Research, development and trades concerning the powerful Proxmark3 device.
[EDIT]
All solved, nothing needed anymore. Leaving the original post for reference
Hello,
Now, this is a callout for Vingcard dumps / cards of the new model which uses UL-EV1.
I don't have more details about this than:
old system uses UL with diversified OTP and XOR of data.
old system uses Mifare Classic 1K/4K with diversified key.
new system w version uses UL-EV1 with diversified pwd / OTP.
Post here, sendfile.com, ghostbin.com, pastebin.com, email me, doesn't matter to me. Same same but different.
UL-EV1 with a pwd. This pwd is most likely diversified. So, complete dumps with pwd and pack are needed.
Default pwd 0xffffffff has also been seen. Use hf mfu info.
More gathered information.
Vingcard has seven different versions with different card models; some even use the antique CryptoRF.
A - Old system
Uses many default keys/pwds.
OTP algo known.
Mifare Classic sector 1 keyA/B algos known.
Mifare Ultralight
Mifare Ultralight-C
Mifare Classic 1K
Mifare Classic 4K
B - Old system clones
These are Chinese clones, which are based on the old system but didn't work properly until version 3.
Mifare Classic 1K (version2)
Mifare Classic 1K (version3)
C - New system
Uses PWD/PACK, against new readers.
Mifare Ultralight EV1
Features of concern
A - The Ultralight based cards are old, some use the default password.
A - The Classic based cards: some keys are default, some are fixed, and some are diversified.
A - There are two key diversification algos for Classic sector 1. (algo known)
B -(dated 2015) - some keys only for sectors 0, 1 and 2
B -(dated 2017) - random keys for sectors: 0, 1, 2 and 6
C - uses PWD/PACK (algo known)
To be figured out
old - the two key diversification algos. *solved*
new - pwd algo *solved*
datamapping
datamapping
The S50/S70 cards use MAD type 2 in sector 0, blocks 1,2, which explains the use of the default key 0xa1a2a3a4a54.
S70 also uses s10, blocks 1,2.
Seen AIDs: 7005, 7006, 7007, 7009, which belong to Vingcard and the grouping Hotels. *obviously*
After getting a lot of different info back, I can summarize that Vingcard uses many types of cards. At least seven (seen in the post above) are used in the wild.
Funny tidbits of info:
UL-EV1 are supposed to work on UL readers.
This suggests that the system doesn't take advantage of the new functionality UL-EV1 offers, which would explain the default keys found.
UL-C is used on a brand new system, on a top-of-the-line cruise ship, also with the default 3DES key.
Classic tags have a key diversification scheme for some few sectors. But there are so many default ones that you can get all keys anyway.
So how did I gather this information? Well, it's a puzzle where people give me a little bit of information, I look at dumps and I make assumptions. Funny how people release more and more pieces of this puzzle as time goes. I'm going to update my previous posts to paint the picture as clearly as I understand it today.
And no, I didn't read Vingcard's homepage nor Assa Abloy's. All you see here is a bit of hearsay and the rest is validated against tag dumps. (thank you all for sharing)
Go nuts bro!
Just try to sniff, read, dump all cards you can get your hands on. Sometimes they (the hotel reception) reprogram it for you. Just tell them it doesn't work. Keep track of data, like time, date, room number etc. Also try asking what system they use..
Hello.
These are 99 Vingcard dumps, old, MFUL.
I'm looking for an algo to calculate the OTP from the UID.
Columns: UID [1][2][3] | UID [4][5][6][7] | OTP [1][2][3][4]
PS. I have over 1000 cards, can make dumps and upload them somewhere if needed.
Last edited by nistix (2017-07-18 21:50:07)
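Each 16-byte line in dumps like the ones above is Ultralight pages 0 to 3, and two of those bytes are check bytes that tell you whether a line was read cleanly before you look for a UID-to-OTP relation. The following is an added example (not nistix's code, nor anything from the thread) that decodes such a line using the standard MF0ICU1 page layout; the sample lines are constructed.

```python
# Added example: decode a 16-byte MIFARE Ultralight dump line (pages 0-3) and
# verify the two ISO 14443-3 check bytes before trusting the UID -> OTP pair.
# Page layout per the NXP MF0ICU1 datasheet:
#   page 0: UID0 UID1 UID2 BCC0     page 1: UID3 UID4 UID5 UID6
#   page 2: BCC1 INT  LOCK0 LOCK1   page 3: OTP0 OTP1 OTP2 OTP3
# BCC0 = 0x88 ^ UID0 ^ UID1 ^ UID2 (0x88 is the cascade tag), BCC1 = UID3 ^ ... ^ UID6.

CASCADE_TAG = 0x88


def parse_ul_dump_line(line):
    """Return uid, otp, lock bytes and BCC validity for one 16-byte dump line."""
    raw = bytes.fromhex(line.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("expected 16 bytes (pages 0-3), got %d" % len(raw))
    page0, page1, page2, page3 = raw[0:4], raw[4:8], raw[8:12], raw[12:16]
    uid = page0[0:3] + page1  # 7-byte double-size UID spans pages 0 and 1
    bcc0_ok = page0[3] == CASCADE_TAG ^ page0[0] ^ page0[1] ^ page0[2]
    bcc1_ok = page2[0] == page1[0] ^ page1[1] ^ page1[2] ^ page1[3]
    return {
        "uid": uid.hex(),
        "otp": page3.hex(),
        "lock": page2[2:4].hex(),
        "bcc_ok": bcc0_ok and bcc1_ok,
    }


def valid_uid_otp_pairs(lines):
    """Keep only lines whose check bytes verify; a failed BCC usually means a misread."""
    out = []
    for line in lines:
        rec = parse_ul_dump_line(line)
        if rec["bcc_ok"]:
            out.append((rec["uid"], rec["otp"]))
    return out


# Constructed sample lines (not from the thread); the second has a corrupted BCC1.
SAMPLE_LINES = [
    "04 11 22 bf 33 44 55 66 44 48 00 00 de ad be ef",
    "04 11 22 bf 33 44 55 66 45 48 00 00 de ad be ef",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_ul_dump_line(sample))
    print(valid_uid_otp_pairs(SAMPLE_LINES))
```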
Holidays "followup": No Vingcard yet, but I found a strange system in a hotel. They use standard mechanical keys but a chip card for the light switch. You have to put the card in a shitty smartcard reader to have electricity in the room. By looking at the chip it looks like the SLE4442 (not sure, but an Infineon micromodule). Not dumped, but probably just an ID and might be copied to another card. I said SLE4442 because it's incredibly popular and also used in some Vingcard systems. So they might have designed the thing to be compatible w' Vingcard.
Some light switches detect the presence of any 13.56 MHz card. They consist of a 13.56 MHz quartz crystal, a 74HC04 (logic NOT element; the generator is built from this chip), and an operational amplifier. When the card is in the pocket it takes energy away from the circuit, and the light turns on.)
Yes indeed. Also, most modern (NXP) NFC frontend chips have an interrupt pin that fires when a card is detected in the field, so you can easily handle that with a low cost MCU....
Don't take me for 100% sure, but I think the PN512 has it and its cost is pretty low...
On the other hand, hotel business is serious money...
The PN512 is an expensive chip. And it needs a microcontroller.. I can not find this Chinese card with the 74HC04 ((( ... when I find it, I'll post a photo )
For example, SALTO locks use a CLRC632 (USD $5..6) and an optical prism to detect a card near the lock.
iceman, are you still looking for Ultralight EV1 dumps?
I'm at a hotel now with those keys but I can't seem to figure out how to get the Proxmark3 to clone them. Is that even possible in the latest firmware? I just get some dump data and "authentication failed" error messages. These are Assa Abloy cards.
Yes, I still look for UL-EV1 dumps. Complete ones.
You will sniff the pwd, using pm3 between card and reader.
hf 14a sniff
hf list 14a
The pwd should be easy to read in the tracelog output.
Then you use the key to dump the card.
hf mfu dump k bbbbbbb
To enable people to have a go at it, here are some Ultralight EV1 samples. (thanks @dot.com)
UID            | OTP      | pwd       | pack
---------------+----------+-----------+-----
042490D27B4A81 | B0068418 | BBB3 5F35 | 1BBF
043E75DA7B4A81 | C5092E19 | D3F4 2D6E | BAF4
0405ABDA7B4A81 | AB07E518 | 2E52 7D26 | 93AA
044646D27B4A81 | A60D6616 | 1E15 28C9 | 7B11
04442952FA4E81 | D903740C | 9B25 C489 | 0BC1
046233D27B4A84 | A308D216 | 9EE9 F34E | 5E56
046639D27B4A84 | C9083617 | 7529 C0BB | 5897
049A3AD27B4A84 | 9A073A1A | 3B18 1386 | E075
049141D27B4A84 | A100111A | FBEF CBD5 | 4C00
04633A5AFA4E84 | AA00D30F | DFC0 41BA | EEC5
@mrials, 10.000 samples with pwd / pack? That would be a great starting point.
It depends if the samples are in sequential order with the UID.
But if you have a dataset with it, do please share.
...but only the UL-EV1 new pwd / pack samples are of interest; 10.000 samples sounds like a Vingcard hotel device found on this forum, and data from that one is of no interest to me.
Nice.
I have a sneaky feeling the pwd/pack are all set to the same value if un-programmed...
Secondly, to get the pwd/pack you would need to sniff the communication traffic between a valid reader and card.
Still, it's interesting to see what kind of tags they are. Are you able to sniff with a pm3?
10k. Interesting. It would be best if we can get 1-2 working locksets with 200 sequential cards; if not, the desktop encoder with the software and 200 cards to start. And it will be best if you have them all!
If you are interested, I can email you my address and we can start working on things
There we go,
http://www.bbc.com/news/technology-43896360
Makes me wonder why they waited until now to mention it?
djolemag wrote: NfcMan wrote: do you have Vingcard installation files? I can reverse the files and find the algo
Great, will try to get the latest version and let you know!
Hi,
Any news about the Vingcard software?
Hi, still waiting to get it to my hands... Hope to have it soon.
Any news regarding the UL EV1 PWD/PACK algo?
you can leave me a PM/email
@iceman: are you still interested or do you have a solution?
I have some hotel card dumps with the default passwd 0xFFFFFFFF; they are probably not useful here?
Last edited by Mackwa (2019-06-19 16:47:17)
MF Ultralight EV1 with default pwd:
https://pastebin.com/Wp5QYFP0
https://pastebin.com/03zcagDB
https://pastebin.com/zwNUGXP2
https://pastebin.com/B5Mw40r0
Here are 694 samples of sniffed PWD/PACK pairs of UL EV1, sharing with the community. Any input is highly appreciated.
https://drive.google.com/file/d/1F3212C … sp=sharing