Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-11-11 04:26:02

onebyte
Contributor
Registered: 2017-09-28
Posts: 9

iclass reader, sim 2, custom key

Hi all.

I have an RP10 reader (not R10) and pm3s (official version, Elechouse and Easy), but could not run sim 2. I checked the forum; iceman said it is only possible with the iceman version. Correct? Not with official?

From reading this forum, the purpose of the sim 2 command is to get the key from a configured reader.

The leaked master key works well with a blank iClass fob (legacy), but with a programmed fob (probably high security? not sure, in Australia), pm3 could not dump data with the leaked master key because I do not know the custom key. So I wanted to get the custom key from the reader with pm3, and failed.

Or should I visit that site and get the custom key from that reader only? (Bring pm3 and laptop?)

Any help or advice appreciated. :)


#2 2018-11-11 10:28:04

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945

Re: iclass reader, sim 2, custom key

The 'hf iclass sim 2' attack is a reader attack, meaning you use the pm3 to simulate a tag in front of a valid reader, i.e. you must be near the reader.
If successful, sim 2 generates a binfile which is used for the "hf iclass loclass" offline attack. If that succeeds, you now have a custom key.

There are however a lot of countermeasures built into the readers; if sim2 fails on official, try iceman sim2...
I did a video about it a long time ago.
https://youtu.be/m8r5M7KWQpE

It should make things a bit clearer.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2018-11-12 02:09:01

onebyte
Contributor
Registered: 2017-09-28
Posts: 9

Re: iclass reader, sim 2, custom key

Thanks iceman, you mean with that reader only. I thought all readers have the same key values, and with configuration, each reader and iClass fob chooses its own custom key. :)
I tried official sim 2 with my test reader; nothing happened, only this error:

unknown command received from reader len=4 : c 5 de 64 ff fe 5f 2 1c
unknown command received from reader len=4 : c 0 73 33 ff fe 5f 2 1c

continued... until Ctrl-C. :(

I never tried the reader with a config fob or touched anything else. Even with the programmed fob, I could not get any result with hf search...


#4 2018-11-12 09:05:11

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945

Re: iclass reader, sim 2, custom key

That looks like the output from the official repo; now try flashing / running the client from the iceman fork...



#5 2018-11-13 00:23:37

onebyte
Contributor
Registered: 2017-09-28
Posts: 9

Re: iclass reader, sim 2, custom key

Failed to update to the iceman fork (20181027)... flash bootrom, OK. Flash fullimage, COM port found, then... down. :( Reconnect, same.

In this condition, same result as before. How can I get success with fullimage?

Or should I send you my pm3, if you do not mind?

Thanks


#6 2018-11-13 10:33:13

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945

Re: iclass reader, sim 2, custom key

The COM port changes when you swap between the iceman fork and official.

The normal process is to do it in one go:

flasher com3 -b bootrom.elf fullimage.elf

That will solve your flashing; afterwards the device will most likely show up on a different COM port...


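The one-go flash described in the post above, followed by working out which serial port the re-enumerated device came back on, as an added example that is not iceman's or the project's own script. It assumes a Linux host where the pm3 enumerates as /dev/ttyACM*, and the 2018-era `flasher` binary with the `-b` bootrom flag shown in the post; the port-diff logic is the part worth keeping if your setup differs.

```shell
#!/bin/sh
# Added example (not from the thread): flash bootrom + fullimage in one go,
# then report which serial port the device re-enumerated on.
# Assumptions: Linux /dev/ttyACM* naming; the old 'flasher' binary is on PATH.
set -e

# List currently present pm3 candidate ports, one per line (empty if none).
list_ports() {
    ls /dev/ttyACM* 2>/dev/null || true
}

# new_port BEFORE AFTER: print every port in AFTER that was not in BEFORE.
# Both arguments are whitespace/newline separated lists from list_ports.
new_port() {
    # Normalise BEFORE to a single space-separated, space-padded string so
    # a plain glob match in 'case' can test membership exactly.
    before=" $(echo $1) "
    for p in $2; do
        case "$before" in
            *" $p "*) ;;        # port existed before the flash: not new
            *) echo "$p" ;;     # newly enumerated device
        esac
    done
}

# flash_and_find_port PORT BOOTROM FULLIMAGE: flash both images in one
# invocation (as the post recommends) and print the post-flash port.
flash_and_find_port() {
    port="$1"; bootrom="$2"; fullimage="$3"
    before=$(list_ports)
    flasher "$port" -b "$bootrom" "$fullimage"
    sleep 3                     # give the device time to re-enumerate
    after=$(list_ports)
    found=$(new_port "$before" "$after")
    if [ -n "$found" ]; then
        echo "device now on: $found"
    else
        echo "device came back on the same port ($port) or not at all"
    fi
}

# Usage: ./flash.sh /dev/ttyACM0 bootrom.elf fullimage.elf
if [ $# -eq 3 ]; then
    flash_and_find_port "$@"
fi
```

If the device reappears on the same name, `new_port` prints nothing and the script says so; on Windows the same diff works against the output of `mode` or the Device Manager COM list, but the `list_ports` helper must be replaced.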

#7 2018-11-14 02:43:30

onebyte
Contributor
Registered: 2017-09-28
Posts: 9

Re: iclass reader, sim 2, custom key

Thanks iceman, great! Your hints worked, not exactly, but anyway I did it (changed COM port). :)

Then I tried with the test reader, and found it.

Dump for fob: [-] no tag found, even with all positions changed (up-down, left-right). :(

hw tune result is OK: HF 26.29 V with the newest iceman. Some legacy worked, some HS too, but not this HS fob. Is this special, you think?

Or is the RDV4 better?

Thanks again.

Last edited by onebyte (2018-11-14 03:39:01)


#8 2018-11-14 08:57:07

iceman
Administrator
Registered: 2013-04-25
Posts: 4,945

Re: iclass reader, sim 2, custom key

Is it a pm3 easy you have? They have been known to be bad at iClass simulation.
The question is if sim2 works against the readers. Hopefully you don't need to buy another pm3 because of that.



#9 2018-11-15 00:05:23

onebyte
Contributor
Registered: 2017-09-28
Posts: 9

Re: iclass reader, sim 2, custom key

I have the Easy and the Elechouse RDV together; the HS programmed one is not recognized by either (with the reader, good fob), the legacy ones work well. :( I wondered whether this HS fob has special protection against pm3. :)

Thanks, sim 2 solved. :)

Last edited by onebyte (2018-11-15 00:12:05)
