52梯控论坛

标题: 这个挑战对我来说太大了，求大神帮助 [打印本页]

作者: 3317948168 时间: 2020-12-6 07:28
标题: 这个挑战对我来说太大了，求大神帮助
当前对我家的电梯梯控系统感了兴趣，仗着自习喜欢在电脑上折腾些东西，就买了个PM6读写器，谁知道读出来的数据竟然是加密的，哪位大神能告知我密文解密算法，让我也找一下楼层和日期，享受一下破解的乐趣。
0扇区：
0A 1F 84 0C 9D 08 04 00 02 D1 14 61 4D 8A A7 1D
00 1B 00 00 00 74 84 00 00 00 00 00 00 00 00 00
00 1C 00 00 00 23 A5 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
1扇区：
82 3E E8 1F 12 E0 90 19 25 28 8E 17 16 2C 92 5E
1A 30 96 46 37 5C 45 23 22 38 9E 27 26 3C A2 33
2A 40 A6 2F 2E 44 AA 33 32 48 AE 37 36 4C B2 3B
18 2B D2 74 8F 2E FF 07 80 00 18 2B D2 74 8F 2E
2扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
3扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
4扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
5扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
6扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
7扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
8扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
9扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
10扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
11扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
12扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
13扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
14扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
15扇区：
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF

作者: www9241307 时间: 2020-12-6 07:51
你这可是康拓1的变种，锤子可以做

作者: 3317948168 时间: 2020-12-6 09:31
如果是AES加密，那么秘钥一定在卡内的非加密区的数据里，并且长度极有可能是16字节，我试了很久，也没找到，由于以前从来没有接触过IC卡，所以还请大神多多指点，谢谢！

作者: 3317948168 时间: 2020-12-6 09:47

www9241307 发表于 2020-12-6 07:51
你这可是康拓1的变种，锤子可以做

锤子机器人给分析的结果如下，但是到期时间明显不对，滚动码位置也不对，经过对比，滚动位竟然是0区1块和2块的非0数据

系统名称康拓1代-变种第1扇区-1607129513.18095-chuizi

到期时间
1扇区-1区块-第6-7字节
5C45
明码到期时间：460205

楼号
1扇区-0区块-第7-8字节
9019

楼层
1扇区-0区块-第10-16字节
288E17162C925E

效验
1扇区-1区块-第14字节
3C
如果是00 直接可以延期

滚动位
1扇区-1区块-第13字节
26
如果是00 不需要修改。不是00需要修改用户编号滚动初始化发卡计算效验

园区码
1扇区-0区块-第1-3字节
823EE8

功能位
1扇区-0区块-第4字节
1F
10改11通卡代码或者改20

单元代码
1扇区-0区块-第9字节
25

用户编号
1扇区-0区块-第5-6字节
12E0
滚动码发卡必改

广告信息
康拓部分小区支持M1卡部分支持FUID卡
发卡注意修改用户编号，滚动初始化，效验算好，实在不行就发卡，目前市场锤子解密器有详细教学
康拓变种含义为：康拓非明码以密文加密。目前已知康拓 4/4.5/5均是变种

查询成功! 主人机器人最近可能会升级简单系统自动延期功能哦!

作者: wangchuanchao52 时间: 2020-12-6 13:24
路过学习一下

作者: www9241307 时间: 2020-12-6 17:44

3317948168 发表于 2020-12-6 09:47
锤子机器人给分析的结果如下，但是到期时间明显不对，滚动码位置也不对，经过对比，滚动位竟然是0区1块和 ...

解密后的数据

1扇区：
78 1E 62 10 04 BC 06 06 13 00 00 00 00 00 00 43
00 00 00 27 19 28 AB 00 00 00 00 00 00 00 00 08 28 AB日期码。到期20.05.11
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
18 2B D2 74 8F 2E FF 07 80 00 18 2B D2 74 8F 2E

作者: www9241307 时间: 2020-12-6 17:50
本帖最后由 www9241307 于 2020-12-7 09:39 编辑

3317948168 发表于 2020-12-6 09:47
锤子机器人给分析的结果如下，但是到期时间明显不对，滚动码位置也不对，经过对比，滚动位竟然是0区1块和 ...

