Topic: Any experience with environment using mifare classic?

Actually, I don't know if the topic name is neutral enough.

I am interested in doing some analysis of our city transport service. It is using MfC for prepaid time-based long-term travel tickets. I've already made some dumps (a dump before charging, a dump after charging, dumps of a few friends' cards, with knowledge of their expiration dates as well) and now I would like to get the meaning of those 48 bytes, to be able to tell the expiration date from them, and vice versa, to generate blocks' values that will correspond to a given date.

So I would like to know if someone here has experience with methods being used to store actual data into Mifare Classic's blocks.

Re: Any experience with environment using mifare classic?

Hello,

whitewash wrote:

So I would like to know if someone here has experience with methods being used to store actual data into Mifare Classic's blocks.

If you read the MIFARE Classic specifications, you will learn that there are two hardcoded ways to write data on this card:
You can write a "data block": raw data per 16 bytes, or a "value block": that can be used to ensure data integrity but holds 4 useful bytes (usually a 32-bit integer) in one block (16 bytes).

If you see that there are value blocks on your card, you will need to implement read/write operations (at least) on these value blocks. If that's the case, you may be interested in libfreefare: Library for high level manipulation of MIFARE cards.
That's a WIP project, but it implements nearly the whole MIFARE Classic specification.

http://code.google.com/p/nfc-tools/wiki/libfreefare

Romuald Conty
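The value-block layout mentioned in the post above, as an added example that is not part of the original post or of libfreefare: a value block stores the 32-bit value three times (plain, bit-inverted, plain) followed by an address byte stored four times (plain, inverted, plain, inverted), so a dump can be checked block by block for that pattern. The function names, the 4-block sector assumption and the sample bytes are constructed for this illustration.

```python
import struct

BLOCK = 16  # every MIFARE Classic block is 16 bytes

def parse_value_block(block: bytes):
    """Return (value, addr) if the block follows the value-block layout,
    otherwise None (it is then an ordinary data block)."""
    if len(block) != BLOCK:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    v1, v1_inv, v2 = struct.unpack("<III", block[:12])
    a1, a1_inv, a2, a2_inv = block[12:16]
    # The value is stored plain, inverted, plain: all three must agree.
    if v1 != v2 or (v1 ^ v1_inv) != 0xFFFFFFFF:
        return None
    # The address byte is stored plain, inverted, plain, inverted.
    if a1 != a2 or a1_inv != a2_inv or (a1 ^ a1_inv) != 0xFF:
        return None
    value = struct.unpack("<i", block[:4])[0]  # signed, little-endian
    return value, a1

def classify_blocks(dump: bytes):
    """Label each block as 'trailer', 'value' or 'data'.
    Assumes 4-block sectors (1K layout), an assumption of this example."""
    if len(dump) % BLOCK:
        raise ValueError("dump is not a whole number of 16-byte blocks")
    labels = []
    for off in range(0, len(dump), BLOCK):
        n = off // BLOCK
        if n % 4 == 3:  # last block of a sector holds keys and access bits
            labels.append((n, "trailer", None))
            continue
        parsed = parse_value_block(dump[off:off + BLOCK])
        kind = "value" if parsed is not None else "data"
        labels.append((n, kind, parsed))
    return labels

# Constructed sample sector (not taken from any real card):
SAMPLE = bytes.fromhex(
    "00000000000000000000000000000000"   # block 0: plain data
    "dc05000023faffffdc05000001fe01fe"   # block 1: value 1500, addr 1
    "dc05000023faffffdd05000001fe01fe"   # block 2: third copy differs
    "000000000000ff078069000000000000"   # block 3: sector trailer
)

if __name__ == "__main__":
    for n, kind, parsed in classify_blocks(SAMPLE):
        print(n, kind, parsed)
```

A block that fails the redundancy check is reported as data, which is also how a corrupted value block shows up.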

Re: Any experience with environment using mifare classic?

Hi there,

I think his question was more about how to properly read the stored data, I mean, encryption and everything...
If so, you should be aware that companies might be very tricky in the way they want to "encrypt" their data. As it is sensitive information, they don't want us to read it. So, they develop their own "algorithm", or an easier way to do it is to change some parts of well-known algorithms (changing crc32's keys...). I'm currently working on the same thing and trying to create a new program that only takes the changed bytes and turns them in all the possible ways to see if I can go back to my data.
One thing you should be aware of is the reversal of the algorithms... companies want to write confidential data... they also want to be able to read it; if you can't reverse the "algorithm" it's useless (for example, to see how much money's left). That is one of the main reasons why xor-cascade or xor-distribution is often used, I guess.

Otherwise forget about my post :)

Re: Any experience with environment using mifare classic?

Hello,
Yes, that's right, I'm interested in the method a company could use for storing data into the 16B block (and probably encrypting it).
So far, I know that the prolongation of a prepaid public transport ticket written on my mifare changes only two bytes, both in the same block (so I doubt there is some hashing algorithm used, because those are irreversible, and hashing algorithms usually produce significantly different hashes at the change of a mere 1 byte in the input data).
I have analyzed that block with a hex editor (quite a good one, which also displays what those highlighted bytes mean when representing int32, uint32, unix timestamp, DOS date etc...), but so far, no representation made sense :( I'm now in the process of collecting as many blocks from as many tickets as I can, along with information on their expiration dates; however, someone with some experience in cryptanalysis would really come in handy :D

Re: Any experience with environment using mifare classic?

Still doing this research??

I'm doing the same thing in Argentina.