Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello,
I have successfully cloned several Mifare Classic 1k cards to Chinese UID-changeable Mifare cards. I ran into an issue when I was trying to clone a Mifare Classic 1k card which came together with a reader of the brand Tengo. You can find the link here: http://www.tengolock.com/en/displayprod … oID=364086
I could clone it successfully, but when I presented the cloned card to this kind of reader there was no response, not even an LED blink or a beep. It seems the reader did not detect the presented card. I assume that the Mifare Classic card that came with the door lock reader may be produced specially, or has some trigger embedded inside the card to activate the reader before it reads the presented Mifare Classic card.
Has anyone experienced this kind of problem?
Thank you.
Offline
Maybe the SAK is different and the reader checks that?
Offline
Readers can be configured to detect clones, but I'm not sure if that is your issue or if it is something else.
If you could post a hf mf sniff or a hf 14a snoop of a valid card transaction with the reader, or even the transaction between the clone and the reader, we might learn more.
Offline
If you tried the latest source from Github, there are some changes regarding the possibility for readers to detect a pm3 simulating a card.
Follow @marshmellow's suggestion first, then you can even try the "hf 14a sim x" to see what the reader does.
Offline
Hello All,
Sorry for the delay. I just had a chance to test with the reader. This time it is a different reader but the same behavior.
Following marshmellow's suggestion, I used hf mf sniff to capture data in two cases.
1) Master Mifare card (Original)
I have got
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
..............>
received trace len: 2812 packages: 6
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x08
RDR(0):04 00
TAG(1):62 d9 0c 85 32
RDR(2):08 b6 dd
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x08
RDR(3):04 00
TAG(4):62 d9 0c 85 32
RDR(5):93 70 62 d9 0c 05
TAG(6):08 b6 dd
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x08
RDR(7):01
TAG(8):04 00
RDR(9):62 d9 0c 85 32
TAG(10):93 70 62 d9 0c
RDR(11):08 b6 dd
2) Cloned UID mifare card
I have got
-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
............>
received trace len: 118 packages: 1
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x88
RDR(0):04 00
TAG(1):02
RDR(2):88 be 59
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x88
RDR(3):04 00
TAG(4):62 d9 0c 85 32
RDR(5):88 be 59
..>
received trace len: 122 packages: 1
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x88
RDR(6):04 00
TAG(7):62 d9 0c 85 32
RDR(8):88 be 59
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x88
RDR(9):04 00
TAG(10):62 d9 0c 85 32
RDR(11):88 be 59
***You will see the SAK is different. The original Mifare card is 08, the cloned Mifare card is 88.
I thought this is the reason why the cloned one is not working, BUT please see the first row of the data dump from both cards:
1) Master Mifare card (Original)
62d90c8532880400c185149451203411
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
2) Cloned UID mifare card
62d90c8532880400c185149451203411
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff
***You will see 8804, which I thought is SAK=88 and ATQA=0004. These are the same values on both cards, and I think the clone should work, but it does not.
Do you know why this happened? Will the cloned card work if I change the SAK from 88 to 08?
Thank you.
Offline
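The two sniff traces above show the point of this thread: both cards carry an identical block 0, yet the original answers SAK 0x08 while the clone answers the 0x88 stored in block 0. The following script is an added example, not code from the thread or from the Proxmark3 project; it parses `tag select` lines from `hf mf sniff` output, splits block 0 using the NXP layout (UID, BCC, SAK, ATQA LSB first), and reports where the over-the-air identification disagrees with block 0. The embedded traces are shortened copies of the ones posted above.

```python
import re

# Added example (not from the thread): compare the identification a card
# answers over the air with what its block 0 claims.
SELECT_RE = re.compile(
    r"tag select uid:([0-9a-f ]+?) atqa:0x([0-9a-f]{4}) sak:0x([0-9a-f]{2})")

# Shortened copies of the two hf mf sniff traces posted in the thread.
ORIGINAL_TRACE = """\
received trace len: 2812 packages: 6
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x08
RDR(0):04 00
TAG(1):62 d9 0c 85 32
RDR(2):08 b6 dd
"""
CLONE_TRACE = """\
received trace len: 118 packages: 1
tag select uid:62 d9 0c 85 atqa:0x0004 sak:0x88
RDR(0):04 00
TAG(1):02
RDR(2):88 be 59
"""
# Block 0 as dumped from both cards in the thread (identical on both).
BLOCK0 = bytes.fromhex("62d90c8532880400c185149451203411")

def parse_selects(trace):
    """Return the set of (uid, atqa, sak) tuples the tag answered with."""
    return {(bytes.fromhex(u.replace(" ", "")), int(a, 16), int(s, 16))
            for u, a, s in SELECT_RE.findall(trace)}

def block0_identity(block0):
    """Split a Mifare Classic block 0 into uid, bcc, sak, atqa (NXP layout)."""
    uid, bcc, sak = block0[:4], block0[4], block0[5]
    atqa = block0[6] | block0[7] << 8  # ATQA is stored LSB first
    return uid, bcc, sak, atqa

def check(trace, block0):
    """List every way the over-the-air identity differs from block 0."""
    uid0, bcc0, sak0, atqa0 = block0_identity(block0)
    findings = []
    if bcc0 != uid0[0] ^ uid0[1] ^ uid0[2] ^ uid0[3]:
        findings.append("block 0 BCC does not match UID")
    for uid, atqa, sak in parse_selects(trace):
        if uid != uid0:
            findings.append(f"air UID {uid.hex()} != block0 UID {uid0.hex()}")
        if atqa != atqa0:
            findings.append(f"air ATQA {atqa:04x} != block0 ATQA {atqa0:04x}")
        if sak != sak0:
            findings.append(f"air SAK {sak:02x} != block0 SAK {sak0:02x}")
    return findings
```

Run against the original's trace it flags the SAK mismatch; run against the clone's trace it finds nothing, which is exactly why copying block 0 alone did not satisfy a reader that checks the SAK.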
I agree, test changing SAK from 0x88 -> 0x08 in your clone block0.
Offline
Hello,
I have changed the SAK from 0x88 to 0x08 and now I can unlock the door.
Do you know the reason why the SAK 0x88 of the original Mifare card appears as 0x80 when the card is interacting with the reader?
Is this a kind of "Anti-Clone" scheme?
Thank you.
Offline
On an original NXP Mifare Classic tag S50 (1k) the UID + BCC + SAK + ATQA is there. But on clones like Fudan etc. it might not be the case. See block0 and UID as ok, but the rest is up for grabs.
Offline
Many current mf classic compatibles allow you to change the sak, and it does not always relate to the memory location in block 0 on genuine cards.
Offline
Hello,
Thank you so much
Offline
Hi OP, I have had the same problem before, except the clone could be used only once and then became useless, and the reader wouldn't respond anymore. I compared the data of the clone with the original one and found the same thing you discovered...
Offline
Many current mf classic compatibles allow you to change the sak, and it does not always relate to the memory location in block 0 on genuine cards.
Can you educate me how to change the SAK sector on a Chinese UID card?
Offline
UID 1k PASS B
62B18C44 73C4D9419595
735CE4E7 0269E1EE9595
53BB8D60 62FAD8759595
F3504260 826553759595
A3479860 324EDD759595
C3BA8D60 D2FBD8759595
Collected for analysis: samples of Tengo pass B.
Offline
All key B values end with 0x9595, so there is some kind of key-gen for the first 4 bytes. Could be related to the UID.
Didn't you have the KEYA also?
Offline
Only 2 KEYA:
FFF011223358
FF9F11223358
Offline
UID 1k PASS A PASS B
62B18C44 FFF011223358 73C4D9419595
735CE4E7 FF9F11223358 0269E1EE9595
53BB8D60 FF9F11223358 62FAD8759595
F3504260 FF9F11223358 826553759595
A3479860 FF9F11223358 324EDD759595
C3BA8D60 FF9F11223358 D2FBD8759595
Offline
marshmellow wrote:Many current mf classic compatibles allow you to change the sak, and it does not always relate to the memory location in block 0 on genuine cards.
Can you educate me how to change the SAK sector on a Chinese UID card?
http://www.proxmark.org/forum/viewtopic … 5700#p5700
Last edited by kevin2008 (2017-11-08 06:04:37)
Offline
I've found quite a few readers check the SAK now; it's a clever way of detecting clones, as it doesn't always relate to the value in Block 0.
Offline
ATQA / SAK is part of any tag identification. Not sure if it's a good way to detect a clone.
Offline
UID 1k PASS A PASS B
B3678660 FF9F11223358 C26E0F759595
A288DC75 FF9F11223358 13FD99609595
B3019160 FF9F11223358 C29424759595
A3019160 FF9F11223358 329424759595
13019160 FF9F11223358 A29424759595
03019160 FF9F11223358 929424759595
93938160 FF9F11223358 222214759595
F3558660 FF9F11223358 82100F759595
AEC274F5 FF9F11223358 C7D331B09595
BEE674F5 FF9F11223358 D7EF31B09595
Offline
It does not matter where the byte in the UID is located; it will be mapped according to the table:
00 - 95
01 - 94
03 - 92
13 - A2
42 - 53
44 - 41
47 - 4E
50 - 65
53 - 62
55 - 10
5C - 69
60 - 75
62 - 73
67 - 6E
73 - 02
74 - 31
75 - 60
81 - 14
86 - 0F
88 - FD
8C - D9
8D - D8
91 - 24
92 - 23
93 - 22
98 - DD
A2 - 13
A3 - 32
AE - C7
B1 - C4
B3 - C2
BA - FB
BB - FA
BE - D7
C2 - D3
C3 - D2
DC - 99
E4 - E1
E6 - EF
E7 - EE
F3 - 82
F5 - B0
Offline
To:trazodone
Please, I ask you to post the password A/B from sector 1 of your Tengo cards.
Offline
Nice work Sentinel
Last edited by Onisan (2017-11-23 17:00:34)
Offline
Sentinel, small error in the table
60 75
should read
60 95
Offline
I did not understand where the error is : )
I proceeded from the assumption that 4 bytes of UID are converted into 6 bytes of the password:
wwxxyyzz0000 - aabbccdd9595
Offline
Sentinel,
Maybe I should read the post properly before making comments, I looked at a direct mapping and didn't do it properly, My apologies.
I'll leave the post for context as your last post won't make sense without it :-(
Offline
Hello Sentinel,
I did not log password A/B, but I did a simple nested attack to get the card data.
Offline
Thanks for the comments to my research : )
Waiting for passwords A & B.
Offline
Hello,
I found my record; both the A and B passwords are all ffffffffffff.
Offline
Key ffffffffffff for sector 0. And for sector 1?
Offline
Yes for all sectors
Offline
Thank you very much Sentinel!
I met this problem when trying to clone my flat door card.
1. I found my card's sector 1 encrypted with unknown keys. So firstly I tried to brute force the keys with a PN532, and I successfully got keyA. However, after about 0.7M attempts, I failed to find keyB.
2. Just as I was trying more attempts (actually, this may theoretically cost thousands of years), I googled the keyA and found this post. I then knew that the KeyB is related to the UID.
3. Although I do not find my UID bytes in reply#21, I find that the lower 4 bits follow the rule $x+y=5$, where x and y are the lower 4 bits of the UID bytes and KeyB bytes.
4. So the complexity comes down to at most (2^(4*4) =) 65536 attempts. For me, the KeyB is in this pattern: XAX3X1XF9595, where X stands for 4 unknown bits.
Finally, after minutes of attempts with my PN532, I got my card's KeyB!
I'd really appreciate your post. Thank you!
Offline
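Sentinel's byte table and the low-nibble rule in the last post both describe the same weakness: key B is a fixed, position-independent function of each UID byte. The script below is an added example, not code from the thread; it takes the (UID, key B) sample rows posted above, checks the 9595 suffix, rebuilds the per-byte map and confirms that it never contradicts itself, agrees with the posted table and satisfies (x + y) mod 16 = 5 on the low nibbles. A diversification scheme that passes such an audit on a handful of cards is one whose keys are recoverable from the UID alone, which is the risk this thread documents.

```python
# Added example (not from the thread): audit UID -> key B samples for a
# per-byte, position-independent mapping, the weakness discussed above.

# (UID, key B) rows copied from the thread; the key A column is omitted.
SAMPLES = [
    ("62B18C44", "73C4D9419595"), ("735CE4E7", "0269E1EE9595"),
    ("53BB8D60", "62FAD8759595"), ("F3504260", "826553759595"),
    ("A3479860", "324EDD759595"), ("C3BA8D60", "D2FBD8759595"),
    ("B3678660", "C26E0F759595"), ("A288DC75", "13FD99609595"),
    ("B3019160", "C29424759595"), ("A3019160", "329424759595"),
    ("13019160", "A29424759595"), ("03019160", "929424759595"),
    ("93938160", "222214759595"), ("F3558660", "82100F759595"),
    ("AEC274F5", "C7D331B09595"), ("BEE674F5", "D7EF31B09595"),
]

# The UID byte -> key byte table as posted by Sentinel.
POSTED_TABLE = dict(pair.split("-") for pair in (
    "00-95 01-94 03-92 13-A2 42-53 44-41 47-4E 50-65 53-62 55-10 5C-69 "
    "60-75 62-73 67-6E 73-02 74-31 75-60 81-14 86-0F 88-FD 8C-D9 8D-D8 "
    "91-24 92-23 93-22 98-DD A2-13 A3-32 AE-C7 B1-C4 B3-C2 BA-FB BB-FA "
    "BE-D7 C2-D3 C3-D2 DC-99 E4-E1 E6-EF E7-EE F3-82 F5-B0").split())

def audit(samples, table=POSTED_TABLE):
    """Return (derived byte map, findings). An empty findings list means every
    sample fits a per-byte UID -> key mapping consistent with the table."""
    byte_map, findings = {}, []
    for uid_hex, keyb_hex in samples:
        uid, keyb = bytes.fromhex(uid_hex), bytes.fromhex(keyb_hex)
        if keyb[4:] != b"\x95\x95":
            findings.append(f"{uid_hex}: key B does not end in 9595")
        for u, k in zip(uid, keyb[:4]):
            seen = byte_map.setdefault(u, k)
            if seen != k:  # same UID byte must always give the same key byte
                findings.append(f"{u:02X} maps to both {seen:02X} and {k:02X}")
            if (u + k) % 16 != 5:  # low-nibble rule from the last post
                findings.append(f"{u:02X}->{k:02X} breaks (x + y) % 16 == 5")
            if table.get(f"{u:02X}") != f"{k:02X}":
                findings.append(f"{u:02X}->{k:02X} disagrees with posted table")
    return byte_map, findings

if __name__ == "__main__":
    derived, problems = audit(SAMPLES)
    print(f"{len(derived)} distinct UID bytes; findings: {problems or 'none'}")
```

The 16 rows cover 40 of the 42 table entries; the remaining two (00 and 92) come from Sentinel's other samples and are not contradicted by anything posted.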