Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2018-06-26 13:34:19

yukihama
Contributor
Registered: 2018-05-13
Posts: 37

Any progress on Iclass SE?

Hi dear friends, is there any progress on iClass SE cloning?
My building is relatively new and uses an iClass SE system. I read my iClass keyfob and it shows "NOT Legacy Card". I can get the format key by "sim", but the dump is not successful with the format key I got, which surely means the system is not HS. I am sure you know what I am talking about, LOL


Is there anything I can contribute to cracking the iClass SE system, financially or technically? LOL

BR

Last edited by yukihama (2018-06-26 13:39:30)


#2 2018-06-27 15:30:03

gmsuz
Contributor
Registered: 2017-10-24
Posts: 6

Re: Any progress on Iclass SE?

I happened to come across my friend's residence, which is using iClass SE cards.

CSN: 51 A2 7F 02 F9 FF 12 E0
    CC: FF FF FF FF 71 FA FF FF
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
        Crypt: Secured page, keys not locked
        RA: Read access not enabled
  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-12
        AA2: blocks 13-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
App IA: FF FF FF 00 06 FF FF FF
      : Possible iClass (NOT legacy tag)

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search


The reader is an iClass SE.
hf iclass sim 2 was completed and loclass was able to extract a key, verified OK!

However, the key was not able to dump the iClass SE card.

I did my reading and understood that the difference between legacy and SE is that blocks 6 to 12 are protected by SIO and the data is unique to the card CSN. There is no point copying it to another card.

I am just wondering why the verified key is unable to dump the iClass SE card.

Can someone enlighten me?

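The reader output quoted in the post above, as an added worked example (this is not code from the post or from the Proxmark3 project): a small Python decoder for the PicoPass header blocks that "hf iclass reader" prints, namely block 0 (CSN), block 1 (configuration), block 2 (the e-purse, shown as "CC") and block 5 (application issuer area, "App IA"). The CSN, e-purse and App IA bytes are the ones in the post. The configuration block itself is not shown there, so the standard iClass 2K value 12 FF FF FF 7F 1F FF 3C is assumed; it was chosen because it decodes to exactly the Mode/Coding/Crypt/RA/Mem/AA/OTP/KeyAccess lines the post shows. The fuse bits and the chip-size table follow the PicoPass block 1 layout as the Proxmark3 client interprets it, and only the 2K row of that table is confirmed by this page.

```python
# Added example for this thread, not Proxmark3 code: decode the PicoPass/iClass header
# blocks that "hf iclass reader" prints, the way the Proxmark3 client does.
# Block 1 (configuration): app_limit, OTP[2], block write lock, chip_config, mem_config, EAS, fuses.
FUSE_FPERS, FUSE_CODING1, FUSE_CODING0 = 0x80, 0x40, 0x20
FUSE_CRYPT1, FUSE_CRYPT0, FUSE_RA = 0x10, 0x08, 0x01
MEM_BOOK = 0x20  # mem_config bit 5 selects "book" key-access mode
CRYPT_TEXT = {(True, True): "Secured page, keys not locked",
              (True, False): "Secured page, keys locked",
              (False, True): "Non secured page",
              (False, False): "No auth possible. Read only if RA is enabled"}
# (chip_config bit 4, mem_config bit 7, mem_config bit 5) -> (kbits, app areas, highest block),
# as in the Proxmark3 client; only the 2K row is confirmed by the output in this thread.
MEM_TABLE = {(True, False, False): (2, 2, 31), (True, True, False): (16, 2, 255),
             (False, False, False): (16, 16, 255), (True, True, True): (32, 3, 255),
             (False, False, True): (32, 17, 255)}


def _isset(value, mask):
    return value & mask == mask


def decode_fuses(fuses):
    """Fuse byte -> the Mode/Coding/Crypt/RA lines of the reader output."""
    if _isset(fuses, FUSE_CODING1):
        coding = "RFU"
    elif _isset(fuses, FUSE_CODING0):
        coding = "ISO 14443-2 B/ISO 15693"
    else:
        coding = "ISO 14443B only"
    return {
        "mode": "Personalization [Programmable]" if _isset(fuses, FUSE_FPERS) else "Application [Locked]",
        "coding": coding,
        "crypt": CRYPT_TEXT[(_isset(fuses, FUSE_CRYPT1), _isset(fuses, FUSE_CRYPT0))],
        "ra": "Read access enabled" if _isset(fuses, FUSE_RA) else "Read access not enabled",
    }


def key_access(mem_cfg):
    """Which key (Kd = debit, Kc = credit) each operation needs, per application area."""
    if _isset(mem_cfg, MEM_BOOK):
        return {"Read A": "Kd", "Read B": "Kc", "Write A": "Kd", "Write B": "Kc",
                "Debit": "Kd or Kc", "Credit": "Kc"}
    return {"Read A": "Kd or Kc", "Read B": "Kd or Kc", "Write A": "Kc", "Write B": "Kc",
            "Debit": "Kd or Kc", "Credit": "Kc"}


def decode_header(blocks):
    """blocks: {block number: 8 bytes} for blocks 0 (CSN), 1 (config), 2 (e-purse), 5 (app issuer)."""
    csn, conf, epurse, app_issuer = blocks[0], blocks[1], blocks[2], blocks[5]
    app_limit, otp_lo, otp_hi, _wlock, chip, mem, _eas, fuses = conf
    if app_limit < 6:  # Proxmark3 falls back to 26 for an out-of-range limit
        app_limit = 26
    kbits, areas, max_blk = MEM_TABLE.get(
        (_isset(chip, 0x10), _isset(mem, 0x80), _isset(mem, 0x20)), (32, 2, 255))
    info = decode_fuses(fuses)
    info.update({
        "csn": csn.hex(" ").upper(), "epurse": epurse.hex(" ").upper(),
        "app_issuer": app_issuer.hex(" ").upper(), "mem_config": mem,
        "kbits": kbits, "app_areas": areas, "max_block": max_blk,
        "aa1": (6, app_limit), "aa2": (app_limit + 1, max_blk),
        "otp": (otp_hi << 8) | otp_lo,
        "key_access": key_access(mem),
        # The "(legacy tag)" verdict is only this test: application issuer area still all 0xFF.
        "legacy": all(b == 0xFF for b in app_issuer),
    })
    return info


def format_report(info):
    """Render in the same shape as the Proxmark3 'hf iclass reader' output."""
    lines = [
        f"CSN: {info['csn']}",
        f"    CC: {info['epurse']}",
        f"        Mode: {info['mode']}",
        f"        Coding: {info['coding']}",
        f"        Crypt: {info['crypt']}",
        f"        RA: {info['ra']}",
        f"  Mem: {info['kbits']} KBits/{info['app_areas']} App Areas "
        f"({info['max_block']} * 8 bytes) [{info['mem_config']:02X}]",
        f"        AA1: blocks 06-{info['aa1'][1]:02X}",
        f"        AA2: blocks {info['aa2'][0]:02X}-{info['aa2'][1]:02X}",
        f"        OTP: 0x{info['otp']:04X}",
        "KeyAccess:",
    ]
    lines += [f"        {op} - {key}" for op, key in info["key_access"].items()]
    lines += [f"App IA: {info['app_issuer']}",
              f"      : Possible iClass ({'legacy tag' if info['legacy'] else 'NOT legacy tag'})"]
    return "\n".join(lines)


# Constructed sample: CSN, e-purse and App IA are the bytes from the post above. The
# configuration block is not in the post; the standard iClass 2K value is assumed.
SAMPLE_BLOCKS = {
    0: bytes.fromhex("51A27F02F9FF12E0"),  # CSN
    1: bytes.fromhex("12FFFFFF7F1FFF3C"),  # configuration (assumed)
    2: bytes.fromhex("FFFFFFFF71FAFFFF"),  # e-purse, printed as "CC"
    5: bytes.fromhex("FFFFFF0006FFFFFF"),  # application issuer area
}

if __name__ == "__main__":
    print(format_report(decode_header(SAMPLE_BLOCKS)))
```

Two things worth noticing when you compare the rendered report with the post: the "(NOT legacy tag)" verdict is nothing more than "block 5 is not all FF", so it says nothing by itself about whether the credential is standard security or high security/Elite; and the 71 FA in the e-purse is just the debit counter, not key material.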

#3 2018-06-28 05:33:14

yukihama
Contributor
Registered: 2018-05-13
Posts: 37

Re: Any progress on Iclass SE?

gmsuz wrote:

hf iclass sim 2 was completed and loclass was able to extract a key, verified OK!
However, the key was not able to dump the iClass SE card.
I am just wondering why the verified key is unable to dump the iClass SE card.


You are in the same boat as me now, LOL
How can we get this done? No news yet from the gurus ^_^


#4 2018-06-30 15:26:19

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 139

Re: Any progress on Iclass SE?

If you are unable to dump the contents of the high security/Elite SE credential then it is probably due to one of the following problems:
1. The extracted Kcus key is wrong or it is NOT a high security/Elite credential.
2. The calculated diversified key (Kdiv) is wrong.

Assuming that your SE system actually is a high security/Elite system, the diversified key that was calculated probably is wrong.
The calculation of Kdiv is straightforward for 99% of the various CSN values. However, there are "special case" CSN values that involve a slight change to the Kdiv algorithm. I myself have experienced a few CSN values in the past that appeared to yield an incorrect Kdiv when calculated.
I don't have any hard data at this point but I do plan on doing some more extensive testing in the near future.
If possible, you could try a different credential with a different CSN and see if it experiences the same problem.

A high security/Elite iClass SE system is actually less secure than the standard security SE, which uses the new "SE" master authentication key.
If you have recovered Kcus you should be able to read the contents of the SE credential. However, if it were a standard security system then you could only read the contents of the credential by capturing the MAC and nonce from a legitimate authentication sequence and then using that information to replay the authentication sequence. I have done this many times and it seems to work fine. Unfortunately, until someone is able to uncover HID's new Master SE authentication key we are not able to directly read the contents of a standard security SE credential.


#5 2018-07-03 07:42:00

yukihama
Contributor
Registered: 2018-05-13
Posts: 37

Re: Any progress on Iclass SE?

Hi Carl,
Awesome, you are a genius... I just finished my final exam and have heaps of time and spare energy to focus on SE for the following 2 months... Is there anything I can contribute to your work on SE? Can I contact you by email? I am sure this forum has iClass staff watching us, LOL


#6 2018-07-24 12:27:25

brantz
Contributor
Registered: 2014-03-19
Posts: 36

Re: Any progress on Iclass SE?

carl55 wrote:

If you are unable to dump the contents of the high security/Elite SE credential then it is probably due to one of the following problems:
1. The extracted Kcus key is wrong or it is NOT a high security/Elite credential.
2. The calculated diversified key (Kdiv) is wrong.

Hi Carl,
I have mentioned this to you before: with the exact correct HS key, PM3 is still not able to read the SE credential.
I reckon SE credential decoding on an HID reader is a bit different from what PM3 does.
