Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
I have an iClass card (iClass DY). It used the default AA1 key to read/write.
I accidentally wrote on the block 03 which stores "key 1". Now I cannot use the command rdbl or rdbl with the card.
I have got the memory data previously dumped. Is it possible to calculate the new key from the memory data below?
#original data #data written
FF1EB702F8FF12E0
12FFFFFF7F1FFF3C
FEFFFFFFFFFFFFFF
CD6702FC3A13C7F4 => 2A16B3F362FBBB24
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
030303030003E017
EC1113270E6E368C
2AD4C8211F996871
2AD4C8211F996871
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF
Can someone show how the "diversified key" is calculated from "card's serial number" and "the master key"? Is this process reversible?
Or the tag is finished? Thank you.
Update: I checked the calculation of the diversification key.
kc_id = hash0( DES(id, kc) ); where
kc_id is on block 03
id is on block 00
hash0 is reversible
Theoritically, we should be able to calculate kc? Or did I misunderstand the concept?
Update 2:
2.1) Although I have found the reverse hash0 function definition, I have not found the implementation that help to calculate the master key from id and diversified key. I think, this feature might have been implemented into the loclass?
2.2) I managed to reverse the card to its original state by following the guidline in this threat (http://www.proxmark.org/forum/viewtopic.php?id=7787). Thanks to Student. I can calculate the RAW key E771B10F58E87CD0 from the original and the new data in the block 03.
Last edited by jp (2020-07-30 11:01:34)
Offline
Pages: 1