Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-04-13 17:49:01

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Iclass legacy

I have an Proxmark3 Easy (with iceman fork v3.1.0). I have an iclass cards (tags) (as I understand it legacy) and an iclass reader (V-Flex 4G).

Proxmark3 RFID instrument


 [ CLIENT ]
 client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-1077-g9fe651c9 2019-03-06 10:42:07
      os: iceman/master/ice_v3.1.0-1077-g9fe651c9 2019-03-06 10:42:11

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 237349 bytes (45%) Free
: 286939 bytes (55%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory


pm3 --> hf search
[!] timeout while waiting for reply.
   CSN: ** ** ** ** ** ** ** **
    CC: F0 FF FF FF FF FF FF FF
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Secured page, keys not locked
[!]     RA: Read access not enabled
 Mem: 16 KBits/2 App Areas (255 * 8 bytes) [9F]
        AA1: blocks 06-12
        AA2: blocks 13-FF
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)

[+] Valid iClass Tag (or PicoPass Tag) Found

I can write data to the cards using a legal reader through special legal software.
I try to read data from tags using pm3.
I can read Application1 on the tag with leaked masterkey.

pm3 --> hf iclass dump k ****************
.------+--+-------------------------+

CSN   |00| ** ** ** ** ** ** ** ** |

------+--+-------------------------+

      |01| 12 FF FF FF F9 9F FF 3C | .......<

      |02| F0 FF FF FF FF FF FF FF | ........

      |03| ** ** ** ** ** ** ** ** | .!......

      |04| FF FF FF FF FF FF FF FF | ........

      |05| FF FF FF FF FF FF FF FF | ........

      |06| 03 03 03 03 00 03 E0 17 | ........

      |07| 62 93 53 EF EA 7B 05 B8 | b.S..{..

      |08| 2A D4 C8 21 1F 99 68 71 | *..!..hq

      |09| 2A D4 C8 21 1F 99 68 71 | *..!..hq

      |0A| FF FF FF FF FF FF FF FF | ........

      |0B| FF FF FF FF FF FF FF FF | ........

      |0C| FF FF FF FF FF FF FF FF | ........

      |0D| FF FF FF FF FF FF FF FF | ........

      |0E| FF FF FF FF FF FF FF FF | ........

      |0F| FF FF FF FF FF FF FF FF | ........

      |10| FF FF FF FF FF FF FF FF | ........

      |11| FF FF FF FF FF FF FF FF | ........

      |12| FF FF FF FF FF FF FF FF | ........

------+--+-------------------------+

[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file iclass_tagdump.bin

But I cannot read data from Application2. Keys in default_iclass_keys.dic not working (pm3 returns FFh of any blocks below 13).
Command "hf iclass sim 2" fails (bad FF at ...).

pm3 --> hf iclass sim 2
[=] Starting iCLASS sim 2 attack (elite mode)
[=] press keyboard to cancel
#db# [+] going into attack mode, 9 CSNS sent
#db# [-] bad FF at 0:4
#db# [-] bad FF at 3:6

[!] timeout while waiting for reply.

#db# [+] button pressed
pm3 -->

Full trace: https://www.sendspace.com/file/bovi6b

At the moment, I am concerned about two questions:
1. Iclass legacy is "Elite" or not? If it is, why i can read Application1 of it on with leaked masterkey? And why command "hf iclass sim 2" fails (bad FF at ...)?
2. If Iclass legacy is NOT "Elite", why i can not read Application2 with Kc from default_iclass_keys.dic?

Thank you very much for any help.

Offline

#2 2019-04-13 17:54:24

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178
Website

Re: Iclass legacy

you need the Application2 key (AA2)


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2019-04-13 18:02:05

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Re: Iclass legacy

iceman wrote:

you need the Application2 key (AA2)

Thanks for helping iceman! I thought that AA2 is Kc. Isn't that right? The DS Picopass 2KS V1-0.pdf mentions only two keys (debit and credit). If AA2 is not a credit key, then could you show the resource about AA2 key please?

