Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi Guys,
I have acquired the master key and tried it with ContactLessDemoVC using the following commands:
Select Card: 80A60000
Load key: 808200F008+<myMasterKey>
Authenticate: 808800F0
Read Block 6: 80B0000600
and got the block data FFFFFFFFFFFFFFFF back, which looks promising.
Reading blocks 1 and 5 returns different values:
80B0000100 > 12FFFFFF7F1FFF3C
80B0000500 > FFFFFF0006FFFFFF
I believe the key is correct, otherwise it wouldn't allow me to authenticate and read block info.
But when I tried to use pm3 to dump the data, it failed:
pm3 --> hf iclass dump k <myMasterKey>
Authing with diversified key: <diversified key>
Authentication error
Authing with diversified key: <diversified key>
Authentication error
and then I tried it with the "r" option on:
pm3 --> hf iclass dump k <myMasterKey> r
Authing with raw key: <myMasterKey>
Authentication error
Authing with raw key: <myMasterKey>
Authentication error
Additional test: is this key high security, not standard/old encryption?
pm3 --> hf iclass dump k <myMasterKey> e
High security custom key (Kcus):
z0 = 7a96610952461105
y0 = cc98d4c3035b2157
Authing with diversified key: 706d74da4d0c9df9
Authentication error
High security custom key (Kcus):
z0 = 7a96610952461105
y0 = cc98d4c3035b2157
Authing with diversified key: 706d74da4d0c9df9
Authentication error
I admit that I know only a little about iclass command usage in pm3; even the help info is a bit hard to understand.
Could anyone point me in the right direction?
Thank you in advance
Last edited by brantz (2017-06-02 17:07:31)
A read block command will return all F's if that block contains F's or if you are not properly authenticated.
A read block command will return all F's if that block contains F's or if you are not properly authenticated.
Hi marshmellow,
not sure, but when I read blocks 1 and 5, it returns different values:
80B0000100 > 12FFFFFF7F1FFF3C
80B0000500 > FFFFFF0006FFFFFF
Last edited by brantz (2017-06-02 16:52:15)
Blocks 1 and 5 are not protected. (Can always be read.)
I would say that you are using your acquired master key the wrong way, since you get auth errors.
The iclass category on this forum is full of hints and instructions on what to do with the leaked key.
According to the Block 5 data (FFFFFF0006FFFFFF) that you posted, you have an iClass SE credential that contains an SIO data object for the access control payload.
That particular credential does NOT use the HID legacy Master Authentication key. It uses a new "SE" authentication key that is not currently known.
Since we don't know the key, one way to read the block data of an SE card is as follows:
1. Authenticate with App2 using the known App2 authentication key. (The App2 key is the same for both legacy and SE credentials.)
2. Write an epurse (Blk2) value of 0 (e.g. FFFFFFFF0000FFFF). This will prevent any reader updates to the epurse during future authentications.
3. Sniff a legitimate authentication sequence between the card and an SE reader. Note the 32-bit nonce and mac values that were used.
4. Since Block 2 will never change, you can now do a replay attack using the captured nonce and mac. This will allow you to authenticate with the SE card.
5. After a valid authentication, all of the App1 block data of the SE credential can now be read.
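The five steps above, modelled as an added example that is not part of the original post. It simulates why freezing the epurse makes the captured nonce/MAC replayable: the card's MAC check covers the epurse (block 2), so a reader that debits the epurse after each session invalidates any captured pair, while a zero epurse that is never updated keeps the pair valid. Everything here is a stand-in: the MAC is HMAC-SHA256 truncated to 32 bits rather than the real iClass cipher, the App2 authentication is reduced to a key comparison, the epurse layout (debit counter in bytes 4..5, matching the 0000 in FFFFFFFF0000FFFF) is assumed for the example, and all keys, CSN and block data are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values for the simulation; none come from a real credential.
APP2_KEY = bytes.fromhex("0f0e0d0c0b0a0908")      # stand-in for the known App2 key
SE_APP1_KEY = bytes.fromhex("5e5e5e5e5e5e5e5e")   # unknown SE key: only the reader model uses it
CSN = bytes.fromhex("0011223344556677")
EPURSE_ZERO = bytes.fromhex("FFFFFFFF0000FFFF")  # the "value of 0" epurse block from the post
BLOCK6_DATA = bytes.fromhex("1122334455667788")  # constructed protected App1 data


def toy_mac(key: bytes, csn: bytes, epurse: bytes, nr: bytes) -> bytes:
    """Stand-in for the iClass MAC: keyed over CSN, epurse and reader nonce,
    truncated to 32 bits. Assumption: HMAC-SHA256 replaces the real cipher."""
    return hmac.new(key, csn + epurse + nr, hashlib.sha256).digest()[:4]


def epurse_value(block: bytes) -> int:
    """Assumed layout for this example: debit counter in bytes 4..5."""
    return int.from_bytes(block[4:6], "big")


def epurse_block(value: int) -> bytes:
    return b"\xff\xff\xff\xff" + value.to_bytes(2, "big") + b"\xff\xff"


class ToySECard:
    """Minimal SE credential: block 2 (epurse) and a protected App1 block 6."""

    def __init__(self, epurse: bytes):
        self.blocks = {2: epurse, 6: BLOCK6_DATA}
        self.reset()

    def reset(self):
        # A fresh RF session starts unauthenticated.
        self.app1_auth = False
        self.app2_auth = False

    def authenticate_app1(self, nr: bytes, reader_mac: bytes) -> bool:
        expected = toy_mac(SE_APP1_KEY, CSN, self.blocks[2], nr)
        self.app1_auth = hmac.compare_digest(expected, reader_mac)
        return self.app1_auth

    def authenticate_app2(self, key: bytes) -> bool:
        # Simplified: the real App2 authentication is also nonce/MAC based.
        self.app2_auth = hmac.compare_digest(key, APP2_KEY)
        return self.app2_auth

    def write_epurse(self, block: bytes) -> None:
        if not self.app2_auth:
            raise PermissionError("block 2 write needs App2 authentication")
        self.blocks[2] = block

    def debit_epurse(self) -> bool:
        """Reader-side epurse update after App1 auth. Models the post's claim
        that a zero epurse is never updated by the reader."""
        if not self.app1_auth:
            return False
        value = epurse_value(self.blocks[2])
        if value == 0:
            return False
        self.blocks[2] = epurse_block(value - 1)
        return True

    def read_block(self, n: int) -> bytes:
        # Protected App1 data reads as all F's without auth (marshmellow's point above).
        if n == 6 and not self.app1_auth:
            return b"\xff" * 8
        return self.blocks[n]


def legitimate_reader_session(card: ToySECard):
    """An SE reader holding the SE key authenticates, then tries to update the
    epurse. Returns the (nr, mac) pair a sniffer on the RF link captures (step 3)."""
    card.reset()
    nr = os.urandom(4)
    reader_mac = toy_mac(SE_APP1_KEY, CSN, card.blocks[2], nr)
    if not card.authenticate_app1(nr, reader_mac):
        raise RuntimeError("a reader with the real key must always authenticate")
    card.debit_epurse()
    return nr, reader_mac


def replay_attack(freeze_epurse: bool) -> bool:
    """Steps 1-5 of the post. True if the replayed nonce/MAC authenticates and
    block 6 is then readable."""
    card = ToySECard(epurse_block(5))
    if freeze_epurse:
        if not card.authenticate_app2(APP2_KEY):        # step 1
            return False
        card.write_epurse(EPURSE_ZERO)                  # step 2
    nr, captured_mac = legitimate_reader_session(card)  # step 3: sniff
    card.reset()
    if not card.authenticate_app1(nr, captured_mac):    # step 4: replay
        return False
    return card.read_block(6) == BLOCK6_DATA            # step 5


if __name__ == "__main__":
    print("replay with frozen epurse:", replay_attack(True))   # True
    print("replay without freezing:", replay_attack(False))    # False
```

The unfrozen run fails because the legitimate reader's debit changes block 2 between the capture and the replay, so the captured MAC no longer matches what the card computes; with the epurse parked at zero nothing in the MAC input changes, and the same pair keeps authenticating.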
Thank you guys for all your replies. I'll definitely do more research on this and then come back with an update. Cheers