Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2012-09-07 12:17:09

plexer
Member
Registered: 2012-09-06
Posts: 2

SALTO Access Control System

Hi everyone.

We use the SALTO access contol system using 1k Mifare classic cards.

Due to the way the system works the cards contains access control information it isn't just a case of the readers reading the rom code from the chip.

Before a card can be used on the system it has to be "activated" by the SALTO SAM software which from what I can gather is not the same as the SAM talked about elsewhere on here. What it does is program 2 keys into the card which are embedded in the door locks and ceates the relevant card structure.

Most smaller companies ours included buy cards from a reseller who purchase them from SALTO allready setup to be integrate in the on-site system.

If I wanted to purchase the SAM software myself from SALTO it would cost £3500 apparently and I would received a SAM card which then has 2 customer keys programmed to it which I would use to program my locks and on-site blank cards.

I'm wondering if I were to clone one of my existing cards that's allready has the SALTO default keys in it if I could avoid this expense.

Any thoughts grateful and if anyone in the uk wanted to work with me and possibly see if they can clone a card which doesn't have any user access levels on it that'd be possible.

Thanks.

Offline

#2 2012-09-07 14:13:20

elektryk
Contributor
Registered: 2009-09-10
Posts: 43

Re: SALTO Access Control System

You can get authentication keys for the card and then extract whole card data. You can put all data except UID on any blank card. You can also get cards which can be programmed with specific UID from China. So everything it is possible.

BUT Proxmark or any other devices will no make this "Automatic", it is just tool so you must get some knowledge and use it properly.

Personally I think full cloning the card is stupidity, if you loose cloned card you have to blacklist your own card and make clone again.

If you are private person, and want to clone card for parking entrance or sth, I guess it will be more expensive to buy proxmark than pay to register new card.

If you want to do this for company to manage users, it is also stupid idea, because many people with share same cards, so you cannot distinguish who entered the company and add selective access rights. Of course you try to break system and find how information is coded on the card. I feel the reverese engineering of SALTO system and then writing your own software to generate cards, will be more expensive than £3500.

Last edited by elektryk (2012-09-07 14:14:43)

Offline

#3 2012-09-07 17:26:26

plexer
Member
Registered: 2012-09-06
Posts: 2

Re: SALTO Access Control System

Hi elektryk,

Thanks for the response.

What about however if the only data needing to be written to a blank mifare card to make it acceptable to the front desk issuing software was the 2 keys held in a specific location, if when the card is issued by the front desk software the writer then writes the rest of the data needed this could be a solution?

I'm guessing I could dump 2 virgin cards where they have yet to be incorporated into the system and therefore only contain the keys?

Thanks.

Offline

#4 2012-09-09 10:03:29

elektryk
Contributor
Registered: 2009-09-10
Posts: 43

Re: SALTO Access Control System

plexer wrote:

What about however if the only data needing to be written to a blank mifare card to make it acceptable to the front desk issuing software was the 2 keys held in a specific location, if when the card is issued by the front desk software the writer then writes the rest of the data needed this could be a solution?

I have no idea, I do not know this system.
That thing that you call "keys" does not need to be a really (or only) encryption keys, this could be anything, like sector configuration or sector value.

Offline

#5 2016-05-10 14:12:28

ronnieku
Member
Registered: 2015-02-19
Posts: 6

Re: SALTO Access Control System

I am running a hotel with mifare doorlock. I have done numerous test. It the UID and Key A/B must be the same for it to work at the front desk and door lock. I guess they have a software to generate Key A/B that correlated to the UID. I have know a Mifare cards factory in china that could clone for you. However, you have to provide the dumpdata file for each card you cracked so that could copy exactly. This will be tedious. But it will be a one time job. Anyone has better idea? my email is ronnieku10@hotmail.com . Plexer, do you have better idea?

Offline

#6 2016-06-11 13:45:29

Aliendennis
Contributor
Registered: 2016-04-04
Posts: 29

Re: SALTO Access Control System

Sorry about it. Removed the post. Terribly sorry.

I hope you remove my particular too. Thank you.

Last edited by Aliendennis (2016-06-11 13:53:09)

Offline

#7 2016-06-11 14:38:13

lohcm88
Contributor
Registered: 2016-02-05
Posts: 59

Re: SALTO Access Control System

Seriously... I don't know what has been leaked... Different encrypted cards has different keys even though the cards came from same company. Is Salto so dumb to use the same encrytion keys for all their cards? I am noob.. Care to explain?

Last edited by lohcm88 (2016-06-11 15:46:51)

Offline

#8 2016-11-04 08:24:15

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: SALTO Access Control System

Salto Access cards and fobs use the default A and B keys for Sectors 0 to 4 inclusive
Sector 5 to 15 all have a single A key and a single B key so only 2 keys. They are the same whether you have a card a fob or a disc.
The only difference between the above and the Salto Construction Card which you offer to the system is that in
Sector 14 Block 0 the construction card has data and Sector 15 Blocks 1 and 2 are different, block 0 is always the same.
sectors 5 to 14 are all blank on standard access cards and fobs.

Offline

#9 2017-01-22 23:47:37

GabrielTK
Contributor
Registered: 2017-01-17
Posts: 3

Re: SALTO Access Control System

Did you guys know how to emulate a Salto Card??

Offline

#10 2017-12-08 11:10:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

Did anyone get all keys out from a Salto Card?   If so,  share it with me?

