Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-11-13 18:24:34

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Rework of 'hf iclass snoop', including jamming option

For those who are interested in iClass research: with PR#884 on official repository comes a working 'hf iclass snoop'.

As a bonus it has an option to jam (prevent) CC updates. If you don't know the advantages of an unchanged CC then this is not for you smile.

Hint: snooping works best with the antenna directly "attached" to the card and positioned between card and reader. Use the B and C LEDs to find the best snooping distance.

Offline

#2 2019-11-14 08:49:32

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: Rework of 'hf iclass snoop', including jamming option

piwi wrote:

For those who are interested in iClass research: with PR#884 on official repository comes a working 'hf iclass snoop'.

As a bonus it has an option to jam (prevent) CC updates. If you don't know the advantages of an unchanged CC then this is not for you smile.

Hint: snooping works best with the antenna directly "attached" to the card and positioned between card and reader. Use the B and C LEDs to find the best snooping distance.


can you succesfully do the  "Not legacy iclass card"?  LOL

Offline

#3 2019-12-04 18:35:38

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Rework of 'hf iclass snoop', including jamming option

I have added an '-n' option to 'hf iclass readbl' and 'hf iclass dump' for replaying a NR/MAC pair gathered with 'hf iclass snoop --jam'. Enjoy.

Offline

#4 2019-12-04 18:40:10

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Rework of 'hf iclass snoop', including jamming option

yukihama wrote:

can you succesfully do the  "Not legacy iclass card"?  LOL

Depends. Snooping and replaying NR/MAC should work on every Picopass card. Which doesn't mean that you can create working clones of each and every card.

Offline

#5 2020-10-13 09:02:29

hayabusa
Contributor
From: Australia
Registered: 2019-08-27
Posts: 12

Re: Rework of 'hf iclass snoop', including jamming option

piwi wrote:

I have added an '-n' option to 'hf iclass readbl' and 'hf iclass dump' for replaying a NR/MAC pair gathered with 'hf iclass snoop --jam'. Enjoy.


Hi Piwi

Thanks for your great work.
Im wondered, would you also add this function to writeblk?
it would be nice I think.

cheers

Offline

#6 2020-10-14 10:50:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Rework of 'hf iclass snoop', including jamming option

We are recalculating the MAC for each write cmd w data,  given the diversified key.   I see no possibility to replay it since we don't have the new mac needed.

Offline

#7 2020-10-16 14:49:45

hayabusa
Contributor
From: Australia
Registered: 2019-08-27
Posts: 12

Re: Rework of 'hf iclass snoop', including jamming option

iceman wrote:

We are recalculating the MAC for each write cmd w data,  given the diversified key.   I see no possibility to replay it since we don't have the new mac needed.

Thanks for confirming
cheers smile

Last edited by hayabusa (2020-10-17 23:40:57)

Offline

Board footer

Powered by FluxBB