1. No category

(University of Applied Sciences) How to manipulate a QR

FH JOANNEUM (University of Applied Sciences)
How to manipulate a QR-Code
Bachelor Thesis
Submitted in conformity with the requirements
for the degree of
Bachelor of Science in Engineering (BSc)
Bachelor’s degree program Internet Technology
FH JOANNEUM (University of Applied Sciences), Kapfenberg
Date of submission:
Supervisor: Michael Ulm
Submitted by: Katrin Feyrer
Personal identifier:
1110418008
(04/2014)
Declaration of Authenticity
I declare that all material presented in this bachelor thesis is my own work or fully and specifically
acknowledged wherever adapted from other sources. I understand that if at any time it is shown that
I have significantly misrepresented material here, any degree or credits awarded to me on the basis
of that material may be revoked.
I declare that all statements and information contained herein are true, correct and accurate to the
best of my knowledge and belief.
Kapfenberg, 30 April 2014
(Katrin Feyrer)
How to manipulate a QR-Code
Page 2 of 56
Abstract English
QR-Codes are nowadays everywhere to see. They are used on flyers, business cards or posters.
Companies use them to give mobile users the possibility to access their website easier. They also use
QR-Codes to give further information, which cannot be put on a poster because of the amount of
information or the information itself, which does not fit in the context of the poster.
On business cards, they are useful to save contact data. The user only scans it and saves it on the
mobile phone.
This paper is about the structure of the QR-Code 2005 and the project work 2 – “Create a QR-Code
Platform”. The goal of the project was to manipulate a version 2 QR-Code to make it more attractive
for marketing use.
Abstract German
Heutzutage sind QR-Codes überall sichtbar. Egal ob auf Prospekten, Plakaten oder Visitenkarten.
Unternehmen wollen zum Beispiel ihre Webseite für mobile Nutzer einfach zugänglich machen. Diese
nutzen QR-Codes auch, um Informationen, welche aufgrund der Menge oder der Information an sich
nicht auf ein Plakat passen, zur Verfügung zu stellen.
Auf Visitenkarten sind QR-Codes nützlich, da man durch scannen des QR-Codes die Kontaktdaten
sofort am Handy speichern kann.
Dieses Paper beschäftigt sich mit dem Aufbau, der Codierung und Decodierung des QR-Codes 2005.
Weiteres wird die Projektarbeit 2 – „Create a QR-Code Platform“ beschrieben, welche zum Ziel die
Manipulation eines Version 2 QR-Codes hatte.
How to manipulate a QR-Code
Page 3 of 56
List of contents
Declaration of Authenticity .................................................................................................................... 2
Abstract English ...................................................................................................................................... 3
Abstract German .................................................................................................................................... 3
1
Introduction ................................................................................................................................... 6
2
What is a QR-Code? ........................................................................................................................ 7
3
2.1
History .................................................................................................................................... 7
2.2
Structure ................................................................................................................................. 7
2.2.1
The Finder Pattern .......................................................................................................... 9
2.2.2
The Separators .............................................................................................................. 10
2.2.3
The Alignment Pattern .................................................................................................. 11
2.2.4
The Timing Pattern ....................................................................................................... 13
2.2.5
The Version ................................................................................................................... 13
2.2.6
The Format ................................................................................................................... 13
2.2.7
Error Correction Feature ............................................................................................... 14
How does a QR-Code work ........................................................................................................... 18
3.1
Which information can be saved? ........................................................................................ 18
3.2
How to encode data for a QR-Code ...................................................................................... 18
3.2.1
Data and Error Correction Code Words ........................................................................ 19
3.2.2
The Matrix .................................................................................................................... 21
3.2.3
The Masking ................................................................................................................. 25
3.3
4
How to decode data from a QR-Code ................................................................................... 28
3.3.1
Information finding ....................................................................................................... 29
3.3.2
The Demasking ............................................................................................................. 30
3.3.3
The Matrix Decoding .................................................................................................... 32
QR-Code Security ......................................................................................................................... 37
4.1
Attacking Human Interactions .............................................................................................. 37
4.1.1
Phisihing and Pharming ................................................................................................ 37
How to manipulate a QR-Code
Page 4 of 56
4.1.2
Fraud ............................................................................................................................ 37
4.1.3
Attacking Reader Software ........................................................................................... 38
4.1.4
Social Engineering Attacks ............................................................................................ 38
4.2
5
Attacking Automated Processes ........................................................................................... 38
4.2.1
SQL injection ................................................................................................................. 39
4.2.2
Command injection ...................................................................................................... 40
Manipulation of a QR-Code .......................................................................................................... 41
5.1
Step 1: The Generation ......................................................................................................... 41
5.2
Step 2: Find the important points ......................................................................................... 42
5.3
Step 3: The manipulation...................................................................................................... 44
5.3.1
5.4
What can be manipulated? ........................................................................................... 46
Step4: Inserting the picture .................................................................................................. 47
5.4.1
How visible can a picture be? ....................................................................................... 48
5.5
Step5: The Front-End ............................................................................................................ 50
5.6
Improvement Suggestions .................................................................................................... 52
6
Conclusion .................................................................................................................................... 53
7
References .................................................................................................................................... 54
8
List of figures ................................................................................................................................ 55
How to manipulate a QR-Code
Page 5 of 56
1 Introduction
The QR-Code (“Quick Response Code”), an invention of a Japanese company, has gained lots of
popularity in the last years. Back in the days, when the QR-Code was developed, it was only for the
automotive industry, for getting the material information faster, by scanning the QR-Code. Nowadays
the QR-Code is used for more than just getting material information. It is used for marketing
purposes or data transferring. Companies use them on business cards to give an easy access to their
phone number for the smartphone users, for example.
More and more companies find that the usual black and white QR-Code is boring and may not fit in
their marketing campaign. The QR-Code is then pushed to the corner of a poster, just to have it on it.
To draw attention to the QR-Code a QR-Code Generator can be used, where the QR-Code is
beautified with an image as background. It is also possible to just change the colour of the QR-Code,
if this is the problem for not giving attention to the QR-Code. The following video link shows the QRCode named Sam, who is sad, because he is pushed in a corner on a campaign poster. Watch the
video and see how happy he is, when he is integrated in the campaign poster where everyone can
see him:
http://www.bluhmsysteme.com/blog/von-sam-dem-hsslichen-qrcode/
The next articles are about the QR-Code in general, how the QR-Code works and how to create a QRCode with an image.
How to manipulate a QR-Code
Page 6 of 56
2 What is a QR-Code?
2.1 History
The QR-Code or Quick Response Code was developed by the Japanese company Denso Wave and
was released in 1994. Denso Wave is the affiliated company of Denso and develops identification
systems and devices for mobile data collection. The motivation for creating the QR-Code was the
request of barcode users. They wanted to save Kanji and Kana characters as well as alphanumeric
ones.
“The greatest challenge for the team was how to make reading their code as fast as possible. ”
(DENSO WAVE INCORPORATED, w.Y) To solve this problem Masahiro Hara, one of the
developers, decided to use positional pattern. This positional pattern should indicate that there is a
code to read. These patterns are the squares in the corners of the QR-Code. They used squares,
because they are least likely to appear in business marks. The positional pattern need to be unique,
so that the reader cannot mistake a similar-looking shape nearby the code.
When the QR-Code was released in 1994, the QR-Code was adopted by the automotive industry
Toyota to tag assemblies and components. It became popular outside the company, because of its
fast readability and great storage capacity. This is why the company decided to make it publicly
available. Nowadays the Code is used in different types of business like Manufacturing, Warehouse,
