Good news for mo-lock (aftermarket motorcycle nfc ignition) folks?

Ok, we can see the tag 2 training is failing at the read block 4 stage. It doesn’t even bother with the password.

This might be more complicated.

What is the value of block 4 on each tag? It might also be some sort of derivation scheme that requires specific data to be programmed in that block per UID. It means more brute forcing, unfortunately.

FYI
You can use this function




Ah, I got a message that the character limit was exceeded.

Hi from my side👋
Is there a solution to this problem?

I would like to use my xSIID. Is this possible, or if it is easier with another implant, which is the way to go?

Thx for any response✌️

After personally examining one of these locks, their NFC version specifically, the only way would be to brute force the pwd ack. This means using a proxmark3 to do emulation and run a lua script through all the possible combinations. You’d also need some way to detect success, like a computer vision system to watch for a green LED vs red.

The pwd ack is only 2 bytes so it would only take testing 65536 values to arrive at a solution… but once a few are cracked I think the derivation scheme could be discovered.

5 Likes

Ok, for my understanding, is it also not possible to clone an existing tag to a magic 1k?

An easier solution would be to use something like this

Yeah, until someone cracks the molock validation algorithm, it’s not something we can clone (yet?)

Do you have one of these modules?

Also, interesting product image

Have one ordered, should arrive next week; I’ll give feedback.

1 Like

To be clear we just need someone familiar with lua scripting for proxmark to create a way to break and clone stuff for mo-lock NFC. The hurdle right now is just a two byte PWD_ACK response from the chip and I think we can get a script together that will let either me or the public at large create the correct response for their xSIID, NExT, or xNT to work with mo-lock NFC.

3 Likes

could have been😂


Hello Luca,

thank you for your inquiry. As much as I would like to help you at this point,
unfortunately it is not possible for us to accommodate customer requests of this kind. I myself
find your project very interesting and would welcome supporting you in it,
but unfortunately my hands are tied here by the development department.
I am really very sorry.

Kind regards

René
motogadget Support Team

1 Like

just for the record

this is the on sniff

[usb] pm3 --> hf 14a sniff

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 850
[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 850 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       2244 |       4612 | Tag |44  00                                                                   |     |
      30880 |      35648 | Rdr |50  00  57  cd                                                           |  ok | HALT
     203792 |     204784 | Rdr |52(7)                                                                    |     | WUPA
     206036 |     208404 | Tag |44  00                                                                   |     |
     244544 |     247008 | Rdr |93  20                                                                   |     | ANTICOLL
     248196 |     254084 | Tag |88  04  fa  96  e0                                                       |     |
     299472 |     309936 | Rdr |93  70  88  04  fa  96  e0  c8  2e                                       |  ok | SELECT_UID
     311188 |     314708 | Tag |04  da  17                                                               |  ok |
     347760 |     350224 | Rdr |95  20                                                                   |     | ANTICOLL-2
     351412 |     357300 | Tag |1a  ba  10  90  20                                                       |     |
     402704 |     413232 | Rdr |95  70  1a  ba  10  90  20  41  79                                       |  ok | SELECT_UID-2
     414420 |     418004 | Tag |00  fe  51                                                               |  ok |
     498992 |     503760 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
     562276 |     583076 | Tag |04  fa  96  e0  1a  ba  10  90  20  48  00  00  e1  10  12  00  e3  63   |  ok |
     616592 |     621296 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
     622548 |     643412 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
     672768 |     680928 | Rdr |1b  0f  df  4b  2e  79  ee                                               |  ok | PWD-AUTH KEY: 0x0FDF4B2E
     682180 |     686852 | Tag |4c  02  74  d2                                                           |  ok |
    6198512 |    6199568 | Rdr |26(7)                                                                    |     | REQA
    6200756 |    6203124 | Tag |44  00                                                                   |     |
    6229376 |    6234144 | Rdr |50  00  57  cd                                                           |  ok | HALT
    6401456 |    6402448 | Rdr |52(7)                                                                    |     | WUPA
    6403700 |    6406068 | Tag |44  00                                                                   |     |
    6442032 |    6444496 | Rdr |93  20                                                                   |     | ANTICOLL
    6445700 |    6451588 | Tag |88  04  fa  96  e0                                                       |     |
    6496752 |    6507216 | Rdr |93  70  88  04  fa  96  e0  c8  2e                                       |  ok | SELECT_UID
    6508484 |    6512004 | Tag |04  da  17                                                               |  ok |
    6544848 |    6547312 | Rdr |95  20                                                                   |     | ANTICOLL-2
    6548500 |    6554388 | Tag |1a  ba  10  90  20                                                       |     |
    6599584 |    6610112 | Rdr |95  70  1a  ba  10  90  20  41  79                                       |  ok | SELECT_UID-2
    6611316 |    6614900 | Tag |00  fe  51                                                               |  ok |
    6695120 |    6699888 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
    6758404 |    6779204 | Tag |04  fa  96  e0  1a  ba  10  90  20  48  00  00  e1  10  12  00  e3  63   |  ok |
    6812624 |    6817328 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
    6818580 |    6839444 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
    6868960 |    6877120 | Rdr |1b  0f  df  4b  2e  79  ee                                               |  ok | PWD-AUTH KEY: 0x0FDF4B2E
    6878372 |    6883044 | Tag |4c  02  74  d2                                                           |  ok |
   12395712 |   12396768 | Rdr |26(7)                                                                    |     | REQA
   12397956 |   12400324 | Tag |44  00                                                                   |     |
   12426560 |   12431328 | Rdr |50  00  57  cd                                                           |  ok | HALT
   12599216 |   12600208 | Rdr |52(7)                                                                    |     | WUPA
   12601460 |   12603828 | Tag |44  00                                                                   |     |
   12639792 |   12642256 | Rdr |93  20                                                                   |     | ANTICOLL
   12643444 |   12649332 | Tag |88  04  fa  96  e0                                                       |     |
   12694496 |   12704960 | Rdr |93  70  88  04  fa  96  e0  c8  2e                                       |  ok | SELECT_UID
   12706212 |   12709732 | Tag |04  da  17                                                               |  ok |
   12742576 |   12745040 | Rdr |95  20                                                                   |     | ANTICOLL-2
   12746228 |   12752116 | Tag |1a  ba  10  90  20                                                       |     |
   12797328 |   12807856 | Rdr |95  70  1a  ba  10  90  20  41  79                                       |  ok | SELECT_UID-2
   12809060 |   12812644 | Tag |00  fe  51                                                               |  ok |
   12892912 |   12897680 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
   12956196 |   12976996 | Tag |04  fa  96  e0  1a  ba  10  90  20  48  00  00  e1  10  12  00  e3  63   |  ok |
   13010448 |   13015152 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
   13016404 |   13037268 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
   13066608 |   13074768 | Rdr |1b  0f  df  4b  2e  79  ee                                               |  ok | PWD-AUTH KEY: 0x0FDF4B2E
   13076036 |   13080708 | Tag |4c  02  74  d2                                                           |  ok |
   18579088 |   18580144 | Rdr |26(7)                                                                    |     | REQA

this is a learn sniff

[usb] pm3 --> hf 14a sniff

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 560
[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 560 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
       2260 |       4628 | Tag |44  00                                                                   |     |
      30816 |      35584 | Rdr |50  00  57  cd                                                           |  ok | HALT
     203152 |     204144 | Rdr |52(7)                                                                    |     | WUPA
     205396 |     207764 | Tag |44  00                                                                   |     |
     243792 |     246256 | Rdr |93  20                                                                   |     | ANTICOLL
     247444 |     253332 | Tag |88  04  8e  bb  b9                                                       |     |
     298512 |     309040 | Rdr |93  70  88  04  8e  bb  b9  7e  91                                       |  ok | SELECT_UID
     310228 |     313748 | Tag |04  da  17                                                               |  ok |
     346608 |     349072 | Rdr |95  20                                                                   |     | ANTICOLL-2
     350260 |     356148 | Tag |1a  ba  10  90  20                                                       |     |
     401360 |     411888 | Rdr |95  70  1a  ba  10  90  20  41  79                                       |  ok | SELECT_UID-2
     413076 |     416660 | Tag |00  fe  51                                                               |  ok |
     497008 |     501776 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
     560308 |     581172 | Tag |04  8e  bb  b9  1a  ba  10  90  20  48  00  00  e1  10  12  00  1e  e9   |  ok |
     614640 |     619344 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
     620612 |     641476 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
     670960 |     679184 | Rdr |1b  51  99  5e  63  4a  37                                               |  ok | PWD-AUTH KEY: 0x51995E63
     680372 |     685044 | Tag |4c  02  74  d2                                                           |  ok |
   18914064 |   18915120 | Rdr |26(7)                                                                    |     | REQA
   18916292 |   18918660 | Tag |44  00                                                                   |     |
   18944912 |   18949680 | Rdr |50  00  57  cd                                                           |  ok | HALT
   19116656 |   19117648 | Rdr |52(7)                                                                    |     | WUPA
   19118900 |   19121268 | Tag |44  00                                                                   |     |
   19157248 |   19159712 | Rdr |93  20                                                                   |     | ANTICOLL
   19160884 |   19166772 | Tag |88  04  8e  bb  b9                                                       |     |
   19211968 |   19222496 | Rdr |93  70  88  04  8e  bb  b9  7e  91                                       |  ok | SELECT_UID
   19223668 |   19227188 | Tag |04  da  17                                                               |  ok |
   19260080 |   19262544 | Rdr |95  20                                                                   |     | ANTICOLL-2
   19263716 |   19269604 | Tag |1a  ba  10  90  20                                                       |     |
   19314832 |   19325360 | Rdr |95  70  1a  ba  10  90  20  41  79                                       |  ok | SELECT_UID-2
   19326532 |   19330116 | Tag |00  fe  51                                                               |  ok |
   19410480 |   19415248 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
   19473780 |   19494644 | Tag |04  8e  bb  b9  1a  ba  10  90  20  48  00  00  e1  10  12  00  1e  e9   |  ok |
   19528096 |   19532800 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
   19534052 |   19554916 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
   19584400 |   19592624 | Rdr |1b  51  99  5e  63  4a  37                                               |  ok | PWD-AUTH KEY: 0x51995E63
   19593796 |   19598468 | Tag |4c  02  74  d2                                                           |  ok |

and a failed learn sniff

[usb] pm3 --> hf 14a sniff

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 881
[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 881 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
    5742464 |    5743520 | Rdr |26(7)                                                                    |     | REQA
   11485072 |   11486128 | Rdr |26(7)                                                                    |     | REQA
   17226976 |   17228032 | Rdr |26(7)                                                                    |     | REQA
   22969680 |   22970736 | Rdr |26(7)                                                                    |     | REQA
   28712512 |   28713568 | Rdr |26(7)                                                                    |     | REQA
   28714740 |   28717108 | Tag |44  00                                                                   |     |
   28743312 |   28748080 | Rdr |50  00  57  cd                                                           |  ok | HALT
   28915072 |   28916064 | Rdr |52(7)                                                                    |     | WUPA
   28917300 |   28919668 | Tag |44  00                                                                   |     |
   28955648 |   28958112 | Rdr |93  20                                                                   |     | ANTICOLL
   28959284 |   28965108 | Tag |88  04  c5  79  30                                                       |     |
   29010336 |   29020864 | Rdr |93  70  88  04  c5  79  30  7d  5e                                       |  ok | SELECT_UID
   29022052 |   29025572 | Tag |04  da  17                                                               |  ok |
   29058400 |   29060864 | Rdr |95  20                                                                   |     | ANTICOLL-2
   29062052 |   29067876 | Tag |32  94  51  80  77                                                       |     |
   29113120 |   29123584 | Rdr |95  70  32  94  51  80  77  e0  8d                                       |  ok | SELECT_UID-2
   29124820 |   29128404 | Tag |00  fe  51                                                               |  ok |
   29208720 |   29213488 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
   29214676 |   29235540 | Tag |04  c5  79  32  94  51  80  00  44  00  0f  00  e1  10  ea  00  07  62   |  ok |
   29269024 |   29273728 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
   29274980 |   29295844 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
   29325296 |   29333520 | Rdr |1b  ff  ea  da  7b  ec  23                                               |  ok | PWD-AUTH KEY: 0xFFEADA7B
   29386404 |   29387044 | Tag |00(4)                                                                    |     |
   47611040 |   47612096 | Rdr |26(7)                                                                    |     | REQA
   47613268 |   47615636 | Tag |44  00                                                                   |     |
   47641824 |   47646592 | Rdr |50  00  57  cd                                                           |  ok | HALT
   47813648 |   47814640 | Rdr |52(7)                                                                    |     | WUPA
   47815892 |   47818260 | Tag |44  00                                                                   |     |
   47854224 |   47856688 | Rdr |93  20                                                                   |     | ANTICOLL
   47857876 |   47863700 | Tag |88  04  c5  79  30                                                       |     |
   47908960 |   47919488 | Rdr |93  70  88  04  c5  79  30  7d  5e                                       |  ok | SELECT_UID
   47920676 |   47924196 | Tag |04  da  17                                                               |  ok |
   47957040 |   47959504 | Rdr |95  20                                                                   |     | ANTICOLL-2
   47960676 |   47966500 | Tag |32  94  51  80  77                                                       |     |
   48011776 |   48022240 | Rdr |95  70  32  94  51  80  77  e0  8d                                       |  ok | SELECT_UID-2
   48023476 |   48027060 | Tag |00  fe  51                                                               |  ok |
   48107408 |   48112176 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
   48113364 |   48134228 | Tag |04  c5  79  32  94  51  80  00  44  00  0f  00  e1  10  ea  00  07  62   |  ok |
   48167728 |   48172432 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
   48173668 |   48194532 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
   48224016 |   48232240 | Rdr |1b  ff  ea  da  7b  ec  23                                               |  ok | PWD-AUTH KEY: 0xFFEADA7B
   48285140 |   48285780 | Tag |00(4)                                                                    |     |
   66508592 |   66509648 | Rdr |26(7)                                                                    |     | REQA
   66510836 |   66513204 | Tag |44  00                                                                   |     |
   66539376 |   66544144 | Rdr |50  00  57  cd                                                           |  ok | HALT
   66711120 |   66712112 | Rdr |52(7)                                                                    |     | WUPA
   66713380 |   66715748 | Tag |44  00                                                                   |     |
   66751712 |   66754176 | Rdr |93  20                                                                   |     | ANTICOLL
   66755364 |   66761188 | Tag |88  04  c5  79  30                                                       |     |
   66806352 |   66816880 | Rdr |93  70  88  04  c5  79  30  7d  5e                                       |  ok | SELECT_UID
   66818068 |   66821588 | Tag |04  da  17                                                               |  ok |
   66854432 |   66856896 | Rdr |95  20                                                                   |     | ANTICOLL-2
   66858084 |   66863908 | Tag |32  94  51  80  77                                                       |     |
   66909120 |   66919584 | Rdr |95  70  32  94  51  80  77  e0  8d                                       |  ok | SELECT_UID-2
   66920836 |   66924420 | Tag |00  fe  51                                                               |  ok |
   67004736 |   67009504 | Rdr |30  00  02  a8                                                           |  ok | READBLOCK(0)
   67010692 |   67031556 | Tag |04  c5  79  32  94  51  80  00  44  00  0f  00  e1  10  ea  00  07  62   |  ok |
   67065040 |   67069744 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)
   67071012 |   67091876 | Tag |6d  6f  74  6f  67  61  64  67  65  74  2d  6b  65  79  30  30  6a  04   |  ok |
   67121328 |   67129552 | Rdr |1b  ff  ea  da  7b  ec  23                                               |  ok | PWD-AUTH KEY: 0xFFEADA7B
   67182436 |   67183076 | Tag |00(4)                                                                    |     |

I just got a couple of “slim keys” from them which are just NFC stickers, as expected.

1 Like

Just to clarify how this is working when you try to enroll (and use) a new legit NFC chip:

  • Lock reads chip UID
  • Lock reads block 4 (the first user mem page)
  • If expected data is there, lock sends calculated password (visible in sniff)
  • Tag responds to PWD_AUTH with PWD_ACK

The problem here is that both the PWD_AUTH password and PWD_ACK are calculated values (aka derived keys) that a programmer sets on the tags before shipping. The good news is, because there is no secure channel for NTAG2x chips, we can get the calculated password from the reader itself. Frankly I don’t know why they bother to even randomize this, but whatever.

So, all we need to do is figure out how the PWD_ACK is calculated, or we need to just create a brute force LUA script to allow NFC implants to be programmed with the expected correct PWD_ACK for mo-lock locks.

In testing my own small set of 4 legit tags, I found something interesting…

UID            PWD      ACK
----------------------------
049cb76aba1090 0825CFE0 6f03
045dea6aba1090 69EF1FEF 6f03
04097a1aba1090 68AF0B95 4c02
04dc633aba1090 FB787DD0 4c02

The ACKs for 2 tags are identical, and the ACKs for the other 2 are also identical.

I did try to enroll another transponder with a set pwd based on lock output with both of those ACK values, but it didn’t work… however that led me to notice something else. The UIDs of the tags I have are very close together, meaning they probably came off the same serialized wafer. I would bet the algorithm used to derive the ACK values is rather simplistic, given the difference in bytes between all 4 UIDs is small.

If we can continue to add to this list through sniffing, it might become possible to crack the derivation scheme.

Failing that, I would take a LUA script that just brute forces the PWD_ACK (it’s only two bytes after all) and set about pre-programming a bunch of xNT chips as “mo-lock compatible” and ship them with the PWD and PWD_ACK values so it could be re-programmed at will by the owner.

2 Likes
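As an added example (not code from this thread or from the lock’s maker), the following Python decodes the exchange described in the steps above out of Proxmark3 `hf 14a list` output: it rebuilds the 7-byte UID from the two anticollision cascade levels, checks that the pages returned by READBLOCK(0) carry the same UID and BCC bytes the tag selected with, recomputes the ISO 14443-3 CRC_A on the PWD_AUTH frame and its reply, and tells a 2-byte PWD_ACK apart from a 4-bit NAK. The sample rows are constructed from the "on" sniff and the failed learn sniff posted above, with the columns trimmed.

```python
"""Decode the NTAG21x PWD_AUTH exchange from a Proxmark3 `hf 14a list` trace."""
import re
from collections import namedtuple

# One trace row: start | end | src | data | crc | annotation
ROW = re.compile(r"^\s*\d+\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|([^|]*)\|(.*)$")
# nbits is 0 for whole-byte frames, 7 for REQA/WUPA and 4 for an NTAG NAK
Frame = namedtuple("Frame", "src data nbits")

# Constructed sample rows, trimmed from the "on" sniff and the failed learn sniff above.
SNIFF_OK = """\
244544 | 247008 | Rdr |93  20 |     | ANTICOLL
248196 | 254084 | Tag |88  04  fa  96  e0 |     |
347760 | 350224 | Rdr |95  20 |     | ANTICOLL-2
351412 | 357300 | Tag |1a  ba  10  90  20 |     |
498992 | 503760 | Rdr |30  00  02  a8 |  ok | READBLOCK(0)
562276 | 583076 | Tag |04  fa  96  e0  1a  ba  10  90  20  48  00  00  e1  10  12  00  e3  63 |  ok |
672768 | 680928 | Rdr |1b  0f  df  4b  2e  79  ee |  ok | PWD-AUTH KEY: 0x0FDF4B2E
682180 | 686852 | Tag |4c  02  74  d2 |  ok |
"""
SNIFF_FAIL = """\
28955648 | 28958112 | Rdr |93  20 |     | ANTICOLL
28959284 | 28965108 | Tag |88  04  c5  79  30 |     |
29058400 | 29060864 | Rdr |95  20 |     | ANTICOLL-2
29062052 | 29067876 | Tag |32  94  51  80  77 |     |
29208720 | 29213488 | Rdr |30  00  02  a8 |  ok | READBLOCK(0)
29214676 | 29235540 | Tag |04  c5  79  32  94  51  80  00  44  00  0f  00  e1  10  ea  00  07  62 |  ok |
29269024 | 29273728 | Rdr |1b  ff  ea  da  7b  ec  23 |  ok | PWD-AUTH KEY: 0xFFEADA7B
29386404 | 29387044 | Tag |00(4) |     |
"""

def parse_trace(text: str) -> list:
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                        # banner, column header, separator
        nbits, data = 0, bytearray()
        for tok in m.group(2).split():
            tok = tok.rstrip("!")           # "!" flags a parity error
            if tok.endswith(")"):           # "26(7)" / "00(4)": short frame
                tok, n = tok[:-1].split("(")
                nbits = int(n)
            data.append(int(tok, 16))
        frames.append(Frame(m.group(1), bytes(data), nbits))
    return frames

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (reflected poly 0x8408, init 0x6363), low byte first."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes((crc & 0xFF, crc >> 8))

def bcc(four: bytes) -> int:
    return four[0] ^ four[1] ^ four[2] ^ four[3]   # ISO 14443-3 block check character

def analyze(frames: list) -> dict:
    uid, bcc_ok, block0, pwd, ack, crc_ok = b"", True, b"", "", "none", False
    for f, nxt in zip(frames, frames[1:]):
        if f.src != "Rdr" or nxt.src != "Tag":
            continue
        cmd, rsp = f.data, nxt.data
        if cmd in (b"\x93\x20", b"\x95\x20") and len(rsp) == 5:   # anticollision L1 / L2
            bcc_ok &= bcc(rsp[:4]) == rsp[4]
            uid += rsp[1:4] if rsp[0] == 0x88 else rsp[:4]        # 0x88 is the cascade tag
        elif cmd[:2] == b"\x30\x00" and len(rsp) == 18:           # READ page 0: 16 bytes + CRC
            block0 = rsp[:16]
        elif cmd[:1] == b"\x1b" and len(cmd) == 7:                # PWD_AUTH: 1B + PWD + CRC
            pwd = cmd[1:5].hex()
            crc_ok = crc_a(cmd[:5]) == cmd[5:]
            if nxt.nbits == 4:                                    # 4-bit reply = NAK
                ack = "NAK"
            elif len(rsp) == 4:                                   # PWD_ACK + CRC
                ack = rsp[:2].hex()
                crc_ok &= crc_a(rsp[:2]) == rsp[2:]
    # NTAG21x layout: page0 = UID0..2 + BCC0, page1 = UID3..6, page2[0] = BCC1
    block0_ok = len(uid) == 7 and len(block0) == 16 and block0[:9] == (
        uid[:3] + bytes([bcc(b"\x88" + uid[:3])]) + uid[3:] + bytes([bcc(uid[3:])]))
    return {"uid": uid.hex(), "pwd": pwd, "ack": ack,            # ack: hex PWD_ACK, "NAK" or "none"
            "bcc_ok": bcc_ok, "block0_ok": block0_ok, "auth_crc_ok": crc_ok}
```

On the successful sniff `analyze` returns the PWD_ACK `4c02` and every consistency check passes; on the failed learn sniff it reports the 4-bit NAK and additionally that the stored pages 0-2 do not match the UID that tag selected with.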

Just as a side note… unless it wasn’t clear, this situation perfectly illustrates to me how a security mechanism is only as secure as its weakest link. In this scenario, the password length of NTAG2xx chips is 4 bytes (32 bits), however because the communication channel the chips use is not secured, we are really left with a 2 byte security mechanism in the PWD_ACK response… and that might not even be a consideration for some implementations which would basically ignore the ACK value as long as the PWD_AUTH command returned successfully.

• 32 bits = 4,294,967,296 combinations
• 16 bits = 65,536 combinations

That makes it pretty clear that brute forcing the PWD_ACK response with a script shouldn’t be all that difficult… I just don’t know LUA well enough to write the script. Let’s break it down…

• 65535 combinations * a generous 3 seconds per attempt = 196605 seconds
• 196605 seconds / 60 = 3276.75 minutes
• 3276.75 minutes / 60 = 54.6125 hours

So basically 3 days to run through absolutely every possible combination of PWD_ACK responses. Not bad I’d say.

3 Likes

Interestingly, Iceman made a video a couple months ago about how to use the pm3 client using python, lua, c, and others. I might try to do it in python, unless there is some reason you know of that it needs to be in lua??

1 Like

hm. But when I try what he did, I get

$ ./02run_test.sh 
Traceback (most recent call last):
  File "/home/miststlkr/workspace/proxmark3/client/experimental_lib/example_py/./test.py", line 3, in <module>
    import pm3
  File "/home/miststlkr/workspace/proxmark3/client/pyscripts/pm3.py", line 15, in <module>
    import _pm3
ImportError: /home/miststlkr/workspace/proxmark3/client/experimental_lib/example_py/_pm3.so: undefined symbol: bf_generate

It’ll need some poking, but it looks promising based on his video.

2 Likes

The thing that needs to happen is being able to control the emulation mode such that the emulated tag can appear and disappear from the reader field between attempts.

2 Likes

The other thing that will be needed is probably some kind of simple machine vision method that points a camera at the lock’s LED and looks for a green color blink, then takes a screenshot of the script to get the PWD_ACK being used.

Anyone know any very simple open source libraries that can do simple color detection in real-time and launch some sort of command line executable that can do the screen capture and save it to a jpg or whatever?

  • Need a script that displays the PWD_ACK being tried
  • Need a computer vision thing to watch for a green success light
  • Need a simple utility that runs and saves a screenshot to an image file

2 Likes

Just for my understanding, how did you get / where to find the ACK value?
I’m still learning, just trying to understand… unfortunately my knowledge isn’t enough to help with any of this.

List

UID            PWD      ACK
----------------------------
049cb76aba1090 0825CFE0 6f03
045dea6aba1090 69EF1FEF 6f03
04097a1aba1090 68AF0B95 4c02
04dc633aba1090 FB787DD0 4c02
04da171aba1090 51995E63 ????
0495701aba1090 0FDF4B2E ????