Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2017-06-01 22:22:26

RFSec17
Contributor
Registered: 2017-06-01
Posts: 5

Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

Quite possibly, I'm missing something obvious because I've been staring at binary, decimal, and hexadecimal for too long trying to decipher it. I've hit a roadblock and could use the input from others.

To preface this, I've read through a few of the forum posts....
http://www.proxmark.org/forum/viewtopic.php?id=4807
http://www.proxmark.org/forum/viewtopic.php?id=3729
http://www.proxmark.org/forum/viewtopic.php?id=1653

....in regards to card formatting and deciphering different types but have not been able to successfully apply them to this situation.

The context is this: I already know the card format, the binary output, the facility code, and the card number because we own the system and have verified the settings in the access control software as well as captured the wiegand data off of a test lab reader. I can do the math on the binary data to confirm where the facility code is and where the card number is.

But when I take the same credential, scan it through an Omnikey 5321 using iclassified, contactless, or copyclass I'm getting data on block 7 that either doesn't add up to the binary info at all OR (dependent on which software I'm using) gives me a partial - the card info at the end of block 7, but not the facility code. Using iclassified and contactless is the closest I've gotten to getting the whole info for data on block 7. I also have the master key and have implemented it according to the Heart of Darkness paper.

Any insight into what I'm missing? It's driving me nuts that I can't fully figure out how to decipher it fully. I just want to understand where the facility code is in the hex string and what the other info is in there.

P.S. The cards have no parity bits, at least according to the access control software.

Offline

#2 2017-06-02 08:59:22

iceman
Administrator
Registered: 2013-04-25
Posts: 4,854
Website

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

As you might already guessed, block 7 might be encrypted or not...

The AA1 key allows you to r/w block7 but is not used for the data encryption of block7.  For this you need what they call in posts/papers the HID transport key.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2017-06-02 17:37:41

RFSec17
Contributor
Registered: 2017-06-01
Posts: 5

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

Ahhh, I hadn't heard of a transport key (I skipped right over that one). Thanks for pointing me in the right direction iceman. After a search for the term "transport key" it brought me to this previous post: http://www.proxmark.org/forum/viewtopic.php?id=4733

To your knowledge, has that been leaked online anywhere? I don't know if I'll be able to get my hands on one of the older iClass readers to do a firmware/memory dump. Or can it be extracted from an Omnikey 5321? I read a comment to a post from PenturaLabs blog that said the transport 3DES keys were publicly available. For reference: https://penturalabs.wordpress.com/2014/03/17/iclass-is-not-enough/#comment-4754

It's purely curiosity at this point for me. The odd thing is that I don't believe it is encrypted by the method I used. Using the method listed by kchung from the article "Reverse Engineering HID Master Class Keys" also mentioned here: http://www.proxmark.org/forum/viewtopic.php?id=3807, I am able to see the card ID info on block 7 with just 0s before it. For example: 00-00-00-0f-xx-xx-xx-xx is what I get. The card info is in the last few bytes in the string but I just don't know where the site code would sit in that string because converting any portion of that hex to decimal or vice versa doesn't lead me to the correct facility code.

I also read Carl55's responses in this post: http://www.proxmark.org/forum/viewtopic.php?id=3729   which talks about a "sentinel bit" and an "encryption enable bit" in block 6. I haven't fully grasped that concept yet though.

Offline

#4 2017-06-02 18:41:43

iceman
Administrator
Registered: 2013-04-25
Posts: 4,854
Website

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

if you see 0x00 in block 7 its not encrypted.   Haven't seen those keys public but they might be in official HID pdf's. 

The sentinel bit is where to start decoding as wiegand, ie

-------|wwwwww
00000001011010

where wiegand is 011010 in the above example.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2017-06-02 20:06:50

RFSec17
Contributor
Registered: 2017-06-01
Posts: 5

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

Does anything in the wiegand data dictate what the value of the sentinel bit in block 7 would be? I looked back at the http://www.proxmark.org/forum/viewtopic.php?id=3729 post and can't make sense of the reason for the specific sentinel values. I.e. why it might be a 1, 2 ,3 4, etc.

Offline

#6 2017-06-02 21:24:36

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 143

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

The start sentinel is simply a "bit". A bit can ONLY be have a value of "0" or "1". The start sentinel is always a logic 1.  Its only purpose in life is to tell the reader where to start looking for the wiegand code. Its position in block 7 will define the specific starting point (and length) of the wiegand code.

Offline

#7 2017-06-02 22:49:51

RFSec17
Contributor
Registered: 2017-06-01
Posts: 5

Re: Stuck Deciphering HID Corp 1000 - Math Doesn't Add Up

I understand now. Thank you for clearing that up, it's been very helpful in my understanding/experimentation.

Offline

Board footer

Powered by FluxBB