Offline

#4 2019-04-13 18:06:13

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178
Website

Re: Iclass legacy

sure is,  but that doesn't mean you have the right AA2 /kc/credit key.   In the dictionary is a default one,  which most likely changed when tag gets personalized.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2019-04-13 18:13:01

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Re: Iclass legacy

iceman wrote:

sure is,  but that doesn't mean you have the right AA2 /kc/credit key.   In the dictionary is a default one,  which most likely changed when tag gets personalized.

OK.  Then, do I understand correctly that the command "hf iclass sim 2" is intended only for obtaining key AA1 (which I already know). And in the current version of the pm3 there is no ready-made solution for obtaining key AA2?

Offline

#6 2019-04-13 18:25:57

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178
Website

Re: Iclass legacy

correct.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#7 2019-04-13 18:40:10

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Re: Iclass legacy

sad

Thank you very much, great iceman smile

Offline

#8 2019-04-24 01:26:13

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Re: Iclass legacy

I analyzed the trace and found out that "hf iclass sim 2" is interrupted when the reader sends "PAGESEL(0)". Although in theory it should not do this, since the tag I use is not multi-page.
I tried to change line 1308 in "iclass.c"
from "uint8_t conf_data[10] = {0x12,0xFF,0xFF,0xFF,0x7F,0x1F,0xFF,0x3C,0x00,0x00};"
to     "uint8_t conf_data[10] = {0x12,0xFF,0xFF,0xFF,0xF9,0x9F,0xFF,0x3C,0x00,0x00};"
(set the configuration block as in my tag).
After that, "hf iclass sim 2" worked successfully and the file iclass_mac_attack.bin was created.
I ran "hf iclass loclass f iclass_mac_attack.bin" . The calculation process took about 10 minutes and in the end I got two keys cleared out:

[+] - High security custom key (Kcus) -
[+] Standard format = da28787db0ff2150
[+] iClass format = 31ad7ebd2f282168
[!] Failed to verify calculated master key (k_cus)! Something is wrong.

However, I failed again - these keys do not fit.

I also tried to set up the pm3 to respond to "PAGESEL(0)".
I uncommented line 1536 in the "iclass.c" and added:

  } else if(receivedCmd[0] == ICLASS_CMD_PAGESEL)  {  // 0x84
      //Pagesel
      //Pagesel enables to select a page in the selected chip memory and return its configuration block
      //Chips with a single page will not answer to this command
      // It appears we're fine ignoring this.
      //Otherwise, we should answer 8bytes (block) + 2bytes CRC
      modulated_response = resp_conf; modulated_response_size = resp_conf_len;
      trace_data = conf_data;
      trace_data_s


However, after that the reader began to issue an unknown command 0x95:

   26259536 |   26293680 | Rdr |84  00  73  33                                                           |  ok | PAGESEL(0)
   27125328 |   27135008 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94  ed!                                  |  ok | 
   27128480 |   27152464 | Rdr |18  02                                                                   |     | READCHECK[Kc](2)
   27214656 |   27265584 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok | 
   27217312 |   27241728 | Rdr |95  a8  ff  ff  ff  6f  d6  eb  53                                       |     | ?
   27327344 |   27342752 | Rdr |84  00  73  33                                                           |  ok | PAGESEL(0)
   28193632 |   28249104 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94  ed!                                  |  ok | 
   28196768 |   28201040 | Rdr |18  02                                                                   |     | READCHECK[Kc](2)
   28282944 |   28314144 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok | 
   28285584 |   28290288 | Rdr |95  40  ff  ff  ff  94  1c  79  1a                                       |     | ?
   28395600 |   28455216 | Rdr |84  00  73  33                                                           |  ok | PAGESEL(0)
   29260240 |   29297616 | Tag |12! ff! ff! ff! f9! 9f! ff! 3c! 94  ed!                                  |  ok | 
   29263312 |   29315168 | Rdr |18  02                                                                   |     | READCHECK[Kc](2)
   29349504 |   29362720 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok | 
   29352144 |   29404400 | Rdr |95  1b  ff  ff  ff  86  5a  6d  ed                                       |     | ?

