Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


#1 2014-05-06 07:39:54

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

iClass SE / SEOS...

Does anyone have iClass SE readers / writers or associated software etc...?


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#2 2014-05-12 07:34:44

app_o1
Contributor
Registered: 2013-06-22
Posts: 222

Re: iClass SE / SEOS...

900NNNNAK20000
It was back in February 2012. Are you looking for a specific revision?

Last edited by app_o1 (2014-05-19 14:29:39)

Offline

#3 2014-05-12 08:05:16

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

Not necessarily but at this point in time any information can be useful.

I have been working with a few readers (such as the 900 series). Things I've noticed are that there are conflicting reports from people on what is contained within the new SE readers.
From my own research I know that the CLRC663 is being used in the R10SE readers.
carl55 has recently posted that the R40SE is using PicoRead labelled ICs. I was not aware that these ICs supported SEOS, DESFire EV1,...

I have uncovered SNMP keys and salts for the Omnikey readers/programmers at this stage.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#4 2014-05-12 13:37:08

app_o1
Contributor
Registered: 2013-06-22
Posts: 222

Re: iClass SE / SEOS...

I will try to find out what IC it is hiding.

It was a SE RevB.x
CORE FW : frw0009

Yours too ?

Last edited by app_o1 (2014-05-12 13:38:59)

Offline

#5 2014-05-12 15:22:26

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 114

Re: iClass SE / SEOS...

Unfortunately the product sticker for the iClass SE R40 reader that I tore down was misplaced so I don't know the details of the reader. However, I do believe that the part number was 920NNNNAK00000. Below are the top and bottom photos of the circuit board. The PCB is marked as "R40 ARTEMIS 47-0402-01 Rev4"

iClass SE R40 PCB-Front
iClass SE R40 PCB-Back

Offline

#6 2014-07-03 13:18:20

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

Thanks for your photos carl55.
I have been busy working on this in my spare time... Which I don't seem to have much of any more.

Here are some happy snaps of my own...

iCLASS SE R10 - 900NTNTEG00000 Rev E
[Image: PCB Populated Bottom.jpg]
[Image: PCB Populated Top.jpg]

I also have photos of the SE-OSDP modules, different OK5427 readers / programmers.

Things I have discovered...

  • The R10 contains an 'Artemis SAM', LPC1227 and CLRC663.

  • The programmers have the same 'Artemis SAM'

  • Readers contain iCLASS, MIFARE, DESFire, SEOS and other keys

I have acquired all sorts of interesting software, cards and firmware.

There are two types of cards I've seen so far. It looks like there are three in total.
* READER MAPPER
* ELITE PREP
* READER CONFIGURATION

...Still looking at it. I'll report back what I can as I go.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#7 2014-07-03 22:28:11

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 114

Re: iClass SE / SEOS...

Thanks for the information. That is very interesting!
So from your photo it looks like the newer RevE iClass SE readers have been redesigned to use the new NXP PR600 chip that integrates both the ARM Cortex microcontroller die and the 13.56 MHz contactless transceiver die into a single 100-pin LQFP package.
That will make things a little more difficult to reverse engineer since the communication path between the two parts is now inside the chip. That functional integration and the fact that they are solidifying their key storage makes me feel that HID is trying real hard to make it more difficult for us to crack the SE technology. :)

Keep us informed as you learn more.

Offline

#8 2014-07-04 15:29:52

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

carl55 wrote:

That will make things a little more difficult to reverse engineer since the communication path between the two parts is now inside the chip.

Good news is that the datasheets on the 100 pin LQFP clearly state that the dies are separate and the pins are broken out. :)

HID are calling programmers 'encoders' now. The CP1000 appears to be an OK5427 with an 'Artemis SAM'. I don't see why you couldn't use the OK5427 to program cards without the SAM (if you had the know-how).

OK5427 downloads...
http://www.hidglobal.com/drivers?field_ … 513&os=All
I can't see anything useful here... yet.

Encoder downloads...
http://www.hidglobal.com/drivers?field_ … All&os=All
Download everything on this page. There are plugins / Zip archives (viewable, passworded) with very interesting contents.
You will laugh when you discover the password.

CP1000 Quick start guide...
http://www.hidglobal.com/sites/hidgloba … -in-en.pdf

CP1000 Use case examples...
https://www.hidglobal.com/sites/hidglob … -an-en.pdf


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#9 2014-07-04 15:36:26

app_o1
Contributor
Registered: 2013-06-22
Posts: 222

Re: iClass SE / SEOS...

+1

Last edited by app_o1 (2014-07-04 15:41:57)

Offline

#10 2014-08-21 15:20:35

proxmarkzzz
Contributor
Registered: 2014-04-23
Posts: 12

Re: iClass SE / SEOS...

Hey 0xFFFF and carl55,

Did any of you two figure out the pin layout of the white-connector-socket on the back? It would be nice to have an overview of all the pins, and where they connect to.

Secondly, could you explain how to remove the epoxy from the readers. What type of chemical is the best approach?

Thanks a lot!

Offline

#11 2014-08-21 20:24:21

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 114

Re: iClass SE / SEOS...

To answer your question, No, I have not done any mapping of the 30-pin Molex debug connector that is used on the iClass SE readers. Since the reader that I broke down was one of the old original SE readers I didn't spend much time looking at it. I assumed that the newer (RevE) readers have made some major design changes and my time would be better spent looking at one of those when time permits. I have been spending what little time I do have trying to analyze the new iclass Secure Identity Object (SIO) data structure and the modified SE communication sequences.