Retail Sales, Services (Events) or even in the Medical sector. They use it for Dispensing, Traceability,
Data Entry or Process Management. (cf. DENSO WAVE INCORPORATED, w.Y)
2.2 Structure
The QR-Code is a type of a matrix barcode or two-dimensional barcode. Compared to that a usual bar
code is a linear bar code.
The difference is that in a two-dimensional barcode, the data is saved horizontally and vertically. In a
linear bar code, the data is only saved horizontally as you can see in Figure 1: Information holding .
(cf. DENSO WAVE INCORPORATED, 2012)
How to manipulate a QR-Code
Page 7 of 56
Figure 1: Information holding (DENSO WAVE INCORPORATED, 2012)
When it comes to the amount of saving information, the difference is very big. While a usual bar
code is capable of saving up to 20 digits, a QR-Code can store up to 700 times more. This is possible
as the QR-Code uses four different standardized encoding modes, which are numeric, alphanumeric,
byte / binary, and kanji to store data. The amount of data which can be stored depends on the mode.
Modes
Data capacity
Numeric only
Max. 7,089 characters
Alphanumeric
Max. 4,296 characters
Binary (8 bits)
Max. 2,953 bytes
Kanji, full-width Kana
Max. 1,817 characters
Table 1: QR-Code Data capacity
The QR-Code has so called function patterns, which you can see in Figure 2: Function Pattern
(Carolyn Eby, 2013). These shapes are necessary to be placed in a specific area on the QR-Code to
ensure that the QR-Code Reader correctly identifies and orient the QR-Code for decoding. These
function patterns consist of the three Finder Patterns in the top left, top right and bottom left corner,
the Separators beside and under the Finder Pattern, the Alignment Pattern on the right bottom area,
the Timing Pattern between the Finder Pattern and the Dark Module, which is always placed beside
the bottom left Finder Pattern.
How to manipulate a QR-Code
Page 8 of 56
Figure 2: Function Pattern (Carolyn Eby, 2013)
Figure 3: QR-Code Structure (Wikipedia, 2014) shows the whole structure of the QR-Code. There are
the version and format information and the data and error correction keys marked, which are
described in points 1.2.5 - 1.2.7. The Quite zone is also necessary, because with this zone the QRCode Scanner knows where the QR-Code starts and ends. It is standardized that the quiet zone must
be at least four modules on each side. This was established as an ISO standard (ISO no. 18004) in
June 2000. Nowadays there is already a new ISO standard established in 2006.
Figure 3: QR-Code Structure (Wikipedia, 2014)
2.2.1 The Finder Pattern
The Finder Pattern or Position Detection Pattern allows the high speed and 360 degree reading of the
QR-Code. They are located in the three corners of the code and are unlikely to appear anywhere else
in the QR-Code.
How to manipulate a QR-Code
Page 9 of 56
As you can see in Figure 4 the Finder Pattern consists of a seven by seven dark modules square, a five
by five light modules square and a three by three dark modules square.
Figure 4: Finder Pattern (Carolyn Eby, 2013)
The module widths of the pattern has a 1:1:3:1:1 ratio. This means that there is one dark module,
one light module, three dark modules and again one light and one dark module. The QR-Code
Scanner looks for this ratio to find and orient the QR-Code for decoding. The patterns are always
found in the corners, no matter which size the QR-Code has or which version it is. (cf. Eby, 2013)
2.2.2 The Separators
The separators are for separating the finder patterns from the rest of the QR-Code. They have a
width of one light module, which are placed beside the edges of the pattern and touch the inside of
the code.
Figure 5: Separators (Carolyn Eby, 2013)
How to manipulate a QR-Code
Page 10 of 56
2.2.3 The Alignment Pattern
The alignment pattern is a smaller version of the Finder Pattern, as shown in Figure 6: Alignment
Pattern (Carolyn Eby, 2013) and only shows up in a version 2 QR-Code or in the QR-Code 2005. It has
a five by five dark modules box, a three by three light module box and a single module in the middle
(1:1:1:1:1 ratio).
Figure 6: Alignment Pattern (Carolyn Eby, 2013)
As shown in Figure 8: Correct placement of the alignment pattern (Carolyn Eby, 2013) the dark
module of the alignment pattern must be under the dark modules of the right top Finder Pattern and
the dark modules of the left bottom Finder Pattern. Where the virtual lines (in Figure 8: Correct
placement of the alignment pattern (Carolyn Eby, 2013) the red ones) cut across, the dark module of
the alignment pattern must be set.
It is very important that the alignment pattern must not overlap the Finder Patterns or separators in
any way, as shown in Figure 7: Incorrect placement of the alignment pattern (Carolyn Eby, 2013)
Because of the alignment pattern, it is possible to rotate the QR-Code. It always shows the bottom
right corner of the QR-Code and allows the scanner to determine the image and undo the rotation.
Figure 7: Incorrect placement of the alignment pattern (Carolyn Eby, 2013)
How to manipulate a QR-Code
Page 11 of 56
Figure 8: Correct placement of the alignment pattern (Carolyn Eby, 2013)
How to manipulate a QR-Code
Page 12 of 56
2.2.4 The Timing Pattern
The timing pattern does not contain any data. It is only for finding the position of each cell.
In the QR-Code it is placed between the Finder Patterns as you can see in Figure 9: Timing Pattern
(Carolyn Eby, 2013). The timing pattern consist alternately dark and light modules and connects the
three patterns. It always starts and ends with a dark one.
Figure 9: Timing Pattern (Carolyn Eby, 2013)
2.2.5 The Version
The version information can be found beside the top right separator and over the bottom separator.
There are 40 different versions. Together with the four different error correction level and the eight
possible masks, it is theoretically possible to create 1280 different QR-Codes with the same data. The
version combined with the error correction level leads to the size of the matrix.
2.2.6 The Format
The format information are placed beside the right separator of the bottom Finder Pattern and under
the separator of the right top Finder Pattern. This information consists of one fix module, the
information about the error correction level and the chosen masking pattern. More information
about the masking pattern is given in “How does a QR-Code work”.
How to manipulate a QR-Code
Page 13 of 56
2.2.7 Error Correction Feature
Because of the fact that the QR-Code is used in different environments, where the Code can become
a bit dirty, the error correction feature was implemented. The error correction is, as the name says,
for correcting errors. This means: If parts of the QR-Codes are destroyed for some reason, for
example it was not printed correctly or there is a bit of it missing, this feature can correct it. How this
feature works will be described later.
The QR-Code offers four different correction levels:
Error Correction Level
Degree of Damage in %
L
7
M
15
Q
25
H
30
These levels define the degree of damage, which means that 100% minus the error correction level
degree of damage of the QR-Code must be undamaged.
Example:
A QR-Code with a correction level L has a degree of damage of 7%. This level is very low, which mean
that 93% of the QR-Code must be intact. In Figure 10: Damaged QR-Code the Code is unreadable, as
the damage is too high for the correction level.
Figure 10: Damaged QR-Code (Lenk, 2012)
How to manipulate a QR-Code
Page 14 of 56
The usage of the different error correction levels are different. When to use which one is shown in
the table below.
Level
Usage
L
Perfect for a small amount of data and if the
code quality is good or very good.
M
Conform the standard and is the best
compromise between size and reliable
readability.
Q
If code quality is only satisfying this level has a
reliable readability
H
Has the highest readability, if the code quality is
bad.
The selection of the correction level is done by asking the following questions:
Is the expected code quality getting worse during the whole process?
No  L or M; Yes Q or H.
Is it important that the code is readable the first time?
Unimportant  L or M; Important  Q or H.
Is it possible to reread the code after not being able to read it the first time?
Yes  L or M; No  Q or H.
The two things that are important to keep in mind are:
1. The higher the level is, the bigger is the code.
2. Even with the highest error correction level it is not possible to offset the code if a bad
printer was used.
How to manipulate a QR-Code
Page 15 of 56
Reed Solomon
Reed Solomon (RS) is an error correction algorithm, which can find errors and correct them up to a
certain degree. It is used in different processes in the communication technology to check if the data
transfer is complete and correct. The Reed Solomon calculation is based on a polynomial with
coordinates. “Polynomial terms have variables which are raised to whole-number exponents”
(Stapel, 2013)
Because of the polynomial it is possible to recover the original message by restoring the incorrect or
missing coordinates. As the errors come up while transferring the data, the Reed Solomon algorithm
works on the side of the receiver.
Figure 11: Operating principle of the Reed Solomon algorithm (Lenk, 2012)
Figure 11: Operating principle of the Reed Solomon algorithm describes how the error correction
algorithm works. It starts with the data source, which is given to the Reed Solomon Encoder. The
Encoder takes a data package of the source and adds according to the Reed Solomon polynomial the
so called redundancy bits. While transferring the data errors can occur because of outside influences.
After receiving the data the Reed Solomon Decoder calculates the data blocks and scans the data for
incorrect data. If the decoder finds an error it uses the correction to restore the original data and
gives it to the Data sink.
As mentioned before, the Encoder takes a data package and adds redundancy bits. To do that the
Encoder builds so called RS-Code words. The Reed Solomon algorithm is a child of the BoseChaudhuri-Hocquenghem (BCH) Algorithm. This BCH-algorithm is for one-dimensional code blocks
and allows a correction of destroyed data up to 25%.
How to manipulate a QR-Code
Page 16 of 56
The Reed Solomon works with the RS ( n, k ) principle, where k stands for one data sign, which is built
of s Bits plus the parity sign to generate n Code words. This results in the following formula:
2t = n - k
The result t says how many errors the Decoder can correct in one Code word. To get t divide 2t by 2.
Example of a well-known Reed Solomon algorithm with 8 Bit signs:
The version for this example is RS ( 255, 223 ). There each Code word has 255 Code word bytes,
where 223 bytes are in the data and 32 bytes in the parity. Looking to the formula above and
remembering that RS ( n, k ) principle the calculation looks as follow:
n = 255
2t = 255 – 233
t = 32 : 2
k = 233
2t = 32
t = 16
s = 8 (8 bit / sign)
In this case, the Decoder is able to correct 16 errors in one Code word.
In the next two figures the QR-Code with and without exhaustion is shown.
Figure 12: QR-Code without exhaustion of Reed Solomon (Lenk, 2012)
Figure 13: QR-Code with 10% exhaustion of Reed Solomon (Lenk, 2012)
How to manipulate a QR-Code
Page 17 of 56
3 How does a QR-Code work
3.1 Which information can be saved?
At the beginning of the QR-Code it was possible to save text. Then it became standard to be able to
save URL, vCard, Phone number and SMS message. Nowadays it is possible to save:

