Research, development and trades concerning the powerful Proxmark3 device.
I'm using an OMNIKEY 5021-CL card reader and I'm getting the Card Serial Number.
Does the Card Serial Number contain the card number (the number printed on the back of the card)?
I've tried getting it from the serial number but I'm not having any luck.
My understanding is that there is a facility code, parity bits and the card number, but I'm not sure if that is in the Card Serial Number or maybe it's encrypted on the Application area or maybe somewhere else.
Very appreciative of any help anyone can give!
Offline
The following answer applies to legacy iclass only and NOT to the newer iClass SE technology that uses a Secure Identity Object (SIO) to store the access control information.
The legacy iclass readers do NOT use the manufacturer Card Serial Number (CSN) that is stored in Block 0 for access control. The CSN is only used for calculating the value of the diversified key that is needed to mutually authenticate.
The reader uses information that is stored in Block 7 of the application area 1 of the credential.
The block 7 value is basically the wiegand code data with a start sentinel added to the front of the bit stream.
The access control data may or may not be encrypted. It depends on the value of the "encryption enable" bit that is contained in the Block 6 data.
The Block 7 access control data contains the format length, parity bits, facility code and card number information.
Here are a couple of simple examples:
Format: 26-bit
Fac Code: 001
Card No: 00001
Wiegand: 0x0000000002020002
Block 7: 0x0000000006020002 - Unencrypted (adds a start sentinel to wiegand code)
Block 7: 0xBC8793E20AF06F33 - TDES Encrypted
Format: 26-bit
Fac Code: 255
Card No: 00015
Wiegand: 0x0000000001FE001F
Block 7: 0x0000000005FE001F - Unencrypted (adds a start sentinel to wiegand code)
Block 7: 0x0C782D765375554D - TDES Encrypted
Offline
Good explanation! I have one question.
What exactly is the start sentinel value? I'm having trouble understanding how it applies to different examples of wiegand data
Offline
It's a bit. !0.
Command: 80 B0 00 07 08
Response: 13 91 B7 3A C3 39 6E C8 90 00
Decoded (HEX): 00 00 00 00 06 02 00 07
(BIN): 110000000100000000000000111
PACS: 10000000100000000000000111
Offline
If you think of the wiegand code as a string of binary data then the iclass start sentinel is simply a logic 1 bit that is appended to the binary wiegand data stream that is to be stored in Block 7 of the credential.
If you number the bits from 1-to-N with 1 being the lsb and N being the msb, then the start sentinel will always be placed at bit position 27 for a 26-bit credential, at position 35 for a 34-bit credential, at position 38 for a 37-bit credential, etc.
The start sentinel is used to tell the reader where the actual wiegand code starts. The reader basically reads Block 7 and looks (left to right) for the first bit that is a logic 1. When a logic 1 is encountered, it will then know that all of the bits to the right of that bit comprise the actual wiegand code that contains the access control information.
4333333333322222222221111111111000000000 (Bit# msb-lsb)
0987654321098765432109876543210987654321
0000000000000SPFFFFFFFFCCCCCCCCCCCCCCCCP (26-bit H10301 format)
00000SPFFFFFFFFFFFFFFFFCCCCCCCCCCCCCCCCP (34-bit H10306 format)
00SPFFFFFFFFFFFFFFFFCCCCCCCCCCCCCCCCCCCP (37-bit H10304 format)
S = Start Sentinel
P = Parity
F = Facility Code
C = Card Number
Offline
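The Block 7 layout described in this thread, as an added Python example (not part of the original posts and not Proxmark3 code): it locates the start sentinel in an unencrypted Block 7 value and decodes the 26-bit H10301 fields, checking both parity bits. The function names are illustrative, and the standard H10301 parity rule (even over the first 13 bits, odd over the last 13) is assumed; the sample values are the ones quoted in the posts above.

```python
def strip_sentinel(block7: bytes) -> str:
    """Return the Wiegand bit string that follows the start sentinel."""
    if len(block7) != 8:
        raise ValueError("Block 7 must be exactly 8 bytes")
    value = int.from_bytes(block7, "big")
    if value == 0:
        raise ValueError("no start sentinel: block is all zeros")
    # bin() drops leading zeros, so the first remaining '1' is the sentinel;
    # skipping "0b" plus that one bit leaves the Wiegand data.
    return bin(value)[3:]


def decode_h10301(bits: str) -> dict:
    """Decode a 26-bit H10301 string: P + 8-bit FC + 16-bit CN + P."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    # Leading parity makes the first 13 bits even; trailing parity makes
    # the last 13 bits odd.
    even_ok = bits[:13].count("1") % 2 == 0
    odd_ok = bits[13:].count("1") % 2 == 1
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def decode_block7(hex_block: str) -> dict:
    """Decode an unencrypted Block 7 hex string holding a 26-bit credential."""
    return decode_h10301(strip_sentinel(bytes.fromhex(hex_block)))


if __name__ == "__main__":
    # Unencrypted Block 7 values quoted in the thread.
    for sample in ("0000000006020002", "0000000005FE001F", "0000000006020007"):
        print(sample, decode_block7(sample))
    # A TDES-encrypted block has no meaningful sentinel position, so the
    # recovered length does not match any expected format.
    try:
        decode_block7("BC8793E20AF06F33")
    except ValueError as err:
        print("encrypted sample rejected:", err)
```

A length or parity failure on a block read from a real credential usually means the "encryption enable" bit in Block 6 is set and the data must be decrypted before this layout applies.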
Thanks 0xFFFF and carl55. I fully understand it now and was able to reproduce it in my lab.
Thanks for the help!
Offline
This is probably unnecessary but for the sake of driving this thing home....
Note that the PACS data is random 1's and 0's.
63 bit card...
101011111001010101001110000110111000001101011000010110100111001
Block 07
Decoded (HEX): D7CAA70DC1AC2D39
(BIN): 1101011111001010101001110000110111000001101011000010110100111001
PACS: 101011111001010101001110000110111000001101011000010110100111001
Block 08
Decoded (HEX): 0000000000000000
Block 09
Decoded (HEX): FFFFFFFFFFFFFFFF
64 bit card...
0101011111001010101001110000110111000001101011000010110100111001
Block 07
Decoded (HEX): 57CAA70DC1AC2D39
(BIN): 0101011111001010101001110000110111000001101011000010110100111001
PACS: 0101011111001010101001110000110111000001101011000010110100111001
Block 08
Decoded (HEX): 0000000000000001
Block 09
Decoded (HEX): FFFFFFFFFFFFFFFF
65 bit card...
1 0101011111001010101001110000110111000001101011000010110100111001
Block 07
Decoded (HEX): 57CAA70DC1AC2D39
(BIN): 0101011111001010101001110000110111000001101011000010110100111001
PACS: 0101011111001010101001110000110111000001101011000010110100111001
Block 08
Decoded (HEX): 0000000000000003
(BIN): 0000000000000000000000000000000000000000000000000000000000000011
PACS: 1
Block 09
Decoded (HEX): FFFFFFFFFFFFFFFF
143 bit card... (largest possible)
101011001100111 1111101011010101110101001011100000000111110011100101101111001001 0010101001010001100110001110111010100011110011001101011001110000
Block 07
Decoded (HEX): 2A5198EEA3CCD670
(BIN): 0010101001010001100110001110111010100011110011001101011001110000
PACS: 0010101001010001100110001110111010100011110011001101011001110000
Block 08
Decoded (HEX): FAD5D4B807CE5BC9
(BIN): 1111101011010101110101001011100000000111110011100101101111001001
PACS: 1111101011010101110101001011100000000111110011100101101111001001
Block 09
Decoded (HEX): FFFFFFFFFFFFD667
(BIN): 1111111111111111111111111111111111111111111111111101011001100111
PACS: 101011001100111
Offline