Point 9 - Restoration of the record previous to the record of the MK01

In order to delete the MK02 of the provider of the previous record, repeat the commands in section 4, writing a value of FF FF FF FF FF FF FF FF to MK02 using the MK02 of provider 00 (SECA).
End of point 9.

Point 10 - Erasure of the MK02 of provider 00 (SECA).

Re-open MKFind and, after connecting, choose the "Remove Key" button to delete the MK02 you created.
End of point 10.

OND***tal Summary
So to summarise (this is for advanced users), the way to extract your MK01 for provider 1 is as follows.
1) Write a key (say MK02) to Provider 00 as usual to allow access.
2) List the records using either CardMasterPlus or version 3.1 or higher of MKFind.
3) Identify the MK01 on the Provider 1 record (i.e. record n: 51 xx xx xx xx xx xx xx xx 81).
4) Write to record (n-1) the value 90 90 90 90 90 90 90 90, encrypted with the key generated in stage 1), using nano 24 to modify the provider you are writing to, and sign with MK02 on Provider 00.
e.g. C1 40 02 00 LN 24 xx xx 5x 9x (90 90 90 90 90 90 90 90 encrypted with MK02 Prov 00) + (Sig MK02 Prov 00)
Where xx xx is the ident of the provider in which record (n-1) is located.
N.B. This works easily if the record (n-1) starts 5x and ends either 8x or Cx. However, there have been cases where the record starts 0x and ends either Dx or Ex. I'm still working on this one.
5) Using CardMasterPlus or MKFind 3.1, do another list records followed by a 'dump'. The last 5 bytes shown in the clear in record (n-1) are the last 5 bytes of your MK01.
6) Use brute force on the unknown 3 bytes.
7) So there you have it.
Have fun, Gazer :>)