Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-07-04 17:33:05

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Starting with Iclass

Hi,

I am starting to try to understand more of iClass; I have got a tag to test and I would like to know if I am on the right track working with the Proxmark.
I am really sorry for the newbie questions... I am just starting with this.

I have read and got it

CSN: 42 20 71 04 08 00 12 e0
CC: 50 52 4f 58 4a 43 4d 30
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
Crypt: Non secured page
RA: Read access not enabled
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-FF
AA2: blocks 100-1F
AppIA: ff ff ff ff ff ff ff ff
: Possible iClass (legacy tag)


iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |          0 | Rdr | 0a                                                              |     | ACTALL
          0 |          0 | Rdr | 0a                                                              |     | ACTALL
        720 |        720 | Tag | 0f                                                              |     |
        720 |        720 | Rdr | 0c                                                              |     | IDENTIFY
        720 |        720 | Rdr | 0a                                                              |     | ACTALL
       1440 |       1440 | Tag | 0f                                                              |     |
       1440 |       1440 | Rdr | 0c                                                              |     | IDENTIFY
       4496 |       4496 | Tag | 08  24  8e  00  01  40  02  5c  52  de                          |  ok |
       4496 |       4496 | Rdr | 81  08  24  8e  00  01  40  02  5c                              |     | SELECT
       7552 |       7552 | Tag | 42  20  71  04  08  00  12  e0  5f  37                          |  ok |
       7552 |       7552 | Rdr | 88  02                                                          |     | READCHECK[Kd](2)
      10096 |      10096 | Tag | 50  52  4f  58  4a  43  4d  30                                  |  ok |
      10096 |      10096 | Rdr | 0c  01  fa  22                                                  |  ok | READ(1)
      13152 |      13152 | Tag | ff  ff  ff  fe  7f  1f  7f  2c  bb  b2                          |  ok |
      13152 |      13152 | Rdr | 0c  05  de  64                                                  |  ok | READ(5)
      16208 |      16208 | Tag | ff  ff  ff  ff  ff  ff  ff  ff  ea  f5                          |  ok |

I was working with Mifare and there are ways to get the keys with the Proxmark; is there a similar way to do the same with iClass, or do I need to get a reader and sniff the communication?


#2 2017-07-04 20:41:36

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Starting with Iclass

That appears to be a very unique credential.

According to the value that you read back for block 1, your chip ...
1) Has all blocks assigned to Application 1.
2) Block 6 is write-protected (read only).
3) The Kc and Kd keys are locked and cannot be modified.

These are very unusual/uncommon settings. Is that some kind of special configuration card?
HID does not normally lock the keys. As a result I would guess that that particular credential does NOT use the HID Master Authentication key.
For learning purposes, I would suggest that you start out by analyzing a more common iclass credential.

Regarding your last question .....
No, none of the iclass keys (authentication, encryption, diversified) are ever transmitted over the air and therefore cannot be sniffed. The keys are stored in internal memory and are only used for calculations that occur within the CPU (or SAM for iClass SE).


#3 2017-07-04 21:15:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

I suspect a minor bug lurking around here; the output looks suspiciously low for the higher limit 1F...

AA2: blocks 100-1F

And given Carl55's answer, I reckon there is more information that could have been printed by the "hf iclass reader" command.
And I guess I need to read some picopass datasheet to understand more of the information revealed from block1


#4 2017-07-05 09:17:41

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

Answers:
CARL55, it is an access control tag, so I don't know if it is so special; for me it is big_smile.
If I can't sniff the communication between reader and tag, then... is there a way to clone such a tag? I have read that someone skipped the read protection of a PIC to read the key, but this is not practical for me.
So it is an iClass but not HID? I tried with this master key 3F90EBF0910F7B6F but failed.

ICEMAN "I suspect a minor bug lurking around here; the output looks suspiciously low for the higher limit 1F..."
Do you want me to run any other test on the key to try to catch the bug?

proxmark3> hf iclass loclass f iclass_mac_attack.bin
Bruteforcing byte 1
Bruteforcing byte 0
Bruteforcing byte 69
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 000b0ffff7ff12e0
The CSN requires > 3 byte bruteforce, not supported
CSN = 00040e08f7ff12e0
HASH1 = 7802000045014545
The CSN requires > 3 byte bruteforce, not supported
CSN = 00090d05f7ff12e0
HASH1 = 7b03000045014545
Bruteforcing byte 122
Bruteforcing byte 4
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 000a0c06f7ff12e0
Bruteforcing byte 125
Bruteforcing byte 5
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 000f0b03f7ff12e0
Bruteforcing byte 116
Bruteforcing byte 6
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 00080a0cf7ff12e0
Bruteforcing byte 119
Bruteforcing byte 7
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 000d0909f7ff12e0
Bruteforcing byte 118
Bruteforcing byte 8
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 000e080af7ff12e0
Bruteforcing byte 105
Bruteforcing byte 9
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 00030717f7ff12e0
Bruteforcing byte 32
Bruteforcing byte 10
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 003c06e0f7ff12e0
Bruteforcing byte 99
Bruteforcing byte 11
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 0001051df7ff12e0
Bruteforcing byte 98
Bruteforcing byte 12
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 0002041ef7ff12e0
Bruteforcing byte 101
Bruteforcing byte 13
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 0007031bf7ff12e0
Bruteforcing byte 92
Bruteforcing byte 14
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 00000224f7ff12e0
Bruteforcing byte 95
Bruteforcing byte 15
Bruteforcing byte 0
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542550Failed to recover 3 bytes using the following CSN
CSN = 00050121f7ff12e0

Performed full crack in 856.479980 seconds
Error, we are missing byte 0, custom key calculation will fail...
Error, we are missing byte 1, custom key calculation will fail...
Error, we are missing byte 2, custom key calculation will fail...
Error, we are missing byte 3, custom key calculation will fail...
Error, we are missing byte 4, custom key calculation will fail...
Error, we are missing byte 5, custom key calculation will fail...
Error, we are missing byte 6, custom key calculation will fail...
Error, we are missing byte 7, custom key calculation will fail...
Error, we are missing byte 8, custom key calculation will fail...
Error, we are missing byte 9, custom key calculation will fail...
Error, we are missing byte 10, custom key calculation will fail...
Error, we are missing byte 11, custom key calculation will fail...
Error, we are missing byte 12, custom key calculation will fail...
Error, we are missing byte 13, custom key calculation will fail...
Error, we are missing byte 14, custom key calculation will fail...
Error, we are missing byte 15, custom key calculation will fail...

High security custom key (Kcus):
Std format    = 2d210c604803363b
Iclass format = 0018cbc09545e0a3
Failed to verify calculated master key (k_cus)! Something is wrong.


#5 2017-07-05 10:48:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

Well, the app_limit byte in block 1 seems to indicate a value of 0xFF, which is invalid for your tag. But it doesn't seem to matter.
We just print that stuff.


http://www.orangetags.com/wp-content/do … 20V1-0.pdf

Note:
For 2KS pages, if Applications Limit equals 1Fh or more, the
application area is made up of 26 blocks protected by Debit Key. If
Applications Limit equals 05h or less, the application area is made up of 26
blocks protected by Credit Key.


#6 2017-07-05 10:51:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

I've pushed a minor fix for some other output in 'hf iclass reader' command to icemanfork.

The app_limit, I guess, should have been set to dec 26, according to your configured 0xFF value in the output. Not quite sure; does Carl55 have input?


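The fields iceman and carl55 are discussing all come from block 1, the configuration block, whose raw bytes appear in the trace in post #1 as the reply to READ(1): ff ff ff fe 7f 1f 7f 2c. The following is an added example, not Proxmark3 client code. The byte order of the fields and the fuse and memory-configuration bit assignments are assumptions recalled from the client source rather than facts stated in this thread, and the clamp value of 26 follows the "dec 26" iceman mentions above. Run on that block it reproduces both the unfixed "AA2: blocks 100-1F" and the corrected "AA2: blocks 1B-1F":

```python
# Added example, not Proxmark3 project code: decode the PicoPass / iClass
# configuration block (block 1) into the summary "hf iclass reader" prints,
# and show the application-limit clamp that fixes "AA2: blocks 100-1F".
from dataclasses import dataclass
from typing import List, Tuple

# Fuse-byte bits (assumption: recalled from the client source, not from the thread).
FUSE_FPERS = 0x80    # personalization mode still open
FUSE_CODING1 = 0x40
FUSE_CODING0 = 0x20
FUSE_CRYPT1 = 0x10
FUSE_CRYPT0 = 0x08
FUSE_RA = 0x01       # read access without authentication

# Memory-configuration bits (same assumption).
MEM_16K = 0x80
MEM_BOOK = 0x20
MEM_2K = 0x10


@dataclass
class ConfigBlock:
    app_limit: int
    otp: int
    block_write_lock: int
    chip_config: int
    mem_config: int
    eas: int
    fuses: int


def parse_config_block(block: bytes) -> ConfigBlock:
    """Split the 8 bytes of block 1 into its fields (field order is an assumption)."""
    if len(block) != 8:
        raise ValueError("block 1 is exactly 8 bytes")
    return ConfigBlock(app_limit=block[0], otp=(block[2] << 8) | block[1],
                       block_write_lock=block[3], chip_config=block[4],
                       mem_config=block[5], eas=block[6], fuses=block[7])


def decode_fuses(fuses: int) -> Tuple[str, str, str, str]:
    """Return (mode, coding, crypt, ra) in the client's wording."""
    mode = "Personalization [Programmable]" if fuses & FUSE_FPERS else "Application [Locked]"
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B/ISO 15693"
    else:
        coding = "ISO 14443B only"
    crypt = {
        (True, True): "Secured page, keys locked",
        (True, False): "Secured page, keys not locked",
        (False, True): "Non secured page",
        (False, False): "No auth possible. Read only if RA is enabled",
    }[(bool(fuses & FUSE_CRYPT1), bool(fuses & FUSE_CRYPT0))]
    ra = "Read access enabled" if fuses & FUSE_RA else "Read access not enabled"
    return mode, coding, crypt, ra


def memory_layout(cfg: ConfigBlock) -> Tuple[int, int, int]:
    """Return (kbits, app_areas, max_block); only the 2 KBit layout of this tag is decoded."""
    is_2k = bool(cfg.mem_config & MEM_2K) and not (cfg.mem_config & (MEM_16K | MEM_BOOK))
    if not is_2k:
        raise NotImplementedError("only the 2 KBits / 2 app-area layout is handled here")
    return 2, 2, 31


def app_areas(app_limit: int, max_block: int, clamp: bool = True) -> Tuple[int, int, int, int]:
    """Return (aa1_first, aa1_last, aa2_first, aa2_last).

    clamp=False reproduces the unfixed client: an uninitialised limit of 0xFF
    yields AA1 06-FF and AA2 100-1F.  clamp=True replaces an out-of-range
    limit by 26 (0x1A), the value the thread settled on for a 2K tag.
    """
    if clamp and (app_limit < 6 or app_limit > max_block):
        app_limit = 26
    return 0x06, app_limit, app_limit + 1, max_block


def summarise(block: bytes, clamp: bool = True) -> List[str]:
    """Produce the block-1 lines that "hf iclass reader" prints."""
    cfg = parse_config_block(block)
    mode, coding, crypt, ra = decode_fuses(cfg.fuses)
    kb, areas, max_block = memory_layout(cfg)
    a1f, a1l, a2f, a2l = app_areas(cfg.app_limit, max_block, clamp)
    return [f"Mode: {mode}", f"Coding: {coding}", f"Crypt: {crypt}", f"RA: {ra}",
            f"Mem: {kb} KBits/{areas} App Areas ({max_block} * 8 bytes) [{cfg.mem_config:02X}]",
            f"AA1: blocks {a1f:02X}-{a1l:02X}", f"AA2: blocks {a2f:02X}-{a2l:02X}",
            f"OTP: 0x{cfg.otp:04X}"]


# Block 1 as returned by READ(1) in the trace in post #1 (CRC bytes stripped).
BLOCK1 = bytes.fromhex("fffffffe7f1f7f2c")

if __name__ == "__main__":
    print("unfixed output:\n" + "\n".join(summarise(BLOCK1, clamp=False)))
    print("fixed output:\n" + "\n".join(summarise(BLOCK1)))
```

The clamp is the whole of the fix: nothing about the tag changed between the two outputs in this thread, only how the client renders an application limit that lies outside the 31 blocks a 2K chip actually has.
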
#7 2017-07-05 11:34:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

If @drakospart wouldn't mind testing it out? (don't forget to compile/flash)


#8 2017-07-05 14:48:02

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Starting with Iclass

The fact that the Application limit field is set to 0xFF does not really bother me since that is the default value of an uninitialized credential.
It would appear to me that the card in question might have been programmed in the field and not at the HID factory. IF that is true then the authentication key that is being used to calculate the diversified key may not be the HID Master key. It could still be using the PicoPass default key which would explain why the MAC attack software failed.
What bothers me is that Block 6 is write protected. I didn't think that the HID iClass Programmer Application (CP400 or CP1000) gave the user the option to change that value but I could be wrong.


#9 2017-07-05 16:21:25

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

Sorry, it took me a while to install GitHub, the compiler... and then compile.
Here is a partial result:

pm3 --> hf iclass reader
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1c
CSN: 42 20 71 04 08 00 12 E0
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1c
CSN: 42 20 71 04 08 00 12 E0
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
Readstatus:00
Quitting...


#10 2017-07-05 16:34:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

Sweet, it looks better now.
If you have the AA1 key, try dumping the card.

To read the tag only once:

hf iclass reader 1


#11 2017-07-05 16:38:13

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

I don't have any key big_smile

pm3 --> hf iclass reader 1
Readstatus:1e
CSN: 42 20 71 04 08 00 12 E0
CC: BB B2 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Non secured page
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc


#12 2017-07-05 16:55:10

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

carl55 wrote:

The fact that the Application limit field is set to 0xFF does not really bother me since that is the default value of an uninitialized credential.
It would appear to me that the card in question might have been programmed in the field and not at the HID factory. IF that is true then the authentication key that is being used to calculate the diversified key may not be the HID Master key. It could still be using the PicoPass default key which would explain why the MAC attack software failed.
What bothers me is that Block 6 is write protected. I didn't think that the HID iClass Programmer Application (CP400 or CP1000) gave the user the option to change that value but I could be wrong.

pm3 --> hf iclass dump k  FEFFFFFFFFFFFFFF
Authing with diversified key: 467dc94b68dcfdf8
Authentication error
Authing with diversified key: 467dc94b68dcfdf8
Authentication error



What is the default key for PicoPass ? I can give it a try

Last edited by drakospart (2017-07-05 17:31:55)


#13 2017-07-05 17:33:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

hehe.. nice try


#14 2017-07-05 17:35:09

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

I am learning... give me a hint.


#15 2017-07-05 17:51:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

He who seeks divine information searches the dark places.


#16 2017-07-05 17:59:29

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

I am looking for this 808200F008 but it looks like I am in divine places looking for dark information; anyway, who knows if it is going to work... I think this card is not a standard configuration.


#17 2017-07-05 20:03:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Starting with Iclass

The AA1 has been leaked, so you should be able to find it. Many hints in the iClass category on the forum.


#18 2017-07-05 20:17:55

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Starting with Iclass

drakospart,
I re-read all of your earlier posts in this thread. It looks like we may simply be having a problem understanding when to use a permuted key versus a non-permuted key.
Regardless, the PicoPass default keys can be found in the iClass Serial Protocol document. There are always a few copies of that document floating around. That document also explains the concept of key permutation. Selecting the right version of key will depend on whether you are using an OmniKey Reader, an RWxxx reader/writer, or a PM3.
If you simply find a key on Twitter it may (or may not) be in the format you need.


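The "permuted versus non-permuted" distinction carl55 raises is visible in the loclass output in post #4, which prints the same key twice, as "Std format = 2d210c604803363b" and "Iclass format = 0018cbc09545e0a3". The following is an added example, not Proxmark3 or loclass code: it converts an 8-byte key between those two layouts in both directions. The mapping (bit j of output byte i is bit 7-i of input byte j, i.e. the key viewed as an 8x8 bit matrix is transposed and mirrored) is an assumption reconstructed from that printed pair and checked against it; the key pair itself is the one the thread shows:

```python
# Added example, not Proxmark3 project code: convert an 8-byte iClass key
# between the two layouts loclass prints as "Std format" and "Iclass format".
# Mapping (assumption reconstructed from the pair in post #4): bit j of
# output byte i is bit (7 - i) of input byte j.

def permute_key(key: bytes) -> bytes:
    """Std format -> Iclass format."""
    if len(key) != 8:
        raise ValueError("iClass keys are 8 bytes")
    out = bytearray(8)
    for i in range(8):
        for j in range(8):
            bit = (key[j] >> (7 - i)) & 1
            out[i] |= bit << j
    return bytes(out)


def unpermute_key(key: bytes) -> bytes:
    """Iclass format -> Std format; the exact inverse of permute_key."""
    if len(key) != 8:
        raise ValueError("iClass keys are 8 bytes")
    out = bytearray(8)
    for i in range(8):
        for j in range(8):
            bit = (key[i] >> j) & 1
            out[j] |= bit << (7 - i)
    return bytes(out)


def key_forms(hexkey: str) -> dict:
    """All layouts a key given in either form could correspond to, as lowercase hex.

    'std' is the input taken as Std format, 'permuted' its Iclass format, and
    'unpermuted' what the input would be if it were already Iclass format.
    Comparing all three against what a tool prints shows which layout it expects.
    """
    key = bytes.fromhex(hexkey)
    return {"std": key.hex(),
            "permuted": permute_key(key).hex(),
            "unpermuted": unpermute_key(key).hex()}


# Pair printed by loclass in post #4 of this thread.
STD_FORMAT = "2d210c604803363b"
ICLASS_FORMAT = "0018cbc09545e0a3"

if __name__ == "__main__":
    forms = key_forms(STD_FORMAT)
    print(forms)
    assert forms["permuted"] == ICLASS_FORMAT
```

As carl55 notes, which of the two layouts a given reader, RW-series writer or the PM3 expects is a property of the tool, so a key copied from elsewhere should be tried in the form the tool documents rather than assumed to be in the right one.
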
#19 2017-07-06 09:55:02

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: Starting with Iclass

Carl55, I use only PM3 with Icemanfork.
I tried the Twitter key and also the permutation of this key... but no luck.
About the iClass Serial Protocol document, it looks like it has disappeared from Google's view.


#20 2017-07-06 14:59:47

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Starting with Iclass

Based on the information you sent to me it appears that a slight error was made in your reverse key permutation. Email has been sent.


#21 2017-07-12 06:11:43

mollusc
Contributor
From: Vic - Australia
Registered: 2017-05-01
Posts: 33

Re: Starting with Iclass

@carl55 I am having trouble finding a copy of the "iClass Serial Protocol" document. Is that the exact title?


#22 2017-07-12 08:12:22

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Starting with Iclass

I've seen two out there in the wild...
iclass_serial_protocol.pdf
06 - iCLASS Serial Protocol.pdf


#23 2017-07-12 15:37:38

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Starting with Iclass

@mollusk,
Send me an email if you are still having trouble finding a copy of the document.

modhex(hehjighhhheeeefchjhvifhthbhkhrduhehvht)


#24 2017-07-13 01:39:38

mollusc
Contributor
From: Vic - Australia
Registered: 2017-05-01
Posts: 33

Re: Starting with Iclass

Thanks carl55! Turns out I was super close to finding the picopass default keys, I literally found a browser tab open this morning that I hadn't looked at yet. The iClass Serial Protocol document is much clearer and also explains the protocols in much more detail. But if anyone is stuck finding the picopass default keys, search for "INSIDE CONTACTLESS Datasheet Hand’IT-2G Compact Flash READER". Note that the document also lists a default "exchange key" which is not relevant to the proxmark.