原卡延期一年数据

0 扇区
0 区块:0A1F840C9D08040002D114614D8AA71D
1 区块:001B0000007730000000000000000000
2 区块:001C0000007730000000000000000000
3 区块:FFFFFFFFFFFFFF078069FFFFFFFFFFFF

1 扇区
0 区块:823EE81F12E0901925288E17162C925E
1 区块:1A309646375C452322389E27263CA233
2 区块:2A40A62F2E44AA333248AE37364CB23B
3 区块:182BD2748F2EFF078000182BD2748F2E

发卡延期一年数据

0 扇区
0 区块:5695DA031A08040002D114614D8AA71D
1 区块:001B0000001DCC000000000000000000
2 区块:001C0000001DCC000000000000000000
3 区块:FFFFFFFFFFFFFF078069FFFFFFFFFFFF

1 扇区
0 区块:E7B43E165F72E610719EE40E62A2E855
1 区块:66A6EC3D83D49B1A6EAEF41E72B2F82A
2 区块:76B6FC267ABA002A7EBE042E82C20832
3 区块:44A18C7B0570FF07800044A18C7B0570

上面二个数据你可以都试试可不可用

作者: wangchuanchao52 时间: 2020-12-6 18:59
咋解密的，能否说下

作者: 淘气KO 时间: 2020-12-6 20:48
牛叉啊~~学习下~

作者: wp7305 时间: 2020-12-6 22:25
路过学习学习……

作者: www9241307 时间: 2020-12-7 09:40

wangchuanchao52 发表于 2020-12-6 18:59
咋解密的，能否说下

我晕哦！你有锤子工具啊

作者: songheming 时间: 2020-12-7 13:50
小白路过，学习中！

作者: 3317948168 时间: 2020-12-7 19:26

www9241307 发表于 2020-12-6 17:50
原卡延期一年数据

0 扇区

厉害啊，膜拜中，能告诉我解密算法吗？我不是卡匠，不追求延期结果，只是对电梯卡产生了很强的兴趣，谢谢你的大力帮助。另外原卡延期数据肯定不能用了，我拿原卡又刷过几次电梯，产生了新的滚动。发卡数据我会试试，待会就买FUID卡，据说康拓系统对UID和CUID免疫力很强。不过我看到发卡延期一年的数据滚动码并没有重置或者初始化，这样也可以吗？

作者: www9241307 时间: 2020-12-7 23:51
本帖最后由 www9241307 于 2020-12-7 23:52 编辑

3317948168 发表于 2020-12-7 19:26
厉害啊，膜拜中，能告诉我解密算法吗？我不是卡匠，不追求延期结果，只是对电梯卡产生了很强的兴趣，谢谢 ...

你原卡刷过就不能用原卡延期的数据了

作者: anan66 时间: 2020-12-8 08:18
路过学习一下但是一点看不懂

作者: 3317948168 时间: 2020-12-9 06:40
谢谢各位捧场，继续求解密算法，希望大神不吝赐教，万分感谢

作者: 3317948168 时间: 2020-12-13 08:56
大神啊，期待您在到来，谢谢啦

作者: 3317948168 时间: 2020-12-13 08:58

3317948168 发表于 2020-12-7 19:26
厉害啊，膜拜中，能告诉我解密算法吗？我不是卡匠，不追求延期结果，只是对电梯卡产生了很强的兴趣，谢谢 ...

两个数据写卡后都不能用，fuid卡，122u写卡器写的

作者: 3317948168 时间: 2020-12-21 09:08
有没有人知道解密算法啊？？？求救求救

欢迎光临 52梯控论坛 (https://www.52tikong.com/)