Proxmark3 developers community

#1 2019-11-25 20:18:26

iceman
Administrator

Yale Doorman V2N

A thread about the Yale Doorman V2N.

Other threads that have gone into this subject, for reference:

http://www.proxmark.org/forum/viewtopic.php?id=3216


I decided, with the help of my patrons, to buy a Yale Doorman V2N door lock.
https://twitter.com/herrmann1001/status … 64672?s=20


It came with three keyfobs. No markings on them besides the "Yale" text logo.
Link to a rar archive with the dumps:
http://www.icesql.se/proxmark3/traces/y … _dumps.rar

The keyfobs are old MIFARE Classic S50 1K cards. As seen, darkside/nested works.

[usb] pm3 --> hf 14a info
 UID : BA 5C 84 4B
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: WEAK
[usb] pm3 -->
[usb] pm3 --> hf mf autopwn
[!] no known key was supplied, key recovery might fail
[+] loaded 23 keys from hardcoded default array
[=] running strategy 1

[+] Chunk: 1.3s | found 25/32 keys (23)

[=] running strategy 2

[+] Chunk: 1.3s | found 25/32 keys (23)

[+] target sector:  0 key type: B -- found valid key [  FF FF FF FF FF FF  ] (used for nested / hardnested attack)
[+] target sector:  1 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  2 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  3 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  4 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  5 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  6 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  7 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  7 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  8 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  8 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  9 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector:  9 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 10 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 10 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 11 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 11 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 12 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 12 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 13 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 13 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 14 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 14 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 15 key type: A -- found valid key [  FF FF FF FF FF FF  ]
[+] target sector: 15 key type: B -- found valid key [  FF FF FF FF FF FF  ]
[+] target block:  0 key type: A  -- found valid key [60961613b7e1]
[+] target sector:  0 key type: A -- found valid key [  60 96 16 13 B7 E1  ]
[+] target block:  0 key type: A
[-] Nested attack failed, trying again (1/10)
[+] target block:  0 key type: A
[-] Nested attack failed, trying again (2/10)
[+] target block:  0 key type: A  -- found valid key [c5a582131c05]
[+] target sector:  1 key type: A -- found valid key [  C5 A5 82 13 1C 05  ]
[+] target block:  0 key type: A  -- found valid key [c2220f786982]
[+] target sector:  2 key type: A -- found valid key [  C2 22 0F 78 69 82  ]
[+] target block:  0 key type: A
[-] Nested attack failed, trying again (1/10)
[+] target block:  0 key type: A
[-] Nested attack failed, trying again (2/10)
[+] target block:  0 key type: A  -- found valid key [1fffd241b05f]
[+] target sector:  3 key type: A -- found valid key [  1F FF D2 41 B0 5F  ]
[+] target block:  0 key type: A  -- found valid key [8323c4555a43]
[+] target sector:  4 key type: A -- found valid key [  83 23 C4 55 5A 43  ]
[+] target block:  0 key type: A
[-] Nested attack failed, trying again (1/10)
[+] target block:  0 key type: A  -- found valid key [02e2ff485942]
[+] target sector:  5 key type: A -- found valid key [  02 E2 FF 48 59 42  ]
[+] target block:  0 key type: A  -- found valid key [f55532a39cb5]
[+] target sector:  6 key type: A -- found valid key [  F5 55 32 A3 9C B5  ]

[=] found Keys:
|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  60961613b7e1  | N |  ffffffffffff  | D |
|001|  c5a582131c05  | N |  ffffffffffff  | D |
|002|  c2220f786982  | N |  ffffffffffff  | D |
|003|  1fffd241b05f  | N |  ffffffffffff  | D |
|004|  8323c4555a43  | N |  ffffffffffff  | D |
|005|  02e2ff485942  | N |  ffffffffffff  | D |
|006|  f55532a39cb5  | N |  ffffffffffff  | D |
|007|  ffffffffffff  | D |  ffffffffffff  | D |
|008|  ffffffffffff  | D |  ffffffffffff  | D |
|009|  ffffffffffff  | D |  ffffffffffff  | D |
|010|  ffffffffffff  | D |  ffffffffffff  | D |
|011|  ffffffffffff  | D |  ffffffffffff  | D |
|012|  ffffffffffff  | D |  ffffffffffff  | D |
|013|  ffffffffffff  | D |  ffffffffffff  | D |
|014|  ffffffffffff  | D |  ffffffffffff  | D |
|015|  ffffffffffff  | D |  ffffffffffff  | D |
|---|----------------|---|----------------|---|
( D :Dictionary / S :darkSide / U :User / R :Reused / N :Nested / H :Hardnested / A :keyA )

[=] saving keys
[+] Printing keys to binary file hf-mf-BA5C844B-key.bin ...
[+] Found keys have been dumped to hf-mf-BA5C844B-key.bin  --> 0xffffffffffff has been inserted for unknown keys.
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[=] downloading the card content from emulator memory
[+] saved 1024 bytes to binary file hf-mf-BA5C844B-data-4.bin
[+] saved 64 blocks to text file hf-mf-BA5C844B-data-4.eml
[+] saved to json file hf-mf-BA5C844B-data-4.json
[=] autopwn execution time: 19  seconds

The first six sector key A's are unique. Now the interesting part. I suspected that the keyfobs are using a keygen algo for those keys. After programming the keys into the system, the keys are the same. Also after using the keyfob, the keys stay the same. So that's not so bad for my purpose.


Goal:
Being able to generate my own "empty" keyfob.


Process:
Simulate UIDs in order to collect an interesting set of data to which I can apply some known tactics.


First I sniffed all traffic between the reader and a programmed keyfob, and also all traffic between the reader and an unprogrammed keyfob, and repeated it for the "programming keyfob into system" process.

Here I noticed the reader authenticates to S0, so it's time to bring out the hf 14a sim x command and see what happens.

Simulating an all-zeros UID, the reader happily tries to read sector zero. Excellent. Time to do the bit-shifting UID simulation to collect one-bit changes.


After all the data was gathered, it's quite clear what's going on. Some experiments and I got decent success in generating a key for any UID for sector 0. Some more tests and I got the keygen algo out. It's quite striking, so I give you some data to look at.

    01 23 45 67                      a a a a a0a
UID 80 00 00 00  Key A, sector 00: [02901015b183]
UID 40 00 00 00  Key A, sector 00: [c250d0d57143]
UID 20 00 00 00  Key A, sector 00: [a230b0b55123]
UID 10 00 00 00  Key A, sector 00: [9220a0a54113]

1 down,  5 to go....

Here the troubles start. The reader compares block1 and block2 before going on to read sector 1. If the data doesn't match up, it stops. Well, block2 isn't hard. Just copy it right off. Block1 seems to be a signature or something.
What to do?

Time to bring out hf mf sim

Load up emulator memory with an S0 from an unprogrammed tag and start simulating. When presenting the pm3, the reader reads B1/B2 and happily tries to authenticate to sector one. I was happy for 5 seconds until I noticed the reader does a nested authentication. I should have seen this before when sniffing the traffic. I went back and looked in my logs; sure enough, it's a nested authentication. Bugger.

Somehow time ran out and I haven't touched it since. Life has a tendency to get in the way.

During this process I found some bugs in pm3 commands. I haven't pushed the fixes for them yet.

Let's see if this will get others in the community excited enough to look at their own Yale Doorman locks.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

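The bit-shifted UID samples in the post above, run through the per-byte check one does on that kind of data. This is an added analysis example, not iceman's code and not the keygen algorithm (the post does not publish it): it only tests whether each key byte moves in lock-step with the UID byte that was varied, using the four (UID, key A) pairs quoted in the post as its input. Function names such as fit_add, fit_xor and byte_deltas are my own, and the additive relation it finds is only shown to hold for UID byte 0 over those four samples; the samples say nothing about how UID bytes 1..3 enter.

```python
"""Per-byte analysis of the four (UID, sector-0 key A) samples from the post.

Added example. It does not reproduce the lock's keygen algorithm; it shows the
check one runs on data collected by simulating one-bit-different UIDs: does
each key byte change in lock-step with the UID byte that was changed, and is
the relation additive (mod 256) or XOR?
"""

# Samples quoted in the post: only UID byte 0 varies, bytes 1..3 are zero.
SAMPLES = [
    ("80000000", "02901015b183"),
    ("40000000", "c250d0d57143"),
    ("20000000", "a230b0b55123"),
    ("10000000", "9220a0a54113"),
]


def _pairs(samples):
    return [(bytes.fromhex(u), bytes.fromhex(k)) for u, k in samples]


def byte_deltas(samples, uid_index=0):
    """For every sample after the first: the per-key-byte difference (mod 256)
    and XOR against the first sample, next to the same two values for the UID
    byte that was varied. A column that is constant across all six key bytes
    and equal to the UID column is the thing to look for."""
    pairs = _pairs(samples)
    ref_uid, ref_key = pairs[0]
    rows = []
    for uid, key in pairs[1:]:
        rows.append({
            "uid_delta": (uid[uid_index] - ref_uid[uid_index]) & 0xFF,
            "uid_xor": uid[uid_index] ^ ref_uid[uid_index],
            "key_delta": [(k - r) & 0xFF for k, r in zip(key, ref_key)],
            "key_xor": [k ^ r for k, r in zip(key, ref_key)],
        })
    return rows


def _fit(samples, forward, inverse, uid_index):
    """Generic test of key[i] == forward(base[i], uid[uid_index]) for a fixed
    6-byte base. base is recovered from the first sample with `inverse`, then
    every other sample must be reproduced exactly. Returns base or None."""
    pairs = _pairs(samples)
    uid0, key0 = pairs[0]
    base = bytes(inverse(k, uid0[uid_index]) for k in key0)
    for uid, key in pairs[1:]:
        if bytes(forward(b, uid[uid_index]) for b in base) != key:
            return None
    return base


def fit_add(samples, uid_index=0):
    """Hypothesis: key[i] == (base[i] + uid[uid_index]) mod 256."""
    return _fit(samples, lambda b, u: (b + u) & 0xFF,
                lambda k, u: (k - u) & 0xFF, uid_index)


def fit_xor(samples, uid_index=0):
    """Hypothesis: key[i] == base[i] ^ uid[uid_index]."""
    return _fit(samples, lambda b, u: b ^ u, lambda k, u: k ^ u, uid_index)


def predict_add(base, uid_hex, uid_index=0):
    """Key A under the additive hypothesis. Only meaningful for UIDs that differ
    from the samples in byte `uid_index` alone; the other UID bytes are not
    covered by the samples, so nothing here claims how they contribute."""
    uid = bytes.fromhex(uid_hex)
    return bytes((b + uid[uid_index]) & 0xFF for b in base).hex()


if __name__ == "__main__":
    for row in byte_deltas(SAMPLES):
        print(f"uid delta {row['uid_delta']:02x} xor {row['uid_xor']:02x} | "
              f"key delta {' '.join(f'{d:02x}' for d in row['key_delta'])} | "
              f"key xor {' '.join(f'{x:02x}' for x in row['key_xor'])}")
    print("additive base:", (fit_add(SAMPLES) or b"").hex() or "no fit")
    print("xor base:", (fit_xor(SAMPLES) or b"").hex() or "no fit")
```

On the four samples the XOR hypothesis breaks at the third sample (key byte 4 moves by 0xe0 under XOR while every other byte moves by 0xa0), whereas the per-byte modular difference equals the UID-byte difference in every row. Whatever the real algorithm is, it is at least consistent, for UID byte 0, with adding that byte into each key byte; more samples that vary the other three UID bytes would be needed before calling it anything more.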

#2 2020-01-11 10:58:48

Lowrider
Contributor

Re: Yale Doorman V2N

According to the specs, the fobs can only be used on six locks. Have you tried pairing it to another lock to see if any of the other keys change? I think it would make sense if sectors 1-6 are lock specific, and sector 0 contains the UID and information for the algorithm.


#3 2020-01-11 11:34:08

iceman
Administrator

Re: Yale Doorman V2N

No, I don't have access to more locks.
So one sector per lock would make sense then....



#4 2020-01-11 11:47:10

Lowrider
Contributor

Re: Yale Doorman V2N

If you provide a dump of a paired fob, I can try pairing it with my lock and take a new dump of it. Unless you have someone more adept; I'm pretty green. If I'm no help, then please just bluntly tell me.

I extracted the keys and successfully copied a fob. When I used the copy, the original was barred from the lock. I have not tried to pair it again, but I did a comparison between the original and the copy, which now has two more unlocks than the original, and the data in sector two changed:

Sector 2
A: bf 83 70 0a 4d 00 00 00 00 00 00 00 00 00 00 00
B: d2 c7 8c 56 d6 00 00 00 00 00 00 00 00 00 00 00
   ## ## ## ## ## -- -- -- -- -- -- -- -- -- -- --
A: ef 9a e0 3a b6 00 00 00 00 00 00 00 00 00 00 00
B: 8a 2f eb 8e c7 00 00 00 00 00 00 00 00 00 00 00
   ## ## ## ## ## -- -- -- -- -- -- -- -- -- -- --
A: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
B: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
A: ca 04 f2 df 87 9d ff 07 80 69 ff ff ff ff ff ff
B: ca 04 f2 df 87 9d ff 07 80 69 ff ff ff ff ff ff


A is the original, B is the copy. The key has, as you can see, not changed.

#5 2020-01-11 12:16:56

iceman
Administrator

Re: Yale Doorman V2N

Sure, just send me an email, so I know where to send the file.



#6 2020-01-11 12:18:36

Lowrider
Contributor

Re: Yale Doorman V2N

I edited my last post so as not to spam, but I see you replied after the edit. My mail is in my profile.

I copied one of your unpaired fobs and paired it to my lock. Block three changed:
A: 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
B: 02 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00

Then I used it to unlock once, block three and block nine changed:

Block three:
A: 02 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00
B: 02 02 07 00 00 00 00 00 00 00 00 00 00 00 00 00

Block nine:
A: 8a 2f eb 8e c7 00 00 00 00 00 00 00 00 00 00 00
B: 64 ad c4 c8 cc 00 00 00 00 00 00 00 00 00 00 00


There's more going on than just rotation (once again: I don't know much about these security measures); just ask if there's any information you want me to try and find from my lock. I have no clue how to start figuring out an algorithm.
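The before/after comparisons Lowrider posted in #4 (sector 2, original vs. copy) and #6 (blocks after pairing and after one unlock) are the same operation: a block-by-block diff of two 1K dumps taken at different points in the lock's life cycle. The following is an added example of that diff, not code from the thread or from the Proxmark3 client. The two dumps are constructed: 1024 zero bytes with sector 2 (blocks 8 to 11) filled from the "A: original / B: copy" lines of post #4, so the diff has something to find; the block layout assumed is the standard MIFARE Classic 1K one (16 sectors of 4 blocks, last block of each sector is the trailer). It reads the raw .bin format that hf mf autopwn saves above, so the same function applies to real dumps by replacing the constructed bytes with file contents.

```python
"""Block-level diff of two MIFARE Classic 1K dumps.

Added example. ORIGINAL and COPY are constructed from the sector-2 values in
post #4; everything outside sector 2 is zero-filled. A real pair of dumps is
read with open(path, "rb").read() on the hf-mf-<UID>-data.bin files.
"""

BLOCK_LEN = 16
BLOCKS_1K = 64           # 16 sectors x 4 blocks
DUMP_LEN = BLOCK_LEN * BLOCKS_1K


def sector_of(block):
    """Classic 1K only: every sector has 4 blocks."""
    return block // 4


def is_trailer(block):
    """Block 3 of each sector holds key A, access bits and key B."""
    return block % 4 == 3


def build_dump(blocks):
    """Return a 1024-byte dump, zero-filled except for the given {block: hex}."""
    buf = bytearray(DUMP_LEN)
    for blk, hexdata in blocks.items():
        data = bytes.fromhex(hexdata)
        if len(data) != BLOCK_LEN:
            raise ValueError(f"block {blk}: need 16 bytes, got {len(data)}")
        buf[blk * BLOCK_LEN:(blk + 1) * BLOCK_LEN] = data
    return bytes(buf)


# Constructed from post #4: sector 2 of the original fob (A) and of the copy (B).
ORIGINAL = build_dump({
    8:  "bf83700a4d0000000000000000000000",
    9:  "ef9ae03ab60000000000000000000000",
    10: "00000000000000000000000000000000",
    11: "ca04f2df879dff078069ffffffffffff",
})
COPY = build_dump({
    8:  "d2c78c56d60000000000000000000000",
    9:  "8a2feb8ec70000000000000000000000",
    10: "00000000000000000000000000000000",
    11: "ca04f2df879dff078069ffffffffffff",
})


def diff_dumps(before, after):
    """Compare two 1K dumps block by block.

    Returns one dict per differing block with the byte offsets that changed,
    and flags sector trailers so that a key or access-bit change stands out
    from a change in application data."""
    if len(before) != DUMP_LEN or len(after) != DUMP_LEN:
        raise ValueError("expected two 1024-byte MIFARE Classic 1K dumps")
    changes = []
    for blk in range(BLOCKS_1K):
        lo, hi = blk * BLOCK_LEN, (blk + 1) * BLOCK_LEN
        a, b = before[lo:hi], after[lo:hi]
        if a == b:
            continue
        changes.append({
            "block": blk,
            "sector": sector_of(blk),
            "trailer": is_trailer(blk),
            "before": a.hex(),
            "after": b.hex(),
            "offsets": [i for i in range(BLOCK_LEN) if a[i] != b[i]],
        })
    return changes


def trailer_keys(dump, sector):
    """(key A, access bits + GPB, key B) of a sector's trailer, as hex."""
    lo = (sector * 4 + 3) * BLOCK_LEN
    trailer = dump[lo:lo + BLOCK_LEN]
    return trailer[:6].hex(), trailer[6:10].hex(), trailer[10:].hex()


def print_report(changes):
    """Same '##'/'--' marker line per changed block as the forum posts use."""
    for c in changes:
        kind = "trailer" if c["trailer"] else "data"
        mask = " ".join("##" if i in c["offsets"] else "--" for i in range(BLOCK_LEN))
        print(f"block {c['block']:2d} sector {c['sector']:2d} {kind:7s} "
              f"{c['before']} -> {c['after']}")
        print(f"{'':31}{mask}")


if __name__ == "__main__":
    print_report(diff_dumps(ORIGINAL, COPY))
    print("sector 2 keys (copy):", trailer_keys(COPY, 2))
```

Running it over the constructed dumps reports blocks 8 and 9 changed in their first five bytes and nothing else, with the sector 2 trailer untouched, which is what post #4 states in prose ("the key has not changed"). On real dumps the useful habit is to diff every consecutive pair (fresh, after pairing, after each unlock) and keep the list of changed offsets per block; that is the raw material for the data-mapping iceman mentions wanting to do.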

#7 2020-03-11 04:09:37

Rosco
Contributor

Re: Yale Doorman V2N

@iceman:

I bought a Yale Doorman V2N of my own, to use with my MIFARE Classic implant. So I first cloned one of the tags that came with the lock onto a Chinese magic card, to check that it would work with the lock, and then I cloned another tag onto my implant. Both the clone card and my implant work fine.

But since I knew you wanted to reverse-engineer how the lock writes to the key each time the lock is unlocked (and I'm interested in doing that also), I kept a log of the changes on the clone card and on my implant at each step of the way. See this post on the DT forum to see what I did exactly.

Are you interested in the log?

#8 2020-03-11 07:01:00

iceman
Administrator

Re: Yale Doorman V2N

Of course I am interested in the log.


I haven't gotten much time for this lock. It sits on the desk as a constant reminder to me every day.
The idea was to figure out the keygen part.
Right now I would need better support for nested-authentication logs in the pm3 client in order to analyse its keygen algo as a black box more easily.
I don't wanna extract the firmware before that. With the firmware of the lock, the data mapping would be easier.

I see in your post over at DT that you got some parts mapped.
Good thing with your log.

#9 2020-03-11 08:54:49

Rosco
Contributor

Re: Yale Doorman V2N

I emailed you the tarball.
