In a previous post, we saw how to implement a transparent reader with the Flipper Zero. What if we take the same concept but this time to implement a transparent card emulator? We could use our Flipper Zero like a cannon to attack digital fortresses, such as readers or smartphones, by sending erroneous requests. Malformed commands, commands not expected in the lifecycle, fuzzing, buffer overflow—the sky is the limit!
1 - Context
Just like with the transparent card reader, I want to communicate with the Flipper using its serial CLI from my computer. The computer handles all the logic, meaning it decides what response to give depending on the command, using a Python script, for example.
Now, regarding the implementation of the card emulator commands, it's essentially a kind of mirror mode compared to the reader:
- We need to detect when the RF field is activated by the terminal.
- We need to detect when the RF field is deactivated by the terminal.
- We need to be able to receive/send bits to the terminal.
- We need to be able to receive/send bytes to the terminal.
Except there's a small detail that complicates things. Remember that during card/reader communication, it's the reader that acts as the master, meaning it's the one that initiates communication and sends commands.
So, if we're creating a card emulator, it must be waiting for events from the reader. You can think of it like a server, with the reader acting as the client. We'll need to code this into the Flipper Zero.
Alright, first of all, let’s do a quick recap of the communication exchanges between a reader and a card using ISO 14443-A.
2 - Communication exchanges between a reader and a card using ISO 14443-A
Here is a diagram that summarizes the main exchanges between a reader and a card communicating via ISO 14443-A.
+----------------+ +----------------+
| Reader | | Card |
+----------------+ +----------------+
| |
Field activation |
| |
| --- REQA (Request Command Type A) -------------> |
| 26 |
| |
| |
| |
| |
| |
| |
| E0 50 BC A5 |
| |
| |
| D0 73 87 |
| |
| |
| 0200A404000E325041592E5359532E444446303100E042 |
| |
|
<p>Now the question is, "How do we implement all of this on the Flipper?"</p>
<h2>
4 - Flipper Zero implementation
</h2>
<p>As in my previous article, I will continue to expand the file applications/main/nfc/nfc_cli.c (see the file on my branch ).</p>
<p>First, a quick hardware point. For NFC management, the Flipper Zero uses the ST25R3916 chip. This is great because it allows us to create both a contactless reader and a card emulator. The chip automatically handles sending the commands involved from field activation to anticollision. All we need to do is specify the ATQA, SAK, UID, and its length that we want to send back.</p>
<p>The Flipper provides the function furi_hal_nfc_iso14443a_listener_set_col_res_data to handle all of this.</p>
<p>That's why I added 3 commands to the Flipper's NFC CLI to configure these elements:</p>
- set_atqa
- set_sak
- set_uid
And just before starting the emulation, we'll call furi_hal_nfc_iso14443a_listener_set_col_res_data with these parameters.
+----------------+ +----------------+
| Reader | | Card |
+----------------+ +----------------+
| |
Field activation |
| |
| --- REQA (Request Command Type A) -------------> |
| 26 |
| |
| |
| |
| |
| |
| |
| E0 50 BC A5 |
| |
| |
| D0 73 87 |
| |
| |
| 0200A404000E325041592E5359532E444446303100E042 |
| |
|
<p>Next, setting the Flipper Zero to card emulator mode is done using the function furi_hal_nfc_set_mode. This time, we specify the mode FuriHalNfcModeListener, and for the technologies, we use the standard values: FuriHalNfcTechIso14443a, FuriHalNfcTechIso14443b, and FuriHalNfcTechIso15693.</p>
<p>Finally, to start the emulation, I implemented the command run_emu, which will initiate an infinite loop waiting for a nearby reader. Event monitoring is handled by the function furi_hal_nfc_listener_wait_event.<br>
</p>
<pre class="brush:php;toolbar:false"> if(g_NfcTech == FuriHalNfcTechIso14443a) {
furi_hal_nfc_iso14443a_listener_set_col_res_data(g_uid, g_uid_len, g_atqa, g_sak);
fdt = ISO14443_3A_FDT_LISTEN_FC;
}
Next, the event can take several values depending on what has been detected:
- FuriHalNfcEventFieldOn indicates that a field activation has been detected.
- FuriHalNfcEventFieldOff indicates that the field has been turned off.
- The most important event is FuriHalNfcEventRxEnd, which indicates that a command from the terminal has been received. At this point, we need to send our response. Again, it's important to note that all the handling of command sending, up to and including anticollision, is done automatically. So, we can basically start processing a command like select, for example.
