0.24 Cyborg
Update M11-12-2023
libnfcseems to be not working correctly. If it does not write any data to the destination, compile it yourself from here
Hello friends!
Some time ago I've got a NFC Chip (X3 Elite) implanted on my right hand.
As I've never documented the steps what to do when I've finally taken the jump to be one step closer to the machinegod, I thougth it would be appropriate do do it here.
Entrypoint & Pain
The implant itself is 3x13mm.
As you can see in the following image there's almost no visible scar.
The scar after the injection healed after around 3 days.
The pain was also not that bad (like a normal vaccine injection) even though the needle was pretty big. On a daily basis I don't feel the implant at all. It only gets a little uncomfortable when doing grip strenght training.
Sadly I don't have any pictures of the procedure itself.
Chip
UID
Each chip comes with an unique UID which normaly can't be changed.
At least until someone found an exploit hacking mifare classic
Not all cards contain those chinese UID implementations. So it's crucial that the implant uses such a chip.
Protocols
The X3 Elite supports mifare classic which is enough for my purposes.
ACR122U
I've ordered an ACR122u from aliexpress Buy now!.
But please check your local store first. Usually is not a big price difference.
Software
Software comes already with the kit from chip-implants.com. ( Windows software that is... )
On GNU/Linux there is an excellent nfc library which you can download for free nfc-tools.
There are also multiple apps for android available.
Install drivers'n stuff
Libnfc is the driver which handles the USB<=>NFC connection.
MFOC contains multiple tools that we'll need to use later.
# pacman -S libnfc mfoc
Get them keys & dump it!
Every sector is normally encrypted with a specific key.
Mifare classic implementations use the so called A and B key for those sections.
I can straight up dump the card which already contains the keys A&B.
If you're just interested in the keys you can use this tool.
mfoc -O hand_dump.dmp
# swap out your hand with the card to dump
mfoc -O card_dump.dmp
mfoc bruteforces each block and dumps to content to the output file.
It looks something like this:
@tatsumaki x$ mfoc -O card_dump.dmp
Found Mifare Classic 1k tag
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
* UID size: single
* bit frame anticollision supported
UID (NFCID1): 1a a4 91 0e
SAK (SEL_RES): 08
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:
Try to authenticate to all sectors with default keys...
Symbols: '.' no key found, '/' A key found, '\' B key found, 'x' both keys found
[Key: ffffffffffff] -> [xxxx.xxxxxxxxxxx]
[Key: a0a1a2a3a4a5] -> [xxxx.xxxxxxxxxxx]
[Key: d3f7d3f7d3f7] -> [xxxx.xxxxxxxxxxx]
[Key: 000000000000] -> [xxxx.xxxxxxxxxxx]
[Key: b0b1b2b3b4b5] -> [xxxx.xxxxxxxxxxx]
....
Clone the card onto your hand
As the implant is already unlocked (allows overwriting of block 0) I can run the following command to write the contents right into my hand.
@tatsumaki mydumps$ nfc-mfclassic W a u card_dump.dmp hand_dump.dmp
NFC reader: ACS / ACR122U PICC Interface opened
Found MIFARE Classic card:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): 3b a9 15 1f
SAK (SEL_RES): 08
RATS support: no
Guessing size: seems to be a 1024-byte card
Sent bits: 50 00 57 cd
Sent bits: 40 (7 bits)
Received bits: a (4 bits)
Sent bits: 43
Received bits: 0a
Card unlocked
Writing 64 blocks |................................................................|
Done, 64 of 64 blocks written.
nfc-mfclassic uses hereby the keys from hand_dump.dmp to write the new sections onto it.
If the destination card has default keys, you can just use nfc-mfclassic W a u card_dump.dmp
Comparing my hand with my dump
Just like before I dump my hand again into a file.
As I know the right keys to A and B, I can speed up this process
mfoc -O hand_card.dump -k {KeyA} -k {KeyB}
I used cmp to quickly compare them
tatsumaki $ cmp hand_card.dmp card_dump.dmp
tatsumaki $ echo $?
0
Conclusion
The injection wasn't that bad and it's a great topic to talk about.
NFC can travel around 2cm through the tissue so it isn't that bad.
It gets a little uncomfortable during strength training but it's not worth talking about.
If you're paranoid you should get yourself an implant before they'll force you to get one.