52梯控 Forum


This challenge is too big for me; asking the experts for help

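Original poster
Posted 2020-12-6 07:28:51
I've recently become interested in the elevator access-control system in my building. Since I like tinkering with things on the computer, I bought a PM6 reader/writer, but it turns out the data it reads is encrypted. Could some expert tell me the decryption algorithm for the ciphertext, so that I can find the floor and date myself and enjoy the fun of cracking it?
Sector 0: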
0A 1F 84 0C 9D 08 04 00 02 D1 14 61 4D 8A A7 1D
00 1B 00 00 00 74 84 00 00 00 00 00 00 00 00 00
00 1C 00 00 00 23 A5 00 00 00 00 00 00 00 00 00
FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
Sector 1:
82 3E E8 1F 12 E0 90 19 25 28 8E 17 16 2C 92 5E
1A 30 96 46 37 5C 45 23 22 38 9E 27 26 3C A2 33
2A 40 A6 2F 2E 44 AA 33 32 48 AE 37 36 4C B2 3B
18 2B D2 74 8F 2E FF 07 80 00 18 2B D2 74 8F 2E

Comments

Let me take a look and learn!  Posted 2022-5-18 16:32
2#
Posted 2020-12-6 07:51:43
This is a variant of Kangtuo (康拓) 1; Chuizi (锤子) can do it.

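3#
Original poster | Posted 2020-12-6 09:31:16
If it is AES encryption, then the key must be somewhere in the data in the card's unencrypted area, and its length is very likely 16 bytes. I tried for a long time and could not find it. I have never worked with IC cards before, so I would appreciate any guidance from the experts. Thanks!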

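4#
Original poster | Posted 2020-12-6 09:47:18
www9241307 posted on 2020-12-6 07:51
This is a variant of Kangtuo (康拓) 1; Chuizi (锤子) can do it.

The analysis from the Chuizi (锤子) robot is below, but the expiry time is clearly wrong and the rolling-code position is wrong too. After comparing, the rolling bits turn out to be the non-zero data in sector 0, blocks 1 and 2.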

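System name: Kangtuo (康拓) Gen 1 - variant, sector 1-1607129513.18095-chuizi

Expiry time
Sector 1, block 1, bytes 6-7
5C45
Plaintext expiry time: 460205

Building number
Sector 1, block 0, bytes 7-8
9019

Floor
Sector 1, block 0, bytes 10-16
288E17162C925E

Checksum
Sector 1, block 1, byte 14
3C
If it is 00, the card can be extended directly

Rolling bit
Sector 1, block 1, byte 13
26
If it is 00, no modification is needed. If it is not 00, the user number must be modified, the rolling code initialized, and the checksum computed when issuing a card

Compound code
Sector 1, block 0, bytes 1-3
823EE8

Function bit
Sector 1, block 0, byte 4
1F
Change 10 to 11 for the master-card code, or change it to 20

Unit code
Sector 1, block 0, byte 9
25

User number
Sector 1, block 0, bytes 5-6
12E0
Must be changed when issuing a rolling-code card

Advertisement
Some Kangtuo compounds support M1 cards, some support FUID cards
When issuing a card, take care to modify the user number, initialize the rolling code, and compute the checksum correctly; if that really does not work, just issue a card. The Chuizi decryptor currently on the market comes with detailed tutorials
"Kangtuo variant" means: Kangtuo without plaintext codes, encrypted as ciphertext. Kangtuo 4/4.5/5 are currently all known to be variants

Query successful! The robot may soon be upgraded with an automatic extension feature for simple systems!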

5#
Posted 2020-12-6 13:24:52
Just passing by to learn.

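6#
Posted 2020-12-6 17:44:26
3317948168 posted on 2020-12-6 09:47
The analysis from the Chuizi (锤子) robot is below, but the expiry time is clearly wrong and the rolling-code position is wrong too. After comparing, the rolling bits turn out to be sector 0, block 1 and ...

Decrypted data

Sector 1:
78 1E 62 10 04 BC 06 06 13 00 00 00 00 00 00 43
00 00 00 27 19 28 AB 00 00 00 00 00 00 00 00 08    (28 AB is the date code; expires 20.05.11)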
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
18 2B D2 74 8F 2E FF 07 80 00 18 2B D2 74 8F 2E

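7#
Posted 2020-12-6 17:50:01
This post was last edited by www9241307 on 2020-12-7 09:39
3317948168 posted on 2020-12-6 09:47
The analysis from the Chuizi (锤子) robot is below, but the expiry time is clearly wrong and the rolling-code position is wrong too. After comparing, the rolling bits turn out to be sector 0, block 1 and ...

Original card, data extended by one year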


Newly issued card, data extended by one year


You can try both of the data sets above and see whether they work.

8#
Posted 2020-12-6 18:59:13
How did you decrypt it? Could you explain?

9#
Posted 2020-12-6 20:48:30
Awesome~~ learning from this~

10#
Posted 2020-12-6 22:25:25 from mobile
Just passing by to learn...