Mi Band 5 NFC: Overview of Methods for Customizing NFC Data

Conclusion:

Option 1. With the Mi Band 5 NFC, all sector data of an NFC card can be customized by modifying the HTTPS POST data;

Option 2. First use the band to copy an unencrypted physical access card (write the card number you want onto the physical card beforehand) and activate it, then modify that card's data directly with a computer and an NFC reader (ACR122U). Everything except sector 0, block 0 can be modified. Because sector 0, block 0 contains the card number, the checksum and the manufacturer code, the Mi Band does not allow it to be changed.

Option 1 in detail:

Implementing option 1:

You can follow the approach from my earlier post on modifying Mi Band 3 NFC data, which uses packet capture and modification on a computer: https://www.cnblogs.com/storyline/articles/9986860.html

There are many packet capture and modification tools; pick whichever you prefer.

The two URLs that matter, and their request body parameters:

First API and parameters:

https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198

Request Body:

{
 "fareCardType": 0,
 "fetch_adpu_mode": "SYNC",
 "product_sub_type": "",
 "sak": "08",
 "uid": "12345678",
 "aid": "",
 "atqa": "0400",
 "size": 1024,
 "action_type": "copyFareCard",
 "blockContent": "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"
}

Second API and parameters:

https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974

Request Body:

{
 "uid": "12345678",
 "fareCardType": 0,
 "product_sub_type": "",
 "blockContent": "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",
 "fetch_adpu_mode": "SYNC",
 "session": "3581-547405239-44086875137",
 "size": 1024,
 "atqa": "0400",
 "current_step": "1",
 "sak": "08",
 "command_results": {
  "succeed": true,
  "results": [
   {
    "result": "6F108408A000000151000000A5049F6501FF9000",
    "checker": "^(9000|6283)$",
    "command": "00A4040008A000000151000000",
    "index": "1"
   },
   {
    "result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000",
    "checker": "^(9000)$",
    "command": "8050200008691C3B013B3EED18",
    "index": "2"
   }
  ]
 },
 "aid": "",
 "action_type": "copyFareCard"
}

Your task:

First, put the phone in a state where its traffic is being captured, then tap "copy access card" (an unencrypted access card is required; otherwise the APIs below are not triggered).

Using the capture and modification tool, intercept these two API requests before they are sent and modify two parameters in each request body: uid and blockContent. Once the copy succeeds, the card carries your customized NFC data.

This involves a fair amount of computer knowledge that I cannot explain item by item; if something is unclear, look it up on Baidu.

I'm not sure whether capture works on Android; Android's certificate trust is too strict. iOS definitely works. I wrote a thor script; anyone who uses thor should understand how to customize the data from it.
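A server-side consistency check for the request bodies shown above, written as an added example (not code from this post, the Huami API or the band): it verifies that the uid, sak and atqa fields agree with block 0 of blockContent and that the block 0 BCC is the XOR of the four UID bytes, which flags a request whose uid or blockContent was edited inconsistently. It assumes blockContent is the hex encoding of all 1024 bytes of a Mifare Classic 1K card (sak 08, atqa 0400); the sample bodies are constructed.

```python
import re

# Assumed card layout (the page only gives sak 08 / atqa 0400 / size 1024):
# Mifare Classic 1K, 64 blocks of 16 bytes, blockContent = hex of all 1024 bytes.
# Block 0 = UID(4) | BCC | SAK | ATQA(2) | manufacturer data(8).
CARD_SIZE = 1024
BLOCK_SIZE = 16


def block0_checks(body: dict) -> list:
    """Return inconsistencies between uid/sak/atqa/size and block 0 of blockContent.
    An empty list means the request describes the card consistently."""
    findings = []
    content = body.get("blockContent", "")
    if not re.fullmatch(r"[0-9A-Fa-f]*", content) or len(content) != 2 * body.get("size", 0):
        return ["blockContent is not hex of exactly 'size' bytes"]
    block0 = bytes.fromhex(content)[:BLOCK_SIZE]
    uid, bcc, sak, atqa = block0[:4], block0[4], block0[5], block0[6:8]
    if uid.hex().upper() != body.get("uid", "").upper():
        findings.append("uid field does not match block 0 UID")
    if bcc != uid[0] ^ uid[1] ^ uid[2] ^ uid[3]:  # BCC is the XOR of the 4 UID bytes
        findings.append("block 0 BCC is not the XOR of the UID bytes")
    if f"{sak:02X}" != body.get("sak", "").upper():
        findings.append("sak field does not match block 0 SAK")
    if atqa.hex().upper() != body.get("atqa", "").upper():
        findings.append("atqa field does not match block 0 ATQA")
    return findings


def make_body(uid_hex: str, bcc: int = None) -> dict:
    """Constructed sample request body in the shape shown above (hypothetical card data)."""
    uid = bytes.fromhex(uid_hex)
    if bcc is None:
        bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc, 0x08]) + bytes.fromhex("0400") + b"\x00" * 8
    content = block0 + b"\x00" * (CARD_SIZE - BLOCK_SIZE)  # remaining blocks left empty
    return {"fareCardType": 0, "fetch_adpu_mode": "SYNC", "sak": "08",
            "uid": uid_hex, "atqa": "0400", "size": CARD_SIZE,
            "action_type": "copyFareCard", "blockContent": content.hex().upper()}


if __name__ == "__main__":
    print(block0_checks(make_body("12345678")))  # consistent -> []
    tampered = make_body("12345678")
    tampered["uid"] = "87654321"  # uid field edited, block 0 left as is
    print(block0_checks(tampered))
```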
