What about the RFID cards used in residential communities?
Environment and tools
Windows XP Pro SP3; an M1 (Mifare Classic) card cracking tool; nfcgui-pro.exe; hexcmp.exe
Let's take a look at our protagonist, the card itself.
When the card was issued I was told it could be charged only once and that no recharging would be provided afterwards! That settled it. I used the M1 card cracking tool to crack the keys and dump the card's original data, then put the matter aside and simply used the card. Yesterday I found I couldn't pay with it; I assumed it was out of money, came home, dumped it again, and confirmed it really was empty.
No way around it, I'll have to top it up myself. The first thing that comes to mind is a replay, the simplest approach (though it may fail): take the original data dumped when the card was first issued and write it back into the card.
In the dump, the bytes 10 27 are the balance in hexadecimal. The card stores the value in reverse (little-endian) byte order, so the actual value is 0x2710, i.e. 10000 in decimal; keeping two decimal places gives 100.00, the balance at the time the card was issued. The EF D8 in the middle of the block is the check value; it is analyzed below when arbitrary amounts are modified.
The write tool is RadioWar's NFCGUI-Pro 1.5.
Notes:
1. Be sure to select Key B when writing data.
2. Both files are taken from the original dump data.
3. "Done 64 of 64 blocks write" shown at the bottom indicates that the write succeeded.
With the write successful, I was excited to test it on the card reader. Yeah, the replay worked!
Since replay works, the next step is modifying an arbitrary amount. To do that you must work out the check value, and analyzing the check value requires a fair amount of data. Below is a comparison of several groups of data.
100 yuan:
99.5 yuan:
Collect these two groups of data first (it's too hot outside, 37 degrees ~~~ T_T).
The two groups of data are organized as follows:
Compare the data above and you'll see that this check value is weak, really weak ~~~. Summing it up as a formula:
(65535 - 55535) / 100 = 100, that is, check = 65535 - amount × 100. The check word (EF D8 = 0xD8EF = 55535) is just the 16-bit complement of the balance in fen (10 27 = 0x2710 = 10000), and for 99.5 yuan it would be 65535 - 9950 = 55585.
With the formula in hand, modifying any amount is much more convenient. Change it to 500 yuan first.
Then edit the data in C32 (the hex editor); that part is easy.
Then write the modified data back into the card, again with NFCGUI-Pro 1.5.
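As an added example (not code from the original post), the following Python helper does what the text does by hand with hexcmp and C32: it reads the 16-bit little-endian amount, verifies the check word using the formula above (check = 65535 - amount in fen), patches in an arbitrary balance with a matching check, diffs two dumps to find which bytes moved, and scans a dump for the offset where a known balance sits with a valid check after it. The block layout (amount at offset 0 of a 16-byte block, check word immediately after it) and the sample bytes are constructed from the values the post shows; on a real card the field is wherever the diff of the two dumps points. If the card in fact uses the standard Mifare Classic value-block layout (4-byte value, 4-byte inverted value, 4-byte value), the same complement relation holds over the full 4-byte field and the 16-bit view here is only its low half.

```python
# Added example, not from the original post: decode, verify and patch the
# balance field as the post describes it: a 16-bit little-endian amount in
# fen (0.01 yuan) followed by a 16-bit check equal to 65535 - amount.
# Field offsets and sample bytes below are assumptions built from the
# values the post shows (10 27 EF D8).


def le16(buf: bytes, offset: int) -> int:
    """Read an unsigned 16-bit little-endian integer at offset."""
    return int.from_bytes(buf[offset:offset + 2], "little")


def check_for(amount: int) -> int:
    """Check word from the post's formula: 65535 - amount (one's complement)."""
    if not 0 <= amount <= 0xFFFF:
        raise ValueError("amount must fit in 16 bits")
    return 0xFFFF - amount


def decode_balance(block: bytes, offset: int = 0) -> float:
    """Balance in yuan from the amount field at offset."""
    return le16(block, offset) / 100


def verify_check(block: bytes, offset: int = 0) -> bool:
    """True if the check word matches the amount it follows."""
    return le16(block, offset + 2) == check_for(le16(block, offset))


def patch_balance(block: bytes, yuan: float, offset: int = 0) -> bytes:
    """Return a copy of block with amount and check rewritten for yuan."""
    amount = round(yuan * 100)
    out = bytearray(block)
    out[offset:offset + 2] = amount.to_bytes(2, "little")
    out[offset + 2:offset + 4] = check_for(amount).to_bytes(2, "little")
    return bytes(out)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets where two dumps differ (what hexcmp shows by eye)."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def find_balance_fields(dump: bytes, yuan: float) -> list:
    """Offsets where the amount for yuan appears with a valid check after it."""
    amount = round(yuan * 100)
    return [i for i in range(0, len(dump) - 3)
            if le16(dump, i) == amount and verify_check(dump, i)]


# Constructed sample: the bytes the post shows, padded to a 16-byte block,
# and a small constructed "dump" with that block in the middle.
BLOCK_100 = bytes.fromhex("1027EFD8" + "00" * 12)
SAMPLE_DUMP = bytes(16) + BLOCK_100 + bytes(16)

if __name__ == "__main__":
    print("balance:", decode_balance(BLOCK_100), "check ok:", verify_check(BLOCK_100))
    b995 = patch_balance(BLOCK_100, 99.5)
    print("99.5 yuan:", b995[:4].hex(), "changed offsets:", diff_offsets(BLOCK_100, b995))
    print("500 yuan:", patch_balance(BLOCK_100, 500)[:4].hex())
    print("balance field found at:", find_balance_fields(SAMPLE_DUMP, 100))
```

Running it shows the 99.5-yuan block as de 26 21 d9 and the 500-yuan block as 50 c3 af 3c, which is exactly what you would type into C32 before writing the block back with Key B; everything outside the patched four bytes stays as in the original dump, so the sector trailers (keys and access bits) are never touched.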
Screenshot of the successful test:
Summary
1. There are many articles on RFID, especially on 2cto; if you want to learn more, read more technical articles.
2. Check value and amount field: on some cards they must first be XORed or inverted and then stored in the card in reverse byte order; more unusual cards store them encrypted.
3. Analyzing the check value is the fiddly part, and it takes a long time if you rush it. I remember last time, analyzing a school canteen card, dozens of groups of data weren't enough; I only finished the analysis late that evening.