So good afternoon. It's really great to meet awesome people and share my work here. My name is Haoqi Shan, and I'm a wireless hardware security researcher in the Unicorn Team of Qihoo 360, which is located in China. Initially I had a colleague to give this presentation with me, but he had an issue with his visa, so he can't make it. Sorry about that. So now I need to stand here alone and make this presentation. It's my third time giving a presentation here and sharing my team's work, and I hope some of you can remember me, and please just don't judge me for my accent and my explanation. So I will explain and demonstrate to you guys how to build an NFC tool from scratch. In the end, maybe some of you can get the skills to steal some money from someone's credit card, and please, please don't tell anybody you learned it here, all right? Yeah. So let's just step into the topic. Here's the agenda of this presentation; I just drew a simple diagram. I will introduce my great team and lead you guys back to the old times when we were trying to hack something, some NFC cards, something with RFID. So let's get back to the old-fashioned but powerful hacking tools we used to use, okay? Then the details of the newest RFID hacking tool, which is my tool, UniProxy, will be introduced. Two demos will be shown on video, and I hope this one will work, okay? The presentation is about how to build a tool, so I will focus more on the idea instead of some hacking skills, and hopefully I won't disappoint you guys. By the way, this is the last presentation of the day, I think, so I will try to make this fast and fun, and I hope I won't delay you guys. So here's the first quick demo of my hacking tool, and I will let you guys have a simple impression of UniProxy. So let's just... okay, this won't work.
Oh, so I will stop at a moment to give you an explanation, okay? You can see on the table there are two pieces of hardware, which are UniProxy, one cell phone to get the notification, one POS machine, and one credit card with chip and PIN. Now we just turn our hardware on, and we can turn our POS machine on and choose how much money you want to spend. You can see we place one credit card just near the UniProxy master part, and now we just bring the POS machine near our UniProxy slave part. So you can just tap it, and now, one moment, it's processing. Now you've got a receipt. So in this way you can just steal some money by tapping his credit card; if you want to steal someone's money from a credit card with chip and PIN, you just tap somewhere and process the payment without a password, right? But if you want to try to steal money, apparently you can't just hold a giant POS machine next to him to steal his money, or he will just call the cops, right? So now you can just get around him with a simple card and tap it, and you can get his money. Maybe someone wants to ask: is there any security protocol used in the credit card, and how did you use some other person's credit card to pay? So that's the UniProxy tool we just built. I just want to introduce my team and let you know our name is Unicorn Team, and we are an internal security research team of Qihoo 360 Security, founded in 2014. We focus on wireless hardware hacking and defense, and we do a lot of security research and hardware development, and also pentests. We have a series of wireless security research published at DEF CON and Black Hat, and maybe some of you have heard of it before.
It's about low-cost GPS spoofing, which was presented three years ago, and also the ROT direction attack, which was presented here last year. We also had a power communication attack at DEF CON last year, and this year, I don't know if you guys have heard of it, it's about the Ghost Telephonist, with which we can hijack and spoof your call and your SMS, even when you are on the 4G LTE network. So I think that's a little bit cool. We also have some hardware development: we have a lot of hacking tools, and we have HackID, but mostly focused on RFID, okay? Just HackID, HackID Pro, etc. You can see all the details on our website. So, I believe you guys are not inexperienced in near field communication hacking, because it's widely used in our life, right? Your credit card, your ID card, and your security door card; it's really all around us. The NFC card doesn't need power itself and takes the power of the reader. There are many protocols used in NFC cards, such as ISO 14443 and ISO 15693, etc. But now we only focus our choice on ISO 14443, okay? Just as an example. This protocol is basically the most popular protocol in NFC cards. It supports many applications: in China, the security card, your passport, and your bank card are all based on this protocol. Its wide use leads to a lot of hacking methods aimed at the NFC card, and I do that too. So here is what we are aiming at. Why do we want to hack NFC cards? As we mentioned before, we are hackers, and of course we want to fake someone's security card to enter some forbidden area. And also some people might want to use other people's security cards, just like me, instead of their own. Yeah, which I highly recommend you don't do. For me, there is another story, okay? My company is a huge company in China.
So it has strict rules to make sure the staff, my colleagues, go to work and get off work on time. Everybody in my company has a unique security card, and the security system will log the time when you enter every gate, when you enter every room. So your boss will easily know whether you are late or not. And also, if you are late for work, you lose salary, all right. Yeah. So I was thinking maybe I could build a tool to fake my ID card and place it near some secluded door with a reader, so I don't have to get up early every day. Yeah. But the company is a security company, and actually the security system is developed by my team. Yeah. So this is awkward. Yeah. We use the HID card as our ID card, and I don't know any easy way to fake an HID card, because breaking a security protocol is really hard. So I was just thinking maybe I could just build a proxy tool to transfer the signal between the reader and the card, and just let the near turn into far away, so I can survive. And while I was thinking that, I was thinking I could use the same approach on credit cards with chip and PIN. You guys do have chip and PIN cards, right? You can just buy something and just tap somewhere without a password. It's also based on the NFC tag, so we are able to just hide it. I'm sorry. So the way we used to hack, just to have a quick review of what we used to do: we used to use a Proxmark3 and the Chameleon Mini. The Proxmark3 is the best HID hacking tool that I used to use. I also used the Chameleon Mini, and these tools are focused on the protocol. With the Proxmark3 you can hack both high frequency and low frequency, so it's very powerful.
But the other one is just focused on ISO 14443, and you can just clone a card if you can crack it, but it's mostly focused on MIFARE, MIFARE Classic 1K or MIFARE Classic 4K. There's also another way, just like ours, a proxy tool, which I think they also talked about: two Android apps. You can Google them, download them and try them. They are named NFCProxy and NFCGate. But when I used them they were not very... I don't know, maybe not fit for the Chinese environment. But that's okay; those tools just inspired me on how to build a proxy tool. And why not use a Proxmark3? Even though it supports many protocols and it's powerful, it can't hack a credit card, or, I guess, we can't get its original. Yeah. And why don't we use NFCGate or NFCProxy? They are based on Android, and they can use modified firmware to relay your NFC data, and they can monitor transmitted data, but they rely on Wi-Fi. So the delay on the Wi-Fi network is really huge; it can be tolerable, but it's too much delay to complete the whole payment procedure, and that's why I didn't use them. So let's just say I built another one. Why do I need this tool? As I just mentioned before, I want to survive and I want to earn money, and I was inspired by the brilliant hacking tools mentioned, but I wanted to make it faster. I was thinking my team can build a lot of hardware, so let's just focus on a pure hardware solution. Also, this tool is completely self-designed and modified, so everything we need is produced by us. We don't need to rely on reading some other source code or on some other hardware design; we just build our own. So I just want to introduce what UniProxy is.
So I believe you guys have a clear view now. It's a PN7462AU-based NFC proxy tool, a chipset manufactured by NXP. Currently this device only supports the ISO 14443A protocol, but it can easily be extended to some other protocols as long as the chipset supports them. Now the device is targeting the QuickPass credit card. I don't know if you guys know it; the American version of QuickPass may be named EMV or Visa payWave, but it's similar. UniProxy contains two parts, the reader emulator and the card emulator, which I call the master one and the slave one. The payment information will be transferred between the master and the slave via the nRF24L01 chipset, which means it's point-to-point wireless data transmission. As I just mentioned, it's easy to extend and adapt to ISO 14443B and ISO 15693 standard NFC cards; it's another protocol, but as you know it's open, and the chipset supports it, so you can modify it by yourself. So here is the core of UniProxy. We use the PN chipset as the core; as I mentioned, it's an NXP chip, and it supports the full MIFARE family, because it can read, it can write, and it can emulate cards, and it's quite powerful. And it's really cheap to use, I think, because when I tried to find some documents it was not easy to Google them. That is to say, we didn't buy the device service from NXP, so we don't have any official support, but we practice, right? The architecture of UniProxy is, as I said, on the screen. It's simple. We use a simple electronic circuit design which is slightly modified from the NXP official recommendation. So don't worry about the hardware design; it's not a big deal, not a big issue. The chipset is highly integrated and very powerful, which is also the reason why we chose this one. So this is the front face of our UniProxy tool.
So you can see the RF antenna here, I'm sorry. This is the antenna. Sorry about that, I use a pen on my iPad to mark this, because I'm not good at PowerPoint. So this is the antenna with the team logo on it. And in the left corner, where is it... here. In the left corner you can see the power supply circuit. This tool is powered by lithium batteries, so it's also chargeable. You can take this outside and do something evil without any notice. On the right side you can see the nRF24L01 chip module; we use these chipsets to communicate between the master and the slave. I don't know if you guys can see the core chip, it's right here. Yeah, it's a little bit dark. It's an NXP chip under the antenna. So you can see the hardware of this hacking tool is quite simple; it isn't complicated at all. With the official recommendation, everybody can draw their own device and build the same one, and it's quite easy, so don't fret. This is the back side of the master part; you can see there's nothing else, just the antenna, just a battery. After the hardware design, I'd like to introduce the software design here. Let's step to the software processing of this hacking tool. Actually, in my opinion, I really believe the source code can explain everything, right? When I was going to make this presentation, I thought, let's just make this open source and voilà, I can just play around. But as you see, it's a big company and it's not my own work, so it's company property. That's why I need to stand here and only present a few source code screenshots, and then we fix... fix whatever, sorry. So, just back to the topic.
Firstly, you need to init the reader library API, and there will be a loop to put our chip into sniffing mode; it will detect any RF field with the protocol we are aiming at around it, and if it's the correct one, we'll just go to the handshake step. In our master part, as you know, the reader emulator will try to run the handshake routine with the card which is just within its RF range. After the handshake, our master part will get the parameters of the card and set a timeout. Then it will pack and transfer all the raw data to the card emulator immediately. Then the master will just wait to receive the data which comes back from the slave before it times out. If everything is okay, the whole routine will just start the block transmission. You can just download the PDF and see the source code details. This is the block transmission routine and also the last routine of the master part. When it starts to transmit block data, it will just wait for a response from the card emulator before it times out, and then just forward and relay the data to the real card, and wait for the response of the real card. If there is something wrong with the real card and it doesn't get a response before the timeout, the master will notify the slave and the communication is ended. Or our emulator will just get the I-block. The I-block is the real data, so you can just process it and directly respond to the real card. You don't need to pack the data, you don't need to transfer the data.
So it will directly respond; when it finishes the direct response, in the other case, the data will be directly forwarded to the card emulator. So that forms a loop, until the whole procedure is ended. This is the front of the slave part of our hacking tool. Now you can notice the hardware is exactly the same. You can build one for the master and one for the slave; you don't need to build different parts. They are the same hardware design, but the software is what's different. The process of our slave part just corresponds to the master one, or we can call it master and slave, right? After the start of the hardware, the program will just init the card emulator function and try to receive the ISO 14443 parameters from the air. As we described before, they come from the reader emulator. Once it gets the parameters, the slave will just send a successful command response back to the master part and notify it. Here is the second part of our slave software design. The slave will start interacting with the reader emulator, and it needs the card emulator, which received the parameters. If there is a real card reader nearby, the slave part, which, as you know, is our card emulator, will start the communication with the received parameters. Then it will act like a real card to make the handshake with the real reader. Then, corresponding to our master part, it starts the block transmission. The card emulation is just more complicated than the reader emulation in the software design. After the start of the block transmission, the card emulator will receive data from the real reader.
If the data is not I-block data, the slave will detect whether it is a DESELECT command, and if it is, just forward it to the reader emulator and send this command to the real reader. This process will just save time. If there is an S-block or an R-block instead, the card emulator will just process it by itself. Back at the upper level, the card emulator will just forward the data to the reader emulator and send a delay command after half of the waiting time. This will actually also raise the success rate, because there will always be some unexpected delays. Then the slave part will receive data from the reader emulator and forward it to the real reader, and all the actions form a loop and cooperate with the reader emulator, and finally finish the whole transmission. In the end you can complete the entire transmission procedure. The principle I just described is very simple, but I would like you to know there were a lot of issues that occurred in the development. I would like you to have an impression of what you'll be stuck on if you want to make an NFC proxy tool. Okay. So first, the chipsets we use cannot change the first byte of the UID. It's burned in the firmware, so you can't change the first byte of the UID of your chipset. It will always be 08. But luckily, if you want to fake a credit card, the credit card reader won't verify your credit card via the UID, and we didn't find a way to modify it in our long-time tests.
Because most money-related applications won't check the identity of the card with the UID; on the other hand, I think it's a good way to prevent this kind of attack. Secondly, the waiting and wake-up time is a real issue when you're developing a proxy tool. As you know, the NFC card doesn't carry power, right? It uses the power from the reader, and if the card hasn't received any response from the reader, it will lose power and turn off. So apparently the whole attack progress just fails. Please remember to modify the wake-up time when you're programming. Remember the hacking tool NFCGate, which I used in my experiment; that's the same reason I said, okay, I don't want to use this tool, because it didn't modify the wake-up time, and it also uses the Wi-Fi network, which also increases the delay. So just remember to modify the wake-up time, okay? Thirdly, in order to speed up the whole progress, we don't need to transfer all kinds of data between the reader emulator and the card emulator. We just need to transfer I-block data, and directly process S-block or R-block data to respond in real time. This is also mentioned in ISO 14443 part 4, so please read it carefully. Also, the power supply may also cause corruption of the chipset, so if you want to design the hardware of the power circuit, just use a regulator and don't try any tricks, okay? So let's see another demo video in our real environment, in which I use someone's credit card to buy a Big Mac at McDonald's. You can see we turn on the master one, step one. You can see someone's wallet, just press here, use someone else's. Of course I didn't steal someone's money.
It's my credit card. The payment is preparing; use Apple Pay or QuickPass. Just press it and just grab your food. Thank you. Thank you. So we just described how to attack a credit card, right? This is how we defend against it. I saw a lot of people use a blocking sleeve to protect the card, and there is also the RFID wallet to prevent this kind of attack. These are also good ways and you can use them. We also have the RFID jammer, which of course I built; we designed and manufactured one, and we sell it, and that's it. And guard bonding; in America I think you can just buy a blocking sleeve and an RFID wallet, or just guard bonding. It's really efficient, and I recommend you have a try. Here's a summary of what we learned in this development. You need to read the protocol and the documents well; there are a lot of tricks inside. So better not to develop it without official support, because when we were using the NXP chipsets it was really a waste of time, because we got stuck on some weird mistakes and we just couldn't read the documents. There was no official support, and we developed this in about six months, I think; if there were official support, I think this could be done in two months. First of all, I'd like to say what we want to improve. We want to improve the transmission range up to 100 meters. Currently the master and slave can work about, I'm sorry, more than 50 meters apart. So I can just stand here around you, and my partner will stand about 50 meters away and steal your information, steal your money. Yeah. But with some kind of amplifier, we can just raise the range to 100 meters. It's easy, but we need to do that.
And also, as I just said, my initial point was to fake my security card, but the range between my home and my company is about six kilometers, so I need to fix this issue, right? Yeah. I also want to make this more compatible, because now it's just attacking one protocol, ISO 14443A, and I want to make it adapt to HID, adapt to ISO 15693, and let it know which protocol is being used. The rest is how. I just want to make this fast and publish it on the network so everybody can learn and everybody can build their own proxy tools. Here are our references, and I really want to thank them, and also the hardware team of my team, and the NFC tools, which inspired me a lot. So, any questions?
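The block routing the talk describes (only I-blocks and DESELECT cross the radio between the card emulator and the reader emulator; R-blocks and S(WTX) are answered locally, following ISO 14443-4 part 4), as an added example written for this page. It is not UniProxy source code and not the speaker's code. The real card, the POS reader and the nRF24L01 link are replaced by plain Python callables, the APDUs and the stand-in card's answers are constructed samples, and the CRC_A helper is included only for completeness, since the NFC controller appends and checks it in hardware.

```python
"""ISO 14443-4 block routing for an NFC relay split into a card emulator (slave,
facing the real POS reader) and a reader emulator (master, facing the real card).
Added example for this page; NOT UniProxy source.  The radio link and the real
card are callables here (assumption: bytes in, bytes or None out, None = timeout)."""

I_BLOCK, R_BLOCK, S_BLOCK = "I", "R", "S"


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (reflected poly 0x8408, init 0x6363), appended LSB first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def block_type(pcb: int) -> str:
    """Decode the PCB byte (ISO 14443-4 7.1): 0xxxxxxx I, 101xxxxx R, 11xxxxxx S."""
    if pcb & 0xC0 == 0x00:
        return I_BLOCK
    if pcb & 0xE0 == 0xA0:
        return R_BLOCK
    if pcb & 0xC0 == 0xC0:
        return S_BLOCK
    raise ValueError(f"invalid PCB {pcb:#04x}")


def is_nak(pcb: int) -> bool:        # R-block bit 5: 0 = ACK, 1 = NAK
    return bool(pcb & 0x10)


def is_deselect(pcb: int) -> bool:   # S-block bits 6-5: 00 = DESELECT, 11 = WTX
    return pcb & 0x30 == 0x00


def wtx_request(wtxm: int) -> bytes:
    """S(WTX) a card sends to hold the reader while the relay is slow (WTXM 1..59)."""
    if not 1 <= wtxm <= 59:
        raise ValueError("WTXM must be 1..59")
    return bytes([0xF2, wtxm])


class ReaderEmulator:
    """Master: replays I-blocks to the real card with its own block numbering."""

    def __init__(self, card):
        self.card = card          # callable(frame) -> frame | None
        self.block_num = 0        # PCD block number starts at 0 (rule A)

    def on_radio(self, frame: bytes):
        pcb = frame[0]
        if block_type(pcb) == S_BLOCK and is_deselect(pcb):
            self.block_num = 0
            return self.card(frame)                  # deselect the real card too
        frame = bytes([(pcb & 0xFE) | self.block_num]) + frame[1:]
        resp = self.card(frame)
        # grant any S(WTX) the real card asks for by echoing it, then keep waiting
        while resp is not None and block_type(resp[0]) == S_BLOCK and not is_deselect(resp[0]):
            resp = self.card(resp)
        if resp is None or block_type(resp[0]) != I_BLOCK:
            return None           # real card timed out: the slave gives up
        self.block_num ^= 1       # rule B: toggle after a valid I-block arrives
        return resp


class CardEmulator:
    """Slave: only I-blocks and DESELECT cross the radio; R and S(WTX) are answered locally."""

    def __init__(self, radio):
        self.radio = radio        # callable(frame) -> frame | None, to the master
        self.block_num = 1        # PICC block number starts at 1 (rule C)
        self.last_sent = None

    def on_reader_block(self, frame: bytes):
        pcb = frame[0]
        kind = block_type(pcb)
        if kind == I_BLOCK:
            self.block_num ^= 1                      # rule D: toggle before answering
            resp = self.radio(frame)
            if resp is None:
                return None                          # say nothing; the POS will time out
            self.last_sent = bytes([0x02 | self.block_num]) + resp[1:]
            return self.last_sent
        if kind == R_BLOCK:
            if (pcb & 1) == self.block_num and self.last_sent:
                return self.last_sent                # rule 11: reader missed our last block
            if is_nak(pcb):
                return bytes([0xA2 | self.block_num])  # rule 12: answer R(ACK)
            return None                              # R(ACK) during chaining: not modelled
        if is_deselect(pcb):
            self.radio(frame)                        # forwarded so the real card is deselected
            self.block_num, self.last_sent = 1, None
            return b"\xC2"                           # S(DESELECT) response
        return None                                  # reader's S(WTX) reply to our own request


def demo():
    """Constructed end-to-end run with a stand-in card; returns what each side saw."""
    seen, state = [], {"pending": None}

    def fake_card(frame):                # constructed stand-in for the real card
        seen.append(frame)
        kind = block_type(frame[0])
        if kind == S_BLOCK and not is_deselect(frame[0]):   # reader granted our WTX
            reply, state["pending"] = state["pending"], None
            return reply
        if kind == S_BLOCK:
            return b"\xC2"
        reply = bytes([0x02 | (frame[0] & 1)]) + b"\x90\x00"
        if frame[1:3] == b"\x80\xAE":    # slow crypto step: ask for more time first
            state["pending"] = reply
            return wtx_request(4)
        return reply

    master = ReaderEmulator(fake_card)
    slave = CardEmulator(master.on_radio)
    select_ppse = bytes.fromhex("00a404000e325041592e5359532e444446303100")
    gen_ac = bytes.fromhex("80ae8000")   # constructed, truncated GENERATE AC header
    out = {"select": slave.on_reader_block(b"\x02" + select_ppse)}
    out["retransmit"] = slave.on_reader_block(b"\xB2")   # R(NAK)(0): reader lost our reply
    out["gen_ac"] = slave.on_reader_block(b"\x03" + gen_ac)
    out["deselect"] = slave.on_reader_block(b"\xC2")
    out["card_saw"] = seen
    return out
```

Running `demo()` shows the two points the talk makes: the R(NAK) retransmission never touches the radio link, and the WTX handshake for a slow card happens entirely on the master side, so the POS only ever sees complete I-blocks from the slave. The block numbers are re-sequenced on each side because the real card and the POS each count independently.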