implemented | | -| Paradox | FSK | Support | Support | Not yet implemented | | -| Keri | PSK | Support | Support | Not yet implemented | | -| AWD | FSK | Support | Support | Not yet implemented | | -| ioProx | FSK | Support | Support | Not yet implemented | | -| securakey | ASK | Support | Support | Not yet implemented | | -| gallagher | ASK | Support | Support | Not yet implemented | | -| PAC/Stanley | ASK | Support | Support | Not yet implemented | | -| Presco | ASK | Support | Support | Not yet implemented | | -| Visa2000 | ASK | Support | Support | Not yet implemented | | -| Viking | ASK | Support | Support | Not yet implemented | | -| Noralsy | ASK | Support | Support | Not yet implemented | | -| NexWatch | PSK | Support | Support | Not yet implemented | | -| Jablotron | ASK | Support | Support | Not yet implemented | | +| EM410x | ASK | Support | Support | Support | | +| T5577 | ASK | Support | Support | Support(Write) | | +| EM4305 | ASK | Support | Support | Not yet implemented | | +| HID Prox | FSK | Support | Support | Not yet implemented | | +| Indala | PSK | Support | Support | Not yet implemented | | +| FDX-B | ASK | Support | Support | Not yet implemented | | +| Paradox | FSK | Support | Support | Not yet implemented | | +| Keri | PSK | Support | Support | Not yet implemented | | +| AWD | FSK | Support | Support | Not 
yet implemented | | +| ioProx | FSK | Support | Support | Not yet implemented | | +| securakey | ASK | Support | Support | Not yet implemented | | +| gallagher | ASK | Support | Support | Not yet implemented | | +| PAC/Stanley | ASK | Support | Support | Not yet implemented | | +| Presco | ASK | Support | Support | Not yet implemented | | +| Visa2000 | ASK | Support | Support | Not yet implemented | | +| Viking | ASK | Support | Support | Not yet implemented | | +| Noralsy | ASK | Support | Support | Not yet implemented | | +| NexWatch | PSK | Support | Support | Not yet implemented | | +| Jablotron | ASK | Support | Support | Not yet implemented | | ## Low Frequency Modulation - -| Modulation Type | wav | -|-----------------|----------------------------:| +| Modulation Type | wav | +|-----------------|------------------------------------:| | PSK | ![PSK WAV](images/measured-psk.png) | | FSK | ![FSK WAV](images/measured-fsk.png) | | ASK | ![ASK WAV](images/measured-ask.png) | # Ultra-low power consumption -It integrates a high-performance and low-power NFC module inside. When the NFC unit is turned on, the total current of the chip is only 5mA@3.3V. +It integrates a high-performance and low-power NFC module inside. When the NFC unit is turned on, the total current of +the chip is only 5mA@3.3V. The underlying interaction is done independently by the NFC unit and does not occupy the CPU. -In addition, the nRF52840 itself is a high-performance low-power BLE chip, and the encryption and calculation process is only 7mA@3.3V. It can greatly reduce the battery volume and prolong the working time. That is to say, the 35mAh 10mm*40mm button lithium battery can guarantee to be charged once every half a year under the working condition of swiping the card 8 times a day for 3 seconds each time. Full potential for everyday use. +In addition, the nRF52840 itself is a high-performance low-power BLE chip, and the encryption and calculation process is +only 7mA@3.3V. 
It can greatly reduce the battery volume and prolong the working time. That is to say, the 35mAh 10mm* +40mm button lithium battery can guarantee to be charged once every half a year under the working condition of swiping +the card 8 times a day for 3 seconds each time. Full potential for everyday use. # Not just UID, but a real and complete MIFARE Classic emulation -We can easily and completely emulate all data and password verification of all sectors, and can customize SAK, ATQA, ATS, etc. Similar to an open CPU card development platform, 14A interaction of various architectures can be easily realized. +We can easily and completely emulate all data and password verification of all sectors, and can customize SAK, ATQA, +ATS, etc. Similar to an open CPU card development platform, 14A interaction of various architectures can be easily +realized. # Super compatibility with low-power locks using batteries -The structure of the old Chameleon AVR is slow to start during emulation. Faced with a battery-powered low-power lock and an integrated lock on the door, it will be frequently interrupted, and the verification interaction cannot be completed completely, resulting in no response when swiping the card. +The structure of the old Chameleon AVR is slow to start during emulation. Faced with a battery-powered low-power lock +and an integrated lock on the door, it will be frequently interrupted, and the verification interaction cannot be +completed completely, resulting in no response when swiping the card. -In order to reduce power consumption, the battery lock will send out a field signal as short as possible when searching for a card, which is no problem for the original card, but it is fatal for the MCU emulated card. Cards or mobile smart bracelets emulated by the MCU cannot wake up and respond in such a short time, so many battery locks cannot open the door, which greatly reduces the user experience. 
+In order to reduce power consumption, the battery lock will send out a field signal as short as possible when searching +for a card, which is no problem for the original card, but it is fatal for the MCU emulated card. Cards or mobile smart +bracelets emulated by the MCU cannot wake up and respond in such a short time, so many battery locks cannot open the +door, which greatly reduces the user experience. -This project specially optimizes the start-up and interaction logic and antenna for low-power reading heads. After testing a variety of common low-power reading heads, they can open the door perfectly by swiping the card. +This project specially optimizes the start-up and interaction logic and antenna for low-power reading heads. After +testing a variety of common low-power reading heads, they can open the door perfectly by swiping the card. # Ultra-fast response speed and low interaction delay(MIFARE Classic) -| Tag/Emulation | FDT | "**_FDT_**" Rating | -|----------------------|:---------------------------:|:--------------------------------------------------------------------------------:| -| Standard MIFARE Card | ![Standard_m1_s50](images/fdt_standard_s50.png) | ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ | -| Chameleon Ultra | ![Chameleon Ultra](images/fdt_chameleon_ultra.png) | ⭐⭐⭐⭐⭐⭐⭐⭐ | -| Proxmark3 Rdv4.01 | ![Proxmark3_Rdv4_RRG_(Firmware build at 20201026)](images/fdt_pm3_rdv401.png) | ⭐⭐⭐⭐ | -| RedMi K30 | ![Xiaomi_k30u_smartkey](images/fdt_redmi_k30.png) | ⭐⭐⭐⭐⭐⭐ | -| Chameleon Tiny | ![Chameleon Tiny](images/fdt_chameleon_tiny.png) | ⭐⭐⭐⭐⭐ | -| Flipper Zero | ![Flipper Zero](images/fdt_flipper_zero.png) | ⭐⭐ | +| Tag/Emulation | FDT | "**_FDT_**" Rating | +|----------------------|:-----------------------------------------------------------------------------:|:--------------------------------------------------------------------------------:| +| Standard MIFARE Card | ![Standard_m1_s50](images/fdt_standard_s50.png) | ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ | +| Chameleon Ultra | ![Chameleon 
Ultra](images/fdt_chameleon_ultra.png) | ⭐⭐⭐⭐⭐⭐⭐⭐ | +| Proxmark3 Rdv4.01 | ![Proxmark3_Rdv4_RRG_(Firmware build at 20201026)](images/fdt_pm3_rdv401.png) | ⭐⭐⭐⭐ | +| RedMi K30 | ![Xiaomi_k30u_smartkey](images/fdt_redmi_k30.png) | ⭐⭐⭐⭐⭐⭐ | +| Chameleon Tiny | ![Chameleon Tiny](images/fdt_chameleon_tiny.png) | ⭐⭐⭐⭐⭐ | +| Flipper Zero | ![Flipper Zero](images/fdt_flipper_zero.png) | ⭐⭐ | # 256kB super large RAM cooperates with RC522 to enable attacks - -| Attack Type | CLI | -|--------------|:------------------------------:| -| MFKEY32 V2 | ![attack_MIFARE_mfkey32](images/cli_mfkey32v2.png) | -| Darkside | ![attack_MIFARE_darkside](images/cli_darkside.png) | -| Nested | ![attack_MIFARE_nested](images/cli_nested.png) | -| StaticNested | Coming Soon | -| HardNested | Coming Soon | -| Relay attack | Coming Soon | +| Attack Type | CLI | +|--------------|:----------------------------------------------------------:| +| MFKEY32 V2 | ![attack_MIFARE_mfkey32](images/cli_mfkey32v2.png) | +| Darkside | ![attack_MIFARE_darkside](images/cli_darkside.png) | +| Nested | ![attack_MIFARE_nested](images/cli_nested.png) | +| StaticNested | ![attack_MIFARE_staticnested](images/cli_staticnested.jpg) | +| HardNested | Coming Soon | +| Relay attack | Coming Soon | # Hardware frame diagram
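Review bot: the StaticNested row of the "256kB super large RAM" table now points at a screenshot, implying the attack is usable from the CLI, but the High Frequency Attack table earlier in the same file (also touched by this patch) still lists StaticNested as "Not yet implemented" at the application layer; one of the two is stale and they should be updated together. Two smaller points in this hunk: the new image is `images/cli_staticnested.jpg` while every other CLI and FDT screenshot is a `.png`, so convert it for consistency, and the reflow splits "35mAh 10mm*40mm" with "10mm*" at a line end, which is easy to misread as an emphasis marker in the source; keep the dimension on one line.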