Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2016-06-17 21:17:39

jontaa
Contributor
Registered: 2016-06-17
Posts: 12

Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Hello Guys!

I have a Yale Doorman lock using RFID tags and were interested in what data is on them.
According to the company the key on the card is rotated every time its used, so would be interesting to verify this.

This is the card:
proxmark3> hf 14a read
UID : c9 22 c0 1b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO

So I start of as I usually do, with a darkside attack
This one responds a bit differently then the other cards I have tried on

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000005| 8 |  d  |0,0,0,0,0,0,0,0|
| 20 |00000025| 3 |  6  |0,0,0,0,0,0,0,0|
| 40 |00000045| 9 |  c  |0,0,0,0,0,0,0,0|
| 60 |00000065| 9 |  c  |0,0,0,0,0,0,0,0|
| 80 |00000085| 3 |  6  |0,0,0,0,0,0,0,0|
| a0 |000000a5| 6 |  3  |0,0,0,0,0,0,0,0|
| c0 |000000c5| 3 |  6  |0,0,0,0,0,0,0,0|
| e0 |000000e5| 4 |  1  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...
p1:a46 p2:511c p3:0 key:fb30276c0d3d
p1:f40 p2:7918 p3:1 key:f8d49565043c
p1:1108 p2:8645 p3:2 key:f8069c24c61d
p1:1751 p2:b965 p3:3 key:f504abfa2417
p1:1f94 p2:fc19 p3:4 key:f112d11b0149
p1:2373 p2:11afc p3:5 key:ef3522897c48
p1:2e2f p2:170d5 p3:6 key:ea1470f26682
p1:3284 p2:193e6 p3:7 key:e7ffcabbed4a
p1:329f p2:194fc p3:8 key:e7f0d8cc8e40
p1:383c p2:1c450 p3:9 key:e5238051f6fd
p1:3aef p2:1dabb p3:a key:e3d15531d141
p1:3e84 p2:1f72c p3:b key:e22847044d8b
p1:42d4 p2:21ac4 p3:c key:e00f34333d85
p1:4443 p2:226a0 p3:d key:df57b6d7bb13
p1:58c7 p2:2ceee p3:e key:d56110bb0f37
p1:5ae4 p2:2ddbc p3:f key:d47bb574e8e4
p1:5e06 p2:2f56f p3:10 key:d316ec8ea3fd
p1:5fbf p2:303ae p3:11 key:d2422efba7b1
p1:604d p2:3079e p3:12 key:d207aa8c47bd
p1:63ec p2:323b1 p3:13 key:d05827afeb60
p1:68bc p2:34778 p3:14 key:ce28d3605e62
p1:7af3 p2:3d6aa p3:15 key:c59ae88fb4dd
p1:8522 p2:42498 p3:16 key:c1001d72cffe
p1:8650 p2:42e4e p3:17 key:c06becb1d0ee
p1:8de0 p2:46b23 p3:18 key:bccd058f3544
p1:93a7 p2:499ab p3:19 key:ba15737c1eb3
p1:93f4 p2:49cb2 p3:1a key:b9e86d2fe9a5
p1:96b7 p2:4b2a0 p3:1b key:b89bb974b93e
p1:9972 p2:4c910 p3:1c key:b744b4d15602
p1:99b6 p2:4cb20 p3:1d key:b7280d23e078
p1:9c9e p2:4e0db p3:1e key:b5da16a50440
