iClass is coming...

marshmellow · 2014-12-19 16:47:56

I too appreciate your contributions Holiman.

holiman · 2015-02-22 19:42:21

Thanks!

I am now implementing full-sim (I have also implemented decrypt, but you need the hid decryption key which is not checked in with the code). That requires the tag (the ARM) to calculate MAC. I did some quick tests yesterday (was in a bit of a hurry), it took about 2ms for the tag to answer with the MAC - carl55 said it needs to be around ~300us. So the time there needs to be shaved with almost an order of magnitude.

I think there are some easy time savings (such as disabling a wait in there). Also, I implemented loclass without any optimizations - aiming for a pure reference implementation, so there are probably some time which can be saved there, but in order to succeed I believe I need to alter the MAC algorithm and do the 24 zeroes in one go, or something. It's an interesting problem, for sure..

carl55 · 2015-02-23 00:18:38

Holiman,
The Inside Secure datasheet states that the PicoPass transponder (used in iclass cards) responds to a "SELECT" authentication command with its calculated MAC in 330 microseconds. I had tried (unsuccessfully)a few months ago to build an iclass simulation/spoofer circuit. I couldn't get it to work since my microcontroller took around 3 milliseconds to calculate the MAC which was longer than the iclass reader was willing to wait for the response.

I have since redesigned my circuit to use a CPLD to perform the cipher algorithm which brought my MAC calculation time down to approximately 4 microseconds. My simulation/spoofer circuit now works properly and is able to interract with an iclass reader just like a standard iclass card/fob.

After reading your post above, I decided to run several test cases today with my circuit whereby I varied the authentication response time. My testing indicated that a Revision C R10 iclass reader allowed a response time of up to approximately 2.4 milliseconds before it stopped working.

Bottom Line: If you got the Proxmark3 ARM calculation time down to 2 milliseconds then it looks like that should be acceptable. Nice Work!!

holiman · 2015-02-25 22:11:50

carl55 wrote:

Bottom Line: If you got the Proxmark3 ARM calculation time down to 2 milliseconds then it looks like that should be acceptable. Nice Work!!

That's great! Looks like we'll have full simulation on proxmark then! I'm at a ski resort now, coding a bit in the evenings. I have created an optimized version of the MAC-calculation which runs in about 1/3 of the time compared to the original, and is more easily embeddable. I haven't compared in on ARM, only on my laptop. And I haven't measured the pm3 with a DSO either, that'll have to wait until I'm back at home. The new code is in github/loclass at the moment, not yet implemented in pm3 .

holiman · 2015-02-26 21:13:19

I've now done some measurements on the ARM-side. Purely doing the old MAC calculation before optimizations took 1832 uS per MAC, so 1.8 ms. The optimized version runs in 562 us, so I estimate that we could get a response out within 700 us at least.

Edit: This has now been committed to github. I haven't tested the simulation with the new code yet, it'll have to wait a few more days.

Last edited by holiman (2015-02-26 21:27:15)

holiman · 2015-03-02 01:18:02

More progress.. After the timing was removed as a potential issue, I had a doh-moment where I realized that I've been using the wrong MAC-calculation. The tag needs to feed an additional 32 zeroes into the cipher - I hadn't done that, trying to use the reader-MAC instead of the tag-MAC.

I added another MAC-calculation function into loclass for that, will commit to proxmark also soon. I also figured that for the tag-mac, I can perform the MAC calculation in two steps, first feeding the cipher with the tag challenge (which I know as soon as we start simulating), then reusing the cipher state and feeding the reader nonce and the 32 zeroes in real time.

On my computer, I get these numbers:

Std: 0.433230
Opt: 0.117461
----
[+] Testing tag MAC
[+] opt tag-mac calc equals tag-mac calc : OK!
[+] 2-step opt tag-mac calc equals tag-mac calc : OK!
1-step tag MAC std = 5aa2af92
1-step tag MAC opt = 5aa2af92
2-step tag MAC opt = 5aa2af92

Std:    0.543462
Opt:    0.142796
2s-Opt: 0.084912

The function which gave ~2ms on ARM was Std (0.43ms on my laptop). It increased to 0.54 ms with the additional zeroes, but the two-step version went down to 0.08ms, so the execution time is down to a fifth of the original.

I'll test the sharp code against a reader tomorrow.

iceman · 2015-03-02 10:48:49

You are good, Holiman!

holiman · 2015-03-02 22:21:54

Finally...

