Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2021-11-19 10:40:53

Burak
Contributor
Registered: 2021-10-06
Posts: 16

Mifare 1k can lock system has an algorithm between UID and sectors?

Hello,


We are using mifare 1k in our hotel and I was inspecting an blank card (we can only get those cards from key lock manufacturer). I inspected it and I figured out it has some important blocks to make it work (making it accessible by reader and writer). I edited each block one by one until finding the blocks which affects access by reader. So according to my findings those blocks are important: 44,45,47 . So my question is: Can there be an algorithm between UID and those sectors so reader can access the card? because when I look at any other blank card it has different codes on those blocks none of them is same so it might be changing according to sector 0 is it possible? here is the blocks I am talking about

BLOCK 0        27 F8 4C EE 7D 08 04 00 02 36 48 B0 5A B1 9D 1D
         
[=] block  44: C0 71 E4 FF E8 FF E1 FE 14 FF ED FE 10 FF E9 FE
[=] block  45: 1C FF 15 84 E0 85 E9 F9 FC 2B ED FE 00 00 00 00
[=] block  47: 98 61 25 14 E1 8D FF 07 80 69 FF FF FF FF FF FF 

If I edit any of it card is not readable.
Whole card is here 

[+] loaded 1024 bytes from binary file hf-mf-27F84CEE-dump.bin

[=] ----+-------------------------------------------------+-----------------
[=] blk | data                                            | ascii
[=] ----+-------------------------------------------------+-----------------
[=]   0 | 27 F8 4C EE 7D 08 04 00 02 36 48 B0 5A B1 9D 1D | '.L.}....6H.Z...
[=]   1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   3 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   4 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   5 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   7 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]   8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]   9 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  11 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  12 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  13 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  14 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  15 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  16 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  18 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  19 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  21 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  22 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  23 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  24 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  25 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  26 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  27 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  28 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  29 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  31 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  32 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  33 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  34 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  35 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  36 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  37 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  38 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  39 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  41 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  42 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  43 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  44 | C0 71 E4 FF E8 FF E1 FE 14 FF ED FE 10 FF E9 FE | .q..............
[=]  45 | 1C FF 15 84 E0 85 E9 F9 FC 2B ED FE 00 00 00 00 | .........+......
[=]  46 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  47 | 98 61 25 14 E1 8D FF 07 80 69 FF FF FF FF FF FF | .a%......i......
[=]  48 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  49 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  51 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  52 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  53 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  54 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  55 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  56 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  57 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  58 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  59 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=]  60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  61 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  62 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
[=]  63 | FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF | .........i......
[=] ----+-------------------------------------------------+-----------------

Last edited by Burak (2021-11-19 10:51:33)

Offline

#2 2021-11-20 09:18:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507
Website

Re: Mifare 1k can lock system has an algorithm between UID and sectors?

One,    is the key A static or diversified?   ie,   is it the same on other cards or not?
If diversified,  then usually there is some kind of algorithm involved.  Usually UID bytes are used. 

The data blocks,  those are strongly tied with the hotel system software.  You would need to identify the system.

So more background detail of the system used,  more data samples,  access to software etc.

Have fun and enjoy your research!

Offline

Pages: 1

Board footer

Powered by FluxBB