Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-10-03 12:54:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

iclass cloning without masterkey!?

I stumbled upon this little blogpost and github repo. Since I don't know much about iclass I'll need to ask if this is possible?

Blog https://blog.kchung.co/reverse-engineer … ster-keys/
repo: https://github.com/ColdHeat/iclass

Offline

#2 2016-10-04 08:23:41

wintersoldier
Contributor
Registered: 2016-04-17
Posts: 10

Re: iclass cloning without masterkey!?

Yes, you simply use the package iclassified, and you need an omnikey5321.

I did this a few years ago, basically the keys are hidden in ROM under write/execute memory protection - so you can't extract the keys.  However, you simply call which key you want to use ( there are a few default ones, including mifare) and your away.

I was talking to Fran at Defcon, after he was presenting his talk; in his talk he kept talking about paying chinese hackers for the keys.  Brad and I pointed out that it wasn't necessary and all he needed was the omnikey and the iclassified package - its enough with programming skills to write your own program.  Think this is common knowledge now, Ive come across a number of physical-pentesters who can clone iClass keys, you ask them if they know the keys and the answer is "no", they use the omnikey with this / similar software.

Offline

#3 2016-10-04 11:04:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: iclass cloning without masterkey!?

Looking at the source, I don't see how you tell the reader to use a certain key.

Offline

#4 2016-10-04 18:10:09

wintersoldier
Contributor
Registered: 2016-04-17
Posts: 10

Re: iclass cloning without masterkey!?

iceman wrote:

Looking at the source, I don't see how you tell the reader to use a certain key.

iclass/iclass.c

lines 226  -- basically means authenticate with key x21 wink

odd though, I used keys 0x20 (kd) & 0x23 (kc)

Offline

#5 2016-10-04 20:01:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: iclass cloning without masterkey!?

bizarr that you can send a apdu which tells the reader to authenticate with a builtin key.

Offline

#6 2016-10-09 12:06:58

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: iclass cloning without masterkey!?

I have a few of these readers, so are there multiple keys? I tried it with an iClass Tag and it worked perfectly, going to buy a blank and dump the blocks back one by one.

Is the ROM on the same IC? I could prob use a logic analyser and pull the keys being requested from ROM/NV Data

Offline

#7 2016-10-12 07:02:27

wintersoldier
Contributor
Registered: 2016-04-17
Posts: 10

Re: iclass cloning without masterkey!?

Yeah the ROM is protected so you only get zeros back, and the one you sniff from the wires is usually the ones unique to that particular card (the diversified key)

Offline

#8 2016-10-21 06:25:56

kchung
Contributor
Registered: 2016-04-18
Posts: 25

Re: iclass cloning without masterkey!?

I wrote the blog post, hope you liked it.

A few things are that this definitely wasn't common knowledge when I was working on iClass and most people just buy the iClass Cloner from xfpga. The blog post illustrates how you can extract the master key from the xfpga software if you have the USB dongle it comes with or have a recording of it unpacking itself.

It's very difficult to get the vulnerable readers needed to do the Heart of Darkness method these days so the xfpga software is really the simplest choice for testers.

There are multiple keys as illustrated in the Omnikey documentation https://www.hidglobal.com/sites/default … ide_en.pdf

I'm not exactly sure what key 0x20 and 0x23 do specifically but 0x21 is apparently the HID master key stored on the reader.

The real trick is the second secure mode initialization, not simply using the key. For some reason, this causes the reader to glitch and perform authorized actions using the key.

Last edited by kchung (2016-10-21 06:27:05)

Offline

#9 2016-10-21 06:33:51

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: iclass cloning without masterkey!?

Yes! I saw your post, great, great stuff, I'm still kind of hazy on what the master key does? Like I was able to extract all data from an iClass card (Using iclassified & an Omnikey 5321), however apparently you need the HID Masterkey to decrypt block 6 or 7 that contains the site code and card number?

So if you wanted to say, increment your card number, you'd need the HID Master Key to decrypt block 6 or 7, increment, encrypt, then write back to the card?

