Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-06-19 21:09:08

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

where can I find the access rights that I can go through door 1 but n

Where can I find the access rights so that I can go through door 1 but not door 2?

door 1

32CFDA7D2D880400C823002000000018
6FDDF91119000000000000000000000 
00000000000000000000000000000000
A0A1A2A3A4A5787788C10D258FE90296
B2835267432EC4E3447D8691EF9ACE91
880016024CF7F45E0B0CA4FA43214B48
F53552204E542BB522E85647830000CA
CA17293E396778778801AAA2DD50E47
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
A0A1A2A3A4A578778800BD42DD50E37
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
EEB420209D0C78778800EEB420209D0C
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
911E52FD7CE478778800911E52FD7CE4
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
752FBB5B7B4578778800752FBB5B7B45
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
66B03ACA6EE97877880066B03ACA6EE9
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
48734389EDC37877880048734389EDC3
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
17193709ADF47877880017193709ADF4
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
1ACC3189578C787788001ACC3189578C
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
C2B7EC7D4EB178778800C2B7EC7D4EB1
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
369A4663ACD278778800369A4663ACD2
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF

door 2

222B26140E880400C844002000000018
7F015190519000000000000000000000
00000000000000000000000000000000
A0A1A2A3A4A5787788C10AAAFE902960E
BE0018E3003FFFFFFF4A463E604B9091
3D4B9ED44440F55C48E88E449BB0A8C7
15116473BED778778801611170D211CF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
A0A1A2A3A4A5787788056F2F70D211CF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
EEB420209D0C78778800EEB420209D0C
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
911E52FD7CE478778800911E52FD7CE4
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
752FBB5B7B4578778800752FBB5B7B45
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
66B03ACA6EE97877880066B03ACA6EE9
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
48734389EDC37877880048734389EDC3
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
17193709ADF47877880017193709ADF4
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
1ACC3189578C787788001ACC3189578C
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
C2B7EC7D4EB178778800C2B7EC7D4EB1
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
369A4663ACD278778800369A4663ACD2
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
FFFFFFFFFFFFFF078069FFFFFFFFFFFF

As soon as I change the access rights, what do I change on the key?

Or does it not change on the key?

Last edited by 3dmann (2019-06-23 11:30:18)


#2 2019-06-20 19:20:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: where can I find the access rights that I can go through door 1 but n

How about starting by comparing the two dumps? And start the data mapping process, i.e. figuring out which byte does what.


#3 2019-06-21 05:33:25

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: where can I find the access rights that I can go through door 1 but n

Thanks iceman.
Now I look at the sniff file, where I got the first two keys from the sniff process until the door was open, as well as the full key file and the json file from the chip.
Isn't there a clear position where the respective authorization must be? And the specifications of MIFARE Classic:
what must an authorization look like?

[usb] pm3 --> hf list mf
[+] Recorded Activity (TraceLen = 604 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2368 | Tag |04  00                                                                   |     |
   38983420 |   38984412 | Rdr |52                                                                       |     | WUPA
   38985680 |   38988048 | Tag |04  00                                                                   |     |
   39033580 |   39036044 | Rdr |93  20                                                                   |     | ANTICOLL
   39037248 |   39037888 | Tag |02                                                                       |     |
   39096300 |   39106764 | Rdr |93  70  11  bf  da  7b  FF  86  c3                                       |  ok | SELECT_UID
   39108000 |   39111520 | Tag |08  b6  dd                                                               |     |
   39158220 |   39162924 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
   39167760 |   39172432 | Tag |50  7e  70  6f                                                           |     | AUTH: nt
   39173836 |   39183148 | Rdr |76  30  dc  fc  1d  32  1f  68                                           |     | AUTH: nr ar (enc)
   39184416 |   39189152 | Tag |c9! 7e  2c! cc!                                                          |     | AUTH: at (enc)
   39213116 |   39217820 | Rdr |b3  dd  0d  3f                                                           |     |
            |            |  *  |                                              key a0a1a2a3a4a5 prng HARD  |     |
            |            |  *  |30  01  8B  B9                                                           |  ok | READBLOCK(1)
   39219088 |   39239888 | Tag |54! f5! c9  9d  16  fe  1f  1f! ee! 57! d6! d8! 43! 1c  d3! f8! 1a  da!  |     |
            |            |  *  |6F  01  51  90  51  90  00  00  00  00  00  00  00  00  00  00  0A  6D   |  ok |
   39296940 |   39301708 | Rdr |39  cb  25  71                                                           |     |
            |            |  *  |30  02  10  8B                                                           |  ok | READBLOCK(2)
   39302896 |   39323760 | Tag |c3  f2! a0  2a! 64  67! fe  0b  13! 50  a6! bf  67! ee  d2  48! 82! 51   |     |
            |            |  *  |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
   39381148 |   39385916 | Rdr |56  5c  6b  6a                                                           |     |
            |            |  *  |50  00  57  CD                                                           |  ok | HALT
   39438860 |   39439916 | Rdr |26                                                                       |     | REQA
   39485836 |   39486828 | Rdr |52                                                                       |     | WUPA
   39488080 |   39490448 | Tag |04  00                                                                   |     |
   39535996 |   39538460 | Rdr |93  20                                                                   |     | ANTICOLL
   39539648 |   39545472 | Tag |32  bf  da  7a  2d                                                       |     |
   39598700 |   39609164 | Rdr |93  70  11  bf  dd  3a  1d  86  c3                                       |  ok | SELECT_UID
   39610416 |   39613936 | Tag |08  b6  dd                                                               |     |
   39754444 |   39759212 | Rdr |60  04  d1  3d                                                           |  ok | AUTH-A(4)
   39763968 |   39768704 | Tag |6a  17  35  51                                                           |     | AUTH: nt
   39770060 |   39779372 | Rdr |7b  0b  e6  25  7e  e2  43  53                                           |     | AUTH: nr ar (enc)
   39780624 |   39785360 | Tag |ed! e4  0a! 7e!                                                          |     | AUTH: at (enc)
   39809468 |   39814236 | Rdr |9a  ce  c3  89                                                           |     |
            |            |  *  |                                              key ca17111e3997 prng HARD  |     |
  

Does the "Rdr" calculate by itself, by a mathematical solution, whether it may open door 1 and not door 2, or is it in plain text in the json file?

Last edited by 3dmann (2019-06-23 11:34:33)

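As an added example (not part of this thread and not Proxmark3 client code), here is a small Python script that answers the "what does the reader actually do" part of the question by reading an `hf list mf` trace like the one above. It walks the reader-side frames, decodes AUTH/READ/WRITE/HALT from the command byte rather than trusting the annotation column, and ignores tag replies and ciphertext frames, so that, for instance, the tag nonce `50 7e 70 6f` is not mistaken for a HALT. The sample rows are copied from the trace posted above and trimmed to the exchanges the parser needs; the block-to-sector mapping assumes a 1K card (4 blocks per sector).

```python
"""Summarise which sectors a reader authenticates to, and which blocks it
reads or writes, from a Proxmark3 `hf list mf` trace.

Added example for this thread; it is not part of the Proxmark3 client.
The sample rows are copied from the trace posted above.
"""

# MIFARE Classic command bytes (first byte of a reader frame).
AUTH_A, AUTH_B, READ, WRITE, HALT, REQA, WUPA = 0x60, 0x61, 0x30, 0xA0, 0x50, 0x26, 0x52

TRACE = """\
          0 |       2368 | Tag |04  00                                                                   |     |
   38983420 |   38984412 | Rdr |52                                                                       |     | WUPA
   39158220 |   39162924 | Rdr |60  00  f5  7b                                                           |  ok | AUTH-A(0)
   39167760 |   39172432 | Tag |50  7e  70  6f                                                           |     | AUTH: nt
   39213116 |   39217820 | Rdr |b3  dd  0d  3f                                                           |     |
            |            |  *  |                                              key a0a1a2a3a4a5 prng HARD  |     |
            |            |  *  |30  01  8B  B9                                                           |  ok | READBLOCK(1)
            |            |  *  |30  02  10  8B                                                           |  ok | READBLOCK(2)
            |            |  *  |50  00  57  CD                                                           |  ok | HALT
   39438860 |   39439916 | Rdr |26                                                                       |     | REQA
   39754444 |   39759212 | Rdr |60  04  d1  3d                                                           |  ok | AUTH-A(4)
"""


def parse_commands(trace):
    """Return a list of (op, block) tuples for every reader command.

    'Rdr' rows are plaintext only until the first AUTH; after that they are
    ciphertext, and the client's decrypted copy (if it knew the key) follows
    as a '*' row. Tag replies are skipped: the nonce 50 7e 70 6f would
    otherwise look like a HALT command.
    """
    cmds, encrypted = [], False
    for line in trace.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or cols[2] not in ("Rdr", "*"):
            continue
        try:  # '!' marks a parity error on a byte; strip it before decoding
            data = bytes(int(t, 16) for t in cols[3].replace("!", "").split())
        except ValueError:
            continue  # the "key ... prng HARD" note from the client, not bytes
        if not data:
            continue
        if cols[2] == "Rdr" and data in (bytes([WUPA]), bytes([REQA])):
            encrypted = False  # card re-activated: reader talks plaintext again
            continue
        if cols[2] == "Rdr" and encrypted:
            continue  # ciphertext frame; wait for the decrypted '*' row
        if data[0] in (AUTH_A, AUTH_B) and len(data) == 4:
            cmds.append(("AUTH-A" if data[0] == AUTH_A else "AUTH-B", data[1]))
            encrypted = True
        elif data[0] == READ and len(data) == 4:
            cmds.append(("READ", data[1]))
        elif data[0] == WRITE and len(data) == 4:
            cmds.append(("WRITE", data[1]))
        elif data[:2] == bytes([HALT, 0x00]):
            cmds.append(("HALT", None))
            encrypted = False
    return cmds


def sectors_touched(cmds, blocks_per_sector=4):
    """Map sector -> key slot used and blocks read/written (1K: 4 blocks/sector;
    the upper sectors of a 4K card have 16 and need a different mapping)."""
    summary, current = {}, None
    for op, block in cmds:
        if op.startswith("AUTH"):
            current = block // blocks_per_sector
            summary.setdefault(current, {"key_slot": op[-1], "read": [], "write": []})
        elif op in ("READ", "WRITE") and current is not None:
            summary[current][op.lower()].append(block)
        elif op == "HALT":
            current = None
    return summary


if __name__ == "__main__":
    for sector, info in sorted(sectors_touched(parse_commands(TRACE)).items()):
        print(f"sector {sector}: key {info['key_slot']}, read {info['read']}, write {info['write']}")
```

Run on the posted trace this reports that the reader authenticated sector 0 with key A and read blocks 1 and 2, then halted, re-selected the card and authenticated sector 1 with key A. That is the reader's read list; whether the open/deny decision is then made in the reader or by a back end is not visible in the trace.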

#4 2019-06-21 06:17:40

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: where can I find the access rights that I can go through door 1 but n

@3dmann
Mifare is simply a storage system.  Depending on the mifare type it will have a set of features.
In a basic view think of it like this.
Mifare Classic 1 K
There are 16 Sectors (0-15), each sector having 4 blocks.
Sector 0 is a little different from the rest as Block 0 stores the UID and some other data.
The 4th block in every sector holds the keys and what those keys can do on that sector.
The remaining blocks can store whatever the vendor/user wants in whatever format they want (as long as it fits).
In short, that is what the mifare does/is.

Now, let's think about an access system.
When you present the card to the reader, the reader will read whatever it has been told to, using the keys it has been told to use. It will do this in line with the protocol of the system and the cards it uses.
The reader MAY have enough data to tell the door to open, OR it may pass that data to a bigger back end system for the answer.
How this works is up to the system in use and how that system is setup.

So, for example.
You MAY have a list of Door IDs on the card in one or more of blocks.  The Door IDs MAY be in clear OR they may be encrypted (nothing to do with the mifare).
Then again the card MAY not have any Door IDs and rely on a back end system/database to decide.

e.g. (And this is a made up example)
1. Card is placed on reader.
2. Card Sends UID to reader.
3. The reader sends the UID to the back end and asks "Is this UID one of our valid users?"
3. The back end could respond and say No.  End transaction.  or Yes, but lets check.
4. The reader could then read the data from blocks 4,5,6 (for example) and send that data, as is, to the back end server.
5. The back end then "decodes" that data and is happy the data is valid.
6. The back end could then lookup a database for UID (or data from step 5) and find out if that ID can open door X.
7. If yes, then the reader is told to open the door, or No, don't open.

So when looking at these things you need to work out HOW the system works (homework and testing).

Part of the process is working out where things might be and working out how to find out more information.
e.g. At a very quick look at the two dumps.
The UID and other block 1 data is different.
The Data and keys to Sector 1 are different
The keys to Sector 2 are different.
The rest is the same.
So, if it's based on data on the card and it does not get access, it's not going to be anything that is the same.

See if you can work out from your data what I am talking about.
That said, what is of some interest (to me) is why the data in block 1 is the same, interesting, but no meaning yet.


#5 2019-06-21 07:20:01

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: where can I find the access rights that I can go through door 1 but n

Thank you for your detailed reply.
Now I can continue testing.
Yes, all doors here are based on the same system, so I think that is why the content in block 1 is the same:
"6F0FFFDD519"
I have a total of 7 chips for the 3 doors, and the number in block 1 is always the same.

Last edited by 3dmann (2019-06-23 11:35:02)


#6 2019-06-21 12:10:37

Mackwa
Contributor
Registered: 2016-06-10
Posts: 51

Re: where can I find the access rights that I can go through door 1 but n

You should probably pay more attention to blocks 4 - 7 (in sector 1; counting begins with 0).

door1:

B28AABAB8A1EC4E3447D8691EF9ACE91
8800160A5CF7F45E0B0CA4FAEFD14B48
F53553F04E542BB5DEE85647830000CA
CA17293E396778778801ABD42DD50E37

door2:

2F25253E31017906ECE8922C7532528E
BE0018E30034F0D32D4A463E604B9091
3D4B9EDB8CB0F55C48E88E449BB0A8C7
15CF6473BED7787788016F2F70D211CF

- different sector 1 keys for the two cards
- different data in blocks 0-3 of sector 1

What about the other cards you have?


#7 2019-06-21 16:58:33

3dmann
Contributor
From: BRD- Deutschland
Registered: 2019-05-18
Posts: 43

Re: where can I find the access rights that I can go through door 1 but n

Search at door 1 chip 1 + 2 for equality with door 2 chip 1 in the blocks, to see where to find the door ID.
Only I do not see it yet.


door 1 chip 1 + chip 2

door 1 chip 1

Why are chip 1 + 2 for door 1 so different?

    "0": "FFFFFFFF2D880400C823002000000018",
    "1": "9FDDDD111519000000000000000000000",
    "2": "00000000000000000000000000000000",
    "3": "A0A1A2A3A4A5787788C10FFFFFE90211",
    "4": "B28AAFFFFF1EC4E3447DFFFFFFFACE91",
    "5": "8800160A5CF7F45E0B0CA4FAEFD14B48",
    "6": "F51111F04E542BB5DEE85647811100CA",
    "7": "CA17293E396778778801ABD42DD50E99",
    "8": "00000000000000000000000000000000",
    "9": "00000000000000000000000000000000",
    "10": "00000000000000000000000000000000",
    "11": "A0A1A2A3A4A578778805ABD42DD50E37",

door 1 chip 2

    "0": "1FFFFF7AB1880400C823002000000018",
    "1": "9F015DDD5119000000000000000000000",
    "2": "00000000000000000000000000000000",
    "3": "A0A1A2A3A4A5787788C10D2FFFE90296",
    "4": "56EDBCC3CC6EA88F2247DF0A0A62C54A",
    "5": "04001FFFFCF7F45E0B0CA4FAEFD14B48",
    "6": "F53551114E542BB5D1111647830000CA",
    "7": "5A00000771EE7877880166034A04DDD7",
    "8": "00000000000000000000000000000000",
    "9": "00000000000000000000000000000000",
    "10": "00000000000000000000000000000000",
    "11": "A0A1A2A3A4A57877880566034A0424B7",

door 2 Chip 1

    "0": "EDDDDB3A72880400C823002000000018",
    "1": "9F01FFF4419000000000000000000000",
    "2": "00000000000000000000000000000000",
    "3": "A0A1A2A3A4A5787788C10D333FE90AA6",
    "4": "2AE551E5333DDFFAAFEA0DCA6C8B41EA",
    "5": "BD00160A5CF7F45E0B0CA4FAEFFFFF48",
    "6": "F53553F04EFF2BB5DEE85FF7830000CA",
    "7": "CE1DFF7C754D78778801981DD8FF7DB6",
    "8": "00000000000000000000000000000000",
    "9": "00000000000000000000000000000000",
    "10": "00000000000000000000000000000000",
    "11": "A0A1A2A3A4A578778805981DD8357DB6",

Last edited by 3dmann (2019-06-23 11:40:25)