Facebook

Youtube

Business page

Follow on Twitter

Text

Twitter tweet

URL

Email

vCard

Application Url for Google Play or App

Phone number

SMS message

Rich Text

Cupon

Youku
Store
3.2 How to encode data for a QR-Code
Three steps need to be done to save data in the QR-Code. The first step is to encode the data to code
words. The second one is to put the code words on the QR-Code matrix. After putting the data on the
matrix the format and version information are added. To finish the final printable QR-Code a mask
must be laid over it. These three steps are described in the following articles with the example
“Encoding numbers” from Bernhard Lenk.
Example: Encoding number
Data:
01234567
Number of digits:
8
01234567 = 8 digits
Matrix size:
Version 1  26 Code words
This means that depending on the error correction level 17 to 43
numbers can be encoded.
Error correction level:
M
16 Data Code Words (DCW) + 10 Error Correction Code Words (ECCW)
Numeric:
0001
Operating mode:
Terminator (0000)
How to manipulate a QR-Code
Page 18 of 56
3.2.1 Data and Error Correction Code Words
In this step the code words for encoding are created.
Firstly, the data 01234567 is split into groups of three:
012D, 345D, 67D
Secondly, 012D and 345D are converted into 10-bits binary code words and 67D is converted into a
7-bit binary code word:
Decimal
Binary
012
0000001100
345
0101011001
67
1000011
Convert decimal to binary
Figure 14: Convert decimal to binary
The decimal number is calculated modulo with two. This means it calculates the remainder until the
decimal number is zero. After calculating it the remainder is looked up from the bottom to the top.
As the binary must be 10-bits in this example, the rest of the bits is filled up with zeros.
How to manipulate a QR-Code
Page 19 of 56
In Figure 14: Convert decimal to binary all three groups are converted. The second one has a one at
the end, but is not given in the final binary number. This is because of the 10-bits. It cuts off the first
number as the number is read from right to left.
After converting the numbers, the number of digits is filled up to get a 10-bit code word as shown in
Figure 15: Conversion of the number of digits.
Figure 15: Conversion of the number of digits
When the conversion of the number of digits is finished, the Numeric, the number of digits, the data
and the terminator are chained up, as followed:
0001
0000001000
0000001100
Numeric
Number of digits
0101011001
1000011
Data
0000
Terminator
After linking the binary values, the chain,
000100000010000000001100010101100110000110000
, is split up into 8-bit groups. Started from left to right it is obvious, that there are missing bits for the
8-bit group in the end. To solve this problem three 0 are added at the end of the number.
00010000
00100000
00001100
01010110
01100001
10000000
Currently there were six code words generated. These code words must be replenished with ten
other code words, as 16 data code words are needed. There are two filling code words, which are
filled in alternately, to reach this amount of code words.
How to manipulate a QR-Code
Page 20 of 56
Filling code words (FCW): 11101100 and 00010001
When the FCW are filled in ten times after the six code words, the data code words look like this:
00010000
00100000
00001100
01010110
01100001
10000000
11101100
00010001
11101100
00010001
11101100
00010001
11101100
00010001
11101100
00010001
Now that the 16 data code words are complete, the ten error correction code words are added.
The ECCW are calculated with the Reed-Solomon algorithm to ensure the data safety with a
maximum of 15% damage. The result of the algorithm:
10100101
00100100
11010100
11000001
11000111
10000111
00101100
01010101
11101101
00110110
In the end, all the code words are put together to get the following data for the matrix in the next
article:
00010000
00100000
00001100
01010110
01100001
10000000
11101100
00010001
11101100
00010001
11101100
00010001
11101100
00010001
11101100
00010001
10100101
00100100
11010100
11000001
11101101
00110110
11000111
10000111
00101100
01010101
3.2.2 The Matrix
When all the code words are generated, they are filled in the matrix. As shown in Figure 17: Encoding
path (Eby, 2013) the encoding starts in the right bottom corner. The 8-bit code words are encoded
from right to left. As the encoding path is going up and down, there is one scheme for upwards
encoding and one for downwards encoding. These two schemes are shown in Figure 16: Encoding
schemes (Lenk, 2012).
How to manipulate a QR-Code
Page 21 of 56
Code word
encoding
upwards
Code word
encoding
downwards
Figure 16: Encoding schemes (Lenk, 2012)
Figure 17: Encoding path (Eby, 2013)
Taking the first 8-bit code word of the example the encoding will look like the following:
00010000
Figure 18: Encoding of frist code word (Lenk, 2012)
How to manipulate a QR-Code
Page 22 of 56
The first code word is encoded with the upwards scheme, as it start with going up according to the
encoding path. Going from right to left from top to bottom:
0=0
1=0
2=0
3=0
4=1
5=0
6=0
7=0
The next two code words, 00100000 and 00001100, are encoded the same way:
0=0
1=0
0=0
1=0
2=0
3=0
2=1
3=1
4=0
5=0
4=1
5=0
6=1
7=0
6=0
7=0
After encoding these two code words the path is leading down. This is where the downwards
encoding is used. According to this the next code word, 01010110, would be encoded the following
way:
6=1
7=0
4=1
5=0
2=1
3=0
0=0
1=1
After the encoding the QR-Code should look like in Figure 19: Final encoded QR-Code without format
information (Lenk, 2012). This figure only shows the QR-Code after the encoding, but format and
version information must be placed on the QR-Code. As visible on the figure, there are some spaces
between the encoded data and the Finder Patterns. This is where the information are placed.
Figure 19: Final encoded QR-Code without format information (Lenk, 2012)
How to manipulate a QR-Code
Page 23 of 56
As written in the article The Format the format information is placed beside the separators. First, the
fix dark module is placed as shown in Figure 20: Setting the fix dark module .
Figure 20: Setting the fix dark module (Lenk, 2012)
After setting the fix dark module, the format information string is build. 5-bits of the string contain
the mask number and the error correction level. The other 10-bits contain the error correction
according to BCH for data backup.
In this case, the format string will look like the following:
ECL: M
00
Mask 2
010
BCH:
1001101110
Final String:
000101001101110
After creating the string, the mask number 2 is added with XOR. The mask for this is always
101010000010010
000101001101110
⊗ 101010000010010
Final String
101111001111100
After masking the string, it is placed on the matrix, as shown in Figure 21: Position of the format
string (Lenk, 2012).
How to manipulate a QR-Code
Page 24 of 56
Figure 21: Position of the format string (Lenk, 2012)
After setting all information, the QR-Code looks like in Figure 22: QR-Code before masking and The
Masking can start.
Figure 22: QR-Code before masking (Lenk, 2012)
3.2.3 The Masking
In the example before the data was encoded into code words and was put on the QR-Code. The same
was done with the error correction level code words and the format information. Now one of the
eight possible mask (000 – 111), which are shown in Figure 23 - Figure 29, must be chosen. The mask
prevents cell combinations that give accidentally a searching template. This would interfere with the
fast decoding of the QR-Code. The mask and the encoded code words are combined via EXCLUSIVE
OR (XOR).
How to manipulate a QR-Code
Page 25 of 56
XOR:
0⊗0=0
1⨂0=1
0⨂1=1
1⨂1=0
Figure 23: Mask 0 (Lenk, 2012)
Figure 24: Mask 1 (Lenk, 2012)
Figure 25: Mask 2 (Lenk, 2012)
Figure 26: Mask 3 (Lenk, 2012)
How to manipulate a QR-Code
Page 26 of 56
Figure 27: Mask 4 (Lenk, 2012)
Figure 28: Mask 5 (Lenk, 2012)
Figure 29: Mask 6 (Lenk, 2012)
Figure 30: Mask 7 (Lenk, 2012)
Figure 31: Masking example (self-made)
In Figure 31: Masking example (self-made) the process with the third mask is pictured.
Take one pixel of the encoded QR-Code and the same pixel of the mask. Leaving the space of the
How to manipulate a QR-Code
Page 27 of 56
format and version information unmasked, going from left to right, the encoded first top left module
