Using the Troika card as a compulsory medical insurance policy

When the trees were a little taller, the grass greener, the sun brighter, and I was a student at the institute, I had a student's social card. I liked it for its functionality and thoughtfulness, but, like all good things, it expired, and I had to forget about this blessing of Moscow civilization for an indefinite time. It was replaced by the Troika, which partially absorbed the advantages of the SCS, but not all of them...

Troika + CHI policy = ? Or how it all began

It all started when I fell ill and discovered that I had lost my CHI policy card. Although I remembered the number by heart, I needed something I could present to the green infomat in the clinic; otherwise I would not be able to make an appointment with a doctor and get a legitimate sick note. There were many options: restore the policy (and then find the old one during the first clean-up); generate and print a policy barcode (a barcode on a piece of paper is undignified); or take my old social card with me... I settled on the last option. To be more precise, I decided not to stop there, but to write my policy onto the Troika in the same way it is written on the Muscovite's social card.

Tuning Troika

Knowing the capabilities of Mifare Classic-compatible cards, I decided to combine the Troika and the old student card, both for convenience and simply out of curiosity about the result of the experiment.
As we know, Mifare Classic 1K and 4K cards were taken out of circulation because of their vulnerabilities, in favour of the more secure but compatible Mifare Plus S, Plus X 2k or Plus EV1 2k. But the essence remains the same: both the social card and the Troika have the same internal layout, differing only in capacity (the number of protected sectors, which in our case does not matter at all).

Armed with articles about Troika and Android security research using the Mifare Classic Tool app, I decided to first look inside the social card to find the place where the CHI policy number is stored. Thanks to an almost twenty-year-old document, I already assumed it would be in the card's 5th sector, reserved for the MGFOMS medical application, which was confirmed in practice.

The desired policy number was in the 5th sector, on the second line, from the 2nd to the 9th byte, that is, in this case, "7700009016811218". Great, there's a lead!

As for the Troika card, its 5th sector is filled with zeros, that is, it is not used yet. Keys A and B differ from those on the SCS, but this is fixable: they can be rewritten to be the same as there.

Experiments

In addition to the desired CHI policy number, the sector contained other data whose purpose is unknown to me. After reading articles about the 8th sector (the electronic wallet) and its protection by a MAC (imitation insert), I assumed that this data could play the same role of a MAC or a checksum for verifying the integrity of the sector's data. So I decided to check this by rewriting the entire sector on one Troika exactly as on the SCS, and on a second one only the policy number. No sooner said than done!

I took a complete dump of the SCS and wrote the entire 5th sector to the first Troika; to the second one I wrote an edited dump of the 5th sector in which only the policy number is present.

The results

After going to the clinic and trying both cards, I was able to log in to the infomats with both and make an appointment with a doctor! Of course, as the authentication method you should select "Muscovite Card" or "Moskvich Social Card" (both work) and hold the card to the reader.

It follows that the infomats only need the policy number in the place allotted for it and the keys to the fifth sector that they are familiar with.

Now you can greatly surprise the clinic staff by showing them a Troika used as a CHI policy, and go through a more convenient and modern contactless authentication, because even modern CHI policies do not support contactless data exchange: they have to be inserted chip-first into the infomat. And Troika is truly becoming the key to the city, in particular to clinics.

Update 1: By popular demand, here is a simple step-by-step explanation of how to do it. As I wrote above, Mifare Classic Tool for Android is well suited for this.
Next:
1. Tap "Read tag".
2. Check that the key files std.keys and extended-std.keys are selected.
3. Hold the Troika against the phone and tap "Start mapping and read tag". The phone will take a while as it tries the keys.
4. When it finishes, a dump opens (the card can be taken away from the phone while editing). In it we are interested in sector number 5. It looks like this:
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FBC2793D540B7C378800D3A297DC2698
The last line contains keys A and B.
5. Our task is to edit this sector right there and bring it into this form:
00000000000000000000000000000000
00888888888888888800000000000000
00000000000000000000000000000000
186D8C4B93F908778F029F131D8C2057
where 888... is the number of your CHI policy. Pay special attention when rewriting the sector keys: a typo there means you risk losing all or part of your access to the sector.
6. Tap the menu icon in the upper right corner and choose Write Dump -> WRITE DUMP, select only sector 5 (untick the rest); put the card on the phone, make sure both key files are ticked, and tap START MAPPING AND WRITE DUMP. After that, over the dump, we should see the message "Data successfully written".
The card is ready to go to the clinic!
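To make the sector layout from the "Tuning Troika" section and the dump format from the steps above concrete, here is an added Python example (my code, not from the original post and not part of Mifare Classic Tool) that parses one sector in the text form shown above, extracts the policy number from bytes 2 to 9 of the second block as packed BCD, and sanity-checks the trailer before it is written: the access bytes store C1/C2/C3 twice (once inverted), and an inconsistent copy makes the card reject every further access to the sector, which is the risk behind the typo warning in step 5. The sample sector is the target layout from step 5 with the 888... placeholder as the policy number; the access descriptions follow the Mifare Classic data-block access-condition table.

```python
# Added example, not from the original post: parse a Mifare Classic Tool sector dump.
DATA_BLOCK_ACCESS = {  # (C1, C2, C3) of a data block -> who may read / write it
    (0, 0, 0): "read A|B, write A|B (transport configuration)",
    (0, 1, 0): "read A|B, write never",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B, value block",
    (0, 0, 1): "read A|B, write never, decrement only",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, write never",
    (1, 1, 1): "read never, write never",
}

def parse_sector(text):
    """Four lines of 32 hex characters -> four 16-byte blocks (block 3 is the trailer)."""
    blocks = [bytes.fromhex(line) for line in text.split()]
    if len(blocks) != 4 or any(len(b) != 16 for b in blocks):
        raise ValueError("a Mifare Classic 1K sector is exactly four 16-byte blocks")
    return blocks

def policy_number(blocks):
    """CHI policy number: block 1, bytes 2..9 (1-based), 16 digits of packed BCD."""
    digits = blocks[1][1:9].hex()
    if not digits.isdigit():
        raise ValueError("policy field is not packed BCD: " + digits)
    return digits

def access_bits_consistent(acc):
    """True if the inverted copies of C1/C2/C3 in the access bytes match the plain ones."""
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return (c1, c2, c3) == ((b6 & 0xF) ^ 0xF, (b6 >> 4) ^ 0xF, (b7 & 0xF) ^ 0xF)

def trailer_info(trailer):
    """Return (key A, key B, access of blocks 0..2); refuse a trailer that would lock the sector."""
    key_a, acc, key_b = trailer[:6], trailer[6:10], trailer[10:16]
    if not access_bits_consistent(acc):
        raise ValueError("access bits %s are inconsistent; writing them locks the sector" % acc.hex())
    c1, c2, c3 = acc[1] >> 4, acc[2] & 0xF, acc[2] >> 4
    # bit i of each nibble describes block i of the sector (bit 3 is the trailer itself)
    per_block = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(3)]
    return key_a.hex().upper(), key_b.hex().upper(), [DATA_BLOCK_ACCESS[c] for c in per_block]

# Constructed input: the target layout from step 5, with the 888... placeholder as policy number
SECTOR_5 = """00000000000000000000000000000000
00888888888888888800000000000000
00000000000000000000000000000000
186D8C4B93F908778F029F131D8C2057"""

if __name__ == "__main__":
    blocks = parse_sector(SECTOR_5)
    print(policy_number(blocks), trailer_info(blocks[3]))
```

Run it against a dump you are about to write; if trailer_info raises, the access bytes contain a typo and the write would lock the sector for good.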

Source: habr.com