结论:html
方案1.小米手环5 NFC能够经过修改HTTPS的POST 数据来自定义NFC卡片的全部扇区数据;api
方案2.先手环复制一张没有加密的实体门禁卡(实体门禁卡卡号要提早写成本身想要的卡号),而且启用,而后经过电脑+NFC读卡器(ACR122U)直接修改这张卡的数据。除去0扇区第0行外,其它全部数据均可以修改。由于0扇区第0行包含卡号、校验码和厂商码,因此小米手环不容许改。session
着重介绍一下方案1:工具
方案1的实现:fetch
能够借鉴我之前的小米手环3 NFC数据修改的方式借鉴电脑抓包和改包。https://www.cnblogs.com/storyline/articles/9986860.htmlui
抓包改包软件不少,自行选择。加密
起做用的两个连接和请求体参数spa
第一个api和参数:htm
https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198blog
Request Body为:
{
"fareCardType": 0,
"fetch_adpu_mode": "SYNC",
"product_sub_type": "",
"sak": "08",
"uid": "12345678",
"aid": "",
"atqa": "0400",
"size": 1024,
"action_type": "copyFareCard",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH00000000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff"
}
第二个api和参数:
https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974
Request Body为:
{
"uid": "12345678",
"fareCardType": 0,
"product_sub_type": "",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH00000000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff",
"fetch_adpu_mode": "SYNC",
"session": "3581-547405239-44086875137",
"size": 1024,
"atqa": "0400",
"current_step": "1",
"sak": "08",
"command_results": {
"succeed": true,
"results": [
{
"result": "6F108408A000000151000000A5049F6501FF9000",
"checker": "^(9000|6283)$",
"command": "00A4040008A000000151000000",
"index": "1"
},
{
"result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000",
"checker": "^(9000)$",
"command": "8050200008691C3B013B3EED18",
"index": "2"
}
]
},
"aid": "",
"action_type": "copyFareCard"
}
你的任务:
首先手机处于被抓包的状态,而后点击复制门禁卡(须要未加密的门禁卡,后面的api才会被触发)
利用抓包和改包工具,在Request请求前,拦截这两个API请求,并修改这两个请求体的两个参数:uid和blockContent,最后复制成功后的卡就是你自定义的NFC数据了。
里面涉及较多电脑相关知识,没法作到一一解释,不懂能够问问百度。
安卓我不肯定能不能抓包,安卓系统信任证书太严格了。iOS绝对有效,我写了一个thor脚本,会用thor的应该能明白怎么去自定义数据了。
