Help how to clone iclass/picopass

uh oh…you did a naughty!

writing directly to block 3 is a big no no! ask me how I know :stuck_out_tongue:

I’m not saying it’s impossible to recover from, as there are a few threads over on the proxmark forum I’ve read about reverse engineering the Kd, which is the debit key, aka block 3. It just honestly seemed like more work than it was worth for me (seeing as it was one of several blank cards that I had to experiment with).

@philidelphiaChickens he won’t be able to read or write any blocks or dump now, right? Changing the Kd by manually writing it to match the other credential creates a snafu when trying to authenticate via UID/master key. Or, did I misunderstand what I was reading?

Yes. It’s only when I tried blocks 2 and 1 that it said writing failed.

Blocks 0-5 I try to stay well clear of as much as I can.

But all the other command lines still read the card, such as hf ic info. It tells me all the info.

Yep. You should be able to get info from some of the functions of the card. It seems that you messed with the sections of the card that are needed to access individual blocks, which is why you’re not getting more detailed info.

I figured I’d try copying every block. It looked promising when I started backwards: everything was writing, and I would double check and they all copied. It’s just when I got to 2 that it started failing.

Maybe I can clear a block or restart adding info by erasing the card, if that’s even possible?

If you messed with block 1, you’ve bricked the card. You’ll need a new one. There is no easy way to repair the issues here.

Even if I’m able to read the card using other info commands, you think the card is dead?
And if I try another card, you recommend I stay away from blocks 1-3, even if 3 was able to write?

Block 1 was never written to, because it said writing failed, so block 1 should still be the old one.

Stay away from blocks 0-5.

So blocks 0-5 don’t need to be cloned onto the new card?
And the cloned card will have the same permissions as the original, is what I’m understanding.
So the only data needing to be cloned is blocks 6 and above?

definitely stay away from 0-5 like @philidelphiaChickens suggested. I learned the hard way as well. There may come a time that I can successfully play around and not smoke check the card, but that time is not now or soon as far as I can see.

I don’t recall asking or seeing it asked, but did the reader respond at all to the cloned card after you wrote 6-9?


I cloned blocks 6-9 and the data was identical,
but when I went to the reader this morning the reader didn’t recognize any data like my original, so I figured I’d copy more blocks, starting backwards from 18 to 1, and it was writing them all successfully till I hit block 2 and it started failing to write.
It wrote blocks 5-4-3 without issues, but I never tried it on the reader after each block. I figured I’d try when I copied each one, not knowing modifying some blocks destroys them.
I get another blank tomorrow and will try writing only blocks 6-18 and see if that clones my original card, because just cloning 6-9 didn’t do so.

block 2 failed as I understand, because you can only decrement the e-purse, which is your block 2 data

I suspect that if you had started with 3 (assuming that 2 would fail anyways) as soon as you changed the debit key, you wouldn’t have been able to write any blocks after that.

hf ic info works because you’re not actually using the keys to process the command. rdbl, wrbl, and dump all use the key, which you unintentionally changed by writing to block 3, which now won’t authenticate, which is what’s causing your “failed to communicate with card”

Hopefully that makes it all a little more clear? I know it can get a little foggy at times.

Don’t get discouraged. The more you read and more you screw up, the more you’ll learn. I’m still getting there myself. If you’re feeling brave, the picopass datasheet goes into much more detail about how the keys work and quite a bit more. I don’t remember reading anything about SE (as it doesn’t apply to what I’m currently working on) but, I’m sure there’s info out there. Not a guide or tutorial, as I haven’t come across a successful SE clone or heard of it, but there is still information that will help you understand it better.

I know Fuck all about these cards, but curious how well you know the system administrators?
Can you just get your implant enrolled? (when you get a FlexClass)
or at the very least, can you view the backend software and see what is displayed when you swipe your card on an access door?

How do the flexclass cards come? If they come uninitialized, then won’t they be using the HID factory default authentication key instead of the HID master authentication key? Which is apparently what my problem is atm. I have a couple more cards otw for more experimenting.

If they come with arbitrary values in blocks 6-9 and have the correct config, it sounds doable. Since the UID isn’t what’s actually read, it matters very little in terms of enrolling as opposed to the recommended blocks 6-9

The implants?
No idea…
I’m just throwing some shit out, hoping something will stick for you
:dart: :poop:

Whoops, haha, yes, the implants. “Cards” was supposed to be “chips” :man_facepalming:

OK, so my first attempt failed. Like everyone mentioned, the card died and the reader didn’t read anything when I tried scanning the cloned card. But I won’t give up. I purchased some other blank picopass 2k cards. When I run the command line hf ic info it confirms the card type as picopass 2k cards. But when I run hf ic dump --ki 0, hoping to see the block columns, I don’t get them. I get the message in the picture.
And when I try to run the hf ic wrbl -b command lines it says writing failed.
Did I need to do an extra step to see the blocks?
Is this not the same card type, even if it clearly says it’s a picopass 2K card?
Maybe there’s another command line to see my blocks.
Any help would be great.