Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

#1 2010-03-07 00:13:46

wrc
Member
Registered: 2009-02-08
Posts: 4

HID iClass. Anyone have experience?

I'm fascinated by the HID iClass cards.  The technology seems very MIFARE-like.  The only way to deal with them that I've found is with Omnikey readers (now HID) and their SyncAPI (Windows/Linux).  It's not very open.

Has anyone done anything with these cards?  I've seen a couple dead-end threads regarding iClass on here before, but I'm hoping maybe a few new people might have something to add or a latent interest.

I have a stack of iClass P16K cards with the additional 125kHz Prox chips, so if you're in the US and want one or two through first-class mail, let me know.  If you're not in the US, maybe we can trade cards.

Here's a good overview, "Contactless Developer Guide - 5321-903_A.1.20":  http://www.hidglobal.com/documents/ok_c … _an_en.pdf

I have links to other docs, but none are as useful as that one.


#2 2010-03-08 05:18:11

Ground Loop
Member
Registered: 2010-01-25
Posts: 15

Re: HID iClass. Anyone have experience?

I've been trying to read iClass cards with the Proxmark3, and having no luck.
I'm using an "HID iClass Px G8L", which is also a dual-standard 125kHz + 13 MHz.  I believe it's a 2K card.
I don't have any to trade, but I'd buy one of your P16K's from you to compare. :)

I can read the 125kHz HID tag just fine.  I also have an HID iClass reader that confirms the exact same value.  Curiously, this value is not found in the UID reported by OmniKey.  It must be some iClass command that fetches it?

As for the ProxMark attempts, the card is an ISO 15693 (Part 2) card, 26.48 kbps.

I can watch the HID iClass reader scan a MIFARE card using hf 14a snoop & list, but I haven't had any luck using the "hf 15" commands to read this iClass card.  None of the "hf 15" commands return any sensible data, and I have suspicions they don't work at all, since they frequently crash the client.

Is there something similar to 14a snoop & list for 15?

I'm using the trunk version, and have tried both Linux and Windows clients to see.  So far, no "hf 15" luck.  You?


#3 2010-03-08 07:58:01

Ground Loop
Member
Registered: 2010-01-25
Posts: 15

Re: HID iClass. Anyone have experience?

By the way, that document you posted is very insightful.  It doesn't seem to have quite enough information to go get the iClass card ID (the value the card reader spits out), but close.

It's clear that this is going to require some snooping, either with an iClass reader, or possibly with the OmniKey DLL.  There appear to be some default (yet unpublished) keys involved.


#4 2010-03-10 02:30:25

wrc
Member
Registered: 2009-02-08
Posts: 4

Re: HID iClass. Anyone have experience?

I haven't gone far with the iClass yet.  I have an Omnikey 5321 that I should be able to use the API with to program when I move down that path.

All of the cards I have come up 0XFF...FF on the Prox 125kHz.  I'm not sure if it is programmable through the smartcard interface.  Illuminating the card, I can see two chip packages, one attached to the 13.56MHz antenna and one to the 125kHz antenna.


#5 2010-12-30 20:19:25

wrc
Member
Registered: 2009-02-08
Posts: 4

Re: HID iClass. Anyone have experience?

HID iClass got exposed yesterday at 27C3.  Here's the talk:  https://events.ccc.de/congress/2010/Fah … 14.en.html.  Here are more details: http://www.openpcd.org/HID_iClass_demystified

Hey, looks like our henryk was the co-presenter on that one.  Wish I was there!

Last edited by wrc (2010-12-30 20:40:22)


#6 2011-01-10 23:41:14

n0t
Contributor
Registered: 2008-11-24
Posts: 26

Re: HID iClass. Anyone have experience?

That's good news. Hopefully we will have something for the Proxmark soon.


#7 2011-09-15 21:43:25

djmanning
Member
Registered: 2008-09-22
Posts: 11

Re: HID iClass. Anyone have experience?

New write-up on iClass research at proxclone.com

http://www.proxclone.com/iClass.html

dj


#8 2011-10-04 00:14:46

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: HID iClass. Anyone have experience?

I have just posted a second (more recent) paper that describes a very simple method for retrieving iClass keys from a reader. The method is applicable to both standard and high security modes of operation.
http://www.proxclone.com/pdfs/iClass_Key_Extraction.pdf
