Moscow public transportation system
Background
Back in 2005, when I was still a child, I first saw a "Muscovite Social Card". Watching pensioners tap it at the turnstiles of ground transport and the metro, I started wondering how the whole system works. As a child I had no way to find out. Later, once I began earning my own money, I decided to study the fare payment system in public transport seriously.
RFID
Of course I started by searching Google and quickly found the name of the technology: RFID (Radio Frequency IDentification), or, translated into Russian, radio-frequency identification. After reading the Wikipedia article I learned that tags (cards) fall into three operating ranges: LF tags (125-134 kHz), HF tags (13.56 MHz) and UHF tags (860-960 MHz). Public transport uses tags of the second range, HF.
Cards
The cards themselves are issued under the Mifare trademark, which covers several types of smart-card chips, reader chips, and products based on them.
Currently, five types of chip are produced for the cards:
Mifare Classic 1k, Mifare Classic 4k
Mifare Ultralight
Mifare Ultralight C
Mifare Plus
Mifare DESFire EV1
Our public transport uses the first and second types of card.
The Muscovite social card is based on Mifare 1k.
The student social card is based on Mifare 4k.
A multi-trip metro ticket is based on Mifare Ultralight.
1k and 4k denote the amount of memory on the card: 1 and 4 kilobytes respectively.
I also had a social card for a resident of the Moscow region, which differed from the first only in name and design.
Practice
Naturally, to see the data recorded on the card and work with it, I needed a reader for these cards. While searching I came across a model called ACR122U. The price suited me: with delivery from an eBay auction it came to about $60.
Finally, three weeks later, I received the long-awaited package. It contained the reader itself, two blank white Mifare 1k cards and a disk with drivers and software.
Reader itself.
I immediately connected it to my laptop and installed the necessary drivers; the reader detected the card and everything went as it should. Now the question was how to read my card. At first I thought the disk would hold all the programs needed for this and it would be as easy as anything, but I was wrong. Of everything on the disk, only the drivers turned out to be useful, however funny that may sound. I had to go back to searching.
Software
After several days of searching I found a development kit called libNFC. Having studied it a little, I realized it was exactly what I needed. At the same time I stumbled upon the blog of one Alexander darksimpson Simonov, who wrote about the metro turnstile system as well as about this project. Moreover, he had even compiled all the necessary programs for Windows, which was very convenient. Then I proceeded to the tests. But first I will describe the structure of the card.
Card Structure
Here I will describe the structure of Mifare 1k and 4k cards. The 1k card is divided into 16 sectors, numbered 0 to 15. Sector 0 contains the manufacturer block, which holds the card's individual serial number, the UID; it is written at production and cannot be changed. The remaining 15 sectors are read/write. Each sector has two keys, A and B, as well as a set of access (LOCK) bits.
The combination of the latter tells the reader whether reading and writing are allowed, and with which keys. Typically reading is done with key A and writing with key B. On blank cards every sector uses the key FFFFFFFFFFFF. For 4k the situation is similar, except that it has 40 sectors instead of 16. So, to read the contents of a card on a computer you need to know the keys for all 16 sectors, and since all the keys are changed on every ticket, the logical question arises: how do you find these keys? The MFCUK utility, modified and compiled for Windows by another blogger under the nickname Odinokij_kot, helped me here. You can read about how this program works in his article.
An example of MFCUK at work.
Reading a card.
To read a card I needed the downloaded program mfclassic_d.exe, the keys found for my Moscow region social card, and the command line. On the command line I specified the path to the program, the file with my card's keys, the key type, the read command and the name of the file the card dump would be written to. After pressing the long-awaited Enter, the reading process started and was over in a couple of seconds, as indicated by the message "Done, 64 of 64 blocks read. Writing data to file: card.mfd ... Done." After that I tried to make sense of the data on the card, but it led nowhere: the file was just a pile of hexadecimal numbers, and the only thing even slightly readable was the passport data written in one of the sectors. Writing to a card works the same way, except that you specify the key file for the card being written to.
An example of mfclassic_d at work.
Starting the experiments. Test No. 1
First I read the card before passing through a bus turnstile and again after. I did the same with a metro turnstile. Comparing the card dumps, I found that after a pass on buses, trams and trolleybuses only the data in sector 4 changes and the rest stays the same, while in the metro only sector 1 changes. Hence the conclusion: the metro uses sector 1, ground transport uses sector 4.
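To make the 1k layout described under Card Structure concrete, and the before/after comparison of Test No. 1, here is an added Python example; it is not code from the post, from libNFC or from mfclassic_d. It parses a raw 1024-byte dump in the .mfd layout, checks the manufacturer block's BCC, decodes a sector trailer (key A, access bits, key B, following the Mifare Classic datasheet layout) and lists the sectors that differ between two dumps of the same card. Both dumps are constructed inline with a made-up UID and the blank-card keys; they are not real ticket contents.

```python
# Added example, not from the original post: parse a Mifare Classic 1k dump
# (16 sectors x 4 blocks x 16 bytes = 1024 bytes, the raw .mfd layout) and
# compare two dumps of the same card. Sample dumps are constructed below.

BLOCK = 16
BLOCKS_PER_SECTOR = 4
SECTORS_1K = 16
DUMP_1K = SECTORS_1K * BLOCKS_PER_SECTOR * BLOCK  # 1024 bytes


def blocks(dump: bytes) -> list:
    """Split a raw 1k dump into 64 blocks of 16 bytes."""
    if len(dump) != DUMP_1K:
        raise ValueError(f"expected {DUMP_1K}-byte dump, got {len(dump)}")
    return [dump[i:i + BLOCK] for i in range(0, DUMP_1K, BLOCK)]


def uid(dump: bytes) -> str:
    """Read the 4-byte UID from the manufacturer block (block 0).
    Byte 4 is the BCC, the XOR of the four UID bytes; a wrong BCC means the
    dump is truncated, shifted or not a Classic 1k card at all."""
    b0 = blocks(dump)[0]
    bcc = b0[0] ^ b0[1] ^ b0[2] ^ b0[3]
    if bcc != b0[4]:
        raise ValueError("manufacturer block BCC does not match the UID")
    return b0[:4].hex().upper()


def decode_access_bits(ab: bytes) -> list:
    """Decode the 3 access-bit bytes of a sector trailer into (C1, C2, C3)
    for blocks 0..3 of the sector. Datasheet layout:
      byte 6 = ~C2 (high nibble) | ~C1 (low nibble)
      byte 7 =  C1 (high nibble) | ~C3 (low nibble)
      byte 8 =  C3 (high nibble) |  C2 (low nibble)
    with bit i of each nibble belonging to block i."""
    b6, b7, b8 = ab
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # every nibble is stored twice (once inverted); a mismatch means the
    # trailer is corrupt and a real card would refuse access to the sector
    if ((b6 & 0x0F) != (~c1 & 0x0F) or (b6 >> 4) != (~c2 & 0x0F)
            or (b7 & 0x0F) != (~c3 & 0x0F)):
        raise ValueError("access bits fail their inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def sector_trailer(dump: bytes, sector: int) -> dict:
    """Key A, decoded access bits and key B of one sector's trailer block."""
    t = blocks(dump)[sector * BLOCKS_PER_SECTOR + 3]
    return {
        "key_a": t[0:6].hex().upper(),
        "access": decode_access_bits(t[6:9]),
        "key_b": t[10:16].hex().upper(),
    }


def changed_sectors(before: bytes, after: bytes) -> list:
    """Sector numbers whose blocks differ between two dumps of one card."""
    if uid(before) != uid(after):
        raise ValueError("dumps come from different cards")
    bb, ab = blocks(before), blocks(after)
    out = []
    for s in range(SECTORS_1K):
        lo, hi = s * BLOCKS_PER_SECTOR, (s + 1) * BLOCKS_PER_SECTOR
        if bb[lo:hi] != ab[lo:hi]:
            out.append(s)
    return out


def blank_1k(uid_bytes: bytes) -> bytes:
    """Constructed dump of a blank card: the given UID, default keys
    FFFFFFFFFFFF and default access bits FF 07 80 (user byte 69) in every
    sector trailer."""
    d = bytearray(DUMP_1K)
    d[0:4] = uid_bytes
    d[4] = uid_bytes[0] ^ uid_bytes[1] ^ uid_bytes[2] ^ uid_bytes[3]  # BCC
    d[5], d[6:8] = 0x08, b"\x04\x00"  # SAK and ATQA bytes (constructed values)
    trailer = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
    for s in range(SECTORS_1K):
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK
        d[off:off + BLOCK] = trailer
    return bytes(d)


# Constructed "before" dump and an "after" dump in which only sector 4 differs,
# mirroring what the post reports for a ground-transport pass.
BEFORE = blank_1k(bytes.fromhex("A1B2C3D4"))
_after = bytearray(BEFORE)
_sector4 = 4 * BLOCKS_PER_SECTOR * BLOCK
_after[_sector4:_sector4 + 4] = b"\x01\x02\x03\x04"
AFTER = bytes(_after)

if __name__ == "__main__":
    print("UID:", uid(BEFORE))
    print("sector 0 trailer:", sector_trailer(BEFORE, 0))
    print("sectors changed by the pass:", changed_sectors(BEFORE, AFTER))
```

The inverted-copy check in decode_access_bits is worth keeping in any dump tool: the default trailer FF 07 80 decodes to C1C2C3 = 000 for the three data blocks and 001 for the trailer itself, and a trailer that fails the check is the usual sign of a bad read rather than an unusual card.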
Test No. 2. Ground transport
The second question was whether I could clone my card onto one of the two white cards that came with the reader. Pointing the program at my card's dump file and the keys for the blank card, I started the write; it took a little longer than reading, about 4 seconds. The message "Done, 64 of 64 blocks written" appeared in the command window, confirming a successful write. After that I went for the baptism of fire. A bus came, there were three people at the stop, and I boarded last so as not to hold up a queue in case of an unforeseen situation. So I walk up to the turnstile, tap the freshly written card, and lo and behold, the turnstile shows my social card as valid, blinks a green light and kindly lets me into the cabin. My happiness knew no bounds. Later I checked the card on trolleybuses and trams, with the same result.
Test No. 3. Metro
Inspired by the success on ground transport, I set off for the metro. Going down, I walked up to a turnstile and tapped the same white card; the turnstile display showed "Valid until: hh.mm.yy" and I calmly went through. The result was of course expected, but some doubt remained. I was as pleased as Punch; in my head was the thought of an unconditional victory over Moscow public transport. Having reached my destination, about an hour later I had to go down into the metro again, and the biggest surprise was waiting for me. Tapping the white card on the turnstile, I saw the ominous message "The ticket is not valid". I tried a couple of turnstiles with the same result. Then I took out the real social card and only with it did I pass through. In the metro I kept thinking about what had happened. Going outside, I went to a stop, got on a bus, tapped the white card, and it worked. Strange, I thought. Back home I tried to work out what was wrong. Finding no logical explanation, I went to bed. The next morning I went down into the metro, tapped my original social card and saw that same notorious message: "The ticket is not valid". Then I went to the ticket office for an explanation, where I was told: "perhaps you gave the card to another person who passed with it, and this was noticed. Because of this your card was entered in the STOP list." Then they explained what to do and where to go to unblock the card. Two weeks later, on my application, the card was unblocked and I went on using it.
STOP list
There is not much information about this list on the Internet; everything I know about it I heard from people who know the system first hand. It contains the serial numbers (UIDs) of cards that do not behave correctly, as well as, for example, the card numbers of students expelled from university. This STOP list is stored in every metro turnstile and synchronized with a central database roughly every 10 minutes. If you tap a card whose UID is on this list, the turnstile will not let you through even if the card has not yet expired. Now for why my cards were blocked. After I tapped the white card, the turnstile sent its data to the database for verification, where the UID is compared against the rest of the card's information: the validity period and its number (not the UID). During the check the database finds that no card was issued with this UID, looks up the real UID from that data, and then sends both UIDs to the STOP list. That is, the cards were blocked because the serial number of the white card differed from the original. Why did this not happen on ground transport? Because ground turnstiles have no common database in which data could be compared; there is none because it is impossible to link all the turnstiles together. So a ground turnstile reads only the card type and its validity period, paying no attention to the UID, which can therefore be anything.
Mifare Zero
I could not stop my experiments, and even less my thoughts. And so the idea came to me: what if one could somehow change the UID to match the original card? Searching Google, I came across the blog of another person, Andrey, who wrote about a method of cloning Mifare cards. It turned out that there are unofficially issued cards called Mifare Zero, on which the manufacturer block, that is, the UID, can be changed to anything. Having talked with Andrey, I found out that he had these cards and was ready to sell me one for experiments. We agreed to meet at a metro station, where I got the card.
Image of Mifare Zero from Andrey's blog.
Experiment No. 5. Back to the metro
Having written my card's dump onto the Mifare Zero card, I set the UID of my social card on it using the mfsetuid_d.exe utility. Now these were two identical cards that differed only in the printing: one had it, the other did not. Going down into the metro I passed on this card successfully, but it was too early to rejoice; the pass had to be repeated after a while to make sure the card really worked and would not be blocked. For a whole week I went through the turnstiles on the white card and everything was fine; it was not added to the STOP list. Success!
Experiment No. 6
The next thing I wanted to check was whether several people could pass at once, since my card could be used only once every 7 minutes. Taking both cards, a friend and I went to the metro. First I passed on the original card, then my friend on the white one at a neighbouring turnstile; so far so good. After sitting in McDonald's we went back, but unfortunately both cards were blocked. The explanation is this: after my pass, the data about my card reached the database and was checked, and everything matched; my friend followed and the data was correct again. But the system saw two passes on one card without the 7-minute interval, which cannot happen: the card was not behaving correctly, so the system blocked it. The conclusion is that you can still clone a card, but the protection system in the metro works fine and it is probably impossible to get around. A couple of plans remained, though.
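The STOP list section and Experiment No. 6 together describe two back-end rules: a ticket whose data turns up on a card with a different UID gets both UIDs blocked, and a ticket seen twice inside the 7-minute interval gets blocked, with turnstiles learning about it only at their next ~10-minute sync. The following is an added toy model of exactly that, written for this page; it is not the metro's software, and the ticket numbers, UIDs and timestamps are constructed. It reproduces both outcomes the post reports: the first tap is accepted on the turnstile's stale local list, and everything after the sync is refused.

```python
# Added example, not from the original post: a toy model of the back-end
# check the post attributes to the metro. Each tap carries what is stored on
# the card (UID, ticket number, expiry). The back end looks up the UID the
# ticket was issued on, blocks both UIDs when they differ, and blocks a ticket
# used twice within the minimum interval. Turnstiles keep a local STOP-list
# snapshot and refresh it from the back end on a fixed period, so a bad tap is
# accepted once and rejected from the next sync on. All names, numbers and
# times below are constructed.
from datetime import date, datetime, timedelta

REUSE_INTERVAL = timedelta(minutes=7)   # per the post: one pass per 7 minutes
SYNC_PERIOD = timedelta(minutes=10)     # per the post: STOP list synced ~every 10 min


class Backend:
    def __init__(self, issued: dict):
        self.issued = dict(issued)     # ticket number -> UID it was issued on
        self.stop_list = set()         # UIDs that turnstiles must refuse
        self.last_pass = {}            # ticket number -> time of last good pass

    def check(self, tap: dict) -> str:
        uid, ticket, when = tap["uid"], tap["ticket"], tap["time"]
        real_uid = self.issued.get(ticket)
        if real_uid is None:
            self.stop_list.add(uid)
            return "unknown ticket"
        if real_uid != uid:
            # ticket data present on a card with another serial: block both
            self.stop_list.update({uid, real_uid})
            return "uid mismatch"
        last = self.last_pass.get(ticket)
        if last is not None and when - last < REUSE_INTERVAL:
            self.stop_list.add(uid)
            return "reuse within interval"
        self.last_pass[ticket] = when
        return "ok"


class Turnstile:
    def __init__(self, backend: Backend):
        self.backend = backend
        self.stop_list = set()
        self.last_sync = None

    def tap(self, card: dict, now: datetime) -> str:
        # refresh the local STOP list once the sync period has elapsed
        if self.last_sync is None or now - self.last_sync >= SYNC_PERIOD:
            self.stop_list = set(self.backend.stop_list)
            self.last_sync = now
        if card["uid"] in self.stop_list:
            return "ticket not valid"
        if card["valid_until"] < now.date():
            return "expired"
        # the gate opens on local data; the back-end verdict only affects later taps
        self.backend.check({"uid": card["uid"], "ticket": card["ticket"], "time": now})
        return "passed"


def mismatched_uid_scenario() -> tuple:
    """Ticket data on a card whose UID differs from the issued one (Test No. 3)."""
    backend = Backend({"T-1001": "A1B2C3D4"})
    gate = Turnstile(backend)
    t0 = datetime(2013, 3, 1, 9, 0)
    copy = {"uid": "00000000", "ticket": "T-1001", "valid_until": date(2013, 3, 31)}
    original = dict(copy, uid="A1B2C3D4")
    first = gate.tap(copy, t0)                                      # passed
    later = gate.tap(copy, t0 + timedelta(hours=1))                 # refused after sync
    orig = gate.tap(original, t0 + timedelta(hours=1, minutes=1))   # original refused too
    return first, later, orig, sorted(backend.stop_list)


def reuse_scenario() -> tuple:
    """Two passes on the same UID inside the interval (Experiment No. 6)."""
    backend = Backend({"T-2002": "A1B2C3D4"})
    gate = Turnstile(backend)
    t0 = datetime(2013, 3, 1, 9, 0)
    card = {"uid": "A1B2C3D4", "ticket": "T-2002", "valid_until": date(2013, 3, 31)}
    first = gate.tap(card, t0)
    second = gate.tap(card, t0 + timedelta(minutes=2))   # still passes on the local list
    third = gate.tap(card, t0 + timedelta(hours=2))      # refused after sync
    return first, second, third


if __name__ == "__main__":
    print(mismatched_uid_scenario())
    print(reuse_scenario())
```

The design point is the split between a fast local decision and a slower central one: the turnstile never waits for the back end, so a single bad pass always succeeds, and the system's strength lies entirely in the back-end correlation plus the sync. That is also why the ground-transport gates, which the post says have no central database, behave differently: with no Backend.check there is nothing that could ever populate a STOP list.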
Experiment No. 7
The subject of this test was student cards. I once wondered: suppose there are two student travel cards, one renewed for this month and the other not. If you simply copy sector 1 from the renewed card to the non-renewed one, maybe something comes of it? At the beginning of the month I did not renew my student card, borrowed my girlfriend's renewed card for a few hours, read the contents of sector 1 and wrote it to my card. Then I went to the metro with my card; tapping it, I saw that the card was valid until the end of the current month. In the end I travelled all day on this card and it was not blocked. Then I thought again: now it is surely victory, a card can be renewed from any renewed student card. But, as usual, it was not to be. The card was blocked the next morning: STOP list.
Conclusions
The fare payment system in the Moscow metro was created with accurate knowledge of all the discoveries in the Mifare field. Yes, of course you can pass on a non-original ticket, but only a few times, after which it will be blocked. The STOP list system works at the proper level. As the saying goes, "free cheese is only found in a mousetrap."
In the next article I will talk about my experiments on ground transport with various types of cards and fares. Thank you for your attention.
This article is written for informational purposes only and in no way encourages the falsification of travel tickets, as this contravenes Article 327 of the Criminal Code of the Russian Federation. The author bears no responsibility for any illegal actions committed by people under the influence of this article.