Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-04-28 12:34:31

student
Contributor
Registered: 2020-04-28
Posts: 5

Recovering from incorrect entry to block 3

-------Please ignore! I've learnt a fair bit more and edited some of my subsequent replies, leaving it here so that future students can learn from my mistakes!----------
I've bricked over a dozen cards in the process of learning to handle an iclass Elite layout and finally have a working process, thanks to so many posts from carl55 and iceman explaining the same things over and over until even someone like me can figure it out!

I am now trying to 'unbrick' these more as an educational process, and starting with the easiest one, I've saved the key sequence methodically for each card, so this makes it somewhat easier. But am stuck with the very first one.

Here the error I made was that I did calcnewkey with a card, and then wrote the resulting Xor div key to a new card with a different CSN:

calcnewkey on CARD I

[usb] pm3 --> hf iclass calcnewkey o AFA7XXXX n B85BXXXX e
[+] CSN  | 09 BA XXXX
[+] CCNR | FF FF FF FF FF FF FF FF
[+] Old div key : 8F 0B XXXX          [A]
[+] New div key : 7D 05 XXXX        [B]
[+] Xor div key : F2 0E B0 XXXX     [C]

Then write Xor div Key [C] to CARD II

hf iclass writeblk b 03 d F2 0E B0 XXXX     [C]  k AFA7XXXX

After reading all the various block3 posts dozens of times, I figured what I need to do is
a) figure out the correct div keys using calcnewkey on the new card
b) reverse engineer what block 3 value of C implies as div key

for a) I did

[usb] pm3 --> hf iclass calcnewkey o AFA7XXXX n B85BXXXX e
[+] CSN  | AA 92 XXXX
[+] CCNR | FE FF FF FF FF FF FF FF
[+] Old div key : 72 B6 XXXX          [D]
[+] New div key : F6 27 XXXX         [E]
[+] Xor div key : 84 91 XXXX          [F]

For b) I figured that if I XOR D and C, I will get the raw key, so I just did it with a calculator, getting 80b8XXXX [G], then tested a read and wrote what the correct value should have been, which is 8491XXXX [F].

So great I now do the following:

[usb] pm3 --> hf iclass rdbl b 03 k 80b8XXXX [G] r
[+] Using raw mode
[+] block 03: FF FF FF FF FF FF FF FF

[usb] pm3 --> hf iclass wrbl b 03 d 8491XXXX [F] k 80b8XXXX [G] r
[+] Using raw mode
[+] Write block 03 successful

It looks like it worked, yet now I can't read it back anymore. Nothing works, and even repeating the steps above to XOR etc does not yield a successful read. What have I done wrong?

Last edited by student (2020-05-01 12:01:06)


#2 2020-04-29 03:44:22

student
Contributor
Registered: 2020-04-28
Posts: 5

Re: Recovering from incorrect entry to block 3

I've been studying further, and examining an original card in my system, it looks like block 3 has the 'new div key' there rather than the xor div key as I originally thought. Here are the card outputs:

pm3 shows the raw 'new div key' in block 3 when you do a dump, but that may or may not be how the card actually stores it!
When you do a wrbl, you need to supply the XOR of the old and new div key, since that is part of how iClass security works: no one can sniff a key during a write!

[usb] pm3 --> hf iclass calcnewkey o AFA7XXXX n B85BXXXX e
[+] CSN  | 39 C0 XXXX
[+] CCNR | 92 EA FF FF FF FF FF FF
[+] Old div key : 54 43 XXXX
[+] New div key : D1 77 XXXX
[+] Xor div key : 85 34 XXXX

[usb] pm3 --> hf iclass rdbl b 06 k D177XXXX r
[+] Using raw mode
[+] block 06: 03 03 XXXX

[usb] pm3 --> hf iclass rdbl b 06 k B85BXXXX e
[+] Using elite algo
[+] block 06: 03 03 XXXX

The strange thing is I am managing to write to block 3 on a new non-elite card with the Xor key calculated for that card, and then do a clone with the data from blocks 6 to 12 of the original working card using the elite key, and this new non-elite card works, despite me writing to block 3 with the XOR key instead of the 'new key'.
One needs to write the XOR key as above, and cards can be converted from elite to non-elite by changing what is on block 3.

I can't read back or dump these cards though, yet the readers in my system accept these cards. <-- It turns out that once I do a read successfully on a reader, PM3 is able to read the cards fine again. I think there must be some kind of incorrect key counter inside the tag that needs to be 'reset', and reading it in a reader does this reset command, but I am guessing here.

Last edited by student (2020-05-01 12:06:53)


#3 2020-04-29 11:47:55

student
Contributor
Registered: 2020-04-28
Posts: 5

Re: Recovering from incorrect entry to block 3

--- All the below is expected behaviour, my last issue is probably down to me somehow command, lots more to learn and experiment!---

Looking around further with working cards I have, it looks like rdbl and wrbl operations don't actually write the values you supply, but rather XOR them. So in my very first example, when I last did

[usb] pm3 --> hf iclass rdbl b 03 k 80b8XXXX [G] r
[+] Using raw mode
[+] block 03: FF FF FF FF FF FF FF FF

The value actually in block 3 is [G]. The strange thing is that given that my next operation

[usb] pm3 --> hf iclass wrbl b 03 d 8491XXXX [F] k 80b8XXXX [G] r
[+] Using raw mode
[+] Write block 03 successful

succeeds, which means that the actual value written to block 3 is [F] XOR [G], yet when I use this as a raw key, it doesn't work. Perhaps I am still missing something on how wrbl works when you supply a raw key?

Last edited by student (2020-05-01 12:09:05)

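Following post #3, here is a small model of the block 3 write rule as the thread describes it: the card does not store the data you supply, it XORs it into the key it already holds, which is why calcnewkey's 'Xor div key' (old div key XOR new div key) is what gets written. This is an added example, not code from the thread or from the Proxmark3 project. It does not implement iClass key diversification (keys are treated as opaque 8-byte values), the 8-byte values are constructed for illustration rather than the redacted values above, and the class and function names are the example's own.

```python
"""Model of the iClass block 3 (key block) write rule described in post #3.

Added example, not the thread's or the Proxmark3 project's code. Assumptions:
  * a write to block 3 XORs the supplied data into the key the card already
    holds (stored_after = stored_before XOR data), which is what calcnewkey's
    'Xor div key' (old div key XOR new div key) exists for;
  * the key block reads back as FF..FF after a successful authentication,
    as in the rdbl output in the thread;
  * diversification is not modelled: keys are opaque 8-byte values, and the
    values below are constructed, not the redacted values from the thread.
"""

KEY_LEN = 8

# Constructed stand-ins for the thread's labels (not real diversified keys).
D_OLD = bytes.fromhex("72b6010203040506")      # [D] old div key of the target card
E_NEW = bytes.fromhex("f627a0b0c0d0e0f0")      # [E] new div key wanted on the card
G_CURRENT = bytes.fromhex("80b8deadbeef0102")  # [G] key actually on the card after the mistake


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def delta_to_write(current_key: bytes, target_key: bytes) -> bytes:
    """Data to write to block 3 so the card ends up holding target_key.

    With current_key = old div key and target_key = new div key this is the
    'Xor div key' that calcnewkey prints.
    """
    return xor_bytes(current_key, target_key)


class KeyBlockModel:
    """A card whose only modelled state is the diversified key in block 3."""

    def __init__(self, div_key: bytes) -> None:
        self._key = bytes(div_key)

    def read_block3(self, key: bytes) -> bytes:
        if key != self._key:
            raise PermissionError("authentication failed")
        return b"\xff" * KEY_LEN

    def write_block3(self, key: bytes, data: bytes) -> None:
        if key != self._key:
            raise PermissionError("authentication failed")
        # The card does not store `data`; it XORs it into the existing key.
        self._key = xor_bytes(self._key, data)

    def can_read_with(self, key: bytes) -> bool:
        try:
            self.read_block3(key)
            return True
        except PermissionError:
            return False

    def key_for_inspection(self) -> bytes:
        # A real card never reveals this; exposed only to show the model's state.
        return self._key


F_DELTA = delta_to_write(D_OLD, E_NEW)  # [F] what calcnewkey prints as 'Xor div key'


def replay_student_session() -> dict:
    """Replay post #3: write [F] under key [G], then recover with the right delta."""
    card = KeyBlockModel(G_CURRENT)
    card.read_block3(G_CURRENT)            # rdbl with raw G succeeds: block 3 holds G

    card.write_block3(G_CURRENT, F_DELTA)  # the mistaken write from post #1
    after_wrong = card.key_for_inspection()

    results = {
        "key_after_wrong_write": after_wrong,  # == G XOR F, not F
        "reads_with_new_div_key_E": card.can_read_with(E_NEW),
        "reads_with_delta_F": card.can_read_with(F_DELTA),
        "reads_with_old_key_G": card.can_read_with(G_CURRENT),
    }

    # Recovery: the card is not bricked as long as every value ever written is
    # known. The key on it is G XOR F, so the delta that reaches E is
    # (G XOR F) XOR E, authenticated with the key the card really holds.
    card.write_block3(after_wrong, delta_to_write(after_wrong, E_NEW))
    results["recovered"] = card.can_read_with(E_NEW)
    return results


if __name__ == "__main__":
    for name, value in replay_student_session().items():
        print(f"{name}: {value.hex() if isinstance(value, bytes) else value}")
```

The model makes the arithmetic behind the thread explicit: after the write in post #3 the card holds G XOR F, which is neither [E] nor [F], so both later reads fail; the delta that repairs it is (key the card really holds) XOR (key you want), authenticated with the key the card really holds. That is the practical reason for keeping a log of every value ever written to block 3, as the first post mentions doing.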

#4 2020-07-30 11:37:17

jp
Contributor
Registered: 2018-12-01
Posts: 3

Re: Recovering from incorrect entry to block 3

student wrote: (quoting post #1 above in full)

Thank you a lot. I followed your guide to restore my card, and it worked.

After writing block 03, I performed 'hf iclass reader 1' once, and the card was ready with the new key.
