That tells me that your reader is NOT using either of those two Kc authentication keys.
That actually makes sense since I would not expect your Bioscript V-Flex reader to use the same HID AA2 key that all HID developers know. It would only make sense that they load a unique/custom Kc since Bioscript is trying to protect sensitive fingerprint data that is being stored in AA2.
Your question about why the picopass default Kc does not work with blank (from factory, not personalized) tags can also be explained.
There are three types of tags:
1) Uninitialized (Not personalized or programmed). These use the Picopass default keys.
2) Initialized (personalized but NOT programmed). These use the HID default keys.
3) Programmed (personalized and programmed). These use the HID default keys.
HID no longer sells the uninitialized tags. The "blank" tags that they currently sell are actually Initialized but not programmed. I suspect that these are what you tried which is why they would not authenticate using the default PicoPass keys. You can easily tell by looking at the value of the leftmost byte of Block 1 (Application Limit). If it is 0x12 then the credential has already been initialized by HID and no longer uses the PicoPass default Kd or Kc.
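The check described above (leftmost byte of Block 1, the application limit, equal to 0x12) and the fuse/memory fields that sit next to it in the same block, worked through as an added example. This is not code from the thread or from the proxmark3 client; the block layout is the PicoPass datasheet's, the fuse descriptions are written to reproduce what the "hf search" output quoted later in this thread prints for fuses 0x3C, and treating bit 0x80 of the memory-config byte as "16 kbit, 255 blocks" (otherwise 2 kbit, 31 blocks) is an assumption made here, not something the thread states.

```python
# Added example, not code from the thread or from the proxmark3 client.  It decodes a
# PicoPass/iClass configuration block (block 1) and applies the check from the post
# above: an application limit of 0x12 means HID has already initialised the tag.
# Block 1 layout (PicoPass datasheet):
#   [0] application limit   [1..2] OTP   [3] block write lock   [4] chip config
#   [5] memory config       [6] EAS      [7] fuses
# The fuse descriptions match what "hf search" in this thread prints for fuses = 0x3C.
# Bit 0x80 of the memory-config byte meaning "16 kbit, 255 blocks" (else 2 kbit,
# 31 blocks) is an assumption made here, not something the thread states.

FUSE_FPERS   = 0x80   # 1 = personalization mode (programmable), 0 = application mode (locked)
FUSE_CODING1 = 0x40
FUSE_CODING0 = 0x20
FUSE_CRYPT1  = 0x10
FUSE_CRYPT0  = 0x08
FUSE_RA      = 0x01   # 1 = read access without authentication

HID_INITIALISED_APP_LIMIT = 0x12   # value stated in the post above
FIRST_USER_BLOCK = 0x06            # 0 CSN, 1 config, 2 e-purse, 3 Kd, 4 Kc, 5 app issuer area


def decode_fuses(f):
    """Translate the fuse byte into the four lines 'hf search' prints for it."""
    mode = "Personalization [Programmable]" if f & FUSE_FPERS else "Application [Locked]"
    if f & FUSE_CODING1:
        coding = "RFU"
    elif f & FUSE_CODING0:
        coding = "ISO 14443-2 B/ISO 15693"
    else:
        coding = "ISO 14443B only"
    c1, c0 = bool(f & FUSE_CRYPT1), bool(f & FUSE_CRYPT0)
    if c1 and c0:
        crypt = "Secured page, keys not locked"
    elif c1:
        crypt = "Secured page, keys locked"
    elif c0:
        crypt = "Non secured page"
    else:
        crypt = "No auth possible. Read only if RA is enabled"
    ra = "Read access enabled" if f & FUSE_RA else "Read access not enabled"
    return {"mode": mode, "coding": coding, "crypt": crypt, "ra": ra}


def decode_config_block(block1):
    block1 = bytes(block1)
    if len(block1) != 8:
        raise ValueError("block 1 is exactly 8 bytes")
    app_limit = block1[0]
    kbits = 16 if block1[5] & 0x80 else 2        # assumption, see lead-in
    max_block = 0xFF if kbits == 16 else 0x1F
    return {
        "app_limit": app_limit,
        "otp": block1[1:3].hex(),
        "block_write_lock": block1[3],
        "chip_config": block1[4],
        "mem_config": block1[5],
        "eas": block1[6],
        "fuses": decode_fuses(block1[7]),
        "kbits": kbits,
        "aa1": (FIRST_USER_BLOCK, app_limit),
        "aa2": (app_limit + 1, max_block) if app_limit < max_block else None,
        "hid_initialised": app_limit == HID_INITIALISED_APP_LIMIT,
    }


def summarize(block1):
    """Lines in the spirit of the 'hf search' output quoted in this thread."""
    c = decode_config_block(block1)
    f = c["fuses"]
    return [
        "Mode: %s" % f["mode"],
        "Coding: %s" % f["coding"],
        "Crypt: %s" % f["crypt"],
        "RA: %s" % f["ra"],
        "Mem: %d KBits [%02X]" % (c["kbits"], c["mem_config"]),
        "AA1: blocks %02X-%02X" % c["aa1"],
        "AA2: blocks %02X-%02X" % c["aa2"] if c["aa2"] else "AA2: none",
        "HID-initialised: %s" % ("yes (app limit 0x12)" if c["hid_initialised"] else "no"),
    ]


if __name__ == "__main__":
    # Block 1 exactly as it appears in the dump quoted in this thread: 12 FF FF FF F9 9F FF 3C
    print("\n".join(summarize(bytes.fromhex("12FFFFFFF99FFF3C"))))
```

Run against the Block 1 from the dump in this thread (12 FF FF FF F9 9F FF 3C) it reports the same AA1/AA2 split (06-12 and 13-FF) and the same fuse lines as the "hf search" output, and flags the tag as HID-initialised, which is the reason the PicoPass factory-default keys would not be expected to work on it.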

4.2.4 Command set summary
READCHECK (1) 88 or 18; 88 or 18; 48 or D8; 88 or 18; 48 or D8
Read data at the sent address, to be integrated in the authentication with the selected key:
88 or 28 or 48: Kd (Debit Key)
18 or B8 or D8: Kc (Credit Key)
CHECK (1) 05; 05; C5; 05; C5
Authenticate using the cryptographic algorithm.
CHECK (Security command)
In the authentication procedure, the CHECK instruction response enables the reader to authenticate the chip.
The challenge in the instruction format is computed by the core algorithm (the CHECK instruction code is not included in the calculation).
Once the chip is authenticated with Kd, a Kd authentication failure does not reset the rights acquired.
Once the chip is authenticated with Kc or Kd, a Kc authentication failure resets the rights acquired.
P.S.
But I think that the main question is: why does the PicoPass default Kc not work with blank (from factory, not personalized) tags?
Maybe the solution lies in the fact that the "default picopass Kc" is not the "default iclass AA2", just as the "default picopass Kd" is not the "default iclass AA1". Neither the "default picopass Kc" nor the "default picopass Kd" works for me; only the "default iclass AA1" works. So how can I find the "default iclass AA2"? :)
9 = 1 = parity, 0 0 = mfu, 1 = use Credit Key (if 0, use Debit Key)
5 = CHECK
Your reader is trying to authenticate.
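The byte layout spelled out in the reply above and in the datasheet excerpt (parity bit, two "mfu" bits, key-select bit, command nibble), applied to the trace lines quoted elsewhere in this thread, as an added example. This is not code from the thread or from the proxmark3 sources; the parity rule (even parity over the whole byte) is inferred here from the codes listed in the excerpt, and the command-nibble names are the standard PicoPass commands as the proxmark3 client labels them, an assumed mapping of which only READCHECK, CHECK and PAGESEL occur in the sample.

```python
# Added example; not code from the thread or from the proxmark3 sources.  It decodes
# PicoPass/iClass reader command bytes using the layout given in the datasheet excerpt
# and in the reply above, then runs that over trace lines copied from this thread.
#
#   bit 7     : parity.  Even parity over the whole byte fits every code in the excerpt
#               (0x88 0x18 0x48 0xD8 0x28 0xB8 0x05 0xC5) and the reader's 0x95.
#   bits 6..5 : the "mfu" bits of the reply above; 00 in every frame seen here
#   bit 4     : key select, 1 = Kc (credit key), 0 = Kd (debit key)
#   bits 3..0 : command
#
# Command nibble names: the standard PicoPass commands as the proxmark3 client names
# them (assumed mapping; the sample trace only exercises READCHECK, CHECK, PAGESEL).
COMMANDS = {
    0x0: "HALT", 0x1: "SELECT", 0x4: "PAGESEL", 0x5: "CHECK", 0x6: "READ4",
    0x7: "UPDATE", 0x8: "READCHECK", 0xA: "ACTALL", 0xC: "READ/IDENTIFY",
    0xE: "ACT", 0xF: "DETECT",
}
KEYED_COMMANDS = ("READCHECK", "CHECK")


def even_parity_ok(b):
    return bin(b & 0xFF).count("1") % 2 == 0


def decode_cmd(b):
    """Split one command byte into its fields."""
    return {
        "cmd": COMMANDS.get(b & 0x0F, "?"),
        "key": "Kc" if b & 0x10 else "Kd",
        "mfu": (b >> 5) & 0x3,
        "parity_ok": even_parity_ok(b),
    }


# Constructed sample: trace lines copied from the 'hf list iclass' output in this thread.
SAMPLE_TRACE = """\
26259536 | 26293680 | Rdr |84 00 73 33 | ok | PAGESEL(0)
27125328 | 27135008 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94 ed! | ok |
27128480 | 27152464 | Rdr |18 02 | | READCHECK[Kc](2)
27214656 | 27265584 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
27217312 | 27241728 | Rdr |95 a8 ff ff ff 6f d6 eb 53 | | ?
27327344 | 27342752 | Rdr |84 00 73 33 | ok | PAGESEL(0)
"""


def parse_trace(text):
    """Return (src, payload bytes) per frame; drops pm3's '!' markers and annotation column."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] not in ("Rdr", "Tag"):
            continue
        frames.append((cols[2], bytes(int(t.rstrip("!"), 16) for t in cols[3].split())))
    return frames


def annotate(frames):
    """Name every reader frame.  For CHECK, split the 8-byte payload into the reader
    nonce NR and its MAC, and report whether a Tag frame follows before the reader's
    next command (no Tag frame = the tag/emulator did not accept the MAC)."""
    out = []
    for i, (src, data) in enumerate(frames):
        if src == "Tag":
            out.append((src, data.hex(), "response"))
            continue
        d = decode_cmd(data[0])
        note = d["cmd"] + ("[%s]" % d["key"] if d["cmd"] in KEYED_COMMANDS else "")
        if not d["parity_ok"]:
            note += " bad-parity"
        if d["cmd"] == "CHECK" and len(data) == 9:
            nr, mac = data[1:5], data[5:9]
            answered = i + 1 < len(frames) and frames[i + 1][0] == "Tag"
            note += " NR=%s MAC=%s -> %s" % (
                nr.hex(), mac.hex(),
                "tag answered" if answered else "no tag response, reader starts over")
        elif len(data) > 1:
            note += " arg=0x%02x" % data[1]
        out.append((src, data.hex(), note))
    return out


if __name__ == "__main__":
    for src, raw, note in annotate(parse_trace(SAMPLE_TRACE)):
        print(src, raw.ljust(20), note)
```

On the quoted trace the "unknown command" 0x95 comes out as CHECK with the Kc bit set and correct parity, carrying a 4-byte NR and a 4-byte MAC, and it is followed directly by the reader's next PAGESEL with no Tag frame in between: the emulator never answered the CHECK, which is why the reader loops.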

[+] - High security custom key (Kcus) -
[+] Standard format = da28787db0ff2150
[+] iClass format = 31ad7ebd2f282168
[!] Failed to verify calculated master key (k_cus)! Something is wrong.
However, I failed again - these keys do not fit.
I also tried to set up the pm3 to respond to "PAGESEL(0)".
I uncommented line 1536 in iclass.c and added:
} else if(receivedCmd[0] == ICLASS_CMD_PAGESEL) { // 0x84
//Pagesel
//Pagesel enables to select a page in the selected chip memory and return its configuration block
//Chips with a single page will not answer to this command
// It appears we're fine ignoring this.
//Otherwise, we should answer 8bytes (block) + 2bytes CRC
modulated_response = resp_conf; modulated_response_size = resp_conf_len;
trace_data = conf_data;
trace_data_s
However, after that the reader began to issue an unknown command 0x95:
26259536 | 26293680 | Rdr |84 00 73 33 | ok | PAGESEL(0)
27125328 | 27135008 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94 ed! | ok |
27128480 | 27152464 | Rdr |18 02 | | READCHECK[Kc](2)
27214656 | 27265584 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
27217312 | 27241728 | Rdr |95 a8 ff ff ff 6f d6 eb 53 | | ?
27327344 | 27342752 | Rdr |84 00 73 33 | ok | PAGESEL(0)
28193632 | 28249104 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94 ed! | ok |
28196768 | 28201040 | Rdr |18 02 | | READCHECK[Kc](2)
28282944 | 28314144 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
28285584 | 28290288 | Rdr |95 40 ff ff ff 94 1c 79 1a | | ?
28395600 | 28455216 | Rdr |84 00 73 33 | ok | PAGESEL(0)
29260240 | 29297616 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94 ed! | ok |
29263312 | 29315168 | Rdr |18 02 | | READCHECK[Kc](2)
29349504 | 29362720 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
29352144 | 29404400 | Rdr |95 1b ff ff ff 86 5a 6d ed | | ?
I get the impression that my reader is in standard mode (not elite). But I do not understand why, in this case, the default PicoPass credit key does not fit. I tried the default Kc key with a blank tag (not personalized). The result was also unsuccessful.
Perhaps the frequently mentioned "iClass Serial Protocol Document" will help me somehow. Hard as I tried, I could not find it in open sources.
Thank you very much, great iceman
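The two spellings of the same key that loclass prints in the post above ("Standard format" and "iClass format") are related by a fixed bit permutation, and a key that "does not fit" is sometimes just the right key in the other spelling. The routine below is an added example, not code from the thread or from the proxmark3/loclass sources (proxmark3 has its own permutekey helpers, which are not reproduced here); the mapping was derived from, and is checked against, the one key pair printed above, so it is an inference from that data rather than a documented specification.

```python
# Added example; not code from the thread or from proxmark3/loclass.  Converts a PicoPass
# key between the "Standard format" and "iClass format" spellings loclass prints, using
# the permutation inferred from the pair shown in the post above:
#   standard da28787db0ff2150  <->  iClass 31ad7ebd2f282168
# Rule: output byte k collects bit (7-k) of every input byte, and input byte j lands in
# bit position j of the output byte (so the last input byte supplies the MSB).

def standard_to_iclass(key):
    """iclass[k] bit j == standard[j] bit (7-k)."""
    key = bytes(key)
    if len(key) != 8:
        raise ValueError("PicoPass keys are 8 bytes")
    out = bytearray(8)
    for k in range(8):
        v = 0
        for j in range(8):
            v |= ((key[j] >> (7 - k)) & 1) << j
        out[k] = v
    return bytes(out)


def iclass_to_standard(key):
    """Exact inverse: standard[j] bit (7-k) == iclass[k] bit j."""
    key = bytes(key)
    if len(key) != 8:
        raise ValueError("PicoPass keys are 8 bytes")
    out = bytearray(8)
    for j in range(8):
        v = 0
        for k in range(8):
            v |= ((key[k] >> j) & 1) << (7 - k)
        out[j] = v
    return bytes(out)


def both_spellings(key_hex):
    """Given a key in either spelling, return the two candidates you should try."""
    k = bytes.fromhex(key_hex)
    return {"as_given": k.hex(),
            "if_given_was_standard": standard_to_iclass(k).hex(),
            "if_given_was_iclass": iclass_to_standard(k).hex()}


if __name__ == "__main__":
    # The pair printed by loclass in the post above.
    std = bytes.fromhex("da28787db0ff2150")
    print("standard", std.hex(), "-> iClass", standard_to_iclass(std).hex())
    print(both_spellings("31ad7ebd2f282168"))
```

Before concluding that a dictionary key is wrong, run it through both_spellings() and try the other form as well; the permutation is not an involution (applying standard_to_iclass twice does not give the original), so the two directions are kept as separate functions.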

Sure is, but that doesn't mean you have the right AA2/Kc/credit key. In the dictionary there is a default one, which most likely changed when the tag got personalized.
OK. Then, do I understand correctly that the command "hf iclass sim 2" is intended only for obtaining the AA1 key (which I already know), and that in the current version of the pm3 there is no ready-made solution for obtaining the AA2 key?

You need the Application2 key (AA2).
Thanks for helping, iceman! I thought that AA2 is Kc. Isn't that right? The DS Picopass 2KS V1-0.pdf mentions only two keys (debit and credit). If AA2 is not the credit key, could you point me to a resource about the AA2 key, please?

Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1077-g9fe651c9 2019-03-06 10:42:07
os: iceman/master/ice_v3.1.0-1077-g9fe651c9 2019-03-06 10:42:11
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 237349 bytes (45%) Free: 286939 bytes (55%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf search
[!] timeout while waiting for reply.
CSN: ** ** ** ** ** ** ** **
CC: F0 FF FF FF FF FF FF FF
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
[+] Crypt: Secured page, keys not locked
[!] RA: Read access not enabled
Mem: 16 KBits/2 App Areas (255 * 8 bytes) [9F]
AA1: blocks 06-12
AA2: blocks 13-FF
OTP: 0xFFFF
KeyAccess:
Read A - Kd or Kc
Read B - Kd or Kc
Write A - Kc
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: FF FF FF FF FF FF FF FF
[+] : Possible iClass (legacy tag)
[+] Valid iClass Tag (or PicoPass Tag) Found
I can write data to the cards using a legitimate reader through its special legitimate software.
I am trying to read data from the tags using pm3.
I can read Application1 on the tag with the leaked master key.
pm3 --> hf iclass dump k ****************
.------+--+-------------------------+
CSN |00| ** ** ** ** ** ** ** ** |
------+--+-------------------------+
|01| 12 FF FF FF F9 9F FF 3C | .......<
|02| F0 FF FF FF FF FF FF FF | ........
|03| ** ** ** ** ** ** ** ** | .!......
|04| FF FF FF FF FF FF FF FF | ........
|05| FF FF FF FF FF FF FF FF | ........
|06| 03 03 03 03 00 03 E0 17 | ........
|07| 62 93 53 EF EA 7B 05 B8 | b.S..{..
|08| 2A D4 C8 21 1F 99 68 71 | *..!..hq
|09| 2A D4 C8 21 1F 99 68 71 | *..!..hq
|0A| FF FF FF FF FF FF FF FF | ........
|0B| FF FF FF FF FF FF FF FF | ........
|0C| FF FF FF FF FF FF FF FF | ........
|0D| FF FF FF FF FF FF FF FF | ........
|0E| FF FF FF FF FF FF FF FF | ........
|0F| FF FF FF FF FF FF FF FF | ........
|10| FF FF FF FF FF FF FF FF | ........
|11| FF FF FF FF FF FF FF FF | ........
|12| FF FF FF FF FF FF FF FF | ........
------+--+-------------------------+
[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file iclass_tagdump.bin
But I cannot read data from Application2. The keys in default_iclass_keys.dic are not working (pm3 returns FFh for any block from 13 on).
The command "hf iclass sim 2" fails (bad FF at ...).
pm3 --> hf iclass sim 2
[=] Starting iCLASS sim 2 attack (elite mode)
[=] press keyboard to cancel
#db# [+] going into attack mode, 9 CSNS sent
#db# [-] bad FF at 0:4
#db# [-] bad FF at 3:6
[!] timeout while waiting for reply.
#db# [+] button pressed
pm3 -->
Full trace: https://www.sendspace.com/file/bovi6b
At the moment, I am concerned about two questions:
1. Is iClass legacy "Elite" or not? If it is, why can I read Application1 of it with the leaked master key? And why does the command "hf iclass sim 2" fail (bad FF at ...)?
2. If iClass legacy is NOT "Elite", why can I not read Application2 with the Kc from default_iclass_keys.dic?
Thank you very much for any help.