Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2018-11-20 11:15:36

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

JCM-Tech grey keyfob

I have been working on this tag for a long time but I have not achieved anything yet.

It is completely invisible to the Proxmark3; I have not managed to connect with this tag in any way.

According to the manufacturer's website it is 13.56, but I do not know if it will take some kind of configuration to "wake up" this tag.

Does anyone know it? Do you know anything about it?



#2 2019-10-16 16:12:47

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

Re: JCM-Tech grey keyfob

Well, after a long time trying to get my Proxmark3 to communicate with this type of tag, while messaging with iceman the other day he suggested that it could be an iClass.

Applying that idea, if we use the "hf iclass reader 1" command we get the following result:

pm3 --> hf iclass reader 1
Readstatus:1e
   CSN: 66 39 19 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Non secured page
[!]     RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)

At the moment it is only the beginning ... there is still a long way to go to find out if this type of tag can be cloned.

Thanks Iceman!

Last edited by dipolin (2019-10-16 16:13:35)


#3 2019-10-16 18:24:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

It came as a surprise to me as well. I was totally convinced it was LF.

Anyway, the unprogrammed keys you sent me do not use the keys in the leaked standard key.


#4 2019-10-16 18:24:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

And I am moving this thread over to iClass section.


#5 2019-10-16 18:34:27

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

Re: JCM-Tech grey keyfob

I was looking for the thread, hehehe; for a moment I thought they had deleted it.

The tags are pre-programmed at the factory. The tag is only registered or cancelled in the access control.


#6 2019-10-18 10:55:58

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

Re: JCM-Tech grey keyfob

iceman wrote:

It came as a surprise to me as well. I was totally convinced it was LF.

Anyway, the unprogrammed keys you sent me do not use the keys in the leaked standard key.


I have a question about what you say about programmed and unprogrammed tags.

I read the tag before programming it:

pm3 --> hf iclass reader 1
Readstatus:1e
   CSN: 73 F3 13 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Non secured page
[!]     RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)
pm3 -->

and after programming it in the access control:

pm3 --> hf iclass reader 1
Readstatus:1e
   CSN: 73 F3 13 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Non secured page
[!]     RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)
pm3 -->

The result is the same; I do not see that any value has been altered.

What do you mean by not using the keys in the leaked standard key?

Sorry... I'm so lost with the iClass tag...

Last edited by dipolin (2019-10-18 10:57:18)


#7 2019-10-18 16:01:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

"Unprogrammed" was what was written on the bag of tags you sent me.
The known default keys don't work.


#8 2019-10-18 17:39:44

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: JCM-Tech grey keyfob

1. There is more data on the tag than you can see with the 'iclass reader' command.
2. It is not even necessary to alter any tag data when a tag is 'programmed' to an ACS. It is possible that the data is just read and changes are made to the ACS database only.


#9 2019-10-18 20:01:43

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: JCM-Tech grey keyfob

Your tag is NOT an iClass tag. However, it is definitely a PicoPass chip, based on having a CSN vendor code that is assigned to Inside Secure. Even though iClass uses the PicoPass chip, the CSN is NOT within the range assigned to HID for iClass use.
iClass tags have a CSN value of XXXXXXXXXXFF12E0.

The "hf iclass reader" command will read the unprotected blocks of data in order to obtain as much information as possible without having to authenticate.
The "unprotected" data blocks do not normally change during programming.
That is why the data shown did not change.
Since the PM3 does not know the authentication key it could not read the "protected" data blocks that were likely changed during the programming process.


#10 2019-10-18 22:56:05

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

Re: JCM-Tech grey keyfob

carl55 wrote:

Your tag is NOT an iClass tag. However, it is definitely a PicoPass chip, based on having a CSN vendor code that is assigned to Inside Secure. Even though iClass uses the PicoPass chip, the CSN is NOT within the range assigned to HID for iClass use.
iClass tags have a CSN value of XXXXXXXXXXFF12E0.

The "hf iclass reader" command will read the unprotected blocks of data in order to obtain as much information as possible without having to authenticate.
The "unprotected" data blocks do not normally change during programming.
That is why the data shown did not change.
Since the PM3 does not know the authentication key it could not read the "protected" data blocks that were likely changed during the programming process.

carl55, you just gave me a good technical lesson; I was not familiar with either the iClass or PicoPass protocols. I am very familiar with Temic tags and was completely unaware of the complexity of these tags.

I think I'm going to catch up; that's news to me.

Thank you very much everyone for the messages!

Last edited by dipolin (2019-10-18 22:56:46)


#11 2020-07-21 15:18:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

So I revisited this system. Reader: EVOPROX.
The rework of the iCLASS code gives a better, more stable read.

The tag is, as Carl points out, a PicoPass and not inside the HID range. And its AA1 area is marked as taking all the space.
There is no AA2 space, which means it can be used for certain config cards. Its key is still unknown. I will try to sniff that traffic and see if I can get the diversified key out.


[usb] pm3 --> hf iclass info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]     CSN: 9F 92 56 05 09 00 12 E0   (uid)
[+]  Config: FF FF FF FE 7F 1F 7F 2C   (Card configuration)
[+] E-purse: 50 52 4F 58 4A 43 4D 30   (Card challenge, CC)
[+]      Kd: 00 00 00 00 00 00 00 00   (Debit key, hidden)
[+]      Kc: 00 00 00 00 00 00 00 00   (Credit key, hidden)
[+]     AIA: FF FF FF FF FF FF FF FF   (Application Issuer area)
[=] ------ card configuration ------
[+]   Mode: Application (locked)
[+] Coding: ISO 14443-2 B / 15693
[+]  Crypt: Non secured page
[=]     RA: Read access not enabled
[=] App limit 0xFF, OTP 0xFFFF, Block write lock 0xFE
[=]      Chip 0x7F, Mem 0x1F, EAS 0x7F, Fuses 0x2C
[=] ------ Memory ------
[=]     2 KBits/2 App Areas (248 bytes)
[=]     AA1 blocks 250 { 0x06 - 0xFF (06 - 255) }
[=]     AA1 is configured to take all available space
[=] ------ KeyAccess ------
[=]  Kd = Debit key (AA1),  Kc = Credit key (AA2)
[=]      Read A - Kd or Kc
[=]      Read B - Kd or Kc
[=]     Write A - Kc
[=]     Write B - Kc
[=]       Debit - Kd or Kc
[=]      Credit - Kc
[=] ------ Fingerprint ------
[+] PicoPass (CSN is not in HID range)
[+]  Card type : PicoPass 2K


#12 2020-07-21 19:23:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

Sneaky sneaky,
Sometimes you can look at the same data and just not see it.
Sometimes you just get lucky.

Take a closer look at the e-purse. Normally for unused tags you would see a value with lots of 0xFF.
It didn't strike me at first, but if you look at it in ASCII it becomes clear.

E-purse: 50 52 4F 58 4A 43 4D 30   (Card challenge, CC)


hex                     | ascii
------------------------+-----------------------
50 52 4F 58 4A 43 4D 30 | PROXJCM0

What is it for? Most likely a simple way to identify tags sold by themselves.


#13 2020-07-21 19:41:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

Another odd behavior: normally a HID reader wants to authenticate directly after anti-collision, i.e. 88 02,
but the EVOPROX reader doesn't. It READS block 02, i.e. 0C 02.
And it's also here that the current simulation breaks for it, since it doesn't like the answer somehow.

PM3 simulating a keyfob with the first six blocks from a fob (well, not Kd/Kc...).

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------

          0 |       5632 | Rdr |0a                                                                       |     | ACTALL
       9344 |      11392 | Tag |<SOF>                                                                    |     |
    1304608 |    1310240 | Rdr |0a                                                                       |     | ACTALL
    1313952 |    1316000 | Tag |<SOF>                                                                    |     |
    1318176 |    1323808 | Rdr |0c                                                                       |     | IDENTIFY
    1327520 |    1372576 | Tag |53  d2  aa  20  01  40  02  fc  7c  d8                                   |  ok |
    1376704 |    1415104 | Rdr |81  53  d2  aa  20  01  40  02  fc                                       |     | SELECT
    1418816 |    1463872 | Tag |9f  92  56  05  09  00  12  e0  4b  91                                   |  ok |
    1509248 |    1527168 | Rdr |0c  02  61  10                                                           |  ok | READ(2)
    1530880 |    1567744 | Tag |50  52  4f  58  4a  43  4d  30                                           |  ok |


    1597824 |    1603456 | Rdr |0a                                                                       |     | ACTALL
    1607168 |    1609216 | Tag |<SOF>                                                                    |     |
    1611648 |    1617280 | Rdr |0c                                                                       |     | IDENTIFY
    1620992 |    1666048 | Tag |53  d2  aa  20  01  40  02  fc  7c  d8                                   |  ok |
    1670176 |    1708576 | Rdr |81  53  d2  aa  20  01  40  02  fc                                       |     | SELECT
    1712288 |    1757344 | Tag |9f  92  56  05  09  00  12  e0  4b  91                                   |  ok |
    1803136 |    1821056 | Rdr |0c  02  61  10                                                           |  ok | READ(2)
    1824768 |    1861632 | Tag |50  52  4f  58  4a  43  4d  30                                           |  ok |
    1891552 |    1897184 | Rdr |0a                                                                       |     | ACTALL
    1900896 |    1902944 | Tag |<SOF>   


#14 2020-07-21 19:57:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

Aha, it's not a PicoPass 2KS... with authentication.
It's a non-secure PicoPass without authentication, so you should be able to read the whole card just like that.


#15 2020-07-22 09:33:02

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

Re: JCM-Tech grey keyfob

Amazing!

Very good work! I definitely have to get a new RDV4 Proxmark; my old PROXMARK3 DEV KIT is already obsolete.

I find your progress very interesting, Chris. I kept working to try to get the password in different ways, but every attempt turned out to be a frustration, hence I didn't update my post; there was no progress.

Thanks to your research work you have managed to take another step forward on that tag, which for years has been and continues to be a challenge.

Thanks!


#16 2020-07-22 09:53:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

Yeah, I am adapting the client to deal with tags that are configured to be in non-secure mode.
Now I understand what those fuses were meant for and their impact.

These tags are just memory tags without any key/authentication needed. Once the changes are done, you should just be able to dump them w/o problems.


#17 2020-07-24 21:59:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

So here is a dump. By the looks of it, it seems to be XORed from block 06 forward,

where 0xE5 might be 0x00.

[=] ------+--+-------------------------+----------
[=]  CSN  |00| FD 33 19 05 09 00 12 E0 |
[=] ------+--+-------------------------+----------
[=]       |01| FF FF FF FE 7F 1F 7F 2C | .......,
[=]       |02| 50 52 4F 58 4A 43 4D 30 | PROXJCM0
[=]       |03| FF FF FF FF FF FF FF FF | ........
[=]       |04| FF FF FF FF FF FF FF FF | ........
[=]       |05| FF FF FF FF FF FF FF FF | ........
[=]       |06| 2E 7E 0A 0A E5 E5 E5 35 | .~.....5
[=]       |07| FF FF FF FF FF FF FF FF | ........
[=]       |08| 69 09 94 02 1A 4E 18 9E | i....N..
[=]       |09| 69 09 94 02 1A E5 E5 24 | i......$
[=]       |0A| E8 1D 38 CB 0F E9 F1 F4 | ..8.....
[=]       |0B| BF 29 0C 09 59 0C C1 B1 | .)..Y...
[=]       |0C| 72 65 A3 5E 9B 22 C1 42 | re.^.".B
[=]       |0D| E5 E7 3B A5 15 82 21 06 | ..;...!.
[=]       |0E| E5 20 9F FA 57 A0 21 60 | . ..W.!`
[=]       |0F| E5 7C 03 08 61 C6 31 53 | .|..a.1S
[=]       |10| E5 F6 93 88 85 A4 17 08 | ........
[=]       |11| E5 03 F7 D9 C7 CA 17 5B | .......[
[=]       |12| E5 5F CB EE 16 E8 E6 06 | ._......
[=]       |13| E5 9B CF 3C 50 0F E6 37 | ...<P..7
[=]       |14| E5 A7 C3 7D 62 2D F6 80 | ...}b-..
[=]       |15| E5 E7 3B A5 15 82 21 06 | ..;...!.
[=]       |16| E5 20 9F FA 57 A0 21 60 | . ..W.!`
[=]       |17| E5 7C 03 08 61 C6 31 53 | .|..a.1S
[=]       |18| E5 F6 93 88 85 A4 17 08 | ........
[=]       |19| E5 03 F7 D9 C7 CA 17 5B | .......[
[=]       |1A| E5 5F CB EE 16 E8 E6 06 | ._......
[=]       |1B| E5 9B CF 3C 50 0F E6 37 | ...<P..7
[=]       |1C| E5 A7 C3 7D 62 2D F6 80 | ...}b-..
[=]       |1D| 0E 5B 2B F8 98 60 B0 B3 | .[+..`..
[=]       |1E| CC 67 CE 0E AA 86 B0 7C | .g.....|
[=]       |1F| 83 A3 33 5F E4 A4 80 09 | ..3_....


#18 2020-07-25 03:18:26

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 14

Re: JCM-Tech grey keyfob

Simply spectacular!

It is possible that the idea I am about to put forward is the result of my ignorance, but don't hold that against me.

But could it be that from offset 0x03 to 0x05 the data obtained is FF, just like what happens in the Mifare system when we do not know the password and cannot access the data block?

Last edited by dipolin (2020-07-25 03:18:50)


#19 2020-07-25 16:45:27

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

No, it might have a read lock, but in non-secure page mode there is no authentication and the memory mapping is different.
See the datasheet for more details.


#20 2020-07-29 13:17:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

After a rewrite of all the code, dumping and simulating a tag in non-secure mode is done. Seamless to the user.

You see below: I dumped a token, eloaded it, simulated it with the pm3, presented it to the EVOPROX reader, and then listed the tracelog.
Interesting to see the dual read of blocks. You can see which blocks belong to which group. It looks like two groups; let's call them A and B,
where
A has blocks 9, 13, 14, 15, 16, 17, 18, 19, 20
B has blocks 6, 21, 22, 23, 24, 25, 26, 27, 28


[usb] pm3 --> hf iclass du
[=] Card in non-secure page mode detected
[=] Dumping all available memory, block 3 - 31 (0x1f)
.
[=] ------+----+-------------------------+----------
[=]  CSN  |0x00| EB 12 15 05 09 00 12 E0 |
[=] ------+----+-------------------------+----------
[=]       |0x01| FF FF FF FE 7F 1F 7F 2C | .......,
[=]       |0x02| 50 52 4F 58 4A 43 4D 30 | PROXJCM0
[=]       |0x03| FF FF FF FF FF FF FF FF | ........
[=]       |0x04| FF FF FF FF FF FF FF FF | ........
[=]       |0x05| FF FF FF FF FF FF FF FF | ........
[=]       |0x06| 2E 7E 0A 0A E5 E5 E5 4A | .~.....J
[=]       |0x07| FF FF FF FF FF FF FF FF | ........
[=]       |0x08| 69 C8 94 02 1A 4E 18 89 | i....N..
[=]       |0x09| 69 C8 94 02 1A E5 E5 FB | i.......
[=]       |0x0A| A4 C5 5E 97 42 19 96 0B | ..^.B...
[=]       |0x0B| 6B 06 FD A4 8C 3F 96 C7 | k....?..
[=]       |0x0C| 3E 52 56 E5 DE 5D 66 90 | >RV..]f.
[=]       |0x0D| E5 0B 0A B0 52 6D C7 82 | ....Rm..
[=]       |0x0E| E5 57 A9 C1 6C 93 D7 93 | .W..l...
[=]       |0x0F| E5 93 02 17 AE B1 A7 46 | .......F
[=]       |0x10| E5 1A 62 97 C2 87 B5 A4 | ..b.....
[=]       |0x11| E5 26 06 A4 1D A5 85 63 | .&.....c
[=]       |0x12| E5 72 0A E5 5F DB 85 A1 | .r.._...
[=]       |0x13| E5 8E 7E 3B 69 F9 95 56 | ..~;i..V
[=]       |0x14| E5 CA 12 48 BB 1C 95 6C | ...H...l
[=]       |0x15| E5 0B 0A B0 52 6D C7 82 | ....Rm..
[=]       |0x16| E5 57 A9 C1 6C 93 D7 93 | .W..l...
[=]       |0x17| E5 93 02 17 AE B1 A7 46 | .......F
[=]       |0x18| E5 1A 62 97 C2 87 B5 A4 | ..b.....
[=]       |0x19| E5 26 06 A4 1D A5 85 63 | .&.....c
[=]       |0x1A| E5 72 0A E5 5F DB 85 A1 | .r.._...
[=]       |0x1B| E5 8E 7E 3B 69 F9 95 56 | ..~;i..V
[=]       |0x1C| E5 CA 12 48 BB 1C 95 6C | ...H...l
[=]       |0x1D| 85 7E 75 C7 A1 43 57 EE | .~u..CW.
[=]       |0x1E| 58 8A D9 05 F3 71 27 AB | X....q'.
[=]       |0x1F| 1F D6 7D 5A 32 97 27 74 | ..}Z2.'t
[=] ------+----+-------------------------+----------
[+] saving dump file - 32 blocks read
[+] saved 256 bytes to binary file hf-iclass-EB121505090012E0-dump.bin
[+] saved 32 blocks to text file hf-iclass-EB121505090012E0-dump.eml
[+] saved to json file hf-iclass-EB121505090012E0-dump.json
[?] Try `hf iclass decrypt` to decrypt dump file
[?] Try `hf iclass view` to view dump file

[usb] pm3 --> hf iclass eload f hf-iclass-EB121505090012E0-dump.bin
[+] loaded 256 bytes from binary file hf-iclass-EB121505090012E0-dump.bin
[=] ------------ card -------------
[+]     CSN: EB 12 15 05 09 00 12 E0   (uid)
[+]  Config: FF FF FF FE 7F 1F 7F 2C   (Card configuration)
[+] E-purse: 50 52 4F 58 4A 43 4D 30   (Card challenge, CC)
[+]      Kd: FF FF FF FF FF FF FF FF   (Debit key, hidden)
[+]      Kc: FF FF FF FF FF FF FF FF   (Credit key, hidden)
[+]     AIA: FF FF FF FF FF FF FF FF   (Application Issuer area)
[=] ------ card configuration ------
[+]   Mode: Application (locked)
[+] Coding: ISO 14443-2 B / 15693
[+]  Crypt: Non secured page
[=]     RA: Read access not enabled
[=] App limit 0xFF, OTP 0xFFFF, Block write lock 0xFE
[=]      Chip 0x7F, Mem 0x1F, EAS 0x7F, Fuses 0x2C
[=] ------ Memory ------
[=]     2 KBits (248 bytes)
[=]     Tag has not App Areas
[+] sent 256 bytes of data to device emulator memory
[usb] pm3 --> hf iclass sim 3
[?] Try `hf iclass esave h` to save the emulator memory to file
[usb] pm3 --> 
[#] button pressed

[usb] pm3 -->
[usb] pm3 -->
[usb] pm3 --> hf iclass list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 730 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      26112 | Rdr |36  01  00  00  6a  a1                                                   |     | READ4(1)
    1860960 |    1866592 | Rdr |0a                                                                       |     | ACTALL
    1870304 |    1872352 | Tag |<SOF>                                                                    |     |
    1874528 |    1880160 | Rdr |0c                                                                       |     | IDENTIFY
    1883872 |    1928928 | Tag |5d  a2  a2  20  01  40  02  7c  6d  5c                                   |  ok |
    1933056 |    1971456 | Rdr |81  5d  a2  a2  20  01  40  02  7c                                       |     | SELECT
    1975168 |    2020224 | Tag |eb  12  15  05  09  00  12  e0  5d  87                                   |  ok |
    2065472 |    2083392 | Rdr |0c  02  61  10                                                           |  ok | READ(2)
    2087104 |    2132160 | Tag |50  52  4f  58  4a  43  4d  30  fe  fd                                   |  ok |
    2172832 |    2190752 | Rdr |0c  06  45  56                                                           |  ok | READ(6)
    2194464 |    2239520 | Tag |2e  7e  0a  0a  e5  e5  e5  4a  07  96                                   |  ok |
    2475424 |    2493344 | Rdr |0c  09  b2  ae                                                           |  ok | READ(9)
    2497056 |    2542112 | Tag |69  c8  94  02  1a  e5  e5  fb  22  22                                   |  ok |
    2780480 |    2798400 | Rdr |0c  15  5f  74                                                           |  ok | READ(21)
    2802112 |    2847168 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca                                   |  ok |
    2889760 |    2907680 | Rdr |0c  0d  96  e8                                                           |  ok | READ(13)
    2911392 |    2956448 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca                                   |  ok |
    2998592 |    3016512 | Rdr |0c  16  c4  46                                                           |  ok | READ(22)
    3020224 |    3065280 | Tag |e5  57  a9  c1  6c  93  d7  93  b4  71                                   |  ok |
    3108224 |    3126144 | Rdr |0c  0e  0d  da                                                           |  ok | READ(14)
    3129856 |    3174912 | Tag |e5  57  a9  c1  6c  93  d7  93  b4  71                                   |  ok |
    3218080 |    3236000 | Rdr |0c  17  4d  57                                                           |  ok | READ(23)
    3239712 |    3284768 | Tag |e5  93  02  17  ae  b1  a7  46  59  f3                                   |  ok |
    3328064 |    3345984 | Rdr |0c  0f  84  cb                                                           |  ok | READ(15)
    3349696 |    3394752 | Tag |e5  93  02  17  ae  b1  a7  46  59  f3                                   |  ok |
    3436768 |    3454688 | Rdr |0c  18  ba  af                                                           |  ok | READ(24)
    3458400 |    3503456 | Tag |e5  1a  62  97  c2  87  b5  a4  03  05                                   |  ok |
    3545760 |    3563680 | Rdr |0c  10  f2  23                                                           |  ok | READ(16)
    3567392 |    3612448 | Tag |e5  1a  62  97  c2  87  b5  a4  03  05                                   |  ok |
    3654624 |    3672544 | Rdr |0c  19  33  be                                                           |  ok | READ(25)
    3676256 |    3721312 | Tag |e5  26  06  a4  1d  a5  85  63  c0  c4                                   |  ok |
    3764448 |    3782368 | Rdr |0c  11  7b  32                                                           |  ok | READ(17)
    3786080 |    3831136 | Tag |e5  26  06  a4  1d  a5  85  63  c0  c4                                   |  ok |
    3873056 |    3890976 | Rdr |0c  1a  a8  8c                                                           |  ok | READ(26)
    3894688 |    3939744 | Tag |e5  72  0a  e5  5f  db  85  a1  f7  78                                   |  ok |
    3981952 |    3999872 | Rdr |0c  12  e0  00                                                           |  ok | READ(18)
    4003584 |    4048640 | Tag |e5  72  0a  e5  5f  db  85  a1  f7  78                                   |  ok |
    4090848 |    4108768 | Rdr |0c  1b  21  9d                                                           |  ok | READ(27)
    4112480 |    4157536 | Tag |e5  8e  7e  3b  69  f9  95  56  54  b2                                   |  ok |
    4199776 |    4217696 | Rdr |0c  13  69  11                                                           |  ok | READ(19)
    4221408 |    4266464 | Tag |e5  8e  7e  3b  69  f9  95  56  54  b2                                   |  ok |
    4309664 |    4327584 | Rdr |0c  1c  9e  e9                                                           |  ok | READ(28)
    4331296 |    4376352 | Tag |e5  ca  12  48  bb  1c  95  6c  95  cb                                   |  ok |
    4419456 |    4437376 | Rdr |0c  14  d6  65                                                           |  ok | READ(20)
    4441088 |    4486144 | Tag |e5  ca  12  48  bb  1c  95  6c  95  cb                                   |  ok |
[usb] pm3 -->

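The two dumps posted in this thread (#17 and #20) can be compared mechanically to see which blocks are system constants, which byte offsets carry per-fob data, and where the repeated block range sits (0x0D-0x14 reappearing at 0x15-0x1C, the same blocks that come back in pairs in the dual reads above). The script below is an added example, not Proxmark3 project code and not written by any poster; the block data is copied from the two `hf iclass dump` listings, and the XOR function only applies iceman's unverified 0xE5 guess from #17.

```python
"""Compare the two JCM-Tech fob dumps posted in this thread (#17 and #20).

Added example; not Proxmark3 project code and not from any poster. The block
data below is copied from iceman's `hf iclass dump` listings. The script
reports which blocks are identical across the two fobs, which byte offsets
vary per fob, which block range repeats inside a dump, and what iceman's
"0xE5 might be 0x00" XOR guess from #17 would give (a hypothesis, unverified).
"""
from typing import Dict, List

# 32 blocks of 8 bytes, block 0x00 (CSN) first, as dumped in post #17.
DUMP_FD33 = """
FD331905090012E0 FFFFFFFE7F1F7F2C 50524F584A434D30 FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF 2E7E0A0AE5E5E535 FFFFFFFFFFFFFFFF
690994021A4E189E 690994021AE5E524 E81D38CB0FE9F1F4 BF290C09590CC1B1
7265A35E9B22C142 E5E73BA515822106 E5209FFA57A02160 E57C030861C63153
E5F6938885A41708 E503F7D9C7CA175B E55FCBEE16E8E606 E59BCF3C500FE637
E5A7C37D622DF680 E5E73BA515822106 E5209FFA57A02160 E57C030861C63153
E5F6938885A41708 E503F7D9C7CA175B E55FCBEE16E8E606 E59BCF3C500FE637
E5A7C37D622DF680 0E5B2BF89860B0B3 CC67CE0EAA86B07C 83A3335FE4A48009
"""

# Same layout, as dumped in post #20.
DUMP_EB12 = """
EB121505090012E0 FFFFFFFE7F1F7F2C 50524F584A434D30 FFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF 2E7E0A0AE5E5E54A FFFFFFFFFFFFFFFF
69C894021A4E1889 69C894021AE5E5FB A4C55E974219960B 6B06FDA48C3F96C7
3E5256E5DE5D6690 E50B0AB0526DC782 E557A9C16C93D793 E5930217AEB1A746
E51A6297C287B5A4 E52606A41DA58563 E5720AE55FDB85A1 E58E7E3B69F99556
E5CA1248BB1C956C E50B0AB0526DC782 E557A9C16C93D793 E5930217AEB1A746
E51A6297C287B5A4 E52606A41DA58563 E5720AE55FDB85A1 E58E7E3B69F99556
E5CA1248BB1C956C 857E75C7A14357EE 588AD905F37127AB 1FD67D5A32972774
"""

FILLER = b"\xff" * 8  # unprogrammed / filler blocks in these dumps

def parse_dump(text: str) -> Dict[int, bytes]:
    """Turn whitespace-separated hex blocks into {block_number: 8 bytes}."""
    blocks = {n: bytes.fromhex(tok) for n, tok in enumerate(text.split())}
    if len(blocks) != 32 or any(len(b) != 8 for b in blocks.values()):
        raise ValueError("expected 32 blocks of 8 bytes (PicoPass 2K layout)")
    return blocks

def same_blocks(a: Dict[int, bytes], b: Dict[int, bytes]) -> List[int]:
    """Blocks byte-identical in both fobs: candidate system constants."""
    return [n for n in sorted(a) if a[n] == b[n]]

def varying_bytes(a: Dict[int, bytes], b: Dict[int, bytes]) -> Dict[int, List[int]]:
    """For each differing block, the byte offsets that differ between the fobs."""
    out: Dict[int, List[int]] = {}
    for n in sorted(a):
        pos = [i for i in range(8) if a[n][i] != b[n][i]]
        if pos:
            out[n] = pos
    return out

def repeated_blocks(blocks: Dict[int, bytes]) -> Dict[int, int]:
    """Map each block to the earlier block it duplicates, ignoring 0xFF filler."""
    first_seen: Dict[bytes, int] = {}
    repeats: Dict[int, int] = {}
    for n in sorted(blocks):
        data = blocks[n]
        if data == FILLER:
            continue
        if data in first_seen:
            repeats[n] = first_seen[data]
        else:
            first_seen[data] = n
    return repeats

def xor_hypothesis(blocks: Dict[int, bytes], key: int = 0xE5, first_block: int = 0x06) -> Dict[int, bytes]:
    """iceman's guess (#17): data from block 06 on is XORed so that 0xE5 stands for 0x00."""
    return {n: bytes(x ^ key for x in d) for n, d in blocks.items() if n >= first_block}

def main() -> None:
    a, b = parse_dump(DUMP_FD33), parse_dump(DUMP_EB12)
    print("identical in both fobs:", [f"{n:02X}" for n in same_blocks(a, b)])
    for n, pos in varying_bytes(a, b).items():
        print(f"block {n:02X} differs at byte offsets {pos}")
    for n, earlier in repeated_blocks(a).items():
        print(f"block {n:02X} repeats block {earlier:02X}")
    for n, d in list(xor_hypothesis(a).items())[:4]:
        print(f"block {n:02X} ^ E5 -> {d.hex().upper()}")

if __name__ == "__main__":
    main()
```

Blocks 01-05 and 07 are identical in both fobs, while blocks 06, 08 and 09 differ only at byte offsets 1 and 7, which is the kind of split between format and per-tag content that a reader-side check would key on.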

#21 2020-07-29 14:51:53

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: JCM-Tech grey keyfob

iceman wrote:

No, it might have a read lock, but in non-secure page mode there is no authentication and the memory mapping is different.
See the datasheet for more details.


Hi Iceman,
just curious: if you run loclass on the mac_attack.bin file for this card reader, what will the result be? Will the loclass result show as below?:

----------------------------
[=] Bruteforcing byte 1
[=] Bruteforcing byte 0
[=] Bruteforcing byte 69
  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16,
 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32,
 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64,
 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80,
 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96,
 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112,
113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,
129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,
145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,
161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,
177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,
193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,
209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,
225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,
241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,  0,


[!] Failed to recover 3 bytes using the following CSN
[!] CSN = 010a0ffff7ff12e0
[-] The CSN requires > 3 byte bruteforce, not supported
[-] CSN = 0c060cfef7ff12e0
[-] HASH1 = 0204000045014545

[-] The CSN requires > 3 byte bruteforce, not supported
[-] CSN = 1097837bf7ff12e0
[-] HASH1 = 050d000045014545
.

Last edited by yukihama (2020-07-29 14:52:29)


#22 2020-07-29 15:42:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

There would be nothing, since the reader doesn't use authentication.

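A small decoder for the `hf iclass list` output in #20 makes the points from #13, #20 and this reply checkable: the reader goes from SELECT straight to 0C 02 (a READ of block 2) rather than 88 02 (a READCHECK), paired reads come back with identical payloads, and no authentication command appears anywhere in the trace. This is an added example, not Proxmark3 project code and not written by any poster; the trace rows are copied from #20 with column padding trimmed, and AUTH_ROW is a constructed row showing how the 88 02 READCHECK iceman describes would look in the same listing format.

```python
"""Decode a Proxmark3 `hf iclass list` trace of the EVOPROX reader session.
Added example; not Proxmark3 project code and not from any poster. TRACE is
copied from iceman's post #20 (column padding trimmed). It names the reader
commands, pairs each READ with its answer, finds the "dual read" groups and
checks whether the reader ever started authentication.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Reader opcodes as they appear in the thread's traces and pm3 annotations.
ACTALL, IDENTIFY_OR_READ, SELECT, READCHECK_KD = 0x0A, 0x0C, 0x81, 0x88

TRACE = """\
          0 |      26112 | Rdr |36  01  00  00  6a  a1                  |     | READ4(1)
    1860960 |    1866592 | Rdr |0a                                      |     | ACTALL
    1870304 |    1872352 | Tag |<SOF>                                   |     |
    1874528 |    1880160 | Rdr |0c                                      |     | IDENTIFY
    1883872 |    1928928 | Tag |5d  a2  a2  20  01  40  02  7c  6d  5c  |  ok |
    1933056 |    1971456 | Rdr |81  5d  a2  a2  20  01  40  02  7c      |     | SELECT
    1975168 |    2020224 | Tag |eb  12  15  05  09  00  12  e0  5d  87  |  ok |
    2065472 |    2083392 | Rdr |0c  02  61  10                          |  ok | READ(2)
    2087104 |    2132160 | Tag |50  52  4f  58  4a  43  4d  30  fe  fd  |  ok |
    2172832 |    2190752 | Rdr |0c  06  45  56                          |  ok | READ(6)
    2194464 |    2239520 | Tag |2e  7e  0a  0a  e5  e5  e5  4a  07  96  |  ok |
    2475424 |    2493344 | Rdr |0c  09  b2  ae                          |  ok | READ(9)
    2497056 |    2542112 | Tag |69  c8  94  02  1a  e5  e5  fb  22  22  |  ok |
    2780480 |    2798400 | Rdr |0c  15  5f  74                          |  ok | READ(21)
    2802112 |    2847168 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca  |  ok |
    2889760 |    2907680 | Rdr |0c  0d  96  e8                          |  ok | READ(13)
    2911392 |    2956448 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca  |  ok |
"""

# Constructed row, not from the thread: the "88 02" READCHECK that iceman says a
# HID reader sends right after anti-collision (#13), in the same listing format.
AUTH_ROW = "      20000 |      30000 | Rdr |88  02                                  |     | READCHECK(2)"

@dataclass
class Frame:
    src: str          # "Rdr" or "Tag"
    data: bytes       # raw bytes incl. trailing CRC when one was sent; empty for <SOF>
    annotation: str   # pm3's own label, kept for cross-checking

LINE_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|([^|]*)\|?(.*)$")

def parse_trace(text: str) -> List[Frame]:
    """Parse listing rows; header and separator lines do not match and are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group(4).strip()
            # '!' marks a parity error in pm3 output; the byte value itself is still there.
            data = b"" if raw.startswith("<") else bytes.fromhex(raw.replace("!", "").replace(" ", ""))
            frames.append(Frame(m.group(3), data, m.group(6).strip()))
    return frames

def name_reader_cmd(data: bytes) -> str:
    """Name a reader command; 0x0C is IDENTIFY when sent alone and READ(n) with a block number."""
    op = data[0] if data else -1
    if op == ACTALL:
        return "ACTALL"
    if op == SELECT:
        return "SELECT"
    if op == IDENTIFY_OR_READ:
        return "IDENTIFY" if len(data) == 1 else f"READ({data[1]})"
    if op == READCHECK_KD and len(data) >= 2:
        return f"READCHECK(Kd,{data[1]})"
    return f"0x{op:02X}" if op >= 0 else "?"

def block_reads(frames: List[Frame]) -> List[Tuple[int, bytes]]:
    """Pair each READ(n) with the next tag answer, dropping its 2-byte CRC."""
    reads = []
    for i, f in enumerate(frames):
        if f.src == "Rdr" and len(f.data) >= 2 and f.data[0] == IDENTIFY_OR_READ:
            answer = next((g for g in frames[i + 1:] if g.src == "Tag"), None)
            if answer is not None and len(answer.data) == 10:
                reads.append((f.data[1], answer.data[:8]))
    return reads

def dual_read_groups(reads: List[Tuple[int, bytes]]) -> List[List[int]]:
    """Blocks at different addresses answered with identical data (iceman's A/B pairing)."""
    by_payload: Dict[bytes, List[int]] = {}
    for block, payload in reads:
        by_payload.setdefault(payload, []).append(block)
    return [blocks for blocks in by_payload.values() if len(blocks) > 1]

def uses_authentication(frames: List[Frame]) -> bool:
    """True if the reader ever issued a READCHECK, i.e. started Kd authentication."""
    return any(f.src == "Rdr" and f.data[:1] == bytes([READCHECK_KD]) for f in frames)

def main() -> None:
    frames = parse_trace(TRACE)
    print([name_reader_cmd(f.data) for f in frames if f.src == "Rdr"])
    print("dual reads:", dual_read_groups(block_reads(frames)))
    print("EVOPROX authenticates:", uses_authentication(frames),
          "| constructed HID-style row:", uses_authentication(parse_trace(AUTH_ROW)))

if __name__ == "__main__":
    main()
```

The first row (opcode 0x36, which pm3 labels READ4(1)) falls through to the raw-opcode branch; the kept pm3 annotation shows where this small decoder is narrower than the client's own.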

#23 2020-07-30 23:31:56

xugmu
Contributor
Registered: 2016-06-22
Posts: 24

Re: JCM-Tech grey keyfob

Authentication aside, I think it might be nice to be able to emulate the keyfob to try to get the reader to recognize it.

As a curiosity, I can say that I have written 50 52 4F 58 4A 43 4D 30 in block 2 of a blank card and the reader does not even blink, which it did before writing to block 2.


#24 2020-07-30 23:42:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: JCM-Tech grey keyfob

I am not sure what you have done or not, or if you are testing against the same system, so it's just guessing from my side now.

But the tags I have looked at contain much more than block 2, as can be seen in my previous posts.

And yes, it is very nice to be able to simulate it.


#25 2020-07-30 23:55:03

xugmu
Contributor
Registered: 2016-06-22
Posts: 24

Re: JCM-Tech grey keyfob

I am testing with the same system; although it has another brand inside, the keyfob (dump) is identical and the reader only differs in the outer label.

The tests I have done are writing random bytes, in the original key fob, in blocks different from 2 and 6, and the reader continues to activate the relay.

And on the other hand, writing 50 52 4F 58 4A 43 4D 30 in block 2 of a blank PicoPass 2K card. In this case the reader stops blinking, which it did with the blank card. In fact it blinks again if I change a single digit of 50 52 4F 58 4A 43 4D 30 in block 2. Unfortunately the system blinks but does not accept a blank card as valid.

To write I am using a PicoPass reader, since the Proxmark, in this case, only reads.

Last edited by xugmu (2020-07-31 17:40:33)


#26 2020-07-31 23:27:53

xugmu
Contributor
Registered: 2016-06-22
Posts: 24

Re: JCM-Tech grey keyfob

iceman wrote:

After a rewrite of all the code, dumping and simulating a tag in non-secure mode is done. Seamless to the user.

You see below: I dumped a token, eloaded it, simulated it with the pm3, presented it to the EVOPROX reader, and then listed the tracelog.
Interesting to see the dual read of blocks. You can see which blocks belong to which group. It looks like two groups; let's call them A and B,
where
A has blocks 9, 13, 14, 15, 16, 17, 18, 19, 20
B has blocks 6, 21, 22, 23, 24, 25, 26, 27, 28


[+]      Kd: FF FF FF FF FF FF FF FF   (Debit key, hidden)
[+]      Kc: FF FF FF FF FF FF FF FF   (Credit key, hidden)
[+]     AIA: FF FF FF FF FF FF FF FF   (Application Issuer area)
[=] ------ card configuration ------
[+]   Mode: Application (locked)
[+] Coding: ISO 14443-2 B / 15693
[+]  Crypt: Non secured page
[=]     RA: Read access not enabled
[=] App limit 0xFF, OTP 0xFFFF, Block write lock 0xFE
[=]      Chip 0x7F, Mem 0x1F, EAS 0x7F, Fuses 0x2C
[=] ------ Memory ------
[=]     2 KBits (248 bytes)
[=]     Tag has not App Areas
[+] sent 256 bytes of data to device emulator memory
[usb] pm3 --> hf iclass sim 3
[?] Try `hf iclass esave h` to save the emulator memory to file
[usb] pm3 --> 
[#] button pressed

[usb] pm3 -->
[usb] pm3 -->
[usb] pm3 --> hf iclass list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 730 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO15693 / iCLASS - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      26112 | Rdr |36  01  00  00  6a  a1                                                   |     | READ4(1)
    1860960 |    1866592 | Rdr |0a                                                                       |     | ACTALL
    1870304 |    1872352 | Tag |<SOF>                                                                    |     |
    1874528 |    1880160 | Rdr |0c                                                                       |     | IDENTIFY
    1883872 |    1928928 | Tag |5d  a2  a2  20  01  40  02  7c  6d  5c                                   |  ok |
    1933056 |    1971456 | Rdr |81  5d  a2  a2  20  01  40  02  7c                                       |     | SELECT
    1975168 |    2020224 | Tag |eb  12  15  05  09  00  12  e0  5d  87                                   |  ok |
    2065472 |    2083392 | Rdr |0c  02  61  10                                                           |  ok | READ(2)
    2087104 |    2132160 | Tag |50  52  4f  58  4a  43  4d  30  fe  fd                                   |  ok |
    2172832 |    2190752 | Rdr |0c  06  45  56                                                           |  ok | READ(6)
    2194464 |    2239520 | Tag |2e  7e  0a  0a  e5  e5  e5  4a  07  96                                   |  ok |
    2475424 |    2493344 | Rdr |0c  09  b2  ae                                                           |  ok | READ(9)
    2497056 |    2542112 | Tag |69  c8  94  02  1a  e5  e5  fb  22  22                                   |  ok |
    2780480 |    2798400 | Rdr |0c  15  5f  74                                                           |  ok | READ(21)
    2802112 |    2847168 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca                                   |  ok |
    2889760 |    2907680 | Rdr |0c  0d  96  e8                                                           |  ok | READ(13)
    2911392 |    2956448 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca                                   |  ok |
    2998592 |    3016512 | Rdr |0c  16  c4  46                                                           |  ok | READ(22)
    3020224 |    3065280 | Tag |e5  57  a9  c1  6c  93  d7  93  b4  71                                   |  ok |
    3108224 |    3126144 | Rdr |0c  0e  0d  da                                                           |  ok | READ(14)
    3129856 |    3174912 | Tag |e5  57  a9  c1  6c  93  d7  93  b4  71                                   |  ok |
    3218080 |    3236000 | Rdr |0c  17  4d  57                                                           |  ok | READ(23)
    3239712 |    3284768 | Tag |e5  93  02  17  ae  b1  a7  46  59  f3                                   |  ok |
    3328064 |    3345984 | Rdr |0c  0f  84  cb                                                           |  ok | READ(15)
    3349696 |    3394752 | Tag |e5  93  02  17  ae  b1  a7  46  59  f3                                   |  ok |
    3436768 |    3454688 | Rdr |0c  18  ba  af                                                           |  ok | READ(24)
    3458400 |    3503456 | Tag |e5  1a  62  97  c2  87  b5  a4  03  05                                   |  ok |
    3545760 |    3563680 | Rdr |0c  10  f2  23                                                           |  ok | READ(16)
    3567392 |    3612448 | Tag |e5  1a  62  97  c2  87  b5  a4  03  05                                   |  ok |
    3654624 |    3672544 | Rdr |0c  19  33  be                                                           |  ok | READ(25)
    3676256 |    3721312 | Tag |e5  26  06  a4  1d  a5  85  63  c0  c4                                   |  ok |
    3764448 |    3782368 | Rdr |0c  11  7b  32                                                           |  ok | READ(17)
    3786080 |    3831136 | Tag |e5  26  06  a4  1d  a5  85  63  c0  c4                                   |  ok |
    3873056 |    3890976 | Rdr |0c  1a  a8  8c                                                           |  ok | READ(26)
    3894688 |    3939744 | Tag |e5  72  0a  e5  5f  db  85  a1  f7  78                                   |  ok |
    3981952 |    3999872 | Rdr |0c  12  e0  00                                                           |  ok | READ(18)
    4003584 |    4048640 | Tag |e5  72  0a  e5  5f  db  85  a1  f7  78                                   |  ok |
    4090848 |    4108768 | Rdr |0c  1b  21  9d                                                           |  ok | READ(27)
    4112480 |    4157536 | Tag |e5  8e  7e  3b  69  f9  95  56  54  b2                                   |  ok |
    4199776 |    4217696 | Rdr |0c  13  69  11                                                           |  ok | READ(19)
    4221408 |    4266464 | Tag |e5  8e  7e  3b  69  f9  95  56  54  b2                                   |  ok |
    4309664 |    4327584 | Rdr |0c  1c  9e  e9                                                           |  ok | READ(28)
    4331296 |    4376352 | Tag |e5  ca  12  48  bb  1c  95  6c  95  cb                                   |  ok |
    4419456 |    4437376 | Rdr |0c  14  d6  65                                                           |  ok | READ(20)
    4441088 |    4486144 | Tag |e5  ca  12  48  bb  1c  95  6c  95  cb                                   |  ok |
[usb] pm3 -->



I had not read this post in its entirety.

I deduce that the proxmark is capable of simulating a keyfob of this system so that the controller accepts it in memory and activates the relay.

In this way we could also know why a blank card written with the same data does not work.

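Added example, not code from iceman or the Proxmark3 project: a small parser for the `hf iclass list` output quoted above that pairs each READ(n) command with the tag's reply and groups the blocks that returned identical data, which makes the A/B dual-read pattern visible without reading the trace by eye. The trace rows are copied from the post; it assumes, as the Proxmark output shows, that each reply is 8 payload bytes followed by a 2-byte CRC.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the `hf iclass list` output in the post
# above (a subset: READ(6) plus the mirrored pairs 21/13 and 22/14).
TRACE = """\
    2172832 |    2190752 | Rdr |0c  06  45  56                  |  ok | READ(6)
    2194464 |    2239520 | Tag |2e  7e  0a  0a  e5  e5  e5  4a  07  96 |  ok |
    2780480 |    2798400 | Rdr |0c  15  5f  74                  |  ok | READ(21)
    2802112 |    2847168 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca |  ok |
    2889760 |    2907680 | Rdr |0c  0d  96  e8                  |  ok | READ(13)
    2911392 |    2956448 | Tag |e5  0b  0a  b0  52  6d  c7  82  ef  ca |  ok |
    2998592 |    3016512 | Rdr |0c  16  c4  46                  |  ok | READ(22)
    3020224 |    3065280 | Tag |e5  57  a9  c1  6c  93  d7  93  b4  71 |  ok |
    3108224 |    3126144 | Rdr |0c  0e  0d  da                  |  ok | READ(14)
    3129856 |    3174912 | Tag |e5  57  a9  c1  6c  93  d7  93  b4  71 |  ok |
"""
READ_RE = re.compile(r"READ\((\d+)\)")

def parse_trace(text):
    """Return (src, data_bytes, annotation) per data row; skips headers/prompts."""
    events = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or cols[2] not in ("Rdr", "Tag") or cols[3].startswith("<"):
            continue  # header, ruler, prompt, or <SOF> marker without bytes
        events.append((cols[2], bytes.fromhex(cols[3].replace(" ", "")), cols[5]))
    return events

def pair_reads(events):
    """Map block number -> 8 payload bytes: pair each READ(n) command (0x0C n)
    with the next Tag frame and drop the 2-byte CRC that ends the response."""
    blocks, pending = {}, None
    for src, data, note in events:
        if src == "Rdr":
            m = READ_RE.search(note)
            pending = data[1] if (m and data[0] == 0x0C and data[1] == int(m.group(1))) else None
        elif src == "Tag" and pending is not None:
            blocks[pending] = data[:-2]
            pending = None
    return blocks

def mirrored_groups(blocks):
    """Blocks that returned identical payloads, i.e. the dual reads seen above."""
    by_data = defaultdict(list)
    for blk, data in blocks.items():
        by_data[data].append(blk)
    return sorted(sorted(v) for v in by_data.values() if len(v) > 1)
```

Run on the full trace from the post it reports the 8 mirrored pairs (13/21 through 20/28) and leaves blocks 2, 6 and 9 unpaired.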

#27 2020-08-02 13:56:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

#28 2020-08-02 23:17:43

xugmu
Contributor
Registered: 2016-06-22
Posts: 24

Re: JCM-Tech grey keyfob

I look forward to the possibility of dumping and simulating an unsecured card.

It seems to me right now the only possible way to try to create a card that is accepted by the system.


#29 2021-01-26 15:30:25

makoy
Contributor
Registered: 2021-01-25
Posts: 3

Re: JCM-Tech grey keyfob

Hello,

I am new in this forum. Although I have been working on RFID technologies, mainly on the transponder side for automotive, now I am working on some home access control devices. I found the same tag as the one described in this thread. I have the last pm3 rdv4 with the latest os and bootrom, but I am afraid I do not have your modified iclass code in order to check the data you show.

May I know how I can do the same tests that you have done, Iceman? I would like to use the

hf iclass info
hf iclass du

commands for this type of unsecured iclass or picopass tag.

Thanks in advance.
