A Brief Discussion on the Cracking and Cloning of M1 Cards (Water Cards, Meal Cards, Hot Water Cards, Access Control Cards, etc.) — Theoretical Knowledge Section
Declaration: The cracking of cards is solely for scientific research purposes and to discuss the necessity of data encryption upgrades.
This article is intended for technical research and learning exchange only; it must not be used for illegal purposes, or the consequences will be at your own risk!!!
Introduction
Recently, I have been studying microcontrollers and hardware-related knowledge (not my major, purely a personal hobby). I happened to see a post from a netizen about cracking school water cards. So I thought about researching (cracking) the security of the school's one-card system and documenting the process.
Note: The entire text is divided into six chapters; this article is the [Theoretical Knowledge Section], and I will continue to update it.
Due to the length of the text, I have [bolded the key parts].
- Overview
First, before cracking a card, it is necessary to understand the common types of cards available on the market, namely IC cards and ID cards.
- IC Card (Integrated Circuit Card), also known as a Smart Card or Microchip Card. Common IC cards include second-generation ID cards, mobile SIM cards, campus one-card systems, etc. They are divided into contactless IC cards and contact IC cards. In this article, the M1 card is a contactless IC card.
M1 Card
- ID Card (Identification Card), which is an identity recognition card. ID cards cannot have data written to them; they carry only a fixed ID number and have no confidentiality features.
Summary: ID cards are read-only, only recording the card number, and cannot be encrypted, hence low security; IC cards can be read and written, can be encrypted, and operations such as reading and writing data on IC cards require corresponding password authentication. Each block within the card has different password protection (which will be explained in detail later).
- Classification of IC Cards
As preparatory work, it is first necessary to confirm the type of card, as this relates to whether the card can be cracked.
Using a mobile app to view the card data is the most convenient method, provided that the phone supports NFC. Alternatively, you can use a PN532 or ACR122u card reader directly (the devices used for cracking later). A cruder method is to judge by the card's appearance (please search online for how; it will not be elaborated here), but this may not be accurate.
The card type can be determined through SAK, as shown in the figure below:
The red box contains the SAK information
(Use Mifare Classic Tool software to view; a download link will be provided at the end of the article)
Where:
SAK:08 is for M1 cards or S50 cards — usually crackable
SAK:18 is for S70K cards — usually crackable
SAK:20 is for CPU cards — cannot be cracked
SAK:28 is for CPU emulation cards — simulates the M1 card structure, with very few that can be cracked
The M1 card discussed in this article is fully named the NXP Mifare1 series card. It belongs to the contactless IC cards and is commonly used in one-card systems, public transport, etc. It is commonly available in card and keychain styles, as shown in the figure below:
Left is card style, right is keychain style
The capacity of the M1 card is typically 1KB (note that the unit here is bytes, not bits; when converted to bits, it should be 8Kb). Although the storage space is relatively small, the structure of the M1 card is still quite complex.
- Sectors and Blocks
The M1 card has a total of 16 sectors (sectors 0 to 15), each sector has 4 blocks (blocks 0 to 3), and each block can store 16 bytes of content. That is 16 (sectors) * 4 (blocks per sector) * 16 (bytes per block) = 1024 bytes = 8192 bits.
As shown in the figure below:
The 4th and 5th sectors of a blank M1 card
Among them, blocks 0, 1, and 2 are used to store data, and block 3 is used to store keys. As shown in the figure above, the block numbers are marked in red font. The keys are divided into Key A and Key B, with the control bits in between.
[The control bits determine the access permissions for that block; readers can refer to relevant materials for more information, which will not be elaborated here.]
For example, in sector 5, block 3: where "FF078069" is the control bit, and the keys A and B on either side are the same, namely "000000000000" (the M1 card used in this example is a blank card with no data or keys).
Typically, once you know block 3 of a sector, you know the access permissions for that whole sector (reading, writing data, etc.). At the same time, each sector of the M1 card can have different keys set.
Additionally, each M1 card has a unique serial number (UID), stored in sector 0, block 0. Within that block, the first 4 bytes are the card's UID, the 5th byte is a check byte, and the remaining data is vendor information. Normally this block cannot be modified (there are also cards on which it can be modified, which will be mentioned later).
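Added here as an illustration (not code from the original article): a small Python parser for the sector and block layout just described. It splits a sector trailer into Key A, control bytes and Key B, checks that the inverted copies inside the control bytes agree (a trailer written with an inconsistent encoding locks that sector for good), decodes the data-block permissions, and verifies the check byte of the UID in block 0. The sector and block contents are constructed, and the function names are my own.

```python
# Added example: parse a sector trailer and the manufacturer block of a
# MIFARE Classic 1K (M1) dump. All bytes below are constructed for illustration.
BLOCK_SIZE = 16

# Data-block access conditions indexed by (C1, C2, C3), per the MIFARE Classic datasheet.
DATA_BLOCK_RULES = {
    (0, 0, 0): "read A|B, write A|B, increment A|B, decrement A|B (transport)",
    (0, 1, 0): "read A|B, write never, increment never, decrement never",
    (1, 0, 0): "read A|B, write B, increment never, decrement never",
    (1, 1, 0): "read A|B, write B, increment B, decrement A|B",
    (0, 0, 1): "read A|B, write never, increment never, decrement A|B",
    (0, 1, 1): "read B, write B, increment never, decrement never",
    (1, 0, 1): "read B, write never, increment never, decrement never",
    (1, 1, 1): "read never, write never, increment never, decrement never",
}

def uid_bcc_ok(block0: bytes) -> bool:
    """Byte 4 of sector 0 block 0 is the check byte: XOR of the four UID bytes."""
    return (block0[0] ^ block0[1] ^ block0[2] ^ block0[3]) == block0[4]

def decode_access_bits(acc: bytes):
    """Return {block: (C1, C2, C3)} for the 4 blocks of a sector, or None if the
    inverted copies disagree. Byte 6 = ~C2|~C1, byte 7 = C1|~C3, byte 8 = C3|C2
    (high nibble|low nibble; bit n of each nibble belongs to block n)."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (c1 ^ (b6 & 0xF), c2 ^ (b6 >> 4), c3 ^ (b7 & 0xF)) != (0xF, 0xF, 0xF):
        return None  # inconsistent: writing such a trailer bricks the sector
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}

def describe_sector(sector: bytes) -> dict:
    """Split the trailer (block 3) into Key A, control bytes, Key B and decode it."""
    trailer = sector[3 * BLOCK_SIZE:4 * BLOCK_SIZE]
    key_a, acc, key_b = trailer[:6], trailer[6:10], trailer[10:]
    bits = decode_access_bits(acc)
    if bits is None:
        raise ValueError("access bits inconsistent: this trailer must never be written")
    return {
        "key_a": key_a.hex().upper(), "key_b": key_b.hex().upper(),
        "trailer_bits": bits[3],
        "data_blocks": {blk: DATA_BLOCK_RULES[bits[blk]] for blk in range(3)},
    }

# Constructed blank sector matching the article: keys 000000000000, control bytes FF078069.
BLANK_SECTOR = bytes(3 * BLOCK_SIZE) + bytes.fromhex("000000000000FF078069000000000000")
# Constructed manufacturer block: UID DEADBEEF, check byte 0x22 = XOR of the UID bytes.
BLOCK0 = bytes.fromhex("DEADBEEF22") + bytes(11)
```

On the blank sector above the trailer decodes to (0, 0, 1), the factory "transport configuration", and all three data blocks are readable and writable with either key.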
Therefore, to read and modify M1 card data, you must first obtain the keys for each sector, unless the card is unencrypted. The specific methods will be detailed later.
Thus, whether the M1 card key can be cracked is a key factor in cracking the entire card.