Background

Recently some colleagues at the company started using a wristband to swipe through the office access control. For a poorly informed working stiff like me, that was instantly impressive. They said the company's access card is an unencrypted card and can be emulated directly. So could an encrypted card be emulated too?

With that question in mind, and in the geek spirit, I naturally had to find out. There are plenty of articles online about emulating encrypted cards with NFC devices, but very few of them explain the basic knowledge and principles, so I took the opportunity to sort that out as well. If you only want the steps for emulating an encrypted access card, skip to the second half.

The relevant knowledge

What is NFC

Near field communication (NFC) evolved from contactless radio frequency identification (RFID) and was jointly developed by Philips Semiconductors (now NXP Semiconductors), Nokia and Sony in 2004. It combines RFID with interconnection technology. NFC is a short-range, high-frequency radio technology operating at 13.56 MHz over a distance of up to 20 cm, with transmission speeds of 106 kbit/s, 212 kbit/s or 424 kbit/s. It has been approved as the ISO/IEC 18092, ECMA-340 and ETSI TS 102 190 standards. NFC supports both active and passive communication modes.

Each complete NFC device can work in three modes:

  • Card Emulation Mode
  • Reader/Writer mode
  • Peer-to-peer mode

The core function we want to use is card emulation mode, which is available on smart devices such as phones and wristbands.

NFC card classification

ID card

The full name of ID card is Identification Card. It is a low-frequency card operating at 125 kHz to 1000 kHz (different from the frequency used by most phones and smart devices, so they cannot emulate it). The card number is fixed and readable in the clear, and no data can be written to it.

IC card

The full name is Integrated Circuit Card, also known as a smart card. It operates at 13.56 MHz (the same frequency as most phone NFC chips, so it can be emulated), is readable and writable, has a large capacity, and can be encrypted. It is increasingly used in identity authentication, banking, telecommunications, public transport and other fields.

How to distinguish ID card from IC card

Here are two simple methods:

  1. If the card has 10, 8 or 18 digits printed on it starting with 00, it is an ID card
  2. Android phones with NFC can sense IC cards but not ID cards, which is enough to tell the two apart

Introduction to IC card data storage

IC cards have 16 sectors numbered 0 to 15. Each sector has 4 blocks numbered 0 to 3, and each block holds 16 bytes.
Block 0 of sector 0 is written by the manufacturer. The first 4 bytes are the card number (UID), the fifth byte is the check byte for the UID, and the remaining bytes are manufacturer data. (Most access control readers only read the UID and ignore the manufacturer data; if a reader also checks the manufacturer data, there is no way to emulate the card.)
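As an added example (my code, not from the original post), here is a small parser for a 1K dump laid out as described above that verifies the UID check byte; the positions of the SAK and ATQA bytes after the check byte and the sample block contents are my assumptions, not from the post. A reader that keys only on those first 4 bytes is the weak spot the rest of this article relies on, and a dump with a wrong check byte is one cheap sign of a sloppily written clone.

```python
# Added example, not from the original post. Parses a 1K dump
# (16 sectors x 4 blocks x 16 bytes) and checks the manufacturer block.
# Assumed layout for a 4-byte-UID card (ISO/IEC 14443-3): UID[0..3],
# BCC = XOR of the 4 UID bytes, then SAK, ATQA (2 bytes), manufacturer data.
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes


def split_sectors(dump: bytes) -> list[list[bytes]]:
    """Return the dump as sectors[s][b] -> 16-byte block."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE}-byte dump, got {len(dump)}")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, DUMP_SIZE, BLOCK_SIZE)]
    return [blocks[s * BLOCKS_PER_SECTOR:(s + 1) * BLOCKS_PER_SECTOR]
            for s in range(SECTORS)]


def parse_block0(block0: bytes) -> dict:
    """Decode sector 0 / block 0 and verify the UID check byte (BCC)."""
    uid, bcc = block0[:4], block0[4]
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {
        "uid": uid.hex().upper(),      # the 8 hex digits most readers key on
        "bcc_ok": bcc == expected,     # wrong BCC: corrupt dump or sloppy clone
        "sak": block0[5],
        "atqa": block0[6:8].hex().upper(),
        "manufacturer": block0[8:].hex().upper(),
    }


def check_dump(dump: bytes) -> dict:
    """Whole-dump check: structure plus manufacturer-block consistency."""
    return parse_block0(split_sectors(dump)[0][0])


# Constructed sample dump: UID 04 A1 B2 C3 -> BCC 0x04^0xA1^0xB2^0xC3 = 0xD4,
# SAK 0x08, ATQA 0x0400 (typical Classic 1K values), other blocks zeroed.
GOOD_BLOCK0 = bytes.fromhex("04A1B2C3" "D4" "08" "0400" "0000000000000000")
GOOD_DUMP = GOOD_BLOCK0 + bytes(DUMP_SIZE - BLOCK_SIZE)
# Same constructed card with a wrong check byte.
BAD_BLOCK0 = bytes.fromhex("04A1B2C3" "00" "08" "0400" "0000000000000000")
BAD_DUMP = BAD_BLOCK0 + bytes(DUMP_SIZE - BLOCK_SIZE)

if __name__ == "__main__":
    print(check_dump(GOOD_DUMP))           # uid 04A1B2C3, bcc_ok True
    print(check_dump(BAD_DUMP)["bcc_ok"])  # False
```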
IC card type

Since ID cards cannot be emulated and are gradually being phased out, this article will not discuss them further. The following are the common types of IC card.

Mifare S50 (M1)

MIFARE Classic is a contactless smart card developed by NXP Semiconductors, available in the S20, S50 (M1) and S70 variants. The M1 card has a capacity of 1K bytes, each card has a 4-byte globally unique serial number, sector 0 cannot be modified, and the other sectors can be rewritten repeatedly. Data retention is 10 years, with 100,000 write cycles and no limit on reads. The elevator cards, access control cards and other smart cards issued for daily use are all M1 cards, which can be thought of as the original card (mother card) issued by the property management. Common campus cards and bus cards are also M1 cards. M1 cards are only suitable for issuing new cards.

UID card

The common IC copy card; all sectors can be rewritten repeatedly. Its UID can be changed repeatedly because it responds to a backdoor command (which means a reader that issues that backdoor command can detect that it is a clone), and it will fail against a card reader with a firewall. The access control card you get copied by the old man at a street stall is usually this kind.

CUID card

An upgraded version of the UID card: a rewritable anti-shielding card. All sectors can be rewritten repeatedly, it does not respond to backdoor commands (so it is not easily detected by anti-clone systems), and it can get past firewalls.

FUID card

This card's sector 0 can only be written once. After it has been written it becomes an M1 card and cannot be reused. After modification it is exactly the same as an M1 card and hard to screen out.

UFUID card

An advanced IC copy card, which can be thought of as a combination of the UID and FUID cards. It requires a "sealing" operation: before sealing it behaves as a UID card, and after sealing it becomes an M1 card.

CPU card

The CPU card chip contains a microprocessor and an operating system (the chip operating system, COS), and can reach financial-grade security. It is used in finance, insurance, traffic police, government and other fields. The CPU card consists of a 7K CPU part and a 1K M1 part. At most the M1 part can be cracked; the data in the CPU area cannot. In practice the CPU card is essentially unbreakable, because the CPU data and the M1 data are tied to each other.

Emulation principle

General process for making access control cards

Property management companies generally make access control cards like this: first they buy M1 cards and register their UIDs in the community's access control system, then they write some encrypted data into the card (such as building, unit number, floor, validity period, etc.), so that when the corresponding reader reads the card data it can perform the corresponding function.

Copying process

Current card copying technology actually copies the data of all sectors, sets the emulated card's UID to the encrypted card's UID, and then writes the remaining sector data along with the UID. However, because some cards carry encrypted data with a validity time, if your card expires you will need to copy the data again in order to emulate it.

If you want to turn a community access card into a universal card, you need to decrypt the data, modify it after decryption (e.g. change the community gate, building, floor, time, etc.), and then re-encrypt it onto the emulated card. That requires a high level of skill and a lot of time and effort; if you are an expert, please ignore me…

Because most NFC devices do not support emulating encrypted cards but do support writing data, we can take a detour: emulate an unencrypted UID card, then copy the encrypted data and write it directly onto the emulated card. Done!

Steps as shown in the figure (process diagram, not reproduced here):
Required equipment

  1. PN532 (search Taobao)
  2. CUID blank card
  3. An encrypted access card
  4. A Windows computer
  5. PN532 driver
  6. MifareOne Tool 1.7

Steps

Install the PN532 driver

The PN532 uses a serial port driver, or comes with a CH340 USB-to-serial converter chip. If it is a CH340, usually no driver needs to be installed; otherwise you may need to install a PL2303 serial port driver. There are plenty online; just find one and install it.

Scan the encrypted access card

Connect the PN532 to the computer via USB, open MifareOne Tool, and check the connection.

Place the access card on the PN532 and scan it.

Click "One-click unlock" to read the card's dump data and save it.

The time it takes to crack the card varies with the card's encrypted data. Mine, for example, ran for about 288 seconds. In short, just wait.

Make a plain card with the same UID

  • Place the blank card on the PN532 and scan it
  • Copy the UID of the encrypted card:

Advanced operation mode => Hex editor => open the dump data => select sector 0 => copy the first 8 hex digits of block 0 (the original card's UID)

  • Write the UID of the encrypted card to the blank card:

Advanced operation mode => UID write => paste the eight digits copied above
At this point a plain card with the same UID has been created.

Emulate the access card with the Mi Band

  • Use the Mi Band to emulate the plain card you just made

  • Place the band on the PN532 and scan it; it should be detected as a normal card
  • Write the original card's dump data you saved earlier to the band

Operation: Advanced operation mode => CUID write

Note: the software may appear to freeze at this point; just wait a little and it will eventually succeed. Then take the band and swipe the access control!

Afterword

  1. When the Xiaomi band emulates an unencrypted card it can also fail easily. For example, our company's access card was emulated successfully by other colleagues, but when I tried it kept telling me that encrypted cards cannot be emulated.
  2. It is said that the PN532 sometimes overheats and can be cooled in a refrigerator (from diygod.me/pn532/).
