Research, development and trades concerning the powerful Proxmark3 device.
Hello everybody!
I got a few Mifare Classic 1K cards from an undefined locking system.
I was able to read the info and even find out some additional information.
1) only sectors 5 and 6 are used
2) Keys A and B in Sector 5 = 44 <UID > 45
3) Key A in Sector 6 = 44 <UID > 45 as well
4) Key B in Sector 6 is constant = 85fcd982ea5a
5) sector 6 (blocks 24-27) is used for writing the user data such as valid through date, permissions etc.
6) the lock doesn’t see the card when block 20 of Sector 5 is empty
I guess that data in Block 20 is somehow calculated from any data above.
I tried to use XOR decryption with UID or other numbers, but with no luck.
Can someone give me any suggestion or hint, how I can crack it?
===================================
Card 1
Sector 0
blck0 edb075a98108040001bfe585c55f9e1d
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 2fe3e3ee428eb6969c20aa5576974911
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 44edb075a9457877880044edb075a945
Sector 6
blck24 00000000000000000000000000000000
blck25 00000000000000000000000000000000
blck26 00000000000000000000000000000000
blck27 44edb075a9457877880085fcd982ea5a
===================================
Card 2
Sector 0
blck0 0bc8813674080400012a8e4963b5031d
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 6c22f4f22e4927bced4bef8ba479a237
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 440bc881364578778800440bc8813645
Sector 6
blck24 a0c1bc3821e6b33525fb0983444c3961
blck25 e26b30b1da7b18b1429b90813a4b98a1
blck26 822b50f17a3bb8f1621bb0419a8bafbe
blck27 440bc88136457877880085fcd982ea5a
===================================
Card 3
Sector 0
blck0 2EA87455A7080400017E596C63A5C51D
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 CCC294124ECB9F3D4E8C4C4C477641F8
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 442EA874554578778800442EA8745545
Sector 6
blck24 6BEB253AA0E02A2EA0D134266EEED329
blck25 4833A9DB2339F9E31331D99B13590903
blck26 C3D1293BE3D93983935159BB9379BE4C
blck27 442EA87455457877880085FCD982EA5A
===================================
Card 4
Sector 0
blck0 1D4D8AA97308040001842313C667621D
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 6020A42D85CD5C7E9710716595AFFAD1
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 441D4D8AA94578778800441D4D8AA945
Sector 6
blck24 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
blck25 5858C380894A63C87912B340998A7368
blck26 A9F2836089EA6328F9F23320D9EA04C7
blck27 441D4D8AA9457877880085FCD982EA5A
===================================
Card 5
Sector 0
blck0 FD26F9496B080400012EAD4498BADF1D
blck1 00000000000000000000000000000000
blck2 00000000000000000000000000000000
blck3 FFFFFFFFFFFFFF078069FFFFFFFFFFFF
Sector 5
blck20 CEC2028FE32F29AC03B2DDA7499D5EFB
blck21 00000000000000000000000000000000
blck22 00000000000000000000000000000000
blck23 44FD26F949457877880044FD26F94945
Sector 6
blck24 E389CD7FEB8D49BE7E70BE93AC5B4868
blck25 93C2C08A0A6800F2CA40908A5A88F052
blck26 DAA040AA8A8840528AA0506A9AE877BD
blck27 44FD26F949457877880085FCD982EA5A
===================================
Thanks in advance for your help, guys!
Last edited by Ulrich (2020-11-04 20:39:01)
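Added example, not part of the original post: a check a system owner could run over card dumps like the ones above to flag the two key-management weaknesses the post lists (sector keys that embed the card UID, and one key shared by every card). The function names are hypothetical; the trailer blocks and block 0 values are copied from Cards 1-3 above.

```python
from collections import Counter

# Block 0 and sector trailers copied from the dumps in the post above.
CARDS = {
    "Card 1": ("edb075a98108040001bfe585c55f9e1d",
               {5: "44edb075a9457877880044edb075a945",
                6: "44edb075a9457877880085fcd982ea5a"}),
    "Card 2": ("0bc8813674080400012a8e4963b5031d",
               {5: "440bc881364578778800440bc8813645",
                6: "440bc88136457877880085fcd982ea5a"}),
    "Card 3": ("2EA87455A7080400017E596C63A5C51D",
               {5: "442EA874554578778800442EA8745545",
                6: "442EA87455457877880085FCD982EA5A"}),
}

def parse_trailer(hex_block):
    """Split a 16-byte sector trailer into key A, access bytes, key B."""
    raw = bytes.fromhex(hex_block)
    if len(raw) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    return raw[:6], raw[6:10], raw[10:]

def uid_of(block0_hex):
    """Return the 4-byte UID from block 0 after checking the BCC byte (XOR of the UID)."""
    raw = bytes.fromhex(block0_hex)
    uid, bcc = raw[:4], raw[4]
    if uid[0] ^ uid[1] ^ uid[2] ^ uid[3] != bcc:
        raise ValueError("BCC mismatch, block 0 is corrupt")
    return uid

def audit(cards):
    """Return findings: keys that contain the UID, and keys identical on every card."""
    findings, seen = [], Counter()
    for name, (block0, trailers) in cards.items():
        uid = uid_of(block0)
        for sector, trailer in trailers.items():
            key_a, _access, key_b = parse_trailer(trailer)
            for label, key in (("A", key_a), ("B", key_b)):
                if uid in key:  # UID bytes appear verbatim inside the key
                    findings.append((name, sector, label, "uid-derived"))
                seen[(sector, label, key)] += 1
    for (sector, label, key), count in seen.items():
        if count == len(cards) and count > 1:
            findings.append(("all", sector, label, "static:" + key.hex()))
    return findings
```

Either finding means the key gives no per-card secrecy: a UID-derived key is predictable from public data, and a static key read from one card applies to all of them.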
@Sentinel thank you for your reply! At least now I know the name of the system.
What do you think, is it hackable or a known algo? I suggest that it has some correlation with UID or Key A / Key B.
But I'm new to all this stuff, and am trying to guess what my next step should be.
Once I came across the same thing. The lock system was using sector 1. keyA was static and keyB was changing for every single UID. I had about 30 room cards. I cracked them all and wrote down each UID for each keyB, then I reverse engineered; yes, I worked 1-2 weeks on this. Saw the pattern and cracked the algorithm, then wrote an application using acr120. At the end I was able to generate an empty hotel card for any UID. It was really exhausting. I don't recommend you try, but if you are going to, you need more examples and a little bit more ambition.
Last edited by isomail07 (2021-11-05 08:18:25)