Extraction of your provider's MK01
The following procedure allows you to extract the hidden data present in SECA smart cards.
E.g. MK01 on provider 01!
What you need:-
A Phoenix type interface set to 3.5 MHz
CardMasterPlus
Trappolone (to be able to quickly create a signature to sign commands with)
CocDec35 (for a brute force attack on the first 3 bytes)
MKFind V3.0 (to save time)
Progoff (an alternative to MKFind)
Mosc2000 (to calculate the CW of the MK01 you are searching for)
Before proceeding you must read all of this document carefully and understand it well, since it is necessary to write data to your smart card and an error could damage the card!
Here is a summary of the procedure we are about to follow:-
1) Create MK02 on provider 00 to allow us to add data to the smart card.
2) Read the records contained in the card with Card Master.
3) Identify the hidden record that contains the MK01 and the record that precedes it.
4) Identify the provider of the previous record and write a key (say MK02) onto that provider using the key we created on Provider 00.
5) Using the MK02 of this provider, and after having noted the previous contents (hoping that you know them), overwrite the record preceding the MK01 we are looking for with eight 0x90 bytes (i.e. 90 90 90 90 90 90 90 90).
6) Using CardMasterPlus re-read the records, then read the plain records: the last 5 bytes of the MK01 key are found in the first part of that record.
7) Then with CocDec35 use the brute force method to find the first three bytes of MK01 that you still do not know. The time taken for only 3 bytes is far less than that for all eight... AND THERE IS YOUR MK01 IN THE CLEAR.
8) At this point restore the record that we had written 90 90 90 90 90 90 90 90 to with its original contents, using the MK02 of the provider of that record.
9) Then, using the MK02 of provider SECA 00 00, we cancel the MK02 used to write the 90 90 90 90 90 90 90 90 record which we have just restored.
10) Finally we cancel the MK02 that we had created ourselves on provider 00 00.
Pay great attention to the procedure to create and/or re-write the records or MK of the smart card, being very careful not to make a mistake.
Point 1 - The search and creation of MK02 on provider 00 00 SECA
Creating an MK02 on provider 00 00 SECA allows us to add, modify and to cancel the data of the providers present on the smart card.
It is possible to do this using the manual method, following the procedure described in the documentation written by Ctower, and now it is also possible to do this automatically using a program such as MKFind 3.0 or Progoff.
However, reading Ctower's document gives a much clearer understanding of how the actual programming of the card works, so that we can write and restore the records via the back door method (point 4, point 5, point 8, point 9).
Alternatively, insert your smart card into the Phoenix and use MKFind 3.0.
Start up MKFind and go to the config menu to set the correct COM port, then press 'Connect'.
Select 02 in the drop-down menu "Use key number" and then press the "Create Key" button.
After a minute or two MKFind finds the MK02 of provider 00 00. The generated MK02 is displayed in place of the XX XX XX XX XX XX XX XX; take note of it, as it will be of use later, then click 'Disconnect' on the file menu. End of part 1.
Point 2 - Reading the records with CardMasterPlus
Start CardMasterPlus. After having set the correct COM port from the menu, press the Connect button and then the "Records" button.
In the main window the records contained in your smart card will be displayed.
Now highlight all the text in the window, making sure you have scrolled up to the top of the window to get all records. Copy and paste these records into an empty Notepad document. Disconnect and exit from CardMasterPlus.
We now have to identify the record of your hidden MK01 and the record that precedes it. End of point 2
Point 3 - Identification of the hidden MK01 record and the previous record.
Having copied the records generated in CardMasterPlus, we now need to analyse them to find MK01 on Provider 01.
Provider 0 .
Record 0001 = 01 00 00 00 00 00 00 00 00 00 80 E0
Record 0002 = 00 0B 08 00 2C 00 11 B3 FC 68 D4 E0
Record 0003 = F0 FF FF FF FF FF FF FF FF 31 00 80
Record 0004 = 50 FF FF FF FF FF FF FF FF 54 00 C0
Record 0005 = 02 D6 E4 B0 F8 00 00 00 00 00 00 E0
Record 001B = 53 FF FF FF FF FF FF FF FF 92 00 80
Provider 1 .
