Regex520


M1 Card NFC Copy Tutorial

Foreword

As NFC technology spreads into more areas of daily life (NFC contactless payment, NFC access cards, NFC music tags) and more smartphones support NFC, the demand for loading NFC cards into the phone for everyday convenience keeps growing. This article is a tutorial on copying traditional Mifare Classic® EV1 type cards (hereinafter M1) and writing them to a phone. More advanced CPU cards and other card types are not covered.
For equipment you will need a Windows computer, a PN532 module, and the source and target cards.
Please confirm that your phone has a system wallet that can add NFC cards.
If your phone has a wallet but has trouble adding the access card you need, this article may help. If you have already dumped the card data, skip to the last section.

Overview

Most cards on the market, such as the access cards of many residential communities, operate on the standard NFC frequency of 13.56 MHz, and the NFC chip in our Android devices operates at the same frequency.
A complete copy of an NFC card has two parts: (1) the card number (the contents of sector 0) and (2) the data.

About the Card Number

On a standard-compliant M1 UID card, sector 0 is locked. To get around this you need either a CUID card that allows writing to sector 0, or the emulation chip built into the phone.
With a CUID card you can write the dump file directly with a card writer; I won't go into that further.
The emulation procedure on a phone varies by phone and is introduced later.
This article uses MifareOneTool from xcicode (hereinafter M1T) for cracking and writing cards.

About the Data

The structure of an M1 card is as follows.
The card has 16 sectors, numbered 0 to 15. Each sector has four blocks, numbered 0 to 3: blocks 0 to 2 are data blocks and block 3 is the control block. The control block stores KeyA, KeyB and the access control word of the sector. The control word defines what each of the two keys is allowed to do with the sector's blocks, and the permissions of every sector on an M1 card are independent of the others.
Most of the cards you will want to copy are encrypted; by key usage, cards fall into the following three types:

  1. Unencrypted card: All sector keys are FFFFFFFFFFFF.
  2. Semi-encrypted card: Some sector keys are FFFFFFFFFFFF.
  3. Fully encrypted card: All sector keys are not FFFFFFFFFFFF.

Unencrypted cards can be added directly.
If the M1 card you need to copy is encrypted (both fully encrypted and semi-encrypted cards can be cracked) and has SAK 08, 18 or 28, then this article applies to you.
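As an added illustration (not code from the original post, nor from M1T), here is a small Python parser for a 1 KB M1 dump that applies the layout described above: it pulls the card number from sector 0 and checks its BCC, reads each sector's KeyA/KeyB from the control block, and classifies the card as unencrypted, semi-encrypted or fully encrypted by how many keys are still FFFFFFFFFFFF. This is handy for auditing a dump of your own card to see whether it relies on default keys. The sample dump is constructed by make_dump with an invented UID and assumed key values.

```python
# Added example: parse a 1 KB Mifare Classic (M1) dump, report the card
# number in sector 0, the KeyA/KeyB stored in each sector's control block,
# and whether the card is unencrypted, semi- or fully encrypted.
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes for M1
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")           # factory default key

def block(dump: bytes, sector: int, blk: int) -> bytes:
    """Return one 16-byte block; block 3 of every sector is the control block."""
    off = (sector * BLOCKS_PER_SECTOR + blk) * BLOCK_SIZE
    return dump[off:off + BLOCK_SIZE]

def sector_keys(dump: bytes, sector: int):
    """Control block layout: KeyA (6 bytes) | access bits (4) | KeyB (6)."""
    trailer = block(dump, sector, 3)
    return trailer[0:6], trailer[6:10], trailer[10:16]

def card_number(dump: bytes):
    """Sector 0 / block 0 starts with the 4-byte UID followed by its BCC
    (XOR of the four UID bytes); a wrong BCC means a corrupted dump."""
    b0 = block(dump, 0, 0)
    uid, bcc = b0[:4], b0[4]
    return uid.hex().upper(), (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc

def classify(dump: bytes) -> str:
    """Count how many of the 32 keys (KeyA and KeyB of 16 sectors) are default."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE}-byte M1 dump, got {len(dump)}")
    keys = [k for s in range(SECTORS) for k in sector_keys(dump, s)[::2]]
    defaults = sum(k == DEFAULT_KEY for k in keys)
    if defaults == len(keys):
        return "unencrypted"
    if defaults == 0:
        return "fully encrypted"
    return "semi-encrypted"

def make_dump(uid: bytes, custom_keys: dict) -> bytes:
    """Constructed sample dump: every sector uses default keys except those in
    custom_keys (sector -> (KeyA, KeyB)). Block 0 holds UID, BCC, SAK 08 and
    ATQA; access bits use the transport value FF 07 80 69."""
    blocks = [bytes(BLOCK_SIZE) for _ in range(SECTORS * BLOCKS_PER_SECTOR)]
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    blocks[0] = (uid + bytes([bcc, 0x08]) + b"\x04\x00").ljust(BLOCK_SIZE, b"\x00")
    for s in range(SECTORS):
        key_a, key_b = custom_keys.get(s, (DEFAULT_KEY, DEFAULT_KEY))
        blocks[s * BLOCKS_PER_SECTOR + 3] = key_a + bytes.fromhex("FF078069") + key_b
    return b"".join(blocks)
```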

Cracking Card Data

First, download M1T from the repository mentioned above, connect your PN532 to the computer correctly, and click the "Detect Device" button.

If all goes well, the device is connected.
Next, place the card you want to crack on the PN532 and click, in order, Scan Card -> Detect Encryption (this step tells you whether the card is semi-encrypted or fully encrypted) -> One-Click Unlock Original Card. If all goes well, you now have the data of your semi-encrypted card and can move on to the writing section.

When the unlock succeeds, a file manager dialog pops up asking for a name for the saved dump file.

What if it is a fully encrypted card?

Click to download mfcuk (a tool found online).
Unzip it, double-click Open MFCUK, type 1 and press Enter.
After that, in theory, you obtain the key after a very long wait (laugh).

(In fact, the author failed to reproduce the result at the time and could not continue writing; I will add it when I can. At least I am sure that fully encrypted cards can be cracked.)

Writing to Phone

From here it is simple; the writing procedure depends on the phone's wallet:
For some phones' built-in wallets, when you choose to write to a blank card, the first step asks you to copy the card number, and the second step asks you to write the data with a card writer.
So first hold the original card to the phone to obtain the card number, then use M1T to write the dumped data.
For other built-in wallets (such as vivo's), creating a blank card assigns a random card number, so a different approach is needed:

Given this, there is another way to copy the card: first make a copy that is bound to fail, then write the data.
On the phone, choose to add a physical access card and copy the original card; the card on the phone now has a card number but is otherwise empty (even if it contains data, all of its keys are known).
Then open the Advanced Features tab in M1T, run Clear M1 once to produce blank data, and write the dumped original card data.
Your phone now holds the access card you expected.
If you want to write other functional data, such as opening a link, playing music or connecting to WiFi, search for NFC Tools Pro for custom editing.

Unfinished Experiments

After flashing a quasi-native system on my phone, I have been unable to emulate NFC cards properly and cannot get through the community gate. Now that I have switched back to the original system, I cannot experiment. Below is a proposed experimental idea for quasi-native systems, in the hope of finding a way to copy access cards on them.

  1. Install Card Emulator Pro.
  2. Use the software to copy a UID, activate the card, and try to read the card information in M1T.
  3. As with the approaches above that cannot write the UID directly, try writing the data directly.

I am not a professional and do not understand how wallets implement NFC emulation, so I can only leave this open.
