Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2017-04-10 20:24:56

mb
Contributor
Registered: 2017-04-06
Posts: 6

Writing Arbitrary ID to iClass SE Elite Card

After doing a lot of reading here and of the various research papers and blog posts frequently referenced in the forum, I am able to clone iClass SE Elite cards onto other iClass cards. (Thanks for that!) The one thing I have yet to figure out is how to write an arbitrary ID onto a card without having possession of the original card. I know from the research papers that the block I want to write is TDES encrypted, and that is a different key than the HID master (or in this case, Elite) auth key. A couple of questions:
1. Is the TDES key used to encrypt block 7 the same across all iClass SE installations, regardless of Elite, or would it be unique for each Elite deployment?
2. Is there a way to recover this key using the PM3, like loclass? Or do I need to try something like the ICSP method? (Do newer SE readers still expose this interface? I haven't pulled one off the wall yet.)

Thanks!


#2 2017-04-11 01:02:52

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Writing Arbitrary ID to iClass SE Elite Card

1. It's the same.
2. I never tried obtaining the key using the PM3.
The ICSP method only applies to iCLASS readers with a specific hardware version. The vulnerability was in the PIC18F452.
Newer SE readers use the LPC1227.


#3 2017-04-11 06:02:41

mb
Contributor
Registered: 2017-04-06
Posts: 6

Re: Writing Arbitrary ID to iClass SE Elite Card

Thanks. At least I know I don't need to target a device from my organization. That should make this at least a little easier. Are the keys the same between legacy iClass and SE as well? If so, perhaps I can find an old vulnerable reader.


#4 2017-04-11 06:32:31

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Writing Arbitrary ID to iClass SE Elite Card

There is only one iCLASS / iCLASS SE TDES key AFAIK.
You're looking for a Rev A. Try your luck on eBay first.

In your first post you mentioned being able to write an 'arbitrary ID'. It's worth noting that iCLASS credentials support PACS formats up to 143 bits (Blocks 7-9).


#5 2017-04-11 20:36:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: Writing Arbitrary ID to iClass SE Elite Card

Yeah, the transport key is not released. If you can hack the Rev A reader, you will get it by following the instructions.


#6 2017-04-13 22:22:43

mb
Contributor
Registered: 2017-04-06
Posts: 6

Re: Writing Arbitrary ID to iClass SE Elite Card

Thanks, I will try to hunt one of those readers down. By arbitrary I mean "known valid ID #".


#7 2017-04-14 01:07:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: Writing Arbitrary ID to iClass SE Elite Card

They are really rare now.


#8 2017-04-25 04:45:20

mb
Contributor
Registered: 2017-04-06
Posts: 6

Re: Writing Arbitrary ID to iClass SE Elite Card

Got this working. A big thanks to 0xFFFF, iceman, marshmellow, and carl55. You guys are awesome! Truly amazing work on the tooling and understanding these protocols.

Last edited by mb (2017-04-25 04:47:19)
