Research, development and trades concerning the powerful Proxmark3 device.
I got this iclass card with a + in front of the serial no. Most of the cards were with an *
The card was able to authenticate on omnikey 5321 with ContactlessDemoVC and iclassified using standard master key.
It was able to read and write on block 6 to 12 except blk 2 and 3. It failed to write the new div key on blk 3 and was unable to authenticate again with the card.
I checked on omnikey workbench it was detected as a 13.56MHz card
On my PM3 RDV2, the card cannot be read and prompted "no known/supported 13.56 MHz tags found"
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-568-ge09d5385 2018-02-14 15:55:18
os: iceman/master/ice_v3.1.0-568-ge09d5385 2018-02-14 15:55:24
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
pm3 --> hf search
#db# [!] error, uneven octet! (extra bits!) mask 02
#db# [!] error, uneven octet! (extra bits!) mask 02
#db# [!] error, uneven octet! (extra bits!) mask 02
timeout while waiting for reply.
no known/supported 13.56 MHz tags found
Does anyone know why PM3 is unable to read this type of card?
Offline
Hi gmsuz
I got this same problem of reading thin card with "+" printed. I have not got any answer yet.
I guess this is a non-standard iclass card issued by HID to prevent us reading ^_^
Last edited by yukihama (2018-07-19 03:06:27)
Offline
You might have killed the card.
Offline
only genuine HID product can read it.
Offline
Let me explain a little more about the new HID Iclass cards.
The + cards are not readable by the current pm3 due to the new mac calculation set by HID to prevent cloning (my assumption).
They kind of discontinued the * cards.
So now what is available in China due to reports is they are left with the + cards or some even * with the new format.
I just ordered 500 cards (legacy) - thin & thick cards - All tested (what is left I guess with one supplier)
I guess this is all that remains out in the market
Last edited by Dot.Com (2018-10-19 14:28:33)
Offline
I have plenty of legacy credentials. If anyone wants, ping me.
Offline
What kind of legacy credentials? Can you make a "hf iclass reader" output?
Offline
Hi, what are legacy credentials? I am interested in them, please ping me!
Offline
The configured, unprogrammed legacy credentials, produced before 2017, which can be read by pm3
Offline
OK, try the official pm3 repo, it has some enhancements to the modulation.
Offline
Tried with the latest official pm3 1203 repo, no success with + iclass card....T_T
Offline
I also have one of these cards that don't show up with a regular `hf search`.
I can conduct any testing needed.
Offline
no way to read or dump any + iclass card. Let's bet on this for 1KUSD LOL....
Offline
cocoahooves wrote: I also have one of these cards that don't show up with a regular `hf search`.
I can conduct any testing needed.
no way to read or dump any + iclass card. Let's bet on this for 1KUSD LOL....
What about iclass ER? Not able to read a card. Can you help me?
Offline
.
Last edited by NYCity25 (2018-12-10 05:36:41)
Offline
I have plenty of legacy credentials. If anyone wants, ping me.
How do I get in contact with you?
Offline
Interesting — so I just got my hands on a relatively new iClass SE keyfob, which has a "*" on it (not a "+") but isn't detectable/readable on a PM3. Nothing shows up in "hf search".... I'm running on the latest iceman fork release and have had no issues with older, legacy iClass fobs.
I wonder if this is the "some even * with the new format" you were referring to.
Has anyone seen any iClass SE cards/fobs with the "+" on them instead of a "*"?
Also, what do you mean by "due to the new mac calculation set by HID to prevent cloning"? Do you have any info on this new mac calculation and/or if it would be possible to modify the PM3 firmware to support it?
Offline
Take this with big grains of salt but... I interpreted it as:
HID claims SIO uses digital signatures, which I assume are used in replacement of the MAC? The signatures supposedly use 'RSA up to 2048 bit' and/or 'ECC up to 512 bit'
https://www.hidglobal.com/sites/default … -ds-en.pdf
I say 'and'... they produced a video that suggests each individual data field is encrypted, then signed, then they are all bundled together and signed. It is unclear if just one or both algorithms are used.
https://www.youtube.com/watch?v=ohEMaD_ … e=youtu.be
I should also note, 0xFFFF and Carl55 appear to have made some progress on this front - but if either have published an open paper on it I have not been able to find it. This gives me hope the solution to this is indeed obtainable.
While not useless information about SIO, the + symbol does not indicate SIO, as pointed out by 0xFFFF below... so all of this is barking up the wrong tree.
Last edited by Ryston (2019-08-07 17:39:22)
Offline
The solution to this is obtainable.
The '+' symbol indicates that it is programmed iCLASS (non-ISO14443B).
The '*' is for programmed iCLASS/Seos.
See here for more information. I couldn't find anyone referencing it so I'm assuming no one knows about it.
Offline
Now, that document could be a nice support function, where you enter the printed text and get out a HID explanation.
Offline
Thank you!
Last edited by Ryston (2019-07-31 02:28:33)
Offline
Working on trying to capture an exchange between one of these cards and a reader (trouble with btooth module talking to pm3 main)
Working on trying to understand the source code so I know how to tweak relevant variables to try stuff... (can barely understand comments, am newb)
... Noticed HID statement that their 14443 implementation deviates from the norm specifically in its anti-collision scheme. Unsure if this is known, suspect it is but post in case it is not. Have no specifics.
http://rfip.eu/papers/hid_iso_standards_smartcards.pdf
Will update again if there are future findings. Will attempt to gather any specific data requested.
ShaShadow's was able to read + denoted cards with v2.5
It did not work for me. (0/15)
User Crazyquark tried reading = denoted cards with v2.5 and similarly was unable to.
Last edited by Ryston (2019-08-13 16:39:37)
Offline
So I was informed recently by someone at HID that the new cards were a result of the chip HID was using being discontinued. The person I spoke to said that the new cards are no longer using PicoPass chips and said that the new chip they are using is confidential. It sounds like they built some type of iCLASS/PicoPass emulator using another chip..... that's how I interpreted it anyhow.
Offline
Really? I'm sure I investigated this already.
Time for more die photos!
...
Offline