p1:a5e4 p2:52d41 p3:1f key:b150a3c55f78
p1:cbc8 p2:658ad p3:20 key:9f91f601821e
p1:d534 p2:6a30f p3:21 key:9b2dda0265b6
p1:de49 p2:6e8eb p3:22 key:970a39620665
p1:ef39 p2:76cfa p3:23 key:8f2d909ba313
p1:f11b p2:77b4a p3:24 key:8e55e9a2c64d
p1:fcc9 p2:7d595 p3:25 key:88f55e46b929
p1:107f2 p2:82e2b p3:26 key:83aaf9096156
p1:10f1b p2:8680c p3:27 key:8035cec08680
p1:10f26 p2:8685b p3:28 key:803139ef2ab7
p1:111f5 p2:87c96 p3:29 key:7ef90b6347ea
p1:1168a p2:89f92 p3:2a key:7ce1edf769d5
p1:11d47 p2:8d828 p3:2b key:7985bda0e03d
p1:1270a p2:9245f p3:2c key:75043191e9e7
p1:1281c p2:92d03 p3:2d key:7482c70e6ae4
p1:129a3 p2:93a46 p3:2e key:73b6def10d40
p1:12a74 p2:940ad p3:2f key:735439ca49ef
p1:12acf p2:9437f p3:30 key:73285c3eee8a
p1:12aff p2:944a8 p3:31 key:7313568cf2d0
p1:12c9d p2:95044 p3:32 key:725b3e80c06a
p1:1338d p2:9879f p3:33 key:6f0ff441e7ee
p1:139dc p2:9b801 p3:34 key:6c3aa1feec3a
p1:13e87 p2:9ddd0 p3:35 key:69fb7b7cd8ee
p1:14881 p2:a2b38 p3:36 key:65568b4be13a
p1:15194 p2:a72e6 p3:37 key:61025ad4ad66
p1:15466 p2:a891d p3:38 key:5fad419f7d97
p1:15594 p2:a9219 p3:39 key:5f236df6b283
p1:16833 p2:b2530 p3:3a key:565bb85a0fe0
p1:16b77 p2:b3f90 p3:3b key:54cb4a08a24f
p1:173d0 p2:b836a p3:3c key:50d0230222fe
p1:181a0 p2:bf0e4 p3:3d key:4a412d7fa6b9
p1:1936f p2:c7992 p3:3e key:42179d35fa92
p1:19588 p2:c8827 p3:3f key:41375bd91cde
p1:195a0 p2:c8935 p3:40 key:41267fc4a72b
p1:1a748 p2:d1604 p3:41 key:38d2b17af19c
p1:1bb91 p2:db503 p3:42 key:2f6022158248
p1:1bbaf p2:db5e9 p3:43 key:2f52254f0515
p1:1be93 p2:dcc91 p3:44 key:2e0062d95bd8
p1:1c0ff p2:de114 p3:45 key:2cca1051b4f3
p1:1c1b7 p2:de66d p3:46 key:2c786ec29965
p1:1ce16 p2:e47ca p3:47 key:26b0d2970f3a
p1:1e88b p2:f17e9 p3:48 key:1a4888c02a97
p1:1eae7 p2:f2a92 p3:49 key:1927bb798cc2
p1:1ef52 p2:f4d4b p3:4a key:171785a0b674
p1:1f240 p2:f657c p3:4b key:15ab1dfcd274
p1:2008c p2:fdb2f p3:4c key:0ead5edf383e
p1:20394 p2:ff2f0 p3:4d key:0d4b8161938d
p1:2092d p2:101e8d p3:4e key:0ab75a454a3b
p1:213d7 p2:107336 p3:4f key:05ace272aff4
p1:215db p2:108297 p3:50 key:04bfb2a62cad
p1:21e2d p2:10c5b8 p3:51 key:00c3562f16f6
p1:21e98 p2:10c8fa p3:52 key:0094363fa614
key_count:83
------------------------------------------------------------------
Found valid key:69fb7b7cd8ee

