Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-11-27 08:33:11

AussieBacon
Contributor
Registered: 2019-11-13
Posts: 9

Reading & Writing to Blocks

Hi guys,

I had a question regarding reading and writing to blocks on the iClass cards.

In a nutshell, in Milosch Meriac's "Heart of Darkness" paper, he demonstrates on page 6 (table 3) that he can read and write to different blocks on the card.

I used the same Omnikey Contactless Demo software and was able to emulate the first few steps in the paper, for example:

-> 80A60000 (select card)
<- 9000 (OK)

-> 808200F008XXXXXXXXXXXXXXXX (load key)
<- 9000 (OK)

-> 808800F0 (authenticate)
<- 9000 (OK)

-> read block 6 80B0000600
<- 030303030003E0179000 (block 6 + OK)

-> read block 7 80B0000700
<- BC8793E20AF06F339000 (block 7 + OK)

However, when I try to write to a block, using the same example in the paper, I get an error.

-> 80D60009080102030405060708 (write block 9)
<- 6986 (error)

Now the interesting thing is that when I used the CopyClass program, which I compiled with the 16-byte TDES key, blocks 7-9 are decrypted.

Does this mean that I need to authenticate using the 16-byte key as well before I attempt to write anything?  That's certainly not the case in Meriac's paper so I am a bit confused.

Thanks.

Last edited by AussieBacon (2019-11-27 08:56:59)

Offline
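Added example (not code from the post or from Omnikey's software): a small Python parser for the APDU trace quoted above. It splits each command into CLA/INS/P1/P2 plus Lc/data or Le, and each response into data bytes plus the ISO 7816-4 status word, so a failed step such as the `6986` on the write stands out. The instruction names are taken from the post's own annotations, and the load-key payload keeps the post's `X` placeholders.

```python
# Trace lines copied from the post above; the key bytes are the poster's placeholders.
TRACE = [
    "-> 80A60000", "<- 9000",                              # select card
    "-> 808200F008XXXXXXXXXXXXXXXX", "<- 9000",            # load key (redacted)
    "-> 808800F0", "<- 9000",                              # authenticate
    "-> 80B0000600", "<- 030303030003E0179000",            # read block 6
    "-> 80B0000700", "<- BC8793E20AF06F339000",            # read block 7
    "-> 80D60009080102030405060708", "<- 6986",            # write block 9 -> error
]

# INS byte meanings as annotated in the post (CLA 0x80 is the reader's proprietary class).
INS_NAMES = {0xA6: "select card", 0x82: "load key", 0x88: "authenticate",
             0xB0: "read block", 0xD6: "write block"}
# ISO 7816-4 status words that occur in the trace.
SW_NAMES = {0x9000: "OK", 0x6986: "command not allowed"}

def parse_command(hexstr):
    """Split a command APDU into header fields and either Le (case 2) or Lc+data (case 3)."""
    cla, ins, p1, p2 = bytes.fromhex(hexstr[:8])
    cmd = {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
           "name": INS_NAMES.get(ins, "unknown"), "le": None, "data": None}
    body = hexstr[8:]
    if len(body) == 2:                     # case 2: only an Le byte (read block)
        cmd["le"] = int(body, 16)
    elif len(body) > 2:                    # case 3: Lc followed by Lc data bytes
        lc, data = int(body[:2], 16), body[2:]
        if len(data) != 2 * lc:
            raise ValueError(f"Lc={lc} but {len(data) // 2} data bytes present")
        cmd["data"] = data                 # kept as hex so redacted key bytes survive
    return cmd

def parse_response(hexstr):
    """Split a response into its data bytes and the trailing two-byte status word."""
    sw = int(hexstr[-4:], 16)
    return {"data": bytes.fromhex(hexstr[:-4]), "sw": sw,
            "status": SW_NAMES.get(sw, "unknown")}

def walk_trace(lines):
    """Pair each '->' command with the following '<-' response."""
    exchanges, pending = [], None
    for line in lines:
        direction, payload = line.split(" ", 1)
        if direction == "->":
            pending = parse_command(payload.strip())
        else:
            exchanges.append((pending, parse_response(payload.strip())))
    return exchanges

if __name__ == "__main__":
    for cmd, resp in walk_trace(TRACE):
        print(f"{cmd['name']:<12} P2={cmd['p2']:#04x} -> {resp['status']} ({resp['sw']:#06x})")
```

The decoded `6986` on the write is only the generic "command not allowed" status; the reader reports nothing about which precondition (such as the authentication state) was not met.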

#2 2019-11-27 14:27:03

yukihama
Contributor
Registered: 2018-05-13
Posts: 94

Re: Reading & Writing to Blocks

Very interesting, pal.
What's the 16-byte TDES key you used? I don't think you need to decrypt or encrypt it on your level. The reader will do the encryption for you, from my understanding, FYI.

BR

Offline

#3 2019-11-27 18:10:41

iceman
Administrator
Registered: 2013-04-25
Posts: 5,944
Website

Re: Reading & Writing to Blocks

Not really iClass / Proxmark related thread, normally I would move it to Various tools and Utilities http://www.proxmark.org/forum/viewforum.php?id=16


The CopyClass software still needs to decrypt block 7 with the transport key, nothing that the reader does for you, in order to get Wiegand out.
Authentication with the AA1 key is something else.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#4 2019-11-27 23:00:03

AussieBacon
Contributor
Registered: 2019-11-13
Posts: 9

Re: Reading & Writing to Blocks

yukihama wrote:

Very interesting, pal.
What's the 16-byte TDES key you used? I don't think you need to decrypt or encrypt it on your level. The reader will do the encryption for you, from my understanding, FYI.

BR

I used the key extracted from a Rev A reader, which is what you're supposed to use to replace the placeholders in the CopyClass software.

Offline

#5 2019-11-27 23:07:46

AussieBacon
Contributor
Registered: 2019-11-13
Posts: 9

Re: Reading & Writing to Blocks

iceman wrote:

Not really iClass / Proxmark related thread, normally I would move it to Various tools and Utilities http://www.proxmark.org/forum/viewforum.php?id=16

Apologies, iceman, I wasn't sure since I thought anything to do with iClass cards goes in this thread.  Please feel free to move if you feel necessary.

iceman wrote:

The CopyClass software still needs to decrypt block 7 with the transport key, nothing that the reader does for you, in order to get Wiegand out.
Authentication with the AA1 key is something else.


I understand and all of that makes sense.  However, my question was more in regards to Meriac's example in his paper.  Specifically, why is it that he was able to write (apparently) to Block 9 as per the following image from his paper and I am not, following those exact steps:

Hod_page-6.jpg

Offline

#6 2019-11-28 09:18:03

iceman
Administrator
Registered: 2013-04-25
Posts: 5,944
Website

Re: Reading & Writing to Blocks

Because he has told the reader to authenticate with the AA1 key first, then he wrote to block 9?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#7 2019-12-03 05:24:10

AussieBacon
Contributor
Registered: 2019-11-13
Posts: 9

Re: Reading & Writing to Blocks

iceman wrote:

Because he has told the reader to authenticate with the AA1 key first, then he wrote to block 9?

Hmm... I believe that's what I am doing as well.

I am using the 8-byte key he is referring to below.  This is the master key which allows authentication to read the card contents, albeit in encrypted form:
ref_HoD_page_5.jpg


He states that this allows read and write access in the following paragraph:
ref_HoD_page_6.jpg


I have checked with another user on this forum who is having the same issue.

Unless I have completely misunderstood which one the AA1 key is. To my knowledge, there's the HID master key, then 2 other 8-byte keys which, when put together as 16 bytes, are used to decrypt the information on the card.

Is anyone able to replicate this?

My test environment consists of Windows 7, an Omnikey 5321 (FW 5.10), and iClass DL cards.

Cheers

Offline
