As mentioned last time, Aunt Zhang took me into the trap and bought the Xiaomi Mi Band 5 NFC version on Tmall. The price of 188 yuan was relatively affordable at the time. Therefore, when you buy something, stop looking at Aunt Zhang to prevent your mentality from becoming unbala

2024/06/19 21:12:33 hotcomm 1315

This content comes from @WHAT IS WORTH BUYING APP, and the opinions only represent the author's own | Author: LifeIsKillingMe

As mentioned last time, Aunt Zhang lured me into the trap and I bought the Xiaomi Mi Band 5 NFC version on Tmall. The price was 188 yuan at the time, which was quite affordable. However, the price of the bracelet on PDD subsequently plummeted. So once you have bought something, stop looking at Aunt Zhang, to keep your mentality from becoming unbalanced. At the same time, it is the geek spirit to find ways to squeeze the most performance out of the products you have bought.

My previous original article shared my basic impressions of the Xiaomi Mi Band 5 NFC version when I first bought it. Because my wife usually wears it, I couldn't try the more in-depth functions. My wife was very happy when she first started wearing the bracelet, especially when she used it to swipe through the turnstile and take the subway for the first time, which made her feel a lot more relaxed. However, when I checked in at the company in the morning, I found that the simulated access control card in the APP could not be used, and the gate no longer responded when I swiped the bracelet after getting off work. I scolded Xiaomi's Lei Jun.

I had to solve it, otherwise I would have to spend money on an Apple Watch 5 again. The customer service staff at the Tmall store and the Xiaomi flagship store were clueless, so I had to do my own research. The transportation card problem was finally solved by resetting the Xiaomi bracelet to factory configuration, but the access card problem took a long time to study and a lot of online information to work out. Here I share the detailed solution process, hoping it will be helpful to the many friends who followed the trend and purchased the Xiaomi Mi Band 5 NFC.

What is NFC?

A quick primer: NFC is the abbreviation of Near Field Communication, a short-range wireless communication technology. Card simulation mode makes a device with NFC function behave as a contactless card, such as an access control card or a bank card. It is mainly used in contactless mobile payment applications in shopping malls, transportation, etc. Users only need to bring their mobile phone close to the card reader and enter a password to confirm the transaction, or the transaction is accepted directly. In this mode the card is powered through the RF field of the contactless card reader, so the NFC device can still work even when it has no power. The NFC reading device collects data from the NFC mobile phone acting as a tag, and then transmits the data to the application processing system. Typical applications based on this model include local payment, access control, and electronic tickets.

Currently, many Android phones and wearable devices support NFC and are used in various real-life scenarios. Unfortunately, the NFC of Apple devices only supports its own Apple Pay, and the apps installed on it do not have the right to use NFC. On the one hand, Apple does not want to let others share the benefits of electronic payment; on the other hand, the existence of NFC objectively makes it easier for customers' privacy to be leaked.

NFC card classification

Our commonly used NFC cards can be divided into ID cards and IC cards. The full name of ID card is Identification Card. It is a low-frequency card with an operating frequency of 125 kHz-1000 kHz (different from the operating frequency of most mobile phones and smart devices, so it cannot be simulated). Its number is fixed, the card number is public, data cannot be written to it, and it is gradually being phased out. The full name of IC card is Integrated Circuit Card, also known as Smart Card. Its working frequency is 13.56 MHz (the same as the NFC frequency of most mobile phones, so it can be simulated). If you have ever simulated an access card in the Xiaomi Sports or Xiaomi Wear APP, you will have seen the APP state that it only supports non-encrypted access cards with a frequency of 13.56 MHz, which means that it only supports the simulation of IC cards.

IC card types

Commonly used IC cards mainly include the following types (the following introduction comes from the Internet):

Mifare S50 (M1): MIFARE Classic is a contactless smart card developed by NXP Semiconductors that complies with the ISO/IEC 14443 Type A standard. It is used for applications such as public transportation tickets, and can also be used for various other applications. There are several specifications, S20, S50 (M1), and S70, divided mainly by memory capacity: 320B, 1K, and 4K respectively. It features anti-interference, ease of use and security. Issuers of everyday smart cards such as elevator cards and access cards use M1 cards, which can be understood as the original cards (mother cards) issued by the property management company. Common campus cards, bus cards, etc. are also M1 cards. M1 cards are only suitable for new cards issued by the card issuer.

UID card: an ordinary IC copy card on which all sectors can be erased and written repeatedly. The UID can be modified repeatedly. It responds to backdoor commands (meaning it can be discovered by machines that use backdoor commands to detect whether a card is a clone), and it will fail when it encounters a card reader with a firewall.

CUID card: an upgraded version of UID, a rewritable anti-shielding card that can repeatedly erase all sectors, does not respond to backdoor instructions (meaning it is not easily discovered by anti-cloning systems), and can bypass firewalls.

CPU card: The CPU card chip contains a microprocessor that works together with an on-chip operating system to achieve financial-level security. It is applicable to many fields such as finance, insurance, traffic police, and government. The CPU card consists of a 7K CPU part and a 1K M1 part. At most the M1 part can be cracked; the data in the CPU area cannot. In fact, since the data in the CPU part and the M1 part interact, the CPU card is basically impossible to crack.

The data storage of an IC card has 16 sectors (0-15). What we are most concerned about here is sector 0. This part of the data is written by the manufacturer. The first 4 bytes (8 hexadecimal digits) are the card number (UID). The fifth byte is the check value of the UID, and the remaining bytes are the manufacturer information (most access control readers only read the UID, not the manufacturer information; if the manufacturer information is read, there is no way to simulate the access control card).

So the access control simulation function in NFC devices is actually a process of copying an IC card. Some access control cards simulated by the Xiaomi bracelet NFC cannot be used because this Xiaomi function does not support encrypted cards and cannot write the key UID data of sector 0 to the bracelet. So how to solve this problem? You can simulate a blank IC card as an intermediate medium, and then write the other, encrypted data to the bracelet; the two parts of data are combined into one, thereby copying the complete data.
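The block 0 layout described above (UID, check byte, manufacturer information), and the difference between a reader that compares only the UID and one that also compares the manufacturer information, as an added example that is not part of the original article. The dump contents, the UID and all function names are constructed for illustration.

```python
"""Added example: block 0 of a MIFARE Classic 1K dump (constructed data)."""
from dataclasses import dataclass

BLOCK_SIZE = 16                      # bytes per block
BLOCKS_PER_SECTOR = 4                # each sector holds 4 blocks
SECTORS = 16                         # sectors 0-15
TOTAL_BLOCKS = SECTORS * BLOCKS_PER_SECTOR   # 64 blocks on a 1K card
DUMP_SIZE = TOTAL_BLOCKS * BLOCK_SIZE        # 1024 bytes


@dataclass(frozen=True)
class Block0:
    uid: bytes            # bytes 0-3: card number (8 hex digits)
    bcc: int              # byte 4: check value of the UID
    manufacturer: bytes   # bytes 5-15: manufacturer information

    @property
    def bcc_valid(self) -> bool:
        # The check byte is the XOR of the four UID bytes.
        expected = 0
        for b in self.uid:
            expected ^= b
        return expected == self.bcc


def parse_block0(dump: bytes) -> Block0:
    """Split sector 0 / block 0 of a 1K dump into its three fields."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected a {DUMP_SIZE}-byte dump, got {len(dump)}")
    b0 = dump[:BLOCK_SIZE]
    return Block0(uid=b0[:4], bcc=b0[4], manufacturer=b0[5:])


def uid_only_check(presented: Block0, enrolled: Block0) -> bool:
    """Reader policy that compares nothing but the card number."""
    return presented.bcc_valid and presented.uid == enrolled.uid


def full_block0_check(presented: Block0, enrolled: Block0) -> bool:
    """Reader policy that also compares the manufacturer information."""
    return (uid_only_check(presented, enrolled)
            and presented.manufacturer == enrolled.manufacturer)


def make_dump(uid_hex: str, manufacturer_hex: str) -> bytes:
    """Build a constructed 1K dump: block 0 filled in, other 63 blocks zero."""
    uid = bytes.fromhex(uid_hex)
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc]) + bytes.fromhex(manufacturer_hex)
    if len(block0) != BLOCK_SIZE:
        raise ValueError("block 0 must be exactly 16 bytes")
    return block0 + bytes(DUMP_SIZE - BLOCK_SIZE)


# Constructed sample data: an enrolled card and a blank card that carries
# the same UID but different manufacturer bytes.
ENROLLED = parse_block0(make_dump("DEADBEEF", "0804000102030405060708"))
SAME_UID = parse_block0(make_dump("DEADBEEF", "00" * 11))

if __name__ == "__main__":
    print("UID:", ENROLLED.uid.hex(), "BCC ok:", ENROLLED.bcc_valid)
    print("UID-only reader accepts :", uid_only_check(SAME_UID, ENROLLED))
    print("full block 0 reader accepts:", full_block0_check(SAME_UID, ENROLLED))
```

A reader that compares the whole of block 0 rejects the second card even though its UID and check byte are correct.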

Preparation work

You still have to pay a certain cost to implement this function. (It can also be done if you have an Android phone with NFC function.)

First, you need to purchase a card reader (card writer); search Taobao with PN532 as the keyword.

There are several types of PN532 on Taobao. The one with a shell costs about 50 yuan.

The one that requires you to wire it up yourself is cheaper, about 30 yuan.

I chose the latter, which is the package I bought from Yunuo Electronics. This store also provides software downloads and basic tutorials.

This is the PN532 card reader.

The 340 chip provides USB-to-serial conversion and runs stably under Win10.

Connect the two chips in this order. Do not connect them incorrectly, otherwise they will be easily burned out. (PN532 card reader on the left, 340 chip on the right)

GND-GND, VCC-5.0V, SDA-RXD, SCL-TXD

Connect the 340 chip to the USB port of the computer. On success, both chips will show a red light. Generally, Win10 computers recognize the 340 chip directly without installing additional drivers (I am on Win10 2004).

In addition, you also need a UID card (or CUID card). Generally, the seller will provide 2 when buying a package, either a blank card or a blue round card.

The software is MifareOne Tool; the version I use is 1.66, provided by the seller. Here is the download address, extraction code: 8qkh.

Detailed process

The detailed process begins below. They are all actual operations by myself and can be used for personal testing.

Open the MifareOne Tool software.

The opening interface of the software is as follows. There are many buttons, but don't worry, you generally don't need so many functions.

Click "detect the connection". If you see the following information displayed on the terminal, it means that the NFC device has been successfully connected.

Place the access control card on the PN532 chip.

Click "scan the card". When you see the card information displayed on the terminal, it means the reading is successful.

Click "decode the original card with one click". After a moment, the terminal will display a series of numbers, indicating that the decoding has been successful. At the same time, a dialog box will pop up allowing you to save the DUMP file; name it whatever you want.

Place a blank card (UID card) on the PN532 card reader, click to scan the card to ensure that the blank card is recognized normally.

Then click "advanced operation mode" - "Hex editor".

Click "file", open the DUMP file just saved, click sector 0 to show its data, and copy the first 8 hexadecimal digits of the data in block 0.

Return to the advanced operation mode, click "UID write number", and paste the 8-digit hexadecimal code you just copied into the pop-up box.

After it succeeds, the terminal will display the words "card has unlocked".

At this point, the ordinary card with the same UID has been produced.

Use the Xiaomi bracelet to simulate this ordinary card. Door card detection and door card simulation take a few minutes.

As you can see, we are taking a roundabout approach here. First, copy the first 8-digit code of the access card to a blank card and simulate that card on the Xiaomi bracelet, then write the rest of the encrypted data to the Xiaomi bracelet, thereby completely replicating the access card.

Then switch to the previously simulated card on the bracelet, bring it close to the PN532, and click "scan card".

The bracelet will vibrate to signal that the scan is successful. Then go to advanced operation mode and click "CUID write". In the pop-up dialog box, select the DUMP file created in the first step to import it.

After it is written successfully, you can see the completion message in the terminal: 63/64 blocks written. Why are 63 blocks written? Because in the previous step the 8 digits, which is 1 block of data, have already been written from the ordinary card.

If there are multiple access cards that need to be simulated, repeat the above operations. Blank cards can be read, written, and used multiple times.

After this is completed, if you have bound multiple access control cards, you can switch between them on the bracelet. It takes about a second for the access control card to activate automatically, and the speed is acceptable. If "close to the card reader" is displayed, it means the card can be swiped.

Now my wife only needs to swipe the bracelet she wears when she goes out to enter and leave the community, take the subway, enter and exit the building, and enter the company to check in, which is a lot more convenient. She, who usually beats and scolds me, seldom praises me. It is very satisfying to be recognized by her family~

Finally, if the blank card you are using is a CUID card, the step of writing the 8-digit card number is slightly different. You need to create a DUMP file containing the original card's UID number, and then click "CUID write" to import it onto the blank card. A CUID card can bypass the firewall, so if simulation through the UID card fails, you can try a CUID card.

This method is also valid for the Xiaomi Mi Band 4 NFC. There are also other ways to achieve this function. For example, some people simulate an encrypted access card without an additional UID card, but the operation is more complicated and the probability of a mistake is higher.

Of course, the access control cards of each company are different. For example, my company uses a HID thick card, which cannot be recognized by PN532 at all, so it cannot be simulated and copied. Also, if the card reader verifies the complete manufacturer information in the card, which is the second half of sector 0, there is basically no solution.
