Closed geekman closed 5 years ago
0xBB is an indicator that the iclass demodulation failed. One of those strange quirks in the source code when debug messages are printed to the trace log with intention.
May I suggest you use RRG/Iceman repo for your device. https://github.com/rfidresearchgroup/proxmark3
It has gotten some iClass love.
I'm trying to dump some iClass cards, and I have managed to create dumps with the standard key so far, except for one particular card, which proxmark has difficulty reading completely:
It seems that block `0xD` fails to read, causing the `dump` command to stop short.
My attempts to use `readblk` to read `0xD` also fail, but I am able to read the remaining blocks from `0xE` onwards till `0x1F`.
I thought it was some kind of RF problem, so I tried using `hf list iclass`, and I saw the same data being returned consistently across the read commands, CRC also said OK, but yet the command "failed":
Digging into the source led me to `sendCmdGetResponseWithRetries` where it happened to be checking for `0xBB` in `resp[7]`, which is what the traces show.
I am not an expert in the iClass air protocol, but I believe that the card is returning 8 bytes, as expected because each block is 8 bytes. The last 2 bytes are what I am assuming is the CRC.
In this case, it looks like there is a bug in the error checking logic?
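The ambiguity raised in the post, as an added example (not proxmark3 code and not part of the original thread): an in-band marker such as `0xBB` in `resp[7]` cannot be told apart from block data whose eighth byte happens to be `0xBB`, while a length-plus-CRC check can. The function names, the sample block and the CRC-16 parameters (reflected polynomial 0x8408, initial value 0xE012, low byte first) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_LEN 8   /* iClass block size, per the post */
#define FRAME_LEN 10  /* 8 data bytes + 2 CRC bytes, per the post */

/* Bitwise reflected CRC-16; poly 0x8408 and init 0xE012 are assumed here. */
static uint16_t crc16_assumed(const uint8_t *d, size_t n) {
    uint16_t crc = 0xE012;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0x8408) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* Constructed frame: block data followed by the CRC, low byte first. */
static void build_frame(const uint8_t data[BLOCK_LEN], uint8_t out[FRAME_LEN]) {
    uint16_t crc = crc16_assumed(data, BLOCK_LEN);
    for (int i = 0; i < BLOCK_LEN; i++) out[i] = data[i];
    out[8] = (uint8_t)(crc & 0xFF);
    out[9] = (uint8_t)(crc >> 8);
}

/* In-band marker check as described in the post: 0xBB in resp[7] = failure. */
static bool ok_by_sentinel(const uint8_t *resp) {
    return resp[7] != 0xBB;
}

/* Out-of-band check: accept only a full-length frame whose CRC matches. */
static bool ok_by_len_crc(const uint8_t *resp, size_t got) {
    if (got != FRAME_LEN) return false;
    uint16_t rx = (uint16_t)(resp[8] | (resp[9] << 8));
    return crc16_assumed(resp, BLOCK_LEN) == rx;
}

int main(void) {
    /* Constructed block whose last data byte collides with the marker. */
    const uint8_t data[BLOCK_LEN] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xBB};
    uint8_t frame[FRAME_LEN];
    build_frame(data, frame);
    printf("sentinel ok: %d, len+crc ok: %d\n", ok_by_sentinel(frame), ok_by_len_crc(frame, FRAME_LEN));
    frame[3] ^= 0x10; /* flip one bit to simulate a demodulation error */
    printf("corrupted, len+crc ok: %d\n", ok_by_len_crc(frame, FRAME_LEN));
    return 0;
}
```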