iClass card used for laundry credit

Hi everyone.

I have a laundry card that seems to hold the credit for use with the machines. The reason I think the value is on the card rather than a key is that we have to purchase the credit online then tap it to a machine in the laundrette with a top up code. I have no experience using iClass tags and from what I can see they look quite secure. Purely hypothetically speaking, would it be possible to either directly change the credit value stored on the card, or make a backup of the card, then use it and restore the card to its original state (rolling back to the original credit)?

Thanks.

I have attached info about the card below.

[=] --------------------- Tag Information ----------------------
[+]     CSN: 59 4A E9 05 09 00 12 E0  uid
[+]  Config: FF FF FF FF 79 1F FF 3C  card configuration
[+] E-purse: FF FF FF FF 51 04 F9 FE  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: 47 49 46 4C 41 53 48 31  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: FF FF FF FF 79 1F FF 3C
[=]          FF.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      79.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 255 ( 0x06 - 0xFF ) - 250 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit or credit
[=]     Read B....... debit or credit
[=]     Write A...... credit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... outside HID range
[+]     Card type.... PicoPass 2K
[usb] pm3 -->

While we’re happy to help with RFID-related questions, I really don’t think anyone here is going to help you steal money from anyone. There’s a lot of documentation out there, but it’s hard to offer help when we know what you’re (hypothetically) planning to do with it.

1 Like

I do not plan on stealing money at all. I am just curious about the workings of how they store a value on the card and keep it secure. Hypothetically outside of brackets on purpose :). Sorry if this didn’t come across in the initial post but I just want to mess about with it, with no ill intentions. I am still convinced it seems weird that it would be stored as a simple text value on the card so probably not even possible anyways.

Value is probably not stored on the card itself. What’s probably happening is that there’s a code on the card that is considered the “key” in a relational database that stores the values itself.

It’s like how the money you have in a bank account isn’t actually stored on your card, your card is the thing that authorizes you to pay money.

If you wanted to check though, use

hf ic dump --ki 0

Before and after scanning/topping up the card. It looks like the card is not write-locked, though I could be wrong. If nothing happens, replace the 0 with a 1, 2, or 3.

@NinjuhhNutz, any thoughts?

Thanks for the help.

The only thing making me think the value is actually stored on the card is the fact you need a coupon code which they give you on the website and then have to go into the laundry room and scan it to a machine and enter the code to top it up. If it was just a key I don’t see why they couldn’t update the database straight from the website.

I tried the hf ic dump --ki 0, 1, 2 and 3 however nothing worked. I kept getting the following error with each one:

[usb] pm3 --> hf ic dump --ki 3
[+] Using AA1 (debit) key[3] 00 00 00 00 00 00 00 00
[!] AA1 config is >= card size, using card size as AA1 limit
[=] Card has 1 application area. AA1 limit 31 (0x1F)
.
[!!] failed to communicate with card

The output of hf ic managekeys -p produces this so I am not sure if I am missing keys that should be here by default or not…

[usb] pm3 --> hf ic managekeys -p

[=] idx| key
[=] ---+------------------------
[=]  0 | AE A6 84 A6 DA B2 32 78
[=]  1 | 76 65 54 43 32 21 10 00
[=]  2 | F0 E1 D2 C3 B4 A5 96 87
[=]  3 |
[=]  4 |
[=]  5 |
[=]  6 |
[=]  7 |
[=] ---+------------------------

Thanks again :smiley:

There are chips that have “electronic purse” applications. A classic example is the DESFire series of chips, but others have this as well. Basically you define a “purse” application on the card and a chunk of memory is taken and used as a digital purse. Often times the amounts are not encrypted in any way really, just stored in some arbitrary format… but secure keys are needed to increment the purse value (top up) and decrement the purse value (spend). You cannot directly write to the memory space defined as a digital purse application.

Often times these keys are separate and not shared by the equipment… so basically the “top up” machine that accepts cash and puts the value on the card will read the value, display it on the screen, and then control how much can be loaded on the card from there. The top-up process is literally just “add X value” and the card itself handles the actual process of incrementing the value of the purse… the application side in the top-up machine does not actually change the value stored on the card directly.

Likewise, the laundry machines have the “spend” key on them and use that to decrement the purse value some amount. Of course, to keep things secure and separate, the card handles the decrement process as well, until it cannot be decremented enough (not enough funds) and errors. By keeping direct access to the memory contents off limits for a purse application, this approach secures the purse so that if someone grabbed a laundry machine they would not get any cash out of it, and even if they somehow got the key out of it, they could not use that key to steal additional laundry services. It also means the only machine that needs beefed-up security is the top-up machine (physical access, digital vulns, protecting the cash, etc.), which is far less expensive than putting that effort into all the laundry machines. Finally, the purse application on the chip also reduces costs because the laundry machines don’t need to be networked or connected to some database… it’s really a simple system designed for and around the idea of keeping digital purse applications cheap and affordable to operate.

3 Likes

Wow, thank you for the informative response. That seems simple but very effective. Just to clarify: will the top-up unit use the key to change the format of the top-up amount for it to be decrypted by the card, or does it just send the key and the amount separately to verify it’s valid?

Yeah, it just goes through an auth process, then once authenticated it just sends an increment command along with a value to add to the purse. It can’t even set a total value for the purse, it can only tell the card how much to add. The card’s purse application is the actual thing changing the stored value in memory.

Same for the laundry machines but in reverse.
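
The purse design described in the replies above, as an added sketch that is not part of the original thread and is not the iCLASS/PicoPass protocol: a card-side model where terminals authenticate and then send only an amount, with the debit/credit rights taken from the KeyAccess lines in the tag output. HMAC-SHA256 stands in for the card's own cipher, and all names (PurseCard, login, mac) are hypothetical.

```python
import hashlib
import hmac
import os


def mac(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()


class PurseCard:
    """Card-side purse model: terminals send amounts, never a new balance."""

    def __init__(self, debit_key, credit_key, balance=0):
        self._keys = {"debit": debit_key, "credit": credit_key}
        self._balance = balance
        self._challenge = self._role = None

    def get_challenge(self):
        self._role = None        # a fresh challenge ends any earlier session
        self._challenge = os.urandom(8)
        return self._challenge

    def authenticate(self, role, response):
        challenge, self._challenge = self._challenge, None   # single use
        if challenge is None or role not in self._keys:
            return False
        if hmac.compare_digest(mac(self._keys[role], challenge), response):
            self._role = role
        return self._role == role

    def debit(self, amount):
        # Per the KeyAccess table: debit is allowed with the debit or credit key.
        if self._role not in ("debit", "credit"):
            raise PermissionError("debit needs an authenticated session")
        if amount <= 0 or amount > self._balance:
            raise ValueError("bad amount or insufficient funds")
        self._balance -= amount
        return self._balance

    def credit(self, amount):
        if self._role != "credit":
            raise PermissionError("credit needs the credit key")
        if amount <= 0:
            raise ValueError("bad amount")
        self._balance += amount
        return self._balance


def login(card, role, key):
    return card.authenticate(role, mac(key, card.get_challenge()))
```

A session opened with the debit key can only lower the balance, which is why the key held by each laundry machine is of no use for adding credit.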

I see. Thank you for explaining, it’s very interesting :).

1 Like

One of the techniques listed in this video may work. Educational purposes only.

The hacker’s best friend, or uhh I mean an educator’s best friend.

2 Likes