Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-06-02 19:12:08

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Reader + Software for reading iClass SE cards?

Hi there,

Since PM3 cannot read the actual data (e.g. format, ID, and Facility Code) from an iClass SE card (assuming the use of default keys), is there a recommended/easiest way to read that data?

Presumably you'd need an HID reader with those keys.... would one of the OmniKey readers work for that (since they have a nice USB interface, etc.) or would I need to literally buy an R40 and hook that up to something?

Thanks!

Offline

#2 2019-06-03 15:56:21

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 166

Re: Reader + Software for reading iClass SE cards?

There are at least two ways to read the access control data from an iclass SE credential. I have not tried using an OmniKey reader but I suspect it would be possible if you were ever able to get ahold of the new SE Master authentication key.

The two ways that I have personal experience with are as follows:

1. Use an iClass SE reader itself to read the credential. You simply have to hook up a 5-16 Vdc power source to the reader and then monitor the two wiegand signal pins with a digital storage oscilloscope or a logic analyzer. The wiegand code that is output will all ow you to obtain the credential format (e..g. 26-bit, 35-bit, etc) , the facility code and the card number. The information necessary to break down this code can be found on this forum or in various places on the internet.

2. The second method involves a slightly more intrusive method but allows access to much more information.
The new SE readers utilize a Secure Access Module (SAM) to perform all of the cryptographic algorithms and to store all of the reader keys. The communication between the main microcontroller and the SAM is done on a high speed serial interface that is accessible via a test pad on the PCB. This test point can be accessed by drilling a small hole through the potting material that encapsulates the reader. If you look at the photos of an R10SE reader PCB that 0xFFFF posted awhile back you can locate TP324 and then solder a wire on it to gain access to the serial data stream that occurs as the credential is being read.
Monitoring the data that flows across this interface allows access to all of the raw SIO data blocks, the MAC codes used during authentication and all of the access control information for the credential.

PCB Photo for R10SE Reader: http://www.proxmark.org/forum/viewtopic.php?id=1994

Example of actual data obtained from SE credential using Method #2 above:

CSN   = 6b16b801fbff12e0
Blk5  = ffffff0006ffffff
Blk2  = fffffffffdffffff
Nonce = 0c239ddd (Auth)
MAC1  = 11f1f097 (Rdr Auth)
MAC2  = 4ade2fd1 (Tag Auth)
Blk2  = fffffffffcffffff (new)
MAC3  = 5dc00ac7 (Blk2 Update)
Blk6  = 3031810401fa223d
Blk7  = a5020500a6088101
Blk8  = 010403030008a717
Blk9  = 85156c9090ff2a53
Blk10 = 32dd06bf2644fad8
Blk11 = f52d396f811774a9
Blk12 = 0205000500000000
Fmt   = 26 bit
Wieg  = 00000000012d3903
Fac   = 150  [H10301]
Card  = 40065

Offline

#3 2019-06-09 02:44:12

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: Reader + Software for reading iClass SE cards?

carl55 wrote:

There are at least two ways to read the access control data from an iclass SE credential. I have not tried using an OmniKey reader but I suspect it would be possible if you were ever able to get ahold of the new SE Master authentication key.

The two ways that I have personal experience with are as follows:

1. Use an iClass SE reader itself to read the credential. You simply have to hook up a 5-16 Vdc power source to the reader and then monitor the two wiegand signal pins with a digital storage oscilloscope or a logic analyzer. The wiegand code that is output will all ow you to obtain the credential format (e..g. 26-bit, 35-bit, etc) , the facility code and the card number. The information necessary to break down this code can be found on this forum or in various places on the internet.

2. The second method involves a slightly more intrusive method but allows access to much more information.
The new SE readers utilize a Secure Access Module (SAM) to perform all of the cryptographic algorithms and to store all of the reader keys. The communication between the main microcontroller and the SAM is done on a high speed serial interface that is accessible via a test pad on the PCB. This test point can be accessed by drilling a small hole through the potting material that encapsulates the reader. If you look at the photos of an R10SE reader PCB that 0xFFFF posted awhile back you can locate TP324 and then solder a wire on it to gain access to the serial data stream that occurs as the credential is being read.
Monitoring the data that flows across this interface allows access to all of the raw SIO data blocks, the MAC codes used during authentication and all of the access control information for the credential.

PCB Photo for R10SE Reader: http://www.proxmark.org/forum/viewtopic.php?id=1994

Example of actual data obtained from SE credential using Method #2 above:

CSN   = 6b16b801fbff12e0
Blk5  = ffffff0006ffffff
Blk2  = fffffffffdffffff
Nonce = 0c239ddd (Auth)
MAC1  = 11f1f097 (Rdr Auth)
MAC2  = 4ade2fd1 (Tag Auth)
Blk2  = fffffffffcffffff (new)
MAC3  = 5dc00ac7 (Blk2 Update)
Blk6  = 3031810401fa223d
Blk7  = a5020500a6088101
Blk8  = 010403030008a717
Blk9  = 85156c9090ff2a53
Blk10 = 32dd06bf2644fad8
Blk11 = f52d396f811774a9
Blk12 = 0205000500000000
Fmt   = 26 bit
Wieg  = 00000000012d3903
Fac   = 150  [H10301]
Card  = 40065

Thanks! I really appreciate the help.

