Mi Band 3 NFC: writing custom access-card data
I fumbled around for a long time and in the end approached it from the network-security side, by tampering with the packets.
The final result: tap "Add Xiaomi blank card" and an access card with custom data is generated. [Final test: this also gets past the two-card limit; up to five access cards can be added.]
Approach:
The card-emulation path only sends the server the "add card" request (with the card's data) after it has read an unencrypted card,
so I did not add the card through the access-card emulation screen; that is too much hassle.
Instead I chose the "Add Xiaomi blank card" option, which makes the phone send the server a request to add a blank Xiaomi card.
I intercepted that POST request with Fiddler and rewrote the body into an "add access card" request, replacing the UID and the sector data with the ones I wanted to add.
That is enough to send the server custom NFC card data: the server responds with a set of commands, and the phone uses them to write the card to the band automatically.
That is the rough idea, and it definitely worked for me.
I wrote a Fiddler script that intercepts the packet automatically and rewrites it with the desired UID and data blocks.
The code:
// Custom code
// Change the custom UID here
var UID = "1A2B3C4D"; // card ID
var isMusicRequest = 0;
// Check whether this is one of the target requests
if ((oSession.host == "api-mifit.huami") && (oSession.fullUrl.Contains("nfc/accessCard/script/init") || oSession.fullUrl.Contains("nfc/accessCard/script/request")))
{
    isMusicRequest = 1;
}
// Rewrite the JSON request body
if (isMusicRequest == 1)
{
    // 1. Get the request body as a string
    var requestStringOriginal = oSession.GetRequestBodyAsString();
    //FiddlerObject.log(requestStringOriginal);    // can be logged to the console
    // 2. Decode it into an editable JSONObject
    var requestJSON = Fiddler.WebFormats.JSON.JsonDecode(requestStringOriginal);
    // 3. Modify the JSONObject
    // 3.1 Change the fields from the "blank card" values to the "access card" values
    requestJSON.JSONObject['fareCardType'] = "0";
    requestJSON.JSONObject['fetch_adpu_mode'] = "SYNC";
    requestJSON.JSONObject['sak'] = "08";
    requestJSON.JSONObject['uid'] = UID;
    requestJSON.JSONObject['aid'] = "";
    requestJSON.JSONObject['atqa'] = "0400";
    requestJSON.JSONObject['action_type'] = "copyFareCard";
    // Change the custom UID and sector contents here (the hex dump is cut off at this point in the original post; a full dump is 1024 bytes)
    requestJSON.JSONObject['blockContent'] = UID + "b208040062636465666768690000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000";
    // 4. Set the rewritten request body
    var requestStringDestinal = Fiddler.WebFormats.JSON.JsonEncode(requestJSON.JSONObject);
    oSession.utilSetRequestBody(requestStringDestinal);
}
Add the code above in Fiddler under Rules -> Customize Rules..., inside this function: static function OnBeforeRequest(oSession: Session) {}
After the code is added, the function looks like this:
static function OnBeforeRequest(oSession: Session) {
    // Sample Rule: Color ASPX requests in RED
    // if (oSession.uriContains(".aspx")) {    oSession["ui-color"] = "red";    }
    // Sample Rule: Flag POSTs to fiddler2 in italics
    // if (oSession.HostnameIs("www.fiddler2") && oSession.HTTPMethodIs("POST")) {    oSession["ui-italic"] = "yup";    }
    // Sample Rule: Break requests for URLs containing "/sandbox/"
    // if (oSession.uriContains("/sandbox/")) {
    //    oSession.oFlags["x-breakrequest"] = "yup";    // Existence of the x-breakrequest flag creates a breakpoint; the "yup" value is unimportant.
    // }
    if ((null != gs_ReplaceToken) && (oSession.url.indexOf(gs_ReplaceToken)>-1)) {  // Case sensitive
        oSession.url = oSession.url.Replace(gs_ReplaceToken, gs_ReplaceTokenWith);
    }
    if ((null != gs_OverridenHost) && (oSession.host.toLowerCase() == gs_OverridenHost)) {
        oSession["x-overridehost"] = gs_OverrideHostWith;
    }
    if ((null!=bpRequestURI) && oSession.uriContains(bpRequestURI)) {
        oSession["x-breakrequest"]="uri";
    }
    if ((null!=bpMethod) && (oSession.HTTPMethodIs(bpMethod))) {
        oSession["x-breakrequest"]="method";
    }
    if ((null!=uiBoldURI) && oSession.uriContains(uiBoldURI)) {
        oSession["ui-bold"]="QuickExec";
    }
    if (m_SimulateModem) {
        // Delay sends by 300ms per KB uploaded.
        oSession["request-trickle-delay"] = "300";
        // Delay receives by 150ms per KB downloaded.
        oSession["response-trickle-delay"] = "150";
    }
    if (m_DisableCaching) {
        oSession.oRequest.headers.Remove("If-None-Match");
        oSession.oRequest.headers.Remove("If-Modified-Since");
        oSession.oRequest["Pragma"] = "no-cache";
    }
    // User-Agent Overrides
    if (null != sUA) {
        oSession.oRequest["User-Agent"] = sUA;
    }
    if (m_Japanese) {
        oSession.oRequest["Accept-Language"] = "ja";
    }
    if (m_AutoAuth) {
        // Automatically respond to any authentication challenges using the
        // current Fiddler user's credentials. You can change (default)
        // to a domain\\username:password string if preferred.
