Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember: sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-06-02 16:36:18

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Cannot dump data with Masterkey using pm3

Hi Guys,

I have acquired the master key and tried it with ContactLessDemoVC using the following commands:
Select Card: 80A60000
Load key: 808200F008+<myMasterKey>
Authenticate: 808800F0
Read Block 6: 80B0000600

and got the block data returned as FFFFFFFFFFFFFFFF, which looks promising.
Reading blocks 1 and 5 returns different values:
80B0000100 > 12FFFFFF7F1FFF3C
80B0000500 > FFFFFF0006FFFFFF
I believe key is correct, otherwise it won't allow me to authenticate and read block info.

But when I tried to use pm3 to dump the data, it failed:

pm3 --> hf iclass dump k <myMasterKey>
Authing with diversified key: <diversified key>
Authentication error
Authing with diversified key: <diversified key>
Authentication error

and then I tried it with the "r" option on:

pm3 --> hf iclass dump k <myMasterKey> r
Authing with raw key: <myMasterKey>
Authentication error
Authing with raw key: <myMasterKey>
Authentication error

Additional test: is this key high security, not standard/old encryption?

pm3 --> hf iclass dump k <myMasterKey> e

High security custom key (Kcus):
z0   = 7a96610952461105
y0   = cc98d4c3035b2157
Authing with diversified key: 706d74da4d0c9df9
Authentication error

High security custom key (Kcus):
z0   = 7a96610952461105
y0   = cc98d4c3035b2157
Authing with diversified key: 706d74da4d0c9df9
Authentication error


I admit that I know only a little about iclass command usage in pm3; even the help info is a bit hard to understand.

Could anyone point me in the right direction?

Thank you in advance

Last edited by brantz (2017-06-02 17:07:31)


#2 2017-06-02 16:40:39

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Cannot dump data with Masterkey using pm3

A read block command will return all F's if that block contains F's or if you are not properly authenticated.


#3 2017-06-02 16:51:56

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: Cannot dump data with Masterkey using pm3

marshmellow wrote:

A read block command will return all F's if that block contains F's or if you are not properly authenticated.

Hi marshmellow,

not sure, but when I read blocks 1 and 5, it returns different values:
80B0000100 > 12FFFFFF7F1FFF3C
80B0000500 > FFFFFF0006FFFFFF

Last edited by brantz (2017-06-02 16:52:15)


#4 2017-06-02 17:49:57

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Cannot dump data with Masterkey using pm3

Blocks 1 and 5 are not protected. (They can always be read.)

#5 2017-06-02 18:34:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507
Website

Re: Cannot dump data with Masterkey using pm3

I would say that you are using your acquired masterkey the wrong way since you get auth-errors.

The iclass category on this forum is full of hints and instructions on what to do with the leaked key.

#6 2017-06-02 21:27:22

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Cannot dump data with Masterkey using pm3

According to the Block5 data (FFFFFF0006FFFFFF) that you posted you have an iClass SE credential that contains an SIO data object for the access control payload.
That particular credential does NOT use the HID legacy Master Authentication key. It uses a new "SE" authentication key that is not currently known.

Since we don't know the key, one way to read the block data of an SE card is as follows:
1. Authenticate with App2 using the known App2 authentication key. (The App2 key is the same for both legacy and SE credentials.)
2. Write an epurse (Blk2) value of 0 (e.g. FFFFFFFF0000FFFF). This will prevent any reader updates to the epurse during future authentications.
3. Sniff a legitimate authentication sequence between the card and an SE reader. Note the 32-bit nonce and mac values that were used.
4. Since Block 2 will never change, you can now do a replay attack using the captured nonce and mac. This will allow you to authenticate with the SE card.
5. After a valid authentication, all of the App1 block data of the SE credential can now be read.


#7 2017-06-03 07:11:24

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: Cannot dump data with Masterkey using pm3

Thank you guys for all your replies. I'll definitely do more research on this, and then come back with an update. Cheers