Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2019-06-06 13:41:52

exc3l
Contributor
Registered: 2019-05-09
Posts: 5

Emulating legacy iClass

Hey everyone,
I've been trying to dump and emulate a legacy iClass card but with no luck.

I managed to get the debit key (using chk default keys) and dump AA1 using

[REDACTED]

But if I am correct this only dumps AA1 and I still need AA2 to fully emulate the card.
I also tried checking if the credit key is not in the default list, but it seems that it isn't.

However, if I try

hf iclass readblk b BLOCK k KEY

using the DEBIT key for each of blocks 13-31, I only get "FF FF FF FF FF FF FF FF". When I try any other key this doesn't happen.

Does this mean that the sectors 13-31 are all just F's or am I missing something?

Last edited by exc3l (2019-06-11 09:19:08)


#2 2019-06-06 17:56:19

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Emulating legacy iClass

The vast majority of legacy iclass credentials do not have any data stored in the AA2 area (usually Blk 0x12-0x1F). The default data value is 0xFFFFFFFFFFFFFFFF for all AA2 data blocks.
I believe that HID primarily uses AA2 to store biometric fingerprint data since the normal access control payload resides in AA1. Normally AA2 is used by third party vendors that need dedicated memory space that can only be accessed by their own Kc key (e.g. cashless vending).

That being said, if you perform a successful authentication (with Kc) and try to read AA2, the actual data as stored will be returned. If you perform a successful authentication (with Kd) then data will be returned but it will always return 0xFFFFFFFFFFFFFFFF regardless of the actual stored data.
Since AA2 is seldom used you can usually get away with only copying the AA1 data blocks. If your credential actually does have something stored in AA2 then you will need to have knowledge of Kc in order to have read and write access to those blocks of data.


#3 2019-06-07 08:01:57

exc3l
Contributor
Registered: 2019-05-09
Posts: 5

Re: Emulating legacy iClass

Thank you for your support!

carl55 wrote:

That being said, if you perform a successful authentication (with Kc) and try to read AA2, the actual data as stored will be returned.

Okay, and if I'm correct there's no way to get the credit key easily (except for brute-forcing)?

Also, if we say that I don't know the credit key, but AA2 is 'empty', do I need to pad the dump file with 0xFF (i.e. to make the file 256 bytes)?
I was tasked with black box testing the access system in our building but whatever I try I can't get any response from the reader.

Last edited by exc3l (2019-06-07 08:02:29)


#4 2019-06-07 15:03:40

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Emulating legacy iClass

You may not be getting any response from the reader if the reader is waiting for additional input before it processes the entered data and generates a response (e.g. beep/blink).
You didn't specify which reader you are using but if the reader uses a keypad or has a fingerprint sensor then it may be waiting for additional data such as a PIN entry or placement of a finger on the sensor.

As a test case, I copied the data you supplied above to a blank credential and presented it to several of my iclass readers. The cloned credential appeared to work fine so I am not sure why your reader is not responding.
If I decode your data (shown below) it appears that block 9 has the "reserved" PIN data set to all F's. Normally it is set to all 0's but it really shouldn't matter since the formatting information in Block 6 specifies a PIN length value of 0. This would typically indicate that a PIN is not being used.

|06| 030303030003E017
|07| 293392F34D24B706  00000020AC000787  (37-bit wiegand)
|08| 2AD4C8211F996871  0000000000000000
|09| 2BE7393CF8E71D7E  FFFFFFFFFFFF0000

Regarding the AA2 key, the value can be found in several places if you are resourceful. I always find that people are reluctant to post sensitive information on a forum but will usually accommodate an email request.

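An added example (not from the thread and not Proxmark3 client code) that applies carl55's two points to a dump file: it pads an AA1-only dump to the 256 bytes of a 2 KB legacy card with the 0xFF default, and classifies the AA2 region so that all-FF blocks read with Kd are reported as inconclusive rather than empty. The AA2 block range 0x12-0x1F is taken from post #2, blocks 6-9 of the sample are the values decoded in post #4, and every other block is a constructed zero-filled placeholder.

```python
# Added example, not Proxmark3 client code: sanity-check a legacy iClass dump.
# Layout assumptions (from carl55's posts): 8-byte blocks, a 2 KB card is
# 32 blocks = 256 bytes, AA2 occupies blocks 0x12-0x1F and defaults to 0xFF.
BLOCK_SIZE = 8
CARD_BYTES = 32 * BLOCK_SIZE
AA2_BLOCKS = range(0x12, 0x20)
DEFAULT_AA2 = b"\xff" * BLOCK_SIZE

# Constructed sample: an AA1-only dump (blocks 0-0x11). Blocks 6-9 are the
# values decoded in post #4; every other block is a zero-filled placeholder.
SAMPLE_AA1_DUMP = (
    bytes(6 * BLOCK_SIZE)                # blocks 0-5: placeholder, not on the page
    + bytes.fromhex("030303030003E017")  # block 6: formatting information
    + bytes.fromhex("293392F34D24B706")  # block 7: PAC data (37-bit Wiegand)
    + bytes.fromhex("2AD4C8211F996871")  # block 8
    + bytes.fromhex("2BE7393CF8E71D7E")  # block 9: "reserved" PIN data
    + bytes(8 * BLOCK_SIZE)              # blocks 0x0A-0x11: placeholder
)

def pad_dump(dump: bytes) -> bytes:
    """Pad a partial dump to 256 bytes using the AA2 default value 0xFF."""
    if len(dump) % BLOCK_SIZE:
        raise ValueError("dump is not a whole number of 8-byte blocks")
    if len(dump) > CARD_BYTES:
        raise ValueError("dump is larger than a 2 KB legacy card")
    return dump + b"\xff" * (CARD_BYTES - len(dump))

def block(dump: bytes, n: int) -> bytes:
    return dump[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

def classify_aa2(dump: bytes, authenticated_with_kc: bool) -> str:
    """Say what the AA2 region of a dump actually tells you.

    A read authenticated with Kd returns 0xFF..FF for AA2 regardless of the
    stored data, so all-FF AA2 blocks in a Kd dump prove nothing; only a
    Kc-authenticated read shows whether AA2 is really empty.
    """
    present = [n for n in AA2_BLOCKS if (n + 1) * BLOCK_SIZE <= len(dump)]
    if not present:
        return "aa2-missing"          # dump stops before block 0x12
    if any(block(dump, n) != DEFAULT_AA2 for n in present):
        return "aa2-has-data"         # something is stored there (needs Kc)
    return "aa2-empty" if authenticated_with_kc else "aa2-unknown-kd-masked"

if __name__ == "__main__":
    full = pad_dump(SAMPLE_AA1_DUMP)
    print(len(SAMPLE_AA1_DUMP), "->", len(full), "bytes")
    print("Kd dump:", classify_aa2(full, authenticated_with_kc=False))
    print("Kc dump:", classify_aa2(full, authenticated_with_kc=True))
```

The "aa2-unknown-kd-masked" result is the case exc3l hit: a Kd-only dump with blocks 13-31 reading FF is consistent with both an unused AA2 and a populated one.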

#5 2019-06-09 10:40:40

exc3l
Contributor
Registered: 2019-05-09
Posts: 5

Re: Emulating legacy iClass

carl55 wrote:

As a test case, I copied the data you supplied above to a blank credential and presented it to several of my iclass readers. The cloned credential appeared to work fine so I am not sure why your reader is not responding.
If I decode your data (shown below) it appears that block 9 has the "reserved" PIN data set to all F's. Normally it is set to all 0's but it really shouldn't matter since the formatting information in Block 6 specifies a PIN length value of 0. This would typically indicate that a PIN is not being used.

You are correct, there are no PIN codes on the readers (which I think are RW100's but I'm not sure).


carl55 wrote:

I copied the data you supplied above to a blank credential and presented it to several of my iclass readers.

The weird thing is that even if I try to emulate a blank card using hf iclass sim 0/1 the reader does not respond.

carl55 wrote:

Regarding the AA2 key, the value can be found in several places if you are resourceful. I always find that people are reluctant to post sensitive information on a forum but will usually accommodate an email request.

Do you mean the leaked iClass master key (i.e. 3F90xxxxxxxxxxxx)? This one does not seem to work, which I assume means the cards are high security/elite, correct?
I read up on it and it seems the only effective way to extract the AA2 key is to use a reader attack (which is actually a good thing since tomorrow I will be able to test with our security department if such an attack is detected in our system).


#6 2019-06-09 16:58:56

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Emulating legacy iClass

exc3l wrote:

The weird thing is that even if I try to emulate a blank card using hf iclass sim 0/1 the reader does not respond.

The sim 0/1 command does not perform any authentication with the reader. Since there is no successful authentication there will be no obvious response from the reader.

exc3l wrote:

Do you mean the leaked iClass master key (ie. 3F90xxxxxxxxxxxx)? This one does not seem to work, which I assume means the cards are high security/elite, correct?

The leaked HID Master authentication key allows access to AA1, not AA2. If you look at your first post it appears that you successfully authenticated with the reader using this leaked key (unpermuted version). Also, since you were able to dump the card data without using the dump command "e" option your credential is definitely not high security/Elite.

exc3l wrote:

I read up on it and it seems the only effective way to extract the AA2 key is to use a reader attack (which is actually a good thing since tomorrow I will be able to test with our security department if such an attack is detected in our system).

You cannot extract the AA2 key (Kc) using the sim 2/loclass reader attack. That attack only allows you to obtain the high security custom authentication key (Kcus) from a reader that has been configured to work in a high security/Elite mode. It will not work with a standard security reader which is what your system appears to use.


#7 2019-06-09 21:43:30

exc3l
Contributor
Registered: 2019-05-09
Posts: 5

Re: Emulating legacy iClass

I've sent you an email.
