Proxmark3 community


#1 2011-04-18 18:45:28

hshk99
Member
Registered: 2010-07-14
Posts: 4

what is facility code of key fob

Does anyone know what the facility code of a key fob indicates?

Last edited by hshk99 (2011-04-18 18:46:04)


#2 2011-04-29 23:06:44

hshk99
Member
Registered: 2010-07-14
Posts: 4

Re: what is facility code of key fob

I have recently acquired some HID iClass key fobs. I am interested in emulating an iClass key, and I can see the key fob has some sort of code inscribed on it (D1XXX).

I was wondering if these are unique codes that HID distributed to each key fob, and therefore if it would enable them to track down the distribution channel with them.

Last edited by hshk99 (2011-04-29 23:51:50)


#3 2011-04-30 16:36:55

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: what is facility code of key fob

To emulate an iClass keyfob you need to know four things:

1. Is it from a system that is operating in the standard security mode? If so, you are in luck. If not, and it is from an "Elite" or "High Security" system then you are probably out of luck (at least for now).

2. The tag format. You need to know whether it has been programmed using HID's 26-bit (H10301) format or one of the other ones that they use.

3. The tag number. This number is usually printed on the backside of the keyfob or card. The range of this number is dictated by the format being used (e.g. 16 bits for a 26-bit card format).

4. The facility code. This number is not printed on the tag but can be obtained from decoding the Wiegand data stream from the card reader. The range of this number is dictated by the format being used (e.g. 8 bits for a 26-bit card format).


If you have all of this information then a standard iClass keyfob can be copied or emulated by using the methods described in the paper presented a few months ago at the 27th Chaos Communication Congress in Berlin.

http://www.openpcd.org/HID_iClass_demystified

Once you have the Standard iClass authentication key it is simply a matter of modifying Block 7 of an iClass credential with the encrypted value of the Wiegand data stream of the keyfob (or card) that you are trying to emulate. For example, if you wanted to emulate a 26-bit keyfob with a facility code of "00" and a user code of "0001" you would simply program Block 7 with a 64-bit value of 0x6c9ddbca9dfc2300. Not exactly simple, but certainly possible.

[Note: The 8-digit number printed on the back of the credential is supposedly the vendor's "Order Number". This allows HID to maintain a database with all of the applicable information for that credential including such things as format, facility code, order date, purchaser, etc.]

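The 26-bit (H10301) layout referred to in points 2 to 4 of the reply above, as an added example that is not part of the original thread: a decoder that splits an unencrypted Wiegand frame into its 8-bit facility code and 16-bit card number and checks both parity bits. The parity convention is the commonly published H10301 layout and is an assumption here, since the posts do not spell it out; the function names and sample frames are constructed for illustration.

```python
# Added example: decode a 26-bit HID H10301 Wiegand frame.
# Assumed layout (commonly published H10301, not stated in the thread):
#   bit 0       even parity covering bits 1-12
#   bits 1-8    facility code (8 bits)
#   bits 9-24   card number (16 bits)
#   bit 25      odd parity covering bits 13-24


def parse_bits(text: str) -> int:
    """Turn a captured bit string ('0'/'1', spaces allowed) into an integer frame."""
    cleaned = text.replace(" ", "")
    if len(cleaned) != 26 or set(cleaned) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of 0/1")
    return int(cleaned, 2)


def decode_h10301(frame: int) -> dict:
    """Split a 26-bit frame into facility code and card number, with parity check."""
    if not 0 <= frame < (1 << 26):
        raise ValueError("H10301 frames are exactly 26 bits")
    # bits[0] is the first bit on the wire (most significant bit of the integer).
    bits = [(frame >> (25 - i)) & 1 for i in range(26)]
    # Leading parity bit plus its 12 data bits must contain an even number of ones.
    even_ok = sum(bits[:13]) % 2 == 0
    # Last 12 data bits plus the trailing parity bit must contain an odd number of ones.
    odd_ok = sum(bits[13:]) % 2 == 1
    return {
        "facility_code": (frame >> 17) & 0xFF,   # 8 bits, range 0-255
        "card_number": (frame >> 1) & 0xFFFF,    # 16 bits, range 0-65535
        "parity_ok": even_ok and odd_ok,
    }


if __name__ == "__main__":
    # Constructed sample frames, not captured from any real system.
    samples = {
        "FC 0 / card 1": 0x0000002,
        "FC 123 / card 4567": 0x2F623AE,
        "same frame, one bit flipped": 0x2F623AE ^ 0x2,
    }
    for label, frame in samples.items():
        print(f"{label}: {frame:026b} -> {decode_h10301(frame)}")
```

A frame whose parity check fails should be treated as a read error and not as a valid credential number.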
