Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#201 2015-11-14 19:16:27

Piorun
Contributor
Registered: 2015-01-29
Posts: 57

Re: iClass is coming...

I checked the code and I think my 'fix' does not work because I need to fill 'emulator' table :

		} else if((simulationMode == MODE_FULLSIM || simulationMode == MODE_EXIT_AFTER_MAC) && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){
			//Read block
			uint16_t blk = receivedCmd[1];
			//Take the data...
			memcpy(data_generic_trace, emulator+(blk << 3),8);
			//Add crc

PM3 needs to response to "Unknown command  (len=4): c 5 de 64", so what I should put in sector 5 (this is attack mode 2 so I don't have any card dump yet).

-- update --
I found http://martin.swende.se/blog/Elite-Hacking.html that  sector 5 is "Application Issuer Area" (publicly readable) .
Should I read it from the card  or rather use some generic value for 'sim 2' attact like this ?
#db#      05: ff ff ff ff ff ff ff ff

Last edited by Piorun (2015-11-14 19:31:58)

Offline

#202 2015-11-17 03:29:59

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: iClass is coming...

Read the forum about the HID icalss decoding and understand we need the master key to read and write the icalss fob.

My question is:
What kind of blank card or fob is needed to copy the icalss 2k fob?


Thanks in advance.

Offline

#203 2015-11-17 06:58:28

osaka
Member
Registered: 2010-02-12
Posts: 9

Re: iClass is coming...

Lenox wrote:

Read the forum about the HID icalss decoding and understand we need the master key to read and write the icalss fob.

My question is:
What kind of blank card or fob is needed to copy the icalss 2k fob?


Thanks in advance.

You need good quality picopass cards.

Offline

#204 2015-11-23 02:24:23

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: iClass is coming...

osaka wrote:

You need good quality picopass cards.


new.jpg

Is this the type of fob (picopass) you are  talking about?

Last edited by Lenox (2015-11-23 02:25:27)

Offline

#205 2015-11-25 04:31:43

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: iClass is coming...

Piorun wrote:

PM3 needs to response to "Unknown command  (len=4): c 5 de 64", so what I should put in sector 5 (this is attack mode 2 so I don't have any card dump yet).

-- update --
I found http://martin.swende.se/blog/Elite-Hacking.html that  sector 5 is "Application Issuer Area" (publicly readable) .
Should I read it from the card  or rather use some generic value for 'sim 2' attact like this ?
#db#      05: ff ff ff ff ff ff ff ff

Try to run " hf icalss sim 2" on reader (RP40 SE) , get "Unknown command received from reader (len=4)".
I am using the latest 2.5.0.

Offline

#206 2015-11-30 09:56:07

swseansw
Contributor
From: CN
Registered: 2015-11-30
Posts: 4

Re: iClass is coming...

sad
Following the page: http://martin.swende.se/blog/PM3-development.html
I also got the following result:

[== Undefined ==]
proxmark3> hf iclass sim 2 
#db# Going into attack mode, 15 CSNS sent                 
#db# Simulating CSN 000b0ffff7ff12e0                 
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# Unknown command received from reader (len=4): c 1 fa 22 ff fe 5f 2 1c                 
#db# Unknown command received from reader (len=4): c 1 fa 22 ff fe 5f 2 1c    

Tried on with pm3-bin-2.5.0

Offline

#207 2016-03-08 10:12:34

capecode
Contributor
Registered: 2015-11-18
Posts: 31

Re: iClass is coming...

I also followed the instruction from http://martin.swende.se/blog/PM3-development.html

After issued the command "hf iclass sim 2", nothing happened on my PM3.  I waited for a minute or two and then preseed button and received this message :

#db# Going into attack mode, 15 CSNS sent                 
#db# Simulating CSN 000b0ffff7ff12e0                 
Waiting for a response from the proxmark...         
Don't forget to cancel its operation first by pressing on the button         
#db# Button pressed                 
Mac responses: 0 MACs obtained (should be 15)         
Saved data to 'iclass_mac_attack-2.bin'         
proxmark3>

Is this right?  Would "hf iclass sim 2" work with standard iClass cards (not elite)?

Offline

#208 2016-05-16 03:54:57

Aliendennis
Contributor
Registered: 2016-04-04
Posts: 29

Re: iClass is coming...

Dead topic. Haha. So is anyone working on Iclass elite now ?

I have all the things needed as said in this topic. Omnikey, Iclass SE reader, PM3, working Iclass cards, rewritable bank Iclass cards. I got a lot of data collected from my country itself.

So guys lets do this ?

Offline

#209 2016-05-16 07:50:28

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: iClass is coming...

>So is anyone working on Iclass elite now ?

IClass elite is done a long time ago.

