Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-11-10 23:57:38

ryanr775
Contributor
Registered: 2020-11-10
Posts: 5

Can't clone iClass card, multiple failures.

Hi all,
I'm having an issue cloning an iClass DP XT card.
I'm running a PM3 RDV4 with current Iceman fork.

=] Using UART port /dev/tty.usbmodemiceman1
[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗ 
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗     ❄️  iceman@icesql.net
  ██║     ██║ ╚═╝ ██║█████╔╝    https://github.com/rfidresearchgroup/proxmark3/
  ╚═╝     ╚═╝     ╚═╝╚════╝  Release v4.9237 - Ice Coffee ☕


 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/release (git) 
  compiled with Clang/LLVM Apple LLVM 12.0.0 (clang-1200.0.32.21) OS:OSX ARCH:x86_64

 [ PROXMARK3 RDV4 ]
  external flash:                  present
  smartcard reader:                present

 [ PROXMARK3 RDV4 Extras ]
  FPC USART for BT add-on support: absent

 [ ARM ]
  bootrom: RRG/Iceman/master/release (git) 
       os: RRG/Iceman/master/release (git) 
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 288908 bytes (55%) Free: 235380 bytes (45%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Here are the steps I've completed (by following the cheat sheet)
1) Reverse Permuted key. From what I have gathered, when using the master key, it will always come out the same, so the card doesn't even have to be on the reader, in theory.
2) hf iclass reader. I let this run, and I assume once it finds the card I am to press the button to stop it, allowing more commands

+]    CSN: F6 6B 9B 02 XX XX XX XX 
[+]     CC: FF FF FF FF ED FB FF FF 
[+]     Mode: Application [Locked]
[+]     Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Secured page, keys not locked
[!] ⚠️      RA: Read access not enabled
[=]     Block write lock: ff
[=]     EAS: ff
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
    AA1: blocks 06-12
    AA2: blocks 13-1F
    OTP: 0xFFFF
    KeyAccess:
    Read A - Kd or Kc
    Read B - Kd or Kc
    Write A - Kc
    Write B - Kc
    Debit  - Kd or Kc
    Credit - Kc
[+]  App IA: FF FF FF 00 06 FF FF FF 
[+]       : Possible iClass - SE credential tag
[+]       : Tag is iClass, CSN is in HID range

3) dump iclass card (again, using a static key that is given when you permute the master key, I'm using the unpermuted key on this step.
This is where I run into my first set of issues,

[usb] pm3 --> hf iclass dump k AFA785­A7D­AB3­3378

[!] ⚠️  ERROR: Credit Key is incorrect length

At this point, I re searched for the card and tried the same command again, getting a different error.

[usb] pm3 --> hf iclass dump k AFA785A7DAB33378
[!] ⚠️  failed authenticating with debit key

With that failing, I decided to try and move onto the next step without dumping the key (makes no sense, I know)

[usb] pm3 --> hf iclass rdbl b 07 k AFA785A7DAB33378
[!!] ? failed to authenticate and read block

I assume this is because it wasn't dumped.

At this point, I used loclass and the iclass_dump.bin file to get the kcus key. This is the part where I was totally stumped.

I used the kcus key in both permuting it and just using that as the key for the dump, neither of those worked either, though.

At this point, I'm completely stumped with what to do, I've searched every forum post I've seen about the either credit key being the incorrect length, the debit key failing to unauthenticated, and the read block failing as well.

Any advice from anyone here?

Also, while not related to cloning and Prox, the iclass key has the numbers on it which identify it, is there a way to reverse those to get the info I need?  I'm not dead set on using Proxmark to determine the key, but that's what I've been researching and found to be most effective.

Offline

#2 2020-11-11 01:08:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Can't clone iClass card, multiple failures.

you seem to suffer from odd white space characters...   

And let me recommend you try the latest master from the repo instead of the release since its beginning to be a bit old

Offline

#3 2020-11-25 23:37:53

ryanr775
Contributor
Registered: 2020-11-10
Posts: 5

Re: Can't clone iClass card, multiple failures.

Hi Iceman sorry about the delay in response. I did download the master and replace it with the git version, but I'm still facing the same issues still. I get an authentication failure. I've tried HF iclass sim 2 and have the bin file from that, as well as hf iclass sim 4. Based on the data, I do not believe it's an elite system rather it is a legacy iclass system. I've tried to brute force data from the bin files and it fails each time. I'm really having an issue trying to figure out what I'm doing wrong or what the correct steps are. I see the cheat sheets, but beyond that I have no idea why it performs the way it does. Is there a write up that goes very in-depth on the iclass systems? I've read every forum post I could find that shares my issues, but still have nothing. Is AFA785­A7D­AB3­3378 the correct key to use to dump, or am I missing something?
Thanks

Offline

#4 2020-11-26 00:12:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Can't clone iClass card, multiple failures.

It seems to be using the latest key tech.  No legacy / legacy elite will work.

 Possible iClass - SE credential tag

Offline

#5 2020-11-26 17:45:47

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Can't clone iClass card, multiple failures.

Just to notice this: It is possible for HID to provide reader and cards with a changed key. These are "user defined iClass card" or however they call it. They are rare, but exists. If you are sure this is a legacy card, you might have some of this rare modified versions...
In this case: The keys are simple not known.

Edit: The provided key is the un-permuted master key.

Last edited by Jason (2020-11-26 17:48:25)

Offline

#6 2020-11-27 12:45:32

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: Can't clone iClass card, multiple failures.

Jason wrote:

Just to notice this: It is possible for HID to provide reader and cards with a changed key. These are "user defined iClass card" or however they call it. They are rare, but exists. If you are sure this is a legacy card, you might have some of this rare modified versions...
In this case: The keys are simple not known.

Edit: The provided key is the un-permuted master key.

Hi Jason
I just ran into a system as u just described. Do u have any idea how to recover the un-permuted master key? thanks

Offline

#7 2020-11-30 10:32:30

Jason
Contributor
Registered: 2016-07-21
Posts: 55

Re: Can't clone iClass card, multiple failures.

yukihama wrote:

Do u have any idea how to recover the un-permuted master key?

Of course! As it was done for the first time: Reverse engineer the reader firmware big_smile
Not the answer you might want, but in fact the only way (so far...).
For iClass not the encryption if faulty, the reader firmware was the problem. So the master key gets leaked.
Without leaking this specific key again, I can't see any chance here.

Offline

Board footer

Powered by FluxBB