小米手环5 自定义NFC数据区【2020-07-04更新】【厂商码失效】

uestcer

仅作技术研究，切勿用作非法用途

【2020-07-04更新】【目前厂商码无法成功写入】【https://api-mifit-cn.huami.com】也被替换成了【https://api-mifit-cn2.huami.com】

（第一次发帖，如有错误，望大佬指正）

结论：

方案1

小米手环5 NFC可以通过修改HTTPS的POST 数据来自定义NFC卡片的所有扇区数据；【2020-07-04更新】【目前厂商码无法成功写入】

方案2

1. 先手环复制一张没有加密的实体门禁卡（实体门禁卡卡号要提前写成自己想要的卡号），并且启用。
2. 然后通过电脑+NFC读卡器（ACR122U）直接修改这张卡的数据。除去0扇区第0行外，其它所有数据都可以修改。因为0扇区第0行包含卡号、校验码和厂商码，所以小米手环不允许改。

着重介绍一下方案1：

方案1的实现：

我们利用小米手环NFC（3，4和5代）进行门卡模拟，需要读取一张非加密门禁卡。读取成功后，手机会将这张卡的卡号（uid）和所有数据(blockContent)上传至服务器，所有的手环指令都由服务器生成，再下发到手机，手机通过蓝牙将指令传给手环。这些指令我全都看不懂，也没办法自己生成手环指令。但是我可以在手机将卡号（uid）和所有数据(blockContent)上传至服务器前进行更改成自己想要的，然后由小米服务器自己去生成指令即可成功。

可以借鉴我以前的小米手环3 NFC数据修改的方式借鉴电脑抓包和改包。

抓包改包软件很多，自行选择。

接下来，介绍两个关键请求和上传参数

第一个api和参数：【2020-07-04更新】【https://api-mifit-cn.huami.com】被华米替换成了【https://api-mifit-cn2.huami.com】

https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198

Request Body为：
{
"fareCardType": 0,
"fetch_adpu_mode": "SYNC",
"product_sub_type": "",
"sak": "08",
"uid": "12345678",
"aid": "",
"atqa": "0400",
"size": 1024,
"action_type": "copyFareCard",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH00000000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff"
}

第二个api和参数：【2020-07-04更新】【https://api-mifit-cn.huami.com】被华米替换成了【https://api-mifit-cn2.huami.com】

https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974

Request Body为：

{
"uid": "12345678",
"fareCardType": 0,
"product_sub_type": "",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH00000000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff",
"fetch_adpu_mode": "SYNC",
"session": "3581-547405239-44086875137",
"size": 1024,
"atqa": "0400",
"current_step": "1",
"sak": "08",
"command_results": {
"succeed": true,
"results": [
{
"result": "6F108408A000000151000000A5049F6501FF9000",
"checker": "^(9000|6283)$", "command": "00A4040008A000000151000000", "index": "1" }, { "result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000", "checker": "^(9000)$",
"command": "8050200008691C3B013B3EED18",
"index": "2"
}
]
},
"aid": "",
"action_type": "copyFareCard"
}

你的任务：

1. 首先手机处于被抓包的状态，然后点击复制门禁卡（需要未加密的门禁卡，后面的api才会被触发）
2. 利用抓包和改包工具，在Request请求前，拦截这两个API请求，并修改这两个请求体的两个参数：uid和blockContent，最后复制成功后的卡就是你自定义的NFC数据了。
3. 安卓我不确定能不能抓包，安卓系统信任证书太严格了。iOS亲测有效，我写了一个thor脚本，用过thor的应该能明白怎么去自定义数据了。【2020-07-04更新】【目前厂商码无法成功写入】
   里面涉及较多电脑相关知识，无法做到一一解释，可以搜百度。

   iPhone 演示 NFC全部数据模拟【视频已经被B站下架了】

   天翼云盘 小米手环5 NFC体验视频(视频中的工具为iOS平台某HTTP调试工具演示，需要自己实现相应规则)

   https://cloud.189.cn/t/iqEbymr6Nvqi【2020-07-04更新】【视频已删除】

   （访问码：lfz5）

   不出意外手环3，4，5NFC版本都是用的同一套接口，各位爱友可以试试手环3，4

寒墨轩

小米5手环已经出来了吗

uestcer

zhjjhz 发表于 2020-6-29 15:53
楼主，我的是手环4，我的校园卡是cpu卡，然而我们学校门禁其实并不读取后面的信息，而是只读取了uid号用于 ...

你这种问题比较玄学。我理解的是："你的手环模拟你自己的卡uid是成功刷门禁了，但你的手环和你室友的手环分别模拟你室友的卡uid，都刷门禁失败了。把你室友卡uid写入cuid实体卡却刷成功了门禁。”
现在我觉得需要重点测试的是，你要检验你手环和你室友手环模拟你室友卡uid的时候，是否真正模拟成功了的。就是手环模拟你室友uid的时候，用你的pm532去读你手环的uid，看是不是成功模拟了你室友的uid。

zhjjhz

楼主，我的是手环4，我的校园卡是cpu卡，然而我们学校门禁其实并不读取后面的信息，而是只读取了uid号用于门禁，我自己用pm532读取了一张空白卡（我也不知道这个dump文件是哪个卡的），将uid号修改为我的uid后成功在手环模拟了我的门卡并且完美支持，然而，正当我喜庆帮舍友也弄一张的时候，我发现如果只是将uid区域修改为他的卡的uid，我们两个人的手环都不能模拟，不过刷了他的uid的cuid卡是可以刷门禁的。这不知道是什么情况。

我傻瓜1991

去天翼网盘看看什么情况

BBoy蓝牙

zhe.....这图片也看不了

uestcer

BBoy蓝牙 发表于 2020-6-29 15:34
zhe.....这图片也看不了

重新上传了图片

子风遥遥1988

跪求视频教程，楼主厉害了

lqq197

感觉好复杂，但是思路应该可以学习~谢谢分享

cdtily

学习了，学习了，谢谢分享