Conclusions:
Approach 1. On the Mi Band 5 NFC, the data of every sector of an NFC card can be customized by modifying the HTTPS POST data.
Approach 2. First use the band to copy an unencrypted physical access card (write the card number you want onto the physical card beforehand) and activate it, then modify that card's data directly from a PC with an NFC reader (ACR122U). Everything except block 0 of sector 0 can be modified: block 0 of sector 0 holds the card number (UID), the check byte and the manufacturer bytes, so the Mi Band does not allow it to be changed.
Approach 1 in more detail:
Implementing approach 1:
For capturing and modifying packets on a PC you can follow the method from my earlier post on modifying Mi Band 3 NFC data: https://www.cnblogs.com/storyline/articles/9986860.html
There are many capture/modify tools; pick whichever you like.
The two URLs that matter, with their request body parameters:
First API and parameters:
https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198
Request Body:
{
  "fareCardType": 0,
  "fetch_adpu_mode": "SYNC",
  "product_sub_type": "",
  "sak": "08",
  "uid": "12345678",
  "aid": "",
  "atqa": "0400",
  "size": 1024,
  "action_type": "copyFareCard",
  "blockContent": "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"
}
Second API and parameters:
https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974
Request Body:
{
  "uid": "12345678",
  "fareCardType": 0,
  "product_sub_type": "",
  "blockContent": "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",
  "fetch_adpu_mode": "SYNC",
  "session": "3581-547405239-44086875137",
  "size": 1024,
  "atqa": "0400",
  "current_step": "1",
  "sak": "08",
  "command_results": {
    "succeed": true,
    "results": [
      {
        "result": "6F108408A000000151000000A5049F6501FF9000",
        "checker": "^(9000|6283)$",
        "command": "00A4040008A000000151000000",
        "index": "1"
      },
      {
        "result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000",
        "checker": "^(9000)$",
        "command": "8050200008691C3B013B3EED18",
        "index": "2"
      }
    ]
  },
  "aid": "",
  "action_type": "copyFareCard"
}
Your task:
First put the phone into the intercepted state, then tap "copy access card" (an unencrypted access card is required, otherwise the later API is never triggered).
With the capture/modify tool, intercept these two API requests before they are sent and change two parameters in each request body: uid and blockContent. The card produced by the successful copy then carries your custom NFC data.
This involves quite a bit of PC-related knowledge that I cannot explain point by point; if something is unclear, ask Baidu.
I am not sure whether capture works on Android, because Android's certificate trust is very strict. iOS definitely works; I wrote a Thor script, and anyone who uses Thor should be able to work out how to customize the data from it.
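The two requests above carry the card image (blockContent) next to the uid, sak, atqa and size fields as separate, client-supplied values, and the procedure works because nothing cross-checks them. What such a cross-check looks like, as an added example that is not code from the original post or from Huami's service: it parses a Mifare Classic 1K dump (1024 bytes, the size value in the request), verifies that block 0 of sector 0 agrees with the uid, sak and atqa fields sent beside it (the UID, its XOR check byte, SAK and ATQA, i.e. the block the band refuses to change in approach 2) and that every sector trailer carries well-formed access bits. The field names are the ones from the request bodies above; the sample dump and requests are constructed.

```python
"""Consistency checks for a Mifare Classic 1K dump uploaded with a copyFareCard request.

Added example, not code from the original post or from Huami's service.
Field names (uid, sak, atqa, size, blockContent) are those seen in the captured
request bodies; the dump and the requests below are constructed sample data.
"""
import binascii

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16


def xor_bcc(uid: bytes) -> int:
    """Block Check Character of a 4-byte UID: XOR of its bytes (ISO 14443-3)."""
    bcc = 0
    for b in uid:
        bcc ^= b
    return bcc


def access_bits_valid(trailer: bytes) -> bool:
    """Bytes 6..8 of a sector trailer store C1/C2/C3 twice, once inverted.
    Each nibble pair must XOR to 0xF; anything else is a malformed trailer."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    return (((b6 & 0x0F) ^ (b7 >> 4)) == 0xF
            and ((b6 >> 4) ^ (b8 & 0x0F)) == 0xF
            and ((b7 & 0x0F) ^ (b8 >> 4)) == 0xF)


def check_upload(request: dict) -> list:
    """Return the list of problems found; an empty list means the upload is consistent."""
    problems = []
    try:
        dump = binascii.unhexlify(request["blockContent"])
    except (binascii.Error, KeyError, TypeError):
        return ["blockContent is not a hex string"]

    if len(dump) != request.get("size"):
        problems.append(f"size field {request.get('size')} != dump length {len(dump)}")
    if len(dump) != SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        problems.append("dump is not a Mifare Classic 1K image (1024 bytes)")
        return problems

    block0 = dump[:BLOCK_SIZE]
    uid, bcc, sak, atqa = block0[:4], block0[4], block0[5], block0[6:8]

    # Block 0 must agree with the side fields the client sends alongside the dump.
    if uid.hex().upper() != str(request.get("uid", "")).upper():
        problems.append(f"uid field {request.get('uid')} != block 0 UID {uid.hex().upper()}")
    if bcc != xor_bcc(uid):
        problems.append(f"block 0 BCC {bcc:02X} != XOR of UID {xor_bcc(uid):02X}")
    if f"{sak:02X}" != str(request.get("sak", "")).upper():
        problems.append(f"sak field {request.get('sak')} != block 0 SAK {sak:02X}")
    if atqa.hex().upper() != str(request.get("atqa", "")).upper():
        problems.append(f"atqa field {request.get('atqa')} != block 0 ATQA {atqa.hex().upper()}")

    # The last block of every sector is its trailer; its access bits must be well-formed.
    for sector in range(SECTORS_1K):
        start = (sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1) * BLOCK_SIZE
        if not access_bits_valid(dump[start:start + BLOCK_SIZE]):
            problems.append(f"sector {sector} trailer has inconsistent access bits")
    return problems


def build_sample_dump(uid_hex: str) -> str:
    """Construct a plausible 1K dump for a 4-byte UID (sample data, not a real card)."""
    uid = bytes.fromhex(uid_hex)
    # UID, BCC, SAK 08, ATQA 04 00, then 8 manufacturer bytes.
    block0 = uid + bytes([xor_bcc(uid), 0x08, 0x04, 0x00]) + bytes(range(0x62, 0x6A))
    data_block = bytes(BLOCK_SIZE)
    # Transport-condition trailer: key A, access bits FF 07 80, GPB 69, key B.
    trailer = bytes.fromhex("FFFFFFFFFFFF" + "FF078069" + "FFFFFFFFFFFF")
    blocks = [block0, data_block, data_block, trailer]
    blocks += [data_block, data_block, data_block, trailer] * (SECTORS_1K - 1)
    return b"".join(blocks).hex().upper()


SAMPLE_DUMP = build_sample_dump("DEADBEEF")

# A request whose side fields agree with its dump (constructed).
CONSISTENT_REQUEST = {"uid": "DEADBEEF", "sak": "08", "atqa": "0400",
                      "size": 1024, "blockContent": SAMPLE_DUMP}

# The same dump with only the uid field edited: the mismatch is detectable.
TAMPERED_REQUEST = dict(CONSISTENT_REQUEST, uid="12345678")

if __name__ == "__main__":
    print("consistent:", check_upload(CONSISTENT_REQUEST))
    print("tampered:  ", check_upload(TAMPERED_REQUEST))
```

The check is cheap because the fields are redundant by design: the UID, BCC, SAK and ATQA are all present in block 0, so a server (or an auditor replaying captured traffic) can reject any upload whose side fields and image disagree, and the access-bit rule catches trailers that were edited by hand.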