Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-05-30 14:47:54

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Cloning an iclass card

Hello I try to clone an iclass card that is not protect but without result
After typing

hf iclass sim 2

I have this

#db# Going into attack mode, 15 CSNS sent                 
#db# Simulating CSN 000b0ffff7ff12e0                 
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# Button pressed                 
Mac responses: 0 MACs obtained (should be 15)          
Saved data to 'iclass_mac_attack-10.bin'

and 

Performed full crack in 1141.844971 seconds          
Error, we are missing byte 0, custom key calculation will fail...          
Error, we are missing byte 1, custom key calculation will fail...          
Error, we are missing byte 2, custom key calculation will fail...          
Error, we are missing byte 3, custom key calculation will fail...          
Error, we are missing byte 4, custom key calculation will fail...          
Error, we are missing byte 5, custom key calculation will fail...          
Error, we are missing byte 6, custom key calculation will fail...          
Error, we are missing byte 7, custom key calculation will fail...          
Error, we are missing byte 8, custom key calculation will fail...          
Error, we are missing byte 9, custom key calculation will fail...          
Error, we are missing byte 10, custom key calculation will fail...          
Error, we are missing byte 11, custom key calculation will fail...          
Error, we are missing byte 12, custom key calculation will fail...          
Error, we are missing byte 13, custom key calculation will fail...          
Error, we are missing byte 14, custom key calculation will fail...          
Error, we are missing byte 15, custom key calculation will fail...          
High security custom key (Kcus):          
Std format    = 2d210c604803363b          
Iclass format = 0018cbc09545e0a3          
Failed to verify calculated master key (k_cus)! Something is wrong.          
proxmark3> 

Offline

#2 2017-05-30 15:10:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

Too little information,

Some questions comes to mind;  which system are you targetting?  Have you correctly identified it? Do you understand the commands your are trying to run?

Offline

#3 2017-05-30 15:15:54

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

Thank you for answering
I use proxmark3 and here is the info of the map

proxmark3> hf search
CSN: XX XX XX XX XX XX XX XX           
CC: e3 54 ff ff fe ff ff ff           
	Mode: Personalization [Programmable]          
	Coding: ISO 14443-2 B/ISO 15693          
	Crypt: Secured page, keys not locked          
	Crypt: Non secured page          
	RA: Read access not enabled          
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]          
	AA1: blocks 06-FF          
	AA2: blocks 100-1F          
Valid iClass Tag (or PicoPass Tag) Found - Quiting Search

Last edited by bouzdeck (2017-05-30 21:32:15)

Offline

#4 2017-05-30 15:31:23

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

and

proxmark3> hf iclass loclass f iclass_mac_attack.bin
Bruteforcing byte 1          
Bruteforcing byte 0          
Bruteforcing byte 69          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 000b0ffff7ff12e0          
The CSN requires > 3 byte bruteforce, not supported          
CSN = 00040e08f7ff12e0          
HASH1 = 7802000045014545          
The CSN requires > 3 byte bruteforce, not supported          
CSN = 00090d05f7ff12e0          
HASH1 = 7b03000045014545          
Bruteforcing byte 122          
Bruteforcing byte 4          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 000a0c06f7ff12e0          
Bruteforcing byte 125          
Bruteforcing byte 5          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 000f0b03f7ff12e0          
Bruteforcing byte 116          
Bruteforcing byte 6          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 00080a0cf7ff12e0          
Bruteforcing byte 119          
Bruteforcing byte 7          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 000d0909f7ff12e0          
Bruteforcing byte 118          
Bruteforcing byte 8          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 000e080af7ff12e0          
Bruteforcing byte 105          
Bruteforcing byte 9          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 00030717f7ff12e0          
Bruteforcing byte 32          
Bruteforcing byte 10          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 003c06e0f7ff12e0          
Bruteforcing byte 99          
Bruteforcing byte 11          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 0001051df7ff12e0          
Bruteforcing byte 98          
Bruteforcing byte 12          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 0002041ef7ff12e0          
Bruteforcing byte 101          
Bruteforcing byte 13          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 0007031bf7ff12e0          
Bruteforcing byte 92          
Bruteforcing byte 14          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 00000224f7ff12e0          
Bruteforcing byte 95          
Bruteforcing byte 15          
Bruteforcing byte 0          
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN          
CSN = 00050121f7ff12e0          
Performed full crack in 1135.060059 seconds          
Error, we are missing byte 0, custom key calculation will fail...          
Error, we are missing byte 1, custom key calculation will fail...          
Error, we are missing byte 2, custom key calculation will fail...          
Error, we are missing byte 3, custom key calculation will fail...          
Error, we are missing byte 4, custom key calculation will fail...          
Error, we are missing byte 5, custom key calculation will fail...          
Error, we are missing byte 6, custom key calculation will fail...          
Error, we are missing byte 7, custom key calculation will fail...          
Error, we are missing byte 8, custom key calculation will fail...          
Error, we are missing byte 9, custom key calculation will fail...          
Error, we are missing byte 10, custom key calculation will fail...          
Error, we are missing byte 11, custom key calculation will fail...          
Error, we are missing byte 12, custom key calculation will fail...          
Error, we are missing byte 13, custom key calculation will fail...          
Error, we are missing byte 14, custom key calculation will fail...          
Error, we are missing byte 15, custom key calculation will fail...          
High security custom key (Kcus):          
Std format    = 2d210c604803363b          
Iclass format = 0018cbc09545e0a3          
Failed to verify calculated master key (k_cus)! Something is wrong.          
proxmark3> 

