Introduction to the idea of cracking the CPU of the Fudan FM1208-10 card

Hello everyone, let me introduce the Fudan FM1208-10 card to you. As is well known, the M1 part of the card has already been cracked. What I want to do now is crack its CPU part. The CPU part mainly consists of key authentication, namely external authentication. The other management files use similar file keys and password key pairs held inside the files. Some cards also have a TAC or MAC (generally used on bank cards in China). The main difference between TAC verification and external authentication is that TAC authentication does not include the second half of the ciphertext, which increases the difficulty of cracking. The cards introduced here generally do not include TAC authentication; their main authentication method is still external authentication.

In PC/SC software you can simulate the card's external authentication by entering APDU commands. For the specific commands, please refer to the FMCOS manual; I will not introduce them or give examples here, and will only explain the cracking idea.

External authentication:

1. The card reader asks the card for a 4-byte hexadecimal random number.
2. After receiving the command, the card sends four random bytes (card selection and anti-collision have already been completed by this point).
3. The card reader appends 8 zeros to the end of the random number; all of these are hexadecimal digits, not decimal.
4. The card reader encrypts the resulting 8-byte hexadecimal value with DES; the key is held in the card reader.
5. After computing the result, the card reader sends the ciphertext to the card.
6. After receiving the ciphertext, the card's internal CPU decrypts it with its DES key (DES is a symmetric algorithm, so the same single key is used for encryption and decryption) and compares the decrypted plaintext with the random number it sent. If they match, the verification passes.
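The six-step exchange above, written out as an added Go simulation of both sides (this is example code, not code from the original post or from Fudan): the reader pads the 4-byte challenge to one DES block and encrypts it, and the card decrypts and compares. The key is a constructed sample, the challenge is supplied by the caller for reproducibility, and the function names, the constant-time compare and the single-use challenge are this example's own choices, not something the post states about the real card.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
)

// Card models the chip side of FMCOS-style external authentication (constructed sample key).
type Card struct {
	Key       []byte  // 8-byte single-DES key held inside the card
	challenge [4]byte // random issued by GET CHALLENGE
	issued    bool    // true between GET CHALLENGE and the next EXTERNAL AUTHENTICATE
}

// pad8 builds the DES block: the 4-byte challenge followed by four 0x00 bytes (eight hex zeros).
func pad8(challenge [4]byte) []byte {
	block := make([]byte, des.BlockSize)
	copy(block, challenge[:])
	return block
}

// GetChallenge hands the reader the 4-byte random; the caller supplies it here so the run is
// reproducible, whereas a real card draws it from its own RNG.
func (c *Card) GetChallenge(rnd [4]byte) [4]byte {
	c.challenge, c.issued = rnd, true
	return rnd
}

// ReaderResponse is the reader side: single-DES encryption of the padded challenge under the
// shared key. The plaintext is public, so every exchange exposes a known-plaintext pair.
func ReaderResponse(key []byte, challenge [4]byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	blk.Encrypt(out, pad8(challenge))
	return out, nil
}

// ExternalAuth is the card side: decrypt, compare in constant time with the padded challenge,
// and consume the challenge so that a replayed cryptogram is rejected.
func (c *Card) ExternalAuth(cryptogram []byte) bool {
	if !c.issued || len(cryptogram) != des.BlockSize {
		return false
	}
	c.issued = false
	blk, err := des.NewCipher(c.Key)
	if err != nil {
		return false
	}
	plain := make([]byte, des.BlockSize)
	blk.Decrypt(plain, cryptogram)
	return subtle.ConstantTimeCompare(plain, pad8(c.challenge)) == 1
}
```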

Please note that for the Mifare Classic series of cards, no one has published a method to change the UID, and I have not found the backdoor yet. Most people use the Chinese Magic Card as a Mifare card with a modifiable UID. For CPU cards with external authentication, however, the principle of UID modification should be similar to that of the Mifare Classic card. I noticed that some Chinese card manufacturers, such as Guangzhou Xingyetong Company and Guangzhou Rongsheng Company, have special instructions for changing the UID of Mifare Classic cards. They have shown how to modify the UID of Mifare Classic cards on YouTube, or state on their websites that they can change the UID, but the backdoor functions and instructions are not disclosed on the Internet.

Note that most card readers do not randomize or re-encrypt the ciphertext they send. Therefore, once the ciphertext and plaintext have been sniffed, we used Python to run DES on the graphics card and recover the key from the known plaintext/ciphertext pair. With a 4090 graphics card, an exhaustive search takes up to 20 hours. The verification principle of the file key and the password key inside a file is similar, so I will not introduce it here.

I sincerely hope that everyone can verify whether this method can crack the card. In other words, the M1 part of the card has been cracked and the key held in the CPU has also been cracked; you only need to change the UID at the end, or simulate the card's response, to completely defeat this card's authentication.