Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

RFSec17 · 2017-06-01 22:22:26

Quite possibly, I'm missing something obvious because I've been staring at binary, decimal, and hexadecimal for too long trying to decipher it. I've hit a roadblock and could use the input from others.

To preface this, I've read through a few of the forum posts....
http://www.proxmark.org/forum/viewtopic.php?id=4807
http://www.proxmark.org/forum/viewtopic.php?id=3729
http://www.proxmark.org/forum/viewtopic.php?id=1653

....in regards to card formatting and deciphering different types but have not been able to successfully apply them to this situation.

The context is this: I already know the card format, the binary output, the facility code, and the card number because we own the system and have verified the settings in the access control software as well as captured the wiegand data off of a test lab reader. I can do the math on the binary data to confirm where the facility code is and where the card number is.

But when I take the same credential, scan it through an Omnikey 5321 using iclassified, contactless, or copyclass I'm getting data on block 7 that either doesn't add up to the binary info at all OR (dependent on which software I'm using) gives me a partial - the card info at the end of block 7, but not the facility code. Using iclassified and contactless is the closest I've gotten to getting the whole info for data on block 7. I also have the master key and have implemented it according to the Heart of Darkness paper.

Any insight into what I'm missing? It's driving me nuts that I can't fully figure out how to decipher it fully. I just want to understand where the facility code is in the hex string and what the other info is in there.

P.S. The cards have no parity bits, at least according to the access control software.

iceman · 2017-06-02 08:59:22

As you might already guessed, block 7 might be encrypted or not...

The AA1 key allows you to r/w block7 but is not used for the data encryption of block7. For this you need what they call in posts/papers the HID transport key.

RFSec17 · 2017-06-02 17:37:41

Ahhh, I hadn't heard of a transport key (I skipped right over that one). Thanks for pointing me in the right direction iceman. After a search for the term "transport key" it brought me to this previous post: http://www.proxmark.org/forum/viewtopic.php?id=4733

To your knowledge, has that been leaked online anywhere? I don't know if I'll be able to get my hands on one of the older iClass readers to do a firmware/memory dump. Or can it be extracted from an Omnikey 5321? I read a comment to a post from PenturaLabs blog that said the transport 3DES keys were publicly available. For reference: https://penturalabs.wordpress.com/2014/03/17/iclass-is-not-enough/#comment-4754

It's purely curiosity at this point for me. The odd thing is that I don't believe it is encrypted by the method I used. Using the method listed by kchung from the article "Reverse Engineering HID Master Class Keys" also mentioned here: http://www.proxmark.org/forum/viewtopic.php?id=3807, I am able to see the card ID info on block 7 with just 0s before it. For example: 00-00-00-0f-xx-xx-xx-xx is what I get. The card info is in the last few bytes in the string but I just don't know where the site code would sit in that string because converting any portion of that hex to decimal or vice versa doesn't lead me to the correct facility code.

I also read Carl55's responses in this post: http://www.proxmark.org/forum/viewtopic.php?id=3729 which talks about a "sentinel bit" and an "encryption enable bit" in block 6. I haven't fully grasped that concept yet though.

iceman · 2017-06-02 18:41:43

if you see 0x00 in block 7 its not encrypted. Haven't seen those keys public but they might be in official HID pdf's.

The sentinel bit is where to start decoding as wiegand, ie

-------|wwwwww
00000001011010

where wiegand is 011010 in the above example.

RFSec17 · 2017-06-02 20:06:50

Does anything in the wiegand data dictate what the value of the sentinel bit in block 7 would be? I looked back at the http://www.proxmark.org/forum/viewtopic.php?id=3729 post and can't make sense of the reason for the specific sentinel values. I.e. why it might be a 1, 2 ,3 4, etc.

carl55 · 2017-06-02 21:24:36

The start sentinel is simply a "bit". A bit can ONLY be have a value of "0" or "1". The start sentinel is always a logic 1. Its only purpose in life is to tell the reader where to start looking for the wiegand code. Its position in block 7 will define the specific starting point (and length) of the wiegand code.

RFSec17 · 2017-06-02 22:49:51

I understand now. Thank you for clearing that up, it's been very helpful in my understanding/experimentation.

Proxmark3 community

Announcement

#1 2017-06-01 22:22:26

Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

#2 2017-06-02 08:59:22

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

#3 2017-06-02 17:37:41

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

#4 2017-06-02 18:41:43

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

#5 2017-06-02 20:06:50

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

#6 2017-06-02 21:24:36

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

#7 2017-06-02 22:49:51

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

Board footer