Research, development and trades concerning the powerful Proxmark3 device.
I put it here because I find the site more like a picopass card 2k
I have bought several 2k picopass cards to try out, and the only thing I have achieved so far is to read blocks 0, 1 and 2.
hf iclass readblk b 00
warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.
CSN: 30 29 95 04 08 00 12 e0
Block 00: 30 29 95 04 08 00 12 e0
Block 01: ff ff ff ff 7f 1f ff ac
Block 02: fe ff ff ff ff ff ff ff
As far as I understand, I'm talking about an unsecured card, where we could read and write any position except block 0. However, except for blocks 0, 1 and 2, all other reads give me ffffffffffffffff. As for the write attempts, everything indicates that they are null.
This is what hf iclass reader 0 tells me:
CSN: 30 29 95 04 08 00 12 e0
CC: fe ff ff ff ff ff ff ff
Mode: Personalization [Programmable]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
Crypt: Non secured page
RA: Read access not enabled
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-FF
AA2: blocks 100-1F
AppIA: ff ff ff ff ff ff ff ff
And this is the output of the command hf list raw after hf search:
Recorded Activity (TraceLen = 183 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | 0a | |
432 | 432 | Tag | 0f | |
432 | 432 | Rdr | 0c | |
3488 | 3488 | Tag | 26 a5 92 00 01 40 02 1c 27 70 | |
3488 | 3488 | Rdr | 81 26 a5 92 00 01 40 02 1c | |
6544 | 6544 | Tag | 30 29 95 04 08 00 12 e0 cf 67 | |
6544 | 6544 | Rdr | 88 02 | |
9088 | 9088 | Tag | fe ff ff ff ff ff ff ff | |
9088 | 9088 | Rdr | 0c 01 fa 22 | |
12144 | 12144 | Tag | ff ff ff ff 7f 1f ff ac 3b b1 | |
12144 | 12144 | Rdr | 0c 05 de 64 | |
15200 | 15200 | Tag | ff ff ff ff ff ff ff ff ea f5 | |
This is my Proxmark:
bootrom: iceman/master/v1.1.0-2055-g4d189095 2017-06-27 11:15:40
os: master/v2.2.0-520-g7f2114d-suspect 2017-06-24 10:36:07
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 192473 bytes (73%). Free: 69671 bytes (27%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Thank you
Last edited by xugmu (2017-08-10 15:23:54)
Offline
Have you tried to read blk 06-09? what's the response?
Offline
proxmark3> hf iclass readblk b 06
warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.
CSN: 30 29 95 04 08 00 12 e0
Block 06: ff ff ff ff ff ff ff ff
proxmark3> hf iclass readblk b 07
warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.
CSN: 30 29 95 04 08 00 12 e0
Block 07: ff ff ff ff ff ff ff ff
proxmark3> hf iclass readblk b 08
warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.
CSN: 30 29 95 04 08 00 12 e0
Block 08: ff ff ff ff ff ff ff ff
proxmark3> hf iclass readblk b 09
warning: no authentication used with read, only a few specific blocks can be read accurately without authentication.
CSN: 30 29 95 04 08 00 12 e0
Block 09: ff ff ff ff ff ff ff ff
The readings may be correct (after all, it is an unpersonalized empty card); the problem is that I cannot write to the card to confirm it.
I tried the two keys that come by default in iclass_serial_protocol, but I still cannot write to a card that is supposed to be unsecured.
Offline
Afaik, Picopass chips require authentication. Unsecured may mean the card still uses the picopass default keys. But you will need to get a successful authentication to read or write any block past 2.
Offline
Could someone help me to know if what I have is a 2k or 2ks credential?
Thank you
Last edited by xugmu (2020-07-26 18:57:06)
Offline
With my recent findings, I would say your picopass is configured in non-secure page mode, and also in programmable mode.
Offline
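Added example (not part of any post in this thread, and not Proxmark3 client code): decoding block 01 from the first post, ff ff ff ff 7f 1f ff ac, shows which bits the Mode, Coding, Crypt and RA lines of hf iclass reader are derived from. The field order and fuse bit masks are assumptions based on the Picopass configuration-block layout; the thread does not state them.

```python
# Added example: decode a Picopass configuration block (block 1).
# Field order and fuse bit masks are assumptions (Picopass config-block
# layout); the thread itself does not state them.

FUSE_FPERS = 0x80    # 1 = personalization mode (still programmable)
FUSE_CODING1 = 0x40
FUSE_CODING0 = 0x20
FUSE_CRYPT1 = 0x10
FUSE_CRYPT0 = 0x08
FUSE_RA = 0x01       # read access

CRYPT_MODES = {
    (1, 1): "Secured page, keys not locked",
    (1, 0): "Secured page, keys locked",
    (0, 1): "Non secured page",
    (0, 0): "No authentication possible, read only",
}


def decode_config_block(hex_block: str) -> dict:
    """Split block 1 into its fields and interpret the fuse byte."""
    raw = bytes.fromhex(hex_block)
    if len(raw) != 8:
        raise ValueError("a Picopass block is exactly 8 bytes")
    fuses = raw[7]
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B/ISO 15693"
    else:
        coding = "ISO 14443B only"
    crypt_bits = (int(bool(fuses & FUSE_CRYPT1)), int(bool(fuses & FUSE_CRYPT0)))
    return {
        "app_limit": raw[0],
        "otp": raw[1:3].hex(),
        "block_write_lock": raw[3],
        "chip_config": raw[4],
        "mem_config": raw[5],
        "eas": raw[6],
        "fuses": fuses,
        "mode": "Personalization [Programmable]" if fuses & FUSE_FPERS
                else "Application [Locked]",
        "coding": coding,
        "crypt": CRYPT_MODES[crypt_bits],
        "read_access": bool(fuses & FUSE_RA),
    }


if __name__ == "__main__":
    # Block 01 as posted in the thread.
    for field, value in decode_config_block("ff ff ff ff 7f 1f ff ac").items():
        print(f"{field:17}: {value}")
```

For fuse byte ac the two Crypt bits decode to a single state, Non secured page, with the personalization bit still set.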
That's right. Everything I have done with these cards so far has been in non secure mode.
I hope to keep going and learn how keys are used
Offline
Hello, I am trying to get started with the topic of keys, and it occurred to me to write two keys in positions 3 and 4 of an uninitialized picopass card.
The reader's memory is supposed to hold the permuted key. My question is what I must write in positions 3 and 4 or, rather, which key I have to diversify to write it in those positions: the permuted key or the unpermuted key?
I have few blank cards and I hope I am not mistaken.
Last edited by xugmu (2020-08-02 10:31:03)
Offline