Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Came across this forum while doing my research on security of HID cards over the holidays. Got fascinated with recovering iClass firmware and reprogramming it with a different key, without switching to elite mode as configuration card would do. I noticed everyone talks about using Rev A RW300 or RW400 readers for key extraction. Does that stay true if you are using firmware dump method outlined in “Heart of Darkness” paper? I was hoping Rev.A was required only for a ICSP memory dump method?
Have anyone successfully recovered full firmware from B or C version readers?
Offline
It is possible to modify the HID Master authentication key without having to switch to "high security/Elite" mode.
Please read the following thread for a more detailed description of how it is done.
http://www.proxmark.org/forum/viewtopic.php?id=2220
The firmware dump attack outlined in the "Heart of Darkness" paper capitalizes on an inherent design flaw in the PIC18F452 microcontroller which was used in the Revision A version of legacy iclass readers. It is NOT applicable to the newer RevB & RevC iClass readers (or the latest SE readers) since they all use newer PIC microcontrollers that do not suffer from the same vulnerability.
To my knowledge no one has successfully recovered the firmware from a RevB or RevC iclass reader. That being said, there is virtually no advantage to obtaining a copy of the newer firmware since none of the basic algorithms have changed. The basic hashing and MAC cipher algorithms that were reverse engineered and documented in the "Dismantling iClass and iClass Elite" paper are equally applicable to the RevA, RevB and RevC iclass readers.
Offline
Thank you for the reply. Looks like iClass with custom key is not going to work for me. I do have understanding of iClass key diversification, cipher etc. Using libraries like loclass and other open source code we could create a software tool to write iClass cards with custom Master key and custom 3DES key. That would make a system more secure than iClass Elite. From what I understand, iClass hack would require an eavesdrop on a valid transaction, which implies perpetrator has to be very close, while iClass Elite could be hacked from the reader without any card present in less than 5 minutes.
Well, rev.A readers are rare to find and I will need a few of them reprogrammed with a new master key. And if one is broke or stolen in the future, we will be out of luck getting a replacement as rev.A firmware with custom keys are not going to work on rev. C Of course there is still an option to figure out that "Special configuration card" hid uses to set default key. I assume if we can create one, it would work on all revisions
I will probably be better off with a different system, Desfire EV1 seems to be a good candidate so far. Might consider building my own readers, as that way we can store keys on the backend, at secure location far from the doors, and use encrypted communication with a custom built reader which is basically just an ISO 14443a front end while backend MCU does key storage, diversification, encryption/decryption, and Weigand output generation.
That I want is a full control of systems hardware, software and keys without relying on any authorized dealer etc. to manage credentials as every dealer/locksmith in our area is covered in prison tattoos from head to toes. How could you trust those people with safekeeping your encryption keys and knowing info off of every card they ordered for you.
Offline
desfire ev1 is definately a better way to go for security, as long as you lock it up correctly. (just my 2 cents)
Offline
Pages: 1