Ok seems like it found an A key anyway after a bit of hassle.

So lets try a nested attack using this A key

proxmark3> hf mf nested 1 0 a 69fb7b7cd8ee d
Testing known keys. Sector count=16
nested...
Time in nested: 20.607 (inf sec per key)

-----------------------------------------------
Iterations count: 0


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...

Hmm, wait a minute. One of the A keys were 69fb7b7cd8ee, but now its saying they are all ffffffffffff?

Okay, so lets try and dump the card with the keys suggested, all ffffffffffff

proxmark3> hf mf dump
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  0. Trying with defaults...
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  1. Trying with defaults...
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  2. Trying with defaults...
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  3. Trying with defaults...
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  4. Trying with defaults...
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  5. Trying with defaults...
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not get access rights for sector  6. Trying with defaults...
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# Authentication failed. Error card response.
#db# Auth error
#db# READ BLOCK FINISHED
Could not read block  0 of sector  0
proxmark3>

Nope, that didnt work, as expected.

So what is happening here?

Also something worth mentioning is that if I try to use the A key with mf hf chk it doesnt work

proxmark3> hf mf chk *1 A 69fb7b7cd8ee
chk key[ 0] 69fb7b7cd8ee
--sector: 0, block:  3, key type:A, key count: 1
--sector: 1, block:  7, key type:A, key count: 1
--sector: 2, block: 11, key type:A, key count: 1
--sector: 3, block: 15, key type:A, key count: 1
--sector: 4, block: 19, key type:A, key count: 1
--sector: 5, block: 23, key type:A, key count: 1
--sector: 6, block: 27, key type:A, key count: 1
--sector: 7, block: 31, key type:A, key count: 1
--sector: 8, block: 35, key type:A, key count: 1
--sector: 9, block: 39, key type:A, key count: 1
--sector:10, block: 43, key type:A, key count: 1
--sector:11, block: 47, key type:A, key count: 1
--sector:12, block: 51, key type:A, key count: 1
--sector:13, block: 55, key type:A, key count: 1
--sector:14, block: 59, key type:A, key count: 1
--sector:15, block: 63, key type:A, key count: 1

But if I let it try the default keys, including ffffffffffff it matches on ffffffffffff

proxmark3> hf mf chk *1 ? d
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block:  3, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:A, key count:13
Found valid key:[ffffffffffff]
--sector: 0, block:  3, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 1, block:  7, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 2, block: 11, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 3, block: 15, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 4, block: 19, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 5, block: 23, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 6, block: 27, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 7, block: 31, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 8, block: 35, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector: 9, block: 39, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:10, block: 43, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:11, block: 47, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:12, block: 51, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:13, block: 55, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:14, block: 59, key type:B, key count:13
Found valid key:[ffffffffffff]
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.

Feels like I am missing something. Why would darkside give one key, and chk and nested give only ffffffffffff? And key that doesn't work to dump the card content with after.

Offline

#2 2016-06-17 21:29:30

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Are you using the latest PM3 master from GitHub?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2016-06-18 08:21:42

jontaa
Contributor
Registered: 2016-06-17
Posts: 12

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Hello!

This is solved, but probably someone might save some time if I explain how I ended up where I did.
So when I got my proxmark I followed the instructions at:
https://github.com/Proxmark/proxmark3/wiki/Windows

Most of the instructions are straight forward, you download your ProxSpace, which is your support tools like mingw etc.
You then fetch the latest proxmark3 sourcecode and build it.

Where it gets a little fuzzy is when you need to fetch the drivers from a code.google.com project also called proxmark3, and a file called pm3.bin-756 (cdc+lua)
I did that, and installed the drivers successfully.

The guide also mentions you should run the bat files in the pm3.bin-756 folder: FLASH - Bootrom.bat,  FLASH - FPGA fullimage.bat, FLASH - OS.bat
Here are two problems. One: The fullimage should according to what I have read include the OS image. Two: You are now flashing quite old firmware from the pm3-bin-756 branch, when the guide is for how to use the github branch. This caused me to get unexpected results.

When realizing this, only after reading a good comment from Iceman in regards to his iceman fork I tried to flash the bootloader and fullimage from the github project following instructions here: https://github.com/Proxmark/proxmark3/wiki/compiling
It mentions sudo ./flasher -b ../bootrom/obj/bootrom.elf, which in windows should be flasher.exe -b COMX ../bootrom/obj/bootrom.elf
Here I got stuck on a silly thing, where you are supposed to use the syntax flasher.exe COM3 -b ../bootrom/obj/bootrom.elf instead.

