Research, development and trades concerning the powerful Proxmark3 device.
Hi,
I have concluded that this tag is an Elite iClass as the standard master key failed to authenticate. Thus, I have performed:
(1) hf iclass sim 2 --> successful
(2) hf iclass loclass f loclass/iclass_dump.bin --> successful and got Kcus (custom key)
[+] -- High security custom key (Kcus) --
[+] Standard format = 8fa250c3cb6xxxxx
[+] iClass format = 5b7c62c491cxxxxx
[Questions]
From my understanding, the custom key (Kcus) (1) needs to be reverse permuted using "hf iclass permute r <Kcus>" AND (2) the diversified key needs to be calculated using the custom key (Kcus) and the CSN. Any advice on how to calculate the diversified key would be appreciated!
Thank you
The credentials diversified key (Kd) is calculated for you when you execute the "dump" command.
hf iclass dump k 5b7c62c491cxxxxx e
The PM3 calculated value of Kd will show up in Block 3 of the dumped data.
Thanks for your reply! I tried it per your suggestion, but it still failed to authenticate. I have also reversed the permuted key using "hf iclass permute r 5b7c62c491cxxxxx" and tried to authenticate with this key, but that also failed. Any suggestions would be appreciated!
----------------------------------------------------
pm3 --> hw version
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
bootrom: master/v3.1.0-87-g905d297-dirty-suspect 2019-04-20 06:06:29
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 169916 bytes (32%) Free: 354372 bytes (68%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hf search
[!] timeout while waiting for reply.
#db# unknown command:: 0x03bc
CSN: 26 CF 37 02 F9 FF 12 E0
CC: 8C 87 FF FF 13 F5 FF FF
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
[+] Crypt: Secured page, keys not locked
[!] RA: Read access not enabled
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
OTP: 0xFFFF
KeyAccess:
Read A - Kd or Kc
Read B - Kd or Kc
Write A - Kc
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: EA F5 FF FF FF FF FF FF
[!] : Possible iClass (NOT legacy tag)
[+] Valid iClass Tag (or PicoPass Tag) Found
pm3 --> hf iclass dump k 5b7c62c491cxxxxx
[+] retry to select card
[!] failed authenticating with debit key
pm3 --> hf iclass dump k 5b7c62c491cxxxxx e
[+] retry to select card
[!] failed authenticating with debit key