FuriHalNfcEvent event = furi_hal_nfc_listener_wait_event(100);
5 - Handling the reception of the command and sending the response
Now, let's see how to handle the reception of the command and sending the response.
while(true) {
FuriHalNfcEvent event = furi_hal_nfc_listener_wait_event(100);
if(event == FuriHalNfcEventTimeout) {
if(cli_cmd_interrupt_received(cli)) {
break;
}
}
if(event & FuriHalNfcEventAbortRequest) {
break;
}
if(event & FuriHalNfcEventFieldOn) {
printf("on\r\n");
}
if(event & FuriHalNfcEventFieldOff) {
furi_hal_nfc_listener_idle();
printf("off\r\n");
}
if(event & FuriHalNfcEventListenerActive) {
// Nothing
}
if(event & FuriHalNfcEventRxEnd) {
- Data reception is handled via furi_hal_nfc_listener_rx(rx_data, rx_data_size, &rx_bits);. We display the received data using a printf, which sends the response to the terminal connected to the Flipper. An important thing to understand is that as soon as we receive the command, we must respond very quickly. This means we cannot manually write the response in the shell—it will be too late. This is why the only way to communicate with the Flipper is by using a Python script with a dispatcher that specifies which response to give for each received command.
-
Then, the terminal sends a response that we retrieve using the function nfc_emu_get_resp(cli, rx_cmd). This part is a bit tricky because, in a shell command, you don’t typically have a back-and-forth exchange. So, I use the function cli_getc(cli) to read a character.
- Sometimes, I get an unwanted character 0xA. If it's the first character received, I skip it, as I read character by character.
- The first character indicates whether the Flipper Zero should calculate and add the CRC to the command itself (0x31 means yes, otherwise no).
- Then, I read the characters of the response in hexadecimal string format. When we receive the character 0xA, it indicates the reception is complete.
Finally, we convert the hexadecimal string into a uint8_t array using unhexify(tmp, (uint8_t*)bit_buffer_get_data(rx_data), len);.
If necessary, we add a CRC using add_crc.
Lastly, we can send the response to the reader using:
FuriHalNfcError r = furi_hal_nfc_listener_tx(rx_data, bit_buffer_get_size(rx_cmd));.
And now, how do we go about validating all of this?
6 - Card emulation validation
6.1 - How it started ... (Hydra NFC v2)
Well, we could use our transparent reader from the previous post to validate our emulator. So, we would need two Flipper Zeros... which I don’t have. However, I do have a Hydra NFC v2, which allows for a transparent reader setup.
I just need to use a script from pynfc.
+----------------+ +----------------+
| Reader | | Card |
+----------------+ +----------------+
| |
Field activation |
| |
| --- REQA (Request Command Type A) -------------> |
| 26 |
| |
| |
| |
| |
| |
| |
| E0 50 BC A5 |
| |
| |
| D0 73 87 |
| |
| |
| 0200A404000E325041592E5359532E444446303100E042 |
| |
|
<p>It’s very practical because it allows us to send commands one by one to validate everything:</p>
- Sending the REQA
- Anticollision
- Select
- PPS
- Sending a TPDU
6.2 - How it finished... (PC/SC reader).
However, in reality, communications are a bit more complicated. So, I used a PC/SC reader, the ACR122U, to send/receive a full APDU command, in combination with a Python script (using pyscard ) to make a real-world test.
In my case, I simply select the PPSE application.
if(g_NfcTech == FuriHalNfcTechIso14443a) {
furi_hal_nfc_iso14443a_listener_set_col_res_data(g_uid, g_uid_len, g_atqa, g_sak);
fdt = ISO14443_3A_FDT_LISTEN_FC;
}
So now, the card emulator needs to handle many more events. Therefore, I created a Python script below to manage this case. There’s a lot to explain, such as the different types of TPDU (i-block, r-block, s-block), but that will be in a future blog post.
FuriHalNfcEvent event = furi_hal_nfc_listener_wait_event(100);
With this, it works very well, and the emulation is extremely stable. I can place or remove the Flipper from the reader and send the commands multiple times, and it works every time. Once again, the Flipper has an excellent implementation of its NFC layer, and its API allows for a lot of functionality with minimal effort in the implementation.
Below, you have a sample of the output from the Python script.
