All the information you need to extract information from HDU student ID cards. May apply to other hzsun RFID cards; your mileage may vary.
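Storage analysis results for Hangzhou Dianzi University (HDU) campus cards. May also apply to RFID cards from other hzsun (正元智慧) deployments.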
This project is licensed under WTFPL 2.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
There are 2 types of student card. Everyone is given an initial student card when registering at school; this initial card is a Mifare 4K-compatible card. When you get a re-issued card from the student center, the new card will be a Mifare 1K-compatible card.
Payment clients are typically used to pay with the student card. They have a numeric keyboard and an Ethernet connection. They can also be configured to:
- Undo the last transaction on this client (requires card presence and supervisor password)
- Charge money (This may be another type of device)
- Write specific data to specific card sector (programmable, will display "CArd" on screen)
They can also be configured to ask for the payment password when a large amount of money is paid in a single transaction. The authentication model is unclear.
Counterfeit Mifare 1K clone cards will be reported as unrecognizable cards. Maybe a private card authentication method is implemented somewhere.
Typically an infrared access logger which beeps when people pass, with a card reader connected to a Windows XP computer displaying the card reader log. This logger may have a race condition: when you quickly place and remove the card with certain timing, the beeper won't beep or makes a lower sound than usual.
The gate uses reflected infrared to detect people; you may use a reflection board or infrared light to interfere with it. The light source and detector are located on the 2 stands near the wall; the center stand provides 2 reflection boards, one to each side.
A read-then-pass access control machine which displays the student name on an embedded LCD and also connects to a PC displaying the log. On the 2nd floor.
A metal box with a B/W LCD, camera, PM2.5 sensor and a card reader (maybe PN532). Uses wired power and wireless networking (frequency unclear, but the antennas are visible). The card reader is configured to read the first 8 bytes of sector 15 (no matter which card type) as an ASCII string (maybe also GBK, although usually there is only an 8-digit numeric student ID) and then display it on the LCD.
- Cash Charge Machine (yellow kiosk running Windows XP + Java application): charge with cash, change payment password, and query last 5 transactions.
- To be done
All HDU cards have 6 encrypted sectors, and the other sectors use the universal key ffffffffffff.
Keys (.key files) are in plain text format, hex representation, in the following sequence (one key per line):
1 universal key for unencrypted sectors
6 A keys for encrypted sectors
6 B keys for encrypted sectors
These key files can be used directly in MifareClassicTool.
Data structs (.bt files) are plain text files representing the dump structure as C-like struct definitions to help analyze card dump files. They can be used directly as templates in 010 Editor.
Empty dump files (.mfd) are provided with all data bytes nulled but keys kept.
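Added example (not part of this project's files): a Python script that takes the bytes of a .mfd dump, lists the sectors whose trailer keys differ from the universal key, and decodes the first 8 bytes of sector 15 the way the card reader described above does. It assumes the standard Mifare Classic 1K/4K layout with key A at bytes 0-5 and key B at bytes 10-15 of each sector trailer; the sample dump, its custom-key sector numbers and the ID 12345678 are constructed.

```python
# Added example: audit a Mifare Classic .mfd dump (1K or 4K).
UNIVERSAL_KEY = bytes.fromhex("ffffffffffff")  # universal key stated on this page
BLOCK = 16  # bytes per block

def sector_layout(size):
    """Return [(byte_offset, block_count)] per sector for a 1K or 4K dump."""
    if size == 1024:
        counts = [4] * 16
    elif size == 4096:
        counts = [4] * 32 + [16] * 8  # 4K: 32 small sectors, then 8 large ones
    else:
        raise ValueError(f"not a 1K/4K dump: {size} bytes")
    layout, off = [], 0
    for n in counts:
        layout.append((off, n))
        off += n * BLOCK
    return layout

def custom_key_sectors(dump):
    """Sector numbers whose trailer key A or key B is not the universal key."""
    found = []
    for i, (off, n) in enumerate(sector_layout(len(dump))):
        trailer = dump[off + (n - 1) * BLOCK: off + n * BLOCK]
        if trailer[0:6] != UNIVERSAL_KEY or trailer[10:16] != UNIVERSAL_KEY:
            found.append(i)
    return found

def sector15_id(dump):
    """First 8 bytes of sector 15 decoded as ASCII, as the reader above does."""
    off, _ = sector_layout(len(dump))[15]
    return dump[off:off + 8].decode("ascii", errors="replace")

def make_sample(size, custom, student_id):
    """Constructed dump: data nulled, keys kept, ID placed in sector 15."""
    dump = bytearray(size)
    for i, (off, n) in enumerate(sector_layout(size)):
        key = bytes([0xA0 + i] * 6) if i in custom else UNIVERSAL_KEY
        t = off + (n - 1) * BLOCK
        dump[t:t + 16] = key + bytes.fromhex("ff078069") + key
    off = sector_layout(size)[15][0]
    dump[off:off + 8] = student_id.encode("ascii")
    return bytes(dump)

if __name__ == "__main__":
    # Sector numbers and ID are constructed; the page does not list the real ones.
    for size in (1024, 4096):
        d = make_sample(size, {1, 2, 3, 4, 5, 6}, "12345678")
        print(size, custom_key_sectors(d), sector15_id(d))
```

For a real dump, pass the result of open(path, "rb").read() to custom_key_sectors and sector15_id.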
The ACS ACR122 is a commonly seen NFC reader. Install libnfc to get access to the tools we need.
In the following commands, use the empty dump file corresponding to your card type.
nfc-mfclassic r a new_dump.mfd dumps/HDU-Mifare1k-empty.mfd f
Writing to a standard Mifare card (UID won't be changed):
nfc-mfclassic w a edited_dump.mfd
Writing to a Chinese unlockable Mifare-compatible card:
nfc-mfclassic W a edited_dump.mfd
MifareClassicTool is an Android application used to read and write Mifare cards. You need a compatible device to use it.
Put keys/*.keys into your device's /sdcard/MifareClassicTool/key-files, then when reading in the app, select the corresponding keys file. (If you are not sure which card you are reading, tick both.)
This section is to be done.
hf mf dump
CAUTION: Proxmark3 has an issue that prevents setting the correct key for encrypted sectors.
All glory to the schoolmates who donated their card dumps to me.