Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-11-18 07:20:01

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

[-] The CSN requires > 3 byte bruteforce, not supported

tried hf iclass chk f no luck

then tried loclass an iclass reader  with sim 2 and sim 4
 
but loclass with these same results endlessly, any help or ideas???:

 ----------------------------
[=] Bruteforcing byte 1
[=] Bruteforcing byte 0
[=] Bruteforcing byte 69


[!] Failed to recover 3 bytes using the following CSN
[!] CSN = 010a0ffff7ff12e0
[-] The CSN requires > 3 byte bruteforce, not supported
[-] CSN = 0c060cfef7ff12e0
[-] HASH1 = 0204000045014545

[-] The CSN requires > 3 byte bruteforce, not supported
[-] CSN = 1097837bf7ff12e0
[-] HASH1 = 050d000045014545

----------------------------
[=] Bruteforcing byte 6
[=] Bruteforcing byte 14
[=] Bruteforcing byte 0

Last edited by yukihama (2020-11-18 07:20:36)

Offline

#2 2020-11-18 08:44:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [-] The CSN requires > 3 byte bruteforce, not supported

The system isn't configured in elite / High security if loclass fail.
Whats the output from (hf iclass info)
Have you tried sniffing the traffic between reader/card?   save the trace (trace save f)

Offline

#3 2020-11-18 10:17:15

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: [-] The CSN requires > 3 byte bruteforce, not supported

iceman wrote:

The system isn't configured in elite / High security if loclass fail.
Whats the output from (hf iclass info)
Have you tried sniffing the traffic between reader/card?   save the trace (trace save f)

thanks iceman for your hint,But how can iclass system is not configured in elite / High security nor legacy ?
I tried to dump with both default legacy keys(AEA68 or AFA78) but no luck^_^

read the iclass fob as fpllowing:

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]     CSN: XX XX XX 0F XX FF XX XX   (uid)
[+]  Config: 12 FF FF FF 7F 1F FF 3C   (Card configuration)
[+] E-purse: FF FF FF FF 7B FE FF FF   (Card challenge, CC)
[+]      Kd: 00 00 00 00 00 00 00 00   (Debit key, hidden)
[+]      Kc: 00 00 00 00 00 00 00 00   (Credit key, hidden)
[+]     AIA: FF FF FF FF FF FF FF FF   (Application Issuer area)
[=] ------ card configuration ------
[+]   Mode: Application (locked)
[+] Coding: ISO 14443-2 B / 15693
[+]  Crypt: Secured page, keys not locked
[=]     RA: Read access not enabled
[=] App limit 0x12, OTP 0xFFFF, Block write lock 0xFF
[=]      Chip 0x7F, Mem 0x1F, EAS 0xFF, Fuses 0x3C
[=] ------ Memory ------
[=]     2 KBits/2 App Areas (256 bytes)
[=]     AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=]     AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------ KeyAccess ------
[=]  Kd = Debit key (AA1),  Kc = Credit key (AA2)
[=]      Read A - Kd or Kc
[=]      Read B - Kd or Kc
[=]     Write A - Kc
[=]     Write B - Kc
[=]       Debit - Kd or Kc
[=]      Credit - Kc
[=] ------ Fingerprint ------
[+] CSN is in HID range
[+] Credential : iCLASS legacy
[+]  Card type : PicoPass 2K

Last edited by yukihama (2020-11-18 10:39:43)

Offline

#4 2020-11-18 11:00:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [-] The CSN requires > 3 byte bruteforce, not supported

They can have their own custom key for their system.

Offline

#5 2020-11-18 11:19:01

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: [-] The CSN requires > 3 byte bruteforce, not supported

iceman wrote:

They can have their own custom key for their system.

OMG, is there any way to extract their own custom key?  do u mean their custom legacy key instead of their  custom elite/HS key?

Last edited by yukihama (2020-11-18 11:30:48)

Offline

#6 2020-11-18 12:04:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [-] The CSN requires > 3 byte bruteforce, not supported

You could try to do the hw attacks to extract it,  or sniff and try a large dictionary but I would say it will not work or you could look into replay attack.
yes, that is what I mean.

Offline

#7 2020-11-18 12:17:31

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: [-] The CSN requires > 3 byte bruteforce, not supported

extract HW reader: not possible to dump epeeRom
Sniff: I will try later but I am afraid of no clue of legacy key it use
try a large dictionary:I guess this custom legacy key start with AEA or AFA,  how do you think?
Replay attack: never get deep into it but I heard abt this way for desfire card,  any recommended detail documents ?

Thanks Iceman, you are a Genuis

Last edited by yukihama (2020-11-18 12:29:49)

Offline

#8 2020-11-18 12:42:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: [-] The CSN requires > 3 byte bruteforce, not supported

search the forum for it,  and I did a video,  but since then the client has been updated and the replay command is merged into the read/dump commands.  Not too hard to figure out

Offline

Board footer

Powered by FluxBB