Proxmark3 community

#1 2020-01-10 18:44:38

iceman

MFC keygen Spanish transport system

Now, there was a PR over at the RRG/Iceman repo.
Some new default keys. Normal stuff, but since I noticed it was a transport system, I asked if there was a keygen algo involved
for this Mifare Classic 1K / S50 card.

The user posted a list of the outputted keys. And for those sharp-eyed people, you can directly see patterns.
A strong indicator for a keygen algo.

So here we go.
The S0 A key seems to be directly involved with all KEY B for sectors 1-15.
The A key for S 1 - 15, some fixed values.
Look at the 0x38 value. And realise the keys are ROL().
I suppose there is an XOR involved before.

We would need some more dumps from other cards... Maybe a simulation for some specific UIDs, but this seems to be a very simple algo involved.

Granada, ES transport Card keys

|---|---------------|---|---------------|---| 
|sec| key A         |res| key B         |res| 
|---|---------------|---|---------------|---| 
|000|  0172066b2f03 | 1 |  000000270000 | 1 | 
|001|  385efa542907 | 1 |  70172066b2f0 | 1 | 
|002|  b385efa64290 | 1 |  0b0172066b2f | 1 | 
|003|  0f385ffb6529 | 1 |  f0f0172066b2 | 1 | 
|004|  913385ffb752 | 1 |  2f130172066b | 1 | 
|005|  29173860fc76 | 1 |  b2f170172066 | 1 | 
|006|  6291b3860fc8 | 1 |  6b2f1b017206 | 1 | 
|007|  87291f3861fc | 1 |  66b2f1f01720 | 1 | 
|008|  c9739233861f | 1 |  066b2f230172 | 1 | 
|009|  fc9839273862 | 1 |  2066b2f27017 | 1 | 
|010|  2fca8492f386 | 1 |  72066b2f2b01 | 1 | 
|011|  63fca9492f38 | 1 |  172066b2f2f0 | 1 | 
|012|  863fcb959373 | 1 |  0172066b2f33 | 1 | 
|013|  3864fcba5937 | 1 |  70172066b2f3 | 1 | 
|014|  f3864fcca693 | 1 |  3b0172066b2f | 1 | 
|015|  3f3865fccb69 | 1 |  f3f0172066b2 | 1 | 
|---|---------------|---|---------------|---| 


#2 2020-01-11 12:19:01

iceman

Re: MFC keygen Spanish transport system

So sector 1-15 keytype B is straightforward how they did it.
Doing it live on my stream :) https://youtu.be/-L5Z3inBhTM

// rotate right, n bits.
static void ror(uint64_t *key, int n) {
    // 10001
    while (n--) {
        uint64_t lsb = *key & 0x1;
        *key >>= 1;
        *key |= (lsb << 47);
    }
}

    // sector 1-15 keytype B

    uint8_t key_s0a[6] = { 0x01, uid[0], uid[1], uid[2], uid[3], 0x03 };
    uint64_t key = 0;
    PrintAndLogEx(INFO, "Sector 0/A key %s\n", sprint_hex(key_s0a, sizeof(key_s0a)));

    PrintAndLogEx(INFO, "Sector B keys");
    for (int i = 1; i < 16; i++) {
        key_s0a[5] += 4;
        key = bytes_to_num(key_s0a, sizeof(key_s0a));
        ror(&key, i * 4);
        PrintAndLogEx(INFO, "%012" PRIx64, key);
    }

Offline
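Added example, not part of the original posts and not Proxmark3 code: a stand-alone consistency check of the relation from post #2 against the key B column from post #1, showing that every sector 1-15 key B is a function of the sector 0 key A. The names `ror48`, `derive_key_b` and `count_mismatches` are made up for this illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_MASK 0xFFFFFFFFFFFFULL /* MIFARE Classic keys are 48 bits wide */

/* Rotate a 48-bit value right by n bits; n may be 48 or more. */
static uint64_t ror48(uint64_t key, unsigned n) {
    n %= 48;
    key &= KEY_MASK;
    if (n == 0) return key;
    return ((key >> n) | (key << (48 - n))) & KEY_MASK;
}

/* Relation from post #2: add 4*sector to the last byte of the sector 0
 * key A (8-bit wraparound), then rotate right by 4*sector bits. */
static uint64_t derive_key_b(uint64_t key_s0a, unsigned sector) {
    uint8_t last = (uint8_t)((key_s0a & 0xFF) + 4 * sector);
    uint64_t k = (key_s0a & KEY_MASK & ~0xFFULL) | last;
    return ror48(k, 4 * sector);
}

/* Key B for sectors 1..15, copied from the table in post #1. */
static const uint64_t observed_key_b[15] = {
    0x70172066b2f0ULL, 0x0b0172066b2fULL, 0xf0f0172066b2ULL,
    0x2f130172066bULL, 0xb2f170172066ULL, 0x6b2f1b017206ULL,
    0x66b2f1f01720ULL, 0x066b2f230172ULL, 0x2066b2f27017ULL,
    0x72066b2f2b01ULL, 0x172066b2f2f0ULL, 0x0172066b2f33ULL,
    0x70172066b2f3ULL, 0x3b0172066b2fULL, 0xf3f0172066b2ULL,
};

/* Number of sectors whose dumped key B does NOT follow the relation. */
static int count_mismatches(uint64_t key_s0a) {
    int bad = 0;
    for (unsigned s = 1; s <= 15; s++) {
        uint64_t want = derive_key_b(key_s0a, s);
        if (want != observed_key_b[s - 1]) {
            printf("sector %02u: dump %012" PRIx64 " != derived %012" PRIx64 "\n",
                   s, observed_key_b[s - 1], want);
            bad++;
        }
    }
    return bad;
}

int main(void) {
    int bad = count_mismatches(0x0172066b2f03ULL); /* sector 0 key A, post #1 */
    printf("%d of 15 key B values deviate from the relation\n", bad);
    return bad != 0;
}
```

Zero mismatches means the card has no independent key B material: fifteen of its keys collapse to one 48-bit value, which is the property a key-diversification review of such a system should flag.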