is light (0) and the mask module is dark (1) in this case. This means that in the final QR-Code this
module becomes dark. Looking on the next module, the encoded is light (0) and the mask one is light
(0) too. As it is compared with XOR we take the light one. After masking the QR-Code the format and
version information are filled in. This information have their own rules how the dark and light
modules are placed. The information modules are taken from the encoded Code and are put on the
same place on the finished QR-Code. After doing that the quite zone, which must be at least four
modules on each side, is laid around the QR-Code. The final and ready to print QR-Code is shown in
Figure 32: Finished QR-Code (Lenk, 2012).
Figure 32: Finished QR-Code (Lenk, 2012)
3.3 How to decode data from a QR-Code
The decoding process is as complex as the encoding process. The user do not realise this process,
except there are many data to decode. The amount of data does not make the decoding process
slow, but finding the data is difficult. The bigger the picture the more difficult it is to find the code for
the decoder. Compared to a picture the QR-Code has the advantage, as the Code can be found very
fast because of the search patterns.
How to decode a QR-Code will be explained in the following articles with an example from Bernhard
Lenk.
How to manipulate a QR-Code
Page 28 of 56
3.3.1 Information finding
When the decoding starts, the decoder has the printable QR-Code, like the left one in Figure 33:
Matrix determination (Lenk, 2012). Now the first step is to determinate the matrix size. This is very
easy because of the spaces between the search patterns. In this example is about a 21 by 21 cells QRCode 2005 version 01 matrix.
Figure 33: Matrix determination (Lenk, 2012)
In the second step, it is necessary to find the format information. As described in The Format the
format information are placed beside the right separator of the bottom Finder Pattern and under the
separator of the right top Finder Pattern. In the format information, the error correction level and
the used mask are encoded. In Figure 34: Analysis of the format information (Lenk, 2012) the 15-Bit
format information is analysed (first: left bottom, from bottom to top: 1011011 second: right top,
from left to right: 01001011)
Figure 34: Analysis of the format information (Lenk, 2012)
After analysing the format information, the result is combined with the decoding mask
101010000010010. This mask is always the same and is also used for the encoding.
101101101001011
⊗ 101010000010010
Unmasked Bit sequence
How to manipulate a QR-Code
000111101011101
Page 29 of 56
From this unmasked Bit sequence only the first five bits are important. The other bits are only for
data backup. Looking on the first five bits (00011) the first two contain the error correction level (00)
and the last three contain the mask (011). The error correction level 00 is the error correction level
“M”. The mask 011 is mask number 3, which can be compared in article The Masking.
3.3.2 The Demasking
The next Step is to remove the mask from the printable QR-Code to get the original one. The mask is
removed with the XOR operation. To do that a short table is needed. This table contains the possible
results out of an XOR operation.
Printable Code
Mask
Original Code
0
0
0
1
1
0
1
0
1
0
1
1
Figure 35: Printable Code and mask (Lenk, 2012)
How to manipulate a QR-Code
Page 30 of 56
Original Code
Printable Code
Mask
Figure 36: Removing mask, first line (Lenk, 2012)
In Figure 36: Removing mask, first line (Lenk, 2012) the first line of the mask and the QR-Code are
taken. The number of the mask was in the format information, which were decoded in the step
before. In this case the mask number is number three. The mask will be removed from the left
marked module to the right one. To do that the first module from the printable code is taken and the
first module from the mask is taken.
As shown in the figure the printable module is black and the mask module is black. This means,
looking at the XOR table mentioned before, 1 ⨂ 1 = 0. This means that the first module in the first
line of the original QR-Code is 0 and therefore white. Looking at the next module the printable
module is white and the mask module is white. Both are 0 and so is the module in the original code.
The next module is in this case the same as the one before. The last module in the printable code is
white and the one in the mask is black. Looking again at the XOR table 0 ⊗ 1 = 0 and therefore the
last module in the first line of the original code is 0 and therefore white.
After removing the mask the format information are removed too. The final original QR-Code is
shown in Figure 37: Original Code without mask and without format information
How to manipulate a QR-Code
Page 31 of 56
Figure 37: Original Code without mask and without format information
3.3.3 The Matrix Decoding
In step three, the data code words are extracted. To do that it is important to know, how many code
words are on the matrix. In this example, the matrix contains 26 code words - Ten code words for the
error correction level M and 16 data code words, as shown in Figure 38: Code words for data
extraction (Lenk, 2012).
Figure 38: Code words for data extraction (Lenk, 2012)
Decoding the code words works the same way as encoding them. The same scheme (Figure 16:
Encoding schemes (Lenk, 2012)) is used for that. The decoding path is the same as the encoding path
(Figure 17: Encoding path (Eby, 2013)). According to the path the first code word is encoded upwards
and so it is decoded. The first code word of the QR-Code in Figure 39: QR-Code with data code words
(Lenk, 2012) will look like this:
How to manipulate a QR-Code
0=0
1=0
2=0
3=0
4=0
5=1
6=0
7=0
Page 32 of 56
Figure 39: QR-Code with data code words (Lenk, 2012)
After decoding all the 16 data code words, the final binary data string looks like the following:
00100000 10100010 01010011 10100100 01101111 01011000 01110001 00100100 00000011
11000001 01001100 01011111 01000101 00101011 10001001 11100000
How to manipulate a QR-Code
Code word
Binary data string
D1
00100000
D2
10100010
D3
01010011
D4
10100100
D5
01101111
D6
01011000
D7
01110001
D8
00100100
D9
00000011
D10
11000001
D11
01001100
D12
01011111
D13
01000101
D14
00101011
D15
10001001
D16
11100000
Page 33 of 56
When all data code words are decoded, the error correction code words are decoded the same way.
The following table shows these data code words and the final binary string.
Code word
Binary data string
F1
11111110
F2
00111011
F3
01000000
F4
01011000
F5
11101100
F6
11010000
F7
00100010
F8
11011011
F9
11101010
F10
10001110
11111110 00111011 01000000 01011000 11101100 11010000 00100010 11011011 11101010
10001110
The data code words together with the error correction code words are all 26 code words. Now the
binary string is converted into the alphanumeric data. The first four bits from the left side of the
whole string determine the mode (Table 1: QR-Code Data capacity). The next nine bits define the
number of alphanumeric characters in the QR-Code. In this example, 20 characters are encoded. As
in this example the encoded data is alphanumeric eleven bits were used to encode two characters
and so is it for the decoding. The next eleven bits contain the first two alphanumeric characters.
How to convert binary to decimal is described later in this article. After converting the first bits, the
decimal number is 595D. To encode the alphanumeric data the first character is multiplied by 45 and
the second is added to the result. To decode it 45 divide the decimal number with remainder. The
quotient of this division is the first character and the remainder is the second one. These numbers
are looked up in Table 2: Decimal - Alphanumeric character list (Eby, 2013).
How to manipulate a QR-Code
Page 34 of 56
For example taking the first eleven bits the first character is 13 and the second is 10:
01001010011B = 595D
595
:
45
=
13
145
Remainder:
10
Bits
Decimal
Characters
Final Characters
01001010011
595
13 , 10
D,A
10100100011
1315
29, 10
T,A
01111001001
969
21, 24
L,O
01011100010
738
16, 18
G,I
01001000000
576
12, 36
C , (space)
00111100000
480
10, 30
A,U
10100110001
1359
29, 24
T,O
01111101000
1000
22, 10
M,A
10100101011
1323
29, 18
T,I
10001001111
1103
24, 23
O, N
00000
Filling characters
