Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi All,
I've run into a bit of pickle with attempting to run a sim 2 against a couple of r10 readers.
Let me give you the run down.
- Chinese proxmark easy clone (this could be the very reason why it is failing, however I am running 3.0.1.227). Switching between multiple builds of official and ice made little difference.
- R10 readers with a mixture of Goldclass and unmarked HID (they all flash green once authorized); I have also seen a couple of SE readers. From what I understand Goldclass are rebranded r10 readers with HS/elite keys, but iscs also sell an SE version.
- Cards are a mix of SR and unmarked (SR meaning they include both payloads, legacy and sio).
- Permuted master key does not authenticate b 06+ (confirms that I am working with HS/elite or I have the wrong key).
- Attempting to attack a couple of readers fails to collect any CSNs.
- No data when running a trace post sim. (Would this indicate the sim is failing on the pm3?)
Couple of questions
- I remember reading that Rev B/C have some issues when attempting to simulate, but I am not sure if SE readers are also vulnerable? (I've also read the r10 rev C was EOL back in 2013.)
- Is there a way to know if the pm is running the sim2? Flashing lights? (It currently lights up "A" until you hit the button.)
- I have read a couple of conflicting posts on running the sim 2, where it can take a mere 10 seconds but also up to 10m to collect CSNs?
Cheers in advance
Offline
I tested one pm3 easy clone, and all kinds of simulation against readers were ridiculous. Even with the antenna dead on the reader antenna, it had bad success rates. In 1-5% of the tries I got something that could resemble an auth attempt. This was with official pm3 v3.0.1.
I have not tried the latest fixes on iceman fork on a pm3 easy clone.
With an "original" pm3 easy from the manufacturer (@proxgrind) it was better, but still, sim wasn't great. I also got some feedback from someone saying the newer readers have protection against simulation, which I'm not sure on how it works if true. The 15 CSNs for SIM 2 in official pm3 were blacklisted apparently. You can look in iceman fork for new ones.
If you capture (sniff / sim) an authentication and post it I can do some tests on it which I need for my idea with identification using a trace only.
How to know if SIM2 is running? Look at your output, it says
#db# Going into attack mode, 15 CSNS sent
When sim2 is working it shouldn't take longer than 10sec. However, sometimes the reader is in rollover-mode, using two different keys, leading to the fail of sim2. You can use sim4 in icemanfork to see if that one works better. But the 10min sim2 execution could be dependent on a bad pm3 easy clone as well. Hard to tell, since posters usually don't know, but HF voltage around 15v or lower usually indicates a clone model.
Offline
Awesome mate, you've given me some hope.
I'll give it a whirl tonight with the ice, worst case would be I need to organize a pm3 dev kit in place of the easy?
By the way here are my measurements for the hf. Is it expected to drop so much when the card is placed on the back?
Measurement without card
Measuring HF antenna, press button to exit
#db# 31301 mV
Measurement with card
Measuring HF antenna, press button to exit
#db# 18327 mV
Measurement with card on the back
pm3 --> hf tune
Measuring HF antenna, press button to exit
#db# 13009 mV
Also when testing sim 2/4 on the latest iceman, the pm is only sending out 9 CSNs?
Starting the sim 2 attack
#db# Going into attack mode, 9 CSNS sent
#db# Simulating CSN 010a0ffff7ff12e0
Waiting for a response from the proxmark...
#db# Button pressed
Don't forget to cancel its operation first by pressing on the button
Mac responses: 0 MACs obtained (should be 9) FAIL
Regardless if I fail or succeed I'll also attempt to capture some auths for ya. I'll keep you posted
Edit 1:
Auth Capture
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 30529 | Rdr |41 77 b6 7d 41 77 b5 7e 41 77 b5 7e 41 77 b6 7d | |
| | |41 78 b6 7d 42 78 b6 7c 42 78 b6 7b 42 78 b6 7c | |
| | |42 78 b5 7c 43 78 b5 7c 43 79 b6 9f 8f 86 82 80 | |
| | |7f 80 7f 7d 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7d | |
| | |7e 7e 7d 7c 7d 7d 7d 7d 7d 7d 7d 47 2b 65 ac 7c | |
| | |3c 73 b5 7f 3e 74 b6 7f 3e 74 b6 7f 3f 74 b5 7f | |
| | |3f 75 b5 7e 3f 75 b6 7e 40 76 b6 a0 8f 86 81 7f | |
| | |7f 7f 7d 7e 7d 7d 7e 7d 7e 7e 7e 7d 7e 7e 7d 7d | |
| | |7d 7d 7c 7c 7c 7c 7d 7d 7d 7d 7d 47 2a 66 ac 7c | |
| | |3c 73 b5 7f 3e 74 b6 7f 3f 74 b6 7f 3f 75 b6 7f | |
| | |3f 75 b5 7e 40 75 b6 7e 40 76 b6 7e 40 76 b6 7e | |
| | |40 75 b6 7d 40 76 b6 7e 41 76 b6 7f 41 77 b6 7d | |
| | |41 77 b6 7d 41 77 b6 7d 41 77 b6 a0 8f 86 82 80 | |
| | |7f 7f 7f 80 80 7e 80 80 81 7f 82 7f 7f 7f 7f 7f | |
| | |7f 7d 7c 7c 7c 7d 7d 7d 7d 7e 7d 47 2a 67 ac 7c | |
| | |3b 73 b5 7f 3d 74 b6 7f 3f 74 b6 7f 3f 74 b6 7f | | ?
pm3 -->
Last edited by s0prise (2017-12-27 09:11:32)
Offline
Your HF voltage is good. You should be able to get some good reads and even sim with it. Still, the "easy" needs to be real close to reader antenna when sim.
I forgot that the iclass sniff isn't the best. Can you simulate your card instead and take the tracelog from that?
Offline
You might need to use official pm3 latest source for sniff.
Offline
I just realized I didn't cross-check my card's blocks with the spoofing_iclass_rev.pdf
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
OTP: 0xFFFF
So that would mean having AA1 in blk 06-12 indicates that this card only contains a single SIO access payload?
Offline
I don't know how many SIO objects a tag has. But from what I have read of Carl55, one seems to be enough for it to work.
Have you tried dumping your cards?
Offline
Unable to dump the cards as the hid master key fails to auth
At least I have now verified the key!! Been successful with a dump of some fresh 200x cards
Are the rumors true about there being multiple master keys (picopass,hid,etc) in addition to custom elite/hs?
I'll continue to keep trying different pm builds with the ol sim, but in case I collect nothing what would you recommend as a replacement to my chinese pm3 easy?
Last edited by s0prise (2017-12-28 10:00:49)
Offline
There are a few default master keys for picopass etc.
Offline
Unable to dump the cards as the hid master key fails to auth
At least I have now verified the key!! Been successful with a dump of some fresh 200x cards
Don't quite follow you there, which card failed to authenticate? Your new ones or the card whose content you are trying to read?
If you're talking about your existing card, I don't think the kiwicon key would work, since the company bothered to install SE readers around the property.
Although one thing I'm not really 100% clear about is, I've seen some buildings with SE readers, Gold Class readers and unbranded HID readers installed mixed as you described. Does that mean the system is running SE or Elite/HSec? Can GoldClass readers run in SE mode? If not, why do they bother installing SE readers and mixing them? (assuming SE readers are more expensive)
Offline
The card which I am trying to dump/read is failing to authenticate. The kiwikey does work for the new cards I purchased.
HID are only selling SE readers, and appear to have been doing so for quite a while which might explain why they have a mixture.
Reading off the HOT they can be configured with the key sets below:
Keyset (Select one option)
0 - Standard v1 - Supports credentials with default HID keys, including iCLASS and iCLASS SR.
2 - Standard v2 - Supports credentials with default HID keys, not including iCLASS and iCLASS SR.
E - HID Elite - Supports credentials with HID Elite keys, including iCLASS and iCLASS SR, and/or Mobile IDs. Key reference (ICE or MOB) required at time of order.
Standard Security Keyset Compatibility with these Credentials
Version 1:
- iCLASS Seos (+ Prox)
- iCLASS SE (+ Prox)
- iCLASS SR (+ Prox)
- iCLASS (+ Prox)
- MIFARE Classic (+ Prox)
- MIFARE DESFire EV1 (+ Prox)
Version 2:
- iCLASS Seos (+ Prox)
- iCLASS SE (+ Prox)
- MIFARE Classic (+ Prox)
- MIFARE DESFire EV1 (+ Prox)
On a positive note I noticed that SR has been rebranded to simply 'iclass', and still includes dual payload
iCLASS credentials are offered either with or without an encoded SIO. For the SIO encoded option, this card will come with two access control data payloads: the SIO and iCLASS access control data payload. These credentials provide backward compatibility with currently deployed systems, maximizing compatibility. iCLASS credentials encoded with SIO should be purchased when the site needs legacy application support, or when the site plans to eventually migrate to SIO security. iCLASS credentials encoded with SIOs were previously marketed as iCLASS SR credentials.
iCLASS, SIO encoded (Previously called iCLASS SR): Increased Security when reading SIO, maximum compatibility - works with both iCLASS and iCLASS SE readers.
I should be in luck provided the key version of the readers have been configured in version 1.
Unfortunately I am still unsure if sim vs SE reader is at all possible.
Offline
Ok, no problem, I personally wouldn't waste my time on SE readers though.
If you think your sim2 is failing because of the PM easy, I've a PM with the latest build, you can use my one,
just send me an email
ModHex ifidighdhvhrifededfchihthbhkhrduhehvht
Last edited by Heru (2017-12-29 10:40:09)
Offline
Cheers mate, I'd take you up on that if I hadn't just purchased a rdv2 off rfxsecure.
It looks like all readers can be reprogrammed so I figure they would still be using the SR high security keys, because why else reissue brand new SR 200x cards
Offline
hey s0prise
Any success running sim 2? I've tried it with the official PM firmware; apparently it does not work.
I guess I'd try the iceman fork.
@ iceman, when you mention the blacklisting, you mean the official master firmware blacklisted sim 2 MAC attack?
Offline
Still waiting on the rdv2 to arrive.
When you ran the sim did you see any traffic on the pm log? With my clone I had no traffic which I figured was due to the fake voltage or dodgy antenna.
Offline
It did not work at all; my PM crashed after trying several times. Could be a firmware issue. I was expecting at least some traffic, but nothing.
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Last edited by Heru (2018-01-08 12:12:09)
Offline
I heard rumours HID blacklisted those csn's and I also heard that they implemented some kind of anti-measure against it.
Offline
hey iceman. thanks for the info,. much appreciated.
Offline
Rumours don't make it true, but I would be surprised if HID hasn't changed anything.
Offline
Just did a couple of quick sim tests with my rdv2 on the official
888053744 | 888053744 | Tag | 0f | |
890762480 | 890762480 | Rdr | 0a | | ACTALL
890762912 | 890762912 | Tag | 0f | |
893471520 | 893471520 | Rdr | 0a | | ACTALL
893471888 | 893471888 | Tag | 0f | |
893484288 | 893484288 | Rdr | 0c | | IDENTIFY
893487360 | 893487360 | Tag | 60 e1 e1 ff fe 5f 02 1c b1 96 | ok |
894790624 | 894790624 | Rdr | 0a | | ACTALL
894791072 | 894791072 | Tag | 0f | |
897499808 | 897499808 | Rdr | 0a | | ACTALL
897500240 | 897500240 | Tag | 0f | |
897512656 | 897512656 | Rdr | 0c | | IDENTIFY
897515712 | 897515712 | Tag | 60 e1 e1 ff fe 5f 02 1c b1 96 | ok |
897623040 | 897623040 | Rdr | 00 | | HALT
909631120 | 909631120 | Rdr | 0a | | ACTALL
909631568 | 909631568 | Tag | 0f | |
923180496 | 923180496 | Rdr | 0a | | ACTALL
923180864 | 923180864 | Tag | 0f | |
923193280 | 923193280 | Rdr | 0c | | IDENTIFY
923196336 | 923196336 | Tag | 60 e1 e1 ff fe 5f 02 1c b1 96 | ok |
924499584 | 924499584 | Rdr | 0a | | ACTALL
924500048 | 924500048 | Tag | 0f | |
933990608 | 933990608 | Rdr | 0a | | ACTALL
933990976 | 933990976 | Tag | 0f | |
935337536 | 935337536 | Rdr | 0a | | ACTALL
935337968 | 935337968 | Tag | 0f | |
938046704 | 938046704 | Rdr | 0a | | ACTALL
938047136 | 938047136 | Tag | 0f | |
940755872 | 940755872 | Rdr | 0a | | ACTALL
940756304 | 940756304 | Tag | 0f | |
I'll have to read up on what the responses 0a/0f/etc mean, but I think I will need to thoroughly re-test until I can successfully collect the mac
Offline
That is very interesting. The trace looks correct.
The reader sequence of ACTALL, IDENTIFY followed by the tags response of its anti-collision serial number is the way it is supposed to work. That tag response and CRC are correct and used to work fine with all readers. Perhaps your reader is a newer iClass SE and HID actually has installed a firmware patch to reject that simulated CSN. If so, maybe you can try the attack on a different (older) reader since that should likely work.
Offline
I also forgot to include this part from yesterday's sim log.
Unsure why the reader sent back the 00/halt, however I was attacking a different reader.
1040946624 | 1040946624 | Rdr | 0a | | ACTALL
1040947056 | 1040947056 | Tag | 0f | |
1040959456 | 1040959456 | Rdr | 0c | | IDENTIFY
1040962528 | 1040962528 | Tag | 60 e1 e1 ff fe 5f 02 1c b1 96 | ok |
1041069872 | 1041069872 | Rdr | 00 | | HALT
1044961568 | 1044961568 | Rdr | 0a | | ACTALL
1044961968 | 1044961968 | Tag | 0f | |
1047670704 | 1047670704 | Rdr | 0a | | ACTALL
Offline
Hey s0prise, how long did you have to hold the device on the readers to get some response? Some people on this forum claim to hold it only 10 seconds or so, some claim to hold it for up to 5-10 minutes to get some response.
I have tried attacking a number of readers, with iceman's sim 4 and the master's sim 2; none were successful.
There is no response whatsoever from any readers (including Goldclass, SE, inner range).
Last edited by Heru (2018-01-14 08:59:43)
Offline
S0prise, (#20) looks like you tried running
hf iclass sim 1
that only simulates a CSN (uid) and nothing more. No reader will accept it, as you see in your trace.
If you want to do some more serious simulation, you will need
hf iclass eload xxxxxx.bin
hf iclass sim 3
which is a full simulation. That usually will give you a better trace, and even a beep from the reader.
If you run sim2 against a reader, configured for elite keys, you could extract it with this attack.
hf iclass sim 2
hf iclass loclass f zzzzzzz.bin
However, on official pm3, the sim2 will not work on a SE reader or a reader with updated firmware.
In iceman fork, the sim2 will work against such devices.
There is also a sim4 in iceman fork, which targets readers in a rare mode called "key roll mode", which is when a system-wide key change has occurred and all cards need to be updated with the new key. Hence it alternates between both keys when authenticating.
Sim 4 will collect the correct data with both keys.
Run time.
The run time for these commands is very fast. Some seconds when it works. If it takes a looong time, it's usually because something is wrong.
hf iclass sim 2
hf iclass sim 4
Offline
Some people have asked me why the hf iclass loclass attack fails when hf iclass sim 2 collected all data successfully.
There is nothing wrong, it's just that the reader is NOT configured for high security / elite keys... So the loclass attack will fail, running a long time, failing three bytes... Once you see that first message, just break the execution since the attack will fail.
When this happens, try collecting an authentication trace and a list of known default iclass keys and run it with
hf iclass lookup
inside iceman fork.
The reader most likely uses an old legacy key, of which there are quite a few....
Offline
Ok, there are differences. In my attempt to pretend to be a genuine tag when sim, I changed the assumptions for the loclass attack implementation. I will push a fix for it.
Offline
A short demonstration of running sim 2 against iClass SE r10 reader.
Offline
Some people have asked me why the hf iclass loclass attack fails when hf iclass sim 2 collected all data successfully.
There is nothing wrong, it's just that the reader is NOT configured for high security / elite keys... So the loclass attack will fail, running a long time, failing three bytes... Once you see that first message, just break the execution since the attack will fail.
When this happens, try collecting an authentication trace and a list of known default iclass keys and run it with
hf iclass lookup
inside iceman fork.
The reader most likely uses an old legacy key, of which there are quite a few....
Is it possible the reader is not configured in high security mode, nor using legacy keys, e.g. with a customised site key, but the authentication method using standard security mode? That way, the key will not be easily extracted using sim 2.
However, if this were true, all credentials would need to be specially programmed. According to "How to order", there is no such option, only 2 options for credential programming: 1. Standard mode 2. Elite mode with customised ICE number.
I have seen some credentials; they are not using an SIO payload, they are not encrypted with any currently known global master keys, and sim 2 from the reader (SE R10) can't get a valid calculation.
Last edited by brantz (2018-05-16 13:51:37)
Offline
Do you have an authentication trace against one of those problematic credentials?
Offline
Do you have an authentication trace against one of those problematic credentials?
This is what I got from the 9 CSNs from your repo.
I'm using a special antenna which prevents me from sniffing comms, so I don't have the actual trace for credential auth.
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 40544 | Rdr |0a | | ACTALL
44342944 | 44368272 | Tag |0f! | |
44343392 | 44349616 | Rdr |0c | | IDENTIFY
44390736 | 44436496 | Tag |40 e1! e1! ff! fe 5f! 02 3c! 43 01 | ok |
44393872 | 44439424 | Rdr |0a | | ACTALL
45645136 | 45679008 | Tag |0f! | |
45645600 | 45659936 | Rdr |0c | | IDENTIFY
45692544 | 45747280 | Tag |40 e1! e1! ff! fe 5f! 02 3c! 43 01 | ok |
45695744 | 45749888 | Rdr |0a | | ACTALL
46946752 | 46989728 | Tag |0f! | |
46947216 | 46971296 | Rdr |0c | | IDENTIFY
46994800 | 47057936 | Tag |40 e1! e1! ff! fe 5f! 02 3c! 43 01 | ok |
46997936 | 47032960 | Rdr |81 40 e1 e1 ff fe 5f 02 3c | | SELECT
47041648 | 47057952 | Tag |01 0a! 0f! ff! f7 ff! 12! e0 62 75 | ok |
47044800 | 47045344 | Rdr |0c 05 de 64 | ok | READ(5)
47297504 | 47320048 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
47300608 | 47305984 | Rdr |88 02 | | READCHECK[Kd](2)
47420736 | 47450592 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
47423312 | 47424256 | Rdr |05 e0 e8 c0 98 4b 0c d1 ac | | CHECK
0 | 39648 | Rdr |0a | | ACTALL
236304 | 262512 | Tag |0f! | |
236720 | 244640 | Rdr |0c | | IDENTIFY
284816 | 330768 | Tag |c1 80 c1 ff! fe 5f! 02 9c! 24! 50! | ok |
287952 | 305664 | Rdr |81 c1 80 c1 ff fe 5f 02 9c | | SELECT
331536 | 396256 | Tag |0c! 06! 0c! fe f7 ff! 12! e0 1c 79 | ok |
334624 | 383584 | Rdr |0c 05 de 64 | ok | READ(5)
587200 | 592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
590368 | 643696 | Rdr |88 02 | | READCHECK[Kd](2)
709840 | 723488 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
712480 | 766080 | Rdr |05 cf 72 27 32 9e 56 c7 d4 | | CHECK
0 | 55008 | Rdr |0a | | ACTALL
251680 | 262560 | Tag |0f! | |
252144 | 308896 | Rdr |0c | | IDENTIFY
298960 | 330768 | Tag |e2! 72! 70 ef fe 5f! 02 1c ff! 3a! | ok |
302096 | 305792 | Rdr |81 e2 72 70 ef fe 5f 02 1c | | SELECT
345808 | 396320 | Tag |10 97 83 7b! f7 ff! 12! e0 2d! 21! | ok |
348960 | 384480 | Rdr |0c 05 de 64 | ok | READ(5)
602432 | 658416 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
605536 | 644464 | Rdr |88 02 | | READCHECK[Kd](2)
725776 | 789024 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
728416 | 762880 | Rdr |05 8e 3f f0 ea 51 dc 3f a9 | | CHECK
0 | 41952 | Rdr |0a | | ACTALL
238624 | 262560 | Tag |0f! | |
239088 | 243872 | Rdr |0c | | IDENTIFY
286416 | 330768 | Tag |e2! 52 50! ef fe 5f! 02 7c 1a bf | ok |
289552 | 305936 | Rdr |81 e2 52 50 ef fe 5f 02 7c | | SELECT
333408 | 396256 | Tag |13 97 82! 7a f7 ff! 12! e0 92 a4 | ok |
336496 | 384224 | Rdr |0c 05 de 64 | ok | READ(5)
589712 | 592880 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
592816 | 644480 | Rdr |88 02 | | READCHECK[Kd](2)
713072 | 723488 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
715712 | 762768 | Rdr |05 3f bb d6 f9 7b ef f2 91 | | CHECK
0 | 40544 | Rdr |0a | | ACTALL
237200 | 262560 | Tag |0f! | |
237664 | 243872 | Rdr |0c | | IDENTIFY
284992 | 330768 | Tag |c0! a1 21! ff! fe 5f! 02 fc! d8! cc! | ok |
288128 | 306048 | Rdr |81 c0 a1 21 ff fe 5f 02 fc | | SELECT
332096 | 396320 | Tag |07 0e 0d f9! f7 ff! 12! e0 6b 34 | ok |
335248 | 383840 | Rdr |0c 05 de 64 | ok | READ(5)
588080 | 592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
591248 | 644464 | Rdr |88 02 | | READCHECK[Kd](2)
711488 | 723488 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
714128 | 763392 | Rdr |05 f0 94 d1 d6 2d d6 26 28 | | CHECK
0 | 41184 | Rdr |0a | | ACTALL
237856 | 262560 | Tag |0f! | |
238320 | 243616 | Rdr |0c | | IDENTIFY
285376 | 330784 | Tag |c2 92 d0 ee! fe 5f! 02 9c! 19 a1 | ok |
288528 | 306048 | Rdr |81 c2 92 d0 ee fe 5f 02 9c | | SELECT
332496 | 396320 | Tag |14! 96! 84! 76 f7 ff! 12! e0 83 c8 | ok |
335648 | 384112 | Rdr |0c 05 de 64 | ok | READ(5)
588752 | 592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
591920 | 644848 | Rdr |88 02 | | READCHECK[Kd](2)
712560 | 723408 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
715120 | 762768 | Rdr |05 74 ea 6c 80 a1 0a 9d cc | | CHECK
0 | 41824 | Rdr |0a | | ACTALL
238480 | 262560 | Tag |0f! | |
238944 | 244000 | Rdr |0c | | IDENTIFY
286400 | 330832 | Tag |c2 b2! 30! ee! fe 5f! 02 fc! 8f 23 | ok |
289600 | 305920 | Rdr |81 c2 b2 30 ee fe 5f 02 fc | | SELECT
333440 | 396256 | Tag |17! 96! 85 71! f7 ff! 12! e0 a4 76 | ok |
336528 | 384224 | Rdr |0c 05 de 64 | ok | READ(5)
589744 | 592880 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
592848 | 644096 | Rdr |88 02 | | READCHECK[Kd](2)
712720 | 723424 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
715296 | 763776 | Rdr |05 40 48 ba 35 fc 62 f1 d3 | | CHECK
0 | 44256 | Rdr |0a | | ACTALL
240928 | 262496 | Tag |0f! | |
241328 | 244512 | Rdr |0c | | IDENTIFY
289296 | 330832 | Tag |b9 f8 e1! ee! fe 5f! 02 dc 21! 42! | ok |
292496 | 305680 | Rdr |81 b9 f8 e1 ee fe 5f 02 dc | | SELECT
336096 | 396256 | Tag |ce c5! 0f! 77! f7 ff! 12! e0 59! e2! | ok |
339184 | 383584 | Rdr |0c 05 de 64 | ok | READ(5)
591760 | 592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
594928 | 644080 | Rdr |88 02 | | READCHECK[Kd](2)
714784 | 723424 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
717360 | 763648 | Rdr |05 35 6e eb 1c f7 da 6e 71 | | CHECK
0 | 41440 | Rdr |0a | | ACTALL
238096 | 262512 | Tag |0f! | |
238512 | 244640 | Rdr |0c | | IDENTIFY
286608 | 330768 | Tag |5a! 4b! 10 ff! fe 5f! 02 5c! af! d7! | ok |
289744 | 306192 | Rdr |81 5a 4b 10 ff fe 5f 02 5c | | SELECT
333856 | 396256 | Tag |d2! 5a! 82! f8 f7 ff! 12! e0 b7! 78! | ok |
336944 | 384624 | Rdr |0c 05 de 64 | ok | READ(5)
590576 | 592928 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea f5! | ok |
593728 | 644464 | Rdr |88 02 | | READCHECK[Kd](2)
713968 | 723488 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
716608 | 762640 | Rdr |05 e5 b6 d0 65 b2 56 90 12 | | CHECK
Last edited by brantz (2018-06-02 12:34:41)
Offline
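Two posts above explain what a trace should look like: the reader's ACTALL and IDENTIFY followed by the tag's anti-collision serial (iceman's reply to the rdv2 trace), and then SELECT, READ, READCHECK[Kd] and CHECK in brantz's longer trace. The recurring question in the thread is which of those steps a given reader actually reached. The following parser is an added example written for this thread, not code from the forum or from the Proxmark3 project. It reads the printed trace table format used in the posts above (Start | End | Src | Data | CRC | Annotation, `!` marking a parity error, wrapped rows with an empty Start column), joins wrapped rows, groups rows into exchanges that begin at each reader ACTALL, counts repeated ACTALL polls, records the tag's replies to IDENTIFY and SELECT (in the posted traces the reply to SELECT carries the simulated CSN, e.g. `01 0a 0f ff f7 ff 12 e0` for the CSN `010a0ffff7ff12e0` shown in the sim output), and flags whether the reader got as far as CHECK or sent HALT. `SAMPLE_TRACE` is constructed from the posted traces and abbreviated; the grouping rules and field names are this example's own.

```python
"""Summarise a Proxmark3 iClass trace: which step did each reader/tag exchange reach?

Added example for this thread; not code from the forum or the Proxmark3 project.
The row layout, the '!' parity marker and wrapped rows with an empty Start column
follow the traces posted above. SAMPLE_TRACE is constructed from them and abbreviated.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_TRACE = """\
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-----------------------------------+-----+------------
0 | 40544 | Rdr |0a | | ACTALL
44342944 | 44368272 | Tag |0f! | |
44343392 | 44349616 | Rdr |0a | | ACTALL
44390736 | 44436496 | Tag |0f | |
44393872 | 44439424 | Rdr |0c | | IDENTIFY
45645136 | 45679008 | Tag |40 e1! e1! ff! fe 5f! 02 3c! 43 01 | ok |
45645600 | 45659936 | Rdr |81 40 e1 e1 ff fe 5f 02 3c | | SELECT
45692544 | 45747280 | Tag |01 0a! 0f! ff! f7 ff! 12! e0 62 75 | ok |
45695744 | 45749888 | Rdr |88 02 | | READCHECK[Kd](2)
46946752 | 46989728 | Tag |fe ff! ff! ff! ff! ff! ff! ff! | ok |
46947216 | 46971296 | Rdr |05 e0 e8 c0 98 4b 0c d1 ac | | CHECK
0 | 39648 | Rdr |0a | | ACTALL
236304 | 262512 | Tag |0f! | |
236720 | 244640 | Rdr |0c | | IDENTIFY
284816 | 330768 | Tag |c1 80 c1 ff! fe 5f! 02 9c! 24! 50! | ok |
287952 | 305664 | Rdr |00 | | HALT
"""

@dataclass
class Row:
    src: str            # "Rdr" (reader) or "Tag"
    data: bytes         # payload bytes with the '!' parity markers removed
    parity_errors: int  # how many bytes carried a '!' marker
    crc: str            # CRC column as printed ("ok" or empty)
    annotation: str     # e.g. "ACTALL", "READCHECK[Kd](2)"

def parse_trace(text: str) -> List[Row]:
    """Turn the printed trace table into Row objects, joining wrapped rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Start", "-")):
            continue  # blank, header or separator line
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4:
            continue
        toks = cols[3].split()
        payload = bytes(int(t.rstrip("!"), 16) for t in toks)
        perr = sum(1 for t in toks if t.endswith("!"))
        if cols[0] == "" and rows:
            # wrapped row: only the Data column is filled, so extend the previous row
            rows[-1].data += payload
            rows[-1].parity_errors += perr
            continue
        crc = cols[4] if len(cols) > 4 else ""
        annotation = cols[5] if len(cols) > 5 else ""
        rows.append(Row(cols[2], payload, perr, crc, annotation))
    return rows

@dataclass
class Exchange:
    steps: List[str] = field(default_factory=list)  # reader commands seen, in order
    polls: int = 0                     # ACTALL repeats before the reader moved on
    anticoll: Optional[bytes] = None   # tag reply to IDENTIFY (first 8 bytes)
    csn: Optional[bytes] = None        # tag reply to SELECT (first 8 bytes)
    parity_errors: int = 0             # '!' markers over all tag replies in this exchange

    @property
    def reached_check(self) -> bool:
        return "CHECK" in self.steps

def summarize(rows: List[Row]) -> List[Exchange]:
    """Group rows into exchanges; a new one starts when the reader sends ACTALL
    after having progressed beyond ACTALL in the current one."""
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    for row in rows:
        if row.src == "Rdr":
            m = re.match(r"[A-Z]+", row.annotation)
            cmd = m.group(0) if m else row.data[:1].hex()  # "READ(5)" -> "READ"
            if cmd == "ACTALL":
                if cur is None or cur.steps != ["ACTALL"]:
                    cur = Exchange(steps=["ACTALL"], polls=1)
                    exchanges.append(cur)
                else:
                    cur.polls += 1  # reader is still only polling
            elif cur is not None:
                cur.steps.append(cmd)
        elif row.src == "Tag" and cur is not None:
            cur.parity_errors += row.parity_errors
            if cur.steps[-1] == "IDENTIFY" and cur.anticoll is None:
                cur.anticoll = row.data[:8]
            elif cur.steps[-1] == "SELECT" and cur.csn is None:
                cur.csn = row.data[:8]
    return exchanges

if __name__ == "__main__":
    for n, ex in enumerate(summarize(parse_trace(SAMPLE_TRACE)), 1):
        print(f"exchange {n}: polls={ex.polls} steps={'>'.join(ex.steps)} "
              f"csn={ex.csn.hex() if ex.csn else '-'} "
              f"parity_errors={ex.parity_errors} reached_check={ex.reached_check}")
```

Paste a trace copied from the client into `SAMPLE_TRACE` (or read it from a file) and the summary tells you at a glance whether a reader only polled, stopped after IDENTIFY with a HALT as in the rdv2 trace above, or completed the sequence through CHECK; a high `parity_errors` count on an exchange that otherwise looks complete points at antenna coupling or a clone board, which is the other diagnosis this thread keeps returning to.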
Some people have asked me why the hf iclass loclass attack fails when hf iclass sim 2 collected all data successfully.
There is nothing wrong, it's just that the reader is NOT configured for high security / elite keys... So the loclass attack will fail, running a long time, failing three bytes... Once you see that first message, just break the execution since the attack will fail.
Hi dear iceman:
I've got the exact same situation, but but but, when you say "--> failing three bytes... Once you see that first message, just break the execution since the attack will fail."
I actually kept running even though the initial loclass attack appeared to fail. However, in the end it actually gives a key.
Is it supposed to print out a random iclass key even after failing?
Unfortunately, I cannot test right now because I no longer have the fob on me to test.
Last edited by Heru (2018-06-04 13:39:58)
Offline
Yes, it will always print out the results. That key is mostly garbage. Depends on the amount of failed recovery bytes.
Offline