Hello everyone, I just recently got up and running thanks to some great help over at the Linux client area of the forum.
I have figured out what tag I have as my first test tag and it seems to be an iClass. I have successfully read the tag and have the CSN, but this first project was an attempt to clone a tag. I have 2 sample cards (presumably one HF and one LF) but I do not see any straightforward way to write a CSN to a tag.
Is this functionality possible in the OS: svn 752 2013-07-04 20:51:56 version of the software?
Thanks
Thanks to Roel & his software iclassified (http://www.proxmark.org/files/Various%20Software/iClass/iclassified.tar.gz).
I have been able to successfully write to an iclass card. The demo software only appears to work on XP (for me anyway), and needed some tinkering with winscard, in order for it to compile. Most importantly you need the Omnikey 5321 which allows writing to cards.
Will have to try and figure out how to port/update the code to work on Vista+ & linux, but the code is out there...
> Thanks to Roel & his software iclassified (http://www.proxmark.org/files/Various%20Software/iClass/iclassified.tar.gz).
> I have been able to successfully write to an iclass card. The demo software only appears to work on XP (for me anyway), and needed some tinkering with winscard, in order for it to compile. Most importantly you need the Omnikey 5321 which allows writing to cards.
> Will have to try and figure out how to port/update the code to work on Vista+ & linux, but the code is out there...
Hi, may I please ask what types of cards you use to write the clone to?
Also by any chance did you end up updating the code for Windows versions above XP?
Thanks
I bought 10x class cards from someone on eBay.
No, the s/w still on XP; Just haven't had the time lately.
> I bought 10x class cards from someone on eBay.
I had presumed that the standard iclass cards couldn't be written to clone a different iclass card to it? So I could just buy normal iclass cards on eBay like this one http://www.ebay.com/itm/301584386290 ?
Thanks
You could. Need the key, though, unless you already have it. And obviously you can't write a new CSN.
You don't need to personally know any keys with the Omnikey v5321, they're stored in the device's memory; key slots 20 & 21
Yes, those normal iclass cards will do fine
> You could. Need the key, though, unless you already have it. And obviously you can't write a new CSN.
Hi, Thanks for your reply. I am fairly new to this so please bear with me.
I am wanting to clone an iClass card. You mention that I can't write a new CSN. Is this the same as the UID?
Does the system check the card's CSN? To clone a card is it necessary to write the new CSN?
Thanks
Uid=csn
I believe most systems would not care about CSN. Do you know if it is std or elite? Different keys...
> Uid=csn
> I believe most systems would not care about CSN. Do you know if it is std or elite? Different keys...
I am not certain but believe it is standard.
I have installed the cardman_synchronous_api_v1_1_1_4.exe & OMNIKEY5x21_V1_2_3_1 drivers/programs on Windows XP.
The OMNIKEY 6321 shows up in Device Manager with driver version: 1.2.9.2
If I open up ContactlessDemoVC.exe the reader will show up as connected and I can see the ATR, UID and card name (ICLASS 2KS).
But if I open iclassified program, it will show:
Connecting to reader: OMNIKEY 6321 0...Failed
Connecting to reader: OMNIKEY 6321-CL 0... Failed
Error: Could not find OMNIKEY Reader
Do you know what may be wrong? Or any help how I can clone my card?
Thanks a lot.
> Thanks to Roel & his software iclassified (http://www.proxmark.org/files/Various%20Software/iClass/iclassified.tar.gz).
> ... and needed some tinkering with winscard, in order for it to compile. ...
Sorry I am not technical enough to understand winscard but do you think this could be the problem causing my Connecting to Reader Failed error?
Hi midnitesnake,
I wanted to PM you, but can't find a PM function on this forum?
Thanks for your help with my previous questions. I am really trying to clone an iclass (PicoPass 2K) card. I know you are busy so I am happy to pay you for your time.
Currently I have an Omnikey 6321 as http://www.openpcd.org/HID_iClass_demystified seemed to indicate that 5321/6321 were more or less the same but I am happy to buy the Omnikey 5321 if you have more experience with it.
If you are willing to help me either by meetup if in Sydney or Melbourne or by teamviewer if elsewhere, can you please contact me and let me know how much? My email is: gm121@hotmail.com
Thanks a lot.
Hi,
I have made some progress on copying my card but not there yet!
I got an Omnikey 5321 reader and got it connected with iClassified. I was also able to view the Data blocks output in CopyClass software after entering the Authentication key.
Here is the output from iClassified from a card that I got from eBay:
Connecting to reader: OMNIKEY CardMan 5x21-CL 0...OK
csn: f1 6a 1d 01 f8 ff 12 e0
conf: 12 ff ff ff 7f 1f ff 3c
App1: block [06-12]
App2: block [13-1f]
iss: ff ff ff ff ff ff ff ff
block6: 03 03 03 03 00 03 e0 17
But my problem is now, how do I clone the data to a new card in iClassified? There is no help or readme file that lists commands. And I have Googled but can't find any webpage that provides any guidance?
Can anyone please help me on how to clone the card data from one card to another using iClassified?
I have been playing around with writing iclass tags and had some weird results; if anyone could explain them, that would be great.
I have several test cards. Some are blank, unused cards that I got from eBay; others are existing cards that were disabled in the backend control system.
When I copy block 7 onto a blank card it works.
When I copy block 7 onto the existing card it failed.
Some docs I read said to copy blocks 6-9; that works on the blank cards but fails on the existing card, but the reader flashes blue for a second.
I then did a full dump of the existing card with the proxmark and found there was some data in blocks 0A to 10.
What I found is that if I set blocks 0A to 10 with all FF's to mirror a blank unused card then the clone would work copying blocks 6-9, but if there is the existing data in 0A-10 then the clone failed.
Does anyone know what blocks 0A-10 are on the card?
From my understanding it's part of APP1 for these cards, with the docs saying app 1 goes 6-12 (11, 12 are already all FFs).
But I have no idea what this data might be that causes the clones to fail.
Also, as another note, block 0C appears static over multiple cards.
I believe that you are encountering several different problems that can be attributed to several factors.
First off, unless you know exactly what you are doing you should always copy blocks 6-9 when you are attempting to clone an iclass card. Block 6 contains important formatting and encryption information about the data in the remainder of the data blocks. If you simply copy Block 7 the data may not be read or decrypted correctly when it is read and decoded by the reader. Cards that are programmed at the HID factory appear to always use TDES encryption whereas cards that are sold as "Initialized" and later programmed in the field have encryption disabled. I have found that many of the cards used in Australia fall into the latter category whereas most of the cards used in the United States are encrypted. If you try and copy just Block 7 from a US card to an Australian card then it will likely fail.
Since you mentioned that your reader "flashes blue" it would appear that you are using an iClass SE reader. Most SE readers can read two different types of iclass data payloads, "Legacy" and "SIO Enabled (SE)". Legacy iClass data is stored in blocks 6-9 whereas iClass SIO data is stored in blocks 10-16. Depending on the type of iClass card you have (Legacy, SE, or SR) the data read by the reader will be different. If you read the following paper I have provided a little more information about how the data is stored in these three types of cards.
http://www.proxclone.com/pdfs/Spoofing_iClass.pdf
The bottom line is that when you are cloning iClass cards you need to be aware of what type of reader is being used, what type of card is being cloned, which keyset is being used and whether encryption is being used ... or you may not be successful.
Hi Carl55
Thanks for the information. I will give that document a read today.
Cloning just block 7 only worked when cloning onto the uninitialized cards.
6-9 was needed for the initialized ones.
I may be barking up the wrong tree here, the readers are SE readers.
Given the behaviour observed could it be possible that in regular use on an official card it is using the SE mode and reading the data in blocks 10-16 but if that data does not exist (blanked out with all FFs) is it possible that the reader is falling back into legacy mode and allowing the clone to work with just the data in blocks 6-9?
Last edited by atwolf (2015-06-24 00:15:48)
Yes, your theory is correct. If an iClass SE reader is used to read an iclass SR card containing two data payloads then it will first attempt to read the SIO payload stored in Blocks 10-16. If that read fails (due to corrupted data) then it will attempt to read the legacy iclass payload stored in blocks 6-9. Normally since the two data payloads contain the same card data information a corrupted read would be dealt with automatically by the reader while being totally transparent to the end user.
However, if your card was an SE card and not an SR card then a corrupted SIO payload would result in a read error since it is the "only" data payload stored on an SE card.
Thank you, that helped a lot.
They are indeed SR cards and have both payloads.
Deliberately corrupting blocks 10-16 is a nice way to force legacy mode when dealing with an SE system with SR cards.
Now to see if it can be stopped
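The payload layout discussed in the exchange above can be turned into an inventory check. This is an added example, not part of any post in this thread: it classifies raw card dumps as Legacy, SE or SR from which block ranges hold data, and lists the SR cards that an SE reader would still accept through its legacy fallback. The all-FF blank test, the use of blocks 7-9 as the legacy indicator, the function names and the sample dumps are assumptions constructed for illustration.

```python
# Added example: classify iClass dumps by which payload regions hold data.
BLOCK_SIZE = 8
BLANK = b"\xff" * BLOCK_SIZE      # assumption: an unused block reads all FF
LEGACY_DATA = range(7, 10)        # legacy payload is blocks 6-9; block 6 is
                                  # format info, so only 7-9 are tested here
SIO_DATA = range(10, 17)          # SIO payload, blocks 10-16 (0x0A-0x10)


def split_blocks(dump: bytes) -> list:
    """Split a raw dump into 8-byte blocks, rejecting short or ragged input."""
    if len(dump) % BLOCK_SIZE or len(dump) < 17 * BLOCK_SIZE:
        raise ValueError("need whole 8-byte blocks covering blocks 0-16")
    return [dump[i:i + BLOCK_SIZE] for i in range(0, len(dump), BLOCK_SIZE)]


def populated(blocks: list, region: range) -> bool:
    """True if any block in the region differs from the blank pattern."""
    return any(blocks[i] != BLANK for i in region)


def classify(dump: bytes) -> str:
    """Return 'SR', 'SE', 'Legacy' or 'blank' for one card dump."""
    blocks = split_blocks(dump)
    legacy = populated(blocks, LEGACY_DATA)
    sio = populated(blocks, SIO_DATA)
    if legacy and sio:
        return "SR"               # both payloads: legacy fallback is possible
    if sio:
        return "SE"               # SIO only: a failed SIO read is a read error
    return "Legacy" if legacy else "blank"


def fallback_exposed(cards: dict) -> list:
    """Names of cards that still carry a legacy payload beside the SIO one."""
    return sorted(name for name, dump in cards.items()
                  if classify(dump) == "SR")


def sample(legacy: bool, sio: bool) -> bytes:
    """Constructed 32-block dump; payload bytes are filler, not card data."""
    blocks = [BLANK] * 32
    blocks[6] = bytes.fromhex("030303030003e017")  # block 6 as printed earlier
    for i in (LEGACY_DATA if legacy else ()):
        blocks[i] = bytes([0xA0 + i]) * BLOCK_SIZE
    for i in (SIO_DATA if sio else ()):
        blocks[i] = bytes([0x50 + i]) * BLOCK_SIZE
    return b"".join(blocks)
```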
> Hi,
> I have made some progress on copying my card but not there yet!
> I got an Omnikey 5321 reader and got it connected with iClassified. I was also able to view the Data blocks output in CopyClass software after entering the Authentication key.
> Here is the output from iClassified from a card that I got from eBay:
> Connecting to reader: OMNIKEY CardMan 5x21-CL 0...OK
> csn: f1 6a 1d 01 f8 ff 12 e0
> conf: 12 ff ff ff 7f 1f ff 3c
> App1: block [06-12]
> App2: block [13-1f]
> iss: ff ff ff ff ff ff ff ff
> block6: 03 03 03 03 00 03 e0 17
> But my problem is now, how do I clone the data to a new card in iClassified? There is no help or readme file that lists commands. And I have Googled but can't find any webpage that provides any guidance?
> Can anyone please help me on how to clone the card data from one card to another using iClassified?
I am having the same issue. I can get card data but am unsure of what to do next. I also have the correct api installed and driver for the 5321. I can run ContactlessVC.exe and read a tag. But also unsure what to do after that. Thanks for any help.
I can also read the card using iclassified. But nowhere are there any instructions on how to get the data from blocks 6-9 and write it to another card.
I thought I'd reuse this thread as it is related to the issue I am having.
I dumped an elite card and am trying to write it on a factory configured standard security card. Using clone to write block 6-12 is all good. However, after doing calcnewkey o dumpeliitecardkey n masterkey s newcard-csn and trying to write the XOR key output to block 3 both with the proxmark or the omnikey 6321 it ends in tears. That is, the factory configured iclass card is giving me authentication failed (0x6983) and 3 of my brand new cards are now useless. What am I doing wrong here?
Last edited by meccan (2015-11-25 13:33:16)
How can I modify main.c of iclassified to write block 6-9 to a card?