I've not been active here for a while but regarding "Unknown command" that's really a misnomer. The protocol handler for iclass expects a few different packets, when something else arrives which it does not handle it prints that. It should instead say "Unhandled command" or "Not implemented command".. So to anyone with problems; after a failure, do a 'hf iclass list' , which will print out the commands and responses.

To be clear: the protocol printout _may_ contain partial or full information to reverse the key. But since it failed  (0 MACs obtained) , probably not . Without that trace, it's very difficult to know what failed.

Offline

#210 2016-05-16 07:53:41

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: iClass is coming...

Piorun wrote:

I did the 'fix'

if((simulationMode == MODE_FULLSIM || simulationMode == MODE_EXIT_AFTER_MAC) && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4){

and can obtain 15 MACs

proxmark3> hf icla sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# CSN: 00 0b 0f ff f7 ff 12 e0
#db# RDR:  (len=09): 05 cf 57 30 21 5f xx xx xx
#db# Simulating CSN 00040e08f7ff12e0
#db# CSN: 00 04 0e 08 f7 ff 12 e0
#db# RDR:  (len=09): 05 6f f0 ee f8 24 xx xx xx
...
#db# Simulating CSN 00050121f7ff12e0
#db# CSN: 00 05 01 21 f7 ff 12 e0
#db# RDR:  (len=09): 05 9f 65 d0 03 8e xx xx xx
#db# Done...
Mac responses: 15 MACs obtained (should be 15)
Saved data to 'iclass_mac_attack-1.bin'
proxmark3>

how ever  the  brute force attack doesn't work

proxmark3> hf iclass loclass f iclass_mac_attack-2.bin
Bruteforcing byte 1
Bruteforcing byte 0
Bruteforcing byte 69
1234567891011
...
42452462472482492502512522532542550 Failed to recover 3 bytes using the following CSN
CSN = 000b0ffff7ff12e0
The CSN requires > 3 byte bruteforce, not supported
CSN = 00040e08f7ff12e0
HASH1 = 7802000045014545
The CSN requires > 3 byte bruteforce, not supported
CSN = 00090d05f7ff12e0
HASH1 = 7b0300004501xxxx

sad

The bruteforcer expects a certain format on the save-file, don't remember offhand, but it includes the malicious CSN:s used. It then calculates the bruteforce based on those. Have you used a different set of MAC:s than the ordinary attack-MACs ? Because´00040e08f7ff12e0' is not one of the original CSNs, it seems.

[EDIT] Sorry, my bad; https://github.com/Proxmark/proxmark3/blob/master/client/cmdhficlass.c#L120 it actually is. Are you sure it's an elite and not a standard?

Offline

#211 2016-05-28 09:05:53

Aliendennis
Contributor
Registered: 2016-04-04
Posts: 29

Re: iClass is coming...

'hf iclass sim 2' <- attack reader, get dump

Got the iclass iclass_mac_attack-1.bin
Mac responses: 0 MACs obtained (should be 15)

Got this. I do not know whether this is right or wrong.

'hf iclass loclass f <file>' <- bruteforce dump

hf iclass loclass t - got the key.
hf iclass loclass f - take like ages

'hf iclass dump <key> e' <- dump tag with elite key <key>

hf iclass dump f [FILE ?] k [KEY ?] [CSN ?] [CC ?] e/r ?

'hf iclass eload <dumpfile>' <- load data into pm3

Have not gone into this step yet.

'hf iclass sim 3' <-- full simulation of the dumped tag.

Have not gone into this step yet.

Hopefully I am on the right track. Can someone validate it ?

Offline

#212 2016-06-14 08:20:24

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: iClass is coming...

I believe that len=4  command 0x0C, its a read or identify, we have to reply with ACSN.
as c 1 fa 22 ff fe 5f 2 1c => c 1 fa 22 the actual data from the reader
the reader sent read command 0x0C request to read block 1.

Last edited by Go_tus (2016-06-14 08:30:01)

Offline

#213 2016-08-31 13:52:02

w32.n01
Contributor
Registered: 2016-08-18
Posts: 5

Re: iClass is coming...

EDIT - started a new thread as advised.

Last edited by w32.n01 (2016-08-31 16:38:29)

Offline

#214 2016-08-31 16:29:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: iClass is coming...

I suggest you start a new thread instead.

Offline

#215 2016-11-11 05:53:11

jramb0
Contributor
Registered: 2016-11-07
Posts: 25

Re: iClass is coming...

I am also getting the same when running hf iclass sim 2

proxmark3> hf iclass sim 2
#db# Going into attack mode, 15 CSNS sent                 
#db# Simulating CSN 000b0ffff7ff12e0                 
Waiting for a response from the proxmark...         
Don't forget to cancel its operation first by pressing on the button         
#db# Button pressed         
Mac responses: 0 MACs obtained (should be 15)

Offline

Board footer

Powered by FluxBB