Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-11-20 05:37:11

capecode
Contributor
Registered: 2015-11-18
Posts: 31

Understanding iCLASS

I'm quite new to the forum. I have been reading some writings on iClass cloning (i.e. Heart of Darkness, Dismantling iClass, iClass Key Extraction, Exposing iClass Key Diversification, etc.). Though I do not fully understand everything, I roughly got the ideas of iClass cloning. But I ran into many problems and questions which still puzzle me.

Found this forum and would like to ask for some help on how to start:

1) Do I really need to dissect an RW300/400 reader in order to get a master key? From what I understand, the master key is shared among all STANDARD iClass readers. I'm sure the master key has already been extracted, so wouldn't it be available somewhere on the internet?

2) I tried running ContactlessDemoVC.exe and CopyClass 0.1. Both programs gave an APDU error of 0x6983 when I sent the "authenticate" command. I ran both programs under Windows XP 32-bit on VMWare, installed with Synchronous API 1.1.1.4. My reader is an Omnikey 5321 V2, Firmware 5.2. Any suggestions on this? Would it be possible to read Application Area 1 (Blocks 6-9) using the above programs?

3) I was able to run iClassified and got the information. What is the meaning of Block 6?

4) I have ordered a Proxmark 3 but it has not arrived yet. What would be the correct steps in cloning iClass cards?

Thanks in advance for any advice and suggestions.

#2 2015-11-20 14:35:08

ericc
Member
Registered: 2015-11-19
Posts: 2

Re: Understanding iCLASS

Thank you for your feedback.
But, if you don't want to help, then don't help...
I don't need this kind of comment in my topic. That is just beyond rude.
I am not looking to make any money. I just lost my pass and was looking to make a new one for free, so I can save the $150 asked by the gym. Does this make me a criminal?

#3 2015-11-23 04:16:05

capecode
Contributor
Registered: 2015-11-18
Posts: 31

Re: Understanding iCLASS

By "copy iClass", I meant "cloning" iClass.

#4 2015-11-23 06:14:32

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Understanding iCLASS

The research you've done so far is definitely putting you in the right direction.
Answers to your first post.
1) No, you don't need to dissect readers to obtain the key. It was possibly one of the easier methods for a time.
To my knowledge no one has posted iCLASS keys online. I hope it stays that way.

2) Both applications can read all blocks assuming that you have the correct key. Without it, these applications do not do too much.
Did you select 'OMNIKEY CardMan 5x21-CL 0'?
Are you sure you've got the right key?

3) Information on block 6 is on the web. I'll leave it to you to test your Google Fu.

4) There are a few developers actively working on iCLASS at the moment. Follow the project on Git and keep your Proxmark up to date. If you are not a developer then you might be able to assist as a tester.
Information on cloning iCLASS is in this forum.


#5 2015-11-23 08:08:25

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: Understanding iCLASS

To add a bit of information:
2) IIRC HID pushed new firmware (v5.0+) which blocked writing on App1 area and enforced encryption between the reader and the computer to read that area. I think it also prevents one from downgrading the version.

4) cloning might not be possible if they are using the new storage format which encrypts App1 area with the CSN (I don't remember seeing anything published yet about the algorithms used for that).

BTW, I have a question for you: if you lost your pass, how are you going to clone it?

#6 2015-11-24 05:35:15

capecode
Contributor
Registered: 2015-11-18
Posts: 31

Re: Understanding iCLASS

Thank you Administrator and jump for the advice and suggestions.

I currently do not have the master key yet. But I am just wondering whether APDU error 0x6983 is related to an incorrect key or whether it is because of the new firmware blocking it.

Currently, I only have one reader, an Omnikey 5321 V2 with firmware version 5.2. So, you hinted that it might not be possible to write or clone an iClass card with this reader, correct? What about with a Proxmark 3? Or an Omnikey 5321 V1? I have ordered a Proxmark 3, which hasn't arrived yet, and the Omnikey 5321 V1 is readily available on eBay.

Meanwhile, I'll wait until my Proxmark 3 arrives to try some testing. I'm sure many more questions will arise after trying it.

BTW, I did not lose my pass. I think it is another member named ericc on post #3.

#7 2015-11-24 06:20:11

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Understanding iCLASS

capecode wrote:

I currently do not have the master key yet. But I am just wondering whether APDU error 0x6983 is related to an incorrect key or whether it is because of the new firmware blocking it.

I doubt very much that this is a firmware issue.

capecode wrote:

Currently, I only have one reader, an Omnikey 5321 V2 with firmware version 5.2. So, you hinted that it might not be possible to write or clone an iClass card with this reader, correct? What about with a Proxmark 3? Or an Omnikey 5321 V1? I have ordered a Proxmark 3, which hasn't arrived yet, and the Omnikey 5321 V1 is readily available on eBay.

The Proxmark III is capable of cloning iCLASS credentials.

There is an Omnikey 5321 variant called the CP600. It is capable of programming iCLASS cards. With a bit of persuasion, the programming software didn't require the 'CP600' in order to work.


#8 2015-11-25 05:12:11

capecode
Contributor
Registered: 2015-11-18
Posts: 31

Re: Understanding iCLASS

Thank you 0xFFFF for your further comments.

If the APDU error 0x6983 is likely caused by an incorrect key, then it would not be possible to clone without the correct key. I guess this is also the case with the Proxmark 3 and CP600. Is there any way I can get the key without dissecting the old HID readers?

Also, from reading some writings on iClass, I understand that Application Area 1 (blocks 6-9) can only be read and written when the correct key has been authenticated. But somehow the program "iclassified" is able to display Block 6. So, I imagine the author could go further and read the remainder of the Application Area.

BTW, if it is not too secret, can you point me to where I can get the programming software for the CP600 (that didn't require a CP600 to work)?

#9 2015-11-25 07:03:10

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Understanding iCLASS

capecode wrote:

If the APDU error 0x6983 is likely caused by an incorrect key, then it would not be possible to clone without the correct key.

No.

capecode wrote:

I guess this is also the case with the Proxmark 3 and CP600. Is there any way I can get the key without dissecting the old HID readers?

Yes, Carl55 has a very interesting thread on the subject.

capecode wrote:

Also, from reading some writings on iClass, I understand that Application Area 1 (blocks 6-9) can only be read and written when the correct key has been authenticated. But somehow the program "iclassified" is able to display Block 6. So, I imagine the author could go further and read the remainder of the Application Area.

Are you off by one?

capecode wrote:

BTW, if it is not too secret, can you point me to where I can get the programming software for the CP600 (that didn't require a CP600 to work)?

I do not know of a location where you can download the old software from.
The modern programming software most people are familiar with is called AsureID. Older stuff goes by different names.


#10 2015-11-26 08:14:10

capecode
Contributor
Registered: 2015-11-18
Posts: 31

Re: Understanding iCLASS

For the time being, I guess I will have to do more reading on the forum.