I get the impression that my reader is in standard mode (not elite). But I do not understand why, in this case, the default PicoPass credit key does not fit. I tried default Kc key with a blank tag (not personalized). The result is also unsuccessful.
Perhaps the frequently mentioned "iClass Serial Protocol Document" will help me somehow. As I did not try, I could not find it in open sources.

Last edited by sherhannn79 (2019-10-04 20:29:23)

Offline

#9 2019-04-24 08:35:15

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178
Website

Re: Iclass legacy

95,  bin 1001 0101 

9 =   1 = parity , 0 0 = mfu,  1  use Credit Key  ( if 0 use debit key )
5 =   CHECK

Your reader is trying to authenticate.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#10 2019-04-24 12:17:34

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Re: Iclass legacy

Strange but PicoPass datasheet does not mention such a command and Bit 4 is used only in READCHECK command:

4.2.4 Command set summary

READCHECK (1) 88 or 18;  88 or 18; 48 or D8; 88 or 18; 48 or D8

Read data at the sent address to be integrated in the authentication with the key selected :
88 or 28 or 48 : Kd (Debit Key)
and
18 or B8 or D8 : Kc.(Credit Key).

CHECK (1) 05; 05; C5; 05; C5
Authenticate using cryptographic algorithm.


Page 25

CHECK (Security command)
In the authentication procedure, the CHECK instruction response enables the reader to authenticate the
chip.
Challenge in the instruction format is computed by the core algorithm (the CHECK instruction code is not
included in the calculation)
Once the chip is authenticated with Kd, a Kd authentication failure does not reset the rights acquired.
Once the chip is authenticated with Kc or Kd, a Kc authentication failure reset the rights acquired.

P.S.
But i think that the main question is: why the picopass default Kc does not workin with blank (from factory, not personalized) tags?
Maybe the solution lies in the fact that "default picopass Kc" is not "default iclass AA2", since "default picopass Kd" is not "default iclass AA1". Neither "default picopass Kc" nor "default picopass Kd" works for me, but only "default iclass AA1" works. So how can I find the "default iclass AA2"?:)

Last edited by sherhannn79 (2019-04-24 16:08:48)

Offline

#11 2019-04-24 16:26:52

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 166

Re: Iclass legacy

@iceman is right. The undocumented "0x95" sequence is simply a Check command that is attempting to authenticate with AA2 using Kc.
The three authentication attempts that you captured show three nonces (0xa8ffffff, 0x40ffffff, 0xbfffffff) being sent with three MAC signatures (0x6fd6eb53, 0x941c791a, 0x865a6ded).
If you calculate the expected MAC using the known PicoPass default Kc and the known HID Kc you will find that they do not agree with the values obtained in your trace.

That tells me that your reader is NOT using either of those two Kc authentication keys.
That actually makes sense since I would not expect your Bioscript V-Flex reader to use the same HID AA2 key that all HID developers know. It would only make sense that they load a unique/custom Kc since Bioscript is trying to protect sensitive fingerprint data that is being stored in AA2.

Your question about why the picopass default Kc does not work with blank (from factory, not personalized) tags can also be explained.
There are three types of tags:
1) Uninitialized (Not personalized or programmed). These use the Picopass default keys.
2) Initialized (personalized but NOT programmed). These use the HID default keys.
3) Programmed (personalized and programmed). These use the HID default keys.

HID no longer sells the uninitialized tags. The "blank" tags that they currently sell are actually Initialized but not programmed. I suspect that these are what you tried which is why they would not authenticate using the default PicoPass keys. You can easily tell by looking at the value of the leftmost byte of Block 1 (Application Limit). If it is 0x12 then the credential has already been initialized by HID and no longer uses the PicoPass default Kd or Kc.

Last edited by carl55 (2019-04-24 16:29:54)

Offline

#12 2019-04-24 17:38:32

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 50

Re: Iclass legacy

Dear Karl55, very big thanks for the help! But after your answer, I had even more questions smile. In the application for my reader there is a function of "replacing the key of the organization". I think that the reader still knows the default HID Kc. But I still want to be determined in one thing. You mentioned that there is a "known HID Kc". However, not everyone knows it. Can I also join everyone who knows it? smile

Last edited by sherhannn79 (2019-04-24 18:05:10)

Offline

Board footer

Powered by FluxBB