Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi guys,
I had a question regarding reading and writing to blocks on the iClass cards.
In a nutshell, in Milosch Meriac's "Heart of Darkness" paper, he demonstrates on page 6 (table 3) that he can read and write to different blocks on the card.
I used the same Omnikey Contactless Demo software and was able to emulate the first few steps in the paper, for example:
-> 80A60000 (select card)
<- 9000 (OK)
-> 808200F008XXXXXXXXXXXXXXXX (load key)
<- 9000 (OK)
-> 808800F0 (authenticate)
<- 9000 (OK)
-> 80B0000600 (read block 6)
<- 030303030003E0179000 (block 6 + OK)
-> 80B0000700 (read block 7)
<- BC8793E20AF06F339000 (block 7 + OK)
However, when I try to write to a block, using the same example in the paper, I get an error.
-> 80D60009080102030405060708 (write block 9)
<- 6986 (error)
Now the interesting thing is that when I used the CopyClass program, which I compiled with the 16-byte TDES key, blocks 7-9 are decrypted.
Does this mean that I need to authenticate using the 16-byte key as well before I attempt to write anything? That's certainly not the case in Meriac's paper so I am a bit confused.
Thanks.
Last edited by AussieBacon (2019-11-27 08:56:59)
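The APDU sequence in the post above, as an added example that is not part of the original post, of the paper, or of HID's OMNIKEY software: a small Python module that builds the same five commands, splits each reply into data and ISO 7816-4 status word, and replays the session against a constructed stand-in card so it runs without a reader. The byte layout (CLA 80, INS A6/82/88/B0/D6, key slot F0 in P2) is taken only from the APDUs quoted in the post; the 8-byte key value is a zero placeholder standing in for the masked XXXX key, the stand-in card's 6A82 for unknown blocks is a choice of the simulation, and its 6986 on write simply reproduces what the post observed, not an explanation of why the 5321 rejects the write.

```python
# Added example, not code from the thread or from HID/OMNIKEY. Builds the
# OMNIKEY 5321 iCLASS APDUs quoted in the post, parses the replies and replays
# the session against a constructed stand-in card (runs offline, no reader).
CLA = 0x80
INS_SELECT, INS_LOAD_KEY, INS_AUTH, INS_READ, INS_WRITE = 0xA6, 0x82, 0x88, 0xB0, 0xD6
KEY_SLOT = 0xF0  # P2 of the load-key and authenticate APDUs in the post

# ISO 7816-4 status words; only 9000 and 6986 appear in the thread itself
SW_TEXT = {
    0x9000: "OK",
    0x6982: "Security status not satisfied",
    0x6986: "Command not allowed (no current EF)",
    0x6A82: "File not found",
}


def apdu_select() -> bytes:                      # 80 A6 00 00
    return bytes([CLA, INS_SELECT, 0x00, 0x00])


def apdu_load_key(key: bytes) -> bytes:          # 80 82 00 F0 08 <8-byte key>
    if len(key) != 8:
        raise ValueError("the post's load-key APDU carries an 8-byte key")
    return bytes([CLA, INS_LOAD_KEY, 0x00, KEY_SLOT, len(key)]) + key


def apdu_authenticate() -> bytes:                # 80 88 00 F0
    return bytes([CLA, INS_AUTH, 0x00, KEY_SLOT])


def apdu_read_block(block: int) -> bytes:        # 80 B0 00 <block> 00 (Le=00: whole block)
    return bytes([CLA, INS_READ, 0x00, block, 0x00])


def apdu_write_block(block: int, data: bytes) -> bytes:  # 80 D6 00 <block> 08 <data>
    if len(data) != 8:
        raise ValueError("iCLASS blocks are 8 bytes")
    return bytes([CLA, INS_WRITE, 0x00, block, len(data)]) + data


def parse_response(resp: bytes):
    """Split a reply into (data, SW1SW2); the status word is the trailing two bytes."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def sw_text(sw: int) -> str:
    return SW_TEXT.get(sw, f"unknown status {sw:04X}")


class SimulatedCard:
    """Constructed stand-in answering the way the post's 5321 + iCLASS card did:
    select/load/auth succeed, reads return the quoted block data, writes get 6986."""

    def __init__(self):
        self.blocks = {
            6: bytes.fromhex("030303030003E017"),  # block 6 as quoted in the post
            7: bytes.fromhex("BC8793E20AF06F33"),  # block 7 as quoted in the post
        }
        self.key_loaded = self.authenticated = False

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, _p1, p2 = apdu[:4]
        if cla != CLA:
            return bytes.fromhex("6E00")            # class not supported
        if ins == INS_SELECT:
            return bytes.fromhex("9000")
        if ins == INS_LOAD_KEY:
            self.key_loaded = len(apdu[5:]) == 8 and p2 == KEY_SLOT
            return bytes.fromhex("9000" if self.key_loaded else "6A80")
        if ins == INS_AUTH:
            self.authenticated = self.key_loaded
            return bytes.fromhex("9000" if self.authenticated else "6982")
        if ins == INS_READ:
            if not self.authenticated:
                return bytes.fromhex("6982")
            if p2 not in self.blocks:
                return bytes.fromhex("6A82")        # simulation's choice for unknown blocks
            return self.blocks[p2] + bytes.fromhex("9000")
        if ins == INS_WRITE:
            return bytes.fromhex("6986")            # reproduces what the post observed
        return bytes.fromhex("6D00")                # INS not supported


def run_session(transmit, key: bytes, read_blocks, write_block: int, write_data: bytes):
    """Replay the post's sequence; returns a list of (label, sent_hex, data_hex, sw)."""
    steps = [("select", apdu_select()), ("load key", apdu_load_key(key)),
             ("authenticate", apdu_authenticate())]
    steps += [(f"read block {b}", apdu_read_block(b)) for b in read_blocks]
    steps.append((f"write block {write_block}", apdu_write_block(write_block, write_data)))
    log = []
    for label, apdu in steps:
        data, sw = parse_response(transmit(apdu))
        log.append((label, apdu.hex().upper(), data.hex().upper(), sw))
        if sw != 0x9000:
            break  # stop at the first error, as the Demo tool session did
    return log


if __name__ == "__main__":
    DUMMY_KEY = bytes(8)  # placeholder; the post masks the real key as XXXX...
    for label, sent, data, sw in run_session(SimulatedCard().transmit, DUMMY_KEY,
                                             [6, 7], 9, bytes(range(1, 9))):
        print(f"-> {sent:28} <- {data}{sw:04X}  ({label}: {sw_text(sw)})")
```

Against real hardware the transmit callable would be a thin wrapper around a PC/SC connection (assumed, not shown here); the point of recording each step's status word is that a 6986 on the write is distinguishable from a 6982, which would have pointed at a missing or failed authentication instead.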
Very interesting, pal.
What's the 16-byte TDES key you used? I don't think you need to decrypt or encrypt it at your level. The reader will do the encryption for you, from my understanding, FYI.
BR
Not really an iClass / Proxmark related thread; normally I would move it to Various tools and Utilities http://www.proxmark.org/forum/viewforum.php?id=16
The CopyClass software still needs to decrypt block 7 with the transport key (nothing the reader does for you) in order to get the Wiegand out.
Authentication with AA1 key is something else.
I used the key extracted from a Rev A reader, which is what you're supposed to use to replace the placeholders in the CopyClass software.
Apologies, iceman, I wasn't sure since I thought anything to do with iClass cards goes in this thread. Please feel free to move if you feel necessary.
I understand and all of that makes sense. However, my question was more in regards to Meriac's example in his paper. Specifically, why is it that he was able to write (apparently) to Block 9 as per the following image from his paper and I am not, following those exact steps:
Because he told the reader to authenticate with the AA1 key first, then wrote to block 9?
Hmm.. I believe that's what I am doing as well.
I am using the 8-byte key he is referring to below. This is the master key which allows authentication to read the card contents, albeit in encrypted form:
He states that this allows read and write access in the following paragraph:
I have checked with another user on this forum who is having the same issue.
Is anyone able to replicate this?
My test environment consists of Windows 7, an Omnikey 5321 (FW 5.10), and iClass DL cards.
Cheers
Last edited by AussieBacon (2019-12-09 08:31:18)
Hi everyone,
After much testing, I can confirm that this only works on Windows XP and with the 1.1.14 driver.
Cheers!
Last edited by AussieBacon (2019-12-25 05:54:45)
Where do you enter the information?
I loaded the "Omnikey Contactless Demo software" program but did not find any option to input the following. Could you please show a screenshot?
-> 80A60000 (select card)
<- 9000 (OK)