A Brief Discussion on the Cracking and Cloning of M1 Cards (Water Cards, Meal Cards, Hot Water Cards, Access Control Cards, etc.) — Theoretical Knowledge Section
Declaration: Cracking cards is solely for scientific research purposes and to discuss the necessity of data encryption upgrades.
This article is for technical research and learning exchange only; do not use it for illegal purposes, or you will bear the consequences!!!
Introduction
Recently, I have been studying microcontrollers and hardware-related knowledge (not my major, purely a personal hobby). I happened to see a post from a netizen about cracking the school's water card. So I thought about researching (cracking) the security of the school's one-card system and recording the process.
Note: The entire text is divided into six chapters; this article is the [Theoretical Knowledge Section], and I will continue to update it.
Due to the length, I have [bolded the key parts].
- Overview
First, before cracking the card, it is necessary to understand the common types of cards on the market today, namely IC cards and ID cards.
- IC Card (Integrated Circuit Card), also known as Smart Card or Microchip Card. Common IC cards include second-generation ID cards, mobile SIM cards, campus one-card systems, etc. They are divided into contactless IC cards and contact IC cards. In this article, the M1 card is a contactless IC card.
M1 Card
- ID Card (Identification Card), which is an identity recognition card. ID cards cannot be written to; they carry only a fixed ID number and have no confidentiality function.
Summary: ID cards are read-only, only recording the card number, cannot be encrypted, hence have low security; IC cards can be read and written, can be encrypted, and operations such as reading and writing IC card data require corresponding password authentication. Each block within the card has different password protection (which will be explained in detail later).
- Classification of IC Cards
As preparatory work, it is first necessary to confirm the type of card, which relates to whether the card can be cracked.
Using a mobile app to view card data is the most convenient way, provided the phone supports NFC. Alternatively, you can directly use a PN532 or ACR122u card reader (the devices used for cracking later). Of course, there is also a simple and direct method: judging by the card's appearance (methods can be found online and are not covered here), though this may not be accurate.
By checking the SAK, the type of card can be determined, as shown in the figure below:
The red box contains the SAK information
(Use Mifare Classic Tool software to view; a download link will be provided at the end)
Where:
SAK:08 is for M1 cards or S50 cards — usually can be cracked
SAK:18 is for S70K cards — usually can be cracked
SAK:20 is for CPU cards — cannot be cracked
SAK:28 is for CPU emulation cards — emulates M1 card structure, very few can be cracked
The M1 card mentioned in this article, fully named NXP Mifare1 series cards, belongs to the contactless IC card category, commonly used in one-card systems, public transport, etc. They are commonly available in card and keychain styles. As shown in the figure below:
Left is card style, right is keychain style
The capacity of the M1 card is typically 1KB (note that the unit here is bytes, not bits; in bits, it should be 8Kb). Although the storage space is relatively small, the structure of the M1 card is still quite complex.
- Sectors and Blocks
The M1 card has a total of 16 sectors (sectors 0~15), each sector has 4 blocks (blocks 0~3), and each block can store 16 bytes of content. That is 16 (sectors) * 4 (blocks per sector) * 16 (bytes per block) = 1024 bytes = 8192 bits.
As shown in the figure below:
The 4th and 5th sectors of a blank M1 card
Among them, the 0th, 1st, and 2nd blocks are used to store data, and the 3rd block is used to store keys. As shown in the figure above, the block numbers are marked in red font. The keys are divided into Key A and Key B, with the control bits in between.
[The control bits determine the access permissions for that block; readers can refer to relevant materials, and this article will not elaborate further]
For example, in sector 5, block 3: "FF078069" is the control bits, and the keys A and B on the left and right are the same, i.e., "000000000000" (the M1 card used in this example is a blank card with no data or keys).
Typically, as long as you know block 3 of a certain sector, you can master the control permissions for that sector (reading, writing data, etc.). At the same time, each sector of the M1 card can set different keys.
Additionally, each M1 card has a unique serial number (UID), stored in sector 0, block 0. Among them, the first 4 bytes are the card's UID, the 5th byte is the checksum, and the rest are manufacturer data, and this block cannot be modified (there are also modifiable cards, which will be mentioned later).
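The layout just described (16 sectors x 4 blocks x 16 bytes, block 3 as the key trailer, block 0 holding the UID and its checksum) can be parsed from a raw dump. The following is an added example, not code from the original post: it constructs a blank-card dump like the one in the figures, splits each trailer into Key A / control bits / Key B, checks that the control bits are internally consistent, and verifies the block-0 checksum (assumed here to be the XOR of the 4 UID bytes, as on standard M1 cards).

```python
# Added example (not from the original post): parse a 1 KB M1 card dump into the
# 16 x 4 x 16 layout described above and validate the block-0 checksum (BCC).
# The sample dump is constructed here as a blank card: all-zero keys, FF078069 trailer.

SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
CARD_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes = 8192 bits

# Blank-card trailer: Key A (6 bytes) | control bits (4 bytes) | Key B (6 bytes)
BLANK_TRAILER = bytes.fromhex("000000000000" "FF078069" "000000000000")

def build_blank_dump(uid: bytes) -> bytes:
    """Constructed sample data: a blank-card dump for the given 4-byte UID."""
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]        # 5th byte: checksum over the UID
    block0 = uid + bytes([bcc]) + bytes(11)        # remaining 11 bytes: manufacturer data
    blocks = [block0, bytes(BLOCK_SIZE), bytes(BLOCK_SIZE), BLANK_TRAILER]   # sector 0
    for _ in range(1, SECTORS):                    # sectors 1..15: 3 data blocks + trailer
        blocks += [bytes(BLOCK_SIZE)] * 3 + [BLANK_TRAILER]
    return b"".join(blocks)

def parse_trailer(block: bytes) -> dict:
    """Split block 3 of a sector into Key A, the 4 control bytes and Key B."""
    key_a, access, key_b = block[0:6], block[6:10], block[10:16]
    b6, b7, b8 = access[0], access[1], access[2]   # byte 9 (e.g. 0x69) is a free user byte
    # The C1/C2/C3 nibbles are stored once plain and once inverted; a valid trailer
    # has every plain nibble XOR its inverted copy equal to 0xF.
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    consistent = ((b6 & 0xF) ^ c1 == 0xF and (b6 >> 4) ^ c2 == 0xF
                  and (b7 & 0xF) ^ c3 == 0xF)
    return {"key_a": key_a.hex().upper(), "key_b": key_b.hex().upper(),
            "access": access.hex().upper(), "access_consistent": consistent}

def parse_dump(dump: bytes) -> dict:
    """Return the UID, whether its checksum is valid, and the keys of every sector."""
    if len(dump) != CARD_SIZE:
        raise ValueError(f"expected {CARD_SIZE}-byte dump, got {len(dump)}")
    block0 = dump[:BLOCK_SIZE]
    uid, bcc = block0[:4], block0[4]
    sectors = []
    for s in range(SECTORS):
        start = (s * BLOCKS_PER_SECTOR + 3) * BLOCK_SIZE   # block 3 of sector s
        sectors.append(parse_trailer(dump[start:start + BLOCK_SIZE]))
    return {"uid": uid.hex().upper(),
            "bcc_ok": bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]),
            "sectors": sectors}

if __name__ == "__main__":
    info = parse_dump(build_blank_dump(bytes.fromhex("DEADBEEF")))  # constructed UID
    print(info["uid"], info["bcc_ok"], info["sectors"][5])
```

A dump whose block-0 checksum or trailer nibbles do not agree was either corrupted in transfer or written by hand, which is a quick sanity check before trusting any reader output.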
Therefore, to read and modify M1 card data, you must first obtain the keys for each sector, unless the card is unencrypted. The specific methods will be detailed later.
Thus, whether the M1 card key can be cracked is a key factor in cracking the entire card.