Research, development and trades concerning the powerful Proxmark3 device.
Hello everybody!
I got a few Mifare Classic 1K cards from an undefined locking system.
I was able to read the info and even find out some additional information.
1) only sectors 5 and 6 are used
2) Keys A and B in Sector 5 = 44 <UID> 45
3) Key A in Sector 6 = 44 <UID> 45 as well
4) Key B in Sector 6 is constant = 85fcd982ea5a
5) sector 6 (blocks 24-27) is used for writing the user data such as valid-through date, permissions, etc.
6) the lock doesn't see the card when block 20 of Sector 5 is empty
I guess that the data in Block 20 is somehow calculated from any of the data above.
I tried to use XOR decryption with the UID or other numbers, but with no luck.
Can someone give me any suggestion or hint on how I can crack it?
===================================
Card 1
Sector 0
blck0 edb075a98108040001bfe585c55f9e1d
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 2fe3e3ee428eb6969c20aa5576974911
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 44edb075a9457877880044edb075a945
Sector 6
blck24 00000000000000000000000000000000
blck25 00000000000000000000000000000000
blck26 00000000000000000000000000000000
blck27 44edb075a9457877880085fcd982ea5a
===================================
Card 2
Sector 0
blck0 0bc8813674080400012a8e4963b5031d
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 6c22f4f22e4927bced4bef8ba479a237
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 440bc881364578778800440bc8813645
Sector 6
blck24 a0c1bc3821e6b33525fb0983444c3961
blck25 e26b30b1da7b18b1429b90813a4b98a1
blck26 822b50f17a3bb8f1621bb0419a8bafbe
blck27 440bc88136457877880085fcd982ea5a
===================================
Card 3
Sector 0
blck0 2EA87455A7080400017E596C63A5C51D
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 CCC294124ECB9F3D4E8C4C4C477641F8
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 442EA874554578778800442EA8745545
Sector 6
blck24 6BEB253AA0E02A2EA0D134266EEED329
blck25 4833A9DB2339F9E31331D99B13590903
blck26 C3D1293BE3D93983935159BB9379BE4C
blck27 442EA87455457877880085FCD982EA5A
===================================
Card 4
Sector 0
blck0 1D4D8AA97308040001842313C667621D
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 6020A42D85CD5C7E9710716595AFFAD1
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 441D4D8AA94578778800441D4D8AA945
Sector 6
blck24 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
blck25 5858C380894A63C87912B340998A7368
blck26 A9F2836089EA6328F9F23320D9EA04C7
blck27 441D4D8AA9457877880085FCD982EA5A
===================================
Card 5
Sector 0
blck0 FD26F9496B080400012EAD4498BADF1D
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 CEC2028FE32F29AC03B2DDA7499D5EFB
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 44FD26F949457877880044FD26F94945
Sector 6
blck24 E389CD7FEB8D49BE7E70BE93AC5B4868
blck25 93C2C08A0A6800F2CA40908A5A88F052
blck26 DAA040AA8A8840528AA0506A9AE877BD
blck27 44FD26F949457877880085FCD982EA5A
===================================
Thanks in advance for your help, guys!
Last edited by Ulrich (2020-11-04 20:39:01)
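A way to check the observations in this post mechanically, as an added example that is not part of the thread (it assumes the `blckN <hex>` dump layout used above and does not attempt the block 20 derivation): it parses two of the posted cards, verifies the BCC byte in block 0, confirms the 0x44 || UID || 0x45 key pattern and the constant sector 6 Key B, and decodes the 78 77 88 access bytes. Those bytes mean the data blocks are readable with either key but writable only with Key B, so the per-card Key A only protects reading, and the one constant Key B shared by every card is what guards the user data in sector 6.

```python
import re

# Constructed input: Card 1 and Card 2 exactly as posted in the thread above,
# trimmed to the blocks the checks below need (all-zero data blocks omitted).
DUMP_TEXT = """
Card 1
Sector 0
blck0 edb075a98108040001bfe585c55f9e1d
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 2fe3e3ee428eb6969c20aa5576974911
blck23 44edb075a9457877880044edb075a945
Sector 6
blck27 44edb075a9457877880085fcd982ea5a
Card 2
Sector 0
blck0 0bc8813674080400012a8e4963b5031d
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 6c22f4f22e4927bced4bef8ba479a237
blck23 440bc881364578778800440bc8813645
Sector 6
blck27 440bc88136457877880085fcd982ea5a
"""

# The constant Key B seen in every sector 6 trailer of the posted dumps.
SECTOR6_KEY_B = bytes.fromhex("85fcd982ea5a")

# Read/write rights of a data block for each (C1, C2, C3) triple
# (MIFARE Classic datasheet access-condition table, read/write columns only).
DATA_ACCESS = {
    (0, 0, 0): "read A|B, write A|B (transport configuration)",
    (0, 1, 0): "read A|B, write never",
    (1, 0, 0): "read A|B, write B",
    (1, 1, 0): "read A|B, write B (value block)",
    (0, 0, 1): "read A|B, write never (value block, decrement only)",
    (0, 1, 1): "read B, write B",
    (1, 0, 1): "read B, write never",
    (1, 1, 1): "read never, write never",
}


def parse_dump(text):
    """Return {card_name: {block_number: 16 bytes}} from the 'blckN <hex>' lines."""
    cards, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Card\s+(\d+)", line)
        if m:
            current = "Card " + m.group(1)
            cards[current] = {}
            continue
        m = re.match(r"\s*blck(\d+)\s+([0-9a-fA-F]{32})\s*$", line)
        if m and current is not None:
            cards[current][int(m.group(1))] = bytes.fromhex(m.group(2))
    return cards


def uid_of(blocks):
    """The 4-byte UID is the first four bytes of the manufacturer block."""
    return blocks[0][:4]


def bcc_ok(blocks):
    """Byte 4 of block 0 is the BCC, the XOR of the four UID bytes."""
    uid = uid_of(blocks)
    return blocks[0][4] == uid[0] ^ uid[1] ^ uid[2] ^ uid[3]


def derived_key(uid):
    """Key pattern the poster observed: 0x44 || UID || 0x45."""
    return b"\x44" + uid + b"\x45"


def split_trailer(trailer):
    """Sector trailer layout: key A (6), access bytes (3), user byte (1), key B (6)."""
    return trailer[:6], trailer[6:9], trailer[10:16]


def decode_access(acc):
    """Decode the three access bytes into (C1, C2, C3) for blocks 0..3 of the sector.

    Returns (bits, consistent). Bytes 6 and 7 carry inverted copies of the bits;
    consistent is False when they disagree with the plain copies in bytes 7 and 8,
    which is the state that makes the card refuse further access to the sector."""
    b6, b7, b8 = acc
    c1, c3, c2 = b7 >> 4, b8 >> 4, b8 & 0xF
    consistent = ((b6 >> 4) == (~c2 & 0xF)) and ((b6 & 0xF) == (~c1 & 0xF)) \
        and ((b7 & 0xF) == (~c3 & 0xF))
    bits = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return bits, consistent


def check_card(blocks):
    """Run the structural checks from the thread on one card's blocks."""
    uid = uid_of(blocks)
    key = derived_key(uid)
    a5, acc5, kb5 = split_trailer(blocks[23])
    a6, acc6, kb6 = split_trailer(blocks[27])
    bits5, ok5 = decode_access(acc5)
    bits6, ok6 = decode_access(acc6)
    return {
        "uid": uid.hex(),
        "bcc_ok": bcc_ok(blocks),
        "sector5_keys_derived_from_uid": a5 == key and kb5 == key,
        "sector6_keyA_derived_from_uid": a6 == key,
        "sector6_keyB_constant": kb6 == SECTOR6_KEY_B,
        "access_bits_consistent": ok5 and ok6,
        "data_block_access": DATA_ACCESS[bits6[0]],
        "block20_is_empty": blocks[20] == bytes(16),
    }


if __name__ == "__main__":
    for name, blocks in parse_dump(DUMP_TEXT).items():
        print(name, check_card(blocks))
```

Paste the other three cards into `DUMP_TEXT` and every check runs over all of them at once; a candidate rule for block 20 would be tested the same way, as one function applied to every card rather than by hand on one.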
Could someone tell me if it's hackable or not?
Hi Ulrich! It is a Hotek Classic lock. Does it use MD5? AES?
They can use anything that has an output size of 16 bytes.
@Sentinel thank you for your reply! At least now I know the name of the system.
What do you think, is it hackable or a known algo? I suggest that it has some correlation with the UID or Key A / Key B.
But I'm new to all this stuff, and I am trying to guess what my next step should be.
Once I came across the same thing. The lock system was using sector 1. Key A was static and Key B was changing for every single UID. I had about 30 room cards. I cracked them all and wrote down each UID with each Key B, then I reverse engineered it; yes, I worked 1-2 weeks for this. I saw the pattern and cracked the algorithm, then wrote an application using an ACR120. At the end I was able to generate an empty hotel card for any UID. It was really exhausting. I don't recommend you to try, but if you are going to, you need more examples and a little bit more ambition.
Last edited by isomail07 (2021-11-05 08:18:25)