Preface#
As NFC technology becomes increasingly widespread in various aspects of life, such as NFC contactless payments, NFC access cards, NFC music tags, and the growing support for NFC functionality in smartphones, the demand for writing NFC tags into phones to facilitate daily needs continues to rise. This article provides a tutorial on copying and writing traditional Mifare Classic® EV1 type cards (hereinafter referred to as M1). More advanced CPU cards and other types of cards are not discussed in this article.
As for equipment, you need a Windows computer, a PN532 module, and the source and target cards.
Please confirm that your phone has a system wallet that can add NFC cards.
If your phone has a wallet but struggles to add the required access card, this article may help you. If you have already dumped the data, you can skip to the last section.
Overview#
Most cards on the market, such as many community access cards, operate on the standard NFC frequency of 13.56 MHz, and the NFC chip in our Android devices operates at the same frequency.
Completely copying an NFC card involves two parts: (1) the card number (the UID, held in block 0 of sector 0) and (2) the data in the remaining blocks.
About the Card Number#
On a normal, compliant M1 UID card, sector 0 (block 0, which holds the UID) is locked and cannot be written. To get around this you must either use a CUID card, which allows sector 0 to be written, or rely on the emulation chip built into the phone, and so on.
With a CUID card you simply write the dump file through the writer and the copy is complete, so I won't elaborate further.
The process for phone emulation varies from phone to phone and is introduced later.
This article uses MifareOneTool from xcicode (hereinafter referred to as M1T) for cracking and writing cards. Its repository describes it as:
A GUI Mifare Classic tool on Windows (no longer maintained / latest version v1.7.0)
About the Data#
Below is the structure of an M1 card.
The card has a total of 16 sectors numbered 0-15, and each sector has four blocks numbered 0-3: blocks 0~2 are data blocks and block 3 is the control block (the sector trailer). The control block stores KeyA, KeyB, and the control word (access bits) of that sector. The control word defines what each of the two keys is allowed to do with each block, and the permissions of each sector in the M1 card are independent.
Most of the cards we need to copy will be encrypted, which can be divided into the following three types:
- Unencrypted card: all sector keys are FFFFFFFFFFFF.
- Semi-encrypted card: some sector keys are FFFFFFFFFFFF.
- Fully encrypted card: none of the sector keys are FFFFFFFFFFFF.
Unencrypted cards can be added directly.
If the M1 card you need to copy is encrypted (both fully and semi-encrypted cards can be cracked) and its SAK is 08/18/28, then this article is suitable for you.
Cracking Card Data#
First, download M1T from the repository linked above, connect your PN532 to the computer, and click the "Detect Device" button.
If all goes well, the device is connected.
Next, place the card you need to crack on the PN532 and click, in order: Scan Card -> Detect Encryption (this step tells you whether the card is semi-encrypted or fully encrypted) -> One-Click Unlock Original Card. If all goes well, you now have the data of your semi-encrypted card and can proceed to the next section for writing.
The image shows the interface upon successful unlocking, at which point a file manager should pop up asking for a name for the saved file.
What if it’s a fully encrypted card?
Click to download mfcuk (a tool from the internet).
Unzip it, double-click Open MFCUK, enter 1 and press Enter.
After that, in theory, you obtain the key after a very long wait (laugh).
(Actually, the author was unable to reproduce the run at the time of writing and so could not continue this part; it will be supplemented when available. At least I am sure that fully encrypted cards can be cracked.)
Writing to Phone#
The writing step itself is simple; you only need a straightforward approach:
For some phones' built-in wallets, when you choose to write to a blank card, the first step asks you to copy the card number, and the wallet then asks you to use a writer to write the data.
So first hold the original card to the phone to obtain the card number, then use M1T to write the dumped data.
For other built-in wallets (such as VIVO's), creating a blank card generates a random card number, so the approach has to change:
Based on this, the alternative approach is: first perform a copy that is bound to fail but still leaves the card number on the phone, then write the data.
On the phone, choose to add a physical access card and copy the original card; the card on the phone should now have the card number but be otherwise empty (even if it contains data, all of its keys are known).
Then open the Advanced Features tab in M1T, run Clear M1 once to obtain blank data, and write in the dumped original card data.
At this point your phone holds the access card you expected.
If you want to write other kinds of functional data, such as opening a link, playing music, or connecting to WiFi, search for NFC Tools Pro for personalized editing.
Unfinished Experiments#
After flashing a quasi-native system on my phone, I suffered from being unable to emulate NFC cards properly and could not get through the community gate. Now that I have switched back to the original system, I can't experiment any more. Below is a proposed experimental idea for quasi-native systems, in the hope of finding a way to copy access cards on such systems.
- Install Card Emulator Pro.
- Use the software to copy a UID, activate the card, and try to read the card information on M1T.
- Similar to the conclusions drawn from the above methods that cannot directly write UID, attempt to write data directly.
I am not a professional and do not understand the principles of wallet emulation for NFC, so I can only leave a suspense.