Anyway, with all that sorted I now get predictable restuts and my version is now:
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-203-g83f11cc-suspect 2016-06-17 19:52:42
os: master/v2.2.0-203-g83f11cc-suspect 2016-06-17 19:52:47
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

Using with the code from github.

Maybe this will help someone in the future!

Also, it turns out that these were the true keys:
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 69fb7b7cd8ee | 1 | ffffffffffff | 1 |
|001| 28b676631457 | 1 | ffffffffffff | 1 |
|002| 18a2e2cfc483 | 1 | ffffffffffff | 1 |
|003| f97737021556 | 1 | ffffffffffff | 1 |
|004| 6be5251007c4 | 1 | ffffffffffff | 1 |
|005| 5d2beb9489c8 | 1 | ffffffffffff | 1 |
|006| 5ae4241106c5 | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|

So it was close : )

Offline

#4 2016-06-18 08:42:44

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Good to hear that your issues is solved.

If you look under the folder "drivers" in the github project,  you'll find all needed drivers...

It seems like the wiki instructions would need some updating.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2016-06-18 08:44:16

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

To follow up, is the keys rotated after one usage?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#6 2016-06-18 10:28:52

jontaa
Contributor
Registered: 2016-06-17
Posts: 12

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Ah that explains it.

I am not in the house that uses the lock today, but I will check it next week and report back. I wonder if they rotate the A/B keys, or only rotate some identifier in the data.
I assume the goal of the security is so that if the key is copied the copy will be rendered useless after the original key has been used again after the copy.
So with that in mind I guess its enough to change some unique identifier in the data after each use and keeping track of what each key has at the moment.
I wonder why they have a key on 7 sectors, and how much on them actually change.

To be continued!

Offline

#7 2016-08-22 10:22:49

xLostx
Contributor
Registered: 2016-07-22
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Hi,

I am a bit curious about this thread.
I have a Yale doorman V2N, with the new mifare tags.

Have you managed to get a dump of the contents of the tag?
If so, i believe that the dump can make regular mifare tags to work with yale.

And as i don't have Proxmark 3 just yet, only a ARC 122 reader.

Is there a possibility if you got a dump of the tag make it available for download to test if i can make a non yale tag to work with the door.


Regards

Last edited by xLostx (2016-08-22 10:23:52)

Offline

#8 2016-08-22 10:31:33

jontaa
Contributor
Registered: 2016-06-17
Posts: 12

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Hello!

I do have a dump of the key, but I havent used the key after that, as the goal was to see if they key data on it did indeed change it.
Is your goal to get a normal mifare 2k classic card to work with your door, or a card that can change the S/N also? I am not sure but I assume it would look at the S/N as well as the codes on the card.

Offline

#9 2016-08-22 13:30:40

xLostx
Contributor
Registered: 2016-07-22
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Hi,

As i dont have a dump of a tag, i dont know whats in it.
But sector 0 - 7 probably as you say contains a S/N and a payload for yale doorman to recognize it as a yale tag.
May be a S/N as you say.

My first thing is i want to make a dump of the tags myself.
This to get understanding how yale works.
And able to change S/N to make it uniqe, if thats the identifyer.

What i want to accomplish is to be able to brand a normal non yale tag so that it gets accepted with the system.
Being able to buy a special tag of some for example cartoon for the kids to enjoy better then the standard.
And not that obvious that it goes to my kids (my) door at home if he looses.

Last edited by xLostx (2016-08-22 13:42:29)

Offline

#10 2016-08-22 20:10:42

jontaa
Contributor
Registered: 2016-06-17
Posts: 12

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Hello!

I previously emailed the maker of yale doorman who replied that they use sector 0-6.
The major obstacle I believe is the serial number (UID) of the tag. The only way I know if having a mifare classic tag that can change the UID is a special kind, called "chinese magic cards"
I bought a few of those and seemed to work okay, however they are all in the form of blank white cards. I dont know of any that are in the shape of cartoons or similar.

