Before the mistake:
Initially, dumped able to dump the card with key 4:
[usb] pm3 --> hf iclass dump --ki 4
[+] Using AA1 (debit) key[4] B8 5B 8C E0 A0 D8 B6 BF
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | C3 2A C6 11 FE FF 12 E0 | .*...... | | CSN
[=] 1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< | | Config
[=] 2/0x02 | FC FF FF FF FF FF FF FF | ........ | | E-purse
[=] 3/0x03 | 21 79 AE 04 D8 8F 08 DB | !y...... | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | ........ | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | ........ | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | ........ | | User / HID CFG
[=] 7/0x07 | E7 D2 3D 7E 3A C7 A9 1A | ..=~:... | | User / Enc Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq | | User / Enc Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *..!..hq | | User / Enc Cred
[=] 10/0x0A | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 11/0x0B | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 12/0x0C | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 13/0x0D | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 14/0x0E | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 15/0x0F | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 16/0x10 | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 17/0x11 | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] 18/0x12 | 3A 66 BD BD 5A 17 74 4B | :f..Z.tK | | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[+] saving dump file - 19 blocks read
[+] Saved 152 bytes to binary file `/home/arthur/hf-iclass-C32AC611FEFF12E0-dump-010.bin`
[+] Saved to json file /home/arthur/hf-iclass-C32AC611FEFF12E0-dump-010.json
[?] Try `hf iclass decrypt -f` to decrypt dump file
[?] Try `hf iclass view -f` to view dump file
Following a guide to write blocks on this forum, but somehow my keyboard screw up and without noticing, I wrote the wrong block with wrong data
[usb] pm3 --> hf iclass wrbl --blk 2 -d 94FCFFFFFFFFFFFF --ki 4
[+] Using key[4] B8 5B 8C E0 A0 D8 B6 BF
[+] Wrote block 2 / 0x02 ( ok )
After the mistake:
However, the cards info still pick up as iCLASS LEGACY:
[usb] pm3 --> hf iclass info
[=] --- Tag Information ----------------------------------------
[+] CSN: C3 2A C6 11 FE FF 12 E0 uid
[+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
[+] E-purse: FF FF FF FF 94 FC FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key ( hidden )
[+] Kc: 00 00 00 00 00 00 00 00 credit key ( hidden )
[+] AIA: FF FF FF FF FF FF FF FF application issuer area
[=] -------------------- Card configuration --------------------
[=] Raw... 12 FF FF FF 7F 1F FF 3C
[=] 12 ( 18 )............. app limit
[=] FFFF ( 65535 )...... OTP
[=] FF............ block write lock
[=] 7F......... chip
[=] 1F...... mem
[=] FF... EAS
[=] 3C fuses
[=] Fuses:
[+] mode......... Application (locked)
[+] coding....... ISO 14443-2 B / 15693
[+] crypt........ Secured page, keys not locked
[=] RA........... Read access not enabled
[=] PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=] 2 KBits/2 App Areas ( 256 bytes )
[=] 1 books / 1 pages
[=] First book / first page configuration
[=] Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=] AA1 | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=] AA2 | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read AA1..... debit
[=] Write AA1.... debit
[=] Read AA2..... credit
[=] Write AA2.... credit
[=] Debit........ debit or credit
[=] Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+] CSN.......... HID range
[+] Credential... iCLASS legacy
[+] Card type.... PicoPass 2K
[+] Card chip.... NEW Silicon (No 14b support)
But it can never find a key:
[usb] pm3 --> hf iclass chk --vb6kdf
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
🕗 Chunk [4953/5000]
[+] time in iclass chk 66.4 seconds
[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] Loaded 29 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_default_keys.dic`
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...
🕒 Chunk [000/29]
[+] time in iclass chk 0.9 seconds
[usb] pm3 --> hf iclass chk -f iclass_elite_keys.dic --elite
[+] Loaded 729 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_elite_keys.dic`
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
🕘 Chunk [635/729]
[+] time in iclass chk 10.0 seconds
Check key is also impossible:
[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] Loaded 29 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_default_keys.dic`
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...
🕒 Chunk [000/29]
[+] time in iclass chk 0.9 seconds
[usb] pm3 --> hf iclass chk -f iclass_elite_keys.dic --elite
[+] Loaded 729 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_elite_keys.dic`
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
🕘 Chunk [635/729]
[+] time in iclass chk 10.0 seconds
[usb] pm3 --> hf iClass chk --vb6kdf --elite
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
🕛 Chunk [4953/5000]
[+] time in iclass chk 66.4 seconds
[usb] pm3 --> hf iClass chk --vb6kdf
[+] Reading tag CSN / CCNR...
[+] CSN: C3 2A C6 11 FE FF 12 E0
[+] CCNR: FF FF FF FF 94 FC FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
🕓 Chunk [4953/5000]
[+] time in iclass chk 66.4 seconds
Reading block is impossible now:
[usb] pm3 --> hf iclass rdbl --blk 2 --ki 4
[+] Using key[4] B8 5B 8C E0 A0 D8 B6 BF
[usb] pm3 --> hf iclass rdbl --blk 2 --ki 0
[+] Using key[0] AE A6 84 A6 DA B2 32 78
[usb] pm3 --> hf iclass rdbl --blk 2 --ki 0 --elite
[+] Using key[0] AE A6 84 A6 DA B2 32 78
[usb] pm3 --> hf iclass rdbl --blk 2 --ki 4 --elite
[+] Using key[4] B8 5B 8C E0 A0 D8 B6 BF
Dump is not possible as key is sort of unknown:
[usb] pm3 --> hf iclass dump --ki 4
[+] Using AA1 (debit) key[4] B8 5B 8C E0 A0 D8 B6 BF
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass dump --ki 4 --elite
[+] Using AA1 (debit) key[4] B8 5B 8C E0 A0 D8 B6 BF
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass dump --ki 0 --elite
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
Is the tag bricked. Any suggestion to restore the card functionality?