Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-03-27 05:30:17

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

Card 1 - Access for only Sun 3/1/2020.
Card 2 - Access from 3/3/2020 - 3/8/2020.

Question - Is there a way to create a card that will have access with no time limit (infinitely)?
What would be the solution?

Card 1 - Access for only Sun 3/1/2020:

 

 0 2806cc49ab0804006263646566676869
 1 e9c0999f7b26c20be90d0d45a310fba9
 2 52000400010000000000000000000000
 3 e1f98f01e8aaff078069ffffffffffff
 4 2100010000000000000000c10000001e
 5 2100010000000000000000c10000001e
 6 00000000000000000000000000000000
 7 2a2c13cc242aff078069ffffffffffff
 8 02d7c800000000000000000000000000
 9 00000000000000000000000000000000
 10 00000000000000000000000000000000
 11 ffffffffffffff078069ffffffffffff
 12 00000000000000000000000000000000
 13 00000000000000000000000000000000
 14 00000000000000000000000000000000
 15 ffffffffffffff078069ffffffffffff
 16 a802d0e220d700530000000000000000
 17 00000000000000000000000000000000
 18 00000000000000000000000000000000
 19 e1f98f01e8aaff078069ffffffffffff
 20 00000000000000000000000000000000
 21 00000000000000000000000000000000
 22 00000000000000000000000000000000
 23 e1f98f01e8aaff078069ffffffffffff
 24 00000000000000000000000000000000
 25 00000000000000000000000000000000
 26 00000000000000000000000000000000
 27 e1f98f01e8aaff078069ffffffffffff
 28 00000000000000000000000000000000
 29 00000000000000000000000000000000
 30 00000000000000000000000000000000
 31 e1f98f01e8aaff078069ffffffffffff
 32 00000000000000000000000000000000
 33 00000000000000000000000000000000
 34 00000000000000000000000000000000
 35 e1f98f01e8aaff078069ffffffffffff
 36 00000000000000000000000000000000
 37 00000000000000000000000000000000
 38 00000000000000000000000000000000
 39 e1f98f01e8aaff078069ffffffffffff
 40 00000000000000000000000000000000
 41 00000000000000000000000000000000
 42 00000000000000000000000000000000
 43 e1f98f01e8aaff078069ffffffffffff
 44 00000000000000000000000000000000
 45 00000000000000000000000000000000
 46 00000000000000000000000000000000
 47 e1f98f01e8aaff078069ffffffffffff
 48 00000000000000000000000000000000
 49 00000000000000000000000000000000
 50 00000000000000000000000000000000
 51 e1f98f01e8aaff078069ffffffffffff
 52 00000000000000000000000000000000
 53 00000000000000000000000000000000
 54 00000000000000000000000000000000
 55 e1f98f01e8aaff078069ffffffffffff
 56 00000000000000000000000000000000
 57 00000000000000000000000000000000
 58 00000000000000000000000000000000
 59 e1f98f01e8aaff078069ffffffffffff
 60 00000000000000000000000000000000
 61 00000000000000000000000000000000
 62 00000000000000000000000000000000
 63 e1f98f01e8aaff078069ffffffffffff

