Way to determine if UID or data blocks are being used by system

ninjuhhNutz · 2021-12-09 12:57:19

Backstory-

I've been a long time lurker/reader from here and the DT forum. Jumped the gun a good while back and ordered a NeXT implant, thinking that I would be able to clone my work credentials to it. Well, I was half right. I cloned the EM4x05 (fairly certain 4305) easily enough to a T5577 card, but quickly realized that the HID iCLASS Px D8Y card contained iCLASS legacy chip that the NeXT wasn't as friendly with. Long story short, I've manually written blocks 6-9 to a HID iCLASS DL card from redteamtools with no luck on the readers at my job. No response whatsoever. I'm beginning to wonder if the system only looks for the UID or looks for blocks 6-9 AND the UID for authentication. I should add that I had my card replaced a few years ago, (thinking I lost it but simply misplacing it for a few weeks) however, the old card still allows me access. Could be that the cards are preprogrammed and security at my job just enrolls those cards/info under my work credentials? Which limits me to only being able to having that very awkward and confusing (for them) conversation about why I want to enroll my HAND into the database.

I should add that I have a similar post on the DT forum about the actual cloning of the iclass to flexclass so as to not step on any toes.
https://forum.dangerousthings.com/t/hid … 3/12674/23

Is there any actual way for me to determine what the reader is looking for? I haven't brought this idea up to my employer, as security is through a third party company and it just seems like it's going to be a headache and a half to try to pull off.

Thanks in advance!

Last edited by ninjuhhNutz (2021-12-09 14:45:15)

ninjuhhNutz · 2022-02-07 19:14:57

2 months later

Still no progress, though I haven't had much time to focus on it. Anyone?

iceman · 2022-02-07 21:44:35

if you copied block 6-9 to a new card and it didn't work, do you think the reader was configured to read it? or was it configured to read the LF part?

carl55 · 2022-02-08 04:02:11

Based on the information that you provided, I believe that your problem is due to your iclass clone using the wrong authentication key.
You stated in your "DangerousThings" post that you purchased your iclass card from Red Team Tools. https://www.redteamtools.com/iCLASS-RFID-card

That particular card is an uninitialized/unprogrammed credential that gives you extensive programming flexibility if you need it (e.g. for generating configuration cards) but it cannot be used to create iclass credential clones unless you first change the Block 3 key and the block 1 configuration parameters.
These types of iclass cards use the HID factory default authentication key instead of the HID Master Authentication key.

Since the Proxmark3 has knowledge of the factory default key it is able to read and write blocks 6 through 9 as you experienced. However, the reader at your company does not use this key when it attempts to read the credential. It uses the HID Master authentication key. As a result, it will FAIL to read it.

You really should be using a configured/programmed iclass card/fob to make the clone unless you really understand what you are doing. That way you only need to modify blocks 6-9 to make a perfect clone.

iceman · 2022-02-08 17:43:15

Happy to see you back Carl55,

One of these days we all would love to see you over at the discord server too

ninjuhhNutz · 2022-02-11 08:07:40

carl55 wrote:

Based on the information that you provided, I believe that your problem is due to your iclass clone using the wrong authentication key.
You stated in your "DangerousThings" post that you purchased your iclass card from Red Team Tools. https://www.redteamtools.com/iCLASS-RFID-card
That particular card is an uninitialized/unprogrammed credential that gives you extensive programming flexibility if you need it (e.g. for generating configuration cards) but it cannot be used to create iclass credential clones unless you first change the Block 3 key and the block 1 configuration parameters.
These types of iclass cards use the HID factory default authentication key instead of the HID Master Authentication key.
Since the Proxmark3 has knowledge of the factory default key it is able to read and write blocks 6 through 9 as you experienced. However, the reader at your company does not use this key when it attempts to read the credential. It uses the HID Master authentication key. As a result, it will FAIL to read it.
You really should be using a configured/programmed iclass card/fob to make the clone unless you really understand what you are doing. That way you only need to modify blocks 6-9 to make a perfect clone.

Thank you! That actually cleared up what I didn't understand. I wasn't aware the cards came uninitialized. I was getting frustrated thinking I was doing something wrong over and over (other than not realizing the credential was different.)

So I know if I'm understanding properly-
the config block would need to be written to reflect a programmed card and the debit key. THEN write blocks 6-9 and the reader will recognize the chip as programmed?

The block 3 key isn't a "direct write" though, right? I mistakenly wrote the config block to the redteam card to match my work badge...trial and error always ends up with more errors than successes, right? blocks 6-9 already being written to the card, the hex values shouldn't be changed, just the debit key in block 3? I get the feeling I'm both overcomplicating and oversimplifying different parts of this.

Sorry, I'm still learning as reading as much as I can on the subject. And, as we all know, the learning curve is pretty much vertical. Good thing I like a challenge!

