Solution to avoid bricking cards (91AE) #50

Open
Amperstrand opened this issue Dec 4, 2024 · 1 comment

@Amperstrand

If you try to reset the card with the wrong keys, you will get a 91AE error.

What many users try to do is try the same key again and again. Then they might try some other key again and again. Eventually they lose track of which cards they have tried, and I think this process eventually bricks the card.

If you want to reset the card, the card is already programmed and when read, the card will give off a c and a p value. These values can be decrypted with K1 to get the UID of the card.

Instead of trying to wipe the card, the user should first check if they have the right keys. If they check with the card, they get the 91AE error. If they try to decrypt the UID with K1 based on the c and p values read from the card, they can make sure they have the right key before wiping. This extra check could be done by this app just before wiping, and if the key is wrong, the user should get a warning that they are very likely trying to wipe the card with the wrong keys.

I implemented a simple proof of concept for this because I am looking through json files with keys to recover bolt cards and I am not quite sure which json file is for which card: https://amperstrand.github.io/boltcard-proxy/recover.html

@Amperstrand
Author

Actually the above might not quite work: K1 is the issuer key, so it might be the same for many cards if the keys are derived in a deterministic way.

You would probably need one of the other keys too to check that they match the card.

But either way, it should be easy to first check that you are likely to have the correct key before trying to wipe the card. If you brute force against the card it will brick, but if you brute force on a computer first, you can figure out which key to use.
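
An added example, not part of the issue or the app's code, of the offline check discussed in both comments above: decrypt p with a candidate K1, then recompute c with a candidate K2, so that a shared issuer K1 alone is not taken as a match. The decrypted layout, the SV2 prefix and the MAC truncation follow the NTAG 424 DNA SUN scheme and are assumptions here, as are the function names and the constructed sample tap.

```javascript
const crypto = require('crypto');
const hex = (s) => Buffer.from(s, 'hex');
const xor = (a, b) => Buffer.from(a.map((v, i) => v ^ b[i]));

// One raw AES-128 block operation, no padding.
function aesBlock(key, block, decrypt = false) {
  const make = decrypt ? crypto.createDecipheriv : crypto.createCipheriv;
  const c = make('aes-128-ecb', key, null).setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}
// Doubling in GF(2^128), the CMAC subkey step from RFC 4493.
function dbl(b) {
  const out = Buffer.from(b.map((v, i) => ((v << 1) | (b[i + 1] >> 7)) & 0xff));
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}
// AES-CMAC (RFC 4493) over a message of any length.
function cmac(key, msg) {
  const k1 = dbl(aesBlock(key, Buffer.alloc(16)));
  const n = Math.max(1, Math.ceil(msg.length / 16));
  const complete = msg.length > 0 && msg.length % 16 === 0;
  const last = Buffer.alloc(16);
  msg.copy(last, 0, (n - 1) * 16);
  if (!complete) last[msg.length % 16] = 0x80; // 10* padding
  let x = Buffer.alloc(16);
  for (let i = 0; i < n - 1; i++) x = aesBlock(key, xor(x, msg.subarray(i * 16, i * 16 + 16)));
  return aesBlock(key, xor(xor(x, last), complete ? k1 : dbl(k1)));
}

// c value: CMAC truncated to its odd bytes, under a session key derived from K2.
function sunMac(k2, uid, ctr) {
  const sv2 = Buffer.concat([hex('3cc300010080'), uid, ctr]);
  return Buffer.from(cmac(cmac(k2, sv2), Buffer.alloc(0)).filter((_, i) => i % 2 === 1));
}

// Assumed layout of decrypted p: 0xC7 | 7-byte UID | 3-byte counter (LE) | padding.
function checkKeys(k1Hex, k2Hex, pHex, cHex) {
  const picc = aesBlock(hex(k1Hex), hex(pHex), true);
  const uid = picc.subarray(1, 8), ctr = picc.subarray(8, 11);
  const k1ok = picc[0] === 0xc7; // weak alone: a wrong key passes 1 time in 256
  const k2ok = k1ok && sunMac(hex(k2Hex), uid, ctr).equals(hex(cHex));
  return { k1ok, k2ok, uid: uid.toString('hex'), counter: ctr.readUIntLE(0, 3) };
}

// Constructed tap (made-up keys and UID): what a card holding these keys would emit.
function sampleTap(k1Hex, k2Hex) {
  const picc = hex('c704aabbccddeeff0500000000000000'); // tag | UID | ctr=5 | pad
  const c = sunMac(hex(k2Hex), picc.subarray(1, 8), picc.subarray(8, 11));
  return { p: aesBlock(hex(k1Hex), picc).toString('hex'), c: c.toString('hex') };
}
```

Only a result with `k2ok` true ties the key set to this particular card; `k1ok` by itself says little when K1 is shared across cards.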
