"iClass Key Extraction – Exploiting the ICSP Interface - 1 October 2011" (page 4)
"iClass Reader (RevA) PIC 18F452/18F6621 RAM Dumper Operating Instructions" (page 5)
Now that I've managed to locate where the master, tdes1 and tdes2 keys are, I'll need to figure out what order they are in.

The reader which worked best for me out of the 3 that I had was the RK10. I also had to compile a custom Linux kernel without any of the USB serial drivers, which I thought would help.
Now to figure out the offsets!

My original design approach utilized a dedicated microcontroller that was programmed in assembly language. I personally never trusted the FTDI bit-bang approach since its ability to be precision-controlled is constrained by the OS under which it is being run.
Without knowing anything about your specific setup, I would recommend hooking up a hardware logic analyzer to verify that the ICSP command sequence being generated is consistent with the documented approach and that all PIC 18F452 timing requirements are being met.
Feel free to email me directly if you want a copy of my SX28 microcontroller code that successfully implemented this ICSP hack.
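The logic-analyzer check suggested in the reply above can be partly automated. The following is an added example, not code from the forum posters or from the linked article: it decodes a captured PGC/PGD trace into the 4-bit command plus 16-bit operand frames that the PIC18 ICSP command set uses (bits clocked LSB first on the rising edge of PGC) and flags frames whose clock period is shorter than a configured minimum. The sample capture is constructed inline by `encode()`, and `MIN_CLOCK_PERIOD_NS` is an assumed threshold; the real limits (the P-parameters in the PIC18F452 programming specification) must be taken from the datasheet.

```python
"""Decode a PIC18 ICSP (PGC/PGD) logic-analyzer capture into command/operand frames.

Assumptions (example code, not from the original post):
  - samples are (t_ns, pgc, pgd) tuples as exported from a logic analyzer
  - each frame is 4 command bits then 16 operand bits, LSB first, sampled on
    the rising edge of PGC (PIC18 ICSP command format)
  - MIN_CLOCK_PERIOD_NS is an assumed threshold; use the datasheet P2 value
"""
from dataclasses import dataclass
from typing import List, Tuple

# 4-bit ICSP command encodings from the PIC18 programming command set
COMMANDS = {
    0b0000: "core instruction",
    0b0010: "shift out TABLAT",          # upper operand byte is driven by the PIC
    0b1000: "table read",
    0b1001: "table read, post-increment",
    0b1010: "table read, pre-increment",
    0b1011: "table read, post-decrement",
    0b1100: "table write",
    0b1101: "table write, post-increment by 2",
    0b1110: "table write, start programming, post-increment by 2",
    0b1111: "table write, start programming",
}

MIN_CLOCK_PERIOD_NS = 100  # assumed minimum PGC period for the timing check


@dataclass
class Frame:
    command: int
    operand: int
    name: str
    timing_ok: bool


def rising_edges(samples) -> List[Tuple[int, int]]:
    """Return (time, pgd) at every rising edge of PGC."""
    edges, prev = [], 0
    for t, pgc, pgd in samples:
        if pgc and not prev:
            edges.append((t, pgd))
        prev = pgc
    return edges


def decode(samples, min_period_ns=MIN_CLOCK_PERIOD_NS) -> Tuple[List[Frame], int]:
    """Group rising edges into 20-bit frames; return frames and count of stray bits."""
    edges = rising_edges(samples)
    frames = []
    for i in range(0, len(edges) - len(edges) % 20, 20):
        chunk = edges[i:i + 20]
        cmd = sum(bit << k for k, (_, bit) in enumerate(chunk[:4]))       # LSB first
        operand = sum(bit << k for k, (_, bit) in enumerate(chunk[4:]))   # LSB first
        times = [t for t, _ in chunk]
        periods = [b - a for a, b in zip(times, times[1:])]
        timing_ok = all(p >= min_period_ns for p in periods)
        frames.append(Frame(cmd, operand, COMMANDS.get(cmd, "unknown"), timing_ok))
    return frames, len(edges) % 20


def encode(command, operand, period_ns=200, start_ns=0):
    """Constructed-trace generator: one host-driven frame at the given clock period."""
    samples, t = [], start_ns
    bits = [(command >> k) & 1 for k in range(4)] + [(operand >> k) & 1 for k in range(16)]
    for b in bits:
        samples.append((t, 0, b))                    # data set up while PGC is low
        samples.append((t + period_ns // 2, 1, b))   # rising edge: bit is sampled here
        t += period_ns
    samples.append((t, 0, 0))                        # return PGC low after the frame
    return samples, t


def build_sample_trace():
    """Constructed capture: MOVLW 0x00 and MOVWF TBLPTRU at a sane clock rate,
    then a table-read frame clocked far too fast to exercise the timing check."""
    trace, t = [], 0
    for cmd, operand, period in [(0b0000, 0x0E00, 200), (0b0000, 0x6EF8, 200), (0b1001, 0x0000, 50)]:
        part, t = encode(cmd, operand, period_ns=period, start_ns=t)
        trace.extend(part)
    return trace


if __name__ == "__main__":
    frames, stray = decode(build_sample_trace())
    for f in frames:
        print(f"cmd={f.command:04b} operand=0x{f.operand:04X} {f.name:45s} timing_ok={f.timing_ok}")
    print(f"stray bits at end of capture: {stray}")
```

A real capture is fed in the same way after converting the analyzer's export to `(time_ns, pgc, pgd)` tuples; a non-zero stray-bit count or an unexpected command name is the first sign that the bit-bang sequence is not what the programming specification describes, and `timing_ok=False` points at the OS-scheduling jitter the reply above warns about.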

I've spent the past few weeks reading up on the iClass system and as stated in my introduction post, I'd like to get into it a bit more now.
So I purchased some Revision A readers (R10 and R40) with the aim of acquiring the necessary keys. Although I found the master key online (and I think a lot of people have as well) I am still trying to figure out the two 8-byte TDES keys which are also needed to communicate with the card. Besides, I don't want to search for things but rather learn and do things myself.
After reading a few posts on this forum, I realised that because the R10 and R40 types do not have their RS232 Rx and Tx terminals brought out of the potting, I am unable to use the "pic18-iscp" software on GitHub to extract the entire EEPROM contents. The only option I have is to use the FTDI method which is described in this article:
http://blog.opensecurityresearch.com/20 … -keys.html
But it's been a few days now of trying and no matter how many different things I do, I still can't get a successful dump. All I get are zeros.
I've tried the process with a couple of readers, different Vpp voltages, and have even compiled the file with different baud rates. I have tried running the script on an actual Linux machine and a VM with the same results.
Is there someone who can point me in the right direction? I'd appreciate it. Maybe I'm doing something else wrong?