Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-11-19 03:56:56

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Legacy iClass EEPROM dump via FTDI

Hi guys,

I've spent the past few weeks reading up on the iClass system and as stated in my introduction post, I'd like to get into it a bit more now.

So I purchased some Revision A readers (R10 and R40) with the aim of acquiring the necessary keys.  Although I found the master key online (and I think a lot of people have as well), I am still trying to figure out the two 8-byte TDES keys which are also needed to communicate with the card.  Besides, I don't want to search for things but rather learn and do things myself.

After reading a few posts on this forum, I realised that because the R10 and R40 types do not have their RS232 Rx and Tx terminals brought out of the potting, I am unable to use the "pic18-iscp" software on GitHub to extract the entire EEPROM contents.  The only option I have is to use the FTDI method which is described in this article:

http://blog.opensecurityresearch.com/20 … -keys.html

But it's been a few days now of trying and no matter how many different things I do, I still can't get a successful dump.  All I get are zeros. 

I've tried the process with a couple of readers, different Vpp voltages, and have even compiled the file with different baud rates.  I have tried running the script on an actual Linux machine and a VM with the same results.

Is there someone who can point me in the right direction?  I'd appreciate it.  Maybe I'm doing something else wrong?

Last edited by AussieBacon (2019-11-19 03:58:32)

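The first post's symptom (every dump comes back as zeros) is the classic signature of a read that never actually happened: a stuck data line, wrong Vpp, or timing the part does not accept. The following is an added example, not code from the thread or from the pic18 dumper tools it mentions, that sanity-checks a dump file before anyone starts hunting for offsets in it. The thresholds and the classification names are assumptions chosen for this example; the sample images are constructed, not real reader contents.

```python
"""Sanity-check a memory dump read over a bit-banged interface.

Added example: classifies a dump as a read failure (constant 0x00/0xFF,
near-zero entropy) or as a plausible memory image, and lists where the
populated regions of a partial dump sit.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_dump(data: bytes) -> dict:
    """Classify a dump as a read failure or a plausible memory image.

    Threshold (entropy < 1.0 bit/byte => "low_entropy") is an assumption for
    this example; a real RAM/EEPROM image normally mixes many byte values,
    while a stuck data line yields a constant 0x00 or 0xFF pattern.
    """
    n = len(data)
    zero_frac = data.count(0x00) / n if n else 1.0
    ones_frac = data.count(0xFF) / n if n else 0.0
    ent = shannon_entropy(data)
    if n == 0:
        verdict = "empty"
    elif zero_frac == 1.0:
        verdict = "all_zero"      # data line stuck low / no response from the part
    elif ones_frac == 1.0:
        verdict = "all_ones"      # data line stuck high / floating pulled-up line
    elif ent < 1.0:
        verdict = "low_entropy"   # almost constant; the read very likely failed
    else:
        verdict = "plausible"
    return {
        "length": n,
        "zero_fraction": round(zero_frac, 3),
        "entropy": round(ent, 3),
        "verdict": verdict,
    }


def nonzero_runs(data: bytes, min_len: int = 8) -> list:
    """Return (offset, length) pairs for runs of non-zero bytes at least
    min_len long, to show which regions of a partial dump hold data."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b != 0 and start is None:
            start = i
        elif b == 0 and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


if __name__ == "__main__":
    # Constructed sample images (not real reader contents).
    failed = bytes(1536)                                   # what a dead read looks like
    sample = bytes(256) + bytes(range(256)) + bytes(1024)  # one populated region
    for name, img in (("failed", failed), ("sample", sample)):
        print(name, analyze_dump(img), nonzero_runs(img))
```

Run it against the actual dump with `analyze_dump(open("dump.bin", "rb").read())`; an `all_zero` or `all_ones` verdict means the problem is on the wire, not in the offsets.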

#2 2019-11-19 20:04:39

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Legacy iClass EEPROM dump via FTDI

It has been several years since I successfully demonstrated the ability to extract iClass RAM memory via the ICSP interface. It is my recollection that the ICSP interface has very specific timing requirements that if not adhered to properly would likely result in failure.

My original design approach utilized a dedicated microcontroller that was programmed in assembly language. I personally never trusted the FTDI bit-bang approach since its ability to be precision controlled is constrained by the OS under which it is being run.

Without knowing anything about your specific setup, I would recommend hooking up a hardware logic analyzer to verify that the ICSP command sequence being generated is consistent with the documented approach and that all PIC 18F452 timing requirements are being met.

Feel free to email me directly if you want a copy of my SX28 microcontroller code that successfully implemented this ICSP hack.

modhex hehjighhhheeeefchjhvifhthbhkhrduhehvht


#3 2019-11-23 08:06:01

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Legacy iClass EEPROM dump via FTDI

Thanks for replying carl55, I've actually just managed to get a successful dump.  It took more effort than I had imagined but the FTDI method worked out finally.

The reader which worked best for me out of the 3 that I had was the RK10.  I also had to compile a custom Linux kernel without any of the USB serial drivers, which I thought would help.

Now to figure out the offsets!


#4 2019-11-23 20:29:22

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Legacy iClass EEPROM dump via FTDI

Ok just an update, I've figured out the offsets (I think?) -- going by the two documents floating around that I've read, it was fairly easy looking at the blocked out sections.

"iClass Key Extraction – Exploiting the ICSP Interface - 1 October 2011" (page 4)
"iClass Reader (RevA) PIC 18F452/18F6621 RAM Dumper Operating Instructions" (page 5)

Now that I've managed to locate where the master, tdes1 and tdes2 keys are, I'll need to figure out what order they are in.

Last edited by AussieBacon (2019-11-23 20:53:19)


#5 2019-11-23 22:24:23

AussieBacon
Contributor
From: Australia & USA
Registered: 2019-11-13
Posts: 11

Re: Legacy iClass EEPROM dump via FTDI

Ok all sorted!

Last edited by AussieBacon (2019-11-27 07:53:06)
