Changed iCLASS block 3 as an experiment, can't authenticate to card anymore

Not sure if this is supposed to be in the projects category or support, but here goes…

Please help!

So I’ve been messing with an iCLASS Legacy fob trying to clone my issued card ID. I was successful in finding the key and changing block 7, which worked for access control. However, we also have lunch accounts attached to the ID, which didn’t work with the clone. I was trying to get it working, and found that the next most obvious differences between my issued ID and the fob were the debit key and ePurse blocks, so I decided to write them and see what happens.

The end goal here is to find out if I can clone to a flexCLASS and not have to take my ID with me. I don’t have an implant yet though, hence the fob.

I wrote block 2 (ePurse/Card Challenge), and it didn’t seem to change anything important, which makes sense to me. But when I wrote block 3 (Debit key), I stopped being able to actually read anything on the card. The good news is I know what I overwrote it with, but if I use that value as the key in pm3, I still can’t authenticate.

Right now, I’m just trying to restore the fob to a functioning condition. If that’s not possible, I can get another iCLASS chip; I’d just prefer to fix this one. If you know how to get access to the chip back, please let me know!

OLD Key: AEA684A6DAB23278
NEW Key: UNKNOWN!!!

OLD Block 2: FEFFFFFFFFFFFFFF
NEW Block 2: 59F4FFFFFFFFFFFF (I don’t think this block is what caused the problem.)

OLD Block 3: E1EB107FD67BBC62
NEW Block 3: FC6C8BBE550710A9

[usb] pm3 --> hf ic dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.

[=] --------------------------- Tag memory ----------------------------

[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | 74 BE 14 03 F9 FF 12 E0 | t....... |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | EC FF FF FF FF FF FF FF | ........ |   | E-purse
[=]   3/0x03 | E1 EB 10 7F D6 7B BC 62 | .....{.b |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | access credential |   | User / Cred
[=]   7/0x07 | access credential |   | User / Cred
[=]   8/0x08 | access credential |   | User / Cred
[=]   9/0x09 | access credential |   | User / Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  11/0x0B | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  12/0x0C | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  13/0x0D | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  14/0x0E | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  15/0x0F | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  16/0x10 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential

[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file hf-iclass-74BE1403F9FF12E0-dump.bin
[+] saved 19 blocks to text file hf-iclass-74BE1403F9FF12E0-dump.eml
[+] saved to json file hf-iclass-74BE1403F9FF12E0-dump.json
[?] Try `hf iclass decrypt -f` to decrypt dump file
[?] Try `hf iclass view -f` to view dump file

// VALUE OF KEY INDEX 0 IS AEA684A6DAB23278

[usb] pm3 --> hf ic wrbl -b 2 -d 59F4FFFFFFFFFFFF --ki 0
[+] Using key[0] AE A6 84 A6 DA B2 32 78
[+] Wrote block   2/0x02 successful

[usb] pm3 --> hf ic wrbl -b 3 -d FC6C8BBE550710A9 --ki 0
[+] Using key[0] AE A6 84 A6 DA B2 32 78
[+] Wrote block   3/0x03 successful

[usb] pm3 --> hf ic wrbl -b 2 -d 2DF4FFFFFFFFFFFF --ki 0
[+] Using key[0] AE A6 84 A6 DA B2 32 78
[-] Writing failed

[usb] pm3 --> hf ic dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

[usb] pm3 --> hf search
[-] Searching for iCLASS / PicoPass tag...
[+] iCLASS / Picopass CSN: 74 BE 14 03 F9 FF 12 E0

[+] Valid iCLASS tag / PicoPass tag found

[usb] pm3 --> hf ic dump -k AEA684A6DAB23278
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

[usb] pm3 --> hf ic info

[=] --------------------- Tag Information ----------------------
[+]     CSN: 74 BE 14 03 F9 FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: FF FF FF FF 59 F4 FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF 7F 1F FF 3C
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit
[=]     Read B....... credit
[=]     Write A...... debit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

I later also tried using key FC6C8BBE550710A9 (new value of block 3) to no avail.

As a side note, if anyone has tips on how to find the credit key, please do let me know! I figure that’s what I’m looking for now.

When writing to iCLASS cards in application mode, your block 3 write is XORed with the current value.

FYI
Please help = Support

I did a thing, you can too, here’s how… = Project

Changed it for you


Okay, based on that the current value of block 3 should be 1D879BC1837CACCB. How can I use this to read/write the data?

As the key. Normally they’re diversified, so use the raw option.
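The arithmetic behind the two replies above, as an added example that is not part of the original thread: in application mode the card stores (current key XOR written data) in block 3, so the key now on the card is the old block 3 value XORed with what was written, and writing that same data again (authenticated with the current key) XORs it back. The block values are the ones posted in this thread; pm3's `--raw` flag is the "raw option" the reply refers to.

```python
# Added example (not from the thread or the pm3 project): recover the effective
# iCLASS block 3 (Kd) value after an application-mode write, which XORs the
# written data into the current key instead of replacing it.

def xor_block(a: bytes, b: bytes) -> bytes:
    """XOR two 8-byte iCLASS blocks."""
    if len(a) != 8 or len(b) != 8:
        raise ValueError("iCLASS blocks are exactly 8 bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def key_after_write(current_key_hex: str, written_hex: str) -> str:
    """Key actually stored after writing `written_hex` over `current_key_hex`.

    The result is already the per-card value, so pass it to pm3 with --raw
    rather than letting pm3 diversify it again.
    """
    return xor_block(bytes.fromhex(current_key_hex),
                     bytes.fromhex(written_hex)).hex().upper()


def data_to_write_for_target(current_key_hex: str, target_key_hex: str) -> str:
    """Data to write to block 3 so that the stored key becomes `target_key_hex`.

    Because the card XORs, the write value is current XOR target; the write
    itself must be authenticated with the *current* stored key.
    """
    return xor_block(bytes.fromhex(current_key_hex),
                     bytes.fromhex(target_key_hex)).hex().upper()


# Values as posted in the thread: block 3 before the write, and what was written.
OLD_BLOCK3 = "E1EB107FD67BBC62"
WRITTEN = "FC6C8BBE550710A9"

if __name__ == "__main__":
    now = key_after_write(OLD_BLOCK3, WRITTEN)
    print("key now stored in block 3:", now)            # 1D879BC1837CACCB
    print(f"pm3: hf iclass dump -k {now} --raw")
    restore = data_to_write_for_target(now, OLD_BLOCK3)
    print("write this to block 3 to restore the old key:", restore)  # FC6C8BBE550710A9
```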

I did this unknowingly a while back and had to work my way back to getting the card functional again. Hope this helps.

Read through it, and the bits that apply to your situation should be pretty obvious. Good luck.
