Research, development and trades concerning the powerful Proxmark3 device.
So wrbl writes data using a certain key but how do you write a new key to a given block instead of using the default keys?
Last edited by CFusion (2019-10-24 05:14:40)
Just insert the new keys on the right place of the block you want to write!
I'm sorry I don't know what you mean by the 'right place of the block'
you mean:
hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F <insert new key here >?
First up: Warning. If you write the wrong thing to the config for the sector, you can lock yourself out of the sector.
Mifare Classic is broken into sectors. The number of blocks in each sector depends on the size of the card and where the sector is on the card. Each sector has x data blocks (e.g. 3) and the last block in the sector holds the A and B keys and the Access Bits.
Sector 0 will have 4 blocks (0,1,2 and 3).
The last block in the sector (3 in this example) holds the keys and the access bits.
<6 byte A key><3 byte access>00<6 byte B key>
e.g.
FFFFFFFFFFFF7f078800FFFFFFFFFFFF
so key A would be FFFFFFFFFFFF, key B would be FFFFFFFFFFFF and the access bits F0788, and the 00 <not used>
I would recommend playing with a magic card first as you can recover if you get it wrong.
If not, take the complete last block in the sector (from a dump), then change just the key bits and leave everything else as is (NOTE: You need the ENTIRE block for the write).
Then it will be a normal write, supplying the current key for the write, then the new block (that has the new keys in it).
Thanks for the explanation. I'm still a little unsure of the commands. Should I be using the wrbl or raw or something else to write the keys?
So I tried:
hf 14a raw FFFFFFFFFFFFFF078069d3f7d3f7d3f7
it returned zero bytes but the keys didn't change. Am I doing something wrong?
I would write the way you would write any other block.
Assuming a Mifare Classic, the wrbl should work.
Do a test write to a non key/access block,
e.g. block 2 (or some other not used data block).
Then read it back and make sure it looks ok.
Remember (and I am trying to stress this):
You need to write both keys and the correct access bits all at once, i.e. it's an entire block.
So, as an example ***** USE THE ACCESS BITS FROM YOUR SECTOR ******
hf mf wrbl 3 A FFFFFFFFFFFF AAAAAAAAAAAA7f078800BBBBBBBBBBBB
3 : The sector trailer block id for the sector you want to change the keys for.
A : Use the (current) A key
FFFFFFFFFFFF : Current A key (for that sector)
AAAAAAAAAAAA : New A key
BBBBBBBBBBBB : New B key
7f0788 : Access Bits "DON'T CHANGE unless you know what you are doing"
00 : Fixed 00
Last edited by mwalker (2019-10-23 04:24:30)
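Added example, not part of the original thread and not Proxmark3 project code: a small Python helper that builds the new sector trailer from a dumped one by swapping only the keys, checks that the access bits copied from the dump are well formed, and prints the write in the wrbl syntax shown above. The function names are hypothetical, the sample trailer is the one quoted in the thread, and the block numbering goes beyond the sector 0 case to cover the 16-block sectors of 4K cards.

```python
# Added example; function names are hypothetical, not Proxmark3 client code.

def trailer_block(sector: int) -> int:
    """Trailer block number: sectors 0-31 have 4 blocks, 32-39 (4K cards) have 16."""
    if not 0 <= sector <= 39:
        raise ValueError("sector must be 0..39")
    return sector * 4 + 3 if sector < 32 else 128 + (sector - 32) * 16 + 15


def access_bits_consistent(acc: bytes) -> bool:
    """Bytes 6-8 store each access bit once plain and once inverted; both must agree."""
    b6, b7, b8 = acc
    plain = (b7 >> 4, b8 & 0x0F, b8 >> 4)        # C1, C2, C3 nibbles
    inverted = (b6 & 0x0F, b6 >> 4, b7 & 0x0F)   # ~C1, ~C2, ~C3 nibbles
    return all(p ^ n == 0x0F for p, n in zip(plain, inverted))


def rekey_trailer(old_trailer_hex: str, new_key_a: str, new_key_b: str) -> str:
    """Return the full 16-byte trailer with new keys and bytes 6-9 copied unchanged."""
    old = bytes.fromhex(old_trailer_hex)
    key_a, key_b = bytes.fromhex(new_key_a), bytes.fromhex(new_key_b)
    if len(old) != 16:
        raise ValueError("trailer must be the entire 16-byte block")
    if len(key_a) != 6 or len(key_b) != 6:
        raise ValueError("keys must be 6 bytes each")
    if not access_bits_consistent(old[6:9]):
        raise ValueError("access bits in the dump are malformed; do not write them")
    return (key_a + old[6:10] + key_b).hex().upper()


def wrbl_command(sector: int, key_type: str, current_key: str, trailer_hex: str) -> str:
    """Format the write using the wrbl syntax shown in the thread."""
    if key_type not in ("A", "B"):
        raise ValueError("key type must be A or B")
    return f"hf mf wrbl {trailer_block(sector)} {key_type} {current_key} {trailer_hex}"


if __name__ == "__main__":
    dumped = "FFFFFFFFFFFF7f078800FFFFFFFFFFFF"  # the thread's example trailer
    new = rekey_trailer(dumped, "AAAAAAAAAAAA", "BBBBBBBBBBBB")
    print(wrbl_command(0, "A", "FFFFFFFFFFFF", new))
```
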
Whoa, thanks a lot for the explanation. That clears it up!