#./proxmark3 /dev/pm3-1 
proxmark3> hf iclass eload f iclass_tagdump-f3162e00f8ff12e0.bin 
	Mode: Application [Locked]          
	Coding: ISO 14443-2 B/ISO 15693          
	Crypt: Secured page, keys not locked          
	RA: Read access not enabled          
	Mem: 2 KBits ( 32 * 8 bytes)          
	AA1: blocks 6-18          
	AA2: blocks 19-          
Sent 256 bytes of data to device emulator memory          
proxmark3> hf iclass sim 3
#db# Simulating CSN f3162e00f8ff12e0                 
#db# Button pressed                 
#db# Done...

.... And BEEP goes the reader, flashing the green led.

Committed to master : https://github.com/Proxmark/proxmark3/c … 42ddfe5d79

asper · 2015-03-03 09:19:14

N.1 !

iceman · 2015-03-03 09:56:43

übermaster!

holiman · 2015-03-03 18:07:08

Thank you!

marshmellow · 2015-04-01 15:13:47

Great work with all the iclass stuff holiman. thanks.

quick question, when simulating what does "Unknown command from reader (len=4): c 5 de 64 44 44 44 44 44 mean?

that is all i get from one iclass reader when attempting a sim. if i try a serial number outside xxxxxxxxCxFF12E0 it doesn't respond at all, but with one that matches that mask it gives the above output.

holiman · 2015-04-01 16:03:27

What 'sim' operation are you using ?
The 'unknown command' is a misnomer, it's more like "unhandled command". If you're simming csn, and not fullsim, it will say this when e.g. the reader tries to authenticate or read data.
Here's an excerpt from one of my readings:

     19008 |     19008 | Rdr | 0c  01  fa  22                           |     | READ(1)
     22064 |     22064 | Tag | 12  ff  ff  ff  7f  1f  ff  3c  8c  87   |     |
     22064 |     22064 | Rdr | 0c  02  61  10                           |     | READ(2)
     25120 |     25120 | Tag | fe  ff  ff  ff  ff  ff  ff  ff  55  74   |     |
     25120 |     25120 | Rdr | 0c  03  e8  01                           |     | READ(3)
     28176 |     28176 | Tag | ff  ff  ff  ff  ff  ff  ff  ff  ea  f5   |     |
     28176 |     28176 | Rdr | 0c  04  57  75                           |     | READ(4)
     31232 |     31232 | Tag | ff  ff  ff  ff  ff  ff  ff  ff  ea  f5   |     |
     31232 |     31232 | Rdr | 0c  05  de  64                           |     | READ(5)

What you're seeing is READ(5) (0C: read, 05: block, DE 64: CRC)

Last edited by holiman (2015-04-01 16:05:08)

marshmellow · 2015-04-01 16:06:08

Cool. Thanks. BTW I believe the serial number mask is as I outlined above.

joe · 2015-04-11 16:47:06

pentura_prox wrote:

Sneak preview of what I've been working on....

> hf iclass reader 0
#db#      Selected CSN: 90 e9 74 01 f7 ff 12 e0                 
#db# Readcheck on Sector 2                 
#db#      CC: fa f7 ff ff ff ff ff ff                 
#db# Authenticate                 
#db#      CC: c5 8e a4 00                 
#db# Dump Contents                 
#db#      00: xx xx xx xx f7 ff 12 e0                 
#db#      01: 12 ff ff ff e9 7f ff 3c                 
#db#      02: fa f7 ff ff ff ff ff ff                 
#db#      03: ff ff ff ff ff ff ff ff                 
#db#      04: ff ff ff ff ff ff ff ff                 
#db#      05: ff ff ff ff ff ff ff ff                 
#db#      07: d2 5e ea ba ab 2c 7a 93                 
#db#      08: 2a d4 c8 21 1f 99 68 71                 
#db#      09: 2a d4 c8 21 1f 99 68 71                 
#db#      0a: ff ff ff ff ff ff ff ff                 
#db#      0b: ff ff ff ff ff ff ff ff                 
#db#      0c: ff ff ff ff ff ff ff ff                 
#db#      0e: ff ff ff ff ff ff ff ff                 
#db#      0f: ff ff ff ff ff ff ff ff

Why my output are totally different with.. ?? any one can help. thanks.