When all characters are calculated and every number is looked up in the table the original data
before the encoding is DATALOGIC AUTOMATION.
How to manipulate a QR-Code
Page 35 of 56
Character Decimal
Character Decimal
Character Decimal
0
0
F
15
U
30
1
1
G
16
V
31
2
2
H
17
W
32
3
3
I
18
X
33
4
4
J
19
Y
34
5
5
K
20
Z
35
6
6
L
21
7
7
M
22
$
37
8
8
N
23
%
38
9
9
O
24
*
39
A
10
P
25
+
40
B
11
Q
26
-
41
C
12
R
27
.
42
D
13
S
28
/
43
E
14
T
29
:
44
36 (space)
Table 2: Decimal - Alphanumeric character list (Eby, 2013)
Convert binary to decimal
For converting decimal to binary modulo is used. For converting binary to decimal, the
exponentiation is needed. To explain it easier the third eleven-Bit row (01111001001) from the
example above will be used. The number two and an exponentiation number will multiply every Bit.
The exponentiation number starts with zero and goes further with one, two, three and so on, until the
end of the Bit-String is reached. At the end, all the numbers are added together. The Bit-String is
calculated from right to left.
0*210 + 1*29 + 1*28 + 1*27 + 1*26 + 0*25 + 0*24 + 1*23 + 0*22 + 0*21 + 1*20 = 969
How to manipulate a QR-Code
Page 36 of 56
4 QR-Code Security
Computers are possible to hack, websites can be hacked and so can QR-Codes. QR-Code users may
think, that the codes are not easy to hack or to change, as they are printed on paper. However, even
QR-Codes can be maliciously manipulated. What people may forget is that computers use QR-Codes
and computers are the targets for the attackers. QR-Codes are mostly used to transport the website
link easy to mobile phone users and the link is an easy target for attacks. They change for example
the link to a fake website to get bank information. More about these attacks is described in the next
articles. One important thing to know is that it takes a lot of time to fake an existing QR-Code, but
compared to the amount of money the attackers may get, it is worth the time.
4.1 Attacking Human Interactions
For humans it is impossible to make out if a QR-Code is maliciously manipulated or not, as they
cannot read the encoded data without a QR-Code Reader. By reading the maliciously manipulated
data the browser or the reader software might get triggered. Attackers want to get for example the
banking information of the QR-Code user or harm a company by making a contract in their name and
never fulfill it. There are many more attacks. A few of them are described next. (cf. Kieseberg, et al.,
w.Y)
4.1.1 Phisihing and Pharming
Most times the QR-Code is used for links to a website. Attackers then set up a fake website, which
looks the same as the original. Humans cannot tell, if the link is modified or not. This attack is mostly
used on websites, where any form of credentials is needed. (cf. Kieseberg, et al., w.Y)
4.1.2 Fraud
QR-Codes are also used for advertisement and if hackers can clone a website and redirect the user to
it, they can redirect the user to a faked advertisement too. The danger of this attack is, that the
attacker make contracts without fulfilling the conditions, which can harm the company, which uses
the QR-Code for it. (cf. Kieseberg, et al., w.Y)
How to manipulate a QR-Code
Page 37 of 56
4.1.3 Attacking Reader Software
The Reader Software on a smartphone or on a computer may be attacked with a command injection.
Hereby the attacker gains control over the system and can read all communication information on a
smartphone like contacts, emails or SMS. No matter if the attacker gains control of a smartphone
system or of a personal computer system, it is possible that he/she may get control of further
computer systems in the network or outside the network; via sending an E-Mail for example. (cf.
Kieseberg, et al., w.Y)
4.1.4 Social Engineering Attacks
Social Engineering Attacks do not harm computers, but their users. The user is responsible for what
he/she uses and installs. These attacks enable more specific attack variants like spear phishing or
other social engineering attacks, depending on the goal of the attacker. For example an attacker may
place a QR-Code poster on the parking lot of a well-known company, with a discount offer for a
nearby restaurant. An employee scans the QR-Code and maybe needs to enter a mail address and
other personal data. The attacker can now send a virus via mail or can do whatever he/she wants to
do with the data. (cf. Kieseberg, et al., w.Y)
4.2 Attacking Automated Processes
While humans might fall for phishing attacks, automated readers are most likely vulnerable to SQL
injections and command injections. According to the paper, QR Code Security from the SBA Research,
software developer may not treat the encoded data of a QR-Code as possibly insecure input.
Companies that use the QR-Codes for logistics, in fully automated assembly lines or for public
transportation are especially affected from SQL or command injections. What these two injections do
will be described now. (cf. Kieseberg, et al., w.Y)
How to manipulate a QR-Code
Page 38 of 56
4.2.1 SQL injection
SQL injection means, that unauthorized users can delete or change a database or add a new
superuser. This happens mostly on websites, where the developer do not think of this possibility.
Mostly the website contains a login page, where the user has to pass his username and password.
There it is easy to pass a SQL command after the username; separated with a semicolon. For
example:
Figure 40: Login field (self-made) shows a usual login field for a Blog, which was created in the second
semester of my studies. A user without the intention to do harm to the owner of the page will fill in
the form like shown in
Figure 41: Usually filled in login (self-made). Someone who
want to harm the page owner will fill in the form like in Figure 42: SQL injection login (self-made). In
the Login field stands the following:
katrin;"UPDATE usertable SET pwd='hehehe' WHERE uid='' or uid like '%admin%';"
This SQL statement after the semicolon is for setting the admins password to ‘hehehe’.
Figure 40: Login field (self-made)
Figure 41: Usually filled in login (self-made)
Figure 42: SQL injection login (self-made)
This is just a harmless example. It is also possible to attack the operating system if there is no
prevention. This kind of injection happens, because the sent data is not validated correctly on the
server. Instead, it is filled in without checking if there is a SQL command or not. To prevent this kind
of injection it is necessary to check the data before calling a database command. There are several
How to manipulate a QR-Code
Page 39 of 56
possibilities to avoid such attacks, like never connect to the database as superuser and a second
possibility is to define the send input to the data type that is needed, like String or Integer.
4.2.2 Command injection
The Command injection is nearly doing the same as the SQL injection, but instead of attacking a
database this injection attacks the system. It uses UNIX commands like “cat” to get the information
of a file. This command is executed by the application, with all its privileges and environments, which
uses it. The attacker then uses this application as pseudo shell and accesses everything as an
authorized user. (cf. OWASP, 2012)
How to manipulate a QR-Code
Page 40 of 56
5 Manipulation of a QR-Code
This article is about the project work two “Creating a QR-Code Platform”. For the complete code look
at the attached CD. The Platform was to create QR-Codes with an image for marketing use. In the
following article the word manipulation will be used, but it does not mean to maliciously manipulate
the QR-Code. To create such a platform four steps are needed: the generation, finding the important
points, the manipulation and inserting the picture. What was done in these steps is described in the
next four sections.
5.1 Step 1: The Generation
There are many possibilities how to generate a QR-Code. On the internet many QR-Code generators
can be found. If someone, like me, wants to create his/her own generator platform there is the
possibility to use a JavaScript library to generate the QR-Code or to use a PHP library. As I needed to
insert a picture and to send it over HTTP, I found it was easier to use the open source PHP library
“phpqrcode” from Dominik Dzienia. I used Javascript too, but more about that in chapter 5.5 Step5:
