Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Used pm3 easy(iceman fork) working well for all other types. Can read iClass legacy and blank, well (with leaked key).
Tried to read programmed iClass fob, on the back, number and ER. no *, no + mark. only number(serial number or site number) and ER.
It is not identified or recognized by pm3. iClass dump command with leaked key, nothing, only displayed below:
---------------------------
-no tag found...
---------------------------
Changed position of fob, and height... all failed. same, no tag found message.
Got mac attack file, with sim 2 from reader. calculation failed, too.
--------------------------------------------------------
Failed to recover 3 bytes using the following CSN
CSN = ......
error, we are missing byte 0-15, custom key calculation will fail...
standard format = ...
iclass format = ...
Failed to verify calculated master key! something is wrong.
--------------------------------------------------------
I am not sure it is high security, installed some months ago, but with leaked legacy key and dump command, even not recognized. Just think it is high security and newer fob, not readable. If it is legacy one, why not recognized? or if it is newer one, how can I read it and get key with sim?
appreciate in advance, if any advice or hints for me.
Thanks.
Last edited by onebyte (2019-01-17 10:53:03)
Offline
Could be your pm3 easy is too weak or noisy to hear the tiny antenna in the keyfob.
Or is the keyfob dead?
Offline
AFAIK, 205x fobs normally will not have + symbol on the back. ER indicates it's programmed with SIO. Credentials produced after 4th quarter 2017 will not be read by pm3, no matter what model it is.
In addition, it's a popular trend for the recent installed readers, suppliers will use Customer Key instead or elite or standard key. In this way, it uses legacy authentication method with customer key. The benefits are 1. No need to sign elite program with HID, 2. Control your own key entirely and change it at anytime you like, 3. it's not cracked yet
Last edited by brantz (2019-01-18 04:53:07)
Offline
Thanks for kind answer. so it is impossible to clone newer iclass whatever model it is? Or any pm3 software version or any other device for it? Even I have custom key for another fob and reader, but iclass fob not readable...
And about getting key from reader, I used iclass sim 2 command, if it is not working, is there any other way? I do not think so. I tried sim 2 for reader several times, but all failed to get custom key with it.
Tested fob is genuine, working one, not broken or dead.
Offline
If you can't get key, it means the reader is configured in legacy authentication mode.
To understand it a bit more, there are 3 keys involved,
- Authentication key - initial communication with credentials, 2 algos - legacy or elite
- SO key - encrypt access control bits and app2, while using SO, access bits are not stored on blk 7-9
- TDES key - encrypt blk 7-9
Then it has following scenarios with different combinations
SO Only:
Authentication key + SO key + TDES key
SR+SO:
Authentication key + TDES key
All 3 keys can be customized
Depends on when the credentials produced, in your case, if you have the customer key but pm3 can't read the credential, you will need a HID produced reader and load the customer key to get the access bits.
Please note: all above information is based on my investigation, it could be wrong. If anyone knows better, please help to correct
Last edited by brantz (2019-01-18 21:58:41)
Offline
What is HID produced reader? is it normal iclass reader? I do not think so... That reader can get any custom key and read fob? Or you mean normal reader.
I have iclass reader and high security fobs for test, but pm3 can not read that fobs(new ones). Even I know custom key for this fob and reader, pm3 could not clone it. Any good idea? I never heard HID sells iclass cloner.
Offline
Pages: 1