Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-12-26 09:58:19

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

iClass SR / r10 and sim 2

Hi All,

I've run into a bit of a pickle with attempting to run a sim 2 against a couple of r10 readers.

Let me give you the run down.

-Chinese proxmark easy clone (this could be the very reason why it is failing; however, I am running 3.0.1.227). Switching between multiple builds of official and ice made little difference.

-R10 readers with a mixture of Goldclass and unmarked HID (they all flash green once authorized); I have also seen a couple of SE readers. From what I understand Goldclass are rebranded r10 readers with HS/elite keys, but iscs also sell an SE version.

-Cards are a mix of SR and unmarked (SR meaning they include both payloads, legacy and sio)

-Permuted master key does not authenticate b 06+ (Confirms that I am working with HS/elite or I have the wrong key)

-Attempting to attack a couple of readers fails to collect any CSNs.

-No data when running a trace post sim. (Would this indicate the sim is failing on the pm3?)

Couple of questions

- I remember reading that Rev B/C have some issues when attempting to simulate, but I am not sure if SE readers are also vulnerable? (I've also read the r10 rev C was eol back in 2013)

- Is there a way to know if the pm is running the sim2? Flashing lights? (It currently lights up "A" until you hit the button.)

- I have read a couple of conflicting posts on running the sim 2, where it can take a mere 10 seconds but also up to 10m to collect CSNs?

Cheers in advance

Offline

#2 2017-12-26 10:23:33

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

I tested one pm3 easy clone, and all kinds of simulation against readers were ridiculous. Even with the antenna dead on the reader antenna, it had bad success rates. 1-5% of the tries I got something that could resemble an auth attempt. This was with official pm3 v3.0.1.

I have not tried the latest fixes on iceman fork on a pm3 easy clone.

With an "original" pm3 easy from the manufacturer (@proxgrind) it was better, but still, sim wasn't great. I also got some feedback from someone saying the newer readers have protection against simulation, which I'm not sure how it works if true. The 15 CSNs for SIM 2 in official pm3 were blacklisted apparently. You can look in iceman fork for new ones.


If you capture (sniff / sim) an authentication and post it I can do some tests on it, which I need for my idea of identification using a trace only.


How to know if SIM2 is running?   Look at your output,  it says

#db# Going into attack mode, 15 CSNS sent


When sim2 is working it shouldn't take longer than 10sec. However, sometimes the reader is in rollover-mode, using two different keys, leading to the failure of sim2. You can use sim4 in icemanfork to see if that one works better. But the 10min sim2 execution could be dependent on a bad pm3 easy clone as well. Hard to tell, since posters usually don't know, but HF voltage around 15v or lower usually indicates a clone model.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2017-12-27 08:32:30

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

Awesome mate, you've given me some hope.

I'll give it a whirl tonight with the ice, worst case would be I need to organize a pm3 dev kit in place of the easy?



By the way here are my measurements for the hf. Is it expected to drop so much when the card is placed on the back?


Measurement without card

Measuring HF antenna, press button to exit
#db# 31301 mV

Measurement with card

Measuring HF antenna, press button to exit
#db# 18327 mV

Measurement with card on the back

pm3 --> hf tune
Measuring HF antenna, press button to exit
#db# 13009 mV


Also, when testing sim 2/4 on the latest iceman, the pm is only sending out 9 CSNs?

Starting the sim 2 attack
#db# Going into attack mode, 9 CSNS sent
#db# Simulating CSN 010a0ffff7ff12e0
Waiting for a response from the proxmark...
#db# Button pressed
Don't forget to cancel its operation first by pressing on the button
Mac responses: 0 MACs obtained (should be 9) FAIL

Regardless if I fail or succeed I'll also attempt to capture some auths for ya. I'll keep you posted


Edit 1:
Auth Capture

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |      30529 | Rdr |41  77  b6  7d  41  77  b5  7e  41  77  b5  7e  41  77  b6  7d   |     |
            |            |     |41  78  b6  7d  42  78  b6  7c  42  78  b6  7b  42  78  b6  7c   |     |
            |            |     |42  78  b5  7c  43  78  b5  7c  43  79  b6  9f  8f  86  82  80   |     |
            |            |     |7f  80  7f  7d  7e  7e  7e  7e  7e  7e  7e  7e  7e  7e  7e  7d   |     |
            |            |     |7e  7e  7d  7c  7d  7d  7d  7d  7d  7d  7d  47  2b  65  ac  7c   |     |
            |            |     |3c  73  b5  7f  3e  74  b6  7f  3e  74  b6  7f  3f  74  b5  7f   |     |
            |            |     |3f  75  b5  7e  3f  75  b6  7e  40  76  b6  a0  8f  86  81  7f   |     |
            |            |     |7f  7f  7d  7e  7d  7d  7e  7d  7e  7e  7e  7d  7e  7e  7d  7d   |     |
            |            |     |7d  7d  7c  7c  7c  7c  7d  7d  7d  7d  7d  47  2a  66  ac  7c   |     |
            |            |     |3c  73  b5  7f  3e  74  b6  7f  3f  74  b6  7f  3f  75  b6  7f   |     |
            |            |     |3f  75  b5  7e  40  75  b6  7e  40  76  b6  7e  40  76  b6  7e   |     |
            |            |     |40  75  b6  7d  40  76  b6  7e  41  76  b6  7f  41  77  b6  7d   |     |
            |            |     |41  77  b6  7d  41  77  b6  7d  41  77  b6  a0  8f  86  82  80   |     |
            |            |     |7f  7f  7f  80  80  7e  80  80  81  7f  82  7f  7f  7f  7f  7f   |     |
            |            |     |7f  7d  7c  7c  7c  7d  7d  7d  7d  7e  7d  47  2a  67  ac  7c   |     |
            |            |     |3b  73  b5  7f  3d  74  b6  7f  3f  74  b6  7f  3f  74  b6  7f   |     | ?
pm3 -->

Last edited by s0prise (2017-12-27 09:11:32)

Offline

#4 2017-12-27 09:50:16

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

Your HF voltage is good. You should be able to get some good reads and even sim with it. Still, the "easy" needs to be real close to the reader antenna when simulating.

I forgot that the iclass sniff isn't the best.  Can you simulate your card instead and take the tracelog from that?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2017-12-27 09:51:22

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

You might need to use the official pm3 latest source for sniff.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#6 2017-12-28 02:18:13

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

I just realized I didn't cross-check my card's blocks with the spoofing_iclass_rev.pdf.

  Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
        AA1: blocks 06-12
        AA2: blocks 13-1F
        OTP: 0xFFFF

So that would mean having AA1 in blk 06-12 indicates that this card only contains a single SIO access payload?

Offline

#7 2017-12-28 09:21:18

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

I don't know how many SIO objects a tag has? But from what I have read of Carl55, one seems to be enough for it to work.
Have you tried dumping your cards?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#8 2017-12-28 09:59:32

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

Unable to dump the cards as the hid master key fails to auth.


At least I have now verified the key!! Been successful with a dump of some fresh 200x cards

Are the rumors true about there being multiple master keys (picopass,hid,etc) in addition to custom elite/hs?

I'll continue to keep trying different pm builds with the ol sim, but in case I collect nothing, what would you recommend as a replacement to my chinese pm3 easy?

Last edited by s0prise (2017-12-28 10:00:49)

Offline

#9 2017-12-28 11:34:32

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

There are a few default masterkeys for picopass etc.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#10 2017-12-29 07:45:41

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

s0prise wrote:

Unable to dump the cards as the hid master key fails to auth.
At least I have now verified the key!! Been successful with a dump of some fresh 200x cards

I don't quite follow you there; which card failed to authenticate? Your new ones, or the card whose content you are trying to read?

If you're talking about your existing card, I don't think the kiwicon key would work, since the company bothered to install SE readers around the property.

Although one thing I'm not really 100% clear about is: I've seen some buildings with SE readers, Gold Class readers and Unbranded HID readers installed mixed, as you described. Does that mean the system is running SE or Elite/HSec? Can GoldClass readers run in SE mode? If not, why do they bother installing SE readers and mixing them? (Assuming SE readers are more expensive.)

Offline

#11 2017-12-29 08:33:48

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

The card which I am trying to dump/read is failing to authenticate. The kiwikey does work for the new cards I purchased.


HID are only selling SE readers, and appear to have been doing so for quite a while which might explain why they have a mixture.

Reading off the HOT, they can be configured with the key sets below:

Keyset (Select one option)
0 - Standard v1 - Supports credentials with default HID keys, including iCLASS and iCLASS SR.
2 - Standard v2 - Supports credentials with default HID keys, not including iCLASS and iCLASS SR.
E - HID Elite - Supports credentials with HID Elite keys, including iCLASS and iCLASS SR, and/or Mobile IDs. Key reference (ICE or MOB) required at time of order.

Standard Security Keyset Compatibility with these Credentials

Version 1
iCLASS Seos (+ Prox)
iCLASS SE (+ Prox)
iCLASS SR (+ Prox)
iCLASS (+ Prox)
MIFARE Classic (+ Prox)
MIFARE DESFire EV1 (+ Prox)

Version 2
iCLASS Seos (+ Prox)
iCLASS SE (+ Prox)
MIFARE Classic (+ Prox)
MIFARE DESFire EV1 (+ Prox)

On a positive note, I noticed that SR has been rebranded to simply 'iclass', and still includes the dual payload:

iCLASS credentials are offered either with or without an encoded SIO. For the SIO encoded option, this card will come with two access control data payloads: the SIO and iCLASS access control data payload. These credentials provide backward compatibility with currently deployed systems, maximizing compatibility. iCLASS credentials encoded with SIO should be purchased when the site needs legacy application support, or when the site plans to eventually migrate to SIO security. iCLASS credentials encoded with SIOs were previously marketed as iCLASS SR credentials.

iCLASS, SIO encoded (Previously called iCLASS SR)
Increased Security when reading SIO, maximum compatibility - works with both iCLASS and iCLASS SE readers.

I should be in luck provided the key version of the readers have been configured in version 1.

Unfortunately I am still unsure if sim vs SE reader is at all possible.

Offline

#12 2017-12-29 10:38:51

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

Ok, no problem, I personally wouldn't waste my time on SE readers though.

If you think your sim2 is failing because of the PM easy, I've a PM with the latest build; you can use mine.

Just send me an email.

ModHex    ifidighdhvhrifededfchihthbhkhrduhehvht

Last edited by Heru (2017-12-29 10:40:09)

Offline

#13 2017-12-30 00:06:36

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

Cheers mate, I'd take you up on that if I hadn't just purchased a rdv2 off rfxsecure.

It looks like all readers can be reprogrammed, so I figure they would still be using the SR high security keys, because why else reissue brand new SR 200x cards?

Offline

#14 2018-01-08 00:24:02

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

hey s0prise

Any success running sim 2? I've tried it with the official PM firmware; apparently it does not work.

I guess I'd try the iceman fork.

@iceman, when you mention the blacklisting, you mean the official master firmware blacklisted the sim 2 MAC attack?

Offline

#15 2018-01-08 08:38:16

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

Still waiting on the rdv2 to arrive.

When you ran the sim did you see any traffic on the pm log? With my clone I had no traffic which I figured was due to the fake voltage or dodgy antenna.

Offline

#16 2018-01-08 12:04:19

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

It did not work at all; my PM crashed after trying several times. Could be a firmware issue. I was expecting at least some traffic, but nothing.

#db# Going into attack mode, 15 CSNS sent                 
#db# Simulating CSN 000b0ffff7ff12e0                 
Waiting for a response from the proxmark...         
Don't forget to cancel its operation first by pressing on the button

Last edited by Heru (2018-01-08 12:12:09)

Offline

#17 2018-01-08 12:26:06

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

I heard rumours HID blacklisted those CSNs, and I also heard that they implemented some kind of anti-measure against it.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#18 2018-01-08 13:07:29

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

Hey iceman, thanks for the info, much appreciated.

Offline

#19 2018-01-08 13:09:25

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

Rumours don't make it true, but I would be surprised if HID hasn't changed anything.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#20 2018-01-09 23:18:42

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

Just did a couple of quick sim tests with my rdv2 on the official:

  888053744 |  888053744 | Tag | 0f                                                              |     | 
  890762480 |  890762480 | Rdr | 0a                                                              |     | ACTALL
  890762912 |  890762912 | Tag | 0f                                                              |     | 
  893471520 |  893471520 | Rdr | 0a                                                              |     | ACTALL
  893471888 |  893471888 | Tag | 0f                                                              |     | 
  893484288 |  893484288 | Rdr | 0c                                                              |     | IDENTIFY
  893487360 |  893487360 | Tag | 60  e1  e1  ff  fe  5f  02  1c  b1  96                          |  ok | 
  894790624 |  894790624 | Rdr | 0a                                                              |     | ACTALL
  894791072 |  894791072 | Tag | 0f                                                              |     | 
  897499808 |  897499808 | Rdr | 0a                                                              |     | ACTALL
  897500240 |  897500240 | Tag | 0f                                                              |     | 
  897512656 |  897512656 | Rdr | 0c                                                              |     | IDENTIFY
  897515712 |  897515712 | Tag | 60  e1  e1  ff  fe  5f  02  1c  b1  96                          |  ok | 
  897623040 |  897623040 | Rdr | 00                                                              |     | HALT
  909631120 |  909631120 | Rdr | 0a                                                              |     | ACTALL
  909631568 |  909631568 | Tag | 0f                                                              |     | 
  923180496 |  923180496 | Rdr | 0a                                                              |     | ACTALL
  923180864 |  923180864 | Tag | 0f                                                              |     | 
  923193280 |  923193280 | Rdr | 0c                                                              |     | IDENTIFY
  923196336 |  923196336 | Tag | 60  e1  e1  ff  fe  5f  02  1c  b1  96                          |  ok | 
  924499584 |  924499584 | Rdr | 0a                                                              |     | ACTALL
  924500048 |  924500048 | Tag | 0f                                                              |     | 
  933990608 |  933990608 | Rdr | 0a                                                              |     | ACTALL
  933990976 |  933990976 | Tag | 0f                                                              |     | 
  935337536 |  935337536 | Rdr | 0a                                                              |     | ACTALL
  935337968 |  935337968 | Tag | 0f                                                              |     | 
  938046704 |  938046704 | Rdr | 0a                                                              |     | ACTALL
  938047136 |  938047136 | Tag | 0f                                                              |     | 
  940755872 |  940755872 | Rdr | 0a                                                              |     | ACTALL
  940756304 |  940756304 | Tag | 0f                                                              |     | 

I'll have to read up on what the responses 0a/0f/etc. mean, but I think I will need to thoroughly re-test until I can successfully collect the MAC.

Offline

#21 2018-01-10 16:21:20

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 143

Re: iClass SR / r10 and sim 2

That is very interesting. The trace looks correct.
The reader sequence of ACTALL, IDENTIFY followed by the tags response of its anti-collision serial number is the way it is supposed to work. That tag response and CRC are correct and used to work fine with all readers. Perhaps your reader is a newer iClass SE and HID actually has installed a firmware patch to reject that simulated CSN. If so, maybe you can try the attack on a different (older) reader since that should likely work.

Offline
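carl55's reading of the trace above (ACTALL, IDENTIFY, a tag CSN reply with good CRC, then nothing further) can be checked mechanically. The following is an added example, not from this thread or the Proxmark3 project: it parses the `hf iclass` trace rows the client prints and reports, per session, the furthest reader command reached, so a reader that halts after IDENTIFY (as in #20) is told apart from one that continues through SELECT and READCHECK to CHECK (as in the trace posted later in #30). The sample rows are constructed from those two posts.

```python
"""Parse 'hf iclass' trace rows printed by the Proxmark3 client and report,
per session, the furthest reader command reached with the presented CSN.
Added example for this thread, not code from the Proxmark3 project; the two
sample traces are constructed from rows quoted in posts #20 and #30."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Row layout: Start | End | Src | Data ('!' = parity error) | CRC | Annotation
ROW_RE = re.compile(
    r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|([^|]*)\|\s*(\S*)\s*$")

# Reader commands in the order a complete iClass read issues them.
STAGE_ORDER = ["ACTALL", "IDENTIFY", "SELECT", "READ", "READCHECK", "CHECK"]

# Constructed from post #20: the reader identifies the CSN, then sends HALT.
SAMPLE_STOPPED = """
  893471520 |  893471520 | Rdr | 0a                                   |     | ACTALL
  893471888 |  893471888 | Tag | 0f                                   |     |
  893484288 |  893484288 | Rdr | 0c                                   |     | IDENTIFY
  893487360 |  893487360 | Tag | 60  e1  e1  ff  fe  5f  02  1c  b1  96 |  ok |
  897623040 |  897623040 | Rdr | 00                                   |     | HALT
"""

# Constructed from post #30: the reader continues through SELECT to CHECK.
SAMPLE_COMPLETE = """
          0 |      40544 | Rdr |0a                                     |     | ACTALL
   44342944 |   44368272 | Tag |0f!                                    |     |
   44343392 |   44349616 | Rdr |0c                                     |     | IDENTIFY
   44390736 |   44436496 | Tag |40  e1! e1! ff! fe  5f! 02  3c! 43  01 |  ok |
   46997936 |   47032960 | Rdr |81  40  e1  e1  ff  fe  5f  02  3c     |     | SELECT
   47041648 |   47057952 | Tag |01  0a! 0f! ff! f7  ff! 12! e0  62  75 |  ok |
   47044800 |   47045344 | Rdr |0c  05  de  64                         |  ok | READ(5)
   47300608 |   47305984 | Rdr |88  02                                 |     | READCHECK[Kd](2)
   47423312 |   47424256 | Rdr |05  e0  e8  c0  98  4b  0c  d1  ac     |     | CHECK
"""


@dataclass
class TraceRow:
    start: int
    src: str                # "Rdr" or "Tag"
    data: List[int]         # payload bytes, parity marks stripped
    parity_error: bool      # any byte flagged with '!'
    crc_ok: Optional[bool]  # None when the CRC column is blank
    annotation: str         # e.g. "ACTALL", "READ(5)"; "" for tag replies


def parse_row(line: str) -> Optional[TraceRow]:
    """Return a TraceRow for a data row, None for headers and separators."""
    m = ROW_RE.match(line)
    if not m:
        return None
    start, _end, src, data, crc, ann = m.groups()
    tokens = data.split()
    crc = crc.strip()
    return TraceRow(int(start), src, [int(t.rstrip("!"), 16) for t in tokens],
                    any(t.endswith("!") for t in tokens),
                    None if crc == "" else crc == "ok", ann)


def stage_of(annotation: str) -> Optional[str]:
    """Map a reader annotation to a stage; longest prefix first so that
    READCHECK[Kd](2) is not counted as READ."""
    for stage in sorted(STAGE_ORDER, key=len, reverse=True):
        if annotation.startswith(stage):
            return stage
    return None


def split_sessions(rows: List[TraceRow]) -> List[List[TraceRow]]:
    """The client restarts the timestamp at 0 for each simulated CSN, so a
    timestamp going backwards starts a new session."""
    sessions: List[List[TraceRow]] = []
    for row in rows:
        if not sessions or row.start < sessions[-1][-1].start:
            sessions.append([])
        sessions[-1].append(row)
    return sessions


def furthest_stage(session: List[TraceRow]) -> Optional[str]:
    """Highest-ranked reader command in one session (HALT is not a stage)."""
    ranks = [STAGE_ORDER.index(s) for s in
             (stage_of(r.annotation) for r in session if r.src == "Rdr") if s]
    return STAGE_ORDER[max(ranks)] if ranks else None


def summarise(trace_text: str) -> List[dict]:
    """Per session: furthest stage, whether the reader sent HALT, and the CRC
    verdict on the tag's reply to IDENTIFY (its anti-collision CSN)."""
    rows = [r for r in map(parse_row, trace_text.splitlines()) if r is not None]
    result = []
    for session in split_sessions(rows):
        csn_crc_ok = None
        for i, row in enumerate(session[:-1]):
            if row.src == "Rdr" and row.annotation == "IDENTIFY" \
                    and session[i + 1].src == "Tag":
                csn_crc_ok = session[i + 1].crc_ok
        result.append({
            "furthest": furthest_stage(session),
            "halted": any(r.src == "Rdr" and r.annotation == "HALT" for r in session),
            "csn_crc_ok": csn_crc_ok,
        })
    return result
```

Paste a whole `hf list iclass` output into `summarise()`; one dict per session tells you at which command the reader stopped talking to the simulated tag.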

#22 2018-01-10 22:01:32

s0prise
Contributor
Registered: 2017-12-24
Posts: 13

Re: iClass SR / r10 and sim 2

I also forgot to include this part from yesterday's sim log.

Unsure why the reader sent back the 00/halt, however I was attacking a different reader.

 1040946624 | 1040946624 | Rdr | 0a                                                              |     | ACTALL
 1040947056 | 1040947056 | Tag | 0f                                                              |     | 
 1040959456 | 1040959456 | Rdr | 0c                                                              |     | IDENTIFY
 1040962528 | 1040962528 | Tag | 60  e1  e1  ff  fe  5f  02  1c  b1  96                          |  ok | 
 1041069872 | 1041069872 | Rdr | 00                                                              |     | HALT
 1044961568 | 1044961568 | Rdr | 0a                                                              |     | ACTALL
 1044961968 | 1044961968 | Tag | 0f                                                              |     | 
 1047670704 | 1047670704 | Rdr | 0a                                                              |     | ACTALL

Offline

#23 2018-01-14 08:29:38

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

Hey s0prise, how long did you have to hold the device on the readers to get some response? Some people on this forum claim to hold it only 10 seconds or so, some claim to hold it for up to 5-10 minutes to get some response.

I have tried attacking a number of readers, with iceman's sim 4 and the master's sim 2; none were successful.

There is no response whatsoever from any readers (including Goldclass, SE, Inner Range).

Last edited by Heru (2018-01-14 08:59:43)

Offline

#24 2018-02-03 17:02:48

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

S0prise (#20), it looks like you tried running

hf iclass sim 1

That only simulates a CSN (uid) and nothing more. No reader will accept it, as you see in your trace.
If you want to do some more serious simulation,  you will need

hf iclass eload  xxxxxx.bin
hf iclass sim 3

which is a full simulation. That usually will give you a better trace, and even a beep from the reader.


If you run sim2 against a reader configured for elite keys, you could extract it with this attack.

hf iclass sim 2
hf iclass loclass f zzzzzzz.bin 

However, on official pm3, the sim2 will not work on a SE reader or a reader with updated firmware.
In iceman fork, the sim2 will work against such devices.
There is also a sim4 in iceman fork, which targets readers in a rare mode called "key roll mode", which is when a systemwide key change has occurred and all cards need to be updated with the new key. Hence it alternates between both keys when authenticating.
Sim 4 will collect the correct data with both keys.

Run time.
The run time for these commands is very fast. Some seconds when it works. If it takes a looong time, it's usually because something is wrong.

hf iclass sim 2
hf iclass sim 4

冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#25 2018-02-03 17:08:01

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

Some people have asked me why, when the hf iclass sim 2 collected all data successfully, the hf iclass loclass attack fails.

There is nothing wrong; it's just the reader, which is NOT configured for high security / elite keys... So the loclass attack will fail, running a long time, failing three bytes... Once you see that first message, just break the execution since the attack will fail.

When this happens, try collecting an authentication trace and a list of known default iclass keys and run it with

hf iclass lookup

inside iceman fork.

The reader most likely uses an old legacy key. Of which there are quite a few....


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#26 2018-02-04 00:10:45

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

Ok, there are differences; in my attempt to pretend to be a genuine tag when simulating, I changed the assumptions for the loclass attack implementation. I will push a fix for it.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#27 2018-02-06 12:32:46

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

A short demonstration of running  sim 2  against iClass SE r10 reader.

https://youtu.be/m8r5M7KWQpE


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#28 2018-05-16 13:49:28

brantz
Contributor
Registered: 2014-03-19
Posts: 37

Re: iClass SR / r10 and sim 2

iceman wrote:

Some people have asked me why, when the hf iclass sim 2 collected all data successfully, the hf iclass loclass attack fails.

There is nothing wrong; it's just the reader, which is NOT configured for high security / elite keys... So the loclass attack will fail, running a long time, failing three bytes... Once you see that first message, just break the execution since the attack will fail.

When this happens, try collecting an authentication trace and a list of known default iclass keys and run it with

hf iclass lookup

inside iceman fork.

The reader most likely uses an old legacy key. Of which there are quite a few....


Is it possible the reader is not configured in high security mode, nor using legacy keys, e.g. with a customised site key but the authentication method using standard security mode? This way, the key will not be easily extracted using sim 2.

However, if this were true, all credentials would need to be specially programmed. According to "How to order", there is no such option, only 2 options for credential programming: 1. Standard mode 2. Elite mode with customised ICE number.

I have seen some credentials, they are not using SIO payload, they are not encrypted with any currently known global master keys, and the sim 2 from the reader (SE R10) can't get a valid calculation.

Last edited by brantz (2018-05-16 13:51:37)

Offline

#29 2018-05-16 14:56:28

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

Do you have an authentication trace against one of those problematic credentials?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#30 2018-06-02 12:30:00

brantz
Contributor
Registered: 2014-03-19
Posts: 37

Re: iClass SR / r10 and sim 2

iceman wrote:

Do you have an authentication trace against one of those problematic credentials?

This is what I got from the 9 CSNs from your repo.
I'm using a special antenna which prevents me from sniffing comms, so I don't have the actual trace for the credential auth.

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |      40544 | Rdr |0a                                                                       |     | ACTALL
   44342944 |   44368272 | Tag |0f!                                                                      |     |
   44343392 |   44349616 | Rdr |0c                                                                       |     | IDENTIFY
   44390736 |   44436496 | Tag |40  e1! e1! ff! fe  5f! 02  3c! 43  01                                   |  ok |
   44393872 |   44439424 | Rdr |0a                                                                       |     | ACTALL
   45645136 |   45679008 | Tag |0f!                                                                      |     |
   45645600 |   45659936 | Rdr |0c                                                                       |     | IDENTIFY
   45692544 |   45747280 | Tag |40  e1! e1! ff! fe  5f! 02  3c! 43  01                                   |  ok |
   45695744 |   45749888 | Rdr |0a                                                                       |     | ACTALL
   46946752 |   46989728 | Tag |0f!                                                                      |     |
   46947216 |   46971296 | Rdr |0c                                                                       |     | IDENTIFY
   46994800 |   47057936 | Tag |40  e1! e1! ff! fe  5f! 02  3c! 43  01                                   |  ok |
   46997936 |   47032960 | Rdr |81  40  e1  e1  ff  fe  5f  02  3c                                       |     | SELECT
   47041648 |   47057952 | Tag |01  0a! 0f! ff! f7  ff! 12! e0  62  75                                   |  ok |
   47044800 |   47045344 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
   47297504 |   47320048 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
   47300608 |   47305984 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
   47420736 |   47450592 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
   47423312 |   47424256 | Rdr |05  e0  e8  c0  98  4b  0c  d1  ac                                       |     | CHECK
          0 |      39648 | Rdr |0a                                                                       |     | ACTALL
     236304 |     262512 | Tag |0f!                                                                      |     |
     236720 |     244640 | Rdr |0c                                                                       |     | IDENTIFY
     284816 |     330768 | Tag |c1  80  c1  ff! fe  5f! 02  9c! 24! 50!                                  |  ok |
     287952 |     305664 | Rdr |81  c1  80  c1  ff  fe  5f  02  9c                                       |     | SELECT
     331536 |     396256 | Tag |0c! 06! 0c! fe  f7  ff! 12! e0  1c  79                                   |  ok |
     334624 |     383584 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     587200 |     592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     590368 |     643696 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     709840 |     723488 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     712480 |     766080 | Rdr |05  cf  72  27  32  9e  56  c7  d4                                       |     | CHECK
          0 |      55008 | Rdr |0a                                                                       |     | ACTALL
     251680 |     262560 | Tag |0f!                                                                      |     |
     252144 |     308896 | Rdr |0c                                                                       |     | IDENTIFY
     298960 |     330768 | Tag |e2! 72! 70  ef  fe  5f! 02  1c  ff! 3a!                                  |  ok |
     302096 |     305792 | Rdr |81  e2  72  70  ef  fe  5f  02  1c                                       |     | SELECT
     345808 |     396320 | Tag |10  97  83  7b! f7  ff! 12! e0  2d! 21!                                  |  ok |
     348960 |     384480 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     602432 |     658416 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     605536 |     644464 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     725776 |     789024 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     728416 |     762880 | Rdr |05  8e  3f  f0  ea  51  dc  3f  a9                                       |     | CHECK
          0 |      41952 | Rdr |0a                                                                       |     | ACTALL
     238624 |     262560 | Tag |0f!                                                                      |     |
     239088 |     243872 | Rdr |0c                                                                       |     | IDENTIFY
     286416 |     330768 | Tag |e2! 52  50! ef  fe  5f! 02  7c  1a  bf                                   |  ok |
     289552 |     305936 | Rdr |81  e2  52  50  ef  fe  5f  02  7c                                       |     | SELECT
     333408 |     396256 | Tag |13  97  82! 7a  f7  ff! 12! e0  92  a4                                   |  ok |
     336496 |     384224 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     589712 |     592880 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     592816 |     644480 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     713072 |     723488 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     715712 |     762768 | Rdr |05  3f  bb  d6  f9  7b  ef  f2  91                                       |     | CHECK
          0 |      40544 | Rdr |0a                                                                       |     | ACTALL
     237200 |     262560 | Tag |0f!                                                                      |     |
     237664 |     243872 | Rdr |0c                                                                       |     | IDENTIFY
     284992 |     330768 | Tag |c0! a1  21! ff! fe  5f! 02  fc! d8! cc!                                  |  ok |
     288128 |     306048 | Rdr |81  c0  a1  21  ff  fe  5f  02  fc                                       |     | SELECT
     332096 |     396320 | Tag |07  0e  0d  f9! f7  ff! 12! e0  6b  34                                   |  ok |
     335248 |     383840 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     588080 |     592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     591248 |     644464 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     711488 |     723488 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     714128 |     763392 | Rdr |05  f0  94  d1  d6  2d  d6  26  28                                       |     | CHECK
          0 |      41184 | Rdr |0a                                                                       |     | ACTALL
     237856 |     262560 | Tag |0f!                                                                      |     |
     238320 |     243616 | Rdr |0c                                                                       |     | IDENTIFY
     285376 |     330784 | Tag |c2  92  d0  ee! fe  5f! 02  9c! 19  a1                                   |  ok |
     288528 |     306048 | Rdr |81  c2  92  d0  ee  fe  5f  02  9c                                       |     | SELECT
     332496 |     396320 | Tag |14! 96! 84! 76  f7  ff! 12! e0  83  c8                                   |  ok |
     335648 |     384112 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     588752 |     592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     591920 |     644848 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     712560 |     723408 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     715120 |     762768 | Rdr |05  74  ea  6c  80  a1  0a  9d  cc                                       |     | CHECK
          0 |      41824 | Rdr |0a                                                                       |     | ACTALL
     238480 |     262560 | Tag |0f!                                                                      |     |
     238944 |     244000 | Rdr |0c                                                                       |     | IDENTIFY
     286400 |     330832 | Tag |c2  b2! 30! ee! fe  5f! 02  fc! 8f  23                                   |  ok |
     289600 |     305920 | Rdr |81  c2  b2  30  ee  fe  5f  02  fc                                       |     | SELECT
     333440 |     396256 | Tag |17! 96! 85  71! f7  ff! 12! e0  a4  76                                   |  ok |
     336528 |     384224 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     589744 |     592880 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     592848 |     644096 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     712720 |     723424 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     715296 |     763776 | Rdr |05  40  48  ba  35  fc  62  f1  d3                                       |     | CHECK
          0 |      44256 | Rdr |0a                                                                       |     | ACTALL
     240928 |     262496 | Tag |0f!                                                                      |     |
     241328 |     244512 | Rdr |0c                                                                       |     | IDENTIFY
     289296 |     330832 | Tag |b9  f8  e1! ee! fe  5f! 02  dc  21! 42!                                  |  ok |
     292496 |     305680 | Rdr |81  b9  f8  e1  ee  fe  5f  02  dc                                       |     | SELECT
     336096 |     396256 | Tag |ce  c5! 0f! 77! f7  ff! 12! e0  59! e2!                                  |  ok |
     339184 |     383584 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     591760 |     592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     594928 |     644080 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     714784 |     723424 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     717360 |     763648 | Rdr |05  35  6e  eb  1c  f7  da  6e  71                                       |     | CHECK
          0 |      41440 | Rdr |0a                                                                       |     | ACTALL
     238096 |     262512 | Tag |0f!                                                                      |     |
     238512 |     244640 | Rdr |0c                                                                       |     | IDENTIFY
     286608 |     330768 | Tag |5a! 4b! 10  ff! fe  5f! 02  5c! af! d7!                                  |  ok |
     289744 |     306192 | Rdr |81  5a  4b  10  ff  fe  5f  02  5c                                       |     | SELECT
     333856 |     396256 | Tag |d2! 5a! 82! f8  f7  ff! 12! e0  b7! 78!                                  |  ok |
     336944 |     384624 | Rdr |0c  05  de  64                                                           |  ok | READ(5)
     590576 |     592928 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!                                  |  ok |
     593728 |     644464 | Rdr |88  02                                                                   |     | READCHECK[Kd](2)
     713968 |     723488 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!                                          |  ok |
     716608 |     762640 | Rdr |05  e5  b6  d0  65  b2  56  90  12                                       |     | CHECK

Last edited by brantz (2018-06-02 12:34:41)

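For anyone who wants to see exactly what sim 2 has handed to loclass, here is a small parser, written for this thread and not part of the Proxmark3 client, that reads the hf list iclass output in the post above and turns each reader cycle into the (CSN, e-purse, NR, MAC) tuple that hf iclass loclass attacks. It takes the real CSN from the tag's reply to SELECT (not the anticollision CSN in the SELECT command), the e-purse from the READCHECK reply, and NR/MAC from the 9-byte CHECK, and it flags cycles where the reader never sent CHECK, which is the "no CSNs collected" symptom from the start of the thread. The column layout it expects is the one shown above; the 24-byte dump layout and the 0x18 byte for READCHECK[Kc] are my assumptions about the client, so check them against your build before feeding the output to loclass.

```python
# Parses an 'hf list iclass' trace of an 'hf iclass sim 2' run into the (CSN, CC, NR, MAC)
# records that loclass consumes.  Added for this thread; not Proxmark3 client code.
import re
from dataclasses import dataclass
from typing import List, Optional

# Two reader cycles copied from the trace posted above (column padding trimmed).
SAMPLE_TRACE = """\
     0 |  40544 | Rdr |0a                                       |     | ACTALL
237200 | 262560 | Tag |0f!                                      |     |
237664 | 243872 | Rdr |0c                                       |     | IDENTIFY
284992 | 330768 | Tag |c0! a1  21! ff! fe  5f! 02  fc! d8! cc!  |  ok |
288128 | 306048 | Rdr |81  c0  a1  21  ff  fe  5f  02  fc       |     | SELECT
332096 | 396320 | Tag |07  0e  0d  f9! f7  ff! 12! e0  6b  34   |  ok |
335248 | 383840 | Rdr |0c  05  de  64                           |  ok | READ(5)
588080 | 592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!  |  ok |
591248 | 644464 | Rdr |88  02                                   |     | READCHECK[Kd](2)
711488 | 723488 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!          |  ok |
714128 | 763392 | Rdr |05  f0  94  d1  d6  2d  d6  26  28       |     | CHECK
     0 |  41184 | Rdr |0a                                       |     | ACTALL
237856 | 262560 | Tag |0f!                                      |     |
238320 | 243616 | Rdr |0c                                       |     | IDENTIFY
285376 | 330784 | Tag |c2  92  d0  ee! fe  5f! 02  9c! 19  a1   |  ok |
288528 | 306048 | Rdr |81  c2  92  d0  ee  fe  5f  02  9c       |     | SELECT
332496 | 396320 | Tag |14! 96! 84! 76  f7  ff! 12! e0  83  c8   |  ok |
335648 | 384112 | Rdr |0c  05  de  64                           |  ok | READ(5)
588752 | 592944 | Tag |ff! ff! ff! ff! ff! ff! ff! ff! ea  f5!  |  ok |
591920 | 644848 | Rdr |88  02                                   |     | READCHECK[Kd](2)
712560 | 723408 | Tag |fe  ff! ff! ff! ff! ff! ff! ff!          |  ok |
715120 | 762768 | Rdr |05  74  ea  6c  80  a1  0a  9d  cc       |     | CHECK
"""

# READCHECK command byte -> key slot.  0x88 is what the trace above annotates as READCHECK[Kd];
# 0x18 for Kc is my reading of the Proxmark3 iclass command table (assumption).
READCHECK_SLOT = {0x88: "Kd", 0x18: "Kc"}

@dataclass
class AuthRecord:
    csn: Optional[bytes] = None   # real CSN: the tag's reply to SELECT, not the anticollision one
    cc: Optional[bytes] = None    # e-purse the simulator answered READCHECK with
    nr: Optional[bytes] = None    # reader nonce from CHECK
    mac: Optional[bytes] = None   # reader MAC from CHECK; this is what loclass attacks
    key_slot: Optional[str] = None

    def is_complete(self) -> bool:
        return None not in (self.csn, self.cc, self.nr, self.mac)

def parse_trace(text: str) -> List[AuthRecord]:
    records: List[AuthRecord] = []
    cur: Optional[AuthRecord] = None
    expect: Optional[str] = None
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        # the client prints some bytes with a trailing '!' flag; keep the byte, drop the flag
        data = bytes.fromhex("".join(re.findall(r"([0-9a-fA-F]{2})!?", parts[3]))) if len(parts) > 3 else b""
        if not data or parts[2] not in ("Rdr", "Tag"):
            continue
        if parts[2] == "Rdr":
            if data == b"\x0a":                                  # ACTALL starts a new cycle
                if cur is not None and cur.csn is not None:
                    records.append(cur)                          # keep aborted cycles too
                cur, expect = AuthRecord(), None
                continue
            if cur is None:                                      # excerpt started mid-cycle
                cur = AuthRecord()
            if data[0] == 0x81 and len(data) == 9:               # SELECT(anticollision CSN)
                expect = "csn"
            elif len(data) == 2 and data[0] in READCHECK_SLOT:   # READCHECK[Kd|Kc]
                cur.key_slot, expect = READCHECK_SLOT[data[0]], "cc"
            elif data[0] == 0x05 and len(data) == 9:             # CHECK: 05 || NR(4) || MAC(4)
                cur.nr, cur.mac = data[1:5], data[5:9]
                records.append(cur)
                cur, expect = None, None
        elif expect is not None:                                 # tag reply we were waiting for
            setattr(cur, expect, data[:8] if len(data) >= 8 else None)  # 8 data bytes, CRC dropped
            expect = None
    if cur is not None and cur.csn is not None:
        records.append(cur)
    return records

def to_loclass_dump(records: List[AuthRecord]) -> bytes:
    """24-byte CSN||CC||NR||MAC entries.  ASSUMPTION: my reading of the file layout that
    'hf iclass loclass f <file>' reads; check it against the loclass source in your client."""
    return b"".join(r.csn + r.cc + r.nr + r.mac for r in records if r.is_complete())

def check_collection(records: List[AuthRecord], expected_csns: int) -> List[str]:
    """Empty list means every cycle reached CHECK and the expected number of CSNs was seen."""
    problems = [f"cycle {i} (csn {r.csn.hex() if r.csn else '?'}): reader stopped before CHECK"
                for i, r in enumerate(records) if not r.is_complete()]
    seen = {r.csn for r in records if r.is_complete()}
    if len(seen) < expected_csns:
        problems.append(f"only {len(seen)} of {expected_csns} CSNs reached CHECK")
    return problems

if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print(*(f"{r.csn.hex()} cc={r.cc.hex()} nr={r.nr.hex()} mac={r.mac.hex()} {r.key_slot}" for r in recs), sep="\n")
    print("problems:", check_collection(recs, len(recs)) or "none")
```

Pass check_collection the number of CSNs your sim 2 build cycles through; a cycle that stops after READCHECK (no CHECK line) is the reader backing off, and a trace with no SELECT at all means the simulation never got past anticollision, which is the pm3-easy symptom iceman describes at the top of the thread.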

#31 2018-06-04 13:31:55

Heru
Contributor
Registered: 2017-10-08
Posts: 76

Re: iClass SR / r10 and sim 2

iceman wrote:

Some people have asked me why, when hf iclass sim 2 has collected all the data successfully, the hf iclass loclass attack still fails.

There is nothing wrong; it's just that the reader is NOT configured for high security / elite keys... so the loclass attack will fail, running a long time, failing three bytes... Once you see that first message, just break the execution, since the attack will fail.

Hi dear iceman:

I've got the exact same situation, but but but, when you say "--> failing three bytes... Once you see that first message, just break the execution since the attack will fail."

I actually kept it running even though the initial loclass attack appeared to fail. However, in the end it actually gives a key.

Is it supposed to print out a random iClass key even after failing?

Unfortunately, I cannot test right now because I no longer have the fob on me to test.

Last edited by Heru (2018-06-04 13:39:58)


#32 2018-06-04 13:57:34

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850
Website

Re: iClass SR / r10 and sim 2

Yes, it will always print out the results. That key is mostly garbage; it depends on the number of failed recovery bytes.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)