So what you need to see is:

1. Dump the content of one of your tags and put it on a random other mifare classic card. If this works then you are in the clear. Then that would mean the system only checks sector 1-6 only and doesnt check the UID which is in sector 0.

If this doesnt work, then I think the only option is to dump the key to a special "chinese magic card" on which you can change the UID as well. If you do that the reader should not be able to tell the difference between the real key.

Offline

#11 2016-08-23 09:55:13

xLostx
Contributor
Registered: 2016-07-22
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Exactly,

I dont think the system has all its UID's in the database, that would need a bigger memory then what is fitted in the yale doorman.
I think it is the payload in sector 0 - 6 that identifies it as a yale doorman tag. And as long it has that, any mifare card can work as a tag.

The thing is i can only do basic micare classic dumps with mfoc.
As that dosent work on the yale tag. And my basic skills ends there.

If you would be so kind and direct me to the darkside (phun intended), how to crack the security of yale tags.
Do i need Proxmark 3, or is it doable with any mifare writer/reader.
And/Or post the yale dump, to write on empty mifare tags, meanwhile i try to figure out the use of darkside, and hardware required.

Offline

#12 2016-08-24 16:10:04

jontaa
Contributor
Registered: 2016-06-17
Posts: 12

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

True they probably don't know all the UIDs, but I would expect then to use the UID in their proprietary data they have in the sectors 1-6 since its a very easy thing to do and it would make it harder for someone to make a copy, which is something they want to prevent.

As for dumping it, it is the same as any mifare classic card using the nested and darkside attacks.
I think it could be performed withouth a proxmark 3, as long as you can make a dump of the card in another way.
With the proxmark I first dump the encrypted content of the card to a file, and then work with the tools included in the software against the file to recover the keys and decrypt the data.
But even if you decode the data it will be unreadable by you unless you also know how the data is structured. Otherwise you are just reading HEX values.

Offline

#13 2017-04-26 15:11:28

xLostx
Contributor
Registered: 2016-07-22
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

As of the new version in 2016 the so called V2N
They have some new tags.
What i have tested and understand is that they may be Mifare Classic Plus or has a security mechanism
to prevent darkside attack.
It says mifare Classic when i scan/list the tag

The tags i have is the V2N they are not backwards compatible with V1 or V2.
As V1 and V2 tags works with V2N.

As described below:
http://www.yale.se/sv/yale/yalese/support/category-yale-doorman/uppfyller-yale-doorman-kraven-for-godkand-lasenhet/

Is there something else i can try to get the dump/payload on it to try to understand it with a HEX editor?
what i use is mfoc, https://github.com/nfc-tools/mfoc
and mfcuk, https://github.com/nfc-tools/mfcuk

Theese are very old technics
and cant get the A and/or B keys

Last edited by xLostx (2017-04-26 15:16:19)

Offline

#14 2017-04-27 12:17:29

jackque
Contributor
Registered: 2017-04-27
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

V1 AND V2 tags mifare classic algo is key disverfication + roll code key A and B each sector represents one yale doorman lock
sector 0 16 byte payload is tied to all key A and B and UID. Looking at entropy of 20 samples payload might be encrypted with aes
only way to know sure to dump mcu code.

V2N tags might use simmilar algo new tags are not vulnerable mfoc or mfcuk.

Offline

#15 2017-05-29 09:57:47

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Just got my hand on a Yale Doorman keyfob. Don't know the version of the lock.
However its a Mifare Classic 1k,   nested attack works.   Several sectors with default key.