Card 2 - Access for only 3/3/2020 - 3/8/2020

0 859c8637a80804006263646566676869
1 0dc0999f1e26783f06880d7f4d10d953
2 8a000400010800000000000000000000
3 00dd50251ae8ff078069ffffffffffff
4 2400030000000000000000c100000019
5 2400030000000000000000c100000019
6 00000000000000000000000000000000
7 2a2c13cc242aff078069ffffffffffff
8 02d7c800000000000000000000000000
9 00000000000000000000000000000000
10 00000000000000000000000000000000
11 ffffffffffffff078069ffffffffffff
12 00000000000000000000000000000000
13 00000000000000000000000000000000
14 00000000000000000000000000000000
15 ffffffffffffff078069ffffffffffff
16 008c831c89200000a802d25e20d800d2
17 a802d25e20d800d2a802e20720d7008a
18 00000000000000000000000000000000
19 00dd50251ae8ff078069ffffffffffff
20 00000000000000000000000000000000
21 00000000000000000000000000000000
22 00000000000000000000000000000000
23 00dd50251ae8ff078069ffffffffffff
24 00000000000000000000000000000000
25 00000000000000000000000000000000
26 00000000000000000000000000000000
27 00dd50251ae8ff078069ffffffffffff
28 00000000000000000000000000000000
29 00000000000000000000000000000000
30 00000000000000000000000000000000
31 00dd50251ae8ff078069ffffffffffff
32 00000000000000000000000000000000
33 00000000000000000000000000000000
34 00000000000000000000000000000000
35 00dd50251ae8ff078069ffffffffffff
36 00000000000000000000000000000000
37 00000000000000000000000000000000
38 00000000000000000000000000000000
39 00dd50251ae8ff078069ffffffffffff
40 00000000000000000000000000000000
41 00000000000000000000000000000000
42 00000000000000000000000000000000
43 00dd50251ae8ff078069ffffffffffff
44 00000000000000000000000000000000
45 00000000000000000000000000000000
46 00000000000000000000000000000000
47 00dd50251ae8ff078069ffffffffffff
48 00000000000000000000000000000000
49 00000000000000000000000000000000
50 00000000000000000000000000000000
51 00dd50251ae8ff078069ffffffffffff
52 00000000000000000000000000000000
53 00000000000000000000000000000000
54 00000000000000000000000000000000
55 00dd50251ae8ff078069ffffffffffff
56 00000000000000000000000000000000
57 00000000000000000000000000000000
58 00000000000000000000000000000000
59 00dd50251ae8ff078069ffffffffffff
60 00000000000000000000000000000000
61 00000000000000000000000000000000
62 00000000000000000000000000000000
63 00dd50251ae8ff078069ffffffffffff

Last edited by actionbias (2020-03-28 20:29:00)

Offline

#2 2020-03-27 16:26:25

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

look at the password of sector 1 (2a2c13cc242) this is the password of the locks Kaba/Saflok
the information is encrypted, you need a lot of samples to understand where to look for the data you need

Offline

#3 2020-03-28 20:38:02

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

I've had some progress discussing with a smart friend of mine. There was something interesting we found:

Check out blocks #16 and #17:

For e.g. converting the first 10 digits of block 16 >> A802D0E2, that converts to 03/23/1923 6:32:18 (UTC)

Converting the Hex to timestamps using a converter online shed some light. I'm still trying to figure out the nuances. But this may spark some problem solving skills.

Also, is there a way to make a master key for this scenario?


 
Card 1 - Access only for 3/1/2020

Block 16: a802d0e220d700530000000000000000
Block 17: 00000000000000000000000000000000
Card 2 - Access from 3/3/2020 throught the rest of the week

Block 16: 008c831c89200000a802d25e20d800d2
Block 17: a802d25e20d800d2a802e20720d7008a

Last edited by actionbias (2020-03-28 20:44:20)

Offline

#4 2020-03-29 10:28:20

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

Forced to disappoint you ((( locks never use UNIX time. Because time is counting MK41T56/MCP7940

Offline

#5 2020-03-29 10:40:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

locks maybe not,  but backend for sure.

Offline

#6 2020-04-02 17:18:48

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

Any leads or hints would be greatly appreciated... Or we can work a deal ($$) for "consulting" work.

Offline

#7 2020-04-02 20:02:23

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

You did not confirm/refute my guesses about the type of lock )  Kaba/Saflok? On two card dumps - cryptanalysis not possible. You will need a lot of dumps, and a lot of time ...

Offline

#8 2020-04-02 20:24:56

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

You also did not indicate the check in time, check out time, and hotel room number

Offline

#9 2020-04-02 20:46:40

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

The cards are KABA and specifically access the hotel elevator. The goal is to have a "Master" card access that will be able to access the elevators for a desired length of time. Currently they can only produce cards for a certain time for several day.

I discussed with my friend about the out the check in time, check out time and hotel number and he can easily produce those.

We can play with the scenarios.

And have him to produce different variables:

For e.g.

Hotel Number: 123
Check in time: 4/1/2020 3pm
Check out time: 4/3/2020 11am

Last edited by actionbias (2020-04-03 20:33:52)

Offline

#10 2020-04-14 13:28:20

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

Hotel Number: 123
Check in time: 4/1/2020 3pm
Check out time: 4/3/2020 11am

it is Card 1?

Offline

#11 2020-04-14 13:39:05

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: MIFARE 1k - KABA SAFLOK - pattern between 2 hotel cards

Here is an interesting pattern for you)
a8+02+d0+e2+20+d7+00=353
a8+02+d2+5e+20+d8+00=2d2
a8+02+e2+07+20+d7+00=28a

Offline

Board footer

Powered by FluxBB