Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-11-20 11:15:36

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 12

JCM-Tech grey keyfob

I have been working on this tag for a long time but I have not achieved anything yet.

It is completely invisible to the Proxmark3; I have not managed to connect with this tag in any way.

According to the manufacturer's website it is 13.56, but I do not know if it will take some kind of configuration to "wake up" this tag.

Does anyone know it? Do you know anything about it?

FWcqRWc.jpg

8Alclw1.jpg

thzSr6a.png


"The only certain thing, the insecurity of things"

Offline

#2 2019-10-16 16:12:47

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 12

Re: JCM-Tech grey keyfob

Well, after a long time trying to get my Proxmark3 to communicate with this type of tag, I was messaging with iceman the other day and he suggested that it could be an iClass.

Applying that idea, if we use the "hf iclass reader 1" command we get the following result:

pm3 --> hf iclass reader 1
Readstatus:1e
   CSN: 66 39 19 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Non secured page
[!]     RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)

At the moment it is only the beginning ... there is still a long way to go to find out if this type of tag can be cloned.

Thanks Iceman!

Last edited by dipolin (2019-10-16 16:13:35)



Offline

#3 2019-10-16 18:24:12

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178

Re: JCM-Tech grey keyfob

:) It came as a surprise to me as well. I was totally convinced it was LF.

Anyway, the unprogrammed keys you sent me do not use the keys in the leaked standard key.


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#4 2019-10-16 18:24:43

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178

Re: JCM-Tech grey keyfob

And I am moving this thread over to iClass section.



Offline

#5 2019-10-16 18:34:27

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 12

Re: JCM-Tech grey keyfob

I was looking for the thread hehehe :D For a moment I thought they had deleted it.

The tags are pre-programmed at the factory. The tag is only recorded or canceled in the access control.



Offline

#6 2019-10-18 10:55:58

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 12

Re: JCM-Tech grey keyfob

iceman wrote:

:) It came as a surprise to me as well. I was totally convinced it was LF.

Anyway, the unprogrammed keys you sent me do not use the keys in the leaked standard key.


I have a question about what you say about programmed and unprogrammed tags.

I read the tag before programming it:

pm3 --> hf iclass reader 1
Readstatus:1e
   CSN: 73 F3 13 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Non secured page
[!]     RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)
pm3 -->

and after programming it in the access control:

pm3 --> hf iclass reader 1
Readstatus:1e
   CSN: 73 F3 13 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
        Mode: Application [Locked]
        Coding: ISO 14443-2 B/ISO 15693
[+]     Crypt: Non secured page
[!]     RA: Read access not enabled
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
        OTP: 0xFFFF

KeyAccess:
        Read A - Kd or Kc
        Read B - Kd or Kc
        Write A - Kc
        Write B - Kc
        Debit  - Kd or Kc
        Credit - Kc
 App IA: FF FF FF FF FF FF FF FF
[+]       : Possible iClass (legacy tag)
pm3 -->

The result is the same, I do not see that any value has been altered.

What do you mean about not using the keys in the leaked standard key?

Sorry.... hmm I'm so lost with the iClass tag...

Last edited by dipolin (2019-10-18 10:57:18)



Offline

#7 2019-10-18 16:01:46

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178

Re: JCM-Tech grey keyfob

"Unprogrammed" was what was written on the bag of tags you sent me.
The known default keys don't work.



Offline

#8 2019-10-18 17:39:44

piwi
Contributor
Registered: 2013-06-04
Posts: 702

Re: JCM-Tech grey keyfob

1. There is more data on the tag than you can see with the 'iclass reader' command.
2. It is not even necessary to alter any tag data when a tag is 'programmed' to an ACS. It is possible that the data is just read and changes are made to the ACS database only.

Offline

#9 2019-10-18 20:01:43

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 166

Re: JCM-Tech grey keyfob

Your tag is NOT an iClass tag. However, it is definitely a PicoPass chip based on having a CSN vendor code that is assigned to Inside Secure. Even though iClass uses the PicoPass chip, the CSN is NOT within the range assigned to HID for iClass use.
iClass tags have a CSN value of XXXXXXXXXXFF12E0.

The "hf iclass reader" command will read the unprotected blocks of data in order to obtain as much information as possible without having to authenticate.
The "unprotected" data blocks do not normally change during programming.
That is why the data shown did not change.
Since the PM3 does not know the authentication key it could not read the "protected" data blocks that were likely changed during the programming process.

Offline
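
The checks carl55 describes in post #9, as an added example (not part of the thread or of the Proxmark3 client): parse the `hf iclass reader` output quoted above, test the CSN against the XXXXXXXXXXFF12E0 pattern, count the application-area blocks the output lists but does not display, and compare two reads. The function names are hypothetical, and reading the trailing 12 E0 as the Inside Secure vendor code is an assumption drawn from that pattern.

```python
import re

# Abridged reader output copied from post #6; the read taken after enrolment
# in the access control is identical in the thread, so AFTER reuses it.
BEFORE = """\
   CSN: 73 F3 13 05 09 00 12 E0
    CC: 50 52 4F 58 4A 43 4D 30
[+]     Crypt: Non secured page
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-1A
        AA2: blocks 1B-1F
[+]       : Possible iClass (legacy tag)
"""
AFTER = BEFORE

def parse_reader_output(text):
    """Map each 'Name: value' line to its value; hex fields become bytes."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = re.sub(r"^\[[+!]\]", "", line).partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            continue  # headings and the unnamed '[+] : ...' line
        if name in ("CSN", "CC"):
            value = bytes.fromhex(value)
        fields[name] = value
    return fields

def classify_csn(csn):
    """Rule from post #9: XXXXXXXXXXFF12E0 is the HID iClass CSN range."""
    if len(csn) != 8 or csn[6:] != bytes.fromhex("12E0"):
        return "other vendor"  # assumption: 12 E0 marks Inside Secure
    return "HID iClass range" if csn[5] == 0xFF else "PicoPass, outside HID iClass range"

def app_area_blocks(fields):
    """Count AA1/AA2 blocks, which the output lists but never displays."""
    total = 0
    for area in ("AA1", "AA2"):
        first, last = re.search(r"([0-9A-F]{2})-([0-9A-F]{2})", fields[area]).groups()
        total += int(last, 16) - int(first, 16) + 1
    return total

def changed_fields(before, after):
    """Names of displayed fields whose values differ between two reads."""
    a, b = parse_reader_output(before), parse_reader_output(after)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    print(classify_csn(parse_reader_output(BEFORE)["CSN"]), changed_fields(BEFORE, AFTER))
```

An empty list from `changed_fields` only says the displayed header fields match; it says nothing about the application-area blocks, which this output never shows.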

#10 2019-10-18 22:56:05

dipolin
Contributor
From: Spain - Madrid
Registered: 2017-05-04
Posts: 12

Re: JCM-Tech grey keyfob

carl55 wrote:

Your tag is NOT an iClass tag. However, it is definitely a PicoPass chip based on having a CSN vendor code that is assigned to Inside Secure. Even though iClass uses the PicoPass chip, the CSN is NOT within the range assigned to HID for iClass use.
iClass tags have a CSN value of XXXXXXXXXXFF12E0.

The "hf iclass reader" command will read the unprotected blocks of data in order to obtain as much information as possible without having to authenticate.
The "unprotected" data blocks do not normally change during programming.
That is why the data shown did not change.
Since the PM3 does not know the authentication key it could not read the "protected" data blocks that were likely changed during the programming process.

carl55, you just gave me a good technical lesson. I was not familiar with either the iClass or the PicoPass protocol. I am very familiar with Temic tags and I was completely unaware of the complexity of these tags.

I think I'm going to catch up. That's news to me.

Thank you very much everyone for the messages! :)

Last edited by dipolin (2019-10-18 22:56:46)



Offline
