Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-02-20 15:35:35

WorcsTech
Contributor
Registered: 2018-11-21
Posts: 4

iClass Legacy Credenitials

I have been trying to write some iClass cards, I have iClassified up an running and can write the correct information to Block 7 for the Facility Code and Card Number.

I have 4 cards that I just enter the read Hex value
Example
44bit Hex 20059809e8
Facility 204
Card Number 1268

iClassified will happily write 0x059809e8 as the last 8 digits of Block 7 to 4 of the Picopass 2K cards that I already have and the reader will read the information back correctly, great I thought.

So I purchased some more cards as i thought I had iClass card writing sorted. When I write the same info to the new Picopass 2K cards they cannot be read so I am totally confused.

Both types of cards a Picopass cards and H10301 format cards. The new cards that I purchased came programmed with some credentials from the supplier, these can be read fine by an iClass reader.

I am thinking that the 4 cards that I have and can write directly to Block 7 and work may have not be initialized at HID so I can write these values directly and they work fine. Maybe the new cards, have been initialized and I cannot just write the 44bit Hex value to Block 7 of the card.

I wanted to try using the encrypt function on Proxmark to prove this theory. I thought if I enter the 44bit Hex value and encrypt it and then try writing this value to block 7 via iClassified it might work.

I have come across a small problem though, when I run the iClass encrypt or decrypt the values, it asks for the "iclass_decryptionkey.bin" to be in the working directory. Where do i find this file, its not on my machine and a Google search didn't turn anything up. I understand it contains the MasterKey, which I already have and the Diversification key which I already have.

Any guidance would be much appreciated....

Offline

#2 2019-02-20 18:24:03

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: iClass Legacy Credenitials

I see several potential issues with the information you posted above.

1. The 44-bit hex value that you provided is only applicable for a HID Prox card and not an iClass card.
The start sentinel arrangement for an iclass card is different than what is used in a HID Prox card.

2. The parity information in your hex code appears to be wrong for an H10301 format. The reader doesn't care if it is wrong but the backend controller usually does.

3. You are writing an unencrypted value into Block 7 without verifying whether encryption is enabled or not. The value in block 6 will determine if the data payload should be encrypted or not.
If you are not sure, you should always duplicate blocks 6,7,8,and 9 when cloning a card. That way all of the card formatting and encryption information is carried along to the new card. If you only write block 7 then you risk having the reader mis-interpret the data.

Your iclass credential should be as follows:

Format: 26-bit (H10301)
Fac Code = 204
Card No. = 1268
Block 7 Value = 00000000059809E9 (unencrypted)
Block 7 Value = 199A445896227307 (encrypted)

As far as I know, all pre-programmed iclass credentials supplied by HID have encryption enabled.
All credentials sold as initialized/unprogrammed have encryption disabled by default. However, I am not sure whether the HID iClass programmer provides the ability to re-enable encryption when these cards are finally programmed in the field.

FYI:  The HID master DES/TDES encryption keys have not been publically released as far as I know. They were originally recovered several years ago using the hacking technique outlined in the "Heart of Darkness" paper.

Offline

#3 2019-02-20 19:07:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: iClass Legacy Credenitials

... the legacy standard key is all over internet,   the hid transport key is also there if you know where to look.

Offline

#4 2019-02-21 14:02:45

WorcsTech
Contributor
Registered: 2018-11-21
Posts: 4

Re: iClass Legacy Credenitials

carl55 Many thanks for your response, I may have missed some of the lead zero's out..

I tried copying Block 6 thru 9 from the card that I had working to the cards that were not working.

Block 6 had a pretty similar value but was not identical, also blocks 8 & 9 were set with FFFFFFFFFFFFFFFF whereas the working card had 0000000000000000. I change Blocks 6 thru 9 to replicate the working card and it all works fine now.

Block 1 and 2 were slightly different but that does not seem to affect anything.

I am able to write Block 7 unencrypted after making the changes to Block 6. You truly are a genius, I had not thought about changing the other blocks...

The Master KeyDES/TDES is available from Ammora/T0py (on Twitter), I think the guy who published is called and like iceman said the HID transport keys are on the net too, they were a bit trickier to find though...

Thanks for your help once again....

Offline

#5 2019-06-20 02:04:18

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: iClass Legacy Credenitials

iceman wrote:

... the legacy standard key is all over internet,   the hid transport key is also there if you know where to look.


Any advice/hints on where to look? smile

Feel free to email me privately as well

Offline

Board footer

Powered by FluxBB