I've followed and read countless combined threads and articles and videos from both you guys, so a HUGE thanks for reaching out with assistance for us mere mortals that are just learning!

ninjuhhNutz · 2022-02-24 14:29:09

So I finally had a chance to snap a pic of the reader since someone knocked it off the post it was mounted on.

It’s a r-640x-300 reader. So definitely iClass.

The blank card from redteam

[usb] pm3 --> hf ic info

[=] --------------------- Tag Information ----------------------
[+]     CSN: AA 72 82 01 F8 FF 12 E0  uid
[+]  Config: FF FF FF FF 7F 1F FF BC  card configuration
[+] E-purse: FE FF FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key, hidden
[+]      Kc: 00 00 00 00 00 00 00 00  credit key, hidden
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: FF FF FF FF 7F 1F FF BC
[=]          FF.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               BC  fuses
[=]   Fuses:
[+]     mode......... Personalization (programmable)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     AA1 blocks 250 { 0x06 - 0xFF (06 - 255) }
[=]     AA2 blocks 4294967077 { 0x100 - 0x1F (256 - 31) }
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit or credit
[=]     Read B....... debit or credit
[=]     Write A...... credit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

So I'm still in personalization mode. Which means that's probably why the reader isn't picking up the card. reading @carl55 comments about changing the authentication key. It is in fact still using the picopass default key. From what I understand, writing a "true" key to block 3, the HID master key, instead of an xor key will square me away after writing blocks 6-9?

The only thing I'm stuck on (at least I think that's all) is switching the card to application mode. I've read several threads but either I'm missing something or I'm looking for the wrong thing. Any ideas?

Last edited by ninjuhhNutz (2022-02-24 14:34:29)

carl55 · 2022-02-24 19:01:46

To be clear ...
Your card is NOT using the Picopass default authentication key. Those uninitialized iclass cards you obtained use the HID default authentication key. If you buy a configured/programmed iclass card it will use the HID Master authentication key. The picopass default key is only used for non-iclass picopass credentials that have a different CSN range.

That being said ...
Since you are using an uninitialized credential that is still in personalization mode and using the HID default authentication key, you have two options to configure and program the card.
There are two ways to do it since the card handles key updates differently based on which mode the credential is in.

Option 1:
Step 1.
Calculate the new diversified key value using the HID master Authentication key and your CSN.

Step 2.
Write the new "true" diversified key into Block 3

Step 3.
Update the Block 1 configuration to put the card in Application Mode and set the App Limit value.

Step 4.
Write the new Block 6,7,8,9 values obtained from the card being cloned.

Option 2:
Step 1.
Update the Block 1 configuration to put the card in Application Mode and set the App Limit value.

Step 2.
Calculate the existing diversified key value using the HID default authentication key and your CSN.

Step 3.
Calculate the new diversified key value using the HID Master authentication key and your CSN.

Step 4.
Calculate the XOR value of the two diversified key values obtained above and write that value to block 3.

Step 5.
Write the new Block 6,7,8,9 values obtained from the card being cloned.

Below are the values that I calculated based on the CSN that you provided in your post.
(USE AT YOUR OWN RISK!!)

CSN: AA728201F8FF12E0
Kdiv (existing) = 14BF56D60F2C87F5 (Calculated using HID Default App1 Auth Key)
Kdiv (new) = 08F119BE92C3FAE9 (Calculated using HID Master Auth Key)
Kdiv XOR = 1C4E4F689DEF7D1C

FFFFFFFF7F1FFFBC Block 1 (default)
12FFFFFF7F1FFF3C Block 1 (New)

Good Luck!

ninjuhhNutz · 2022-02-25 04:55:56

@carl55 YOU sir, are awesome. I wasn't expecting even half of the response that you gave. I sincerely do appreciate you taking the time and effort to help me out. I just went out to the gate and checked! It works! If you and I are ever in the same area, I owe you quite a few beers!

Now I have one last question (which will probably be several questions haha) , for sake of me truly understanding.

Seeing as I'm quite the rookie, there are things that I'm still unclear on.

The config block...I assume that there's some sort of reference material to get the config block from? Or, is it a set value for personalization vs application?

and the keys. They're calculated using the csn and the current vs desired key. I get the xor function between kdiv(existing) and kdiv(new) to be kdiv(xor) that's written to block 3. The actual calculation to get the kdiv values eludes me, still.

hf ic calcnewkey instruction is a bit fuzzy as I've read several different forum posts and some of them are conflicting (at least to me)

Again, thanks for the help and support!
Do you mind if I take your advice over to the DT forum? Some of those guys have a similar issue and I'd like to help them out with what I learned from you.

Last edited by ninjuhhNutz (2022-02-25 04:58:35)

carl55 · 2022-02-25 18:57:20

The Block 1 Configuration register breakdown is defined in the PicoPass datasheet. That document was removed from the internet after the original iclass keys were hacked. If you send me an email I will forward the document to you.

