Point 4 - Creation of the Mk02 on a provider.
Now we must create an Mk02 on provider 02, since the record that precedes the Mk01 we wish to find is located in provider 02.
Here it would be best to refer to the document written by Ctower in order to understand the procedure well and make sure we don't make any mistakes.
We will use the Mk02 we created on Provider 00 (SECA) to create an MK02 key on provider 02.
Let's suppose that the MK02 created on provider 00 was: 00 4F 56 B0 EF C6 9A D4 and that we want to write the key: 01 02 03 04 05 06 07 08 on Provider 02 (we use a simple key which we can choose). First of all we have to encrypt the new Mk02 with the Mk02 of provider 00, since we will use that key to write to the card.
If possible use Trappolone for this. Choose the (De)Crypt & Signature option.
Select Crypt and insert the key to encrypt (01 02 03 04 05 06 07 08); in the 'key of Crypt' field insert the Mk02 of Provider 00 which you found with MKFind and press Calculate.
It then displays the encrypted form of the new MK02 for Provider 02 (01 02 03 04 05 06 07 08 encrypted with the Mk02 of Provider 00), which is what you need to write to the card.
Point 4 - Write key to the provider.
We now open MKFind3.0 and, having set the correct COM port and connected, we write the following command in the bottom window to the left of the Send button:
C1 40 00 02 16 24 00 11 90 52 B1 49 47 CE 0F 66 0D CB 82 (don't press Send yet).
BEFORE PRESSING SEND READ CAREFULLY THE FOLLOWING AND REMEMBER TO CHECK THE AUTOSIGNATURE OPTION
ANALYSIS OF THE COMMAND:
C1 40 = SECA command (refer to alternative documentation, SECA-FAQ)
00 02 = This is the key used to sign the command, i.e. Mk02 of Prov 00
16 = This is the length of the command from "24" to the end of the command (including the MK02 signature), in hex (refer to Ctower's document). However it is always 16 for this command.
24 = nano
00 11 = The ident of provider 02; in the case of this example Cal***+
90 52 = the 52 indicates Mk02
B1 49 47 CE 0F 66 0D CB = This is the new Mk02 encrypted earlier using Trappolone
82 = The end of the command.
If the record that precedes the MK01 is not found in Provider 02, you will have to adapt the command accordingly. For example, if it was in Provider 01, unfortunately you may have to modify the provider with identifier 00 10.
If you want to use another program instead of MKFind always remember to add the signature using Mk02 of Provider 00 to the command (calculating it using Trappolone).
You must NEVER use 90 51, since it corresponds to an MK01 and you would cancel it (what you are looking for!!!!)
Key index values:
50 = MK00
51 = MK01
52 = MK02
5C = Key 0C
5D = Key 0D
5E = Key 0E
Check your command carefully and then press SEND. In the main window you will see the response followed by 90 00.
In this case all is OK; disconnect and exit from MKFind. End of Point 4
Point 5 - Overwriting of the previous record to MK01
At this point, we are ready to overwrite the record preceding the MK01, which helps us to trap the last five bytes of the MK01 that we want to find.
We can use the same command as used previously to write the Mk02 on Provider 02 (making reference to the commands of Ctower). However it is better to use a utility such as ZapXtractor. Open ZapXtractor and select the correct COM port (this is hidden and found near the bottom bar).
Click on the right of the Card button (at the top), and the card data will appear. Take note of this data, specifically the Ident and PPUA. Then click on the Command Options in the bottom left of the window.
In the Command window press the Card Modification button.
At this point, we insert the Provider and the known key; in our example it would be provider 02, known key 02. Alongside the "8" button, we insert our MK02 created in the preceding point: 01 02 03 04 05 06 07 08 (often in the drop-down menus the data is not presented well; don't worry, however, just make sure you choose the right ones).
In our case, given that we have to overwrite the 0E key, we insert the data alongside the "modify/add key" button: we insert the 0E key (primary) and, as the key value, for sake of ease say 90 90 90 90 90 90 90 90. If the preceding record was the PPUA, we will instead have the PPUA filled with 90 90 90 90 alongside it (it often occurs that the preceding record will be the PPUA in provider 01).
At this point, press the "modify / add key" button and then you will see the command to send to the smart card (the program does the signature calculation, saving a lot of time!). Then press Send. End of point 5
Point 6 - Finding the last 5 bytes of MK01
After having closed ZapXtractor we return to CardMasterPlus and we repeat the same actions made in Point 2: Connect and press the 'Records' button. However, this time after we have pressed the "Records" button we will also press the "Dump" button and, as if by magic, we also find in the Trappolone window the last five bytes of the key we are searching for, unencrypted in a plain record.
Obviously we now make a note of this data, or better still we copy it with the usual Ctrl-C into Notepad and then save it!
For Example:
Record 0011 = 5D FF FF FF FF FF FF FF FF 53 00 82
Record 0012 = 5E FF FF FF FF FF FF FF FF 21 00 82
Record 001F = 52 FF FF FF FF FF FF FF FF 49 00 82
Provider 3 . Provider 4 . Provider 5 . Provider 6 . Provider 7 . Provider 8 . Provider 9 . Provider 10 . Provider 11 . Provider 12 . Provider 13 . Provider 14 . Provider 15 . Done.
Records in plain:
Record 0012 = B3 5B E2 4E 36 27 00 81 5E 90 90 90 Done.
B3 5B E2 4E 36 = the last 5 bytes of key MK01 in the clear :))))
27 00 81 = the index of Mk01 (the end of record 13)
5E 90 90 90 = the beginning of record 12, which we overwrote.
Now we must find a word encrypted (CW) with the MK01 for which we are searching.
For this we can use the program MOSC2000: in the Key/Other options we request the CW of the Mk01, selecting the provider and key index.
Alternatively, using MKFind it is possible to type the command C1 5A 01 01 08 in the command window and get the CW of the Mk01 on Provider 01.
The choice is yours!! End of point 6.
Point 7 - Brute force for the first 3 bytes of Mk01
Now, having found the last five bytes of key MK01, we need to find the first three through the brute force method.
This is fast and easy, since finding only three bytes takes less than 30 minutes.
You can use either Trappolone or CocDec35.
We will take CocDec35 as an example as that seems faster to me.
Open CocDec3.5 and go to the SearchKey tab.
In the CW window write the Crypted Word of the MK01 obtained with the command C1 5A 01 01 08 or found through Mosc2000.
In the DW window write 0000000000000000, and in the "key to find" window write 00 00 00 + the five bytes found through CardMasterPlus.
Tick the first three boxes over the 00s, as you want to perform a search on these first three bytes, then press the Go button.
If you want, it is possible to tick the Visualise option and see the keys being tried during processing; this allows you to follow the progress of the testing operation.
Once it has finished you will see in the right-hand window (always assuming that you have executed the instructions of this document scrupulously) your Mk01. There is no point in telling you to take note of it! :)) End of point 7.