Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2019-10-18 06:10:29
- addy
- Contributor
- Registered: 2016-09-19
- Posts: 16
programming iclass credential that is uninitialized unconfigured
Hi,
I am trying to read write an iclass bosch 16k access sticker (they read as genuine hid iclass from the CSN) that has not been configured. I have been trying to r/w to block 7 but nothing seems to work. I have tried the default pico pass keys and HID keys (see below) but get a 'failed to obtain CC! Tag-select is aborting.' error.
Can someone point out what I am missing?
thanks
pm3 --> hf search u
[!] timeout while waiting for reply.
CSN: xx xx xx 00 FB FF 12 E0
CC: FE FF FF FF FF FF FF FF
[+] Mode: Personalization [Programmable]
Coding: ISO 14443-2 B/ISO 15693
[+] Crypt: Secured page, keys not locked
[!] RA: Read access not enabled
Mem: 32 KBits/3 App Areas (255 * 8 bytes) [FF]
AA1: blocks 06-FF
AA2: blocks 100-FF
OTP: 0xFFFF
KeyAccess:
Read A - Kd
Read B - Kc
Write A - Kd
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: FF FF FF FF FF FF FF FF
[+] : Possible iClass (legacy tag)
[+] Valid iClass Tag (or PicoPass Tag) Found
pm3 --> hf iclass readblk b 07 k AFA785A7DAB33378
[-] failed to obtain CC! Tag-select is aborting... (0)
pm3 --> hf iclass readblk b 07 k 2E12CCD2F662BE76
[-] failed to obtain CC! Tag-select is aborting... (0)
pm3 --> hf iclass readblk b 07 k 5cbcf1da45d5fb4f
[-] failed to obtain CC! Tag-select is aborting... (0)
pm3 -->Last edited by addy (2019-10-18 07:06:49)
Offline
#2 2019-10-18 07:28:47
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,537
- Website
Re: programming iclass credential that is uninitialized unconfigured
picky position with tag and antenna. try different ones until you get the sweetspot
Offline
#3 2019-10-18 23:02:57
- addy
- Contributor
- Registered: 2016-09-19
- Posts: 16
Re: programming iclass credential that is uninitialized unconfigured
picky position with tag and antenna. try different ones until you get the sweetspot
played around with tons of positions without any luck. Thinking maybe the keys I am using are not correct.
Is there a way to verify this?
Offline
#4 2019-10-19 03:53:13
- addy
- Contributor
- Registered: 2016-09-19
- Posts: 16
Re: programming iclass credential that is uninitialized unconfigured
solved. was using the wrong key. but new problem found...
after I got in the card I wrote to block 0. The Keys I have no longer work
pm3 -->
pm3 --> hf search
[!] timeout while waiting for reply.
CSN: 86 2F 2B 00 FB FF 12 E0
CC: FF FF FF FF 4D F7 FF FF
[+] Mode: Personalization [Programmable]
Coding: ISO 14443-2 B/ISO 15693
[+] Crypt: Secured page, keys not locked
[!] RA: Read access not enabled
Mem: 32 KBits/3 App Areas (255 * 8 bytes) [FF]
AA1: blocks 06-FF
AA2: blocks 100-FF
OTP: 0xFFFF
KeyAccess:
Read A - Kd
Read B - Kc
Write A - Kd
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: FF FF FF FF FF FF FF FF
[+] : Possible iClass (legacy tag)
[+] Valid iClass Tag (or PicoPass Tag) Found
pm3 --> hf iclass dump k F0E1D2C3B4A59687 v
[-] failed to obtain CC! Tag-select is aborting... (0)
[-] selecting tag failed
[+] retry to select card
[+] CSN | 86 2F 2B 00 FB FF 12 E0
[+] CCNR | FF FF FF FF 4D F7 FF FF
[+] authing with diversified key: AE 82 7C A9 47 51 3F 8A
[-] authentication error
[!] failed authenticating with debit key
pm3 -->I wrote the following to block 1
hf iclass writeblk b 01 d 12FFFFFF7F1FFF3C k F0E1D2C3B4A59687Question:
How do I calculate the correct new key?
Last edited by addy (2019-10-19 05:11:56)
Offline