Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Starting a new thread at the recommendation of iceman.
So I'm having trouble getting any of this to work.
hf class snoop
doesn't appear to work at all - I have tried holding the antenna in various positions (between card and reader, above, to the side, at different distances, etc.). The Proxmark just sits there until I press the button and then I get:
#db# cancelled_a
#db# 1 0 0
#db# 20 f0 0
hf iclass sim 2
will correctly acquire responses, but then subsequently fail to crack anything. So, thinking that the initial CSNs were maybe off, I modified the code to use the 126 malicious CSNs from here, and although the Proxmark appears to send all 126 CSNs, it only appears to collect 63 per "run" - so I again modified the code to run half of them at a time and then spliced the resulting MACs into a single file, but still no luck on recovering a key. Loclass states that it should work with any CSNs (providing they're the right format), but I'm still not having any luck.
Can someone (please) help point me in the right direction, or let me know some first places to start troubleshooting?
Thanks!
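The "63 per run, then splice the files" workflow above is easy to get wrong silently: a truncated record, a CSN that never got an answer, or two runs made against different readers will all make loclass fail without saying why. The following is an added example (not code from the Proxmark3 project or from the poster) that parses such a capture, merges partial runs keyed on CSN, and reports which simulated CSNs never received a reader response. It assumes the 24-byte record layout loclass reads, CSN(8) | CC(8) | NR(4) | MAC(4); the CSN values and reader responses in `demo()` are constructed stand-ins, not real reader traffic, and `fake_reader_response` is not the iClass MAC algorithm.

```python
"""Merge and sanity-check loclass reader-attack capture files (added example)."""
import hashlib
from collections import OrderedDict, namedtuple

# Assumption: each record written for loclass is CSN(8) | CC(8) | NR(4) | MAC(4).
RECORD_LEN = 24
Record = namedtuple("Record", "csn cc nr mac")


def parse_capture(data: bytes) -> list:
    """Split a raw capture into Records; reject a truncated or padded file."""
    if len(data) % RECORD_LEN:
        raise ValueError(f"capture is {len(data)} bytes, not a multiple of {RECORD_LEN}")
    records = []
    for off in range(0, len(data), RECORD_LEN):
        chunk = data[off:off + RECORD_LEN]
        records.append(Record(chunk[0:8], chunk[8:16], chunk[16:20], chunk[20:24]))
    return records


def merge_captures(*parts: bytes) -> bytes:
    """Splice several partial runs into one file, de-duplicated on CSN.

    The same CSN answered with a different (CC, NR, MAC) means the runs were
    taken against different readers or keys; mixing them would only poison
    the key recovery, so refuse instead of silently keeping one.
    """
    seen = OrderedDict()
    for part in parts:
        for rec in parse_capture(part):
            prev = seen.get(rec.csn)
            if prev is not None and prev != rec:
                raise ValueError(f"conflicting responses for CSN {rec.csn.hex()}")
            seen.setdefault(rec.csn, rec)
    return b"".join(r.csn + r.cc + r.nr + r.mac for r in seen.values())


def missing_csns(capture: bytes, expected_csns) -> list:
    """Return the CSNs from the simulated list that never got a reader response."""
    answered = {r.csn for r in parse_capture(capture)}
    return [c for c in expected_csns if c not in answered]


# --- constructed sample data; not real cards or reader traffic -------------
def sample_csns(n: int) -> list:
    # Only the shape mimics an iClass CSN (8 bytes ending 0x12 0xE0); values are made up.
    return [bytes([0x00, i, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0]) for i in range(n)]


def fake_reader_response(csn: bytes) -> bytes:
    # Deterministic stand-in for the reader's NR/MAC. NOT the iClass MAC function.
    cc = b"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
    digest = hashlib.sha256(csn).digest()
    return csn + cc + digest[:4] + digest[4:8]


def demo():
    """Replay the poster's situation: 126 CSNs, 63 answered per run, two runs spliced."""
    csns = sample_csns(126)
    run1 = b"".join(fake_reader_response(c) for c in csns[:63])
    run2 = b"".join(fake_reader_response(c) for c in csns[63:])
    merged = merge_captures(run1, run2)
    return len(parse_capture(merged)), missing_csns(merged, csns)


if __name__ == "__main__":
    count, missing = demo()
    print(f"{count} records merged, {len(missing)} CSNs without a response")
```

Run `missing_csns` against the CSN list you actually simulated: if the second half of the list is what comes back empty, the problem is the capture loop, not the CSNs themselves, and splicing two half-runs is the right fix; if random CSNs are missing, check coupling and reader timing first.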
The sim attack can only crack Elite gen1 iClass tags. What type of tags do you have?
I'm not sure, how would I test for that? Googling the designators on the back of the card has been pretty fruitless so far.
When I read the card using the PM3, I'm seeing that its coding is: ISO 14443-2 B/ISO 15693.
EDIT: I performed a "hf search" and it returns:
CSN: XX XX XX XX XX XX XX XX
CC: XX XX XX XX XX XX XX XX
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 16 KBits/16 App Areas (255 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-FF
Valid iClass Tag (or PicoPass Tag) Found - Quiting Search
But I don't know how to tell which generation that is?
Last edited by w32.n01 (2016-08-31 20:03:58)
UPDATE: Based on the specs here: https://www.hidglobal.com/sites/default/files/resource_files/iclass-se-card-ds-en.pdf
It would appear that I have a "next-generation" card, which by definition wouldn't be "gen 1", so I'll table the sim attack for the time being. Thank you, marshmellow, for the info!
I'm still wondering about the snoop question - does anyone know if this works on "next-generation" setups, or is this only for gen 1 as well? Looking through the code doesn't immediately reveal this answer.
After a snoop, a `hf list iclass` would be needed to output what it captured.
Snoop requires a very strong antenna to be successful.
But with the encryption and authentication methods of the PicoPass chips being what they are, I don't think a snoop will get you very far.
BTW, to my knowledge there are multiple iClass tag types:
classic (gen1)
classic Elite (custom access keys per company)
SR (classic compatible SE tags)
SR Elite (same as SR but with custom access keys per company)
SE (NOT Classic compatible - Gen 2)
SE Elite (same as SE but with custom access keys per company)
SEOS (not really sure... - Gen 3?)
I have modified the source code to handle read command len 4 from the reader. Would it be useful?
I have modified the source code to handle read command len 4 from the reader. Would it be useful?
Yes, it would definitely be useful! Have you already submitted the patch?
The hf iclass loclass works on cards/readers which are configured for Elite/high security.
The nomenclature in the iClass work is so confusing. What you get is the AA1 (MKc) for that particular card on that system.
The SE/SR credentials stored on the card inside Application 1 have nothing to do with the hf iclass loclass MKc.
With AA1, you can dump the data from Application 1. The SE/SR credentials stored inside are usually encrypted with 3DES (another key, the HID transport key).
BTW, to my knowledge there are multiple iClass tag types:
classic (gen1)
classic Elite (custom access keys per company)
SR (classic compatible SE tags)
SR Elite (same as SR but with custom access keys per company)
SE (NOT Classic compatible - Gen 2)
SE Elite (same as SE but with custom access keys per company)
SEOS (not really sure... - Gen 3?)
(DESFIRE)
Seos chips are chips that can emulate DESFire, but they are not DESFire.