proxmark3> hf iclass reader 0
#db# Failed to dump config block
Readstatus:16
CSN: 22 0d 99 01 f9 ff 12 e0
CC: ff ff ff ff 4d fa ff ff
#db# Failed to dump config block
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Command execute timeout
#db# Failed to dump config block
#db# Failed to dump config block
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Failed to dump config block
Command execute timeout
#db# Failed to dump config block
#db# Trace full
Readstatus:00
Quitting...
proxmark3>
proxmark3> hf iclass reader 0
Readstatus:0e
CSN: 22 0d 99 01 f9 ff 12 e0
CC: 8c 87 ff ff 4d fa ff ff
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 2 KBits ( 32 * 8 bytes)
AA1: blocks 6-18
AA2: blocks 19-
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Command execute timeout
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Command execute timeout
Readstatus:00
Quitting...
proxmark3>

midnitesnake · 2015-04-11 23:48:14

Thats because he cracked the HID Application Key 1 (with a bit of guidance). The keys are protected by HID Global lawyers.
He hard-coded the key into his code, but removed the key from public postings - to avoid a legal dilemma; but a bunch of us (who have individually cracked the keys) have banded together to clean/enhance the code and ultimately the proxmark3. Some of us have busy schedules and personal lives at the moment....

The 'heart of darkness' paper from Milosch was used to obtain App Key 1; you need to follow that paper to proceed. If your googling foo is strong, you can also find the key that way also

Last edited by midnitesnake (2015-04-11 23:49:08)

joe · 2015-04-12 15:20:35

midnitesnake wrote:

Thats because he cracked the HID Application Key 1 (with a bit of guidance). The keys are protected by HID Global lawyers.
He hard-coded the key into his code, but removed the key from public postings - to avoid a legal dilemma; but a bunch of us (who have individually cracked the keys) have banded together to clean/enhance the code and ultimately the proxmark3. Some of us have busy schedules and personal lives at the moment....
The 'heart of darkness' paper from Milosch was used to obtain App Key 1; you need to follow that paper to proceed. If your googling foo is strong, you can also find the key that way also

You means standard iclass or high security iclass ?? they are few types in the market.

holiman · 2015-04-12 15:24:02

He means standard. For elite, you can attack the reader with pm3. Please read through this thread, and my blogposts and you will get a better understanding

Gusto-the-bun · 2015-04-19 11:12:24

I am just starting with proxmark, its so powerful, anyway i do have questions, to read card elite contents, first i have to get mac number by hf iclass sim 2 then get the antenna to get the mac number? I have tried it with omnikey 5321 reader i didnt get mac number what did i do wrong?

midnitesnake · 2015-04-19 14:20:54

@Gusto-the-bun: Your going to need the key; to do this you need to perform the reader attack, via card emulation. Once you have the key, you can then read your card.

Gusto-the-bun · 2015-04-19 14:24:42

Bow do i do that please tell me

Gusto-the-bun · 2015-04-19 15:13:20

please tell me how to get the key

holiman · 2015-04-19 16:33:45

@gusto:

holiman wrote:

For elite, you can attack the reader with pm3. Please read through this thread, and my blogposts and you will get a better understanding

If std then find global std key. If elite: attack reader.
Edit: saw that it was elite specified in the question

Last edited by holiman (2015-04-19 16:35:30)

Gusto-the-bun · 2015-04-19 23:59:05

Bow do i do that please tell me

Gusto-the-bun · 2015-04-20 14:24:08

thank you, holiman, I just read the paper on dismantling.iClass and this thread, i get a little more understanding.

et4 · 2015-04-22 14:38:13

Hey guys,

Firstly wow! Such impressive work here, congrats.

I got myself an pm3 and after some firmware frustrations (damn Windows!) I managed to get the key from a reader and can then obviously decrypt an elite card. I do have a stupid question though - how do I get the data onto another card, in the correct (encrypted) format to appear legit?

Many thanks,
Sam.

Gusto-the-bun · 2015-04-22 15:48:13

et4 wrote:

Hey guys,
Firstly wow! Such impressive work here, congrats.
I got myself an pm3 and after some firmware frustrations (damn Windows!) I managed to get the key from a reader and can then obviously decrypt an elite card. I do have a stupid question though - how do I get the data onto another card, in the correct (encrypted) format to appear legit?
Many thanks,
Sam.

