Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi all,
I'm currently trying to replace the master key on an iClass r90 reader (standard).
Has anyone successfully flashed the EEPROM to replace the key? If so, please point me in the right direction.
According to HID technical support, they don't allow end users to program the master key in any of their readers. They say they manage the keys for all clients.
Thanks,
Kevin
Offline
Please refer to the "Dismantling iClass and iClass Elite" whitepaper.
Page6:
The write command takes as input a block number n, an eight-byte payload p and a MAC of the payload MAC(k, n · p). When successful, it writes p in memory and it returns a copy of p for verification purposes. This command has the side effect of resetting the internal state of the cipher. In addition, when the block number n corresponds to the address where a cryptographic key k is stored, the payload is XORed to the previous value instead of overwriting it, i.e., it assigns k := k ⊕ p. Therefore, in order to update a key k to k' the reader must issue a write command with k ⊕ k' as payload. In this way the card will store k ⊕ k ⊕ k' = k' as the new key. On the one hand, this particular key update procedure has the special feature that in case an adversary eavesdrops a key update he is unable to learn the newly assigned key, provided that he does not know k.
Offline
Please refer to the "Dismantling iClass and iClass Elite" whitepaper.
Nevermind. This is for the card... not the reader. I misread your question.
Offline
Kevin,
It is not clear to me why you would want to do such a thing but it is possible.
Although HID technical support would never acknowledge this, the HID master authentication key (standard security) can be overwritten using a special configuration card.
I believe that this feature is used by HID during the last stage of manufacturing where they need to install the "official" Master keys. All of their readers are manufactured in the Phillipines and I would assume that they have the manufacturer build, test, and deliver the hardware using a "Dummy" or "default" set of keys so as to discourage counterfeit products from being built and sold overseas. The "true" master keys are only installed by HID personnel here in the USA just prior to delivery to their authorized distributors.
If you reverse engineer the PIC 18F452 code in any RevA iclass readers you will find a 32-bit password that is needed to overwrite the Master authentication key. This password is used in a configuration card that overwrites the Master authentication key. It is NOT used in a configuration card that installs a high security (Elite) authentication key. To my knowledge, HID does not distribute this "special" configuration card to anyone. It can however be created yourself using a little knowledge obtained through reverse engineering the iclass reader code.
I have successfully demonstrated overwriting the standard security master authentication key on several iclass readers including the R10,R40 and R90 using this configuration card method so I know it is possible.
You can also replace the standard master authentication key by modifying the EEPROM and Flash code in the reader if you know the proper memory locations to change. I have demonstrated this on a Revision A RW300 reader since I have a copy of the binary EEPROM and Flash images for an RW300 reader and I know the proper memory locations to change. The key is stored in both EEPROM and Flash so you will need to change both locations. The "Heart of Darkness" paper by Milosch Meriac describes how to obtain the EEPROM and Flash images from a Revision A RW300/400 iclass reader.
.
Last edited by carl55 (2014-12-26 18:54:26)
Offline
Do you have an email address I can contact you at, or can you email me at: mitnick@gmail.com
Thanks,
Kevin
Offline