Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-04-23 16:05:32

prox_students
Contributor
Registered: 2019-01-27
Posts: 14

iClass Elite calculating diversified key

Hi,

I have concluded that this tag is an Elite iClass as the standard master key failed to authenticate. Thus, I have performed:

(1) hf iclass sim 2 --> successful
(2) hf iclass loclass f loclass/iclass_dump.bin --> successful and got Kcus(Custom key)

[+] -- High security custom key (Kcus) --         
[+] Standard format    = 8fa250c3cb6xxxxx
[+] iClass format      = 5b7c62c491cxxxxx


[Questions]
From my understanding, the custom key(Kcus) (a) needs to be reverse permuted using "hf iclass permute r <Kcus>" AND (2) the diversified key needs to be calculated using Custom Key(Kcus) and CSN. Any advice on how to calculate the diversified key would be appreciated !


Thank you

Offline

#2 2019-04-23 20:56:04

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 166

Re: iClass Elite calculating diversified key

The credentials diversified key (Kd) is calculated for you when you execute the "dump" command.
hf iclass dump k 5b7c62c491cxxxxx e

The PM3 calculated value of Kd will show up in Block 3 of the dumped data.

Offline

#3 2019-04-24 10:58:08

prox_students
Contributor
Registered: 2019-01-27
Posts: 14

Re: iClass Elite calculating diversified key

Thanks for your reply ! I tried it per your suggestion, but it still failed to authenticate. I have also reversed the permuted key using "hf iclass permute r 5b7c62c491cxxxxx" and tried to authenticate with this key, but also failed. Any suggestion would be appreciated !

----------------------------------------------------

         
pm3 -->  hw version

Proxmark3 RFID instrument
         

[ CLIENT ]         
client: iceman build for RDV40 with flashmem; smartcard; 
         
bootrom: master/v3.1.0-87-g905d297-dirty-suspect 2019-04-20 06:06:29
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
         

[ Hardware ]           
  --= uC: AT91SAM7S512 Rev B         
  --= Embedded Processor: ARM7TDMI         
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 169916 bytes (32%) Free: 354372 bytes (68%)         
  --= Second Nonvolatile Program Memory Size: None         
  --= Internal SRAM Size: 64K bytes         
  --= Architecture Identifier: AT91SAM7Sxx Series         
  --= Nonvolatile Program Memory Type: Embedded Flash Memory         

         
pm3 --> hf search
[!] timeout while waiting for reply.         
#db# unknown command:: 0x03bc         
   CSN: 26 CF 37 02 F9 FF 12 E0           
    CC: 8C 87 FF FF 13 F5 FF FF           
    Mode: Application [Locked]         
    Coding: ISO 14443-2 B/ISO 15693         
[+]     Crypt: Secured page, keys not locked         
[!]     RA: Read access not enabled         
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]         
    AA1: blocks 06-12         
    AA2: blocks 13-1F         
    OTP: 0xFFFF         

KeyAccess:         
    Read A - Kd or Kc         
    Read B - Kd or Kc         
    Write A - Kc         
    Write B - Kc         
    Debit  - Kd or Kc         
    Credit - Kc         
App IA: EA F5 FF FF FF FF FF FF           
[!]       : Possible iClass (NOT legacy tag)         
         
[+] Valid iClass Tag (or PicoPass Tag) Found
         
pm3 --> hf iclass dump k 5b7c62c491cxxxxx
[+] retry to select card         
[!] failed authenticating with debit key         
pm3 --> hf iclass dump k 5b7c62c491cxxxxx e
[+] retry to select card         
[!] failed authenticating with debit key

Offline

Board footer

Powered by FluxBB