Regarding your question about how I de-potted the reader ...

The iclass SE readers appear to use two different materials in the encapsulation process. There is one softer type of potting compound that is used around the electronic components and a more rigid (almost crystallized) type of compound that appears to be used to secure it to the plastic case.

I personally did not use any chemicals at all although that may be a better approach if you know what you are doing (I don't).
As the first step, I simply cut off the plastic case and rigid crystalline potting material using a small rotary tool (Dremel) with an abrasive cutoff wheel.
The softer material that surrounds the actual components was then removed using a soldering iron with a small pointed tip. The heat of the soldering tip does not melt the material but it does seem to allow it to be easily chipped away in small pieces. The heat seems to almost make it fracture and crumble so it can be easily carved away. It took me about three to four hours to get the circuit board down to what was shown in the picture in my post above. Believe it or not, the reader actually continued to work until I was about 98% done, before I accidentally broke off a small (0402) passive component.

Offline

#12 2014-08-22 02:08:22

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

De-potting potted things...

  • Buy a 1L bottle of acetone from the local hardware store. (You don't really need that much)

  • Fill a glass container with enough acetone to submerge the potted thing. I use an airtight seal-able glass container.

  • Remove what you can from the potted thing. e.g. Stickers, plastic outer shell,... (I use a CNC to mill away some of the material)

  • Place the potted thing in the glass container and place the container somewhere safe - Away from children, heat, light...

  • Remove the thing 24 hours later. Break off any loose potting compound you can. Most of this can be done by hand and maybe with a little assistance from some hand tools

  • Depending on the size of the thing and the potting compound used you should be able to get down to the PCB in a day or two. Results vary

Notes for the iCLASS readers I have worked on:
iCLASS R10:
It took over a week to remove the potting compound. In the end the reader was no longer functional. I suspect the acetone destroyed some components. I never looked into it.

iCLASS R10 SE:
The reader was insanely easy to remove the potting compound and get to the PCB. Just like carl55, I accidentally broke off some components and as a result, the reader did not function correctly. I have since repaired the reader. It only took me 24 hours.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#13 2014-08-22 02:12:26

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

Forgot about the header. The plug you're looking for is the Hirose 30pin .5mm SMD connector. Part number is DF-12-30DS-0.5V
I can work on the pinout but instead I have been working on some VERY interesting HID vulnerabilities.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#14 2014-08-22 09:14:50

proxmarkzzz
Contributor
Registered: 2014-04-23
Posts: 12

Re: iClass SE / SEOS...

Wow, thank you both for the extensive quick reply!

I'll try my luck then with peeling off the material and throw it in acetone if needed.

Regarding the header, I totally understand that documenting 30 pins is no joy! However, I'm actually mostly interested in two facts.

1. Is UART0 of the LPCxxxx chip (RX, TX, but also if RTS and DTR are available). The last two can force the micro-controller to fall back into ISP serial programming mode.

2. Are the JTAG pins broken out?

The datasheets of the used micro-controllers are publicly available, so if you could verify these two sets of pins, I would be extremely grateful!

Thanks a lot again, best regards.

Offline

#15 2017-02-15 01:50:52

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

[Image: From the grave 128.jpg]
...umm. It's been a while.

No surprise, this is a multilayered board. I've sacrificed a reader to make following traces easier...
[Image: PCB Bottom.jpg]
[Image: PCB Top.jpg]
If anyone has any experience with removing the solder mask, I'd like to hear what method(s) you use. Ideally I'm looking for a chemical process.

This IC is going for a swim...
[Image: HID IC-0048-01B 0813.jpg]

Pinout - I'll update as I go.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#16 2017-02-15 11:21:44

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

OK. So the HID IC-0048-01B 0813 is an INFINEON M8830-B1
[Image: DIE INFINEON M8830-B1.jpg]
[Image: DIE INFINEON M8830-B1_2.jpg]

Here's a happy snap of the LPC122x...
[Image: DIE LPC122x.png]

...And the 663 that is the other half of the PR600HL...
[Image: DIE RC663.jpg]
[Image: DIE RC663_2.jpg]

The dies are not connected internally. Each individual pin is exposed on the LQFP100.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#17 2017-02-15 11:37:42

iceman
Administrator
Registered: 2013-04-25
Posts: 3,593
Website

Re: iClass SE / SEOS...

Impressive bro!


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#18 2017-02-15 12:25:00

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

Thanks :)
I'm glad to get back into the action again.

I think SWD is on P100 pins 14, 16 & 18. Have a look at the first photo in #15

I think the first column is wrong as these pins were taken from a PDF I found online for the PR601. The pins probably moved between 600 & 601?

            LPC122x pin         600HL pin   P100
SWCLK       PIO0_18             9   ?
SWDIO       PIO0_25             85          14
Reset       PIO0_13             4           18
 
SWCLK alt   PIO0_26             86          16
SWDIO alt   PIO1_2              15  Test pad near U302
 
            PIO0_1              92          7
            PIO0_2              93          9
VDC behind diode                            11, 13
5VDC                                        15, 17
            PIO0_28             89          23
            PIO0_11             2           27
            PIO0_10             1           29

I've updated the pastebin.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#19 2017-02-15 13:25:49

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

More information on the SLE88CFX4000P / m8830:
Evaluation Documentation
Datasheet


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline

#20 2017-02-16 12:09:21

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 473

Re: iClass SE / SEOS...

Can't seem to find where P100 pins 1, 3, 5 & 21 go. Probably nc.
Updated details in posts above.


modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)

Offline
