Crack NFC card

concept

Various cards

ID cards operate at low frequency (125 kHz).

ID card | Feature
EM4XX series, mostly EM4100 / EM4102 cards | Commonly used fixed-ID cards. The ID is fixed at the factory and the card can be read but not written. Used for low-cost access cards, residential-community access cards and parking access cards.
Blank ID card: EM4305 or T5577 | Can be used to clone ID cards. Blank from the factory, with readable and writable internal EEPROM; modifying the EEPROM contents changes the ID number the card presents, which is how an ordinary ID card is copied. A T5577 written with an ID number becomes an ID card, written with an HID card number it becomes an HID card, and written with an Indala card number it becomes an Indala card.
HID ProxⅡ | Low-frequency card commonly used in the United States; rewritable, and not interchangeable with other cards.

IC card

IC card | Feature
M1 card | Full name Mifare S50. The most common card. The UID is fixed at the factory (the UID is the card number and is globally unique); the stored data can be modified. Commonly used for student cards, meal cards, bus cards and access cards.
M0 card | Full name Mifare UltraLight. A simplified version of the M1 card: smaller capacity, fewer functions, but cheaper. The UID is fixed at the factory; the stored data can be modified. Commonly used for subway cards and bus cards.
UID card | Full name Mifare UID Chinese magic card, known abroad as the Chinese magic card. A variant of the M1 card that uses a backdoor command (magic command) to allow the UID to be modified (the UID is in block 0), so it can be used to make a complete clone of an M1 card's data. Newer reader systems, however, check whether a card responds to the backdoor command; this identifies a UID card, so the system can deny it access and block copied cards (a UID firewall system).
CUID card | Created to get around the UID firewall system: it does not respond to the backdoor command (magic command), but the UID can still be modified. It is currently the most commonly used copy card on the market. In the last two years, smart-card system manufacturers have developed CUID firewalls based on the characteristics of CUID cards. These are not yet widespread (as of 2019), but the CUID card will one day be phased out just as the UID card was.
FUID card | The UID can be written only once; after writing, the UID sector is automatically locked and the card is equivalent to an M1 card. No current firewall system can block it, and the copy is almost identical to the original card. The drawbacks are clear: high price, a poor write success rate, and a wrong write wastes the card.
UFUID card | Combines the advantages of the UID card and the FUID card: the UID can be modified with the backdoor command, and the card is then manually locked to become an M1 card. The UID can first be written and read repeatedly; once the data is confirmed correct, the card is manually locked and becomes an M1 card. This solves the UID card's problem of being blocked by UID firewalls and the FUID card's problem of write-once errors, and it is cheaper than the FUID card.

Whether a card is an M0 card (Mifare UltraLight) or an M1 card (Mifare Classic 1k) is determined by its SAK value.

IC card memory structure

ref: https://hceng.cn/2019/07/12/NFC%E6%89%8B%E6%9C%BA%E6%A8%A1%E6%8B%9F%E5%8A%A0%E5%AF%86%E9%97%A8%E7%A6%81%E5%8D%A1/
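
The SAK check and the block 0 / sector layout mentioned above, as an added example that is not code from the original post. The function names are hypothetical, the SAK table comes from NXP's public type identification note rather than from this page, a 4-byte UID is assumed, and the card image is constructed:

```python
from functools import reduce

# SAK values as listed in NXP's public MIFARE type identification note (AN10833).
SAK_TYPES = {
    0x00: "MIFARE Ultralight (M0)",
    0x08: "MIFARE Classic 1K / S50 (M1)",
    0x09: "MIFARE Mini",
    0x18: "MIFARE Classic 4K / S70",
    0x20: "ISO 14443-4 card (e.g. DESFire)",
}
BLOCK = 16                 # bytes per block
BLOCKS_PER_SECTOR = 4      # Classic 1K: 16 sectors x 4 blocks x 16 bytes
SECTORS = 16

def classify_sak(sak: int) -> str:
    """Map the SAK byte returned during anticollision to a card family."""
    if sak & 0x04:         # cascade bit: UID not complete, SAK not final yet
        return "UID incomplete"
    return SAK_TYPES.get(sak, f"unknown (SAK 0x{sak:02X})")

def parse_block0(dump: bytes) -> dict:
    """Split the manufacturer block of a Classic 1K dump (4-byte UID)."""
    if len(dump) != BLOCK * BLOCKS_PER_SECTOR * SECTORS:
        raise ValueError("expected a 1024-byte Classic 1K dump")
    uid, bcc = dump[0:4], dump[4]
    return {"uid": uid.hex().upper(),
            "bcc_ok": bcc == reduce(lambda a, b: a ^ b, uid),  # BCC = XOR of UID
            "manufacturer_data": dump[5:BLOCK].hex().upper()}

def sector_trailer(dump: bytes, sector: int) -> dict:
    """Return the trailer (last block) of a sector: key A, access bytes, key B."""
    block = sector * BLOCKS_PER_SECTOR + 3
    raw = dump[block * BLOCK:(block + 1) * BLOCK]
    return {"block": block, "key_a": raw[0:6].hex(), "access": raw[6:10].hex(),
            "key_b": raw[10:16].hex()}

def build_sample_dump(uid: bytes) -> bytes:
    """Constructed blank card image: zeroed data, factory-default trailers."""
    bcc = reduce(lambda a, b: a ^ b, uid)
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)  # constructed bytes
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    sector = bytes(BLOCK * 3) + trailer
    return block0 + sector[BLOCK:] + sector * (SECTORS - 1)

if __name__ == "__main__":
    dump = build_sample_dump(bytes.fromhex("DEADBEEF"))
    print(classify_sak(0x08), parse_block0(dump), sector_trailer(dump, 1))
```

A block 0 whose check byte does not match the XOR of the UID bytes indicates a corrupted or hand-edited dump.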

Cracking tools

Phone emulation

Tool | Feature
NFC card emulation app | Requires root. Reads the UID and the non-encrypted data of an encrypted card and writes the UID into the phone's NFC.
Xiaomi's built-in access-card emulation | No root required. Cannot perform any operation on an encrypted card.
Third-party software MifareClassicTool | Reads the UID. Without root it cannot write to the phone's NFC, but it can write to IC cards, so a CUID card is also needed (a UID card cannot be used); plenty are available on a certain shopping site. The idea is to read the encrypted card's UID first, then read the CUID card, change the CUID card's UID to match the encrypted card's UID, and write the modified data back to the CUID card. Finally, use Xiaomi's built-in access-card emulation to copy the unencrypted CUID card. Whether this works is a matter of luck; the access control system in my area only recognizes the UID, so it worked.
Proxmark3 | Decrypts access cards. https://hceng.cn/2019/07/12/NFC%E6%89%8B%E6%9C%BA%E6%A8%A1%E6%8B%9F%E5%8A%A0%E5%AF%86%E9%97%A8%E7%A6%81%E5%8D%A1/
Proxmark3 + Xiaomi phone's built-in access-card emulation | Copy the non-encrypted card UID, then write the encrypted area with the Proxmark3.

ref: https://hceng.cn/2019/07/12/NFC%E6%89%8B%E6%9C%BA%E6%A8%A1%E6%8B%9F%E5%8A%A0%E5%AF%86%E9%97%A8%E7%A6%81%E5%8D%A1/

Origin www.cnblogs.com/cutepig/p/11742460.html