Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-03-30 12:57:50

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Pen Tester - iClass - Newbie - Headache....

Hi all,

I've had my eye on the Proxmark for a while now, and I've just decided to finally take the plunge. My inital focus is on HID iClass cards as they're most prevalent around enterprises here, and no doubt where I'll be spending most of my time when I start doing engagements. I've spent a few weeks reading all of the usual recommended papers and I've been through the forums..

I think I've got a reasonable understanding of the technology now, but when attempting to 'dive in' I've hit an immediate blocker, and could do with a little help.

Background - I do not know the security model around my own iClass card. I suspect its either 'legacy' or 'SE'. Information from my Proxmark is below.

CSN: XX XX XX XX XX XX XX
CC: XX XX XX XX XX XX XX XX          
	Mode: Application [Locked]          
	Coding: ISO 14443-2 B/ISO 15693          
	Crypt: Secured page, keys not locked          
	RA: Read access not enabled          
  Mem: 16 KBits/16 App Areas (255 * 8 bytes) [1F]          
	AA1: blocks 06-12          
	AA2: blocks 13-FF          

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search

I've loaded in the key published by Amm0nRa but with this I get authentication errors:

proxmark3> hf iclass dump f badgedump k 0
Authing with diversified key: xxxxxxxxxxxxxxxxxxx          
Authentication error          
Authing with diversified key: xxxxxxxxxxxxxxxxxxxxx         
Authentication error

This leads me to suspect that either my key is incorrect, or the card uses it's own authentication key, which would suggest it's not a legacy card but instead a SE card.

This is backed up by the proxclone paper I found which shows the iClass SE card as having Application 1 data at blocks 6-12, which aligns with the info I pulled out of my card.

Proxclone

To test this, I attempted to run the simulation attack against a reader.

hf iclass sim 2

However I get no response out of the reader whatsoever, no beeps or anything.

Could someone suggest what I'm doing wrong here? I suspect the issue is now actually my 'master' key is incorrect but google is being extremely unhelpful in finding it, and I'd rather not have to buy hardware specifically just to get the key.

Thanks!

Offline

#2 2017-03-30 14:30:56

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Pen Tester - iClass - Newbie - Headache....

Which country are you talking about ? I have some keys in my former country that i have obtained. Most of them are elite keys.

Every SE reader has its own key. Even with the key, you probably still need to calculate the block 3 based on the CSN of the card.

This is the part where no one have solved it.

Basically, no one has cracked the SE system till date. Carl's document was mostly cloning the legacy/elite card.

No point trying until some kind souls come into pm3 forum and post some papers about it.

Offline

#3 2017-03-30 15:07:51

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

Thanks for the quick reply.

The country is the UK - but to start with I think I need to find out if my assumptions around the card security is correct or not.

Am I right in thinking that I need to determine the contents of Block5 to work out the card security? Assuming I can do that, I haven't found a list of Block5 to card type anywhere, does one exist?

Offline

#4 2017-03-30 23:09:14

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Pen Tester - iClass - Newbie - Headache....

You're close IlikeToPlayWithNewToys.
Looks like you're using a permuted key instead of unpermuted.

Offline

#5 2017-03-31 01:56:27

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Pen Tester - iClass - Newbie - Headache....

Block 0: CSN / UID
Block 1: Configuration

Byte  Name                     Description
7     App Limit                Defines the last block of Application Area 1 (Typically 0x12)
6     OTP                      One Time Programmable (Not used, 0xFF)
5     OTP                      One Time Programmable (Not used, 0xFF)
4     Block Write Lock         Can write protect blocks 6 through 12 (Not used, 0xFF)
3     Chip Configuration       Secure or Non-secure (HID uses Secure only, set to 0xF9)
2     Memory Configuration     2 or 16 Application Areas
                               2K/2 0x1F
                               16K/2 0x9F
                               16K/16 0x1F
1     EAS                      Electronic Article Surveillance (Not used by HID)
0     FUSE                     2K Good 0xB4
                               2K Blown 0x34
                               16K Good 0xBC
                               16K Blown 0x3C

Block 2: Stored Value Area (Purse).
Block 3: Key 1 (write only)
Block 4: Key 2 (write only)
Block 5: Application Issuer

Byte	Name
7	App 1
6	Type
5	App 1
4	Identifier
3	App 2
2	Type
1	App 2
0	Identifier

Block 6: Application directory
Block 7-9: PACS data and PIN
Block 10: Password

Offline

#6 2017-03-31 05:22:22

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Pen Tester - iClass - Newbie - Headache....