One thing I did stumble across was the pcProx Plus reader from RFideas, which claims to support reading actual data from iClass SE cards, even those with Elite keys, as opposed to just CSN.

This is fairly surprising, since my understanding had been that HID didn’t share iClass SE technology with anyone else, which is why most other readers out there that claim to read iClass SE are really only reading the CSN.

I’ve not (yet) purchased one to see if it actually does what it claims to do, but if it does, that might be a bit easier to work with than getting read data directly from an R40, etc.

I’m curious if anyone has already looked at the pcProx Plus reader for “RFID Sec” purposes...

Offline

#4 2019-06-14 02:46:03

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: Reader + Software for reading iClass SE cards?

FYI, I am successfully able to read Legacy iClass (and presumably iClass SE also, given the official specs) access data using the pcProx Plus with iClass SE support (RDR-80081AKU).

Might be useful for folks in the future instead of having to modify an R40, etc.

Last edited by aaronml (2019-06-25 17:44:12)

Offline

#5 2019-06-24 07:18:44

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: Reader + Software for reading iClass SE cards?

carl55 wrote:

There are at least two ways to read the access control data from an iclass SE credential. I have not tried using an OmniKey reader but I suspect it would be possible if you were ever able to get ahold of the new SE Master authentication key.

The two ways that I have personal experience with are as follows:

1. Use an iClass SE reader itself to read the credential. You simply have to hook up a 5-16 Vdc power source to the reader and then monitor the two wiegand signal pins with a digital storage oscilloscope or a logic analyzer. The wiegand code that is output will all ow you to obtain the credential format (e..g. 26-bit, 35-bit, etc) , the facility code and the card number. The information necessary to break down this code can be found on this forum or in various places on the internet.

2. The second method involves a slightly more intrusive method but allows access to much more information.
The new SE readers utilize a Secure Access Module (SAM) to perform all of the cryptographic algorithms and to store all of the reader keys. The communication between the main microcontroller and the SAM is done on a high speed serial interface that is accessible via a test pad on the PCB. This test point can be accessed by drilling a small hole through the potting material that encapsulates the reader. If you look at the photos of an R10SE reader PCB that 0xFFFF posted awhile back you can locate TP324 and then solder a wire on it to gain access to the serial data stream that occurs as the credential is being read.
Monitoring the data that flows across this interface allows access to all of the raw SIO data blocks, the MAC codes used during authentication and all of the access control information for the credential.

PCB Photo for R10SE Reader: http://www.proxmark.org/forum/viewtopic.php?id=1994

Example of actual data obtained from SE credential using Method #2 above:

CSN   = 6b16b801fbff12e0
Blk5  = ffffff0006ffffff
Blk2  = fffffffffdffffff
Nonce = 0c239ddd (Auth)
MAC1  = 11f1f097 (Rdr Auth)
MAC2  = 4ade2fd1 (Tag Auth)
Blk2  = fffffffffcffffff (new)
MAC3  = 5dc00ac7 (Blk2 Update)
Blk6  = 3031810401fa223d
Blk7  = a5020500a6088101
Blk8  = 010403030008a717
Blk9  = 85156c9090ff2a53
Blk10 = 32dd06bf2644fad8
Blk11 = f52d396f811774a9
Blk12 = 0205000500000000
Fmt   = 26 bit
Wieg  = 00000000012d3903
Fac   = 150  [H10301]
Card  = 40065

I assume this works only for standard iclass SE SO only credentials.

I'm more interested in how to read iclass SE with elite encryption. pm3 is surely not able to do it.

Possibly create a key rolling card to flash existing R10 reader with expected elite key?

Offline

#6 2019-06-24 16:19:23

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 166

Re: Reader + Software for reading iClass SE cards?

You are correct. The two methods shown above only work with readers that are matched (keyed the same) as the credential that they are trying to read.
Using a key configuration card to modify the authentication key would allow these methods to be used with Elite credentials.

There is one other way to read Elite SE credentials using a Replay Attack.
If you sniff a legitimate reader/card authentication and obtain the nonce and mac values that were used, those values can then be used to read the SE data blocks using any ISO 15653 device capable of issuing direct PicoPass commands.
I have personally used this approach with a HID RW100 reader/writer to send "ISO Pass-Through" commands that are described in the iclass serial protocol document. I believe the PM3 could also be used but I have not verified this.

Just be aware that an iclass SE reader will attempt to update the e-purse (card challenge) after every authentication. When doing a replay attack you must first set the e-purse of the credential to a value of 0 (e.g. 0xFFFFFFFF0000FFFF). The reader will not try to update the e-purse if it has been decremented to 0. A replay attack using sniffed nonce and mac values will only work if the e-purse remains the same.

Offline

Board footer

Powered by FluxBB