12558网页游戏私服论坛

 找回密码
 立即注册
游戏开服表 申请开服
游戏名称 游戏描述 开服状态 游戏福利 运营商 游戏链接
攻城掠地-仿官 全新玩法,觉醒武将,觉醒技能 每周新区 经典复古版本,长久稳定 进入游戏
巅峰新版攻 攻城掠地公益服 攻城掠地SF 新兵种、新武将(兵种) 进入游戏
攻城掠地公 散人玩家的天堂 新开 进入游戏
改版攻城掠 上线即可国战PK 稳定新区 全新改版,功能强大 进入游戏
少年江山 高福利高爆率 刚开一秒 江湖水落潜蛟龙 进入游戏
太古封魔录 开服送10亿钻石 福利多多 不用充钱也可升级 进入游戏
神魔之道 签到送元宝 稳定开新区 送豪华签到奖励 进入游戏
神奇三国 统帅三军,招揽名将 免费玩新区 激情国战,征战四方 进入游戏
龙符 三日豪礼领到爽 天天开新区 助你征战无双 进入游戏
王者之师 免费领豪华奖励 免费玩新区 6元送6888元宝 进入游戏
查看: 372|回复: 0

小米手环5 自定义NFC数据区【2020-07-04更新】【厂商码失效】

[复制链接]
发表于 2021-5-7 22:51:27 | 显示全部楼层 |阅读模式
仅作技能研究,切勿用作非法用途

【2020-07-04更新】【目前厂商码无法乐成写入】【https://api-mifit-cn.huami.com】也被替换成了【https://api-mifit-cn2.huami.com】

(第一次发帖,如有错误,望大佬指正)

结论:

方案1

小米手环5 NFC可以通过修改HTTPS的POST 数据来自界说NFC卡片的所有扇区数据;【2020-07-04更新】【目前厂商码无法乐成写入】
方案2


  • 先手环复制一张没有加密的实体门禁卡(实体门禁卡卡号要提前写成自己想要的卡号),并且启用。
  • 然后通过电脑+NFC读卡器(ACR122U)直接修改这张卡的数据。除去0扇区第0行外,其它所有数据都可以修改。由于0扇区第0行包含卡号、校验码和厂商码,所以小米手环不答应改。
着重先容一下方案1:

方案1的实现:

我们利用小米手环NFC(3,4和5代)进行门卡模拟,必要读取一张非加密门禁卡。读取乐成后,手机会将这张卡的卡号(uid)和所有数据(blockContent)上传至服务器,所有的手环指令都由服务器天生,再下发到手机,手机通过蓝牙将指令传给手环。这些指令我全都看不懂,也没办法自己天生手环指令。但是我可以在手机将卡号(uid)和所有数据(blockContent)上传至服务器前进行更改成自己想要的,然后由小米服务器自己去天生指令即可乐成。
可以借鉴我以前的小米手环3 NFC数据修改的方式借鉴电脑抓包和改包。
抓包改包软件很多,自行选择。

接下来,先容两个关键请求和上传参数

第一个api和参数:【2020-07-04更新】【https://api-mifit-cn.huami.com】被华米替换成了【https://api-mifit-cn2.huami.com】

https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198
Request Body为:
{
"fareCardType": 0,
"fetch_adpu_mode": "SYNC",
"product_sub_type": "",
"sak": "08",
"uid": "12345678",
"aid": "",
"atqa": "0400",
"size": 1024,
"action_type": "copyFareCard",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH00000000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff"
}
第二个api和参数:【2020-07-04更新】【https://api-mifit-cn.huami.com】被华米替换成了【https://api-mifit-cn2.huami.com】

https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974
Request Body为:
{
"uid": "12345678",
"fareCardType": 0,
"product_sub_type": "",
"blockContent": "1234567870880400C08E3B50596010130000000000ABCDEFGH00000000000000000000000000000ABCDEFGH000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000ffffffffffffff078069ffffffffffff00000000000000000000000000000000000000000000000000000000000000000000ABCDEFGH00000000000000000000ffffffffffffff078069ffffffffffff0000000000000000000000000000000ABCDEFGH000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff000000000000000000ABCDEFGH0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000ABCDEFGH00000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff078069ffffffffffff00000000000000000000000000000ABCDEFGH00000000000000ABCDEFGH00000000000000000000000000ABCDEFGH000ffffffffffffff078069ffffffffffff",
"fetch_adpu_mode": "SYNC",
"session": "3581-547405239-44086875137",
"size": 1024,
"atqa": "0400",
"current_step": "1",
"sak": "08",
"command_results": {
"succeed": true,
"results": [
{
"result": "6F108408A000000151000000A5049F6501FF9000",
"checker": "^(9000|6283)$", "command": "00A4040008A000000151000000", "index": "1" }, { "result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000", "checker": "^(9000)$",
"command": "8050200008691C3B013B3EED18",
"index": "2"
}
]
},
"aid": "",
"action_type": "copyFareCard"
}
你的任务:


  • 首先手机处于被抓包的状态,然后点击复制门禁卡(必要未加密的门禁卡,后面的api才会被触发)
  • 利用抓包和改包工具,在Request请求前,拦截这两个API请求,并修改这两个请求体的两个参数:uid和blockContent,末了复制乐成后的卡就是你自界说的NFC数据了。
  • 安卓我不确定能不能抓包,安卓系统信任证书太严格了。iOS亲测有效,我写了一个thor脚本,用过thor的应该能明确怎么去自界说数据了。【2020-07-04更新】【目前厂商码无法乐成写入】
    里面涉及较多电脑相关知识,无法做到一一解释,可以搜百度。iPhone 演示 NFC全部数据模拟【视频已经被B站下架了】

    天翼云盘 小米手环5 NFC体验视频(视频中的工具为iOS平台某HTTP调试工具演示,必要自己实现相应规则)

    https://cloud.189.cn/t/iqEbymr6Nvqi【2020-07-04更新】【视频已删除】

    (访问码:lfz5)

    不出意外手环3,4,5NFC版本都是用的同一套接口,各位爱友可以试试手环3,4








来源:http://www.12558.net
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
楼主热帖
回复

使用道具 举报

*滑块验证:
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|Archiver|手机版|小黑屋|12558网页游戏私服论坛 |网站地图

GMT+8, 2024-3-29 23:57 , Processed in 0.109375 second(s), 31 queries .

Powered by Discuz! X3.4

© 2001-2017 Comsenz Inc.

快速回复 返回顶部 返回列表