Yale Conexis L1 - can you copy the RFID key ?

  • Published 27 Feb 2021
  • The Yale Conexis L1 is a very popular RFID / Bluetooth / Z-Wave door lock in the UK. This video took ages to put together for many reasons, but in it I show you how you can copy the RFID cards that come with the lock. The project isn't finished: at the moment I can replicate a key and open the door, but I still need to work out how the algorithm works so that I can predict the next value and generate my own cards.
    Commands used on the Proxmark3 (Iceman client, older positional syntax; current releases express the same operations with named options, e.g. hf mf rdbl --blk 16 -b -k FFFFFFFFFFFF):
    hf mf auto - to automatically copy the MIFARE Classic card (the client expands this prefix to hf mf autopwn, which recovers the sector keys and dumps the card)
    hf mf rdbl 16 B FFFFFFFFFFFF - to read block 16 with key B (FFFFFFFFFFFF is the factory default key; check the sector trailer in your dump if the cards you have use a different one)
    hf mf wrbl 16 B FFFFFFFFFFFF {data} - to write {data} (16 bytes, given as 32 hex characters) to block 16 with key B
    diff -s -W 70 file1 file2 - to compare files (useful with the JSON dumps to find out whether any data changed; -s also reports when the two files are identical)
    Videos - using a Proxmark and a Chameleon together: • Proxmark and Chameleon...
    How to copy MIFARE Classic cards: • Copying Mifare cards w...
    How to use the Chameleon and the app: • How to use the new Pro...
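The diff step from the description, done block by block instead of with a text diff. This is an added example, not code from the video or from Yale. It assumes the Proxmark3 Iceman hf mf dump output in either its raw 1024-byte .bin form or its .json form whose "blocks" object maps block numbers (as strings) to hex strings; the sample dumps built inside it are constructed and are not real Yale card data.

```python
"""Block-level comparison of two MIFARE Classic 1K dumps.

Added example for this page, not code from the video or from Yale. It does
what the `diff -s -W 70` step does, but block by block: it reports which
sector/block changed and which bytes inside it. The Proxmark3 Iceman
`hf mf dump` output is assumed to be either the raw 1024-byte .bin image or
the .json file whose "blocks" object maps block numbers (as strings) to hex.
All sample dumps below are constructed here; they are not real Yale data.
"""
import json
import sys

BLOCK_SIZE = 16
BLOCKS_1K = 64            # 16 sectors x 4 blocks


def is_trailer(block_no):
    """On a 1K card every 4th block (3, 7, 11, ...) is a sector trailer (keys + access bits)."""
    return block_no % 4 == 3


def parse_dump(data):
    """Return the 64 blocks as a list of 16-byte values.

    `data` is either the raw bytes of a .bin dump or the dict loaded from the
    Iceman .json dump (assumed layout: data["blocks"]["<n>"] = hex string).
    """
    if isinstance(data, (bytes, bytearray)):
        if len(data) != BLOCK_SIZE * BLOCKS_1K:
            raise ValueError(f"expected a 1K image of {BLOCK_SIZE * BLOCKS_1K} bytes, got {len(data)}")
        return [bytes(data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) for i in range(BLOCKS_1K)]
    return [bytes.fromhex(data["blocks"][str(i)]) for i in range(BLOCKS_1K)]


def load_dump(path):
    """Pick the parser from the file extension (.json, anything else is treated as raw)."""
    if path.endswith(".json"):
        with open(path, encoding="utf-8") as fh:
            return parse_dump(json.load(fh))
    with open(path, "rb") as fh:
        return parse_dump(fh.read())


def same_card(old, new):
    """Block 0 starts with the UID; if it differs you are diffing two different tags."""
    return old[0][:4] == new[0][:4]


def diff_dumps(old, new):
    """List (block, old_hex, new_hex, changed_byte_offsets) for every block that differs."""
    changes = []
    for n, (a, b) in enumerate(zip(old, new)):
        if a != b:
            offsets = [i for i in range(BLOCK_SIZE) if a[i] != b[i]]
            changes.append((n, a.hex(), b.hex(), offsets))
    return changes


def changed_blocks(old, new):
    return [n for n, _, _, _ in diff_dumps(old, new)]


def describe(changes):
    lines = []
    for n, a, b, offsets in changes:
        kind = "trailer" if is_trailer(n) else "data"
        lines.append(f"sector {n // 4} block {n:2d} ({kind}): {a} -> {b}  bytes {offsets}")
    return lines


def constructed_dump(uid=bytes.fromhex("04112233"), block16=bytes(16), block17=bytes(16)):
    """Constructed 1K image: manufacturer block, default FFFFFFFFFFFF keys, zeroed data."""
    out = []
    for n in range(BLOCKS_1K):
        if n == 0:
            bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
            out.append(uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8))  # UID, BCC, SAK, ATQA, filler
        elif is_trailer(n):
            out.append(bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF"))  # key A, access bits, key B
        elif n == 16:
            out.append(block16)
        elif n == 17:
            out.append(block17)
        else:
            out.append(bytes(16))
    return b"".join(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        before, after = load_dump(sys.argv[1]), load_dump(sys.argv[2])
    else:   # no files given: run on the constructed before/after pair
        before = parse_dump(constructed_dump())
        after = parse_dump(constructed_dump(block16=bytes.fromhex("1f" * 16)))
    if not same_card(before, after):
        print("warning: UIDs differ, these dumps are from different cards")
    print("\n".join(describe(diff_dumps(before, after))) or "no blocks changed")
```

Run it with two dump files (python3 mfdiff.py before.json after.json) after each presentation to the lock; the sector/block in the output is the one to watch, and a change in a trailer block rather than a data block would mean keys or access bits moved, which a plain text diff would not distinguish.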

Comments • 91

  • @roelvdkerkhof · 3 years ago · +1

    Thanks Quentyn for all the nice videos. Keep up the good work! 👍

  • @norbertnamenlos7711 · 3 years ago · +2

    Hi Quentyn,
    I only recently found your channel and want to say that your videos are very well made and packed with good information - thank you for those!
    I got into some RFID playing around two years ago and think our equipment might look pretty similar. However, I think it might help some people if you could present some of the devices you use and talk about their strengths and weaknesses a bit, just as an idea!
    (I, for example, use my PM3RDV4 most often when at home and at my PC, but I think it's not optimal to go with Android and the RRG termux client, so I tend to grab my Chameleon Tiny and my Keysy alongside the LF/HF signal detector when on the go without a target.)
    Another idea might be to present your way of thinking / tinkering when presented with different tags, locks and other challenges.
    I really appreciate your video editing and presenting style alongside your nice and methodical procedure when testing something!
    I'm curious as to what other videos we might see from you in the future.
    Greetings from Germany

  • @CallumMGiblinFilms · 3 years ago · +4

    This channel is so underrated! Deserves 10x the amount of subs you have. Love your videos, keep up the good work :)

    • @QuentynTaylor · 3 years ago · +1

      Thank you, I appreciate it!

  • @fabriciogoulart4564 · 3 years ago

    Nice job QT. I saw a guy claiming these locks to be unpassable, then I stumbled onto your video. Hope you can get how the algorithm works so that you can predict values.

    • @QuentynTaylor · 3 years ago

      Real life got in the way but I am intending to have another look in the coming weeks. The locks are definitely not unpassable, though their implementation is better than many.

  • @JayKay730i · 1 year ago

    Great video! I have a very boring question here… can I cut down the key tag (the sticky back, meant for the back of your phone one), to make it smaller? If so, by how much?

  • @sebbelcher2677 · 6 months ago · +1

    I've just acquired a few of these locks and I'm confused about your suggestion for the way the keys work. I have a single RFID tag that paired with all FIVE Yale RFID locks I've installed on the house. If there is some sort of two-way negotiation going on using those block 16/17 writes, how would it account for the situation where you open Lock A (write to block 16), then open Lock B (write to block 17), then open Lock C (overwrite block 16), then go back to open Lock A? There is now no data from Lock A stored on the RFID, but I can confirm this still works and the tag will open any of the five locks at any time in any sequence. So I think there is a flaw in your understanding of how this works.

    • @PickedItMate · 6 months ago

      Oh wow that is interesting! Were you able to get full dumps of your cards? Mine are static encrypted nonce

  • @avic666 · 2 months ago

    I've lost my key fob to our Yale lock! Does the key tag itself emit RF and would we be able to track it somehow?

  • @bdavbdavbdavbdav · 1 year ago

    Spent last night poking around at this. I have a Connexis L2, which AIUI is an L1 with the wifi module bundled. It may well have newer firmware on it too given some of the differences observed.
    I have a fair few different tags: White keyfobs, black keyfobs, phone stickers and pass cards. The only ones I could get to unlock were 2 of the white keyfobs (using the nested) - none of the stated attacks worked on any of the other cards strangely. I tried sniffing between the lock and the card too, which resulted in CRCs on my PM3. I managed to pull the first slot using MFKey32 on my F0, but never got any of the other slots.
    Emulating with the PM3 worked great, though was susceptible to the same issue stated in the video. Emulating with either the F0 or another card seemed to put the lock in some kind of "tamper" mode where not even original cards (which hadn't ever seen the PM3) could be used, or even re-added. Had to factory reset the lot. I'd suggest they've added some tamper resistance, which is good.

    • @PickedItMate · 6 months ago

      I've just got one in and was able to grab the 1st key by sniffing. I did notice in the trace that it was looking for a magic wakeup command, so perhaps that is why you had a tamper condition.

    • @PickedItMate · 6 months ago

      Also, any chance I could get a dump of your white fobs to test mine with other tags like GDM and UMC?

  • @outdoorsurvival7730 · 3 years ago · +5

    Doesn't this all depend on you knowing someone in your circle who has access to your fobs, who is 1) untrustworthy and 2) tech savvy and can clone keys? Couldn't this same person also steal a key and get one cut to your house? Maybe surround yourself with better people.

  • @Dangerousthings · 3 years ago · +3

    With regard to your comment at 3:30 about allowing out of sync cards to still work, I would say one argument for totally blocking user access is that typical people are not concerned with security at all and will think nothing about the lock complaining of an out-of-sequence block on their card. That person will just go on about their day and never even consider doing anything about the new unhappy beep noises the lock is making, because it still let them in and that's all they care about. By totally blocking the person from access, it ensures *someone* will be called and that will likely lead to an investigation of some sort. As this affects ingress only, unless this is on the doors to an emergency room or something, it should not be a safety issue - hence fail-secure is ok and likely preferred by customers looking for a door lock with even a modicum of security.

    • @QuentynTaylor · 3 years ago

      Whilst I don't disagree that this is the "best" way around, I don't think that this is why they do it. I suspect it's so that you don't clone your own card. This forces most people to buy either real cards or to buy slots via the app.

    • @Dangerousthings · 3 years ago

      @QuentynTaylor possibly.. sounds like a worst case compromise for the engineer. Management: "make it so we can use the cheapest crap cards possible but also make it foil those who would try to work around our tricks." .. could have just gone with DESFire and that's that.. but I guess this is just annoying enough to work in their favor. Want to review some implantable transponders on your channel?

    • @QuentynTaylor · 3 years ago · +1

      @Dangerousthings yes I would agree, the reader cost for DESFire would have made the lock uneconomic. They needed to understand how by obscurity they could use cheap MIFARE cards but not with the issues. Re transponders, yes absolutely - happy to also do collaborations too. Shall we move to chat? I am on Twitter with DMs open if that makes sense?

  • @PickedItMate · 6 months ago

    Hi Quentyn I don't suppose you have a copy of your dumps anywhere do you? I've asked in Iceman to no avail.
    Like your lock mine also won't be used except for exploration - my 2 fobs are new so are static encrypted nonces

  • @slashhesh1067 · 2 years ago

    Hello Quentyn, do you know if I can use NTAG213 stickers with this lock? or do you happen to know what frequency do the Yale tags operate on?

    • @QuentynTaylor · 2 years ago · +1

      No, it's MIFARE only.

    • @circuitdotlt · 1 year ago

      @QuentynTaylor Which tags exactly should work with this lock? I saw many with different memory sizes etc, also some forum posts complaining about them not working.
      I'm new to this.
      Also how do I add/remove tags via the app? The app is so tragically bad, I can't get the function to work.

  • @Sans69984 · 2 years ago · +1

    Hi Quentyn
    I have three locks, all on the same card, after using a Chameleon Tiny and Android to dump my cards and checking each lock uses different blocks.
    This would explain the use of different locations.
    Can you tell me why Yale locks won't accept a MIFARE Classic 1K and only Yale branded ones?
    Thanks again
    Thanks again

    • @QuentynTaylor · 2 years ago

      I think it's so that you have to buy their cards. To be honest I managed to get 2 genuine fobs for £4.99 delivered so they aren't that expensive for genuine (from eBay).

  • @valentinegs · 8 months ago

    Hi, is this ID, IC or something totally different. Thank you

  • @johnybrignall · 3 years ago

    Very interested in your follow up. I currently own 2 of these locks, and have a tag I use on both. Interested to know what is changed when used on, say, the back door but still allows the front to be opened.
    Looking to have an implant installed in my hand/wrist, so looking into compatibility before I take the plunge.

    • @QuentynTaylor · 3 years ago

      That *is* interesting, as with no connection between the 2 locks it must be that, of the 2 blocks that change, either is accepted?

    • @gavindjharper · 2 years ago

      This is really interesting to me Johny - I have a bunch of these locks, and based on the video, I was wondering whether in fact because of the rolling code, I wouldn't be able to use a tag on multiple locks, but are you saying that in fact this works? Good call to get it right before the implant! :p. I am also curious as to how the coding system works, as there are a couple of use cases where ideally I would like a Yale type lock, but neither their Connexis nor Smart Assure locks fit the application, so if I could understand how the tags are coded, might be able to Arduino something that would be compatible.

    • @iandrummer5390 · 10 months ago

      @gavindjharper did you ever work this out? Thanks

  • @llimitless · 1 year ago

    I believe the idea with the block 16 and 17 writes is a security feature.
    If someone does manage to copy your key somehow without you knowing, as soon as you use the lock (if you do it before them) then their copy is useless.
    So they have to copy the key and then use it before you do, and even if they do that, as soon as you get home and notice your key isn't working you'll very likely reset the key, making their copy unusable.
    Seems much better than a physical key: if that was copied you would be able to use the copy without anyone knowing.

  • @Ddukaj · 3 years ago

    Hi, first I would like to say thank you for your videos! I'm trying to clone an ISO15693 Tag-it 2k card. What hardware should I buy? Proxmark 3 or ChameleonMini Rev G by ProxGrind? And is there any way I can do it? Because I have dug a lot on the internet and there is not a lot of information about ISO15693. Thanks in advance

    • @QuentynTaylor · 3 years ago

      Well, the Proxmark should do it but the learning curve will be steep.

    • @Ddukaj · 3 years ago

      @QuentynTaylor thanks Quentyn. Is there any difference in functionality between the Proxmark3 RDV4.01 and the Easy one? Because I ordered the Easy model.

  • @MacGomez · 3 years ago

    New subscriber ... Been into locksports for years and I just got into playing around with RFID fobs. I needed one for my HID fob and had no problem. I noticed after trying to copy a friend's fob I had an issue with his Keri series fob: the 22 key digital smart card RFID reader writer machine with HD display from Amazon wouldn't read or write it. Could you, if possible, do a video on the best handheld machine for fobs and the type of fob? Can I use a Chameleon/Proxmark on a smart phone or tablet? Appreciate the channel and info... 😎🤘🏼✌🏼 From NYC-USA🗽🇵🇷

    • @QuentynTaylor · 3 years ago

      I don't have any Keri locks to hand but they are LF fobs, so you will need to use the Proxmark (using the lf command set) and have a look at the indala or hid commands; they should copy onto a T55xx card quite easily.

  • @amandamtshali9375 · 3 years ago

    Hey sir, is it possible to rewrite Hitag 2? If possible, how can you assist?

    • @QuentynTaylor · 3 years ago

      You may not be able to rewrite, but you should be able to copy it - it's a low frequency card so you will need the Proxmark using the lf command sets.

  • @johnholllander · 2 years ago

    How about non branded RFID cards, can you use them instead of the expensive Yale ones.

    • @QuentynTaylor · 2 years ago

      Yes you can.

    • @johnholllander · 2 years ago

      @QuentynTaylor thanks for the reply. Do you know which ones as I purchased a few and had luck. Thanks.

    • @QuentynTaylor · 2 years ago

      @johnholllander it's not the cards, any 1K S50 card will do if all you want to do is replicate.

  • @lmaoroflcopter · 3 years ago · +2

    It seems like that mitigation is purely against card duplication, rather than actual security.
    If you clone someone's key you've got permanent access to the premises until the user regains access and performs a reset. Whilst it's not as surreptitious as a clone that doesn't disable the main key, it is still gaining access to a building, particularly concerning if, say... tourists are targeted.
    Grab the card info, send/sell the card and location information via the internet to folk in the tourist's country. They've a week to clear out your house; you return and you've no access either.

    • @QuentynTaylor · 3 years ago · +1

      Indeed, I can't disagree with that. If I get access to your card for a few minutes I can replicate it, and then once used yours is invalid.

  • @alexwalker9803 · 3 years ago

    So your advice is that you should have the tag and then a phone backup and a second ingress point. Shame as I had wanted to streamline and do away with keys where possible and use a RFID wrist implant(s)

    • @QuentynTaylor · 3 years ago

      Well, nothing stops you from registering 2 tags officially and then cloning one of them onto your wrist implant? However I would definitely suggest a 2nd ingress point with a key.

  • @mitchellramsell2576 · 3 years ago

    Hi. I’ve recently bought a PM3 and have the same door on my house so was curious to view your video. Could the door be reading and writing? i.e. shifting from byte 16 to 17 when it detects the key number? That would explain why the genuine one would then not work, the byte address would be wrong!?

    • @QuentynTaylor · 3 years ago

      I have the dumps and each time 16 changes then 17. What I want to ascertain is: are the values predictable? Or does it just write something random to 16 or 17 (alternating) and store the result in the lock so that you can't use copies?

  • @paulterrell4208 · 1 year ago

    Can you make a new card for this lock

  • @TsiolkovskySportingLocks · 2 years ago · +1

    This is a potentially fascinating physical DoS attack here.... But one question that springs to mind is, is this a fully writable card (i.e like magic)?

    • @QuentynTaylor · 2 years ago

      Yes, the card I used was a magic card.

    • @TsiolkovskySportingLocks · 2 years ago

      @QuentynTaylor yeah I've bought a couple of the Yale cards on eBay

    • @TsiolkovskySportingLocks · 2 years ago

      @QuentynTaylor Well I was rather thinking of the Yale cards themselves, but I answered that question by getting hold of a couple of Yale branded cards from eBay - about 2 quid each - and doing an analysis of them via Proxmark. Now saving up for a lock to muck about with.

    • @QuentynTaylor · 2 years ago

      @TsiolkovskySportingLocks happy to do some tests if you want to exchange images? If you want to talk via DM, Twitter is the best place to find me.

  • @lcorcoran56 · 3 years ago

    Hi, I bought the Same lock, I was wondering can I buy a RFID Ring that I can use for this door lock, and if so anyone know where I can get them. thanks.

    • @QuentynTaylor · 3 years ago

      I think just a standard MIFARE Classic should work? Not sure if you can get them in ring format but if you can it should work.

    • @gregtunney3779 · 3 years ago

      Did you manage to find a ring? Also after the same for my Conexis.

    • @lcorcoran56 · 3 years ago

      @gregtunney3779 I didn't, I got confused. I didn't know what to do, so I was just making do with the sticker on the back of my phone for now. I still want to get the ring, it would make it more convenient. #FirstWorldProblems 😊

    • @timknowlden · 2 months ago

      I'm looking to integrate a ring, but can I pair a new ring directly to a conexis l1 or do I need hardware to replicate an existing yale fob?

  • @kray9438 · 2 years ago

    The real question is are you using one of these locks on your home or a diamond/3 star cylinder?

    • @QuentynTaylor · 2 years ago · +2

      No I am not, it's not the electronics but the physical build I don't trust

  • @davidgibson6696 · 3 years ago

    So can it be hacked without having access to that key? I use this lock on my main door. I'm thinking, should I remove it and put it away?

    • @QuentynTaylor · 3 years ago · +3

      Not as far as I am aware. Note that the attack here could also be carried out on a regular keyed lock. If someone has access to your key they can copy it - whether it's a physical key or an RFID tag.

    • @davidgibson6696 · 3 years ago

      I mean without having access to any of my smart keys

    • @QuentynTaylor · 3 years ago

      @davidgibson6696 without access to the key I don't believe I can open the lock (without resorting to destructive entry).

    • @davidgibson6696 · 3 years ago

      That's very interesting I would love to see a video if ever possible via trying to open up from the outside without having a copy key

    • @davidgibson6696 · 1 year ago

      Any update on new attacks

  • @jasonandrew649 · 2 years ago

    HOW do you transfer keys to a new smart phone please mate

    • @QuentynTaylor · 2 years ago

      Hi Jason, to a new smart phone I think you just need to log in and pull them down?

  • @strikerhunter1914 · 2 years ago

    So wouldn't they need the original card so it can be cloned

    • @QuentynTaylor · 2 years ago

      You would need the original card, but the copy protection is more to do with preventing non-purchased tags from being used.

  • @AbdulKalam-kq3fl · 3 years ago

    Can someone recommend a book that would let me dive into this world RFID

    • @QuentynTaylor · 3 years ago

      Best bet is to watch a few videos, get a Proxmark, get some cards and have fun?

  • @circuitdotlt · 1 year ago

    To me the whole point of rf tags is using one on multiple locks. So this completely defeats the purpose? I still need a separate tag for every lock? What a nonsense.

  • @AbdulKalam-kq3fl · 3 years ago · +1

    RFID Discord channel?
    Can someone share the invite for it with me?

    • @QuentynTaylor · 3 years ago · +1

      Have a chat with herrmann1001 on Twitter.

    • @QuentynTaylor · 3 years ago · +1

      By the way it's discord.gg/QfPvGFRQxH

    • @AbdulKalam-kq3fl · 3 years ago

      @QuentynTaylor thanks a lot

  • @Marclee78 · 3 years ago

    It’s irrelevant anyway I use this lock and as soon as one of the tags would go missing the lock would be reset and all the tags reprogrammed before anybody even had a chance to play with it?

    • @Marclee78 · 3 years ago

      I mean I would physically reset the lock and reprogram

    • @QuentynTaylor · 3 years ago

      Actually the tag wouldn't need to go missing; see the latest video, someone would only need to be near it for a few seconds to copy it. Now the original tag would stop working (once the copy had been used), but how many would realise that the reason it wasn't working was due to it being cloned?

    • @Marclee78 · 3 years ago

      @QuentynTaylor I think it's far fetched to imagine somebody trying to copy a tag while I've still got it, and when your tag doesn't work you'll have to reset the lock anyway to reprogram. How sophisticated do you think burglars are? They'll just blow torch your PVC if anything.

    • @QuentynTaylor · 3 years ago

      @Marclee78 true, in most domestic settings I can't imagine many attackers go to the hassle of copying the key, as 99% of burglaries are opportunistic. However in the video that drops at 12 UK time today I show how to copy the card with an inexpensive device, meaning that if your card / fob was out of your sight for more than a few minutes an attacker with the right kit could copy it and open the lock. At least with a physical key, picking or key replication takes skill; now it's just a case of pressing 2 buttons.

    • @JayKay730i · 1 year ago

      You don’t have to reset the lock to reprogram a fob. One of the best things about the lock is that you can remove individual keys from the app. So if you wanted to lock your partner out you just remove their cards/fobs and send the action to the lock via Bluetooth. If any of mine stopped working I would delete and reprogram that individual tag (as they’re all named).

  • @db69bb · 3 years ago

    Does this mean that the lock supports only one genuine key ? No way to have 2 keys for the lock seems a little surprising

    • @QuentynTaylor · 3 years ago · +1

      No sorry I should have made it clearer you can have several genuine keys attached to the same lock. You can even have virtual keys that you can send mobile phone to mobile phone that work via Bluetooth.

    • @db69bb · 3 years ago

      @QuentynTaylor Still not clear to me how the genuine keys don't disable each other as your Chameleon does... Must be more to it than just blocks 16-17 being rewritten. Probably other info/algorithm present IMHO.

    • @QuentynTaylor · 3 years ago · +2

      @db69bb The genuine keys don't disable each other as they're not copies of each other. The lock sees the Chameleon and the real key as replicants of each other, but one of them is out of sync with the lock.

    • @db69bb · 3 years ago

      @QuentynTaylor Clear, understood. Thanks for the video and explanations. Enjoy

    • @db69bb · 3 years ago

      I guess this means the lock has a memory indexed on UID, so copying on UID changeable card/fob might work
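The clone-then-desync behaviour that Quentyn, lmaoroflcopter and db69bb describe in the thread above can be made concrete with a toy model. This is an added example, not code from the video, the channel or Yale, and it is not a claim about the Conexis L1's real algorithm (how the lock derives the values it writes is exactly the open question in the video). It encodes only what the thread reports: each genuine use rewrites block 16 or 17 alternately, a magic-card or emulator copy is in sync until one of the twins is used, and genuine fobs with different UIDs keep independent state in the lock. The UIDs, block values and the Lock/Tag classes are all constructed for illustration. It deliberately does not reproduce sebbelcher2677's report of one tag opening five locks, which the thread leaves unexplained.

```python
"""Toy model of a two-slot rolling token between a lock and a tag.

Added illustration for the discussion on this page; NOT Yale's algorithm.
The Conexis L1's real values and their derivation are unknown (that is the
open question in the video). This only models what the thread describes:
the lock rewrites block 16 or 17 (alternately) on each genuine use, a clone
made with a magic card/emulator is in sync until someone uses the other twin,
and genuine fobs with different UIDs keep independent state in the lock.
All UIDs and values are constructed.
"""
import secrets

DATA_SLOTS = (16, 17)        # the two data blocks the video saw changing, alternately


class Tag:
    """A MIFARE Classic tag reduced to its UID and the two blocks of interest."""

    def __init__(self, uid, blocks=None):
        self.uid = uid
        self.blocks = dict(blocks) if blocks else {s: bytes(16) for s in DATA_SLOTS}

    def clone(self):
        # A gen1a "magic" card, or a Chameleon/Proxmark3 emulation, reproduces the
        # UID and every block bit for bit, including the current slot values.
        return Tag(self.uid, self.blocks)


class Lock:
    """Keeps, per enrolled UID, which slot it last wrote and what it wrote there."""

    def __init__(self, rng=secrets.token_bytes):
        self.rng = rng
        self.state = {}                  # uid -> (last_slot, last_value)

    def _roll(self, tag, slot):
        value = self.rng(16)
        tag.blocks[slot] = value         # the write the video observed with hf mf wrbl
        self.state[tag.uid] = (slot, value)

    def enrol(self, tag):
        self._roll(tag, DATA_SLOTS[1])   # first real use will then write slot 16

    def present(self, tag):
        """True if the door opens; an out-of-sync twin (copy or original) is refused."""
        if tag.uid not in self.state:
            return False
        last_slot, last_value = self.state[tag.uid]
        if tag.blocks[last_slot] != last_value:
            return False                 # this tag missed a write: it is the stale twin
        other = DATA_SLOTS[1] if last_slot == DATA_SLOTS[0] else DATA_SLOTS[0]
        self._roll(tag, other)
        return True


def counting_rng():
    """Deterministic stand-in for secrets.token_bytes so a run is reproducible."""
    counter = [0]

    def rng(size):
        counter[0] += 1
        return counter[0].to_bytes(size, "big")
    return rng


def run_scenario(rng=None):
    """Replay the clone-then-desync story from the thread; returns what happened."""
    lock = Lock(rng or secrets.token_bytes)
    genuine = Tag(uid=bytes.fromhex("04112233"))
    spare = Tag(uid=bytes.fromhex("04445566"))      # second genuine fob, its own UID
    lock.enrol(genuine)
    lock.enrol(spare)
    slots_written = []

    def use(tag):
        before = dict(tag.blocks)
        opened = lock.present(tag)
        if opened:
            slots_written.append(next(s for s in DATA_SLOTS if tag.blocks[s] != before[s]))
        return opened

    result = {}
    result["genuine_first"] = use(genuine)         # writes 16
    result["genuine_second"] = use(genuine)        # writes 17
    copy = genuine.clone()                         # attacker had the fob for a minute
    result["copy_opens"] = use(copy)               # copy is in sync, door opens
    result["genuine_after_copy"] = use(genuine)    # original is now the stale twin
    result["copy_again"] = use(copy)               # copy keeps working
    result["spare_unaffected"] = use(spare)        # other genuine fob is independent
    result["slots_written"] = slots_written
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes visible is the one lmaoroflcopter raised: the check defends against duplicated cards, not against the duplicator. Whichever twin is presented first stays in sync and keeps working; the other is refused, and the owner sees only a fob that "stopped working". Changing present() to open the door for a stale twin while logging the mismatch gives the fail-open variant discussed under Dangerousthings' comment, at the cost of letting both twins keep working.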