On how to cook a meal elegantly: Clone and tamper with the company meal card (M1 card)
Recently I have been playing with RFID technology using the Proxmark3, purely for fun. Being on a low salary, I used the company meal card as the test subject to pass the time. (Landlord uncle, don't beat me!) The following operations are purely for learning purposes; beginners may run into many errors.
First, understand the M1 card structure: see http://bobylive.com/static/1491
Lab devices: PM3 with antenna + meal card + UID white card
Connect the device and run hw tune to observe the voltage variation. The voltage change tells you whether the card is a high or low frequency card; there is an article about this on FreeBuf.
Voltage reading before the card is placed on the antenna
Voltage reading after the card is placed on the antenna
The steps above can be skipped; the answer follows directly.
I. Clone the card
Read the data of the M1 card, write down the UID, and copy a card with the same UID. On a normal card the manufacturer data in sector 0 cannot be changed, so a straight copy would fail the UID check and be useless, and the data after that area would also differ slightly when compared. Therefore we use a UID white card (with a writable sector 0) to clone and modify the data, so that the data on the clone matches the original.
Connect to the COM3 port (proxmark3 COM3) to enter the command line.
Execute hf 14a reader and write down the UID, b3 94 22 d4, for the later clone.
Obtain the A/B keys of block 1.
Use hf mf nested to enumerate the keys of the other blocks.
As you can see, the blocks basically use the default keys. After that we can dump the original data of our card, back up the dumpdata.bin file, and edit the data with C32asm. To clone the card and verify that the modified data still works, first change the name stored on the card.
Then re-write the modified dumpdata.bin to the UID white card. To avoid UID checks, change the white card's UID first.
Command:
hf mf csetuid b39422d4
Then you can clone the dumpdata.bin content to the new card.
Run hf mf restore to clone; the PM3 LED flashes and the clone is done within moments. After lunch, swiping the clone card with the changed name worked normally.
II. Elegantly tamper with the card balance
After lunch I swiped the card once, then dumped the cloned card's data as soon as possible and compared it with the original card data. Use bcompare (Beyond Compare) to compare the two dumps.
Comparing the dumps from before and after the swipe, we found that two blocks changed, and within the same swipe the data in the two blocks corresponded one to one. I guess one of them is used as backup data.
The 0e 06 on the left of the red box converted to decimal is 1550, and the F0 05 on the right converted to decimal is 1520. These correspond to my card balance of 155 before lunch and 152 after it, so this position is the balance field.
The green box marks the check byte of the balance. After comparing the two dumps, the method for generating the check byte is easy to find.
Balance check algorithm:
0E + 06 = 14
F0 + 05 = F5
Change the balance 200.0 to hexadecimal: 07 D0
Write it in reversed byte order, 06 27, with check byte 2D
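As an added example (not from the original post), here is what the terminal side should do with a balance record laid out as observed above: decode the little-endian balance, check the additive byte, and then decide on the backend ledger rather than the card, because a check byte that anyone who can write the block can recompute detects nothing. The record offset, the sample blocks and the ledger values are constructed assumptions.

```python
# Added example, not the post's own code: defender-side validation of a meal-card
# balance record. Layout as the post observed: 16-bit little-endian balance in
# tenths, followed by a check byte equal to the sum of the two balance bytes mod 256.
from dataclasses import dataclass

BALANCE_OFFSET = 0  # assumption: where the 3-byte record sits inside the block


@dataclass
class BalanceRecord:
    tenths: int      # balance in tenths, e.g. 1550 -> 155.0
    check_ok: bool   # whether the on-card check byte matches its (public) formula


def parse_balance_record(block: bytes, offset: int = BALANCE_OFFSET) -> BalanceRecord:
    """Decode the record [lo, hi, check] at `offset` and verify the check byte."""
    lo, hi, check = block[offset:offset + 3]
    tenths = lo | (hi << 8)           # 0E 06 -> 0x060E = 1550
    expected = (lo + hi) & 0xFF       # 0E + 06 = 0x14, as the post observed
    return BalanceRecord(tenths, check == expected)


def reconcile(card_block: bytes, ledger_tenths: int) -> dict:
    """Compare the balance the card claims with what the backend ledger says.

    The check byte only catches accidental corruption; whoever can write the
    block can recompute it. Tampering is detected by a record the card holder
    cannot produce, here the backend ledger, so the decision is made on that.
    """
    rec = parse_balance_record(card_block)
    return {
        "card_tenths": rec.tenths,
        "ledger_tenths": ledger_tenths,
        "check_byte_ok": rec.check_ok,
        "tampered": rec.tenths != ledger_tenths,
    }


# Constructed sample blocks (16 bytes each, like a Mifare Classic data block).
BEFORE_LUNCH = bytes([0x0E, 0x06, 0x14]) + bytes(13)   # 155.0, check 0x14
AFTER_LUNCH = bytes([0xF0, 0x05, 0xF5]) + bytes(13)    # 152.0, check 0xF5
INFLATED = bytes([0xD0, 0x07, 0xD7]) + bytes(13)       # 200.0 with a recomputed check byte

if __name__ == "__main__":
    print(reconcile(AFTER_LUNCH, 1520))   # genuine swipe: check ok, not tampered
    print(reconcile(INFLATED, 1520))      # check byte passes, ledger disagrees: tampered
```

The point of the second call is that a terminal trusting the card alone accepts the inflated record; only the ledger comparison rejects it.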
Modify the data records accordingly.
Run hf mf restore to re-write the data to the white card.
After swiping the card again:
[Conqu3r, Team: Pax.MacTeam. Reprinted; please indicate the source as FreeBuf.COM]