Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-09-28 20:18:50

chickengun
Contributor
Registered: 2017-09-27
Posts: 7

Trying to read iclass card

Hello,

I got a card to enter a specific room and I was wondering if I am able to see what's on the card or to clone it.

This is what I as a newbie have tried so far on my proxmark3 easy:

It's a hf card:

proxmark3> hw tune    [without card]

Measuring antenna characteristics, please wait.........
# LF antenna: 24.89 V @   125.00 kHz
# LF antenna: 20.21 V @   134.00 kHz
# LF optimal: 24.89 V @   125.00 kHz
# HF antenna: 23.43 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


proxmark3> hw tune    [with card]

Measuring antenna characteristics, please wait.........
# LF antenna: 24.89 V @   125.00 kHz
# LF antenna: 20.21 V @   134.00 kHz
# LF optimal: 24.89 V @   125.00 kHz
# HF antenna: 17.41 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

It's a iclass card:

proxmark3> hf search u

   CSN: xx xx xx xx xx xx xx xx
    CC: ff ff ff ff fe ff ff ff
  Mode: Personalization [Programmable]
Coding: ISO 14443-2 B/ISO 15693
 Crypt: Secured page, keys not locked
 Crypt: Non secured page
    RA: Read access not enabled
   Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
   AA1: blocks 06-FF
   AA2: blocks 100-1F
 AppIA: xx xx xx xx xx xx xx xx
      : Possible iClass (NOT legacy tag)

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search

Unfortunately 'hf iclass sim 2' didn't work:

proxmark3> hf iclass sim 2
#db# Going into attack mode, 15 CSNS sent
#db# Simulating CSN 000b0ffff7ff12e0
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button          [not responding]

Is there anything I can do more to read the data or is the situation beyond remedy? smile

hf iclass loclass t output:

proxmark3> hf iclass loclass t
[+] Testing some internals...
    Bitstream test 1 ok
    Bitstream test 2 ok
[+] Testing MAC calculation...
[+] MAC calculation OK!
[+] Checking if the master key is present (iclass_key.bin)...
[+] Master key not present, will not be able to do all testcases
[+] Testing key diversification with non-sensitive keys...
[+] Testing DES encryption
[+] Testing foo
   csn aaabbbbaaaabeeee
   {csn}    d31d2dd324657e2b
   expected d31d2dd324657e2b
[+] OK
[+] Testing hashing algorithm
[+] Hashing seems to work (9 testcases)
[+] Testing iClass Elite functinality...
[+] Testing hash2

High security custom key (Kcus):
z0   = 456789123456abcd
y0   = 123456789abcdef1

        Hash2

00| f1 36 59 a2 0e 1a 26 1a 2f 60 0b 56 8a 10 35 61
10| bf a1 5b b0 ff 85 68 75 f2 1f 76 8f 0f 74 8f 21
20| 14 7a 55 e6 c8 a9 7e b3 13 0c 5d c9 e1 8d a9 b2
30| a3 56 83 0f 5e 7e de 4f 71 21 d2 6d c1 57 1c 9c
40| 78 2f e4 5f 42 7b 64 30 fa 26 51 76 d3 e0 fb b6
50| 31 9f bf 2f 7e 4f 94 4e bd 4f 75 91 e3 1b eb 44
60| ef 88 6f b8 6c fc 93 0d 69 2c d5 20 3c c1 61 95
70| 43 08 ae 2f fe 13 26 d7 98 0b 34 7b 47 70 a0 a1
[+] Hash2 looks fine...
[+] Testing hash1...
[+] Testing key diversification ...
[+] Iclass key permutation OK!
[+] Testing crack from dumpfile...
Bruteforcing byte 1
Bruteforcing byte 0
Bruteforcing byte 69
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123=> 1: 0x35
=> 0: 0xf1
=> 69: 0x7b
=> 2: 0x59
=> 3: 0xa1
=> 9: 0x60
=> 12: 0x8a
=> 14: 0x25
=> 20: 0xff
=> 33: 0x7a
=> 34: 0x55
=> 35: 0x16
=> 61: 0x57
=> 65: 0x2f
=> 66: 0x64
=> 67: 0x51
=> 89: 0x4f
=> 97: 0x88
=> 98: 0x6f
=> 99: 0xb8
=> 109: 0xc1
=> 102: 0x93
=> 106: 0xd5
=> 108: 0x3c
=> 110: 0x61
=> 4: 0x0d
=> 6: 0x26
=> 7: 0x7f
=> 11: 0x96
=> 15: 0xc1
=> 17: 0xa1
=> 24: 0xf2
=> 25: 0x1f
=> 27: 0x8f
=> 30: 0x8f
=> 31: 0x21
=> 32: 0x14
=> 36: 0xc8
=> 38: 0x7d
=> 39: 0xb3
=> 40: 0x13
=> 41: 0x0c
=> 42: 0x5d
=> 43: 0xc9
=> 44: 0x31
=> 46: 0xa9
=> 47: 0xb2
=> 53: 0x7e
=> 56: 0x71
=> 57: 0x21
=> 59: 0x6d
=> 62: 0x1c
=> 63: 0x9c
=> 68: 0x42
=> 70: 0x64
=> 71: 0x30
=> 72: 0xfa
=> 73: 0x26
=> 74: 0x51
=> 75: 0x76
=> 76: 0xd3
=> 78: 0xfb
=> 79: 0xb6
=> 82: 0xbf
=> 85: 0x4f
=> 86: 0x94
=> 88: 0xbd
=> 91: 0x91
=> 92: 0xe3
=> 94: 0xeb
=> 95: 0x42
=> 100: 0x6c
=> 104: 0x69
=> 105: 0x2c
=> 107: 0x20
=> 111: 0x95
=> 113: 0x08
=> 120: 0x98
=> 121: 0x0b
=> 123: 0x7b
=> 126: 0xa0
=> 127: 0xab
=> 8: 0x18
=> 10: 0x0b
=> 13: 0xc0
=> 18: 0x3b
=> 19: 0xb0
=> 22: 0x28
=> 23: 0x75
=> 26: 0xc6
=> 28: 0x0e
=> 29: 0x74
=> 48: 0xa3
=> 49: 0x56
=> 50: 0x83
=> 51: 0x0f
=> 52: 0x55
=> 54: 0xde
=> 55: 0x45
=> 58: 0xd2
=> 60: 0xc1
=> 64: 0x78
=> 80: 0x31
=> 81: 0x9f
=> 83: 0x2f
=> 84: 0x7e
=> 87: 0xb4
=> 90: 0x75
=> 96: 0x3f
=> 103: 0x0d
=> 112: 0x43
=> 114: 0xa0
=> 115: 0x2f
=> 116: 0xfe
=> 118: 0x26
=> 119: 0xd7
=> 122: 0x34
=> 124: 0x47
=> 101: 0x2c
=> 16: 0xbf
=> 37: 0xa9
=> 93: 0x1b
=> 77: 0xe0
=> 117: 0xb3
=> 45: 0x8d
=> 5: 0x5a
=> 125: 0x70
=> 21: 0x85

Performed full crack in 27.999001 seconds

High security custom key (Kcus):
Std format    = 1cef1cef12356789
Iclass format = 987654321abcdeff
Key verified ok!

Offline

Board footer

Powered by FluxBB