How did u do that can u please it with me, I first hf iClass sim 2 then hf iClass loclass f iClass-attack-mac.bin
Then I lost

et4 · 2015-04-22 23:52:08

This very informative page should help:
http://martin.swende.se/blog/PM3-development.html

Gusto-the-bun · 2015-04-23 10:02:46

et4 wrote:

This very informative page should help:
http://martin.swende.se/blog/PM3-development.html

thank you, i think i got to the dump key e, but I think I need the key on the blank card, do you know anything about it?,
gustothebun@gmail.com

holiman · 2015-04-23 10:10:45

It is possible to write to a blank card, but you'll need to use an omnikey for the write operation. See http://www.proxmark.org/forum/viewtopic.php?pid=15616#p15616 .

holiman · 2015-04-23 10:14:27

et4 wrote:

I got myself an pm3 and after some firmware frustrations (damn Windows!) I managed to get the key from a reader and can then obviously decrypt an elite card.

Hm, are you sure? See, there are two things with iclass: authentication is one, encryption another. PM3 attacks authentication, so you get the elite authentication key. Then the data on the tag may or may not be encrypted. There is a HID encryption key 'out there', which is used for iclass standard, but it's definitely not included in the proxmark source code.

I suspect that your elite card is not encrypted, as the one I have wasn't (only the std tags I've seen are). Am I correct?

Gusto-the-bun · 2015-04-23 14:42:18

one question holiman, to update the new elite key I need to know the contents on block3 which is the key (master key) on blank non program standard card in order to update to elite k1 right?

carl55 · 2015-04-23 15:38:13

Yes, you do need to know the value of the key stored in Block 3 before you can change it to use an Elite key.

To be clear ...
The master authentication key is NOT stored on an iclass card. The key that is stored in Block 3 of the iclass card is a key that is "diversified" from the authentication key. The diversified key is then used by both the reader and the card to calculate the message authentication code (MAC) that is exchanged during mutual authentication.
Since the diversified key is calculated using the cards CSN, it is "unique" for each card.
A blank card that comes directly from the factory will have a key that has been diversified using the PicoPass "default" authentication key.
A preprogrammed card that has been initialized by HID will contain a key that has been diversified using the HID Master authentication key.

Regarding encryption ...
From what I have been able to learn, iclass cards that are purchased as "initialized" (not programmed), have encryption disabled. Cards that are sold pre-programmed (by HID) have encryption enabled. As a result, the cards that are programmed in the field using the HID programmer do not appear to use encryption whereas cards programmed by HID do seem to use encryption.

et4 · 2015-04-24 07:56:39

holiman wrote:

Hm, are you sure? See, there are two things with iclass: authentication is one, encryption another. PM3 attacks authentication, so you get the elite authentication key. Then the data on the tag may or may not be encrypted. There is a HID encryption key 'out there', which is used for iclass standard, but it's definitely not included in the proxmark source code.
I suspect that your elite card is not encrypted, as the one I have wasn't (only the std tags I've seen are). Am I correct?

I'll double check this afternoon.

holiman · 2015-04-24 20:08:37

Gusto-the-bun wrote:

one question holiman, to update the new elite key I need to know the contents on block3 which is the key (master key) on blank non program standard card in order to update to elite k1 right?

Yes, kind of. If you know the key, you can derive the correct key using the 'dump' command. It will produce output like the following:

CSN: f3 16 2e 00 f8 ff 12 e0 
hash1 = 3e2072474b730421
Pre-fortified 'permuted' HS key that would be needed by an iclass reader to talk to above CSN:
k_sel = dddf56293d6c5897
Pre-fortified key that would be needed by the OmniKey reader to talk to above CSN:
Used key = d961eddeeb1ce6c1
Hash0, a.k.a diversified key, that is computed using Ksel and stored in the card (Block 3):
Div key = e42cd87319895170

So, in this case, 'e42cd87319895170' is what is already stored on block 3. I haven't actually cloned tag to tag myself, as I'm more interested in spoofing using the proxmark. It's very easy to ruin your tag if you don't know what you're doing...

et4 · 2015-04-25 09:11:36

holiman wrote:

I suspect that your elite card is not encrypted, as the one I have wasn't (only the std tags I've seen are). Am I correct?

It looks like it's not encrypted, with data in locations 6-9.

The legitimate card:

-- deleted by moderator --

A blank card:

-- deleted by moderator --

After this a Proxmark light stays on and I need to remove it, quit, and start again. Fairly consistent in that behaviour.