We have tried to write 6-12. All ok.

Key 3 & 4 needs Xor key from the previous card. (Very tricky on this) You could brick your card like how I did mine. Wasted like 100 usd on these.

Keep trying. Make sure when you snoop the reader, do check your voltage on HF. You need some good antennas. Done this a few times using a pm3 easy. Bad bad experience.

Offline

#7 2017-03-31 09:06:18

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

Are you implying that the published master key is actually a permuted version of the key 0xFFFF ?

If so, that would make sense as to why I see people struggling to use it directly, and aligns with some tweets I see floating around.

If that's the case, while I'm googling around, would you be able to hint/tell me where the cipher key is to reverse the permutation, or point me at some code which does it?

Offline

#8 2017-03-31 11:37:09

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Pen Tester - iClass - Newbie - Headache....

I think this is enough leak for you. The rest is up to you to find out. smile

Everything you need is in the forum. Find them slowly.

Offline

#9 2017-03-31 11:52:56

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

With the greatest respect - I've been through the forum several times and spent many weeks investigating this, I'm looking for some help in assisting me with my knowledge, 'try harder' isn't very helpful.

Offline

#10 2017-03-31 12:53:21

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Pen Tester - iClass - Newbie - Headache....

Unfortunately it is difficult to believe that you've spent that much time and didn't find the answer about your hid key when it is within the last 20 topics in this section of the forum, and is easily found with the search.

Offline

#11 2017-03-31 12:58:30

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

Thank you for the pointer, I've clearly missed something obvious then - I'll revisit the posts and take another look.

Offline

#12 2017-03-31 13:52:33

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

I've been through the posts suggested again - and I'm still coming up short. I see a lot of posts around the algorithms used for calculating the diversified keys stored on the cards, but unless you seem to know 'what' you're looking for, it's like stumbling through a minefield.

Assuming I was correct around the key posted at KiwiCon being diversified already, and assuming that the same KIWIKEY=DES(PLAINTEXT KEY, CIPHERKEY) I started running through the posted DES keys here to obtain the Plaintext key I assume I need, but none of them turned anything up, which is compounded by the fact that I still don't know how to work out if the card is Legacy/Elite/Other.

However I'm still getting no-where, and I have no idea if I'm even on the right path.

Offline

#13 2017-03-31 15:10:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Pen Tester - iClass - Newbie - Headache....

Temper temper,  frustration is the norm when dealing with the proxmark3.   And no,  the standard on the forum to learn it on your own with lots of trail and error.  The PM3 community does not take easy on spoonfeeding.   Its painfully obvious that you have not done your research properly. Read Carl55's iclass pdfs.  Read the boring threads one more time, slowly,  and the next post you will post going to be filled with excitement. 

btw, you have misstaken diversified vs permuted

Offline

#14 2017-03-31 17:06:05

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

Perhaps I've misrepresented what I'm looking for  - spoon feeding definitely isn't it, but a trail of breadcrumbs would be useful.

I'd argue that I've done the research, what I haven't done is fully understood everything so even when the answer is staring me in the face I don't realize it, thus the request for a little nudge in the right direction.

Appreciate the nod towards diversified vs permuted keys, this is a new area for me so I'll hunt for a bit more detail.

Offline

#15 2017-03-31 17:29:04

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

Right a bit more research shows that I had misunderstood Permutation vs Diversification.

What I'm still unsure of however is the type of cards I'm playing with - so even if I did manage to get the correct permutation, if I'm playing around with non-legacy cards the authentication is going to fail.

Can someone mark my understanding of the following then please:

* The AmmonRa posted information requires permutation to be usable in the Proxmark3, but apart from that can be used for authentication against legacy cards
* Is there post/paper out there which lists the permutation required, or do I need to brute for it?
* Is there a way of me viewing the Block5 information from an iClass card using the Proxmark3 to determine the cards I'm playing with? The following except from a proxclone paper suggests I can, but I can't see a way to view this in the proxmark3?

The iclass reader is able to identify the type of card that it is interacting with by first reading the Application Issuer Data value stored in Block5. The information contained in this data block indicates whether the reader should interpret the data payload as legacy or SIO. It also tells the reader whether Spoofing iClass and iClass SE authentication should be performed using the legacy Master Authentication key or the newer SE authentication key.

