Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Tried hf iclass chk f, no luck.
Then tried loclass against an iClass reader with sim 2 and sim 4,
but loclass keeps giving these same results endlessly. Any help or ideas???:
----------------------------
[=] Bruteforcing byte 1
[=] Bruteforcing byte 0
[=] Bruteforcing byte 69
[!] Failed to recover 3 bytes using the following CSN
[!] CSN = 010a0ffff7ff12e0
[-] The CSN requires > 3 byte bruteforce, not supported
[-] CSN = 0c060cfef7ff12e0
[-] HASH1 = 0204000045014545
[-] The CSN requires > 3 byte bruteforce, not supported
[-] CSN = 1097837bf7ff12e0
[-] HASH1 = 050d000045014545
----------------------------
[=] Bruteforcing byte 6
[=] Bruteforcing byte 14
[=] Bruteforcing byte 0
Last edited by yukihama (2020-11-18 07:20:36)
The system isn't configured in elite / High security if loclass fails.
What's the output from (hf iclass info)?
Have you tried sniffing the traffic between reader/card? Save the trace (trace save f).
Thanks iceman for your hint, but how can the iClass system be configured in neither elite / High security nor legacy?
I tried to dump with both default legacy keys (AEA68 or AFA78) but no luck ^_^
Read the iClass fob as follows:
[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] CSN: XX XX XX 0F XX FF XX XX (uid)
[+] Config: 12 FF FF FF 7F 1F FF 3C (Card configuration)
[+] E-purse: FF FF FF FF 7B FE FF FF (Card challenge, CC)
[+] Kd: 00 00 00 00 00 00 00 00 (Debit key, hidden)
[+] Kc: 00 00 00 00 00 00 00 00 (Credit key, hidden)
[+] AIA: FF FF FF FF FF FF FF FF (Application Issuer area)
[=] ------ card configuration ------
[+] Mode: Application (locked)
[+] Coding: ISO 14443-2 B / 15693
[+] Crypt: Secured page, keys not locked
[=] RA: Read access not enabled
[=] App limit 0x12, OTP 0xFFFF, Block write lock 0xFF
[=] Chip 0x7F, Mem 0x1F, EAS 0xFF, Fuses 0x3C
[=] ------ Memory ------
[=] 2 KBits/2 App Areas (256 bytes)
[=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------ KeyAccess ------
[=] Kd = Debit key (AA1), Kc = Credit key (AA2)
[=] Read A - Kd or Kc
[=] Read B - Kd or Kc
[=] Write A - Kc
[=] Write B - Kc
[=] Debit - Kd or Kc
[=] Credit - Kc
[=] ------ Fingerprint ------
[+] CSN is in HID range
[+] Credential : iCLASS legacy
[+] Card type : PicoPass 2K
Last edited by yukihama (2020-11-18 10:39:43)
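To make the `hf iclass info` output above easier to interpret, here is an added example (not code from the thread or from the Proxmark3 client) that decodes the 8-byte card configuration block printed on the `Config:` line into the same fields the client shows: app limit, OTP, block write lock, chip, mem, EAS and the fuse byte. The fuse-bit assignments are assumed to follow the Proxmark3 client's definitions, and the application-area ranges assume a 2K PicoPass layout (blocks 0 to 5 reserved, 32 blocks in total); the sample line is constructed from the post above.

```python
import re

# Fuse byte bit assignments (assumed to follow the Proxmark3 client's definitions).
FUSE_FPERS = 0x80    # personalization mode when set, application mode when clear
FUSE_CODING1 = 0x40  # coding bits: reserved when CODING1 set
FUSE_CODING0 = 0x20  # ISO 14443-2 B / 15693 when set, 14443-B only when clear
FUSE_CRYPT1 = 0x10   # CRYPT1/CRYPT0 select secured/non-secured page and key lock
FUSE_CRYPT0 = 0x08
FUSE_FPROD1 = 0x04   # production fuses, not interpreted here
FUSE_FPROD0 = 0x02
FUSE_RA = 0x01       # read access

# 2K PicoPass layout assumption: blocks 0-5 are CSN/config/e-purse/keys/AIA,
# application area 1 runs from block 6 to the app limit, area 2 to the last block.
FIRST_APP_BLOCK = 0x06
LAST_BLOCK_2K = 0x1F


def decode_fuses(fuses: int) -> dict:
    """Translate the fuse byte into the labels `hf iclass info` prints."""
    mode = "Personalization (unlocked)" if fuses & FUSE_FPERS else "Application (locked)"

    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443-B only"

    c1 = bool(fuses & FUSE_CRYPT1)
    c0 = bool(fuses & FUSE_CRYPT0)
    crypt = {
        (True, True): "Secured page, keys not locked",
        (True, False): "Secured page, keys locked",
        (False, True): "Non secured page",
        (False, False): "No auth possible, card in open mode",
    }[(c1, c0)]

    ra = "Read access enabled" if fuses & FUSE_RA else "Read access not enabled"

    return {
        "mode": mode,
        "coding": coding,
        "crypt": crypt,
        "ra": ra,
        # Handy audit flag: a secured page whose keys are still writable.
        "keys_locked": c1 and not c0,
    }


def decode_config_block(block: bytes) -> dict:
    """Split the 8-byte configuration block (card block 1) into its fields."""
    if len(block) != 8:
        raise ValueError("configuration block must be exactly 8 bytes")
    app_limit = block[0]
    return {
        "app_limit": app_limit,
        # OTP byte order is an assumption; the sample has both bytes 0xFF.
        "otp": int.from_bytes(block[1:3], "little"),
        "block_write_lock": block[3],
        "chip": block[4],
        "mem": block[5],
        "eas": block[6],
        "fuses": decode_fuses(block[7]),
        # Inclusive block ranges of the two application areas.
        "aa1": (FIRST_APP_BLOCK, app_limit),
        "aa2": (app_limit + 1, LAST_BLOCK_2K),
    }


def parse_config_line(line: str) -> bytes:
    """Pull the eight hex bytes out of an `hf iclass info` 'Config:' line."""
    m = re.search(r"Config:\s*((?:[0-9A-Fa-f]{2}\s*){8})", line)
    if not m:
        raise ValueError("no Config: line with 8 hex bytes found")
    return bytes.fromhex(m.group(1).replace(" ", ""))


# Constructed sample: the Config line from the post above.
SAMPLE_LINE = "[+] Config: 12 FF FF FF 7F 1F FF 3C (Card configuration)"

if __name__ == "__main__":
    cfg = decode_config_block(parse_config_line(SAMPLE_LINE))
    print(f"App limit 0x{cfg['app_limit']:02X}, OTP 0x{cfg['otp']:04X}, "
          f"Block write lock 0x{cfg['block_write_lock']:02X}")
    print(f"Chip 0x{cfg['chip']:02X}, Mem 0x{cfg['mem']:02X}, EAS 0x{cfg['eas']:02X}")
    for k, v in cfg["fuses"].items():
        print(f"{k}: {v}")
    print("AA1 blocks 0x%02X - 0x%02X, AA2 blocks 0x%02X - 0x%02X" % (*cfg["aa1"], *cfg["aa2"]))
```

Run on the sample line it reproduces the client's reading of the fob: application mode, ISO 14443-2 B / 15693 coding, a secured page whose keys are not locked, read access not enabled, and AA1 spanning blocks 0x06 to 0x12. The `keys_locked` flag is the one an auditor cares about when reviewing how a batch of credentials was personalized.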
They can have their own custom key for their system.
OMG, is there any way to extract their own custom key? Do you mean their custom legacy key instead of their custom elite/HS key?
Last edited by yukihama (2020-11-18 11:30:48)
You could try to do the hw attacks to extract it, or sniff and try a large dictionary, but I would say it will not work, or you could look into a replay attack.
yes, that is what I mean.
Extract from HW reader: not possible to dump the EEPROM.
Sniff: I will try later, but I am afraid I have no clue which legacy key it uses.
Try a large dictionary: I guess this custom legacy key starts with AEA or AFA, what do you think?
Replay attack: never got deep into it, but I heard about this approach for DESFire cards, any recommended detailed documents?
Thanks Iceman, you are a Genius.
Last edited by yukihama (2020-11-18 12:29:49)
Search the forum for it, and I did a video, but since then the client has been updated and the replay command is merged into the read/dump commands. Not too hard to figure out.