The Front-End.
In Figure 43: QR-Code generation code (self-screenshot) is the generation function png. This function
generates the QR-Code and saves it as .png file.
Figure 43: QR-Code generation code (self-screenshot)
Parameters
String
$text
text string to encode
String
$outfile
(optional) output file name, if false outputs to browser with required
headers
Integer
$level
(optional) error correction level QR_ECLEVEL_L, QR_ECLEVEL_M,
QR_ECLEVEL_Q or QR_ECLEVEL_H
Integer
$size
(optional) pixel size, multiplier for each 'virtual' pixel
Integer
$margin
2013) (silent zone) in 'virtual' pixels
(optional)(doxygen,
code margin
Boolean
$saveandprint
(optional) if true code is outputed to browser and saved to file,
otherwise only saved to file. It is effective only if $outfile is specified.
How to manipulate a QR-Code
Page 41 of 56
In the project, the QR-Code was generated with the following parameter values:
QRcode::png($url, "qrcodes/test.png", $level, 9, 9);
Parameters
String
$text
($url) The URL the user enters in the input field.
String
$outfile
"qrcodes/test.png"
Integer
$level
($level) The level was defined with Q. As it worked best.
Integer
$size
9
Integer
$margin
9
Boolean
$saveandprint
Not necessary to define, as it is set false by default.
5.2 Step 2: Find the important points
In the second step it is important to find the points, where changes are not allowed. These points are
the Finder Patterns, the Separators and the Alignment Pattern. To find these it is necessary to load
the generated QR-Code.
Depending on the file type one of the following commands is used:
imagecreatefrompng (string $filename)
imagecreatefromjpeg (string $filename)
imagecreatefromgif (string $filename)
To find out where the Finder Patterns, the Separators and the Alignment Pattern are placed, I first
drew a QR-Code on a piece of squared paper (Figure 44: Drawn QR-Code Patterns). According to the
parameters, the QR-Code has 21 x 21 modules. This means that one Finder Pattern has seven times
seven modules. To find out how many pixel one module has, I put the QR-Code array with the
numbers 0 and 1 on the monitor.
How to manipulate a QR-Code
Page 42 of 56
Figure 44: Drawn QR-Code Patterns
After going through the array and drawing the dark and light pixels, it was clear, that one module is
nine times nine pixels and the Finder Pattern consists of seven times seven modules. I took one
square of the paper for nine times nine pixel. As described in the chapter The Finder Pattern the ratio
of the pattern is 1:1:3:1:1 (one dark, one light, three dark, one light, one dark). As the QR-Code
contains 21 x 21 modules, it is easy to find the other two Finder Patterns. The Alignment Pattern is
easy to find too, when knowing where to place it (cf. 2.2.3 The Alignment Pattern).
The next step after drawing is to generate an algorithm to find these patterns in the array of the
QR-Code image. In Figure 45: Algorithm for the modify template (self-made) it is obvious that the
function takes three arguments: $firstb, $lastb and $img. The first two arguments define the first and
last black pixel of the QR-Code and the $img defines the generated QR-Code as Array. The first and
last black pixel are calculated(cf. Code on the CD). The next line shows that there is an array named
“modifytemplate” created. This array is for creating a mask, to know which parts can be modified.
Next, two loops are created. The first loop is going through the rows (y-axis) and the second one is
going through the columns (x-axis). For each row another array is created, which will contain all
column values and will be pushed into the created “modifytemplate” array. In the columns loop the
important points are defined. To do that an if-construct is used. As known one Finder Pattern is
seven times seven modules big and one module has nine times nine pixe. Therefore the if-construct
for the top left Finder Pattern is:
If ( $x < 8 * 9 + $firstb[0] && $y < 8 * 9 + $firstb[0] )
The variable $firstb is an array and the first position defines the value of the x-axis. It is necessary to
add it, otherwise one pixel is missing at the end of the column and the Code becomes unreadable.
How to manipulate a QR-Code
Page 43 of 56
When this query is true, the value “-1” is pushed to the array of the y-axis. If no query is true, the
current value of the pixel is pushed to it.
After going through all pixel of the image array the $modifytemplate will be returned. This template
will be used in Step 3: The manipulation.
Figure 45: Algorithm for the modify template (self-made)
5.3 Step 3: The manipulation
In this step, the QR-Code is modified. The c in
Step 2: Find the important points created template is needed. The function modifyQR is used for the
modification and needs four parameters: $modifytemplate, $lastb, $firstb, $img. The
$modifytemplate is the one which was created before, $lastb and $firstb are the last and first black
pixel of the QR-Code and $img is the original QR-Code picture.
First a new image, called $dest, is created, which has the height and the width of the QR-Code
without the quiet-zone.
“imagecreatetruecolor() returns an image identifier representing a black image of the specified size.”
(The PHP Group, 2001-2014)
Next the QR-Code picture without the quiet-zone is copied on $dest. When this is done, the original
How to manipulate a QR-Code
Page 44 of 56
white (0) pixel have turned into 16777215 and the black (1) pixel have turned into 0. This happens,
because of the $dest, as it is created as a true colour picture.
After putting the QR-Code on the image, the $dest image background is turned transparent with:
imagecolortransparent($dest, imagecolorallocate($dest, 255, 255, 255));
“Returns a color identifier representing the color composed of the given RGB components.
imagecolorallocate() must be called to create each color that is to be used in the image represented
by image.” (The PHP Group, 2001-2014)
Before the pixel colour can be set, the alphablending must be disabled and the imagesavealpha
enabled to allow saving full alpha channel information when saving the QR-Code as PNG image.
When this is done, two loops are created. In these loops each pixel on the $dest is compared with
the pixel in the template. If the value of the pixel in the template is -1, another if-query checks if the
colour of the original pixel is 1 and then changes the next nine pixel (nine times nine is one module)
to white with a transparency. Otherwise, the colour is not changed.
If the value of the pixel is not -1, another if-construct follows, which is shown in Figure 47: IfConstruct for changing not important points. This if-construct checks the value of the original pixel. If
the pixel is white, the same code happens like described before. If it is black, a module like in Figure
46: Single modified black module should be created. Several if-queries are used to check if a module
is finished or not. To keep the position, the variable $count is used.
After modifying all pixel the new QR-Code is saved as .png and the image is inserted. I used .png,
because with the .jpg or .jpeg format the transparency will get lost.
Figure 46: Single modified black module
How to manipulate a QR-Code
Page 45 of 56
Figure 47: If-Construct for changing not important points
5.3.1 What can be manipulated?
This question is a good one. First, it is possible to manipulate everything from the generated QRCode. Maliciously it is possible to manipulate the mask, the data or to manipulate it by changing the
amount of dark and light modules. However, this is not what is expected in this chapter. The
manipulation is for beautifying the QR-Code. Now it is possible to change the colour and the
How to manipulate a QR-Code
Page 46 of 56
transparency of a QR-Code. This is also how I started my project work, by changing the colour and
getting to know the possible PHP commands.
Changing the colour of the Code is no problem, as long as the transparency and the contrast between
the “dark” (the foreground of the QR-Code) and “light” (the background of the QR-Code) modules is
big enough. The transparency I tried was 30%, 50%, 80%, 100%. I realised that it depends where the
transparency is set. If it is set on the background even the 100% worked, but if the transparency is
set on the foreground, the transparency started to make the Code unreadable at about 70%
