Research, development and trades concerning the powerful Proxmark3 device.
After doing a lot of reading here and of the various research papers and blog posts frequently referenced in the forum, I am able to clone iClass SE Elite cards onto other iClass cards. (Thanks for that!) The one thing I have yet to figure out is how to write an arbitrary ID onto a card without having possession of the original card. I know from the research papers that the block I want to write is TDES encrypted, and that is a different key than the HID master (or in this case, Elite) auth key. A couple of questions:
1. Is the TDES key used to encrypt block 7 the same across all iClass SE installations, regardless of Elite, or would it be unique for each Elite deployment?
2. Is there a way to recover this key using the PM3, like loclass? Or do I need to try something like the ICSP method? (Do newer SE readers still expose this interface? I haven't pulled one off the wall yet.)
Thanks!
1. It's the same.
2. I never tried obtaining the key using the PM3.
The ICSP method only applies to iCLASS readers with a specific hardware version. The vulnerability was in the PIC18F452.
Newer SE readers use the LPC1227.
Thanks. At least I know I don't need to target a device from my organization. That should make this at least a little easier. Are the keys the same between legacy iClass and SE as well? If so, perhaps I can find an old vulnerable reader.
There is only one iCLASS / iCLASS SE TDES key AFAIK.
You're looking for a Rev A. Try your luck on eBay first.
In your first post you mentioned being able to write an 'arbitrary ID'. It's worth noting that iCLASS credentials support PACS formats up to 143 bits (Blocks 7-9).
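Added example, not code from the thread or from the Proxmark3 project: the post above says the PACS payload sits in blocks 7-9 and the first post says those blocks are TDES encrypted under a single key that is separate from the auth key. The block below shows that mechanism end to end, 2-key 3DES (K1||K2||K1) applied to each 8-byte block on its own with no chaining, which is the construction the Proxmark3 client's hf iclass encrypt / decrypt commands assume when fed a 16-byte key file. The key bytes, the sample block contents and the function names are all made up for the example; the real iCLASS transport key is not published and nothing here recovers it.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// iCLASS application-area blocks are 8 bytes wide; the PACS payload the
// thread talks about occupies blocks 7, 8 and 9 (up to 24 bytes).
const (
	blockSize  = 8
	pacsBlocks = 3
)

// PlaceholderKey is a made-up 16-byte 2-key 3DES key so the example runs.
// It is NOT the real iCLASS / iCLASS SE TDES key, which is not published.
var PlaceholderKey, _ = hex.DecodeString("0123456789abcdeffedcba9876543210")

// newTDES expands a 16-byte K1||K2 key into the K1||K2||K1 form that Go's
// TripleDES constructor expects and returns the block cipher.
func newTDES(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("2-key 3DES needs a 16-byte key")
	}
	key24 := append(append([]byte{}, key16...), key16[:8]...)
	return des.NewTripleDESCipher(key24)
}

// cryptPACS runs 3DES over each 8-byte block independently (ECB): one key,
// no IV, no chaining. Equal plaintext blocks therefore encrypt to equal
// ciphertext blocks, which is visible in a raw dump.
func cryptPACS(key16, data []byte, decrypt bool) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 || len(data) > pacsBlocks*blockSize {
		return nil, fmt.Errorf("data must be 1-%d whole %d-byte blocks, got %d bytes",
			pacsBlocks, blockSize, len(data))
	}
	c, err := newTDES(key16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += blockSize {
		if decrypt {
			c.Decrypt(out[off:off+blockSize], data[off:off+blockSize])
		} else {
			c.Encrypt(out[off:off+blockSize], data[off:off+blockSize])
		}
	}
	return out, nil
}

// EncryptPACS turns plaintext block 7-9 contents into what is written to the card.
func EncryptPACS(key16, plain []byte) ([]byte, error) { return cryptPACS(key16, plain, false) }

// DecryptPACS turns dumped block 7-9 contents back into the PACS payload.
func DecryptPACS(key16, enc []byte) ([]byte, error) { return cryptPACS(key16, enc, true) }

// SameBlock reports whether two 8-byte blocks are identical (ECB leak check).
func SameBlock(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	// Constructed sample: 24 bytes of pretend PACS data for blocks 7-9.
	// Blocks 7 and 8 are deliberately identical to show the ECB property.
	plain, _ := hex.DecodeString("0102030405060708" + "0102030405060708" + "aabbccddeeff0011")
	enc, err := EncryptPACS(PlaceholderKey, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("block 7 enc: %x\nblock 8 enc: %x\nblock 9 enc: %x\n", enc[0:8], enc[8:16], enc[16:24])
	dec, _ := DecryptPACS(PlaceholderKey, enc)
	fmt.Println("round trip ok:", bytes.Equal(dec, plain))
	fmt.Println("blocks 7 and 8 equal after encryption:", SameBlock(enc[0:8], enc[8:16]))
}
```

The point for a practitioner is the last line of main: because the blocks are encrypted independently, identical plaintext blocks on two cards produce identical ciphertext blocks, so a dump still reveals structure even without the key. Writing a new ID still requires the real key, which is exactly the gap the rest of the thread is about.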
Yeah, the transport key is not released. If you can hack the Rev A reader, you will get it by following the instructions.
Thanks, I will try to hunt one of those readers down. By arbitrary I mean "known valid ID #".
They are really rare now.
Got this working. A big thanks to 0xFFFF, iceman, marshmellow, and carl55. You guys are awesome! Truly amazing work on the tooling and understanding these protocols.
Last edited by mb (2017-04-25 04:47:19)