Why do we need the Master Key when we can just flip the card into Secure Mode? What's the point of the Master Key being on there?

Another question is once you have the Master Key, how can you plug it into a Proxmark3? I'm thinking of obtaining the software from xpga and dumping it out like in your blog.

Brings me to yet another question, configuration cards, by the sounds of things these cards require you to switch off the reader, hold the card to the reader and power it on, is this the case? Or can I create a reset card and just walk up to any HID Reader?

Last edited by dylanger (2016-10-21 06:38:15)

Offline

#10 2016-10-22 04:41:54

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: iclass cloning without masterkey!?

Kchung

you working the old iclass or the elite iclass ?

I am very interested in your research.

Offline

#11 2016-10-23 00:01:38

kchung
Contributor
Registered: 2016-04-18
Posts: 25

Re: iclass cloning without masterkey!?

I did all of my research on the old iClass system as that is what I used in my day to day life as a college student. The iClass elite system is much different and you're not really going to be able to get away with using a hardcoded static key in an off the shelf reader but there's enough research out there to figure it out.

I personally have never encountered an iClass elite system so it's not particularly interesting for me but I have done some cursory googling on it.

dylanger:
The master key grants you read/write access to a standard iClass card. Basically, you need the master key in order to write data to blocks 6-9 on an iClass card. Block 7 is usually the only portion you need to write to clone a card though.

If you have the key it basically just becomes read and write operations on blocks on the card. The card system has encryption schemes are various levels (which others have discussed in far greater detail than I could).

You don't need the master key to go into secure mode. Secure mode simply encrypts the communications between the card and the reader. The xfpga software for example doesn't utilize secure mode what so ever, but still allows you to read and clone iClass cards.

Some of the hf iclass commands require you to pass the key in as a parameter which is how you load the key in:
https://github.com/Proxmark/proxmark3/wiki/commands#hf-iclass

Yup, I thought that was the case too but I asked some other members of this forum and apparently that can't be done. For a configuration card to work you must present it to the reader soon after it powers on.

Offline

#12 2016-10-23 21:16:35

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: iclass cloning without masterkey!?

kchung wrote:

I did all of my research on the old iClass system as that is what I used in my day to day life as a college student. The iClass elite system is much different and you're not really going to be able to get away with using a hardcoded static key in an off the shelf reader but there's enough research out there to figure it out.

I personally have never encountered an iClass elite system so it's not particularly interesting for me but I have done some cursory googling on it.

dylanger:
The master key grants you read/write access to a standard iClass card. Basically, you need the master key in order to write data to blocks 6-9 on an iClass card. Block 7 is usually the only portion you need to write to clone a card though.

If you have the key it basically just becomes read and write operations on blocks on the card. The card system has encryption schemes are various levels (which others have discussed in far greater detail than I could).

You don't need the master key to go into secure mode. Secure mode simply encrypts the communications between the card and the reader. The xfpga software for example doesn't utilize secure mode what so ever, but still allows you to read and clone iClass cards.

Some of the hf iclass commands require you to pass the key in as a parameter which is how you load the key in:
https://github.com/Proxmark/proxmark3/wiki/commands#hf-iclass

Yup, I thought that was the case too but I asked some other members of this forum and apparently that can't be done. For a configuration card to work you must present it to the reader soon after it powers on.


What do you mean by present it to the reader soon after it powers on ?

Well if you need some members to ask questions about, you probably have to talk to holiman about it.

Offline

#13 2016-10-24 01:45:31

kchung
Contributor
Registered: 2016-04-18
Posts: 25

Re: iclass cloning without masterkey!?

This is the fastest resource I found online about using a configuration card. The readers are not constantly watching for configuration cards.

https://www.honeywellintegrated.com/documents/Technical%20update%20-%20Smart%20Config%20Cards.pdf

Offline

#14 2016-10-26 04:03:46

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: iclass cloning without masterkey!?

Cheers @kchung your response is much appreciated!

Offline

Board footer

Powered by FluxBB