I wanted to see what would happen if dropping the e:

-- deleted by moderator --

holiman · 2015-04-25 09:52:04

Well, your 'legitimate card' is encrypted. I think encryption starts at block 7, which contains the wiegand data. Is the pm3 unresponsive after the failed read, or can you get a hf iclass list?

et4 · 2015-04-25 11:50:26

After the hf iclass dump on the legit card the pm3 was responsive. I don't have permanent access to the card so cant try again.

After running the hf iclass dump commands on a blank card (not related at all to the Elite system of the legit card) it starts to get unresponsive.

I'm wondering why you wanted me to put in the auth key when dumping a blank card? The blank cards were purchased online so I'm guessing are either unprogrammed or perhaps iClass standard?

Also, why did you think they are encrypted? Is it because there is nothing in block 3?

Robertz · 2015-04-25 13:10:53

I am a licenced security access control installer.
The data published by user et4 belongs to one of my clients.
The block 07 of the access card that has been published, corresponds to one of the resident in the building.
Whoever you are, you have illegally accessed one of the building card reader. My client has not requested anyone to come and do that...
I also believe that you do not carry the necessary licence for performing such "security activity".
See Part 1, Section 4 of the corresponding legislation.
I took screenshots of your posts and will report this to the NSW Police Force along with CCTV recordings showing you "attacking" a reader.

I am also asking the administrator to kindly remove what the information posted earlier.

holiman · 2015-04-25 13:30:44

@et4, I'll stop answering questions now, unless you can prove that you're legit. And yes, if the dump you posted was a real live system, you did a blunder. However, all you did was expose a custom key, nobody but you know where this system is located. Not really useful info to an attacker, since said attacker can just perform a reader-attack anyway themselves...

And I doubt that 'attacking' a reader is a crime. Possibly it could be viewed as preparation to commit a crime (intrusion), but I guess that would depend on whether you are a pentester or a burglar... And of course; don't take legal advice from the internet seriously...

holiman · 2015-04-25 13:32:27

and hey, @Robertz was the one who disclosed the country that the system in question is located in

Last edited by holiman (2015-04-25 13:32:41)

Robertz · 2015-04-25 13:42:46

holiman wrote:

and hey, @Robertz was the one who disclosed the country that the system in question is located in

I just wanted to make sure he knows that I know... This is a pretty big country. This particular High Security key is unique to that building and has never been used anywhere else (I hope so. You never know with HID...)

That is in the Law, you are not authorize to "install, maintain, repair or service, by physical or electronic means: any security equipment". Then if the person had a licence, I guess it is all right. But that is a private residential building and his "service" was unsolicited.

Robertz · 2015-04-25 13:53:48

How do I contact an admin to have this removed? Can someone give me an email address or contact them for me?
I cannot even edit my own posts...

et4 · 2015-04-25 14:15:32

Yes it seems a few things got mixed up here. Switching between several laptops (needing 32bit windows) and a number of notepad files on the desktop.

If I thought they dumps were from a live system they never would have been posted. I'm not that irresponsible. I can't edit the posts with the forum type so hopefully the admin can do it soon.

I can assure you I know the line between data acquisition and unauthorised access, whether it's our more traditional internal-based work, or physically.

I'm not sure how to prove credibility, without providing information that compromises our work or our client's privacy. Trying to speak generically, if there is a scare or security event at a subsidiary owned by a group, the board may often commission some due diligence to be performed.

Happy to communicate in more detail over PM or email.

I do understand how there would be concern by someone charging for installation of a secure system, knowing of the shortcomings published initially in 2012.

We investigate shortcomings in organisation's assets all the time. This includes their service providers. We're very careful not to cross the line from identification of vulnerability to exploiting it to gain unauthorised access.

Finally, apologies for causing a bit of ruckus within the community. I understand hesitation at providing further assistance. We should still be able to complete what we need to do, it will just take longer through more manual discovery.

et4 · 2015-04-25 14:17:47

Robertz,
I've reported my post requesting to have it removed. I can't do it myself like other forums. Hopefully it won't take too long. Apologies again for mixing up my test data.

holiman · 2015-04-25 15:31:25

@et4: My contact details https://pgp.mit.edu/pks/lookup?op=vindex&search=0x683B438C05A5DDF0

Last edited by holiman (2015-04-25 15:34:44)

holiman · 2015-04-25 15:33:11

And I'm not a moderator, but have emailed one to have the data removed

Last edited by holiman (2015-04-25 15:35:13)

et4 · 2015-04-25 16:13:43

Emailed.