Don't know if tag was used on a lock but the data dump shows only sector 0-6 with custom A-keys. 
On this tag the relevant sector data is :

d1d43d556d08040001dee92c71326e1d
100095522afd822d34200124c3c8dd7f
02020700000000000000000000000000
8735b5b2d600ff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
c486fef9e01cff078069ffffffffffff
b8a2e701030000000000000000000000
63eb3d7cd00000000000000000000000
00000000000000000000000000000000
98da82fff460ff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
37f1292ad34fff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
ebad85868f23ff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
d99bf3fee511ff078069ffffffffffff
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
afe991928b77ff078069ffffffffffff

Sector 0 and 2 has some data.  Doesn't look encrypted. Sector 2 doesnt look checksumed.  Sector 0 might be.

p.s.
Yeah I know u see the uid, but you don't know where this keyfob goes anyway....


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#16 2017-05-29 16:52:05

jackque
Contributor
Registered: 2017-04-27
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

That's a early V1 tag uid is checksummed with block 1 for sure 100095522afd822d34200124c3c8dd7f flipping 1 bit uid (bcc is corrected too) or block 1 and adding tag will fail, also key A  for all 7 sectors has some algo could be tied to uid and block 1 or something else. 020207 probably has to with number of locks the tag is used in. That tag has been used in a lock btw anyways I kinda gave up figuring out the algo long time ago might do simple hardware hack instead with arduino mini pro and rc522.

Offline

#17 2017-05-29 19:55:43

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Not sure I follow your toughs,   uid - checksumed w block1, flipping 1bit uid, or block1, and adding tag will fail.   Are you trying to explain the purpose of a checksum? 

Keygen-algo for the 7 keyA, is most likely,  I've heard somewere the keyA should rotate with each usage of the key on lock. Impliciting uid, num-of-usage in keygen algo.

I also heard each sector is a key ?!? meaning a lock can have 7 keys?!?  It would be fun to verify all of this, instead of pure guesses and hearsay.

For keygen-algo, much more samples is needed.   Sadly I don't have access to the lock.  400€ is a bit too much for a hobby-research.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#18 2017-05-31 17:11:32

jackque
Contributor
Registered: 2017-04-27
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

After some testing unlocking and locking block 1 unchanged, also all 7 key A unchanged.
Unused tag have empty sectors and with bytes written in 2 sectors block 2 is 030307.
It dosent look like a weak keygen scheme likes simple xor and add etc...

Offline

#19 2017-05-31 18:53:56

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

well, you might just get the keys,  unlock/lock,  get the keys and repeat until you have a good dataset.  With that dataset you can start analysing if there is some obvious algo...


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#20 2017-06-01 19:09:11

jackque
Contributor
Registered: 2017-04-27
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Well I back in 2015 I dumped 5 of these tags and analyzed it without any luck both differential and basic cryptanlysis.
Anyways for me its just a hobby too, will opt for a hardware hack later and use my own algo.
V1 tags are vulnerable to card only attacks anyways.

Offline

#21 2017-06-01 21:17:05

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

since they are mifare classic tags,  with a default key,  all versions is subject to hardnested attack (card only aswell)

Share the dumped tags?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#22 2017-06-01 21:57:30

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

all versions is subject to hardnested attack

Could be misunderstood. hardnested will NOT work for old Mifare Classic cards. You need to use hf mf nested for those.

Offline

#23 2017-06-02 08:51:15

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

wut?  hardnested doesnt work on the old cards?  the parity information leakage (or bit flip properties?) existed before the improved prng? no?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#24 2017-06-09 23:03:22

jackque
Contributor
Registered: 2017-04-27
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Sure iceman how about 20$ for 4 dumped tags?.

Offline

#25 2017-06-10 07:44:23

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

hehe, why not bring in capitalism? How about next time you ask a question, I'll charge 200$ for the answer.   Every time you want support on the firmware,  I'm gonna ask 1000$ for it.

I think your chances of getting help here or on github from me is very limited as of now.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#26 2017-06-10 12:12:40

jackque
Contributor
Registered: 2017-04-27
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

First off big open source projects usally have some monetizing scheme (capitalism) paid support or some other revenue stream.
The fact that you want donate your time and effort for open source for free is great, thank you. But what makes you think that I need your help by trade i'm EE 11 years now and obviously I know other experienced RF engineers and also developers that work with fpga development for work (capitalism). Software development for me has always been a hobby for for 9++ years now in both ASM (x86-x64), C, C++. Needless to say I've written and solved my fair share of KeygenMes too.