Offline

#5 2017-05-30 17:02:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

Thanks for the extra info, still...

If you look at your first post and re-read it.  You didn't obtain any mac responses, hench you can't use loclass.  if it would have aquired the correct number of responses,  you would have to use the correct file.  The question that comes to mind is what are you trying to do?

Mac responses: 0 MACs obtained (should be 15)          
Saved data to 'iclass_mac_attack-10.bin'
proxmark3> hf iclass loclass f iclass_mac_attack.bin

Offline

#6 2017-05-30 17:18:32

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

How to get mac replies

Offline

#7 2017-05-30 17:23:20

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

I try to understand I have successfully copied my mifare badge and  a 125 khz hid card and now try  on my fitness room card
It's just to learn

Offline

#8 2017-05-30 17:25:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

Which leads us back to my first questions and more specifically this one;  do you understand the commands your are trying to run?

Still to little information about what you did when you ran the command

 proxmark3> hf iclass sim 2 

Offline

#9 2017-05-30 17:31:26

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

When i type this command

 hf iclass sim 2 

Nothing happens
When I press the button of the proxmark3 I have it

 Mac responses: 0 MACs obtained (should be 15)
Saved data to 'iclass_mac_attack-10.bin' 

Offline

#10 2017-05-30 17:37:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

hf iclass sim 2 is a reader-based attack.

Offline

#11 2017-05-30 17:41:54

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

Yes but i got 0 mac reply

Last edited by bouzdeck (2017-05-30 17:42:06)

Offline

#12 2017-05-30 17:46:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

What distance did you have between pm3 antenna and reader antenna?

Offline

#13 2017-05-30 17:48:36

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

Is there another solution to copy my card

Offline

#14 2017-05-30 17:50:49

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

Newest-Update-PM3-Proxmark-3-Easy-V3-0-Kits-RFID-Card-UID-T5577-Copier-NFC-Proxmark3.jpg

Offline

#15 2017-05-30 17:52:23

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

# LF antenna: 29.56 V @   125.00 kHz          
# LF antenna: 29.56 V @   134.00 kHz          
# LF optimal: 35.20 V @   129.03 kHz          
# HF antenna: 18.86 V @    13.56 MHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Offline

#16 2017-05-30 18:09:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

I'm afraid I can't help you.

I do wish you good luck in your quest for knowledge.

Offline

#17 2017-05-30 18:30:28

bouzdeck
Contributor
Registered: 2017-05-27
Posts: 15
Website

Re: Cloning an iclass card

thanks a lot for your help

Offline

#18 2017-08-21 08:41:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Cloning an iclass card

... I got several other users who asked about failing with hf iclass sim 2 lately.

Possible reasons to failure:

  • reader not in high/elite mode

  • reader is  revB revC

  • pm3 device fails simulation


First one,   run  hf iclass reader 1   with the latest PM3 offical there should be a row in the end saying if the card is Possible iClass (legacy tag)   which would indicate the system you are looking at doesn't use Elite/High mode.  ergo, it will fail.

Second one,  much harder to look at,  you would have to examine the reader and some how identify which revisions of readers doesn't work with PM3...   I've seen posts with some model numbers on the forum.

Third one,   some other posts and blogs  states the Elechouse revisions (easy and 2)  has a problem with ICLASS SIMULATION.  To verify this you would need to measure when the pm3 and reader are interacting with a third device and analyse the signal traffic.


I'm sure there are more possible reasons for failure  time will tell.

Offline

Board footer

Powered by FluxBB