Thanks.

osaka · 2015-04-25 16:24:45

et4 wrote:

Yes it seems a few things got mixed up here. Switching between several laptops (needing 32bit windows) and a number of notepad files on the desktop.
If I thought they dumps were from a live system they never would have been posted. I'm not that irresponsible. I can't edit the posts with the forum type so hopefully the admin can do it soon.
I can assure you I know the line between data acquisition and unauthorised access, whether it's our more traditional internal-based work, or physically.
I'm not sure how to prove credibility, without providing information that compromises our work or our client's privacy. Trying to speak generically, if there is a scare or security event at a subsidiary owned by a group, the board may often commission some due diligence to be performed.
Happy to communicate in more detail over PM or email.
I do understand how there would be concern by someone charging for installation of a secure system, knowing of the shortcomings published initially in 2012.
We investigate shortcomings in organisation's assets all the time. This includes their service providers. We're very careful not to cross the line from identification of vulnerability to exploiting it to gain unauthorised access.
Finally, apologies for causing a bit of ruckus within the community. I understand hesitation at providing further assistance. We should still be able to complete what we need to do, it will just take longer through more manual discovery.

What a load of crap...

iceman · 2015-04-25 17:54:37

A new user posts something to be testdata,
another new user claims something is indeed a clients original data,
first new user agrees that the testdata is not testdata
other new users joins in,

What are the probabilty that all thoose claims happens in a very very sleepy forum like PM3...
By the looks at it, it seems like the whole of down under PM3 community knows eachother and hangs here silently.

BUT,
instead of just mailing about it ta a forum moderator, the second new user actually managed to let people know that its a proper key.... instead of letting everyone here believe it was testdata and everyone would have forgotten about before it was taken away from a forum moderator....

I feel new users can learn from this ...

Last edited by iceman (2015-04-25 17:55:42)

Proxmark3 community

Announcement

#101 2014-12-19 16:47:56

Re: iClass is coming...

#102 2015-02-22 19:42:21

Re: iClass is coming...

#103 2015-02-23 00:18:38

Re: iClass is coming...

#104 2015-02-25 22:11:50

Re: iClass is coming...

#105 2015-02-26 21:13:19

Re: iClass is coming...

#106 2015-03-02 01:18:02

Re: iClass is coming...

#107 2015-03-02 10:48:49

Re: iClass is coming...

#108 2015-03-02 22:21:54

Re: iClass is coming...

#109 2015-03-03 09:19:14

Re: iClass is coming...

#110 2015-03-03 09:56:43

Re: iClass is coming...

#111 2015-03-03 18:07:08

Re: iClass is coming...

#112 2015-04-01 15:13:47

Re: iClass is coming...

#113 2015-04-01 16:03:27

Re: iClass is coming...

#114 2015-04-01 16:06:08

Re: iClass is coming...

#115 2015-04-11 16:47:06

Re: iClass is coming...

#116 2015-04-11 23:48:14

Re: iClass is coming...

#117 2015-04-12 15:20:35

Re: iClass is coming...

#118 2015-04-12 15:24:02

Re: iClass is coming...

#119 2015-04-19 11:12:24

Re: iClass is coming...

#120 2015-04-19 14:20:54

Re: iClass is coming...

#121 2015-04-19 14:24:42

Re: iClass is coming...

#122 2015-04-19 15:13:20

Re: iClass is coming...

#123 2015-04-19 16:33:45

Re: iClass is coming...

#124 2015-04-19 23:59:05

Re: iClass is coming...

#125 2015-04-20 14:24:08

Re: iClass is coming...

#126 2015-04-22 14:38:13

Re: iClass is coming...

#127 2015-04-22 15:48:13

Re: iClass is coming...

#128 2015-04-22 23:52:08

Re: iClass is coming...

#129 2015-04-23 10:02:46

Re: iClass is coming...

#130 2015-04-23 10:10:45

Re: iClass is coming...

#131 2015-04-23 10:14:27

Re: iClass is coming...

#132 2015-04-23 14:42:18

Re: iClass is coming...

#133 2015-04-23 15:38:13

Re: iClass is coming...

#134 2015-04-24 07:56:39

Re: iClass is coming...

#135 2015-04-24 20:08:37

Re: iClass is coming...

#136 2015-04-25 09:11:36

Re: iClass is coming...

#137 2015-04-25 09:52:04

Re: iClass is coming...

#138 2015-04-25 11:50:26

Re: iClass is coming...

#139 2015-04-25 13:10:53

Re: iClass is coming...