Proxmark3 community


#1 2017-02-01 07:01:31

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

UID Chinese Mifare classic did not work with door lock brand Tengo

Hello,

I have experience cloning several Mifare Classic 1k cards to Chinese UID-changeable Mifare cards with success. I found an issue when I was trying to clone a Mifare Classic 1k card which came together with the reader brand Tengo. You can find the link here http://www.tengolock.com/en/displayprod … oID=364086
I could clone it successfully, but when I tried to present the cloned card to this kind of reader, there was no response, not even an LED blink or beep sound. It seems the reader did not detect the presented card. I assume that the Mifare Classic that came with the door lock reader may be produced specially or have some trigger embedded inside the card to let the reader activate before reading the presented Mifare Classic card.
Has anyone experienced this kind of problem?

Thank you.


#2 2017-02-01 13:32:00

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Maybe the SAK is different and the reader checks that?


#3 2017-02-01 19:03:06

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Readers can be configured to detect clones, but I'm not sure if that is your issue or if it is something else.

If you could post a hf mf sniff or a hf 14a snoop of a valid card transaction with the reader, or even the transaction between the clone and the reader, we might learn more.


#4 2017-02-01 19:24:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

If you tried the latest source from Github, there are some changes regarding the possibility for readers to detect a pm3 simulating a card.

Follow @marshmellow's suggestion first, then you can even try "hf 14a sim x" to see what the reader does.


#5 2017-02-06 18:59:44

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Hello All,

Sorry for the delay. I just had a chance to test with the reader. This time it is another reader, but the same behavior.
Regarding marshmellow's suggestion, I used hf mf sniff to capture data in 2 cases.
1) Master Mifare card (Original)
I got:

-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
..............>
received trace len: 2812 packages: 6         
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x08         
RDR(0):04 00           
TAG(1):62 d9 0c 85 32           
RDR(2):08 b6 dd           
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x08         
RDR(3):04 00           
TAG(4):62 d9 0c 85 32           
RDR(5):93 70 62 d9 0c 05           
TAG(6):08 b6 dd           
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x08         
RDR(7):01           
TAG(8):04 00           
RDR(9):62 d9 0c 85 32           
TAG(10):93 70 62 d9 0c           
RDR(11):08 b6 dd

2) Cloned UID Mifare card
I got:

-------------------------------------------------------------------------
Executing command.
Press the key on the proxmark3 device to abort both proxmark3 and client.
Press the key on pc keyboard to abort the client.
-------------------------------------------------------------------------
............>
received trace len: 118 packages: 1         
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x88         
RDR(0):04 00           
TAG(1):02           
RDR(2):88 be 59           
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x88         
RDR(3):04 00           
TAG(4):62 d9 0c 85 32           
RDR(5):88 be 59           
..>
received trace len: 122 packages: 1         
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x88         
RDR(6):04 00           
TAG(7):62 d9 0c 85 32           
RDR(8):88 be 59           
tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x88         
RDR(9):04 00           
TAG(10):62 d9 0c 85 32           
RDR(11):88 be 59           

***You will see the SAK is different. The original Mifare card is 08, the cloned Mifare card is 88.
I thought this is the reason why the cloned one is not working, BUT please see the first row of the data dump from both cards:

1) Master Mifare card (Original)

62d90c8532880400c185149451203411
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff

2) Cloned UID Mifare card

62d90c8532880400c185149451203411
00000000000000000000000000000000
00000000000000000000000000000000
ffffffffffffff078069ffffffffffff

***You will see 8804, which I thought is SAK=88 and ATQA=0004. They are the same value on both cards, and I think the cloned one should work, but it does not.

Do you know why this case happened? Does the cloned card work if I change the SAK from 88 to 08?

Thank you.


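The SAK comparison done by hand in the reply above, as an added example (not code from the thread or from the Proxmark3 project): it parses the "tag select" lines of the posted hf mf sniff traces and the posted block 0, and reports each field where the over-the-air answer differs from the stored bytes. The trace fragments and block 0 are copied from the reply; the regex and function names are assumptions of this example.

```python
import re

# Added example (not from the thread): compare what a card answers over the
# air (UID / ATQA / SAK in the "tag select" lines of an hf mf sniff trace)
# with the bytes stored in its block 0, as the reply does by hand.

# "tag select" lines and block 0 copied from the traces posted in the reply
SNIFF_ORIGINAL = "tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x08\nRDR(0):04 00\n"
SNIFF_CLONE = "tag select uid:62 d9 0c 85  atqa:0x0004 sak:0x88\nRDR(0):04 00\n"
BLOCK0 = "62d90c8532880400c185149451203411"  # identical on both cards

TAG_SELECT = re.compile(
    r"tag select uid:((?:[0-9a-f]{2} ?)+)\s+atqa:0x([0-9a-f]{4})\s+sak:0x([0-9a-f]{2})")

def parse_block0(hexstr):
    """Block 0 of a 4-byte-UID Mifare Classic: UID[4] BCC SAK ATQA[2] mfr[8].
    BCC is the XOR of the UID bytes; ATQA is stored low byte first."""
    b = bytes.fromhex(hexstr)
    return {"uid": b[0:4].hex(),
            "bcc_ok": (b[0] ^ b[1] ^ b[2] ^ b[3]) == b[4],
            "sak": b[5],
            "atqa": b[6] | (b[7] << 8)}

def parse_sniff(trace):
    """Distinct (uid, atqa, sak) triples seen in the trace's 'tag select' lines."""
    seen = set()
    for m in TAG_SELECT.finditer(trace):
        seen.add((m.group(1).replace(" ", ""), int(m.group(2), 16), int(m.group(3), 16)))
    return sorted(seen)

def air_vs_block0(trace, block0_hex):
    """Fields where the over-the-air answer differs from block 0, as
    (field, value on air, value in block 0)."""
    stored = parse_block0(block0_hex)
    diffs = []
    for uid, atqa, sak in parse_sniff(trace):
        for name, air, mem in (("uid", uid, stored["uid"]),
                               ("atqa", atqa, stored["atqa"]),
                               ("sak", sak, stored["sak"])):
            if air != mem:
                diffs.append((name, air, mem))
    return diffs

if __name__ == "__main__":
    # original card: SAK 0x08 on air vs 0x88 in block 0; clone: no difference
    print("original:", air_vs_block0(SNIFF_ORIGINAL, BLOCK0))
    print("clone   :", air_vs_block0(SNIFF_CLONE, BLOCK0))
```

A reader that compares the anticollision SAK with the value it expects sees exactly this difference, which is why the clone that faithfully answers 0x88 from block 0 is rejected while the genuine card answering 0x08 is not.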
#6 2017-02-06 19:49:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

I agree, test changing the SAK from 0x88 -> 0x08 in your clone's block0.


#7 2017-02-07 17:26:45

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Hello,

I have changed the SAK from 0x88 to 0x08 and now I can unlock the door :)
Do you know the reason why the SAK 0x88 of the original Mifare card appears as 0x80 when the card is interacting with the reader?
Is this a kind of "anti-clone" scheme?

Thank you.


#8 2017-02-07 20:00:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

On an original NXP Mifare Classic tag S50 (1k) the UID + BCC + SAK + ATQA are there. But on clones like Fudan etc. it might not be the case. See block0 and the UID as OK, but the rest is up for grabs.


#9 2017-02-08 03:21:15

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Many current MF Classic compatibles allow you to change the SAK, and it does not always relate to the memory location in block 0 on genuine cards.


#10 2017-02-09 06:23:14

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Hello,

Thank you so much ;)


#11 2017-02-13 09:32:57

ltq1990
Contributor
Registered: 2017-01-12
Posts: 25

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Hi OP, I have had the same problem before, except the clone could be used only once and then became useless: the reader wouldn't respond anymore. I compared the data of the clone with the original one and found the same thing you discovered...


#12 2017-02-13 09:59:03

ltq1990
Contributor
Registered: 2017-01-12
Posts: 25

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

marshmellow wrote:

Many current mf classic compatibles allow you to change the sak, and it does not always relate to the memory location in block 0 on genuine cards.

Can you educate me on how to change the SAK sector on a Chinese UID card?


#13 2017-11-07 22:42:01

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

UID 1k    PASS B
62B18C44  73C4D9419595
735CE4E7  0269E1EE9595
53BB8D60  62FAD8759595
F3504260  826553759595
A3479860  324EDD759595
C3BA8D60  D2FBD8759595
Collected for analysis: samples of Tengo pass B.


#14 2017-11-07 22:46:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

All key B values end with 0x9595, so some kind of key-gen for the first 4 bytes. Could be related to the UID.
Didn't you have the KEYA also?


#15 2017-11-07 22:58:22

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Only 2 KEYA:
FFF011223358
FF9F11223358


#16 2017-11-07 23:01:05

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

UID 1k   PASS A        PASS B
62B18C44 FFF011223358  73C4D9419595
735CE4E7 FF9F11223358  0269E1EE9595
53BB8D60 FF9F11223358  62FAD8759595
F3504260 FF9F11223358  826553759595
A3479860 FF9F11223358  324EDD759595
C3BA8D60 FF9F11223358  D2FBD8759595


#17 2017-11-08 05:29:34

kevin2008
Contributor
Registered: 2017-10-01
Posts: 12

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

ltq1990 wrote:
marshmellow wrote:

Many current mf classic compatibles allow you to change the sak, and it does not always relate to the memory location in block 0 on genuine cards.

Can you educate me on how to change the SAK sector on a Chinese UID card?

http://www.proxmark.org/forum/viewtopic … 5700#p5700

Last edited by kevin2008 (2017-11-08 06:04:37)


#18 2017-11-08 10:29:43

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

I've found quite a few readers check the SAK now; it's a clever way of detecting clones, as it doesn't always relate to the value in Block 0.


#19 2017-11-08 10:36:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,523

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

ATQA / SAK is part of any tag identification. Not sure if it's a good way to detect a clone.


#20 2017-11-15 22:16:51

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

UID 1k    PASS A        PASS B
B3678660  FF9F11223358  C26E0F759595
A288DC75  FF9F11223358  13FD99609595
B3019160  FF9F11223358  C29424759595
A3019160  FF9F11223358  329424759595
13019160  FF9F11223358  A29424759595
03019160  FF9F11223358  929424759595
93938160  FF9F11223358  222214759595
F3558660  FF9F11223358  82100F759595
AEC274F5  FF9F11223358  C7D331B09595
BEE674F5  FF9F11223358  D7EF31B09595


#21 2017-11-15 22:22:47

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

It does not matter where the byte is located in the UID; it will be ported according to the table:

00 - 95
01 - 94
03 - 92
13 - A2 
42 - 53
44 - 41
47 - 4E
50 - 65
53 - 62
55 - 10
5C - 69
60 - 75
62 - 73
67 - 6E
73 - 02
74 - 31
75 - 60
81 - 14
86 - 0F
88 - FD
8C - D9
8D - D8
91 - 24
92 - 23
93 - 22
98 - DD
A2 - 13
A3 - 32
AE - C7
B1 - C4
B3 - C2
BA - FB
BB - FA
BE - D7  
C2 - D3
C3 - D2
DC - 99
E4 - E1
E6 - EF
E7 - EE
F3 - 82
F5 - B0


#22 2017-11-23 11:39:47

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

To: trazodone
Please, I ask you to post the password A/B from sector 1 of your Tengo cards :)


#23 2017-11-23 16:55:28

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Nice work Sentinel

Last edited by Onisan (2017-11-23 17:00:34)


#24 2017-11-23 16:58:19

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Sentinel, small error in the table

60  75
should read

60 95


#25 2017-11-23 17:40:24

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

I did not understand where the error is : )
I proceeded from the assumption that the 4 bytes of the UID are converted into 6 bytes of the password:
wwxxyyzz0000 - aabbccdd9595


#26 2017-11-24 08:47:43

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Sentinel,
Maybe I should read the post properly before making comments. I looked at a direct mapping and didn't do it properly. My apologies.
I'll leave the post for context, as your last post won't make sense without it :-(


#27 2017-11-24 09:42:27

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Hello Sentinel,

I did not log password A/B, but I did a simple Nested attack to get the card data.


#28 2017-11-24 10:31:31

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Thanks for the comments on my research : )
Waiting for passwords A & B.


#29 2017-11-24 11:28:34

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Hello,

I found my record. Both the A and B passwords are all ffffffffffff.


#30 2017-11-24 11:52:41

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Key ffffffffffff is for sector 0. And for sector 1?


#31 2017-11-24 12:51:24

trazodone
Contributor
Registered: 2015-11-25
Posts: 50

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Yes, for all sectors.


#32 2023-08-03 02:44:27

cantjie
Contributor
Registered: 2023-08-01
Posts: 2

Re: UID Chinese Mifare classic did not work with door lock brand Tengo

Thank you very much Sentinel!

I met the problem when trying to clone my flat door card.
1. I found my card's sector 1 encrypted with unknown keys. So first I tried to brute force the keys with a PN532, and I successfully got the keyA. However, after about 0.7M attempts, I failed to find the keyB.
2. Just as I was trying more attempts (actually, this may theoretically cost thousands of years), I googled the keyA and found this post. I then knew that the KeyB is related to the UID.
3. Although I did not find my UID bytes in reply #21, I found that the lower 4 bits follow the rule $x+y=5$, where x and y are the lower 4 bits of the UID bytes and KeyB bytes.
4. So the complexity comes down to at most 2^(4*4) = 65536 attempts. For me, the KeyB is in this pattern: XAX3X1XF9595, where X stands for 4 unknown bits.

Finally, after minutes of attempts with my PN532, I got my card's KeyB!

I'd really appreciate your post. Thank you!


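The byte table from reply #21 and cantjie's low-nibble observation from reply #32, checked against the UID / key B samples posted in replies #16 and #20, as an added example that is not part of the thread: it shows that the table reproduces all 16 posted samples and that the low-nibble rule holds for every table entry, which is why a fixed per-byte substitution gives no real key diversification once the table is known. All values are copied from the thread; the function names are assumptions of this example.

```python
# Added example (not from the thread): verify Sentinel's UID-byte -> key B
# byte table (reply #21) against the samples in replies #16 and #20, and
# test cantjie's low-nibble rule (reply #32). All values come from the thread.

# UID byte -> key B byte, as posted in reply #21
UID_TO_KEYB = {
    0x00: 0x95, 0x01: 0x94, 0x03: 0x92, 0x13: 0xA2, 0x42: 0x53, 0x44: 0x41,
    0x47: 0x4E, 0x50: 0x65, 0x53: 0x62, 0x55: 0x10, 0x5C: 0x69, 0x60: 0x75,
    0x62: 0x73, 0x67: 0x6E, 0x73: 0x02, 0x74: 0x31, 0x75: 0x60, 0x81: 0x14,
    0x86: 0x0F, 0x88: 0xFD, 0x8C: 0xD9, 0x8D: 0xD8, 0x91: 0x24, 0x92: 0x23,
    0x93: 0x22, 0x98: 0xDD, 0xA2: 0x13, 0xA3: 0x32, 0xAE: 0xC7, 0xB1: 0xC4,
    0xB3: 0xC2, 0xBA: 0xFB, 0xBB: 0xFA, 0xBE: 0xD7, 0xC2: 0xD3, 0xC3: 0xD2,
    0xDC: 0x99, 0xE4: 0xE1, 0xE6: 0xEF, 0xE7: 0xEE, 0xF3: 0x82, 0xF5: 0xB0,
}

# (UID, key B) pairs as posted in replies #16 and #20
SAMPLES = [
    ("62B18C44", "73C4D9419595"), ("735CE4E7", "0269E1EE9595"),
    ("53BB8D60", "62FAD8759595"), ("F3504260", "826553759595"),
    ("A3479860", "324EDD759595"), ("C3BA8D60", "D2FBD8759595"),
    ("B3678660", "C26E0F759595"), ("A288DC75", "13FD99609595"),
    ("B3019160", "C29424759595"), ("A3019160", "329424759595"),
    ("13019160", "A29424759595"), ("03019160", "929424759595"),
    ("93938160", "222214759595"), ("F3558660", "82100F759595"),
    ("AEC274F5", "C7D331B09595"), ("BEE674F5", "D7EF31B09595"),
]

def keyb_from_table(uid_hex):
    """Map each UID byte through the table and append the constant 9595 suffix.
    Returns None when a UID byte is missing from the (incomplete) table."""
    out = []
    for b in bytes.fromhex(uid_hex):
        if b not in UID_TO_KEYB:
            return None
        out.append(UID_TO_KEYB[b])
    return bytes(out).hex().upper() + "9595"

def count_matching_samples():
    """Number of posted samples the table reproduces exactly (expected: all 16)."""
    return sum(keyb_from_table(uid) == keyb for uid, keyb in SAMPLES)

def low_nibble_rule_holds():
    """cantjie's rule: (uid_low + keyb_low) mod 16 == 5 for every table entry."""
    return all(((x & 0xF) + (y & 0xF)) % 16 == 5 for x, y in UID_TO_KEYB.items())

if __name__ == "__main__":
    print(count_matching_samples(), "of", len(SAMPLES), "samples match the table")
    print("low-nibble rule holds for all table entries:", low_nibble_rule_holds())
    print("62B18C44 ->", keyb_from_table("62B18C44"))
```

The 60 -> 75 entry questioned in reply #24 is confirmed by the samples: every UID ending in 60 has a key B ending in 759595.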