----------------------------------------------------
pm3 --> hw version
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
bootrom: master/v3.1.0-87-g905d297-dirty-suspect 2019-04-20 06:06:29
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 169916 bytes (32%) Free: 354372 bytes (68%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf search
[!] timeout while waiting for reply.
#db# unknown command:: 0x03bc
CSN: 26 CF 37 02 F9 FF 12 E0
CC: 8C 87 FF FF 13 F5 FF FF
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
[+] Crypt: Secured page, keys not locked
[!] RA: Read access not enabled
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
OTP: 0xFFFF
KeyAccess:
Read A - Kd or Kc
Read B - Kd or Kc
Write A - Kc
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: EA F5 FF FF FF FF FF FF
[!] : Possible iClass (NOT legacy tag)
[+] Valid iClass Tag (or PicoPass Tag) Found
pm3 --> hf iclass dump k 5b7c62c491cxxxxx
[+] retry to select card
[!] failed authenticating with debit key
pm3 --> hf iclass dump k 5b7c62c491cxxxxx e
[+] retry to select card
[!] failed authenticating with debit key
The PM3 calculated value of Kd will show up in Block 3 of the dumped data.
I have concluded that this tag is an Elite iClass as the standard master key failed to authenticate. Thus, I have performed:
(1) hf iclass sim 2 --> successful
(2) hf iclass loclass f loclass/iclass_dump.bin --> successful and got Kcus (custom key)
[+] -- High security custom key (Kcus) --
[+] Standard format = 8fa250c3cb6xxxxx
[+] iClass format = 5b7c62c491cxxxxx
[Questions]
From my understanding, the custom key (Kcus) (1) needs to be reverse permuted using "hf iclass permute r <Kcus>" and (2) the diversified key needs to be calculated using the custom key (Kcus) and the CSN. Any advice on how to calculate the diversified key would be appreciated!
Thank you