Proxmark developers community


#1 2016-08-31 16:37:41

w32.n01
Contributor
Registered: 2016-08-18
Posts: 5

Proxmark 3 and iClass troubleshooting

Starting a new thread at the recommendation of iceman.

So I'm having trouble getting any of this to work.

hf iclass snoop

doesn't appear to work at all - I have tried holding the antenna in various positions (between card and reader, above, to the side, at different distances, etc.). The proxmark just sits there until I press the button and then I get:

#db# cancelled_a
#db# 1 0 0
#db# 20 f0 0

hf iclass sim 2

will correctly acquire responses, but then subsequently fail to crack anything. So, thinking that the initial csns were maybe off, I modified the code to use the 126 malicious csns from here, and although the proxmark appears to send all 126 csns, it only appears to collect 63 per "run" - so I again modified the code to run half of them at a time and then spliced the resulting MACs into a single file, but still no luck on recovering a key. Loclass states that it should work with any csns (providing they're the right format), but I'm still not having any luck.

Can someone (please) help point me in the right direction, or let me know some first places to start troubleshooting?

Thanks!


#2 2016-08-31 18:22:46

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Proxmark 3 and iClass troubleshooting

the sim attack can only crack elite gen1 iClass tags.  what type of tags do you have?


#3 2016-08-31 19:38:40

w32.n01
Contributor
Registered: 2016-08-18
Posts: 5

Re: Proxmark 3 and iClass troubleshooting

I'm not sure, how would I test for that? Googling the designators on the back of the card has been pretty fruitless so far.

When I read the card using the PM3, I'm seeing that its coding is: ISO 14443-2 B/ISO 15693.


EDIT: I performed a "hf search" and it returns:

CSN: XX XX XX XX XX XX XX XX
CC: XX XX XX XX XX XX XX XX
	Mode: Application [Locked]
	Coding: ISO 14443-2 B/ISO 15693
	Crypt: Secured page, keys not locked
	RA: Read access not enabled
	Mem: 16 KBits/16 App Areas (255 * 8 bytes) [1F]
	AA1: blocks 06-12
	AA2: blocks 13-FF

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search

But I don't know how to tell which generation that is?

Last edited by w32.n01 (2016-08-31 20:03:58)


#4 2016-08-31 20:36:47

w32.n01
Contributor
Registered: 2016-08-18
Posts: 5

Re: Proxmark 3 and iClass troubleshooting

UPDATE: Based on the specs here: https://www.hidglobal.com/sites/default/files/resource_files/iclass-se-card-ds-en.pdf

It would appear that I have a "next-generation" card, which by definition wouldn't be "gen 1", so I'll table the sim attack for the time being. Thank you, marshmellow, for the info!

I'm still wondering about the snoop question - does anyone know if this works on "next-generation" setups, or is this only for gen 1 as well? Looking through the code doesn't immediately reveal this answer.


#5 2016-08-31 21:47:01

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Proxmark 3 and iClass troubleshooting

after a snoop a `hf list iclass` would be needed to output what it captured.

snoop requires a very strong antenna to be successful. 

but with the encryption and authentication methods of the picopass chips being what they are i don't think a snoop will get you very far.


#6 2016-08-31 21:59:29

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Proxmark 3 and iClass troubleshooting

btw to my knowledge there are multiple iclass tag types:
classic (gen1)
classic Elite (custom access keys per company)
SR    (classic compatible SE tags)
SR Elite (same as SR but with custom access keys per company)
SE    (NOT Classic compatible - Gen 2)
SE Elite (same as SE but with custom access keys per company)
SEOS (not really sure... - Gen 3?)


#7 2016-10-30 14:27:15

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: Proxmark 3 and iClass troubleshooting

I have modified source code to handle read command len 4 from the reader. Would it be useful?


#8 2017-01-25 06:04:16

Omikron
Contributor
Registered: 2010-02-12
Posts: 78

Re: Proxmark 3 and iClass troubleshooting

Go_tus wrote:

I have modified source code to handle read command len 4 from the reader. Would it be useful?

Yes, it would definitely be useful!  Have you already submitted the patch?


#9 2017-01-25 09:02:34

iceman
Administrator
Registered: 2013-04-25
Posts: 4,854

Re: Proxmark 3 and iClass troubleshooting

The hf iclass loclass works on cards/readers which are configured for elite/highSecurity.

The name nomenclature is so confusing in the iclass work. What you get is the AA1 (MKc) for that particular card on that system.

The SE/SR credentials stored on the card inside Application1 have nothing to do with the hf iclass loclass MKc.
With AA1, you can dump the data from Application 1. The SE/SR credentials stored inside are usually encrypted with 3des (another key, the HID transport key).



#10 2017-02-01 19:10:35

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 172

Re: Proxmark 3 and iClass troubleshooting

marshmellow wrote:

btw to my knowledge there are multiple iclass tag types:
classic (gen1)
classic Elite (custom access keys per company)
SR    (classic compatible SE tags)
SR Elite (same as SR but with custom access keys per company)
SE    (NOT Classic compatible - Gen 2)
SE Elite (same as SE but with custom access keys per company)

SEOS (not really sure... - Gen 3?)

(DESFIRE) :)



#11 2017-02-11 15:16:18

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Proxmark 3 and iClass troubleshooting

Seos chips are chips that can emulate desfire, but it is not desfire.