+----------------+ +----------------+
| Reader | | Card |
+----------------+ +----------------+
| |
Field activation |
| |
| --- REQA (Request Command Type A) -------------> |
| 26 |
| |
| |
| |
| |
| |
| |
| E0 50 BC A5 |
| |
| |
| D0 73 87 |
| |
| |
| 0200A404000E325041592E5359532E444446303100E042 |
| |
|
<h3>
6.3 A little bit of Proxmark as well
</h3>
<p><img src="/static/imghwm/default1.png" data-src="https://img.php.cn/upload/article/000/000/000/172964254814325.jpg?x-oss-process=image/resize,p_40" class="lazy" alt="Flipper Zero NFC Hacking - cannon fooder"></p>
<p>Using the Proxmark 3 was useful for debugging communication in sniffing mode: I placed it between the reader and the card (which could be a genuine card or the Flipper), and I was able to check the data exchanges.<br>
</p>
<pre class="brush:php;toolbar:false"> if(g_NfcTech == FuriHalNfcTechIso14443a) {
furi_hal_nfc_iso14443a_listener_set_col_res_data(g_uid, g_uid_len, g_atqa, g_sak);
fdt = ISO14443_3A_FDT_LISTEN_FC;
}
What's next?
Good, what's next?
- First, I could give more explanations about the card emulation Python script.
- Also, I should implement a way to stop the card emulation when a button is pressed, because currently the event-waiting loop never finishes. The only way to exit is to restart the Flipper.
- Also, we could do some fun stuff by using both a transparent reader and a card emulator at the same time, for instance, to perform a man-in-the-middle attack and modify the communication live!
The above is the detailed content of Flipper Zero NFC Hacking - cannon fooder. For more information, please follow other related articles on the PHP Chinese website!
How Do I Use Beautiful Soup to Parse HTML?Mar 10, 2025 pm 06:54 PMThis article explains how to use Beautiful Soup, a Python library, to parse HTML. It details common methods like find(), find_all(), select(), and get_text() for data extraction, handling of diverse HTML structures and errors, and alternatives (Sel
Mathematical Modules in Python: StatisticsMar 09, 2025 am 11:40 AMPython's statistics module provides powerful data statistical analysis capabilities to help us quickly understand the overall characteristics of data, such as biostatistics and business analysis. Instead of looking at data points one by one, just look at statistics such as mean or variance to discover trends and features in the original data that may be ignored, and compare large datasets more easily and effectively. This tutorial will explain how to calculate the mean and measure the degree of dispersion of the dataset. Unless otherwise stated, all functions in this module support the calculation of the mean() function instead of simply summing the average. Floating point numbers can also be used. import random import statistics from fracti
Serialization and Deserialization of Python Objects: Part 1Mar 08, 2025 am 09:39 AMSerialization and deserialization of Python objects are key aspects of any non-trivial program. If you save something to a Python file, you do object serialization and deserialization if you read the configuration file, or if you respond to an HTTP request. In a sense, serialization and deserialization are the most boring things in the world. Who cares about all these formats and protocols? You want to persist or stream some Python objects and retrieve them in full at a later time. This is a great way to see the world on a conceptual level. However, on a practical level, the serialization scheme, format or protocol you choose may determine the speed, security, freedom of maintenance status, and other aspects of the program
How to Perform Deep Learning with TensorFlow or PyTorch?Mar 10, 2025 pm 06:52 PMThis article compares TensorFlow and PyTorch for deep learning. It details the steps involved: data preparation, model building, training, evaluation, and deployment. Key differences between the frameworks, particularly regarding computational grap
What are some popular Python libraries and their uses?Mar 21, 2025 pm 06:46 PMThe article discusses popular Python libraries like NumPy, Pandas, Matplotlib, Scikit-learn, TensorFlow, Django, Flask, and Requests, detailing their uses in scientific computing, data analysis, visualization, machine learning, web development, and H
How to Create Command-Line Interfaces (CLIs) with Python?Mar 10, 2025 pm 06:48 PMThis article guides Python developers on building command-line interfaces (CLIs). It details using libraries like typer, click, and argparse, emphasizing input/output handling, and promoting user-friendly design patterns for improved CLI usability.
Scraping Webpages in Python With Beautiful Soup: Search and DOM ModificationMar 08, 2025 am 10:36 AMThis tutorial builds upon the previous introduction to Beautiful Soup, focusing on DOM manipulation beyond simple tree navigation. We'll explore efficient search methods and techniques for modifying HTML structure. One common DOM search method is ex
Explain the purpose of virtual environments in Python.Mar 19, 2025 pm 02:27 PMThe article discusses the role of virtual environments in Python, focusing on managing project dependencies and avoiding conflicts. It details their creation, activation, and benefits in improving project management and reducing dependency issues.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SublimeText3 Linux new version
SublimeText3 Linux latest version
SublimeText3 English version
Recommended: Win version, supports code prompts!
