Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi all.
I have an RP10 reader (not R10) and a PM3 (official version, Elechouse and Easy), but could not run sim 2. I checked the forum; iceman said it is only possible with the iceman version. Correct? Not with official?
From reading this forum, the purpose of the sim 2 command is to get the key from a configured reader.
The leaked master key is working well with a blank iClass fob (legacy), but with a programmed fob (probably high security? not sure, in Australia), the PM3 could not dump data with the leaked master key because I do not know the custom key. So I wanted to get the custom key from the reader with the PM3, but failed.
Or should I visit that site and get the custom key from that reader only? (bring PM3 and laptop?)
Any help or advice appreciated.
Offline
The 'hf iclass sim 2' attack is a reader attack, meaning you use the PM3 to simulate a tag in front of a valid reader, i.e. you must be near the reader.
If successful, sim 2 generates a binfile which is used for the "hf iclass loclass" offline attack. If that succeeds, you now have a custom key.
There are however a lot of countermeasures built into the readers; if sim 2 fails on official, try the iceman sim 2, ...
I did a video about it a long time ago.
https://youtu.be/m8r5M7KWQpE
It should make things a bit clearer.
Offline
Thanks iceman, you mean with that reader only. I thought all readers have the same key values, and that with configuration, each reader and iClass fob chooses its own custom key.
I tried official sim 2 with my test reader; nothing happened, only errors:
unknown command received from reader len=4 : c 5 de 64 ff fe 5f 2 1c
unknown command received from reader len=4 : c 0 73 33 ff fe 5f 2 1c
continued... until ctrl-c
I never tried the reader with a config fob or touched anything else. Even with the programmed fob, I could not get any result with hf search...
Offline
That looks like the output from the official repo; now try flashing / running the client from the iceman fork...
Offline
Failed to update to the iceman fork (20181027)... flash bootrom, ok. Flash fullimage, com found, then... down, reconnect, same.
With this condition, same result as before. How can I succeed with fullimage?
Or should I send you my PM3, if you do not mind?
Thanks
Offline
The com port changes when you swap between the iceman fork & official.
The normal process is to do it in one go:
flasher com3 -b bootrom.elf fullimage.elf
That will solve your flashing; afterwards the device will most likely show up on a different com port...
Offline
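The one-go flash above, wrapped in a small POSIX shell script. This is an added example, not code from the thread or from the Proxmark3 project: it assumes a Linux host where the PM3 enumerates as /dev/ttyACM*, that FLASHER points at the flasher binary from the client build (the path is an assumption), and that the flasher accepts the same arguments as the command in the post (port, -b bootrom.elf, fullimage.elf). The port-diff helpers exist because, as iceman says, the device usually comes back on a different port after flashing, so the script watches for the port that appears rather than assuming the old one.

```shell
#!/bin/sh
# Added example (not the project's code): flash bootrom + fullimage in one
# invocation and then find the serial port the PM3 comes back on.
# Assumptions: Linux host, device shows up as /dev/ttyACM*, and FLASHER is
# the flasher binary from the client build (path assumed, override via env).
# On Windows the port is COMx instead of /dev/ttyACMx.

FLASHER="${FLASHER:-./flasher}"

# Print the serial ports currently present, one per line (nothing if none).
list_ports() {
    ls /dev/ttyACM* 2>/dev/null || true
}

# new_ports BEFORE AFTER: print the ports that are in AFTER but not in
# BEFORE (both newline-separated lists). Ports never contain spaces, so
# plain word splitting is safe here.
new_ports() {
    for p in $2; do
        printf '%s\n' $1 | grep -qx -- "$p" || printf '%s\n' "$p"
    done
}

# wait_for_new_port BEFORE [TIMEOUT]: poll once a second until a port not
# listed in BEFORE appears; print it, or fail after TIMEOUT seconds.
wait_for_new_port() {
    before="$1"
    timeout="${2:-30}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        found=$(new_ports "$before" "$(list_ports)" | head -n 1)
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# flash_pm3 PORT BOOTROM FULLIMAGE: the "flasher com3 -b bootrom.elf
# fullimage.elf" step from the thread, followed by re-discovery of the port.
# The current port is excluded from the baseline so the device is found
# whether it returns on the same port or a new one.
flash_pm3() {
    port="$1"
    bootrom="$2"
    fullimage="$3"
    before=$(list_ports | grep -vx -- "$port" || true)
    "$FLASHER" "$port" -b "$bootrom" "$fullimage" || return 1
    # The device re-enumerates after flashing; wait for it to reappear.
    newport=$(wait_for_new_port "$before" 30) || {
        echo "device did not reappear within 30s; replug it and run hw tune" >&2
        return 1
    }
    echo "pm3 is now on $newport (point the client at this port)"
}

# Usage: sh flash_pm3.sh /dev/ttyACM0 bootrom.elf fullimage.elf
if [ "$#" -eq 3 ]; then
    flash_pm3 "$@"
fi
```

Run it with the port the device is on right now plus the two images; the script prints the port to use afterwards, which is the one to give the client instead of the old com port.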
Thanks iceman, great! Your hints worked, not exactly, but anyway done it (changed com port).
Then tried with the test reader, and found it.
Dump for fob: [-] no tag found, even with all positions changed (up-down, left-right).
hw tune result is ok, hf 26.29v with the newest iceman. Some legacy worked, some HS too, but this HS fob not. Is this special, do you think?
Or is the RDV4 better?
Thanks again.
Last edited by onebyte (2018-11-14 03:39:01)
Offline
Is it a PM3 Easy you have? They have been known to be bad at iClass simulation.
The question is if sim 2 works against the readers. Hopefully you don't need to buy another PM3 because of that.
Offline
I have the Easy and the Elechouse RDV together; the HS programmed one is not recognized by both (with the reader, good fob), legacy ones well. I wondered whether this HS fob has special protection against the PM3.
Thanks, sim 2 solved.
Last edited by onebyte (2018-11-15 00:12:05)
Offline
Last edited by NYCity25 (2019-10-26 14:59:58)
Offline