Proxmark developers community


#1 2018-08-13 05:52:40

kchung
Contributor
Registered: 2016-04-18
Posts: 25

Unprogrammed iClass cards/fobs

I am looking at purchasing some iClass fobs from eBay but I am unsure if I will get programmed or non-programmed iClass tags.

What is the difference between them and if they arrived non-programmed, is it possible for me to program them with or without the master keys?


#2 2018-08-13 16:24:48

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 145

Re: Unprogrammed iClass cards/fobs

kchung wrote:

I am looking at purchasing some iClass fobs from eBay but I am unsure if I will get programmed or non-programmed iClass tags.

The keyfobs that you get will depend on the part number. If the fifth digit of the part number is a "P" then the fobs will already have been programmed. If the fifth digit is a "C" then the fob is "Configured", which means that Blocks 7, 8 and 9 will still need to be programmed with the access control data payload. Block 6 will also need to be modified if you want to utilize encryption for the access control payload or if you need to embed a PIN.


kchung wrote:

What is the difference between them?

The difference between the two types of fobs is simply what is programmed in blocks 6-9.
Below are two example dumps, the first one is from a factory programmed credential and the second one is a "Configured" credential.

Blk   Stored Value    Decrypted Value
00  DC71D500F8FF12E0  ----------------
01  12FFFFFF7F1FFF3C  ----------------
02  FEFFFFFFFFFFFFFF  ----------------
03  FFFFFFFFFFFFFFFF  ----------------
04  FFFFFFFFFFFFFFFF  ----------------
05  FFFFFFFFFFFFFFFF  ----------------
06  030303030003E017  ----------------
07  B91061FD1D6DE91C  0000000004E201D7
08  2AD4C8211F996871  0000000000000000
09  2AD4C8211F996871  0000000000000000
0A  FFFFFFFFFFFFFFFF  ----------------
0B  FFFFFFFFFFFFFFFF  ----------------
0C  FFFFFFFFFFFFFFFF  ----------------
0D  FFFFFFFFFFFFFFFF  ----------------
0E  FFFFFFFFFFFFFFFF  ----------------
0F  FFFFFFFFFFFFFFFF  ----------------
10  FFFFFFFFFFFFFFFF  ----------------
11  FFFFFFFFFFFFFFFF  ----------------
12  FFFFFFFFFFFFFFFF  ----------------
13  FFFFFFFFFFFFFFFF  ----------------
14  FFFFFFFFFFFFFFFF  ----------------
15  FFFFFFFFFFFFFFFF  ----------------
16  FFFFFFFFFFFFFFFF  ----------------
17  FFFFFFFFFFFFFFFF  ----------------
18  FFFFFFFFFFFFFFFF  ----------------
19  FFFFFFFFFFFFFFFF  ----------------
1A  FFFFFFFFFFFFFFFF  ----------------
1B  FFFFFFFFFFFFFFFF  ----------------
1C  FFFFFFFFFFFFFFFF  ----------------
1D  FFFFFFFFFFFFFFFF  ----------------
1E  FFFFFFFFFFFFFFFF  ----------------
1F  FFFFFFFFFFFFFFFF  ----------------

Blk   Stored Value    Decrypted Value
00  E298E500F7FF12E0  ----------------
01  12FFFFFFF91FFF3C  ----------------
02  FEFFFFFFFFFFFFFF  ----------------
03  FFFFFFFFFFFFFFFF  ----------------
04  FFFFFFFFFFFFFFFF  ----------------
05  FFFFFFFFFFFFFFFF  ----------------
06  000000000000E014  ----------------
07  FFFFFFFFFFFFFFFF  ----------------
08  FFFFFFFFFFFFFFFF  ----------------
09  FFFFFFFFFFFFFFFF  ----------------
0A  FFFFFFFFFFFFFFFF  ----------------
0B  FFFFFFFFFFFFFFFF  ----------------
0C  FFFFFFFFFFFFFFFF  ----------------
0D  FFFFFFFFFFFFFFFF  ----------------
0E  FFFFFFFFFFFFFFFF  ----------------
0F  FFFFFFFFFFFFFFFF  ----------------
10  FFFFFFFFFFFFFFFF  ----------------
11  FFFFFFFFFFFFFFFF  ----------------
12  FFFFFFFFFFFFFFFF  ----------------
13  FFFFFFFFFFFFFFFF  ----------------
14  FFFFFFFFFFFFFFFF  ----------------
15  FFFFFFFFFFFFFFFF  ----------------
16  FFFFFFFFFFFFFFFF  ----------------
17  FFFFFFFFFFFFFFFF  ----------------
18  FFFFFFFFFFFFFFFF  ----------------
19  FFFFFFFFFFFFFFFF  ----------------
1A  FFFFFFFFFFFFFFFF  ----------------
1B  FFFFFFFFFFFFFFFF  ----------------
1C  FFFFFFFFFFFFFFFF  ----------------
1D  FFFFFFFFFFFFFFFF  ----------------
1E  FFFFFFFFFFFFFFFF  ----------------
1F  FFFFFFFFFFFFFFFF  ----------------

kchung wrote:

If they arrived non-programmed is it possible for me to program them with or without the master keys?

Programming a "Configured" credential requires knowledge of the card's Diversified key, since the cryptographic signature used during a block write operation can only be calculated using that credential's Kdiv.
Since Kdiv is calculated using the Master Authentication Key and the credential CSN, you will definitely need the key in order to program the fob. However, since the legacy iClass master key is readily available on the internet, that should not be an issue.
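
As an added example (not part of carl55's post and not Proxmark code): a Python sketch that parses a dump in the three-column layout shown above and reports whether blocks 7-9 hold a payload, together with the fifth-character part-number check. The part numbers `0000PXXXX` and `0000CXXXX` are constructed placeholders, and the "mixed" result is a label chosen for this example.

```python
import re

BLANK = "FF" * 8  # unwritten 8-byte block, as blocks 07-09 read in the second dump
ROW = re.compile(r"^([0-9A-F]{2})\s+([0-9A-F]{16})\s+([0-9A-F]{16}|-{16})$", re.I)

def parse_dump(text):
    """Map block number -> (stored hex, decrypted hex or None)."""
    blocks = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # header row, blank line or anything that is not a block row
        blk, stored, dec = m.groups()
        blocks[int(blk, 16)] = (stored.upper(), None if dec[0] == "-" else dec.upper())
    return blocks

def classify_dump(blocks):
    """Judge the credential by blocks 7-9, which carry the access control payload."""
    missing = [b for b in (7, 8, 9) if b not in blocks]
    if missing:
        raise ValueError(f"dump has no row for blocks {missing}")
    blank = [blocks[b][0] == BLANK for b in (7, 8, 9)]
    if all(blank):
        return "configured"   # payload still to be written
    if not any(blank):
        return "programmed"
    return "mixed"            # label chosen for this example, not a term from the post

def classify_part_number(part_number):
    """Fifth character of the part number: P = programmed, C = configured."""
    if len(part_number) < 5:
        raise ValueError("part number shorter than five characters")
    return {"P": "programmed", "C": "configured"}.get(part_number[4].upper(), "unknown")

# Rows 06-09 copied from the two dumps in the post above.
FACTORY = """Blk   Stored Value    Decrypted Value
06  030303030003E017  ----------------
07  B91061FD1D6DE91C  0000000004E201D7
08  2AD4C8211F996871  0000000000000000
09  2AD4C8211F996871  0000000000000000"""
CONFIGURED = """Blk   Stored Value    Decrypted Value
06  000000000000E014  ----------------
07  FFFFFFFFFFFFFFFF  ----------------
08  FFFFFFFFFFFFFFFF  ----------------
09  FFFFFFFFFFFFFFFF  ----------------"""

if __name__ == "__main__":
    for name, dump in (("first dump", FACTORY), ("second dump", CONFIGURED)):
        print(name, "->", classify_dump(parse_dump(dump)))
    # Constructed placeholder part numbers, not real catalogue entries.
    print(classify_part_number("0000PXXXX"), classify_part_number("0000CXXXX"))
```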


#3 2018-08-28 18:06:34

seanedu
Contributor
From: Toronto,Canada
Registered: 2017-04-12
Posts: 81

Re: Unprogrammed iClass cards/fobs

Hi, everyone, I am in the same boat with kchung, I like to also buy some iClass fob from eBay as well, but know which fob to order, configured or programmed fob. What carl55 mentioned was, if I understood correctly, configured fob can be rewritten if I know the HID master key, does that also mean that programmed fob can't be rewritten? I like someone to point out to me to be cleared. So far I've learned a lot about iClass, still so complicated to me, but I still read a lot on the forum to reach up to clone iClass fob with pm3. Thanks in advance...

Last edited by seanedu (2018-08-28 18:07:34)
