Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2018-08-16 12:20:55

rayway99
Contributor
Registered: 2018-04-08
Posts: 20

iClass Legacy

Hi,

I am using a ElecHouse EASY PM3 , and got a few questions on iClass legacy

pm3 --> hw version
[[[ Cached information ]]]

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-787-g192aa9ab 2018-04-08 11:49:32
      os: iceman/master/ice_v3.1.0-787-g192aa9ab 2018-04-08 11:49:37
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 237727 bytes (45%) Free: 286561 bytes (55%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

1) somehow for my PM3 i need to run a " readblk " before running the " dump " command, otherwise I will get authentication error
      is there an apparent reason this happened ( happened multiple times on different iclass card I have)?

pm3 --> hf iclass dump k <key>
CSN  | 52 5A 8E 01 F8 FF 12 FF
CCNR | 10 EB FF FF FF FF FF FF
authing with diversified key: 75 4E D3 50 3F 1D B4 FF
authentication error

hf iclass readblk b 08 k <key>
block 08: XX XX XX XX XX XX XX XX

hf iclass dump k <key>
...
saving dump file - 19 blocks read
saved 152 bytes to binary file iclass_tagdump-525a8e01f8ff12ff.bin

2) for the CSN, the command " hf iclass clone f iclass_tagdump-525a8e01f8ff12ff.bin b 06 l 1A k <key> " would not change it, as it is stored in block[00]
    is the CSN similar to the UID in MiFare card where it will be used for authentication or it depends on the access control system?
    the card being written now has block 5-12 Identical to the original card, with block 0-4 of different values
         is this considered as a full clone or not?

3) what does CCNR stands for? I have a iClass card whose values seem to change over-time when I read it off PM3

4) how do I know when to use "b 06 l 1A" or just "b 06 l 09" from the "hf iclass reader 1" command output?

CSN: A7 8E 67 01 F8 FF 12 E0
    CC: FE FF FF FF FF FF FF FF
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Secured page, keys not locked
        RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-12
        AA2: blocks 13-1F
        OTP: 0xFFFF
...
 App IA: FF FF FF FF FF FF FF FF
      : Possible iClass (legacy tag)
Valid iClass Tag (or PicoPass Tag) Found

Thanks in advance
#(I did read thru all the iClass threads here but I guess iClass is a very different species which seems a lot complicated than the rest to me)

Last edited by rayway99 (2018-08-16 12:23:29)

Offline

Board footer

Powered by FluxBB