Research, development and trades concerning the powerful Proxmark3 device.
Now, there was a PR over at the RRG/Iceman repo.
Some new default keys. Normal stuff, but since I noticed it was a transport system, I asked if there was a keygen algo involved for this Mifare Classic 1K / S50 card.
The user posted a list of the outputted keys. And for those sharp-eyed people, you can directly see patterns.
A strong indicator for a keygen algo.
So here we go.
The S0 A key seems to be directly involved with all KEY B for sectors 1-15.
The A keys for S 1-15: some fixed values.
Look at the 0x38 value. And realise the keys are ROL().
I suppose there is a XOR involved before.
We would need some more dumps from other cards... Maybe a simulation for some specific UIDs, but this seems to be a very simple algo involved.
Granada, ES transport Card keys
|---|---------------|---|---------------|---|
|sec| key A |res| key B |res|
|---|---------------|---|---------------|---|
|000| 0172066b2f03 | 1 | 000000270000 | 1 |
|001| 385efa542907 | 1 | 70172066b2f0 | 1 |
|002| b385efa64290 | 1 | 0b0172066b2f | 1 |
|003| 0f385ffb6529 | 1 | f0f0172066b2 | 1 |
|004| 913385ffb752 | 1 | 2f130172066b | 1 |
|005| 29173860fc76 | 1 | b2f170172066 | 1 |
|006| 6291b3860fc8 | 1 | 6b2f1b017206 | 1 |
|007| 87291f3861fc | 1 | 66b2f1f01720 | 1 |
|008| c9739233861f | 1 | 066b2f230172 | 1 |
|009| fc9839273862 | 1 | 2066b2f27017 | 1 |
|010| 2fca8492f386 | 1 | 72066b2f2b01 | 1 |
|011| 63fca9492f38 | 1 | 172066b2f2f0 | 1 |
|012| 863fcb959373 | 1 | 0172066b2f33 | 1 |
|013| 3864fcba5937 | 1 | 70172066b2f3 | 1 |
|014| f3864fcca693 | 1 | 3b0172066b2f | 1 |
|015| 3f3865fccb69 | 1 | f3f0172066b2 | 1 |
|---|---------------|---|---------------|---|
So for sector 1-15 keytype B it is straightforward how they did it.
Doing it live on my stream https://youtu.be/-L5Z3inBhTM
#include <stdint.h>
#include <inttypes.h>

// rotate right, n bits, inside a 48-bit Mifare Classic key
static void ror(uint64_t *key, int n) {
    while (n--) {
        uint64_t lsb = *key & 0x1;    // bit shifted out on the right ...
        *key >>= 1;
        *key |= (lsb << 47);          // ... comes back in at bit 47
    }
}

// sector 1-15 keytype B
// uid[] is the 4-byte card UID; PrintAndLogEx, sprint_hex and bytes_to_num
// are Proxmark3 client helpers
uint8_t key_s0a[6] = { 0x01, uid[0], uid[1], uid[2], uid[3], 0x03 };
uint64_t key = 0;
PrintAndLogEx(INFO, "Sector 0/A key %s\n", sprint_hex(key_s0a, sizeof(key_s0a)));
PrintAndLogEx(INFO, "Sector B keys");
for (int i = 1; i < 16; i++) {
    key_s0a[5] += 4;                              // last byte becomes 0x03 + 4*i
    key = bytes_to_num(key_s0a, sizeof(key_s0a));
    ror(&key, i * 4);                             // rotate right i nibbles
    PrintAndLogEx(INFO, "%012" PRIx64, key);
}
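A stand-alone version of the sector 1-15 key B derivation discussed in both posts above, written as an added example (it is not the thread's code and not part of the Proxmark3 client). It assumes the layout the thread proposes for the sector-0 key A, 01 | UID | 03, and takes the key values straight from the Granada table on this page; the function names (ror48, key_b, dump_uses_uid_keys) are mine. Its practical use is as an audit check on a dump: if dump_uses_uid_keys() returns 15, every B key of the card follows from the freely readable UID, so those keys add no secrecy beyond the UID itself.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define KEY48_MASK ((1ULL << 48) - 1)

/* Sector-0 key A and the sector 1..15 key B values as listed in the table above. */
static const char *const GRANADA_S0A = "0172066b2f03";
static const char *const GRANADA_KEYS_B[15] = {
    "70172066b2f0", "0b0172066b2f", "f0f0172066b2", "2f130172066b", "b2f170172066",
    "6b2f1b017206", "66b2f1f01720", "066b2f230172", "2066b2f27017", "72066b2f2b01",
    "172066b2f2f0", "0172066b2f33", "70172066b2f3", "3b0172066b2f", "f3f0172066b2",
};

/* 48-bit rotate right; Mifare Classic keys are 48 bits wide. */
static uint64_t ror48(uint64_t key, int n) {
    n %= 48;
    key &= KEY48_MASK;
    return ((key >> n) | (key << (48 - n))) & KEY48_MASK;
}

/* Parse a 12-hex-digit key string into a 48-bit integer. */
static uint64_t parse_key(const char *hex) {
    uint64_t k = 0;
    if (sscanf(hex, "%" SCNx64, &k) != 1) return 0;
    return k & KEY48_MASK;
}

/* Sector-0 key A layout proposed in the thread (assumption): 01 | UID[0..3] | 03. */
static uint64_t key_s0a(const uint8_t uid[4]) {
    uint8_t b[6] = {0x01, uid[0], uid[1], uid[2], uid[3], 0x03};
    uint64_t k = 0;
    for (int i = 0; i < 6; i++) k = (k << 8) | b[i];
    return k;
}

/* Sector s (1..15) key B: bump the last byte of sector-0 key A by 4*s,
 * then rotate the 48-bit key right by 4*s bits (s nibbles). */
static uint64_t key_b(const uint8_t uid[4], int sector) {
    uint64_t k = key_s0a(uid);
    uint8_t last = (uint8_t)(0x03 + 4 * sector);
    k = (k & ~0xFFULL) | last;
    return ror48(k, 4 * sector);
}

/* Recover the UID from a sector-0 key A if it follows the 01|UID|03 layout. Returns 1 on success. */
static int uid_from_s0a(uint64_t s0a, uint8_t uid[4]) {
    if (((s0a >> 40) & 0xFF) != 0x01 || (s0a & 0xFF) != 0x03) return 0;
    for (int i = 0; i < 4; i++) uid[i] = (uint8_t)((s0a >> (8 * (4 - i))) & 0xFF);
    return 1;
}

/* Audit a dump: -1 if sector-0 key A does not carry the UID, otherwise the number of the
 * 15 sector-B keys that match the derivation (15 means every B key follows from the UID alone). */
static int dump_uses_uid_keys(const char *s0a_hex, const char *const keys_b[15]) {
    uint8_t uid[4];
    if (!uid_from_s0a(parse_key(s0a_hex), uid)) return -1;
    int matches = 0;
    for (int s = 1; s <= 15; s++)
        if (parse_key(keys_b[s - 1]) == key_b(uid, s)) matches++;
    return matches;
}

int main(void) {
    uint8_t uid[4];
    if (!uid_from_s0a(parse_key(GRANADA_S0A), uid)) {
        puts("sector-0 key A does not carry the UID");
        return 1;
    }
    printf("UID from sector-0 key A: %02x%02x%02x%02x\n", uid[0], uid[1], uid[2], uid[3]);
    for (int s = 1; s <= 15; s++)
        printf("sector %02d key B: %012" PRIx64 " (dump: %s)\n", s, key_b(uid, s), GRANADA_KEYS_B[s - 1]);
    printf("derived B keys matching the dump: %d/15\n",
           dump_uses_uid_keys(GRANADA_S0A, GRANADA_KEYS_B));
    return 0;
}
```

Build with `cc -std=c99 -o granada granada.c`; all 15 derived B keys match the table. The rotate is done with a mask instead of the bit-by-bit loop in the post above, which makes the 4*s amount wrap at 48 bits explicit (sector 12 rotates by 48, i.e. not at all, which is why its key B equals sector-0 key A with the last byte 0x33).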