Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2021-05-18 06:34:45

Hotel-key-card
Contributor
Registered: 2020-06-27
Posts: 10

The VINGCARD algorithm is very interesting

After a long time of analysis, the 1K algorithm is very simple:

UID+1 sector password

FCC8526B    CC01D828220470FF0869C80D00F40410
5CE40646    DC0F2418F60E70FF08697C5954606C00
6C02506B    BC059212E00370FF086948245002B013
ECB31446    BC01231F240870FF0869E80CA8619803
ECAA8C6B    FC0A7A28CC0A70FF0869589508B1FC3F
EC72B86B    BC056228E80F70FF0869E847001DA880
2C1A8469    DC0D2A13040F70FF0869D025341FFC72
BCCF7B6B    EC06DF279B0170FF0869704990F9EB26
EC6DA169    7C055D26C10070FF086938444A041320
CC177E69    8C0DB71C1E0370FF08695CA331293072
AC8BA669    2C0FEB24660F70FF08698C9C893CA46B
AC837769    BC037320370F70FF086998212E0D0D48
6C56B469    DC0EA61D440770FF0869E061BCA0186F
8CA38969    7C0DB322890E70FF0869C071A05B2328
423718C5    C20A5715B80870FF0869922B4D49D011
1C02A069    8C0D7212B00E70FF0869A0174C02409C
1C067A69    AC0056101A0F70FF086918011806D003
FC739A69    BC0853279A0C70FF08690C7B4519781A
4C707069    9C022019E00A70FF0869480B40B1504E
1C20A369    7C0FA014130D70FF0869041B2029A50E
4CCB0F46    2C0D0B16CF0370FF0869743D6F206900
6C47361E    9C003710E60B70FF0869B001B648E010
7C294946    1C066913490670FF0869142C7D315D21
ECE9F81D    EC0E492E480970FF08696CCF13A64816
3CB3C16B    8C020321810B70FF0869E80852780B99
8C1A671E    7C0FAA12170D70FF08694083441EF63D
AC4F501E    7C0BDF16300C70FF0869E874286FC044
8CF80F46    5C04681DDF0270FF0869E821C0CA7C0B
7CB6421E    DC099619E20570FF086924497A1DD602
2CFB0F46    0C0A3B17AF0270FF0869541B6F74FB04

I don't think I made a calculation error.

Offline

#2 2021-05-20 18:50:15

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: The VINGCARD algorithm is very interesting

Could you explain what you have done?

Offline

#3 2021-05-23 01:54:11

nock
Contributor
Registered: 2019-12-11
Posts: 15

Re: The VINGCARD algorithm is very interesting

Hotel-key-card wrote:

After a long time of analysis, the 1K algorithm is very simple:

UID+1 sector password

FCC8526B    CC01D828220470FF0869C80D00F40410
5CE40646    DC0F2418F60E70FF08697C5954606C00
6C02506B    BC059212E00370FF086948245002B013
ECB31446    BC01231F240870FF0869E80CA8619803
ECAA8C6B    FC0A7A28CC0A70FF0869589508B1FC3F
EC72B86B    BC056228E80F70FF0869E847001DA880
2C1A8469    DC0D2A13040F70FF0869D025341FFC72
BCCF7B6B    EC06DF279B0170FF0869704990F9EB26
EC6DA169    7C055D26C10070FF086938444A041320
CC177E69    8C0DB71C1E0370FF08695CA331293072
AC8BA669    2C0FEB24660F70FF08698C9C893CA46B
AC837769    BC037320370F70FF086998212E0D0D48
6C56B469    DC0EA61D440770FF0869E061BCA0186F
8CA38969    7C0DB322890E70FF0869C071A05B2328
423718C5    C20A5715B80870FF0869922B4D49D011
1C02A069    8C0D7212B00E70FF0869A0174C02409C
1C067A69    AC0056101A0F70FF086918011806D003
FC739A69    BC0853279A0C70FF08690C7B4519781A
4C707069    9C022019E00A70FF0869480B40B1504E
1C20A369    7C0FA014130D70FF0869041B2029A50E
4CCB0F46    2C0D0B16CF0370FF0869743D6F206900
6C47361E    9C003710E60B70FF0869B001B648E010
7C294946    1C066913490670FF0869142C7D315D21
ECE9F81D    EC0E492E480970FF08696CCF13A64816
3CB3C16B    8C020321810B70FF0869E80852780B99
8C1A671E    7C0FAA12170D70FF08694083441EF63D
AC4F501E    7C0BDF16300C70FF0869E874286FC044
8CF80F46    5C04681DDF0270FF0869E821C0CA7C0B
7CB6421E    DC099619E20570FF086924497A1DD602
2CFB0F46    0C0A3B17AF0270FF0869541B6F74FB04

I don't think I made a calculation error.

Hi, can you please explain the key diversification algo for how the Sector 1 A/B keys are calculated from the UID?

Offline

#4 2021-05-23 22:51:48

Hotel-key-card
Contributor
Registered: 2020-06-27
Posts: 10

Re: The VINGCARD algorithm is very interesting

Onisan wrote:

Could you explain what you have done?

