Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2018-11-08 13:39:15

innocent_ethical
Contributor
Registered: 2018-11-07
Posts: 2

Hello World

Hey everyone,
I am a somewhat beginner ethical hacker and I came across this forum sometime last week. There is a lot of great material here and I am excited to see what our collaboration can bring about. I am extremely interested in the new SEOS cards for HID Readers. I would like to see a way to clone/mimic these cards so that someone can present this to HID, DEFCON, Black Hat, etc. I am hoping someone can update me with a general overview of how far they or others have come in cracking this mechanism of encryption. So far I am tracking that SEOS is the employee's ID number encrypted and then has an overlay with an SIO. The rest of my knowledge on it comes from reading the documentation on it and these posts below:

JUMP: "To interact with a SEOS badge you need to use 'hf 14a' command set. The card and the reader share a pair of AES keys. One of them is being used along with robust RNG on both sides to negotiate a session key. The only thing that is transmitted is the index of the key to use for this session key negotiation. The session key is not transmitted.
So yes in theory it's possible to sniff and get the keys from there but the complexity of the attack is too high (2**129)"

0xFFFF: "From my own research I know that the CLRC663 is being used in the R10SE readers.
carl55 has recently posted that the R40SE is using PicoRead labelled ICs... The R10 contains an 'Artemis SAM', LPC1227 and CLRC663. The programmers have the same 'Artemis SAM'. Readers contain iCLASS, MIFARE, DESFire, SEOS and other keys... The CP1000 appears to be an OK5427 with an 'Artemis SAM'. I don't see why you couldn't use the OK5427 to program cards without the SAM (if you had the know-how)..."

carl55: "the newer RevE iClass SE readers have been redesigned to use the new NXP PR600 chip that integrates both the ARM Cortex microcontroller die and the 13.56 MHz Contactless transceiver die into a single 100-pin LQFP package."

links:
http://www.proxmark.org/forum/viewtopic.php?id=1994
http://www.proxmark.org/forum/viewtopic.php?id=5366


#2 2018-11-08 15:29:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: Hello World

Welcome and I suggest you read http://www.proxmark.org/forum/viewtopic.php?id=1125 as an introduction.

Your access rights have been updated.