(depending on the colour). The problem is that when the foreground, where the data is saved gets
invisible and the background does not have a dark enough colour, the QR-Code Reader cannot find
the modules.
This knowledge is important for creating a QR-Code with an image, as the image should be as visible
as possible.
5.4 Step4: Inserting the picture
The final step is inserting the picture. To do that the function putPicture (Figure 48: Function to insert
a picture (self-made)) is used. This function needs eight parameters: $filename, $img, $img2, $firstb,
$picx, $picy, $picw, $pich. $filename defines the name of the downloadable QR-Code. $img is the
original QR-Code and $img2 is the picture. $firstb defines the first black pixel, which we need, to
know where the QR-Code starts. More information will be given later. $picx, $picy, $picw and $pich
defines the position and size of the picture, which will be inserted.
The first two lines in the function create images. $img3 holds the modified QR-Code from before and
$dest1 is a new image with the size of the original QR-Code. This is why we need the first black pixel
of the QR-Code, as the $dest1 image has the size of the original image with the quiet-zone and
without knowing where the first black pixel should be, placing the QR-Code on the correct position is
difficult.
In the next step, the $dest1 image is filled with white, because otherwise, the image is black and the
QR-Code is not visible because of the transparency. After filling $dest1 the image is put on it with:
imagecopyresized($dest1, $img2, $picx+$firstb[0], $picy+$firstb[1],0 ,0, $picw, $pich,
imagesx($img2), imagesy($img2));.
How to manipulate a QR-Code
Page 47 of 56
“
bool imagecopyresized ( resource $dst_image , resource $src_image , int $dst_x , int $dst_y , int $src_x , int$src_y , int
$dst_w , int $dst_h , int $src_w , int $src_h )
imagecopyresized() copies a rectangular portion of one image to another image. dst_image is the
destination image, src_image is the source image identifier.
In other words, imagecopyresized() will take a rectangular area from src_image of width src_w and
height src_h at position (src_x,src_y) and place it in a rectangular area of dst_image of width dst_w
and height dst_h at position (dst_x,dst_y).” (The PHP Group, 2001-2014)
After placing the picture, the modified QR-Code is placed without resizing and $dest1 is saved as .png
again.
Figure 48: Function to insert a picture (self-made)
5.4.1 How visible can a picture be?
The visibility of the picture depends on the error correction level. If for example level L is used, the
information needs to be undamaged for 93 %. This makes it difficult to make a picture visible. With
level Q it is possible for the user to recognise the picture. To make the picture visible it is necessary
to choose a light colour like grey and make it transparent. The difficulty with the transparency is that
if it is too transparent, the QR-Code Reader cannot differ between the picture and the QR-Code and
cannot read the data. Figure 49: First visibility try (scan able) (self-made) shows a QR-Code which is
scan able. Here the colour light grey is used with an opacity of 70. Figure 50: Second visibility try
(scan able) (self-made) also shows a scan able QR-Code. This time I tried to create a small square with
less transparency than the inner small one. As my QR-Code Reader was not able to read the second
try, I decided to create a bigger square with less transparency in the middle of the module, which is
shown in Figure 51: Final visibility (self-made).
How to manipulate a QR-Code
Page 48 of 56
Figure 49: First visibility try (scan able) (self-made)
Figure 50: Second visibility try (scan able) (self-made)
Figure 51: Final visibility (self-made)
How to manipulate a QR-Code
Page 49 of 56
5.5 Step5: The Front-End
The last four steps were about the Code that happens in the background and the user cannot see.
This step is about the front end, the UI (user interface). The user interface is what the user really
sees, and where all inputs are done. The UI contains three steps. In step one the user needs to enter
an URL and a picture (Figure 52: Step1 of the UI).
After hitting the button “Create”, the data will be sent. To not create many html files, the data is sent
again to index.php, where the file createQR.php is included. With the flags “create”, “modify” or
“download” the file knows, what to do.
In this step, the server starts creating and modifying the QR-Code and uploading the picture. At the
same time, a JavaScript file is reading the value of the picture input field and saves it to the local
Storage, for further usage.
Figure 52: Step1 of the UI
When the server finished uploading the image and creating the QR-Code, a canvas with the picture
and the QR-Code is created. This is where the picture of the local Storage is needed. In this step, the
user can place the picture wherever he/she wants and can change the size. To do that the arrows of
the keyboard are used to change the position and the keys AWSD are used for the size. When the
user is satisfied with the position and the size of the picture, he/she hits the button “Modify”. This
action triggers an event inside the JavaScript file “createQRCode.js”. The function gets the position
and size of the image and the path of the image file.
When these information are ready, the data is sent again to index.php with the flag “modify”. The
PHP file then creates the QR-Code with the image and the quiet-zone and makes it available for the
download. The last step (Figure 54: Step3 of the UI) is to look at the final QR-Code and download it.
How to manipulate a QR-Code
Page 50 of 56
Figure 53: Step2 of the UI
Figure 54: Step3 of the UI
How to manipulate a QR-Code
Page 51 of 56
5.6 Improvement Suggestions
This platform is only a prototype and holds many possibilities for improvements. The current state
first creates the QR-Code, then calculates the position of the important points and after that it is
possible to move the image. The better way, as I saw it on http://www.visualead.com/, where it is
possible to try a QR-Code generator, is to place the QR-code on the image and not the other way.
Maybe the algorithm of finding the important point can be improved too. I also think that the
visibility of the image can be still improved, maybe by comparing the QR-Code pixel with the image
pixel and if the image pixel is darker, the QR-Code pixel is lighter. This may be possible, when the QRCode is placed on the image. Changing the transparency of the QR-Code pixel like in Figure 50:
Second visibility try (scan able) (self-made), is also an option, as I realised that it is readable too.
The design is also improvable like the selection of the Error Correction Level, as it is currently static
on “Q”. Currently it is also only possible to enter an URL, which can be improved, by giving the
possibility to use other information like text or E-Mail. As far as I saw in the PHP-library, it is possible
to generate at least a QR-Code with an E-Mail address.
How to manipulate a QR-Code
Page 52 of 56
6 Conclusion
This paper mainly focuses on how a QR-Code works and how to manipulate it. The first part is mainly
about how the QR-Code data is encoded and decoded and furthermore about the security features
used. It is important to know, that even printed QR-Codes are vulnerable and people still find a way
to attack it. The second part is about the project work two with the goal of manipulating a version
two QR-Code to make it more attractive for marketing purposes. This part of the paper also holds
suggestions for improvement, as it is only a prototype platform and not all the potential for
alteration was used. It can be said that when creating such a platform, it is necessary to try the QRCode with different QR-Code Reader. The prototype platform described in this paper was mainly
tested with the standard QR-Code reader for Windows Phone in combination with an HTC S8. During
testing it was already discovered that manipulated QR-Codes were not always readable with the
Windows application but other applications for Android and iOS did not experience these difficulties.
Overall it can be said that the QR-Code is a good way to transport and save information very fast in a
graphical way.
How to manipulate a QR-Code