I calculated it and want to verify if it is correct, or if you have a blank card, I am willing to try

Offline

#5 2021-05-23 22:53:55

Hotel-key-card
Contributor
Registered: 2020-06-27
Posts: 10

Re: The VINGCARD algorithm is very interesting

nock wrote:
Hotel-key-card wrote:

After a long time of analysis, the 1K algorithm is very simple:

UID+1 sector password

FCC8526B    CC01D828220470FF0869C80D00F40410
5CE40646    DC0F2418F60E70FF08697C5954606C00
6C02506B    BC059212E00370FF086948245002B013
ECB31446    BC01231F240870FF0869E80CA8619803
ECAA8C6B    FC0A7A28CC0A70FF0869589508B1FC3F
EC72B86B    BC056228E80F70FF0869E847001DA880
2C1A8469    DC0D2A13040F70FF0869D025341FFC72
BCCF7B6B    EC06DF279B0170FF0869704990F9EB26
EC6DA169    7C055D26C10070FF086938444A041320
CC177E69    8C0DB71C1E0370FF08695CA331293072
AC8BA669    2C0FEB24660F70FF08698C9C893CA46B
AC837769    BC037320370F70FF086998212E0D0D48
6C56B469    DC0EA61D440770FF0869E061BCA0186F
8CA38969    7C0DB322890E70FF0869C071A05B2328
423718C5    C20A5715B80870FF0869922B4D49D011
1C02A069    8C0D7212B00E70FF0869A0174C02409C
1C067A69    AC0056101A0F70FF086918011806D003
FC739A69    BC0853279A0C70FF08690C7B4519781A
4C707069    9C022019E00A70FF0869480B40B1504E
1C20A369    7C0FA014130D70FF0869041B2029A50E
4CCB0F46    2C0D0B16CF0370FF0869743D6F206900
6C47361E    9C003710E60B70FF0869B001B648E010
7C294946    1C066913490670FF0869142C7D315D21
ECE9F81D    EC0E492E480970FF08696CCF13A64816
3CB3C16B    8C020321810B70FF0869E80852780B99
8C1A671E    7C0FAA12170D70FF08694083441EF63D
AC4F501E    7C0BDF16300C70FF0869E874286FC044
8CF80F46    5C04681DDF0270FF0869E821C0CA7C0B
7CB6421E    DC099619E20570FF086924497A1DD602
2CFB0F46    0C0A3B17AF0270FF0869541B6F74FB04

I don't think I made a calculation error.

Hi, can you please explain the key diversification algo for how the Sector 1 A/B keys are calculated from the UID?


Friend, I’m very sorry, this is only suitable for personal research, not for commercial purposes

Offline

#6 2021-05-24 07:32:53

nock
Contributor
Registered: 2019-12-11
Posts: 15

Re: The VINGCARD algorithm is very interesting

Hotel-key-card wrote:
nock wrote:
Hotel-key-card wrote:

After a long time of analysis, the 1K algorithm is very simple:

UID+1 sector password

FCC8526B    CC01D828220470FF0869C80D00F40410
5CE40646    DC0F2418F60E70FF08697C5954606C00
6C02506B    BC059212E00370FF086948245002B013
ECB31446    BC01231F240870FF0869E80CA8619803
ECAA8C6B    FC0A7A28CC0A70FF0869589508B1FC3F
EC72B86B    BC056228E80F70FF0869E847001DA880
2C1A8469    DC0D2A13040F70FF0869D025341FFC72
BCCF7B6B    EC06DF279B0170FF0869704990F9EB26
EC6DA169    7C055D26C10070FF086938444A041320
CC177E69    8C0DB71C1E0370FF08695CA331293072
AC8BA669    2C0FEB24660F70FF08698C9C893CA46B
AC837769    BC037320370F70FF086998212E0D0D48
6C56B469    DC0EA61D440770FF0869E061BCA0186F
8CA38969    7C0DB322890E70FF0869C071A05B2328
423718C5    C20A5715B80870FF0869922B4D49D011
1C02A069    8C0D7212B00E70FF0869A0174C02409C
1C067A69    AC0056101A0F70FF086918011806D003
FC739A69    BC0853279A0C70FF08690C7B4519781A
4C707069    9C022019E00A70FF0869480B40B1504E
1C20A369    7C0FA014130D70FF0869041B2029A50E
4CCB0F46    2C0D0B16CF0370FF0869743D6F206900
6C47361E    9C003710E60B70FF0869B001B648E010
7C294946    1C066913490670FF0869142C7D315D21
ECE9F81D    EC0E492E480970FF08696CCF13A64816
3CB3C16B    8C020321810B70FF0869E80852780B99
8C1A671E    7C0FAA12170D70FF08694083441EF63D
AC4F501E    7C0BDF16300C70FF0869E874286FC044
8CF80F46    5C04681DDF0270FF0869E821C0CA7C0B
7CB6421E    DC099619E20570FF086924497A1DD602
2CFB0F46    0C0A3B17AF0270FF0869541B6F74FB04

I don't think I made a calculation error.

Hi, can you please explain the key diversification algo for how the Sector 1 A/B keys are calculated from the UID?


