Prehistory
Back in 2005, when I was still a small child, I first saw a thing called the “Muscovite Social Card”. Watching pensioners touch it to the turnstiles of land transport and the metro, I began to wonder how the whole system works. As a child I had no way to find out. Later, when I began to earn my own money, I decided to study the public transport fare system seriously.
RFID
Of course, I started with a Google search and effortlessly found the name of this technology: RFID (Radio Frequency Identification). After reading the Wikipedia article, I learned that tags (cards) are divided into three operating bands:
LF band tags (125-134 kHz),
HF band tags (13.56 MHz),
UHF band tags (860-960 MHz).
Public transport uses tags of the second band, HF.
Cards
The cards themselves are produced under the Mifare brand, which covers several types of smart card chips, reader chips and products built on them.
At the moment five types of card chips are produced:
Mifare Classic 1k, Mifare Classic 4k
Mifare Ultralight
Mifare Ultralight C
Mifare Plus
Mifare DESFire EV1
Our public transport uses the first and second types of cards.
The Muscovite social card is based on Mifare 1k.
The student social card is based on Mifare 4k.
The ticket for several metro trips is based on Mifare Ultralight.
1k and 4k indicate the amount of memory on the card, 1 and 4 kilobytes respectively.
I also had a social card of a Moscow region resident, which differed from the first only in name and design.



Practice
Naturally, to see the data recorded on the card and to work with it, I needed a reader for these cards. While searching I came across a model called ACR122U. The price suited me perfectly: with delivery from the online auction eBay it came to about $60.
Finally, 3 weeks later, I received the cherished package. It contained the reader itself, two blank white Mifare 1k cards and a CD with drivers and a software distribution.

The reader itself.
I immediately connected it to the laptop and installed the necessary drivers; the reader detected the card and everything went as it should. Now the question was how to read my card. At first I thought the disk would have all the programs needed for this and it would be as easy as can be, but that was not the case. Of everything on the disk, only the drivers turned out to be useful, funny as that sounds. I had to go back to searching.
Software
After several days of searching, I found a development kit called libNFC. Having studied it a little, I realised that this was exactly what I needed. At the same time, I stumbled upon the blog of a person named Alexander (darksimpson) Simonov, who wrote about how the metro turnstiles work and about this project. Moreover, he had even built all the necessary programs for Windows, which was very convenient. Then I began testing. But first, let me tell you about the structure of the card.
Card structure
Here I will look at the structure of the Mifare 1k and 4k cards. The 1k card is divided into 16 sectors, numbered 0 to 15. Sector 0 holds the manufacturer block, in which the card's individual serial number (UID) is recorded; it is written at production and cannot be changed. The remaining 15 sectors are available for reading and writing. Each sector has two keys, A and B, as well as access bits (LOCK-bits).
The combination of the latter tells the reader whether reading and writing are allowed and with which keys each can be done. Usually reading is done with key A and writing with key B. On blank cards every sector has the key FFFFFFFFFFFF. For 4k the situation is the same, except that the card has 40 sectors instead of 16. So, to read the contents of the card on a computer you need to know the keys of all 16 sectors, but since on real tickets the keys have been changed, a logical question arises: how do you find out those keys? The MFCUK utility helped with this; it was modified and compiled for Windows by another blogger under the nickname Odinokij_kot. You can read about how this program works in his article.
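As an added illustration of the layout just described (this is not code from the post, libNFC or MFCUK), here is a parser for a 1k dump in the 64-block .mfd layout the post works with: it extracts the UID, checks its BCC byte, and reads key A, the access bits and key B from every sector trailer, flagging sectors still on the factory key FFFFFFFFFFFF. The dump it parses is constructed inline with a made-up UID and made-up keys.

```python
"""Parse a Mifare Classic 1k dump in the .mfd layout: 64 blocks of 16 bytes,
16 sectors of 4 blocks, block 0 = manufacturer block, block 3 of each sector = trailer."""

BLOCK = 16
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")  # factory key A/B found on blank cards

def parse_trailer(trailer: bytes) -> dict:
    """Split a trailer into key A (bytes 0-5), access bytes (6-9) and key B (10-15)
    and decode the access bits C1 C2 C3 of each of the sector's four blocks."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    access = [((b7 >> (4 + i)) & 1, (b8 >> i) & 1, (b8 >> (4 + i)) & 1)
              for i in range(4)]
    # Bytes 6 and 7 also carry the bits inverted; a mismatch means a corrupt trailer
    consistent = ((b6 & 0x0F) == (~b7 & 0xF0) >> 4 and
                  (b6 >> 4) == (~b8 & 0x0F) and
                  (b7 & 0x0F) == (~b8 & 0xF0) >> 4)
    return {"key_a": trailer[:6].hex(), "key_b": trailer[10:].hex(),
            "access": access, "access_ok": consistent,
            "default_keys": trailer[:6] == DEFAULT_KEY and trailer[10:] == DEFAULT_KEY}

def parse_dump(dump: bytes) -> dict:
    """Return the UID, whether its BCC check byte matches, and every sector trailer."""
    if len(dump) != 64 * BLOCK:
        raise ValueError("expected a 1024-byte Mifare 1k dump")
    uid = dump[0:4]
    bcc_ok = (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == dump[4]  # byte 4 = XOR of the UID
    sectors = []
    for s in range(16):
        base = s * 4 * BLOCK
        info = parse_trailer(dump[base + 3 * BLOCK: base + 4 * BLOCK])
        info["sector"] = s
        sectors.append(info)
    return {"uid": uid.hex(), "bcc_ok": bcc_ok, "sectors": sectors}

def build_sample_dump() -> bytes:
    """Constructed demo dump: blank-card layout everywhere (factory keys, access
    bytes FF 07 80 69) except sectors 1 and 4, which get made-up keys the way the
    metro and ground-transport sectors of a personalised ticket would."""
    uid = bytes.fromhex("DEADBEEF")  # constructed UID, not a real card
    blocks = [bytearray(BLOCK) for _ in range(64)]
    blocks[0][:5] = uid + bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
    for s in range(16):
        blocks[4 * s + 3][:] = DEFAULT_KEY + bytes.fromhex("FF078069") + DEFAULT_KEY
    for s in (1, 4):
        blocks[4 * s + 3][:6] = bytes.fromhex("C0FFEE000001")   # constructed key A
        blocks[4 * s + 3][10:] = bytes.fromhex("C0FFEE000002")  # constructed key B
    return b"".join(blocks)
```

The trailer access condition (0, 0, 1) decoded for block 3 is the usual "transport configuration": key A is never readable, and key B is readable with key A, which is why a dump made with key A alone shows key B only in that case.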
MFCUK operation example
Card reading
To read the card I needed the downloaded program mfclassic_d.exe, the keys found for my Moscow region resident social card, and the command line. There I specified the path to the program, the file with the keys for my card, the key type, the read request and the name of the file to write the card dump to. After pressing the cherished Enter key, the reading process started and was over in a couple of seconds, as shown by the words "Done, 64 of 64 blocks read. Writing data to file: card.mfd ... Done". After that I tried to understand the data written on the card, but that led nowhere, since the file contained only a pile of hexadecimal numbers; the only thing more or less clear was the passport data recorded in one of the sectors. Writing to a card is done in the same way, only you specify the file with the keys of the card you are writing to.
Example of mfclassic_d
Start of experiments. Test number 1
First I read the card before passing through a bus turnstile and again after. I did the same with a metro turnstile. Comparing the dumps of the card, I found that after passing through buses, trams and trolleybuses only the data in sector 4 changed, while the rest stayed the same; in the metro only the data in sector 1 changed. Hence the conclusion:
the metro uses sector 1,
ground transport uses sector 4.
Test number 2. Ground transport
The second question was whether my card could be cloned onto one of the two blank cards that came with the reader. Having given the program the file of my card and the keys of the blank card, I started the writing process; it took a little longer than reading, about 4 seconds. The words “Done, 64 of 64 blocks written” appeared in the command line window, which meant the write to the card had succeeded. After that I went for the baptism of fire. The bus came; there were 3 people at the stop, and I got on last so as not to hold up a queue in case of an unforeseen situation. So, I walk up to the turnstile, touch the card I had just written, and lo and behold, the turnstile showed the validity period of my social card, blinked its green lamp and kindly let me into the cabin. My happiness knew no bounds. Later I checked the card on trolleybuses and trams, with the same result.
Test number 3. Subway
Inspired by the success on ground transport, I went to the subway. Downstairs, I walked up to the turnstile and touched the same white card; the turnstile's display showed "Valid until: hh.mm.gg", and I calmly passed through. For me the result was expected, of course, but there were still notes of doubt. I was thrilled; in my head was the thought of an unconditional victory over the public transport of the city of Moscow. Having arrived at my destination, about an hour later I had to go down to the subway again, and then the biggest surprise awaited me. Touching the white card to the turnstile, I saw the ominous message "Ticket is not working". I tried it on another couple of turnstiles with the same result. Then I got out the real social card, and only with it did I pass through the turnstile. In the subway I kept thinking about what had happened. Out on the street I went to the bus stop, got on the bus, touched the white card, and it worked. Strange, I thought. Returning home, I began trying to find out what was wrong. Finding no logical explanation, I went to bed. The next morning I went down to the subway, touched my original social card and saw that same notorious message: "Ticket is not working". After that I went to the cashier for an explanation of what was happening, where I was told: “maybe you handed the card to another person who went through with it, and this was noticed. Because of this, your card was added to the STOP list.” Then they explained to me what to do and where to go in order to unblock the card. After 2 weeks, on my application, the card was unblocked and I continued to travel with it.
STOP list
There is not much information about this list on the Internet; everything I know about it I heard from people who know this system firsthand. It contains the serial numbers (UIDs) of cards that do not behave correctly, as well as, for example, the numbers of student cards whose owners have been expelled from the university. This STOP list is stored in each turnstile in the subway and is synchronised with the common database approximately every 10 minutes. If you touch a card whose UID is on this list, the turnstile will not let you through, even if the card's validity period has not yet expired. Now an explanation of why my cards were blocked. After I touched the white card, the turnstile sent the data to the database for verification, where the UID and the rest of the card's data, the validity period and its number (not the UID), are compared. During the check the database finds that no card was issued with this UID, looks up the real UID from this data and then sends both UIDs to the STOP list. That is, the cards were blocked because the serial number of the white card differed from the original. Why did this not happen on ground transport? Because the ground turnstiles have no common database in which the data could be compared; it does not exist because it is impossible to link all the turnstiles together. Thus a ground turnstile reads only the card type and its validity, ignoring the UID, which can therefore be anything.
Mifare Zero
I could not stop experimenting. And then the thought came to me: what if I could somehow change the UID to be the same as the original card's? After a Google search, I came across the blog of another person named Andrew, who wrote about a method of cloning Mifare cards. It turned out that there are unofficially produced cards called Mifare Zero. On these cards the manufacturer block, that is the UID, can be changed to any other value. After talking with Andrew, I found out that he had such cards and was ready to sell me one for experiments. We agreed to meet at one of the metro stations, where I received this card.
Image of Mifare Zero from Andrey's blog
Experiment number 5. Return to the subway
Having written my card to the Mifare Zero card, I used the mfsetuid_d.exe utility to set the UID of my social card on it. Now these were two identical cards that differed only in appearance: one had a printed design, the other did not. Going down into the subway, I passed through successfully with this card, but it was too early to rejoice; I had to repeat the passage after a while to make sure the card kept working and would not be blocked. For a whole week I passed through the turnstile with the white card; everything was fine, and it was not added to the STOP list. Success!
Experiment number 6
The next thing I wanted was to test whether several people could pass at once, because my card could only be used once every 7 minutes. Taking both cards, my friend and I went to the subway. First I went through with the original card, then my friend with the white one at the neighbouring turnstile; so far everything was fine. After sitting in McDonald's, we went back, but unfortunately both cards were blocked. The explanation is this: after my passage the data about my card reached the database and was checked, and everything matched; my friend passed and the data was again correct. But the system saw that one card had passed twice without waiting out the 7-minute interval. This cannot happen, so the card is misbehaving, and therefore the system blocked it. The conclusion is that you can still clone the card, but the protection system in the metro works well and it is probably impossible to get around it. But a couple of ideas still remained.
Experiment No. 7
The subject of this test is student cards. Once I wondered: suppose there are two student passes, one of them renewed for this month and the other not. What happens if you simply copy sector 1 from the renewed pass to the non-renewed one? The beginning of the month came. I did not renew my student card and borrowed my friend's renewed card for a few hours, read the contents of sector 1 and wrote it to my card. After that I went to the subway with my card; touching it, I saw that the card was valid until the end of this month. As a result I travelled on this card all day long and it was not blocked. Then I thought again that this was a victory: the card is not blocked and can be renewed from any renewed student card, but as usual it was not to be. The card was blocked the next morning. Apparently this happens because at the end of each day the database checks whether the student card has really been renewed for the current month; in our case it had not, so the card ends up on the STOP list.

Findings
The fare payment system in the Moscow metro was created with accurate knowledge of all the discoveries in the Mifare field. Yes, of course you can pass through with a non-original ticket, but only a few times, after which it will be blocked. The STOP list system works at the proper level. As they say, "free cheese is found only in a mousetrap."
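To make the checks described in the STOP list section and in experiments 6 and 7 concrete, here is an added simplified model of the metro back end, written for this page and not the real system's code: it compares the presented UID with the issued record for that card number, keeps a UID STOP list, enforces the 7-minute interval, and runs the end-of-day check that a card's claimed validity is backed by a real renewal. Card numbers, UIDs and dates are constructed.

```python
from datetime import date, datetime, timedelta

PASS_INTERVAL = timedelta(minutes=7)  # one card may pass only once per 7 minutes (from the post)

class FareBackend:
    """Assumed model of the back end the post describes: an issued-card register
    keyed by card number, a UID STOP list, last passage times and claimed validity."""

    def __init__(self, issued):
        self.issued = issued    # card_no -> {"uid": str, "renewed_through": date}
        self.stop_list = set()  # UIDs every turnstile must refuse after the next sync
        self.last_pass = {}     # card_no -> datetime of the last accepted passage
        self.claimed = {}       # card_no -> validity read from the card today

    def validate(self, uid, card_no, valid_until, at):
        """Check one turnstile event: the UID plus the data read from the card."""
        if uid in self.stop_list:
            return "stop-listed"
        rec = self.issued.get(card_no)
        if rec is None or rec["uid"] != uid:
            # Card data issued to another UID: block the UID presented and the real one
            self.stop_list.add(uid)
            if rec is not None:
                self.stop_list.add(rec["uid"])
            return "uid-mismatch"
        if valid_until < at.date():
            return "expired"
        prev = self.last_pass.get(card_no)
        if prev is not None and at - prev < PASS_INTERVAL:
            self.stop_list.add(uid)  # one card cannot pass twice inside the interval
            return "repeat-within-interval"
        self.last_pass[card_no] = at
        self.claimed[card_no] = valid_until
        return "ok"

    def end_of_day_check(self):
        """Nightly reconciliation: a card whose on-card validity runs past its
        renewal record was never really renewed, so its UID is blocked."""
        blocked = []
        for card_no, claimed in self.claimed.items():
            rec = self.issued[card_no]
            if claimed > rec["renewed_through"]:
                self.stop_list.add(rec["uid"])
                blocked.append(card_no)
        self.claimed.clear()
        return blocked

# Constructed register: card 0001 renewed for May, student card 0002 only through April
REGISTER = {"0001": {"uid": "deadbeef", "renewed_through": date(2012, 5, 31)},
            "0002": {"uid": "cafe1234", "renewed_through": date(2012, 4, 30)}}
```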
In the next article I will talk about my experiments on ground transport with various types of cards and fares. Thanks for your attention.
This article is written for informational purposes only and in no way calls for the forging of travel tickets, since this is contrary to article 327 of the Criminal Code of the Russian Federation. The author is not responsible for any illegal actions committed by people under the influence of this article.