Page 53 of 56
7 References
DENSO WAVE INCORPORATED, 2012. About 2D Code | QR Code.com. [Online]
Available at: http://archive.is/20120915040049/http://www.qrcode.com/en/aboutqr.html
[Accessed 01 February 2014].
DENSO WAVE INCORPORATED, w.Y. History of QR Code | QRcode.com | DENSO WAVE. [Online]
Available at: http://www.qrcode.com/en/history/
[Accessed 02 February 2014].
doxygen, 2013. PHP QrCode Liblary 2.0. [Online]
Available at: http://phpqrcode.sourceforge.net/docs/html/class_q_rcode.html
[Accessed 19 February 2014].
Eby, C., 2013. Thonky. [Online]
Available at: http://www.thonky.com/qr-code-tutorial/module-placement-matrix/
[Accessed 02 February 2014].
Kieseberg, P. et al., w.Y. QR Code Security, Vienna, Austria: SBA Research.
Legal Information Institute, w.Y.. Legal Information Institute. [Online]
Available at: http://www.law.cornell.edu/uscode/text/44/3542
[Accessed 01 April 2014].
Lenk, B., 2012. QR Code. 1. ed. Germany: Monika Lenk Fachbuchverlag.
OWASP, 2012. Command Injection - OWASP. [Online]
Available at: https://www.owasp.org/index.php/Command_Injection
[Accessed 18 April 2014].
Stapel, E., 2013. Polynomials: Definitions / Evaluation. [Online]
Available at: http://www.purplemath.com/modules/polydefs.htm
[Accessed 01 April 2014].
The PHP Group, 2001-2014. PHP: imagecolorallocate. [Online]
Available at: http://at2.php.net/manual/en/function.imagecolorallocate.php
[Accessed 24 April 2014].
The PHP Group, 2001-2014. PHP: imagecopyresized. [Online]
Available at: http://at1.php.net/manual/en/function.imagecopyresized.php
[Accessed 25 April 2014].
How to manipulate a QR-Code
Page 54 of 56
The PHP Group, 2001-2014. PHP: imagecreatetruecolor. [Online]
Available at: http://www.php.net/manual/en/function.imagecreatetruecolor.php
[Accessed 24 April 2014].
8 List of figures
Figure 1: Information holding (DENSO WAVE INCORPORATED, 2012) ................................................... 8
Figure 2: Function Patterns (Carolyn Eby, 2013) .................................................................................... 9
Figure 3: QR-Code Structure (Wikipedia, 2014) ..................................................................................... 9
Figure 4: Finder Pattern (Carolyn Eby, 2013) ........................................................................................ 10
Figure 5: Separators (Carolyn Eby, 2013) ............................................................................................. 10
Figure 6: Alignment Pattern (Carolyn Eby, 2013) ................................................................................. 11
Figure 7: Incorrect placement of the alignment pattern (Carolyn Eby, 2013) ...................................... 11
Figure 8: Correct placement of the alignment pattern (Carolyn Eby, 2013) ......................................... 12
Figure 9: Timing Patter (Carolyn Eby, 2013) ......................................................................................... 13
Figure 10: Damaged QR-Code (Lenk, 2012) .......................................................................................... 14
Figure 11: Operating principle of the Reed Solomon algorithm (Lenk, 2012) ...................................... 16
Figure 12: QR-Code without exhaustion of Reed Solomon (Lenk, 2012) .............................................. 17
Figure 13: QR-Code with 10% exhaustion of Reed Solomon (Lenk, 2012) ........................................... 17
Figure 14: Convert decimal to binary ................................................................................................... 19
Figure 15: Conversion of the number of digits ..................................................................................... 20
Figure 16: Encoding schemes (Lenk, 2012) ........................................................................................... 22
Figure 17: Encoding path (Eby, 2013) ................................................................................................... 22
Figure 18: Encoding of frist code word (Lenk, 2012) ............................................................................ 22
Figure 19: Final encoded QR-Code without format information (Lenk, 2012) ..................................... 23
Figure 20: Setting the fix dark module (Lenk, 2012) ............................................................................. 24
Figure 21: Position of the format string (Lenk, 2012) ........................................................................... 25
Figure 22: QR-Code before masking (Lenk, 2012) ................................................................................ 25
Figure 23: Mask 0 (Lenk, 2012)
Figure 24: Mask 1 (Lenk, 2012) ........................................................ 26
Figure 25: Mask 2 (Lenk, 2012)
Figure 26: Mask 3 (Lenk, 2012) ........................................................ 26
Figure 27: Mask 4 (Lenk, 2012)
Figure 28: Mask 5 (Lenk, 2012) ........................................................ 27
Figure 29: Mask 6 (Lenk, 2012)
Figure 30: Mask 7 (Lenk, 2012) ........................................................ 27
Figure 31: Masking example (self-made).............................................................................................. 27
Figure 32: Finished QR-Code (Lenk, 2012) ............................................................................................ 28
Figure 33: Matrix determination (Lenk, 2012)...................................................................................... 29
How to manipulate a QR-Code
Page 55 of 56
Figure 34: Analysis of the format information (Lenk, 2012) ................................................................. 29
Figure 35: Printable Code and mask (Lenk, 2012) ................................................................................ 30
Figure 36: Removing mask, first line (Lenk, 2012) ................................................................................ 31
Figure 37: Original Code without mask and without format information ............................................ 32
Figure 38: Code words for data extraction (Lenk, 2012) ...................................................................... 32
Figure 39: QR-Code with data code words (Lenk, 2012) ...................................................................... 33
Figure 40: Login field (self-made)
Figure 41: Usually filled in login (self-made).............................. 39
Figure 42: SQL injection login (self-made) ............................................................................................ 39
Figure 43: QR-Code generation code (self-screenshot) ........................................................................ 41
Figure 44: Drawn QR-Code Patterns..................................................................................................... 43
Figure 45: Algorithm for the modify template (self-made) .................................................................. 44
Figure 46: Single modified black module.............................................................................................. 45
Figure 47: If-Construct for changing non-important points .................................................................. 46
Figure 48: Function to insert a picture (self-made) .............................................................................. 48
Figure 49: First visibility try (scan able) (self-made) ............................................................................. 49
Figure 50: Second visibility try (scan able) (self-made) ........................................................................ 49
Figure 51: Final visibility (self-made) .................................................................................................... 49
Figure 52: Step1 of the UI ..................................................................................................................... 50
Figure 53: Step2 of the UI ..................................................................................................................... 51
Figure 54: Step3 of the UI ..................................................................................................................... 51
How to manipulate a QR-Code
Page 56 of 56

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz