Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-01-05 17:15:27

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

IClass Seos IP ??

Hello guys,

I got to play with our condo's newly issued cards. I can't get a read on the Proxmark; that said, "iCLASS SEOS IP" is printed on them with a serial number.

hf ic.. / search commands don't work at all. My MCT on Android got a different read; attached is a pic.

https://www.dropbox.com/s/uhavyykk4qmwg88/Screenshot_20180105-182135.png?dl=0

Has anyone encountered these? Any insights on how to read and eventually reprogram, clone, etc.?

Couldn't find anything on the forum.

Thanks,


ModHex(hfdudthbfchtiehuduhehvht)


#2 2018-01-05 17:22:21

iceman
Administrator
Registered: 2013-04-25
Posts: 4,936

Re: IClass Seos IP ??

??? your pic shows a 14A tag...  Why don't you test those commands instead?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2018-01-05 19:32:43

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

I did try 14A commands; I get nothing. For some reason the card won't read with the original condo reader for a while after the Proxmark test, kind of a lock-down mode?! I am running your build for now; should I give the original build a try?




#4 2018-01-05 21:03:27

iceman
Administrator
Registered: 2013-04-25
Posts: 4,936

Re: IClass Seos IP ??

You need distance between tag and reader for 14a. iClass is also sensitive.

But of course, you should try the official pm3 firmware.




#5 2018-01-05 21:03:36

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: IClass Seos IP ??

iClass SEOS has nothing to do with iClass but the name. A bit like Bluetooth Low Energy and Bluetooth.
SEOS is built on top of an ISO14443A JCOP card.


#6 2018-01-06 12:13:17

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

Oh, good to know. I was suspecting something like that. Physical inspection (flashlight, lol) shows a high-frequency antenna (square) with a normal chip size. I have an Ubertooth somewhere; any pointers on how to get into the card with it?




#7 2018-01-06 17:30:05

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: IClass Seos IP ??

Sorry for the confusion. BLE and Bluetooth were just a comparison point: when you look at BLE, the protocol is completely different from Bluetooth. They only share the name.

It's the same for iClass and SEOS: the protocol to interact with them is completely different. But SEOS is not BLE (even though there is a BLE module that can be added to the readers, and an app to allow using a phone instead of a badge); it's RFID ISO14443A, while iClass is built on top of ISO15693. Same frequency of 13.56 MHz, but different modulation and protocol.

To interact with a SEOS badge you need to use the "hf 14a" command set instead of "hf iclass".
I haven't found any publication yet about the SEOS protocol. Maybe that's something I will publish later if I find some time to add the commands to the pm3.


#8 2018-01-06 20:03:24

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

Great work. I will play with the tag tomorrow and will try to snoop around as well.
I see your point; they made an application for this type which uses BLE or NFC, attached:
https://www.dropbox.com/s/tmoo0d3wort4z70/Screenshot_20180107-003923.png?dl=0
That said, I will appreciate any help on it; perhaps we can get raw data commands from a valid communication to program, decode, etc., as it is promised to be a step-up replacement for many areas of RFID.
Let me know how I can help. I have a tag, Proxmark, Chameleon Mini, Omnikey, hacked, arc to test with.




#9 2018-01-06 22:55:36

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: IClass Seos IP ??

Thanks for the offer. I already know/understand most of the SEOS protocol and I know how to decode it when it's snooped. It's just a matter of taking time to turn that knowledge into C code for the Proxmark in a meaningful command set.


#10 2018-01-07 09:02:55

iceman
Administrator
Registered: 2013-04-25
Posts: 4,936

Re: IClass Seos IP ??

Whenever you feel like sharing what the decoded SIO blob structure looks like, that would be helpful. It should be ASN.1 based.




#11 2018-01-08 11:53:58

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

I wish jump would help out on this. I really want this nailed so that it can be added to the Proxmark's demodded cards.




#12 2018-01-08 12:01:37

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

Btw, the Iceman build is not working properly for 14a commands; it keeps crashing. Sniff is not working; the Proxmark goes unresponsive. Just feedback.




#13 2018-01-08 12:23:41

iceman
Administrator
Registered: 2013-04-25
Posts: 4,936

Re: IClass Seos IP ??

Only 14a sniff? I used it yesterday; works like a charm. However, "hf mf sniff" seems weird to me.




#14 2018-01-08 12:38:47

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

Somehow I believe it is hardware related; the RDV2 has the issue while the original Proxmark doesn't replicate it. Just tested it again.




#15 2018-01-20 12:32:05

AmmonRa
Contributor
Registered: 2017-04-14
Posts: 7

Re: IClass Seos IP ??

I have an unused "Seos IP" card. Does anyone know how to interact with the card, i.e. read data?

hf 14a info
UID : XX XX XX XX
ATQA : 00 01
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 05 78 77 80 02 9C 3A
       -  TL : length is 5 bytes
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
       - TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
       - TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
       - TC1 : NAD is NOT supported, CID is supported
Answers to magic commands: NO

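The ATS decode in the post above is what the Proxmark firmware does for you; as an added example (my own code, not from the thread or from the proxmark3 project) here is the same ISO/IEC 14443-4 decode done by hand, plus the CRC_A check a reader performs on the trailing two bytes. The only input is the ATS copied from the "hf 14a info" output (05 78 77 80 02 9C 3A, where 9C 3A is the CRC_A the Proxmark prints along with the ATS); the function and table names are mine.

```python
# Added example: decode an ISO/IEC 14443-4 ATS and verify its CRC_A.
# Not code from the thread or the proxmark3 project; names below are my own.

# FSCI -> FSC (max frame size the card accepts), ISO/IEC 14443-4; codes 9..15 are RFU.
FSCI_TO_FSC = [16, 24, 32, 40, 48, 64, 96, 128, 256]


def crc_a(data: bytes) -> bytes:
    """CRC_A of ISO/IEC 14443-3: preset 0x6363, polynomial 0x8408 (reflected 0x1021), sent LSB first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def _divisors(nibble: int) -> list:
    """Bits 0..2 of a TA1 nibble announce support for divisor 2, 4 and 8 respectively."""
    return [d for bit, d in ((0, 2), (1, 4), (2, 8)) if nibble & (1 << bit)]


def parse_ats(raw: bytes) -> dict:
    """Decode an ATS as the Proxmark prints it: TL .. historical bytes, then the 2 CRC_A bytes.

    Raises ValueError when TL disagrees with the length or the CRC does not match.
    """
    if len(raw) < 3:
        raise ValueError("ATS too short")
    tl = raw[0]
    if tl + 2 != len(raw):
        raise ValueError(f"TL announces {tl} bytes but {len(raw) - 2} precede the CRC")
    body, crc = raw[:tl], raw[tl:]
    expected = crc_a(body)
    if expected != crc:
        raise ValueError(f"CRC_A mismatch: computed {expected.hex()}, got {crc.hex()}")

    info = {"TL": tl, "historical": b""}
    if tl == 1:                       # bare TL, no T0: default FSCI of 2 applies
        info["FSC"] = 32
        return info

    t0 = body[1]
    fsci = t0 & 0x0F
    info["FSCI"] = fsci
    info["FSC"] = FSCI_TO_FSC[min(fsci, 8)]   # RFU codes are treated as 256
    pos = 2

    def take() -> int:
        nonlocal pos
        if pos >= len(body):
            raise ValueError("T0 announces an interface byte that is missing")
        pos += 1
        return body[pos - 1]

    if t0 & 0x10:                     # TA1: bit-rate capabilities
        ta1 = take()
        info["TA1"] = {
            "same_divisor_only": bool(ta1 & 0x80),
            "DS": _divisors((ta1 >> 4) & 0x07),   # PICC -> PCD
            "DR": _divisors(ta1 & 0x07),          # PCD -> PICC
        }
    if t0 & 0x20:                     # TB1: frame waiting time / start-up frame guard time
        tb1 = take()
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        info["TB1"] = {
            "FWI": fwi,
            "FWT_fc": 4096 << fwi,                    # FWT = (256 * 16 / fc) * 2^FWI
            "SFGI": sfgi,
            "SFGT_fc": (4096 << sfgi) if sfgi else 0,  # SFGI = 0: no SFGT needed
        }
    if t0 & 0x40:                     # TC1: protocol options
        tc1 = take()
        info["TC1"] = {"CID": bool(tc1 & 0x02), "NAD": bool(tc1 & 0x01)}
    info["historical"] = body[pos:]
    return info


# The ATS bytes from the "hf 14a info" output in the post above.
SEOS_ATS = bytes.fromhex("05 78 77 80 02 9C 3A")

if __name__ == "__main__":
    for key, value in parse_ats(SEOS_ATS).items():
        print(f"{key}: {value}")
```

Running it reproduces every line of the Proxmark decode (FSC 256, divisors 2/4/8 both ways, FWI 8 so FWT = 1048576/fc, CID supported, NAD not) and, because the CRC_A check passes, confirms that 9C 3A is the CRC rather than historical bytes; flipping one bit of the input makes parse_ats raise instead of silently decoding garbage.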

#16 2018-01-20 15:11:05

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: IClass Seos IP ??

You need to know the AES encryption key that has been configured in order to read the data.


#17 2018-01-20 16:05:39

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

Sniff or snoop the key out; the harder part would be emulating it, or finding a card that accepts a custom UID following the same SEOS protocol. Is your reader iClass SE?




#18 2018-01-20 16:08:06

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: IClass Seos IP ??

It seems you're not familiar with the SEOS protocol if you think the key can be sniffed.
Emulating SEOS with a Proxmark is trivial though.


#19 2018-01-20 16:14:34

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: IClass Seos IP ??

Ah, so it is an encrypted key that changes with each read type?
The iClass SE reader which they use to read SEOS cards here sends the same series of commands, and I didn't notice changes in the raw data when reading the same card, so I had the assumption of a fixed key, at least the same fixed key per card UID.

Please elaborate on how SEOS works? It would be interesting to nail it.




#20 2018-01-20 16:25:27

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: IClass Seos IP ??

There are still some pieces that I'm missing about this protocol and I'm still working on getting the complete picture.

The card and the reader share a pair of AES keys. One of them is used along with a robust RNG on both sides to negotiate a session key. The only thing that is transmitted is the index of the key to use for this session key negotiation. The session key is not transmitted.
So yes, in theory it's possible to sniff and get the keys from there, but the complexity of the attack is too high (2**129).