Friend, I’m very sorry, this is only suitable for personal research, not for commercial purposes

Hi, if you are wanting to verify your algo, here is a UID: 19b07472 . I can let you know if section 1 is correct or not.

Offline

#7 2021-05-25 09:38:41

fazer
Contributor
Registered: 2019-03-02
Posts: 155

Re: The VINGCARD algorithm is very interesting

Hi Nock, could you check . I use script hf mf uidkeycalcmizip.lua .
|UID|    19b07472   
|---|----------------|---|----------------|---|   
|sec|key A           |res|key B           |res|   
|---|----------------|---|----------------|---|   
|000|  A0A1A2A3A4A5  | 1 |  B4C132439EEF  | 1 |   
|001|  10A22E579055  | 1 |  855E9DE3AC53  | 1 |   
|002|  B2C5BD458B9F  | 1 |  0795804E4633  | 1 |   
|003|  FBC235DD35B9  | 1 |  DE3F0AC622DC  | 1 |   
|004|  28CAC35D5D20  | 1 |  C4613E97598F  | 1 |   
|---|----------------|---|----------------|---|   
###    dumping keys to file   
have a nice day

Offline

#8 2021-05-25 09:50:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523
Website

Re: The VINGCARD algorithm is very interesting

UID: 19b07472
A: 09 0B 40 1A F4 05
B: 30 11 E0 28 08 6A

Offline

#9 2021-05-25 11:40:40

fazer
Contributor
Registered: 2019-03-02
Posts: 155

Re: The VINGCARD algorithm is very interesting

Hi Iceman, ok thanks the result is completely different from what I found with the script ??.
Have a good day.

Offline

#10 2021-05-25 11:54:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523
Website

Re: The VINGCARD algorithm is very interesting

and that would be because you are running mizip calc...  and I am using ving calc...    Two different algorithms.

Offline

#11 2021-05-25 12:13:28

fazer
Contributor
Registered: 2019-03-02
Posts: 155

Re: The VINGCARD algorithm is very interesting

Re Hello Iceman, indeed with two different algorithms the result cannot be identical, as much for me.
Thanks, have a good day.

Offline

#12 2021-05-26 16:00:41

Hotel-key-card
Contributor
Registered: 2020-06-27
Posts: 10

Re: The VINGCARD algorithm is very interesting

fazer wrote:

Hi Nock, could you check . I use script hf mf uidkeycalcmizip.lua .
|UID|    19b07472   
|---|----------------|---|----------------|---|   
|sec|key A           |res|key B           |res|   
|---|----------------|---|----------------|---|   
|000|  A0A1A2A3A4A5  | 1 |  B4C132439EEF  | 1 |   
|001|  10A22E579055  | 1 |  855E9DE3AC53  | 1 |   
|002|  B2C5BD458B9F  | 1 |  0795804E4633  | 1 |   
|003|  FBC235DD35B9  | 1 |  DE3F0AC622DC  | 1 |   
|004|  28CAC35D5D20  | 1 |  C4613E97598F  | 1 |   
|---|----------------|---|----------------|---|   
###    dumping keys to file   
have a nice day



090B401AF40570FF08693011E028086A

Offline

#13 2021-05-26 23:11:17

nock
Contributor
Registered: 2019-12-11
Posts: 15

Re: The VINGCARD algorithm is very interesting

Hotel-key-card wrote:


090B401AF40570FF08693011E028086A

Yes that's correct.

Last edited by nock (2021-05-26 23:11:39)

Offline

#14 2021-05-27 01:40:59

Hotel-key-card
Contributor
Registered: 2020-06-27
Posts: 10

Re: The VINGCARD algorithm is very interesting

nock wrote:
Hotel-key-card wrote:


090B401AF40570FF08693011E028086A

Yes that's correct.


THANKS

Offline

#15 2021-09-05 11:33:56

SAS
Contributor
Registered: 2020-06-29
Posts: 4

Re: The VINGCARD algorithm is very interesting

Hi, Hotel-Key Card,
Would you mind share how to find/calculate just for the Key-A(0)---> "09" of the last sample :
UID: 19b07472
A: "09" 0B 40 1A F4 05
B: 30 11 E0 28 08 6A

Thank you
SAS

Offline

#16 2022-05-12 03:04:40

adelie
Contributor
Registered: 2021-10-26
Posts: 6

Re: The VINGCARD algorithm is very interesting

Is this algorithm going to be integrated into the proxmark3 client?
It would be really good to be able to check this sort of dynamically generated key automatically with "hf mf autopwn", for example.

Also I would very much like to hear your process for discovering the algorithm used here.  I doubt I could understand it, but maybe if I read it 200 times!

Offline

#17 2022-10-20 15:49:58

fazer
Contributor
Registered: 2019-03-02
Posts: 155

Re: The VINGCARD algorithm is very interesting

Good evening, I noticed that in the blk -1 there are always these same values on the cards that I have & if this value 7B0026882688000000000000000000000 & taken into account for the calculation of the keys.
Thanks, have a good day.

Offline

Board footer

Powered by FluxBB