|
1 | 1 | # magspoof_flipper |
2 | 2 | WIP of MagSpoof for the Flipper Zero. Currently rewriting from the ground up; basic TX of saved files should now work over both RFID (using the Flipper's internal coil) and GPIO (pins A6 and A7: such that one can connect an H-bridge and external coil). A sample file with test data is included in `assets`, for anyone wishing to experiment. Using this README as coarse notes of what remains to be done; anyone is welcome to contribute! |
3 | 3 |
|
4 | | -Disclaimer: use responsibly, and at your own risk. While in my testing, I've seen no reason to believe this could damage the RFID hardware, this is inherently driving the coil in ways it was not designed or intended for; I take no responsibility for fried/bricked Flippers. Similarly, please only use this with magstripe cards and mag readers you own — this is solely meant as a proof of concept for educational purposes, and I neither condone nor am sympathetic to malicious uses of my code. |
| 4 | +Disclaimer: use responsibly, and at your own risk. While in my testing, I've seen no reason to believe this could damage the RFID hardware, this is inherently driving the coil in ways it was not designed or intended for; I take no responsibility for fried/bricked Flippers. Similarly, please only use this with magstripe cards and mag readers you own — this is solely meant as a proof of concept for educational purposes. I neither condone nor am sympathetic to malicious uses of my code. |
5 | 5 |
|
6 | 6 | ## TODO |
7 | 7 | Emulation: |
8 | | -- Clean up old testing scenes, remove deprecated helpers |
9 | | -- Reverse track precomputation |
10 | | -- Does the main timing-sensitive section need to be branchless? (Remove `if`s from the `FURI_CRITICAL...` section of `mag_spoof()`?) |
11 | | -- Implement/integrate better bitmap than hacky first pass? antirez's better approach (from ProtoView) included at bottom of `helpers/mag_helpers.c` |
| 8 | +- General code cleanup |
| 9 | +- Reverse track precompute & replay |
| 10 | +- Implement/integrate better bitmap than hacky first pass? Boilerplate from [antirez](https://github.com/antirez)'s better approach (from [ProtoView](https://github.com/antirez/protoview)) included at the bottom of `helpers/mag_helpers.c` |
| 11 | +- Should the main timing-sensitive section be branchless? (Remove `if` and `switch` statements from the `FURI_CRITICAL...` section of `mag_spoof()`?) |
12 | 12 | - Pursue skunkworks TX improvement ideas listed below |
13 | 13 |
|
14 | 14 | Scenes: |
15 | | -- Complete emulation config scene (include reverse track functionality; possibly expand settings list to include prefix/between/suffix options) |
| 15 | +- Finish emulation config scene (reverse track functionality; possibly expand settings list to include prefix/between/suffix options) |
16 | 16 | - Improved saved info display (better text wrapping options? remove and just include that info on the emulate scene? decode data to fields?) |
17 | | -- Edit saved card scene |
| 17 | +- "About" scene? |
| 18 | +- "Edit" scene (generalize "Add manually") |
18 | 19 |
|
19 | 20 | File management: |
20 | | -- Parsing loaded files into relevent fields (would we need to specify card type as well, to decode correctly?) |
21 | | -- Modify manual add scene to allow editing and renaming of existing files |
22 | 21 | - Validation of card track data? |
| 22 | +- Parsing loaded files into human-readable fields (would we need to specify card type to decode correctly?) |
23 | 23 | - Update Add Manually flow to reflect new file format (currently only sets Track 2, and Info/Emulate scene only displays Track 2) |
24 | 24 |
|
25 | 25 | Known bugs: |
26 | 26 | - Custom text input scene with expanded characterset (Add Manually) has odd behavior when navigating the keys near the numpad |
27 | 27 | - Track 1 data typically starts with a `%` sign. Unless escaped, it won't be displayed when printed, as C considers it a special character. To confirm: how does this impact the emulation when iterating through the chars? Does it get played correctly? |
| 28 | +- Possible file format issues when Track 2 data exists but Track 1 is left empty; doesn't seem to load happily. |
| 29 | +- Attempting to play a track that doesn't have data results in a crash (as one might expect). Need to lock out users from selecting empty tracks in the config menu or do better error handling |
28 | 30 |
|
29 | 31 | ## Skunkworks ideas |
30 | 32 | Internal TX improvements: |
31 | 33 | - Attempt downstream modulation techniques, in addition to upstream, like the LF RFID worker does when writing, for stronger signal |
32 | 34 | - Implement using the timer system, rather than direct-writing to pins |
33 | 35 | - Use the NFC (HF RFID) coil instead of or in addition to the LF coil (likely unfruitful from initial tests; we can enable/disable the oscillating field, but even with transparent mode to the ST25R3916, it seems we don't get low-enough-level control to pull it high/low correctly) |
34 | 36 |
|
35 | | -External RX options (What is simplest read module?): |
36 | | -- Some UART mag reader (bulky, but likely easiest to read over GPIO, and means one can read all tracks) |
37 | | -- Square audio jack mag reader (this may be DOA; seems like newer versions of the Square modules have some form of preprocessing, that also modifies the signal, perhaps in an effort to discourage folks using their hardware independent of their software. Thanks @[arha](https://github.com/arha) for your work investigating this) |
| 37 | +External RX options: |
| 38 | +- UART-connected mag reader (bulky, but likely easiest to read over GPIO, and means one can read all tracks) |
| 39 | +- Square audio jack mag reader (this may be DOA; seems like newer versions of the Square modules have some form of preprocessing that also modifies the signal, perhaps in an effort to discourage folks using their hardware independent of their software. Thanks [@arha](https://github.com/arha) for your work investigating this) |
38 | 40 | - Some read-head directly connected to GPIO, ADC'd, and parsed all on the Flipper. Likely the most compact and cheapest module option, but also would require the most work. |
39 | | -- USB HID input feasible? Flipper seemingly can't act as an HID host, is there any way to circumvent this or is it due to a hardware incompatibility? This would be the easiest / best option all-around if feasible. |
| 41 | +- USB HID input likely infeasible; seems the FZ cannot act as an HID host. |
40 | 42 |
|
41 | 43 | ---- |
42 | 44 | ## Credits |
43 | | -This project interpolates work from [Samy Kamkar's original MagSpoof project](https://github.com/samyk/magspoof), [dunaevai135's Flipper hackathon project](https://github.com/dunaevai135/flipperzero-firmware), and the Flipper team's [LF RFID](https://github.com/flipperdevices/flipperzero-firmware/tree/dev/applications/main/lfrfid) and [SubGhz](https://github.com/flipperdevices/flipperzero-firmware/tree/dev/applications/main/subghz) apps. |
| 45 | +This project interpolates work from [Samy Kamkar's original MagSpoof project](https://github.com/samyk/magspoof), [dunaevai135 & AlexYaro's Flipper hackathon project](https://github.com/dunaevai135/flipperzero-firmware), and the Flipper team's [LF RFID](https://github.com/flipperdevices/flipperzero-firmware/tree/dev/applications/main/lfrfid) and [SubGhz](https://github.com/flipperdevices/flipperzero-firmware/tree/dev/applications/main/subghz) apps. |
44 | 46 |
|
45 | 47 | Many thanks to everyone who has helped in addition to those above, most notably: |
46 | 48 | - [antirez](https://github.com/antirez) for bitmapping suggestions and general C wisdom |
|
0 commit comments