The iclass diversified key algorithm is described in the "Dismantling iClass and iClass Elite" paper that was published several years ago. Just do a Google search on the title and you will find the pdf available from several sources.

The Kdiv algorithm has already been implemented in the PM3 firmware for you since it is a fairly complex algorithm. It is also built in to the legacy RWxxx Reader/writers and can be accessed by communicating with the reader using the RS-232 command protocol described in the HID iclass Serial Protocol document.

ninjuhhNutz · 2022-03-01 11:36:37

Firstly, thanks for the pdf's

After reading the picopass datasheet, dismantling iclass, and serial protocol document I think I have a much better understanding.

The new config values

FFFFFFFF7F1FFFBC Block 1 (default)
12FFFFFF7F1FFF3C Block 1 (New)

so all that changed was the app limit and the fuses, correct?

FF -> 12.

0x12 being 18 ...for AA1 blocks 13 {0x06-0x12 (06 - 18) }

to establish the Application Area 1, which uses the Kd in block 3.

and BC -> 3C to blow the fuses and set the card to application mode as opposed to personalization?

Then the Kd for block 3

hf ic calcnewkey --oki 2 --nki 0

my chk cmd had keys ending in:
9687 for ki 2
3278 for ki 0

I think my mixup about the picopass/hid default key was on my end. I have several notepad files with the keys listen and labeled.

I didn't specify csn as the pm3 -h said the pm3 would attempt to read the csn. maybe thats a bad idea?

somehow I tricked myself into steering clear of the calcnewkey cmd thinking it would actually write to the card.

In personalization mode-write the new diversified key to block 3
In application mode-write the xor diversified key to block 3

Then use hf ic wrbl -b 6-9 with the desired values.

Am I on the right track now?

BTW I edited this several times as I was making sure I had what I was thinking in my head actually in the post. Final edit-1300 zulu

Last edited by ninjuhhNutz (2022-03-01 14:04:39)

carl55 · 2022-03-01 15:56:40

That was a vey good summary. It looks like you got everything correct.

ninjuhhNutz · 2022-03-01 16:39:25

The only question I have remaining is about the app limit. Are there different cards/readers/access control systems that utilize a different AAP1 value? If so, a hf ic info should give the last block used in AA1 and then a 0x representing that be written instead? Or is 0x12 pretty standard?

@Admin please mark this thread as solved and again huge thanks to @iceman and @carl55

carl55 · 2022-03-01 21:02:51

As a general rule, HID always allocates the first 18 blocks (0x12) for the Access Control application and assigns all data blocks above 0x12 as belonging to Application 2. The App2 data blocks are used for various functions such as cashless vending, biometric data and other user defined needs.
The Access Control Application in App1 varies in size but it is always allocated 0x12 blocks.
The legacy iclass access control application occupies up to block 0x9, the SE payload goes up to block 0x0C and the SR dual payload occupies up to block 0x10.

The only exception I have ever seen is with configuration cards that are used to load a high security key into the reader. These cards always seem to load the App Limit field to a value of 0x1F in order to fit the somewhat larger key update application into the App1 area.

The uninitialized iclass cards that you purchased come with an App Limit value set to 0xFF. You aren't required to change this value unless you have a need to have a separate App2 area. The normal HID access control payloads (excluding BioClass) really don't care what this value is set to as long as it is 0x12 or above.

ninjuhhNutz · 2022-03-02 01:04:00

That pretty much clears everything up! I can't thank you enough.

Proxmark3 community

Announcement

#1 2021-12-09 12:57:19

Way to determine if UID or data blocks are being used by system

#2 2022-02-07 19:14:57

Re: Way to determine if UID or data blocks are being used by system

#3 2022-02-07 21:44:35

Re: Way to determine if UID or data blocks are being used by system

#4 2022-02-08 04:02:11

Re: Way to determine if UID or data blocks are being used by system

#5 2022-02-08 17:43:15

Re: Way to determine if UID or data blocks are being used by system

#6 2022-02-11 08:07:40

Re: Way to determine if UID or data blocks are being used by system

#7 2022-02-24 14:29:09

Re: Way to determine if UID or data blocks are being used by system

#8 2022-02-24 19:01:46

Re: Way to determine if UID or data blocks are being used by system

#9 2022-02-25 04:55:56

Re: Way to determine if UID or data blocks are being used by system

#10 2022-02-25 18:57:20

Re: Way to determine if UID or data blocks are being used by system

#11 2022-03-01 11:36:37

Re: Way to determine if UID or data blocks are being used by system

#12 2022-03-01 15:56:40

Re: Way to determine if UID or data blocks are being used by system

#13 2022-03-01 16:39:25

Re: Way to determine if UID or data blocks are being used by system

#14 2022-03-01 21:02:51

Re: Way to determine if UID or data blocks are being used by system

#15 2022-03-02 01:04:00

Re: Way to determine if UID or data blocks are being used by system

Quick reply

Board footer