Offline

#27 2017-06-10 13:04:21

iceman
Administrator
Registered: 2013-04-25
Posts: 6,277
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

I'm looking forward to see your contributions.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#28 2017-06-10 14:02:46

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

That is not a nice way to getting thing processing forward @jackque, calm down and try see thing for a minute from different perspective, you may not be that bitter any more. I dont think there is a language barrier here ...

there is a joke went bad, no need to escalate the situation let resolve it in different way ... sorry is the hardest word to say

Last edited by ntk (2017-06-10 14:06:03)


modhex(ichbifhkhghuhehghkiehbihhkidifighgebecedfchihthbhkhrduhehvht)

Offline

#29 2017-06-12 05:25:24

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 178
Website

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

Ego ego ego flying all over. Come on. We are all experts at work.

You give a bit to the community, you take a bit from the community.

A lot of people forget about the word call 'reciprocate'.

We are not here to create problems yet solve problem.

Note: To some in this forum, money isn't an issue anymore.

@jackque

Experience, knowing people and being in the forum (asking for solution) are completely different factors to bring across.

We look at numbers and stats. All I see is 7 posts from you, 3511 posts from iceman and 618 posts from ntk.

No one owes anyone a living in this forum/life.

To think about it. If Jonathan Westhues didn't share the schematic design to proxmark3 first gen, we wouldn't even have this forum in the first place.

So be very thankful. smile


You live, you learn.
You give, you take.
You win, you lose.

Offline

#30 2017-06-22 06:32:54

samburner3
Contributor
From: Sydney AUS
Registered: 2015-03-01
Posts: 51

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

jontaa wrote:

I dont know of any that are in the shape of cartoons or similar.


https://www.aliexpress.com/item/5pcs-lo … 50853.html

Last edited by samburner3 (2017-06-22 06:34:14)

Offline

#31 2017-09-19 10:21:40

xLostx
Contributor
Registered: 2016-07-22
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

--- All my posts it about the new tag V2N ---
What i understand from this and has read else where it that it is in fact encrypted.

What i am interested in is not hacking/cracking the encryption.
I want to make any empty mifare tag to be recognized by the door.
But if it require to go more deeper with hacking the encryption so be it.
And what you have revealed its a god step in the encryption, thats great.

As i need to present the tag to the lock and initialize the tag before i can even use it, it still needs to be yale verified tag.
It means whatever encryption on it is reset when i add it to my lock/system, and is re encrypted for my lock. Yes/no?

What i am interested in is what tells the lock that this is a valid yale tag to be used with a yale lock, as an empty tag will not be valid/recognized.
And with that write that identification on an empty tag of my likings, to be recognized by the lock.

If someone have a V2N tag payload/dump, i am happy to test the dump on my lock and see if it works writing it on an empty mifare 1k tag.
PM me if you do.

Or guide me how to get the dump of one of my tags to elaborate with.
I do have a ARC122U reader im not familiar with the "new" hardnested attack.
I presume you need to read the transaction between the tag and reader to get the nounce ?
And with the transaction you can calculate the keys?
Is this possible with the ARC122U? and in that case, what is the prerequisite?

Offline

#32 2017-10-03 10:46:23

xLostx
Contributor
Registered: 2016-07-22
Posts: 7

Re: Darkside gives 69fb7b7cd8ee, but nested says they are all ffffffffffff

I managed to get a dump of the tag with hardnested attack.
Wow, it took quite some time for that one but it did get the job done.

I got the dump, wrote it on an empty mifare 1k generic tag.
Yale did not recognize it as a yale tag..Then it leaves me to dig a bit deeper.

Offline

Board footer

Powered by FluxBB