        //
        // WARNING: This setting poses a security risk if remote
        // connections are permitted!
        oSession["X-AutoAuth"] = "(default)";
    }
    if (m_AlwaysFresh && (oSession.oRequest.headers.Exists("If-Modified-Since") || oSession.oRequest.headers.Exists("If-None-Match")))
    {
        oSession.utilCreateResponseAndBypassServer();
        oSession["ui-backcolor"] = "Lavender";
    }
    // Custom code
    // Change the custom UID here
    var UID = "1A2B3C4D"; // card ID
    var isMusicRequest = 0;
    // Check whether this is one of the target requests
    if ((oSession.host == "api-mifit.huami") && (oSession.fullUrl.Contains("nfc/accessCard/script/init") || oSession.fullUrl.Contains("nfc/accessCard/script/request")))
    {
        isMusicRequest = 1;
    }
    // Rewrite the JSON request body
    if (isMusicRequest == 1)
    {
        // 1. Get the request body as a string
        var requestStringOriginal = oSession.GetRequestBodyAsString();
        //FiddlerObject.log(requestStringOriginal);    // can be logged to the console
        // 2. Decode it into an editable JSONObject
        var requestJSON = Fiddler.WebFormats.JSON.JsonDecode(requestStringOriginal);
        // 3. Modify the JSONObject
        // 3.1 Change the fields from the "blank card" values to the "access card" values
        requestJSON.JSONObject['fareCardType'] = "0";
        requestJSON.JSONObject['fetch_adpu_mode'] = "SYNC";
        requestJSON.JSONObject['sak'] = "08";
        requestJSON.JSONObject['uid'] = UID;
        requestJSON.JSONObject['aid'] = "";
        requestJSON.JSONObject['atqa'] = "0400";
        requestJSON.JSONObject['action_type'] = "copyFareCard";
        // Change the custom UID and sector contents here (the hex dump is cut off at this point in the original post; a full dump is 1024 bytes)
        requestJSON.JSONObject['blockContent'] = UID + "b208040062636465666768690000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000";
        // 4. Set the rewritten request body
        var requestStringDestinal = Fiddler.WebFormats.JSON.JsonEncode(requestJSON.JSONObject);
        oSession.utilSetRequestBody(requestStringDestinal);
    }
}
Finally, the steps in brief:
1. Connect the computer and the phone to the same LAN;
2. Install and run Fiddler on the computer, with the proxy port set to 8888 (if this is unfamiliar, learn the basics of Fiddler first);
3. Point the phone's proxy at the computer so that Fiddler can capture the phone's traffic (on both iOS and Android, Fiddler's certificate has to be trusted);
4. In Fiddler, open the third tab in the top-left menu: Rules -> Customize Rules;
5. This opens a JavaScript file; find the function static function OnBeforeRequest(oSession: Session), paste my code inside it and save (the UID and sector data in the code of course have to be changed to the ones you want);
6. Connect the band to the phone over Bluetooth, open Mi Fit, add a Xiaomi blank card, and wait.
A closing word: I had actually bought a few blank CUID cards, which could be written directly with my girlfriend's Mi 8. I never expected that her Mi 8 would be stolen by a damned thief on Chunxi Road the day before yesterday, and the cards only arrived today.
[An expert could of course use the proxy function to expose the port on the public internet and add custom-data cards for other friends.]
[This tutorial is for use with your own Mi Band data only; do not use it for anything illegal.]
[Finally, some notes on the packets. The following is not important and can be ignored.]
1. Initialisation request
api-mifit.huami/nfc/accessCard/script/init?r=894C7E51-A833-4AE6-B369-61A238788F43&t=1542653294011
Delete request body:
{"fareCardType":0,"fetch_adpu_mode":"SYNC","sak":"","uid":"","aid":"A0000003964D344D1004283E3B644B05","atqa":"","size":1024,"action_type":"deleteapp","blockContent":"000000000000000000000000000000000000000000000000000000000
Blank card request body:
{"fareCardType":1,"fetch_adpu_mode":"SYNC","sak":"","uid":"","aid":"","atqa":"","size":0,"action_type":"copyFareCard","blockContent":""}
Access card request body:
{"fareCardType":0,"fetch_adpu_mode":"SYNC","sak":"08","uid":"9ab273e9","aid":"","atqa":"0400","size":1024,"action_type":"copyFareCard","blockContent":"9ab273e9b2080400626364656667686900000000000000000000000000000000000000000
2. Script service request
api-mifit.huami/nfc/accessCard/script/request?r=894C7E51-A833-4AE6-B369-61A238788F43&t=1542653297773
Access card request body:
{"blockContent":"11223344b208040062636465666768690000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000
Blank card request body:
{"uid":"","fareCardType":1,"session":"851-4110831269-94201228953","blockContent":"","fetch_adpu_mode":"SYNC","size":0,"atqa":"","current_step":"1","sak":"","action_type":"copyFareCard","aid":"","command_results":{"succeed":true
[Please credit the source when reposting.]