
Using the Troika card as a mandatory medical insurance policy

When the trees were a little higher, the grass is greener, the sun is brighter, and I studied at the institute, I had a student social card. I liked it for its functionality and thoughtfulness, but, like all good things, it expired and I had to forget about this good of Moscow civilization indefinitely. It was replaced by Troika, which was partially able to absorb the advantages of SCS, but not all ...

Troika + OMS policy = ? or how it all began


It all started when I got sick and discovered that I had lost my compulsory medical insurance (OMS) policy card. Even though I remembered the number by heart, I needed something that could be presented to the green infomat in the clinic; otherwise I could not book a doctor's appointment and get a proper sick-leave note. There were many options: restore the policy (only to find the old one during the next clean-up); generate and print the policy's barcode (a barcode on paper is not durable); or take my old social card with me ... I settled on the last option. To be more precise, I decided not to stop there, but to write my policy onto the Troika card in the same way it was recorded on the Muscovite's social card.

Tuning Troika


Knowing the capabilities of Mifare Classic-compatible cards, I decided to combine the Troika and the old student card, both for convenience and simply out of interest in the outcome of the experiment.
As we know, the Mifare Classic 1K and 4K cards were withdrawn from circulation because of their vulnerabilities, in favour of the more secure but compatible Mifare Plus S, Plus X 2K or Plus EV1 2K. But the essence remained the same: both the social card and the Troika have the same internal layout, differing only in capacity (the number of protected sectors, which in our case is completely irrelevant).

Armed with articles about Troika and Android security research using the Mifare Classic Tool app, I decided to first look inside the social card to find the place where the OMS policy number is recorded. Thanks to a document almost twenty years old, I already assumed it would be in the 5th sector of the card, reserved for the MGFOMS medical application, and this was confirmed in practice.


The required policy number was in the 5th sector, on the second line, from the 2nd to the 9th byte, that is, in this case "7700009016811218". Well, there's our lead!

As for the Troika card, its 5th sector is filled with zeros, i.e. it is not yet used. Keys A and B differ from those on the SCS, but that is fixable: they can be rewritten to match.



The experiments


In addition to the coveted OMS number, the sector also contained other data whose purpose is unknown to me. Having read the articles about the 8th sector (the electronic wallet) and how it is protected with a signature, I assumed that here this data might play the same role: a signature or checksum to verify the integrity of the data in the sector. So I decided to test this by rewriting the whole sector on one Troika exactly as on the SCS, and on a second Troika only the policy number. No sooner said than done!

I took a full dump of the SCS, wrote the entire 5th sector to the first Troika, and to the second wrote an edited dump of the 5th sector in which only the policy number is present.

Results


Having gone to the clinic and tried both cards, I was able to have the data read from both of them and make an appointment with the doctor! Of course, as the authentication method you should select "Muscovite Card" or "Muscovite Social Card" (both work) and hold the card to the reader.

It follows that the infomats only need the policy number in the space allotted for it, plus keys they know, in the fifth sector.

Now it’s possible to surprise the clinic’s employees a lot by demonstrating the use of Troika as a mandatory medical insurance policy and through more convenient and modern contactless authentication, because even modern medical insurance policies do not support contactless information exchange — they must be inserted into the infomat with a chip. And the “Troika” is truly becoming the key to the city, in particular, to the clinics.

Update 1: By popular demand, I'll explain step by step how to do it. As I wrote above, the Mifare Classic Tool for Android is great for this.
Then:
1. Tap "Read tag".
2. Check that the key files std.keys and extended-std.keys are selected.
3. Hold the Troika against the phone and tap "Start mapping and read tag". The phone will think for a while as it tries the keys.
4. When it finishes, a dump opens (the card can be taken away from the phone while editing). We are interested in sector number 5. It looks like this:
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FBC2793D540B 7C378800 D3A297DC2698
The last line is the sector trailer: key A, the access bits, and key B.
5. Our task is to edit this sector and bring it into this form:
00000000000000000000000000000000
00 8888888888888888 00000000000000
00000000000000000000000000000000
186D8C4B93F9 08778F02 9F131D8C2057
where 888... is your 16-digit OMS policy number (bytes 2 to 9 of the second line). Pay special attention when rewriting the sector keys: a typo there risks losing all or part of the access to the sector.
6. Tap the menu icon in the upper right corner and choose Write Dump -> WRITE DUMP, select only sector 5 (untick the others); hold the card to the phone -> make sure both checkboxes next to the key files are ticked and press START MAPPING AND WRITE DUMP. Then, over the dump, we should see the message "Data successfully written".
The card is ready to go to the clinic!
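The sector layout described above (policy number as BCD in bytes 2 to 9 of the second block, trailer = key A + access bits + key B) can be checked before anything is written to a card. This is an added example, not code from the original post; the sample dumps are constructed from the numbers quoted in the post, and the access-bit consistency check follows the Mifare Classic trailer format (each of C1/C2/C3 is stored alongside its inverse), which is why a typo in the trailer usually locks you out of the sector.

```python
# Added example: parse a sector-5 dump as Mifare Classic Tool shows it, read or
# build the BCD policy number in block 1, and sanity-check the sector trailer.
# Sample dumps below are constructed from the values quoted in the post.

SECTOR5_SCS = [  # constructed: policy number 7700009016811218 in block 1, SCS trailer
    "00000000000000000000000000000000",
    "00770000901681121800000000000000",
    "00000000000000000000000000000000",
    "186D8C4B93F908778F029F131D8C2057",
]
SECTOR5_TROIKA = [  # constructed: unused sector, Troika trailer
    "00000000000000000000000000000000",
    "00000000000000000000000000000000",
    "00000000000000000000000000000000",
    "FBC2793D540B7C378800D3A297DC2698",
]


def policy_number(sector):
    """Return the 16-digit BCD policy number stored in block 1, bytes 2..9 (1-based)."""
    block = bytes.fromhex(sector[1].replace(" ", ""))
    return block[1:9].hex()


def block_with_policy(number):
    """Build block 1: one zero byte, 8 BCD bytes of the policy number, 7 zero bytes."""
    if len(number) != 16 or not number.isdigit():
        raise ValueError("policy number must be 16 decimal digits")
    return (b"\x00" + bytes.fromhex(number) + b"\x00" * 7).hex().upper()


def parse_trailer(line):
    """Split a sector trailer into (key A hex, access bytes, key B hex)."""
    t = bytes.fromhex(line.replace(" ", ""))
    return t[0:6].hex().upper(), t[6:10], t[10:16].hex().upper()


def access_bits_consistent(acc):
    """Access bytes 6..8 hold C1, C2, C3 and their inverted copies; a typo in the
    trailer typically breaks this redundancy and the card rejects the sector."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return (b6 >> 4 == (~c2) & 0xF
            and b6 & 0xF == (~c1) & 0xF
            and b7 & 0xF == (~c3) & 0xF)
```

Run `access_bits_consistent` on the trailer of the edited dump before writing; if it returns False, re-check the middle four bytes rather than the keys.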

Source: https://habr.com/ru/post/461303/