Thanks

Offline

#16 2017-03-31 17:46:32

IlikeToPlayWithNewToys
Contributor
Registered: 2017-03-20
Posts: 15

Re: Pen Tester - iClass - Newbie - Headache....

Replying to myself again to answer my own questions as I've now gathered the information needed.

* The AmmonRa posted information requires permutation to be usable in the Proxmark3, but apart from that can be used for authentication against legacy cards
** Yes, that's correct

* Is there post/paper out there which lists the permutation required, or do I need to brute for it?
** There is code out there to do this Here

* Is there a way of me viewing the Block5 information from an iClass card using the Proxmark3 to determine the cards I'm playing with?
** Not yet determined this - but the dump from a 'legacy' card shows FF FF FF FF FF FF FF FF as Block 5 which the proxmark will show you once authenticated.

Offline

#17 2017-03-31 18:26:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Pen Tester - iClass - Newbie - Headache....

...if you use iceman fork, the hid permutation need is accessable via the analyse hid ...
otherwise you will need that extra software.

and see, your latest post is full with success!  Keep the spirit up!

Offline

#18 2017-04-01 04:52:20

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Pen Tester - iClass - Newbie - Headache....

There's lots of leaks/breadcrumbs in one day.

You will get there I believe. You took weeks.

I took a 1year to solve this and still trying to solve it.

Good luck. smile

Tip: Almost all the thick cards indicated with alphabet before their coding are SE systems. They are indicated by ER, SE, SR or some sort. We never really identify them based on the reader/card except by the part numbers. You can take a screenshot of the reader and card and email me. I could try to help to identify whether it is SE or Legacy. Mostly based on assumption and testing.

Offline

#19 2017-11-07 14:08:45

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Pen Tester - iClass - Newbie - Headache....

the OP is not coming back , Isnt he? lol

Iceman, I have a question for you heheh,

Why did you have to bury this un-perm... command under analyse? Isnt it better to be under the iclass area no?

Now the real question. What is the difference between the key&holiman key? They dont look identical? Can you give me a hint.

Well, I used the both keys on my work badge but unsuccessful, I assume its an Elite or SE, since its one of the top 4.

Offline

#20 2017-11-07 14:40:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Pen Tester - iClass - Newbie - Headache....

if you read up on des keys, how they look like and how iclass uses des keys,  you will find your answer. 
Carl wrote about the iclass way very nice in somewhere of all his great documents.  The hint is: parity.

...and sure, it might be better under iclass,  and making it way to easy for ppl.  As it is now, you will only find it if you are curious enough.
smile

Offline

#21 2017-11-08 04:09:29

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Pen Tester - iClass - Newbie - Headache....

ah ,that is exactly what I thought. thanks chief

Offline

#22 2017-11-15 11:22:43

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Pen Tester - iClass - Newbie - Headache....

today was a very exciting day and a blank iclass card I ordered came.

The funny thing is though, I'm not able to read its blocks with the leaked key.


First I used icemans "analyse hid" command to reverse the key, Then I did following,

hf iclass readblk b 05 k xxxxxxxxxxxxx , still gives me an error. ( authentication error) ,

Also, I read here that the block 0-1 is always readable even without authentication, but in my case

hf iclass readblk b 00 or 01 command does not work.


The particular test card is iclass 2020 ( dual chip ) card, supposedly blank one.


Can someone please give me a hint what Im doing incorrectly?

Thanks for your help

Offline

#23 2017-11-18 05:12:03

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180
Website

Re: Pen Tester - iClass - Newbie - Headache....

Maybe your blank iclass card is not blank ? Maybe it is a elite not a legacy. Many possibilities.

Read the forum, there are many keys to make an iclass clone work.

You probably have the legacy key leaked in kiwi con. It is not possible with this.

No hint, just keep reading and searching smile

Offline

#24 2017-12-20 04:23:40

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Pen Tester - iClass - Newbie - Headache....

Dot.Com wrote:

Maybe your blank iclass card is not blank ? Maybe it is a elite not a legacy. Many possibilities.

Read the forum, there are many keys to make an iclass clone work.

You probably have the legacy key leaked in kiwi con. It is not possible with this.

No hint, just keep reading and searching smile

Got it working, no worries dude

Offline

Board footer

Powered by FluxBB