Offline

#11 2017-12-08 11:48:03

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: SALTO Access Control System

iceman wrote:

Did anyone get all keys out from a Salto Card?   If so,  share it with me?

You know better than to ask for keys on here Iceman...     :-)   hehehe

I emailed you on an unrelated topic.

Offline

#12 2017-12-08 11:49:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

....thanks friendly user!   

In order to explain why me asking for it, is that I don't have any access to a salto key. 
But I heard that Salto has both Mifare Classic and Desfire.   Can someone confirm that?

Offline

#13 2017-12-08 11:53:21

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: SALTO Access Control System

Salto uses the same keys for its standard Mifare access 1K and 4 K cards
They also have Desfire, Magstripe and dual technology.
http://www.saltopartner.com/carriers-2-en-us/mifare-desfire-nl-nl-en-us/

Offline

#14 2017-12-08 11:54:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

Turns out I already had them, but hard to test/verify without a card...

https://github.com/iceman1001/proxmark3 … s.dic#L283

Offline

#15 2017-12-08 11:54:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

So,  they do have Desfire,  now the question,  does someone have a Salto Desfire card?

Offline

#16 2017-12-08 12:00:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

Re-assembled dump from another thread.

ae e8 56 34 24 88 04 00 47 c1 35 14 c9 00 24 08
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff ff ff ff ff ff ff 07 80 69 ff ff ff ff ff ff
c1 9d 8f 23 c6 5e ea 7d 98 62 c7 78 c1 c7 18 a4
0a 46 59 f5 5b a2 96 70 b8 04 7d f1 e8 2a be b3
64 bb 12 c2 80 d5 c3 66 31 d4 66 f2 bb 10 d2 f7
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
74 0a bb f0 6f 6d 6b a3 87 dd 7c 6b 79 8d 64 22
99 c0 a1 24 fd 79 d8 7f fd d4 7c 4a ef b2 f0 4d
72 85 c8 f7 73 ff 93 28 d5 f9 6f 7c f0 63 0b 58
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
ca b3 02 21 a8 72 4b 34 8a 3c b3 5d 85 d6 9f 6b
d5 ec 15 fe 39 6c 3b 43 78 08 bf 01 73 41 08 0b
a5 d1 7d 65 6b 35 79 b4 c5 a4 ef 0a be f0 b8 8d
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
0b e2 d5 8e b4 68 0f 9e a2 a0 42 1a 00 1e e3 58
2d c1 36 d4 4f 91 69 46 a4 e6 01 26 51 0f c3 07
e8 e7 2a 68 4c 13 2e c3 4e 7f a8 b0 ac 87 7a 87
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
54 04 d9 19 5b ac c4 5c 00 00 00 00 00 00 00 00
00 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
d2 57 71 86 bc fe d9 bd 71 09 f8 9a 64 09 a0 48
ff a6 31 1f 51 36 04 5c 8f 81 d0 a0 fe 03 62 67
ce 27 23 97 27 f4 1b 76 8c 0d 25 8b 92 78 16 00
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
0b 57 00 e6 00 40 00 18 00 00 00 00 f1 00 00 00
00 4b b4 1f fb 29 1b 5f 33 74 d4 1f 10 da ae e4
4f f3 56 30 a1 80 03 c6 bc b3 ec 77 46 83 7f 5f
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29
e0 ff 00 00 00 48 ef 48 1f 00 ff ff ff b7 10 b7
ff 81 68 00 10 02 00 2f 00 00 00 00 00 00 00 00
ff ff 0e f1 01 fc a5 4a 3d 0b 4f 5d fc 21 0d 0a
6a 19 87 c4 0a 21 f7 8f 00 5a 7f 33 62 5b c1 29

Offline

#17 2017-12-11 20:36:25

ikarus
Contributor
Registered: 2012-09-20
Posts: 249
Website

Re: SALTO Access Control System

I have a Desfire card of Salto wink. We are using this system at work... Contact me if I can help you with anything.

Offline

#18 2017-12-11 20:41:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

Nice,
do you know which encryption it uses or the key? ....  Are you able to dump it?

Offline

#19 2017-12-11 22:15:38

ikarus
Contributor
Registered: 2012-09-20
Posts: 249
Website

Re: SALTO Access Control System

No, I only see the AID of the Salto application, the key configuration and one file inside the application (1184 bytes).
But reading the file fails. The application master key is required and I don't have it. What I have is the PICC master key,
but I'm not sure if this helps in this situation.

And if I'm not mistaken, sniffing will not help because MIFARE Desfire tags always encrypt the communication, right?
And during the authentication a challenge response protocol is used. Not sure if anything can be recovered from this
using only sniffing.

I can talk to some guys at work and see if there are willing to give me the key for research purposes.
Oh, and in that case we should start a new thread over at "Desfire".  wink

Offline

#20 2017-12-11 22:35:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: SALTO Access Control System

Yes.  if you do get access,  to either key or firmware of the reader involved...   then start a thread over at the Desfire category

Offline

#21 2017-12-13 00:25:25

ABChip
Contributor
Registered: 2017-12-08
Posts: 2

Re: SALTO Access Control System

I have mifare 1K and 4K salto cards. Contact me if you need the dump.

Offline

#22 2018-01-08 13:45:03

speedlimits
Contributor
Registered: 2017-06-28
Posts: 31

Re: SALTO Access Control System

Hi all,

I have:

-  a salto config card (for use first time )
- a salto mifare card with sectors coded by salto
- a salto Desfire card with salto application on it

what do you want to know ?

Offline

Board footer

Powered by FluxBB