The info that I read off the original iCLASS SE card with a proxmark3 is below.
Specifically for this iCLASS SE card, I want to understand how the serial number is converted into the tag information shown below, which was read by the proxmark3.
— proxmark3 scan of the iclass se card:
[=] --------------------- Tag Information ----------------------
[+] CSN: BE 2F 02 12 FE FF 12 E0 uid
[+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
[+] E-purse: EA FE FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
[+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
[+] AIA: FF FF FF 00 06 FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF 7F 1F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] 7F… chip
[=] 1F… mem
[=] FF… EAS
[=] 3C fuses
[=] Fuses:
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] -------------------------- Memory --------------------------
[=] 2 KBits/2 App Areas ( 256 bytes )
[=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read A… debit or credit
[=] Read B… debit or credit
--- if anyone has any guidance on this conversion, please let me know.
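To make the "card configuration" section of that output easier to read, here is an added example (not code from the thread or from the proxmark3 project) that decodes the 8-byte iCLASS configuration block into the same fields and fuse lines that `hf iclass info` prints. The field order and the fuse-bit names follow the proxmark3 client source; the sample bytes are the "Raw:" line quoted above, and the 32-block total is the 2 KBit (256 byte) size the output reports.

```python
# Added example, not code from the thread or from the proxmark3 project.
# Decodes an iCLASS/PicoPass configuration block (block 1) into the fields the
# "hf iclass info" output above lists. Field order and fuse-bit names follow
# the proxmark3 client source; sample bytes are the "Raw:" line from the post.

# Fuse byte (config byte 7) bit masks, named as in the proxmark3 client.
FUSE_FPERS   = 0x80  # set: personalization mode; clear: application mode (locked)
FUSE_CODING1 = 0x40
FUSE_CODING0 = 0x20
FUSE_CRYPT1  = 0x10
FUSE_CRYPT0  = 0x08
FUSE_FPROD1  = 0x04
FUSE_FPROD0  = 0x02
FUSE_RA      = 0x01  # set: read access enabled

ICLASS_BLOCK_SIZE = 8  # every iCLASS block is 8 bytes
FIRST_APP_BLOCK = 6    # blocks 0-5 are CSN, config, e-purse, Kd, Kc, AIA


def decode_fuses(fuses: int) -> dict:
    """Translate the fuse byte into the four lines proxmark3 prints under 'Fuses:'."""
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443B only"

    crypt1, crypt0 = bool(fuses & FUSE_CRYPT1), bool(fuses & FUSE_CRYPT0)
    if crypt1 and crypt0:
        crypt = "Secured page, keys not locked"
    elif crypt1:
        crypt = "Secured page, keys locked"
    elif crypt0:
        crypt = "Non secured page"
    else:
        crypt = "No auth possible. Read only if RA is enabled"

    return {
        "mode": "Personalization" if fuses & FUSE_FPERS else "Application (locked)",
        "coding": coding,
        "crypt": crypt,
        "ra": "Read access enabled" if fuses & FUSE_RA else "Read access not enabled",
    }


def app_areas(app_limit: int, total_blocks: int) -> tuple:
    """Inclusive block ranges of application area 1 and 2.

    AA1 runs from the first application block up to the app limit; AA2 is the
    rest of the chip. total_blocks is 32 for the 2 KBit (256 byte) card above.
    """
    if not FIRST_APP_BLOCK <= app_limit < total_blocks:
        raise ValueError(f"app limit 0x{app_limit:02X} outside chip memory")
    return (FIRST_APP_BLOCK, app_limit), (app_limit + 1, total_blocks - 1)


def decode_config(raw: bytes, total_blocks: int = 32) -> dict:
    """Split the 8-byte config block into the fields 'hf iclass info' prints."""
    if len(raw) != ICLASS_BLOCK_SIZE:
        raise ValueError("iCLASS config block must be exactly 8 bytes")
    aa1, aa2 = app_areas(raw[0], total_blocks)
    return {
        "app_limit": raw[0],
        # OTP low byte first, as the proxmark3 client reads it; the sample is
        # FF FF so either order gives 65535.
        "otp": raw[1] | (raw[2] << 8),
        "block_write_lock": raw[3],
        "chip": raw[4],
        "mem": raw[5],
        "eas": raw[6],
        "fuses": decode_fuses(raw[7]),
        "aa1": aa1,
        "aa2": aa2,
    }


def parse_raw_line(line: str) -> bytes:
    """Pull the hex bytes out of a proxmark3 '[=] Raw: ...' line."""
    hexpart = line.split("Raw:", 1)[1]
    return bytes.fromhex(hexpart.replace(" ", ""))


if __name__ == "__main__":
    # Config line copied from the "card configuration" section of the post.
    cfg = decode_config(parse_raw_line("[=] Raw: 12 FF FF FF 7F 1F FF 3C"))
    for key, value in cfg.items():
        print(f"{key:>16}: {value}")
```

Running it on the posted line reproduces the four fuse lines (application mode locked, ISO 14443-2 B / 15693 coding, secured page with keys not locked, read access not enabled) and the AA1 range 0x06-0x12 / AA2 range 0x13-0x1F. Note that this decodes only the configuration block; nothing in it touches the serial number or the key blocks, which the output shows as hidden.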

block# | data | lck | ascii
---------+--------------+---+----------
0/0x00 | 2F 28 E6 2B | 0 | /(.+
1/0x01 | D4 F3 B2 76 | 0 | ...v
2/0x02 | 98 7D 3E 2B | 0 | .}>+
3/0x03 | 9D 5F 7B CF | 0 | ._{.
4/0x04 | 4E 8E FE 92 | 0 | N...
5/0x05 | 05 9D 99 AC | 0 | ....
6/0x06 | 29 55 96 1E | 0 | )U..
7/0x07 | D7 CB F5 98 | 0 | ....
8/0x08 | 44 56 09 26 | 0 | DV.&
9/0x09 | 3F C1 07 E0 | 0 | ?...
10/0x0A | 00 00 00 00 | 0 | ....
This was the dump from a Tag-it ISO 15693 label. Findafi gave me
[#] NoAFI UID = E0 07 C1 3F 26 09 56 44
[#] AFI = 0 UID = E0 07 C1 3F 26 09 56 44
[#] AFI Bruteforcing done.
Here are my questions:
1) Is the vendor encoding the data prior to putting it in the RFID chip, or is the chip encoding the data?
2) If it's the latter, is there a utility that can decipher the encoding?
3) If it's the former, does anyone have a sense of what was used to encode it, or a workflow to decode it?
Thanks,
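Before asking what encoding a vendor used, it is worth checking how much of a dump is payload at all. The following is an added example, not code from the thread: it parses the block table posted above (copied here as sample input), reports blocks that are all 0x00 or all 0xFF, and searches the user memory for the UID that findafi reported, in both byte orders. The table format and the UID string are assumed to be exactly as posted.

```python
# Added example, not code from the thread. Parses the block dump posted above
# (copied here as sample input) and checks whether the UID that findafi
# reported shows up inside the user memory, in either byte order. A block
# that merely mirrors the chip identifier is not vendor-encoded payload, so
# this is a cheap first separation before trying to decode anything.

DUMP_TEXT = """\
 0/0x00 | 2F 28 E6 2B | 0 | /(.+
 1/0x01 | D4 F3 B2 76 | 0 | ...v
 2/0x02 | 98 7D 3E 2B | 0 | .}>+
 3/0x03 | 9D 5F 7B CF | 0 | ._{.
 4/0x04 | 4E 8E FE 92 | 0 | N...
 5/0x05 | 05 9D 99 AC | 0 | ....
 6/0x06 | 29 55 96 1E | 0 | )U..
 7/0x07 | D7 CB F5 98 | 0 | ....
 8/0x08 | 44 56 09 26 | 0 | DV.&
 9/0x09 | 3F C1 07 E0 | 0 | ?...
10/0x0A | 00 00 00 00 | 0 | ....
"""
UID_HEX = "E0 07 C1 3F 26 09 56 44"  # as printed by findafi in the post


def parse_dump(text: str) -> dict:
    """Return {block_number: bytes} from a 'n/0xNN | data | lck | ascii' table."""
    blocks = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 2 or "/" not in cols[0]:
            continue  # header or separator line
        number = int(cols[0].split("/")[0])
        blocks[number] = bytes.fromhex(cols[1].replace(" ", ""))
    return blocks


def flatten(blocks: dict) -> bytes:
    """Concatenate blocks in ascending order; refuse gaps so offsets stay meaningful."""
    numbers = sorted(blocks)
    if numbers != list(range(numbers[0], numbers[-1] + 1)):
        raise ValueError("dump has missing blocks")
    return b"".join(blocks[n] for n in numbers)


def find_uid(blocks: dict, uid_hex: str) -> dict:
    """Locate the UID (as printed and byte-reversed) in the dumped memory.

    Returns {"as printed" | "byte-reversed": (block, offset_in_block)} for
    every orientation that is found.
    """
    uid = bytes.fromhex(uid_hex.replace(" ", ""))
    memory = flatten(blocks)
    first = min(blocks)
    block_size = len(blocks[first])
    hits = {}
    for label, pattern in (("as printed", uid), ("byte-reversed", uid[::-1])):
        offset = memory.find(pattern)
        if offset != -1:
            hits[label] = (first + offset // block_size, offset % block_size)
    return hits


def unused_blocks(blocks: dict) -> list:
    """Blocks that are all 0x00 or all 0xFF, i.e. carry no payload."""
    return [n for n, data in sorted(blocks.items())
            if data in (b"\x00" * len(data), b"\xff" * len(data))]


if __name__ == "__main__":
    blocks = parse_dump(DUMP_TEXT)
    print("blocks parsed:", len(blocks))
    print("UID hits:", find_uid(blocks, UID_HEX))
    print("empty blocks:", unused_blocks(blocks))
```

On the posted data the UID is found byte-reversed at the start of block 8, spanning blocks 8 and 9, and block 10 is empty; ISO 15693 transmits the UID least-significant byte first, so the reversed orientation is the one to expect in memory. That leaves blocks 0 to 7 as the only candidates for vendor-specific content.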

I'm wondering if there is any reader/writer to write data into blocks for iCLASS SE instead of the HID encoder?
Like the Omnikey 5321 worked on iCLASS legacy.
Long ago I saw one writer (could be pcProx) that was able to write data to any block or change the key.
Does anyone know about this?
Thanks & stay safe

I had some more of a look at the outputs of the proxmark3, and there are some things which do not make sense.
First I noticed that the blocks AA1 and AA2 are overlapping: AA1 is from 06-FF and AA2 from 100-1F. Yet when I read the whole card with readblk, only blocks 00 to 05 have some data in them (it's blocks 00, 01, 02 and 05); everything else is filled with 0xFF. As said before, blocks with data repeat every 0x20 up to 0xFF (the last block being only filled with 0xFF).
When I want to write to the card, I get an Authentication error. How could I proceed? The content which is stored on the card seems to be written on there without any encryption.

I am new in this forum. Although I have been working on RFID technologies, mainly on the transponder side for automotive, now I am working on some home access control devices. I found the same tag as the one described in this thread. I have the latest pm3 rdv4 with the latest OS and bootrom, but I am afraid I do not have your modified iclass code in order to check the data you show.
May I know how I can do the same tests that you have done, Iceman? I would like to use the
hf iclass info
hf iclass du
commands for this type of unsecured iclass or picopass tag.
Thanks in advance.

Another thing is that hf iclass sim 2 and sim 4 seem not to be working at all; is it related to my settings or just to the card?
So what I feel confused about is this:
1) Can I get the AA2 keys by only using the PM3? If I must use an iclass reader to sniff or scan the card, please tell me, then I'll just give up.
2) This card has an e-purse; can I clone the card and make it work without cloning the e-purse section? (I just want to have access to the locker room, which the institution won't let interns do.)

Legacy iCLASS is quite broken, and you mention an iCLASS SR card, so I suggest you do some reading on the differences between legacy iCLASS and iCLASS SE/SR.