Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-12-12 20:20:20

prox_students
Contributor
Registered: 2019-01-27
Posts: 20

loclass ERROR

Hello,

I tried sim attack loclass a few times using pm3 rdv4.0 (firmware up to date) which worked for other readers, but this reader shows the following error. Here's the trace:


[usb] pm3 --> hf iclass sim 2
[=] Starting iCLASS sim 2 attack (elite mode)
[=] press Enter to cancel
#db# [+] going into attack mode, 9 CSNS sent
#db# [+] CSN: 01 .... e0 OK
#db# [+] CSN: 0c .... e0 OK
#db# [+] CSN: 10 .... e0 OK
#db# [+] CSN: 13 .... e0 OK
#db# [+] CSN: 07 .... e0 OK
#db# [+] CSN: 14 .... e0 OK
#db# [+] CSN: 17 .... e0 OK
#db# [+] CSN: ce .... e0 OK
#db# [+] CSN: d2 .... e0 OK
[+] 9 out of 9 MAC obtained [OK]
[+] saved 216 bytes to binary file iclass_mac_attack-8.bin

[usb] pm3 --> hf iclass sim 4
[=] Starting iCLASS sim 4 attack (elite mode, reader in key roll mode)
[=] press Enter to cancel
#db# [+] going into attack keyroll mode, 9 CSNS sent
#db# [+] CSN: 01 .... e0 OK
#db# [+] CSN: 01 .... e0 OK
#db# [+] CSN: 0c .... e0 OK
#db# [+] CSN: 0c .... e0 OK
#db# [+] CSN: 10 .... e0 OK
#db# [+] CSN: 10 .... e0 OK
#db# [+] CSN: 13 .... e0 OK
#db# [+] CSN: 13 .... e0 OK
#db# [+] CSN: 07 .... e0 OK
#db# [+] CSN: 07 .... e0 OK
#db# [+] CSN: 14 .... e0 OK
#db# [+] CSN: 14 .... e0 OK
#db# [+] CSN: 17 .... e0 OK
#db# [+] CSN: 17 .... e0 OK
#db# [+] CSN: ce .... e0 OK
#db# [+] CSN: ce .... e0 OK
#db# [+] CSN: d2 .... e0 OK
#db# [+] CSN: d2 .... e0 OK
[+] 18 out of 18 MAC obtained [OK]
[+] saved 216 bytes to binary file iclass_mac_attack_keyroll_A.bin
[+] saved 216 bytes to binary file iclass_mac_attack_keyroll_B.bin

[usb] pm3 --> hf iclass loclass f iclass_mac_attack-8.bin
[+] loaded 216 bytes from binary file iclass_mac_attack-8.bin
----------------------------
[=] Bruteforcing byte 1
[=] Bruteforcing byte 0
[=] Bruteforcing byte 69
  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32,
33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64,
65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80,
81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96,
97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112,
113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,
129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,
145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,
161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,
177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,
193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,
209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,
225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,
241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,  0,


[!] Failed to recover 3 bytes using the following CSN
[!] CSN = 01 0A 0F FF F2 FF 15 E0
[+] time: 105 seconds
[!!] loclass exiting. Try run `hf iclass sim 2` again and collect new data



Does anybody know why this error "Failed to recover 3 bytes using the following CSN" occurs and possible solution to extract the key?

Offline

#2 2019-12-12 20:24:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: loclass ERROR

Not really.
How sure are you that the reader in question was configured to use Elite / High security?

Offline

#3 2019-12-12 20:34:19

prox_students
Contributor
Registered: 2019-01-27
Posts: 20

Re: loclass ERROR

It's definitely not a SE reader. The credential itself it not a SE - the AA2 block 5 was FFFFFFFFFFFFFFFF.

HID Masterkey didn't authenticate the credential either, which leads me to believe the reader could be configured for Elite ? Could you correct me if I'm wrong?

Last edited by prox_students (2019-12-12 20:57:33)

Offline

#4 2019-12-14 16:56:37

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: loclass ERROR

prox_students wrote:

It's definitely not a SE reader. The credential itself it not a SE - the AA2 block 5 was FFFFFFFFFFFFFFFF.

HID Masterkey didn't authenticate the credential either, which leads me to believe the reader could be configured for Elite ? Could you correct me if I'm wrong?

maybe you can write a list of possible iclass keys and make a tool to automatically check each one^_^

Offline

#5 2019-12-14 17:11:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: loclass ERROR

you mean like

hf iclass chk

Offline

#6 2019-12-14 17:14:11

prox_students
Contributor
Registered: 2019-01-27
Posts: 20

Re: loclass ERROR

Sorry my bad. The reader is a SE reader. So far the findings are:

- The reader is a SE reader. Unknown whether it's configured for Elite.
- Sim 2 attack works, but loclass fails.
- Credential is NOT an SE based on AA2 block 5 being FFFFFFFFFFFFFFFF read by RW400.
- PM3 RDV4 iceman fork(latest firmware) does not detect the credential at all at different angles. Antenna functioning well, hf iclass reader tried.

I just found a thread from iceman suggesting to use lookup command  here.

But I am having trouble finding e-purse and mac value as sim 2 & 4 attack only outputs CSN. It's also problematic as my pm3 doesn't detect the tag at all. I've tried other iClass tags and pm3 detect all of them, but this problematic tag. This tag authenticates with the installed reader well, so there's no issue with the tag itself.

Any help would be appreciated !

Offline

#7 2019-12-14 17:47:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: loclass ERROR

The sim 2 itself doesn't mean anything.  Its just collecting data part of the loclass attack.  When you run the offline part, you see if it actually worked.

Right now you seem to speculate much. I would suggest you start reading the datasheets and get started from there.

Offline

Board footer

Powered by FluxBB