Proxmark3 community

#1 2020-11-04 13:45:43

Ulrich
Contributor
Registered: 2020-11-04
Posts: 4

Unknown data algo. Help needed!

Hello everybody!
I got a few Mifare Classic 1K cards from an undefined locking system.

I was able to read the info and even find out some additional information.
1) Only sectors 5 and 6 are used
2) Keys A and B in Sector 5 = 44 <UID> 45
3) Key A in Sector 6 = 44 <UID> 45 as well
4) Key B in Sector 6 is constant = 85fcd982ea5a
5) Sector 6 (blocks 24-27) is used for writing the user data such as valid through date, permissions etc.
6) The lock doesn't see the card when block 20 of Sector 5 is empty

I guess that data in Block 20 is somehow calculated from any data above.
I tried to use XOR decryption with the UID or other numbers, but with no luck.

Can someone give me any suggestion or hint, how can I crack it?

===================================
Card 1
Sector 0
blck0    edb075a98108040001bfe585c55f9e1d
blck1    00000000000000000000000000000000
blck2    00000000000000000000000000000000
blck3    FFFFFFFFFFFFFF078069FFFFFFFFFFFF

Sector 5
blck20    2fe3e3ee428eb6969c20aa5576974911
blck21    00000000000000000000000000000000
blck22    00000000000000000000000000000000
blck23    44edb075a9457877880044edb075a945

Sector 6
blck24    00000000000000000000000000000000
blck25    00000000000000000000000000000000
blck26    00000000000000000000000000000000
blck27    44edb075a9457877880085fcd982ea5a

===================================
Card 2
Sector 0
blck0    0bc8813674080400012a8e4963b5031d
blck1    00000000000000000000000000000000
blck2    00000000000000000000000000000000
blck3    FFFFFFFFFFFFFF078069FFFFFFFFFFFF

Sector 5
blck20    6c22f4f22e4927bced4bef8ba479a237
blck21    00000000000000000000000000000000
blck22    00000000000000000000000000000000
blck23    440bc881364578778800440bc8813645

Sector 6
blck24    a0c1bc3821e6b33525fb0983444c3961
blck25    e26b30b1da7b18b1429b90813a4b98a1
blck26    822b50f17a3bb8f1621bb0419a8bafbe
blck27    440bc88136457877880085fcd982ea5a

===================================
Card 3
Sector 0
blck0    2EA87455A7080400017E596C63A5C51D
blck1    00000000000000000000000000000000
blck2    00000000000000000000000000000000
blck3    FFFFFFFFFFFFFF078069FFFFFFFFFFFF


Sector 5
blck20    CCC294124ECB9F3D4E8C4C4C477641F8
blck21    00000000000000000000000000000000
blck22    00000000000000000000000000000000
blck23    442EA874554578778800442EA8745545


Sector 6
blck24    6BEB253AA0E02A2EA0D134266EEED329
blck25    4833A9DB2339F9E31331D99B13590903
blck26    C3D1293BE3D93983935159BB9379BE4C
blck27    442EA87455457877880085FCD982EA5A

===================================
Card 4
Sector 0
blck0    1D4D8AA97308040001842313C667621D
blck1    00000000000000000000000000000000
blck2    00000000000000000000000000000000
blck3    FFFFFFFFFFFFFF078069FFFFFFFFFFFF


Sector 5
blck20    6020A42D85CD5C7E9710716595AFFAD1
blck21    00000000000000000000000000000000
blck22    00000000000000000000000000000000
blck23    441D4D8AA94578778800441D4D8AA945


Sector 6
blck24    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
blck25    5858C380894A63C87912B340998A7368
blck26    A9F2836089EA6328F9F23320D9EA04C7
blck27    441D4D8AA9457877880085FCD982EA5A

===================================
Card 5
Sector 0
blck0    FD26F9496B080400012EAD4498BADF1D
blck1    00000000000000000000000000000000
blck2    00000000000000000000000000000000
blck3    FFFFFFFFFFFFFF078069FFFFFFFFFFFF


Sector 5
blck20    CEC2028FE32F29AC03B2DDA7499D5EFB
blck21    00000000000000000000000000000000
blck22    00000000000000000000000000000000
blck23    44FD26F949457877880044FD26F94945


Sector 6
blck24    E389CD7FEB8D49BE7E70BE93AC5B4868
blck25    93C2C08A0A6800F2CA40908A5A88F052
blck26    DAA040AA8A8840528AA0506A9AE877BD
blck27    44FD26F949457877880085FCD982EA5A
===================================

Thanks in advance for your help, guys!

Last edited by Ulrich (2020-11-04 20:39:01)
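
Added example (not part of the original post, and not code from the lock vendor or the Proxmark3 project): a check of observations 2-4 against the posted dumps. It parses block 0 and the sector 5 and 6 trailers of each card, verifies the UID check byte and the access-bit redundancy, and reports which keys are only the card's public UID wrapped in 44 ... 45. The function names and the `CARDS` table are assumptions; the hex values are copied from the dumps above.

```python
# Blocks 0, 23 and 27 of each card, copied from the dumps in the post.
CARDS = {
    1: ("edb075a98108040001bfe585c55f9e1d", "44edb075a9457877880044edb075a945",
        "44edb075a9457877880085fcd982ea5a"),
    2: ("0bc8813674080400012a8e4963b5031d", "440bc881364578778800440bc8813645",
        "440bc88136457877880085fcd982ea5a"),
    3: ("2EA87455A7080400017E596C63A5C51D", "442EA874554578778800442EA8745545",
        "442EA87455457877880085FCD982EA5A"),
    4: ("1D4D8AA97308040001842313C667621D", "441D4D8AA94578778800441D4D8AA945",
        "441D4D8AA9457877880085FCD982EA5A"),
    5: ("FD26F9496B080400012EAD4498BADF1D", "44FD26F949457877880044FD26F94945",
        "44FD26F949457877880085FCD982EA5A"),
}
SECTOR6_KEY_B = "85fcd982ea5a"  # constant reported in observation 4

def parse_block0(hexstr):
    """Return (uid, bcc_ok) for a 4-byte-UID manufacturer block."""
    b = bytes.fromhex(hexstr)
    uid, bcc = b[:4], b[4]
    return uid, (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc

def parse_trailer(hexstr):
    """Split a sector trailer into key A, key B and an access-bit sanity flag."""
    b = bytes.fromhex(hexstr)
    key_a, acc, key_b = b[:6], b[6:9], b[10:]
    c1, c2, c3 = acc[1] >> 4, acc[2] & 0xF, acc[2] >> 4
    # Each of C1..C3 is also stored inverted; a mismatch means a corrupt trailer.
    valid = ((acc[0] & 0xF) == (~c1 & 0xF) and (acc[0] >> 4) == (~c2 & 0xF)
             and (acc[1] & 0xF) == (~c3 & 0xF))
    return key_a, key_b, valid

def uid_derived(key, uid):
    """True when the key is 0x44 || UID || 0x45, i.e. contains no secret."""
    return key == b"\x44" + uid + b"\x45"

def audit(cards):
    report = {}
    for n, (b0, t5, t6) in cards.items():
        uid, bcc_ok = parse_block0(b0)
        a5, b5, v5 = parse_trailer(t5)
        a6, b6, v6 = parse_trailer(t6)
        report[n] = {
            "uid": uid.hex(),
            "bcc_ok": bcc_ok,
            "access_bits_ok": v5 and v6,
            "uid_derived": [uid_derived(k, uid) for k in (a5, b5, a6)],
            "sector6_key_b_shared": b6.hex() == SECTOR6_KEY_B,
        }
    return report
```

Every card in the post passes all four checks, so three of the four keys depend only on the UID the card transmits in clear during anticollision, and the fourth is identical on all five cards.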


#2 2020-11-04 20:35:22

Ulrich
Contributor
Registered: 2020-11-04
Posts: 4

Re: Unknown data algo. Help needed!

Could someone tell if it's hackable or not?


#3 2020-11-05 06:51:20

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Unknown data algo. Help needed!

Hi Ulrich! It is a Hotek Classic lock. It uses MD5? AES?
They can use anything that has an output size of 16 bytes.


#4 2020-11-07 20:44:38

Ulrich
Contributor
Registered: 2020-11-04
Posts: 4

Re: Unknown data algo. Help needed!

@Sentinel thank you for your reply! At least now I know the name of the system.
Do you think it is hackable or a known algo? I suggest that it has some correlation with the UID or Key A/Key B.
But I'm new to all this stuff, and am trying to guess what my next step should be.


#5 2021-11-05 08:16:26

isomail07
Contributor
Registered: 2020-11-16
Posts: 4

Re: Unknown data algo. Help needed!

I once came across the same thing. The lock system was using sector 1. keyA was static and keyB was changing for every single UID. I had about 30 room cards. I cracked them all and wrote down each UID for each keyB, then I reverse engineered it; yes, I worked 1-2 weeks on this. I saw the pattern and cracked the algorithm, then wrote an application using the ACR120. In the end I was able to generate an empty hotel card for any UID. It was really exhausting. I don't recommend you try, but if you are going to, you need more examples and a little bit more ambition.

Last edited by isomail07 (2021-11-05 08:18:25)

