Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-11-27 08:33:11

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Reading & Writing to Blocks

Hi guys,

I had a question regarding reading and writing to blocks on the iClass cards.

In a nutshell, in Milosch Meriac's "Heart of Darkness" paper, he demonstrates on page 6 (table 3) that he can read and write to different blocks on the card.

I used the same Omnikey Contactless Demo software and was able to emulate the first few steps in the paper, for example:

-> 80A60000 (select card)
<- 9000 (OK)

-> 808200F008XXXXXXXXXXXXXXXX (load key)
<- 9000 (OK)

-> 808800F0 (authenticate)
<- 9000 (OK)

-> 80B0000600 (read block 6)
<- 030303030003E0179000 (block 6 + OK)

-> 80B0000700 (read block 7)
<- BC8793E20AF06F339000 (block 7 + OK)

However, when I try to write to a block, using the same example in the paper, I get an error.

-> 80D60009080102030405060708 (write block 9)
<- 6986 (error)

Now the interesting thing is that when I used the CopyClass program, which I compiled with the 16-byte TDES key, blocks 7-9 are decrypted.

Does this mean that I need to authenticate using the 16-byte key as well before I attempt to write anything? That's certainly not the case in Meriac's paper, so I am a bit confused.

Thanks.

Last edited by AussieBacon (2019-11-27 08:56:59)

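The APDU exchange in the post above, decoded step by step. This is an added example, not code from the thread, from the Omnikey software or from Meriac's paper: the instruction names are taken from the post's own annotations (they are reader-specific, not ISO-defined), the status-word meanings are the generic ISO 7816-4 ones (the reader's documentation may refine them), and the key bytes stay as the post's XX placeholders. The parser follows the ISO 7816-4 short command format (CLA INS P1 P2, then an optional Lc + data and/or Le) and splits each response into its data field and two-byte status word, so the failing write to block 9 stands out as the only step whose status word is not 9000.

```python
# Added example: decode the Omnikey APDU trace from the post above.
# INS names follow the post's annotations; SW meanings are generic ISO 7816-4.
from dataclasses import dataclass
from typing import Optional

# Instruction bytes as annotated in the post (reader-specific, assumption).
INS_NAMES = {
    0xA6: "select card",
    0x82: "load key",
    0x88: "authenticate",
    0xB0: "read block",
    0xD6: "write block",
}

# Generic ISO 7816-4 status words; 6986 is "command not allowed".
SW_MEANINGS = {
    "9000": "OK",
    "6986": "command not allowed (generic ISO 7816-4 meaning)",
}

# Constructed from the trace in the post; key bytes are the post's placeholders.
TRACE = [
    ("80A60000", "9000"),
    ("808200F008XXXXXXXXXXXXXXXX", "9000"),
    ("808800F0", "9000"),
    ("80B0000600", "030303030003E0179000"),
    ("80B0000700", "BC8793E20AF06F339000"),
    ("80D60009080102030405060708", "6986"),
]


@dataclass
class Command:
    cla: int
    ins: int
    p1: int
    p2: int
    lc: Optional[int]
    data: str          # kept as a hex string so XX placeholders survive
    le: Optional[int]
    name: str


def parse_apdu(cmd_hex: str) -> Command:
    """Split a short-form command APDU into header, Lc/data and Le."""
    cmd_hex = cmd_hex.upper()
    if len(cmd_hex) < 8 or len(cmd_hex) % 2:
        raise ValueError("APDU needs a 4-byte header made of whole bytes")
    cla, ins, p1, p2 = (int(cmd_hex[i:i + 2], 16) for i in range(0, 8, 2))
    body = cmd_hex[8:]
    lc = le = None
    data = ""
    if len(body) == 2:                 # case 2: header + Le only
        le = int(body, 16)
    elif len(body) > 2:                # case 3/4: Lc + data (+ optional Le)
        lc = int(body[:2], 16)
        data = body[2:2 + 2 * lc]
        if len(data) != 2 * lc:
            raise ValueError("Lc does not match the data length")
        rest = body[2 + 2 * lc:]
        if rest:
            if len(rest) != 2:
                raise ValueError("unexpected bytes after the data field")
            le = int(rest, 16)
    return Command(cla, ins, p1, p2, lc, data, le,
                   INS_NAMES.get(ins, f"unknown INS {ins:02X}"))


def parse_response(resp_hex: str):
    """Return (data, status word, meaning) for a response APDU."""
    resp_hex = resp_hex.upper()
    if len(resp_hex) < 4 or len(resp_hex) % 2:
        raise ValueError("response needs at least the 2-byte status word")
    data, sw = resp_hex[:-4], resp_hex[-4:]
    return data, sw, SW_MEANINGS.get(sw, "unknown status word")


def decode_trace(trace):
    """Pair each command with its response and flag the steps that failed."""
    steps = []
    for cmd_hex, resp_hex in trace:
        cmd = parse_apdu(cmd_hex)
        data, sw, meaning = parse_response(resp_hex)
        steps.append({
            "command": cmd.name,
            # P2 carries the block number for the read/write commands in the post
            "block": cmd.p2 if cmd.ins in (0xB0, 0xD6) else None,
            "sent": cmd.data,
            "received": data,
            "sw": sw,
            "ok": sw == "9000",
            "meaning": meaning,
        })
    return steps


if __name__ == "__main__":
    for step in decode_trace(TRACE):
        blk = f" block {step['block']}" if step["block"] is not None else ""
        extra = f" data={step['received']}" if step["received"] else ""
        print(f"{step['command']}{blk}: SW {step['sw']} ({step['meaning']}){extra}")
```

Running the script prints one line per step; the first five end in 9000 and the write to block 9 ends in 6986. The trace itself cannot show which key length the reader used for authentication, which is why the decoded status word alone does not settle the question raised in the post.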

#2 2019-11-27 14:27:03

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: Reading & Writing to Blocks

Very interesting, pal.
What's the 16-byte TDES key you used? I don't think you need to decrypt or encrypt it at your level. The reader will do the encryption for you, from my understanding, FYI.

BR


#3 2019-11-27 18:10:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Reading & Writing to Blocks

Not really an iClass / Proxmark related thread; normally I would move it to Various tools and Utilities http://www.proxmark.org/forum/viewforum.php?id=16


The CopyClass software still needs to decrypt block 7 with the transport key, nothing that the reader does for you, in order to get Wiegand out.
Authentication with the AA1 key is something else.


#4 2019-11-27 23:00:03

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Reading & Writing to Blocks

yukihama wrote:

Very interesting, pal.
What's the 16-byte TDES key you used? I don't think you need to decrypt or encrypt it at your level. The reader will do the encryption for you, from my understanding, FYI.

BR

I used the key extracted from a Rev A reader, which is what you're supposed to use to replace the placeholders in the CopyClass software.


#5 2019-11-27 23:07:46

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Reading & Writing to Blocks

iceman wrote:

Not really an iClass / Proxmark related thread; normally I would move it to Various tools and Utilities http://www.proxmark.org/forum/viewforum.php?id=16

Apologies, iceman, I wasn't sure, since I thought anything to do with iClass cards goes in this thread. Please feel free to move it if you feel it necessary.

iceman wrote:

The CopyClass software still needs to decrypt block 7 with the transport key, nothing that the reader does for you, in order to get Wiegand out.
Authentication with the AA1 key is something else.


I understand, and all of that makes sense. However, my question was more in regard to Meriac's example in his paper. Specifically, why is it that he was able to write (apparently) to block 9, as per the following image from his paper, and I am not, following those exact steps:

[image: Hod_page-6.jpg]


#6 2019-11-28 09:18:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Reading & Writing to Blocks

Because he has told the reader to authenticate with the AA1 key first, then he wrote to block 9?


#7 2019-12-03 05:24:10

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Reading & Writing to Blocks

iceman wrote:

Because he has told the reader to authenticate with the AA1 key first, then he wrote to block 9?

Hmm... I believe that's what I am doing as well.

I am using the 8-byte key he is referring to below. This is the master key which allows authentication to read the card contents, albeit in encrypted form:

[image: ref_HoD_page_5.jpg]

He states that this allows read and write access in the following paragraph:

[image: ref_HoD_page_6.jpg]


I have checked with another user on this forum who is having the same issue.

Is anyone able to replicate this?

My test environment consists of Windows 7, an Omnikey 5321 (FW 5.10), and iClass DL cards.

Cheers

Last edited by AussieBacon (2019-12-09 08:31:18)


#8 2019-12-19 23:58:37

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Reading & Writing to Blocks

Hi everyone,

After much testing, I can confirm that this only works on Windows XP and with the 1.1.14 driver.

Cheers!

Last edited by AussieBacon (2019-12-25 05:54:45)


#9 2020-03-29 23:31:24

diamondrail
Contributor
Registered: 2017-08-07
Posts: 35

Re: Reading & Writing to Blocks

AussieBacon wrote:

Hi guys,

I had a question regarding reading and writing to blocks on the iClass cards.

In a nutshell, in Milosch Meriac's "Heart of Darkness" paper, he demonstrates on page 6 (table 3) that he can read and write to different blocks on the card.

I used the same Omnikey Contactless Demo software and was able to emulate the first few steps in the paper, for example:

-> 80A60000 (select card)
<- 9000 (OK)

-> 808200F008XXXXXXXXXXXXXXXX (load key)
<- 9000 (OK)

-> 808800F0 (authenticate)
<- 9000 (OK)

-> 80B0000600 (read block 6)
<- 030303030003E0179000 (block 6 + OK)

-> 80B0000700 (read block 7)
<- BC8793E20AF06F339000 (block 7 + OK)

However, when I try to write to a block, using the same example in the paper, I get an error.

-> 80D60009080102030405060708 (write block 9)
<- 6986 (error)

Now the interesting thing is that when I used the CopyClass program, which I compiled with the 16-byte TDES key, blocks 7-9 are decrypted.

Does this mean that I need to authenticate using the 16-byte key as well before I attempt to write anything? That's certainly not the case in Meriac's paper, so I am a bit confused.

Thanks.


Where do you enter the information?

-> 80A60000 (select card)
<- 9000 (OK)


I loaded the program "Omnikey Contactless Demo software" but did not find any option to input the following. Could you show a screenshot?

-> 80A60000 (select card)
<- 9000 (OK)