Record 0006 = 00 00 00 00 00 F3 3C 00 00 00 00 D1
Record 0007 = F0 FF FF FF FF FF FF FF FF EF 00 81
Record 0008 = 50 FF FF FF FF FF FF FF FF F3 00 C1
Record 0009 = 00 00 00 00 00 00 00 0B 00 00 00 91
Record 000A = 5C FF FF FF FF FF FF FF FF FC 00 81
Record 000F = 5D FF FF FF FF FF FF FF FF 41 00 81
Record 0010 = 5E FF FF FF FF FF FF FF FF 90 00 81
Record 0013 = 51 FF FF FF FF FF FF FF FF 27 00 81
Record 0014 = 51 FF FF FF FF FF FF FF FF 4A 00 C1
Record 0015 = 00 01 3B 09 83 00 00 AA 47 00 00 B1
Record 0016 = 00 02 71 B3 2F 00 00 2F 2A 00 00 B1
Record 0017 = 00 1A B2 E9 22 00 00 3A 2A 00 00 B1
Record 0018 = 00 0B 62 FA 21 00 03 EB FA 00 00 B1
Record 0019 = 00 03 93 2F 02 00 00 13 BE 00 00 B1
Record 001C = 00 05 E7 8B 00 00 00 13 CE 00 00 B1
Record 001D = 52 FF FF FF FF FF FF FF FF 49 00 81
Record 001E = 00 08 39 A6 00 00 00 84 4C 00 00 B1
Provider 2 .
Record 000B = F0 FF FF FF FF FF FF FF FF DF 00 82
Record 000C = 50 FF FF FF FF FF FF FF FF 0B 00 C2
Record 000D = 00 00 06 00 00 00 00 00 00 00 00 92
Record 000E = 5C FF FF FF FF FF FF FF FF 64 00 82
Record 0011 = 5D FF FF FF FF FF FF FF FF 53 00 82
Record 0012 = 5E FF FF FF FF FF FF FF FF 2C 00 82
Record 001F = 52 FF FF FF FF FF FF FF FF 49 00 82
Provider 3 .
Provider 4 .... etc etc
We must first identify the record that contains the MK01 of Provider 01.
The first byte must be 51 (= MK01 on provider 01) and the last byte must be 81, which is the primary key on Provider 01.
These can be quickly identified in Record 0013:
Record 0013 = 51 FF FF FF FF FF FF FF FF 27 00 81
FF FF FF FF FF FF FF FF is the hidden MK01!!!
Now that we have found the record of MK01, we must find the record preceding it, which in this case is not the one immediately above it (that only happens sometimes), but most probably record 0012, which in this case is found in Provider 02.
Provider 1 .
Record 0006 = 00 00 00 00 00 F3 3C 00 00 00 00 D1
Record 0007 = F0 FF FF FF FF FF FF FF FF EF 00 81
Record 0008 = 50 FF FF FF FF FF FF FF FF F3 00 C1
Record 0009 = 00 00 00 00 00 00 00 0B 00 00 00 91
Record 000A = 5C FF FF FF FF FF FF FF FF FC 00 81
Record 000F = 5D FF FF FF FF FF FF FF FF 41 00 81
Record 0010 = 5E FF FF FF FF FF FF FF FF 90 00 81
Record 0013 = 51 FF FF FF FF FF FF FF FF 27 00 81 <--- MK01
Record 0014 = 51 FF FF FF FF FF FF FF FF 4A 00 C1
Record 0015 = 00 01 3B 09 83 00 00 AA 47 00 00 B1
Record 0016 = 00 02 71 B3 2F 00 00 2F 2A 00 00 B1
Record 0017 = 00 1A B2 E9 22 00 00 3A 2A 00 00 B1
Record 0018 = 00 0B 62 FA 21 00 03 EB FA 00 00 B1
Record 0019 = 00 03 93 2F 02 00 00 13 BE 00 00 B1
Record 001C = 00 05 E7 8B 00 00 00 13 CE 00 00 B1
Record 001D = 52 FF FF FF FF FF FF FF FF 49 00 81
Record 001E = 00 08 39 A6 00 00 00 84 4C 00 00 B1
Provider 2 .
Record 000B = F0 FF FF FF FF FF FF FF FF DF 00 82
Record 000C = 50 FF FF FF FF FF FF FF FF 0B 00 C2
Record 000D = 00 00 06 00 00 00 00 00 00 00 00 92
Record 000E = 5C FF FF FF FF FF FF FF FF 64 00 82
Record 0011 = 5D FF FF FF FF FF FF FF FF 53 00 82
Record 0012 = 5E FF FF FF FF FF FF FF FF 2C 00 82 <--- previous record
Record 001F = 52 FF FF FF FF FF FF FF FF 49 00 82
Provider 3 . etc etc
This means that I myself create an MK02 on Provider 02 in order to be able to modify record 0012, which happens to be key 0E of Provider 02.
(5E = key 0e, FF....FF is the hidden 0E key, 2C 00 82 is the index for Provider 02)
The 0E key is a known key, therefore we have no problem restoring it after it has been overwritten.
Therefore we may move on to creating an MK02 on Provider 02. End of point 3