Mi Band 3 NFC: access cards with custom data


After a lot of trial and error I ended up approaching this from the network-security side: tampering with the packets.

The end result: tapping "Add Xiaomi blank card" produces an access card carrying data of my choosing. [In final testing this also gets past the 2-card limit; up to 5 access cards can be added.]

The idea:

The access-card emulation flow only sends the server the request that adds a card (together with the card data) after it has read an unencrypted physical card,

so I do not add the card through that flow; it is too much hassle.

Instead I pick the "Add Xiaomi blank card" option, which makes the phone send the server a request to add a blank card.

I intercept that POST with Fiddler and rewrite the body into an add-access-card request, swapping in the UID and sector data I want at the same time.

That is all it takes to ask the server to add an NFC card with custom data: the server answers with a list of commands, and the phone runs those commands to write the band automatically.

That is the rough idea, and it definitely worked for me.

I wrote a Fiddler script that intercepts the request automatically and rewrites it with the chosen UID and data blocks.

Here is the code:

        // ---- Custom code: turn the add-blank-card request into an add-access-card request ----
        // Set the UID the band should present here: 4 bytes, 8 hex chars (lowercase, as in the captured packets).
        var UID = "1a2b3c4d";
        // Only touch the two Mi Fit NFC script endpoints; both are POSTs with a JSON body.
        // The /request calls also carry command_results and session, which are left untouched below.
        var isTargetRequest = (oSession.host == "api-mifit.huami.com") &&
            (oSession.fullUrl.Contains("nfc/accessCard/script/init") || oSession.fullUrl.Contains("nfc/accessCard/script/request"));
        if (isTargetRequest)
        {
            // 1. Read the request body as a string
            var requestStringOriginal = oSession.GetRequestBodyAsString();
            //FiddlerObject.log(requestStringOriginal);    // log it to the Fiddler console if needed

            // 2. Parse it into an editable JSON object
            var requestJSON = Fiddler.WebFormats.JSON.JsonDecode(requestStringOriginal);

            // 3. Overwrite the fields so the body matches what Mi Fit sends for a real MIFARE Classic 1K access card
            requestJSON.JSONObject['fareCardType'] = "0";          // 0 = access card (1 = Xiaomi blank card)
            requestJSON.JSONObject['fetch_adpu_mode'] = "SYNC";
            requestJSON.JSONObject['sak'] = "08";                  // SAK 08 / ATQA 0400: MIFARE Classic 1K
            requestJSON.JSONObject['atqa'] = "0400";
            requestJSON.JSONObject['uid'] = UID;
            requestJSON.JSONObject['aid'] = "";
            requestJSON.JSONObject['size'] = 1024;                 // the captured access-card request carries 1024; the blank-card one sends 0
            requestJSON.JSONObject['action_type'] = "copyFareCard";

            // 3.1 Block 0 (manufacturer block): UID | BCC | SAK | ATQA | 8 manufacturer bytes.
            // The BCC is the XOR of the four UID bytes, so it has to be recomputed whenever the UID changes
            // (the value "b2" in the captured dump belongs to the captured card's UID 9ab273e9, not to ours).
            var bcc = 0;
            for (var i = 0; i < 8; i += 2) { bcc ^= parseInt(UID.substr(i, 2), 16); }
            var bccHex = ("0" + bcc.toString(16)).slice(-2);
            var block0 = UID + bccHex + "08" + "0400" + "6263646566676869";

            // 3.2 Full 1K image: 16 sectors x 4 blocks x 16 bytes = 2048 hex chars.
            // Data blocks are all zero; every sector trailer is the factory default
            // (key A ff..ff, access bits ff 07 80, GPB 69, key B ff..ff). Put your own sector data in place of the zero blocks if the reader needs it.
            var ZERO_BLOCK = "00000000000000000000000000000000";
            var TRAILER    = "ffffffffffffff078069ffffffffffff";
            var blockContent = block0 + ZERO_BLOCK + ZERO_BLOCK + TRAILER;
            for (var s = 1; s < 16; s++) { blockContent += ZERO_BLOCK + ZERO_BLOCK + ZERO_BLOCK + TRAILER; }
            requestJSON.JSONObject['blockContent'] = blockContent;

            // 4. Serialize the modified object and put it back on the request
            var requestStringModified = Fiddler.WebFormats.JSON.JsonEncode(requestJSON.JSONObject);
            oSession.utilSetRequestBody(requestStringModified);
        }
Add the code above in Fiddler under Rules -> Customize Rules, inside the function static function OnBeforeRequest(oSession: Session) {}.
With the code added, the function looks like this (the default Fiddler rules stay as they are; the custom block goes at the end):
static function OnBeforeRequest(oSession: Session) {
        // Sample Rule: Color ASPX requests in RED
        // if (oSession.uriContains(".aspx")) {    oSession["ui-color"] = "red";    }

        // Sample Rule: Flag POSTs to fiddler2.com in italics
        // if (oSession.HostnameIs("www.fiddler2.com") && oSession.HTTPMethodIs("POST")) {    oSession["ui-italic"] = "yup";    }

        // Sample Rule: Break requests for URLs containing "/sandbox/"
        // if (oSession.uriContains("/sandbox/")) {
        //     oSession.oFlags["x-breakrequest"] = "yup";    // Existence of the x-breakrequest flag creates a breakpoint; the "yup" value is unimportant.
        // }

        if ((null != gs_ReplaceToken) && (oSession.url.indexOf(gs_ReplaceToken)>-1)) {   // Case sensitive
            oSession.url = oSession.url.Replace(gs_ReplaceToken, gs_ReplaceTokenWith); 
        }
        if ((null != gs_OverridenHost) && (oSession.host.toLowerCase() == gs_OverridenHost)) {
            oSession["x-overridehost"] = gs_OverrideHostWith; 
        }

        if ((null!=bpRequestURI) && oSession.uriContains(bpRequestURI)) {
            oSession["x-breakrequest"]="uri";
        }

        if ((null!=bpMethod) && (oSession.HTTPMethodIs(bpMethod))) {
            oSession["x-breakrequest"]="method";
        }

        if ((null!=uiBoldURI) && oSession.uriContains(uiBoldURI)) {
            oSession["ui-bold"]="QuickExec";
        }

        if (m_SimulateModem) {
            // Delay sends by 300ms per KB uploaded.
            oSession["request-trickle-delay"] = "300"; 
            // Delay receives by 150ms per KB downloaded.
            oSession["response-trickle-delay"] = "150"; 
        }

        if (m_DisableCaching) {
            oSession.oRequest.headers.Remove("If-None-Match");
            oSession.oRequest.headers.Remove("If-Modified-Since");
            oSession.oRequest["Pragma"] = "no-cache";
        }

        // User-Agent Overrides
        if (null != sUA) {
            oSession.oRequest["User-Agent"] = sUA; 
        }

        if (m_Japanese) {
            oSession.oRequest["Accept-Language"] = "ja";
        }

        if (m_AutoAuth) {
            // Automatically respond to any authentication challenges using the 
            // current Fiddler user's credentials. You can change (default)
            // to a domain\\username:password string if preferred.
            //
            // WARNING: This setting poses a security risk if remote 
            // connections are permitted!
            oSession["X-AutoAuth"] = "(default)";
        }

        if (m_AlwaysFresh && (oSession.oRequest.headers.Exists("If-Modified-Since") || oSession.oRequest.headers.Exists("If-None-Match")))
        {
            oSession.utilCreateResponseAndBypassServer();
            oSession.responseCode = 304;
            oSession["ui-backcolor"] = "Lavender";
        }
        
        // ---- Custom code: turn the add-blank-card request into an add-access-card request ----
        // Set the UID the band should present here: 4 bytes, 8 hex chars (lowercase, as in the captured packets).
        var UID = "1a2b3c4d";
        // Only touch the two Mi Fit NFC script endpoints; both are POSTs with a JSON body.
        // The /request calls also carry command_results and session, which are left untouched below.
        var isTargetRequest = (oSession.host == "api-mifit.huami.com") &&
            (oSession.fullUrl.Contains("nfc/accessCard/script/init") || oSession.fullUrl.Contains("nfc/accessCard/script/request"));
        if (isTargetRequest)
        {
            // 1. Read the request body as a string
            var requestStringOriginal = oSession.GetRequestBodyAsString();
            //FiddlerObject.log(requestStringOriginal);    // log it to the Fiddler console if needed

            // 2. Parse it into an editable JSON object
            var requestJSON = Fiddler.WebFormats.JSON.JsonDecode(requestStringOriginal);

            // 3. Overwrite the fields so the body matches what Mi Fit sends for a real MIFARE Classic 1K access card
            requestJSON.JSONObject['fareCardType'] = "0";          // 0 = access card (1 = Xiaomi blank card)
            requestJSON.JSONObject['fetch_adpu_mode'] = "SYNC";
            requestJSON.JSONObject['sak'] = "08";                  // SAK 08 / ATQA 0400: MIFARE Classic 1K
            requestJSON.JSONObject['atqa'] = "0400";
            requestJSON.JSONObject['uid'] = UID;
            requestJSON.JSONObject['aid'] = "";
            requestJSON.JSONObject['size'] = 1024;                 // the captured access-card request carries 1024; the blank-card one sends 0
            requestJSON.JSONObject['action_type'] = "copyFareCard";

            // 3.1 Block 0 (manufacturer block): UID | BCC | SAK | ATQA | 8 manufacturer bytes.
            // The BCC is the XOR of the four UID bytes, so it has to be recomputed whenever the UID changes
            // (the value "b2" in the captured dump belongs to the captured card's UID 9ab273e9, not to ours).
            var bcc = 0;
            for (var i = 0; i < 8; i += 2) { bcc ^= parseInt(UID.substr(i, 2), 16); }
            var bccHex = ("0" + bcc.toString(16)).slice(-2);
            var block0 = UID + bccHex + "08" + "0400" + "6263646566676869";

            // 3.2 Full 1K image: 16 sectors x 4 blocks x 16 bytes = 2048 hex chars.
            // Data blocks are all zero; every sector trailer is the factory default
            // (key A ff..ff, access bits ff 07 80, GPB 69, key B ff..ff). Put your own sector data in place of the zero blocks if the reader needs it.
            var ZERO_BLOCK = "00000000000000000000000000000000";
            var TRAILER    = "ffffffffffffff078069ffffffffffff";
            var blockContent = block0 + ZERO_BLOCK + ZERO_BLOCK + TRAILER;
            for (var s = 1; s < 16; s++) { blockContent += ZERO_BLOCK + ZERO_BLOCK + ZERO_BLOCK + TRAILER; }
            requestJSON.JSONObject['blockContent'] = blockContent;

            // 4. Serialize the modified object and put it back on the request
            var requestStringModified = Fiddler.WebFormats.JSON.JsonEncode(requestJSON.JSONObject);
            oSession.utilSetRequestBody(requestStringModified);
        }
    
    }
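The rewrite the Fiddler script performs, as an added example in Python that is not part of the original post: it builds the same 1K image from a chosen UID, recomputes the BCC byte (the captured dump carries "b2", which is the BCC of the captured card's UID 9ab273e9), and runs the consistency checks worth doing before letting the request through: image length, agreement between the JSON uid/sak/atqa fields and block 0, and the complement rule on the access bits of every sector trailer. The field names, the blank-card body used as sample input and the default-trailer/manufacturer-byte constants come from the post; the function names are mine, and the sector-trailer rule is the standard MIFARE Classic one, which the post does not mention.

```python
import json
from typing import Dict, List, Optional

# MIFARE Classic 1K geometry and the constants that appear in the post's dump.
BLOCK_HEX = 32                                         # 16 bytes per block, as hex
BLOCKS_PER_SECTOR = 4
SECTOR_COUNT = 16
ZERO_BLOCK = "00" * 16
DEFAULT_TRAILER = "ffffffffffffff078069ffffffffffff"   # key A | access bits ff 07 80 | GPB 69 | key B
MANUFACTURER_BYTES = "6263646566676869"                # the 8 filler bytes in the post's block 0

# The add-blank-card body as captured in the post, reused here as the sample input.
BLANK_CARD_REQUEST = ('{"fareCardType":1,"fetch_adpu_mode":"SYNC","sak":"","uid":"","aid":"",'
                      '"atqa":"","size":0,"action_type":"copyFareCard","blockContent":""}')


def bcc(uid_hex: str) -> str:
    """Block check character of a 4-byte UID: the XOR of its bytes (ISO 14443-3 anticollision)."""
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID (8 hex chars)")
    acc = 0
    for b in uid:
        acc ^= b
    return f"{acc:02x}"


def access_bits_valid(trailer_hex: str) -> bool:
    """Complement rule on a sector trailer's three access bytes: C1..C3 are stored once
    inverted and once plain; a mismatch leaves a real card's sector unusable."""
    b6, b7, b8 = bytes.fromhex(trailer_hex[12:18])
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    return (~b6 & 0x0F) == c1 and ((~b6 >> 4) & 0x0F) == c2 and (~b7 & 0x0F) == c3


def build_1k_dump(uid_hex: str, sak: str = "08", atqa: str = "0400",
                  data_blocks: Optional[Dict[int, str]] = None) -> str:
    """Return the 2048-hex-char image carried in blockContent: block 0 is UID|BCC|SAK|ATQA|
    manufacturer bytes, every sector trailer is the factory default, every other block is zero
    unless data_blocks maps its absolute block number to 32 hex chars (sector data from a real card)."""
    uid_hex = uid_hex.lower()
    data_blocks = data_blocks or {}
    blocks: List[str] = []
    for n in range(SECTOR_COUNT * BLOCKS_PER_SECTOR):
        if n == 0:
            blocks.append(uid_hex + bcc(uid_hex) + sak + atqa + MANUFACTURER_BYTES)
        elif n % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1:
            blocks.append(DEFAULT_TRAILER)
        else:
            blk = data_blocks.get(n, ZERO_BLOCK).lower()
            if len(blk) != BLOCK_HEX:
                raise ValueError(f"block {n} must be {BLOCK_HEX} hex chars")
            blocks.append(blk)
    return "".join(blocks)


def rewrite_request(body: str, uid_hex: str, data_blocks: Optional[Dict[int, str]] = None) -> str:
    """The Fiddler script as a pure function: blank-card body in, access-card body out."""
    req = json.loads(body)
    req["fareCardType"] = "0"          # 0 = access card, 1 = Xiaomi blank card
    req["fetch_adpu_mode"] = "SYNC"
    req["sak"] = "08"                  # SAK 08 / ATQA 0400: MIFARE Classic 1K
    req["atqa"] = "0400"
    req["uid"] = uid_hex.lower()
    req["aid"] = ""
    req["size"] = 1024                 # the captured access-card request carries 1024
    req["action_type"] = "copyFareCard"
    req["blockContent"] = build_1k_dump(uid_hex, data_blocks=data_blocks)
    return json.dumps(req, separators=(",", ":"))


def check_request(body: str) -> List[str]:
    """Consistency checks to run before letting the rewritten request through.
    Returns the problems found; an empty list means the image agrees with the card metadata."""
    req = json.loads(body)
    dump = req.get("blockContent", "").lower()
    problems: List[str] = []
    if len(dump) != SECTOR_COUNT * BLOCKS_PER_SECTOR * BLOCK_HEX:
        problems.append(f"blockContent is {len(dump)} hex chars, expected 2048 for a 1K card")
        return problems
    block0 = dump[:BLOCK_HEX]
    uid, stored_bcc = block0[:8], block0[8:10]
    if uid != req.get("uid", "").lower():
        problems.append("uid field does not match the UID in block 0")
    if stored_bcc != bcc(uid):
        problems.append(f"bcc in block 0 is {stored_bcc}, expected {bcc(uid)} for UID {uid}")
    if block0[10:12] != req.get("sak", "").lower():
        problems.append("sak field does not match block 0")
    if block0[12:16] != req.get("atqa", "").lower():
        problems.append("atqa field does not match block 0")
    for s in range(SECTOR_COUNT):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_HEX
        trailer = dump[start:start + BLOCK_HEX]
        if not access_bits_valid(trailer):
            problems.append(f"sector {s} trailer has inconsistent access bits {trailer[12:18]}")
    return problems
```

rewrite_request() is the proxy-independent core; it can be called from a Fiddler rule, a mitmproxy `request` hook or a script that edits a saved capture, and check_request() on its output catches the UID/BCC mismatch that the hard-coded dump produces as soon as the UID is changed. Sector data read from a real reader goes in through data_blocks, keyed by absolute block number, so block 0 and the trailers stay consistent.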
Finally, the steps in brief:

1. Put the computer and the phone on the same LAN.

2. Install and run Fiddler on the computer with the proxy port set to 8888 (learn the Fiddler basics yourself if needed).

3. Point the phone's proxy at the computer so Fiddler captures the phone's traffic. On both iOS and Android the Fiddler root certificate has to be installed and trusted, otherwise the HTTPS requests to api-mifit.huami.com cannot be decrypted, let alone modified.

4. In Fiddler, open the third menu in the top-left bar: Rules -> Customize Rules.

5. The file that opens is JavaScript (JScript.NET). Find the function static function OnBeforeRequest(oSession: Session), paste my code inside it and save. (Change the UID and sector data in the code to what you actually want.)

6. Connect the band to the phone over Bluetooth, open Mi Fit, add a Xiaomi blank card and wait.

A closing word: I had actually bought a few CUID blank cards that could be written directly with my girlfriend's Mi 8. I never expected her Mi 8 to be stolen by a thief on Chunxi Road the day before yesterday, and the cards only arrived today.

[Someone who knows what they are doing could expose the proxy port on the public internet and add custom-data cards for other people that way. Bear in mind that a phone pointed at such a proxy, with its root certificate trusted, hands every TLS session to whoever runs it, not just the Mi Fit requests.]

[This tutorial is only for use with your own Mi Band data; do not use it for anything illegal.]

[Some packet notes to finish; the rest is reference material and can be skipped.]

1. Init request
https://api-mifit.huami.com/nfc/accessCard/script/init?r=894C7E51-A833-4AE6-B369-61A238788F43&t=1542653294011

Delete request body
{"fareCardType":0,"fetch_adpu_mode":"SYNC","sak":"","uid":"","aid":"A0000003964D344D1004283E3B644B05","atqa":"","size":1024,"action_type":"deleteapp","blockContent":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFF078069FFFFFFFFFFFF"}


Blank-card request body
{"fareCardType":1,"fetch_adpu_mode":"SYNC","sak":"","uid":"","aid":"","atqa":"","size":0,"action_type":"copyFareCard","blockContent":""}

Access-card request body (real card: SAK 08, ATQA 0400, 1024-byte image)
{"fareCardType":0,"fetch_adpu_mode":"SYNC","sak":"08","uid":"9ab273e9","aid":"","atqa":"0400","size":1024,"action_type":"copyFareCard","blockContent":"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"}


2. Script request (the phone posts the results of the server's commands back here)
https://api-mifit.huami.com/nfc/accessCard/script/request?r=894C7E51-A833-4AE6-B369-61A238788F43&t=1542653297773
Access-card request body
{"blockContent":"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", "atqa":"0400", "fetch_adpu_mode":"SYNC", "action_type":"copyFareCard", "sak":"08", "fareCardType":"0", "command_results":{"results":[{"index":"1", "command":"00A4040008A000000151000000", "result":"6F108408A000000151000000A5049F6501FF9000", "checker":"^(9000|6283)$"}, {"index":"2", "command":"8050200008D2D8E32B3FCF71C7", "result":"000081841616969471152002003B62C50CBD6FD6E93D11C9C386A8409000", "checker":"^(9000)$"}], "succeed":true}, "session":"0871-260938047-94201481349", "size":1024, "aid":"", "current_step":"1", "uid":"11223344"}

Blank-card request bodies (two successive /request calls of one session)
{"uid":"","fareCardType":1,"session":"851-4110831269-94201228953","blockContent":"","fetch_adpu_mode":"SYNC","size":0,"atqa":"","current_step":"1","sak":"","action_type":"copyFareCard","aid":"","command_results":{"succeed":true,"results":[{"result":"6F108408A000000151000000A5049F6501FF9000","checker":"^(9000|6283)$","command":"00A4040008A000000151000000","index":"1"},{"result":"000081841616969471152002003CD0C715650812529A2FA03735A0B19000","checker":"^(9000)$","command":"80502000081B4F460C59035575","index":"2"}]}}

{"uid":"","fareCardType":1,"session":"851-4110831269-94201228953","blockContent":"","fetch_adpu_mode":"SYNC","size":0,"atqa":"","current_step":"1","sak":"","action_type":"copyFareCard","aid":"","command_results":{"succeed":true,"results":[{"result":"9000","checker":"^(9000)$","command":"848201001037A3E488255DCE5C1ABE1570D118C5C6","index":"1"}]}}
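The command_results the phone posts back, decoded, as an added example that is not from the post. The three commands in the captured packets follow the GlobalPlatform card-manager pattern: SELECT by AID A000000151000000 (the Issuer Security Domain), INITIALIZE UPDATE (CLA 80, INS 50, P1 = key version 20) and EXTERNAL AUTHENTICATE (CLA 84, INS 82). The key-info bytes 20 02 in the INITIALIZE UPDATE response identify SCP02, whose response layout the decoder assumes; the sample bytes are copied from the packets above and the function names are mine.

```python
import re
from typing import Any, Dict, List

# command_results copied from the post's captured access-card /request body.
SAMPLE_RESULTS: Dict[str, Any] = {
    "results": [
        {"index": "1", "command": "00A4040008A000000151000000",
         "result": "6F108408A000000151000000A5049F6501FF9000", "checker": "^(9000|6283)$"},
        {"index": "2", "command": "8050200008D2D8E32B3FCF71C7",
         "result": "000081841616969471152002003B62C50CBD6FD6E93D11C9C386A8409000", "checker": "^(9000)$"},
    ],
    "succeed": True,
}
# Later step from the post's blank-card capture: EXTERNAL AUTHENTICATE with host cryptogram + MAC.
SAMPLE_EXT_AUTH = "848201001037A3E488255DCE5C1ABE1570D118C5C6"

# (CLA, INS) pairs seen in the capture, named per the GlobalPlatform card specification.
INS_NAMES = {
    (0x00, 0xA4): "SELECT",
    (0x80, 0x50): "INITIALIZE UPDATE",
    (0x84, 0x82): "EXTERNAL AUTHENTICATE",   # CLA 84: secure-messaging bit set
}


def parse_apdu(hex_cmd: str) -> Dict[str, Any]:
    """Split a short case-3 command APDU into CLA, INS, P1, P2 and its Lc-length data field."""
    raw = bytes.fromhex(hex_cmd)
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 4:
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match the data length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
            "data": data.hex().upper(), "name": INS_NAMES.get((cla, ins), "unknown")}


def split_response(hex_resp: str):
    """Return (data, SW1SW2): the trailing two bytes are the status word the checker regex tests."""
    if len(hex_resp) < 4 or len(hex_resp) % 2:
        raise ValueError("response must be whole bytes ending in a status word")
    return hex_resp[:-4].upper(), hex_resp[-4:].upper()


def parse_init_update_response(data_hex: str) -> Dict[str, str]:
    """SCP02 INITIALIZE UPDATE response: 10 bytes key diversification data, key version,
    SCP identifier, 2-byte sequence counter, 6-byte card challenge, 8-byte card cryptogram."""
    d = bytes.fromhex(data_hex)
    if len(d) != 28:
        raise ValueError(f"expected 28 bytes, got {len(d)}")
    return {"key_diversification": d[:10].hex().upper(),
            "key_version": f"{d[10]:02X}", "scp_id": f"{d[11]:02X}",
            "sequence_counter": d[12:14].hex().upper(),
            "card_challenge": d[14:20].hex().upper(),
            "card_cryptogram": d[20:28].hex().upper()}


def evaluate_results(command_results: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Apply each step's checker regex to its status word (what the client has to do before it
    can report succeed=true) and annotate the step with the decoded command and, for
    INITIALIZE UPDATE, the decoded secure-channel parameters."""
    out: List[Dict[str, Any]] = []
    for step in command_results["results"]:
        apdu = parse_apdu(step["command"])
        data, sw = split_response(step["result"])
        ok = re.match(step["checker"], sw) is not None
        entry: Dict[str, Any] = {"index": int(step["index"]), "name": apdu["name"],
                                 "p1": apdu["p1"], "sw": sw, "checker_ok": ok}
        if (apdu["cla"], apdu["ins"]) == (0x80, 0x50) and ok:
            entry["scp"] = parse_init_update_response(data)
        out.append(entry)
    return out
```

Run evaluate_results() over the command_results of a captured /request body to see which step a session is at and whether the checker (which only tests the status word) passes. The card cryptogram travels to the server and the host cryptogram plus MAC in EXTERNAL AUTHENTICATE come back from it; the phone relays bytes it cannot produce itself, which fits the author's choice to tamper with the request to the server rather than with the commands that reach the band. The sequence counter (003B in the first capture, 003C in the second, with the same key diversification data) is a quick way to confirm that two captures came from the same secure element in successive sessions.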


[Please credit the source when reposting]