Using Proxmark3 Easy to clone an elite iclass card

All,
I’ve got an iclass legacy card that is coded with an elite key. I was able to extract the key using a loclass attack, so so far so good.

However, I’ve got a blank iclass card coded with the standard legacy keys. Is there a way I can use the proxmark3 to change the key on the card? I’m able to restore the .bin file from my elite card to my non-elite card, but only by using the key currently on the non-elite card. Of course the reader then cannot read the card, since it’s using the wrong key.

Looking through the help file, don’t see anything. Have not flashed with iceman, but could do if this is easier.

Regards,
Jesse

After reading the papers on this format, I’ve realized that I can just use calcnewkey, then overwrite block 3 with new key, and then it’ll be correctly keyed.

1 Like

Hi Laeuchli,

Can you please give an example of what old value and new value did you provide to get the required value for block 3? I have already bricked 3 cards and just want to understand your steps.

Cheers.

When you write a new key the card XORs this key with the previous key (see the famous paper on the subject of iclass). So you need to use calcnewkey to compute the correct key to write to end up with your desired key. If you know the old key, and the new key, you can compute what the card wrote when you wrote the new key (and this will be your key). Alternatively, you can use calcnewkey to help you out.

That’s all there is to it, from what I remember.

2 Likes

Thanks @laeuchli for your reply. And last thing- in calcnewkey function:
the old key = the masterkey of my standard card (--ki 0 in my case)
The new key = the elite key of my card.

Is that right?

Looking at the script I wrote, this is how I did it.
proxmark3 com6 -c "hf iclass managekeys --ki 7 -k KEYKEYKEYKEY; hf iclass calcnewkey --oki 0 --nki 7 --elite"
proxmark3 com6 -c "hf iclass managekeys --ki 7 -k C8B2F9456B8D5897; hf iclass wrbl -b 3 -d " + key + " --ki 0"