Trying To Clone A HID iClass Legacy Card

The Mission:


Hello people! Having obtained a ProxMark3, I’ve spent quite a bit of time scouring internet forums in an attempt to clone my apartment card so I can switch to a key fob. This brought me to the Dangerous Things forum. I then discovered the flexClass! So I now have a mission… if I can clone my card to a fob, I’ll be upgrading to the implant.

Unfortunately this is no easy feat. This very forum is littered with posts about people attempting very similar things… without success. I figured I’d begin a thread involving a step by step process.

Get The Hardware:


Here’s a breakdown of the involved hardware:

  • ProxMark3 Easy With Iceman Firmware (Not Shown)
  • HID iClass Legacy Card x2 (Apartment Access)
  • HID iClass Legacy Fob (Blank)
  • HID iClass SE R10 Reader

HID iClass Legacy Card
HID iClass Legacy Fob
HID® iClass SE R10 Reader

Update The ProxMark3:


To ensure everything was up to date, I got the latest ProxSpace build from https://proxmarkbuilds.org/. I found the website provided the latest official firmware build as a simple Windows installation.

Check The Firmware Version:


command: hw version

Triple checking that the firmware updated successfully to v4.18341. It did.

[ Proxmark3 RFID instrument ]

[ Client ]
 Iceman/master/v4.18341-35-gab984c5fd-suspect 2024-04-07 01:42:26 ebc6fe650
 compiled with............. MinGW-w64 13.2.0
 platform.................. Windows (64b) / x86_64
 Readline support.......... present
 QT GUI support............ present
 native BT support......... absent
 Python script support..... absent
 Lua SWIG support.......... present
 Python SWIG support....... absent

[ Proxmark3 ]
 firmware.................. PM3 GENERIC

[ ARM ]
 bootrom: Iceman/master/v4.18341-35-gab984c5fd-suspect 2024-04-07 01:42:03 ebc6fe650
      os: Iceman/master/v4.18341-35-gab984c5fd-suspect 2024-04-07 01:42:15 ebc6fe650
 compiled with GCC 12.2.0

[ FPGA ]
 fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
 fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
 fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
 fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31

[ Hardware ]
 --= uC: AT91SAM7S512 Rev A
 --= Embedded Processor: ARM7TDMI
 --= Internal SRAM size: 64K bytes
 --= Architecture identifier: AT91SAM7Sxx Series
 --= Embedded flash memory 512K bytes ( 62% used )

Check The HF Antenna:


command: hf tune

Placing the card underneath the ProxMark3’s High Frequency (HF) antenna, I was able to find a sweet spot on the card with a voltage drop of 4,500 mV (14.5V to 10V).

Search For The Card:


command: hf search

I was already aware that my apartment complex card was an HF HID iClass. Thankfully this command confirmed it.

[+] iCLASS / Picopass CSN: 82 D1 42 10 FE FF 12 E0
[+] Valid iCLASS tag / PicoPass tag found

Read The Card:


command: hf iclass info

Ok, reading the card revealed it as an iClass Legacy card. The ProxMark3 gave me a full summary of the card structure.

[=] --- Tag Information ----------------------------------------
[+]     CSN: 82 D1 42 10 FE FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: C4 E9 FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- Card configuration --------------------
[=]     Raw... 12 FF FF FF 7F 1F FF 3C
[=]            12 (  18 ).............  app limit
[=]               FFFF ( 65535 )......  OTP
[=]                     FF............  block write lock
[=]                        7F.........  chip
[=]                           1F......  mem
[=]                              FF...  EAS
[=]                                 3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read AA1..... debit
[=]     Write AA1.... debit
[=]     Read AA2..... credit
[=]     Write AA2.... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

Understand The HID iClass Structure:


Reading the 2011 journal article “Cryptanalysis of INCrypt32 in HID’s iCLASS™ Systems” teaches me the card’s memory structure. When reading the memory section the ProxMark3 spat out, I can see the card’s 256 bytes of memory have been broken into 32 blocks (0 to 31). As per the article, these blocks do the following:

Block   Data                      Function
0       Card Serial Number        Involved in the anti-collision procedure
1       Configuration Data        Security option, application limit for secured page, and read/write access
2       Stored Value Area         Electronic purse
3       Key 1 (Kd)                Secret key (derived from HID's master key & the Card Serial Number)
4       Key 2 (Kc)                Secret key (derived from HID's master key & the Card Serial Number)
5       Application Issuer Data   ?
6-18    Application Area 1        Data protected by key 1 (Kd)
19-31   Application Area 2        Data protected by key 2 (Kc)

My understanding is that blocks 0 to 2 are used for the card to interact with the reader, and blocks 3 and 4 are used by the reader to ‘unlock’ anything in the application areas. So far I have no idea what block 5 does. I shouldn’t modify blocks 0 to 5 in any way, as general forum consensus suggests changing their values will brick my card.

@philidelphiaChickens’s thread “So You Want To Implant An HID Card” mentions that blocks 6 to 9 are ‘generally’ the non-secure blocks that I can adjust for the purposes of cloning the card.

Attempt To Dump The Whole Card To Memory:


command: hf iclass dump --ki 0
command: hf iclass dump --ki 1
command: hf iclass dump --ki 2
command: hf iclass dump --ki 3

No dice! I was unable to pull any information off the card using any of ProxMark3’s stored keys.

Attempt To Read The Card’s “Block 7” To Memory:


command: hf iclass rdbl --blk 7 --ki 0
command: hf iclass rdbl --blk 7 --ki 1
command: hf iclass rdbl --blk 7 --ki 2
command: hf iclass rdbl --blk 7 --ki 3

Also a fail. None of the stored keys worked for reading the block.

Check With Other Cards:


To ensure the ProxMark3 wasn’t the problem, I did the following:

  • The second card: The same results, so neither apartment card can be read.
  • The iClass Legacy fob: The dump was successful, as was the individual block reading.

Check The Card Reader:


command: hf iclass sim -t 2
command: hf iclass loclass -f iclass_dump.bin

I took my laptop with the ProxMark3 connected, and ran the sim command with the ProxMark3 up against the HID iClass SE Express R10 reader in my apartment. After a few attempts I was able to complete a loclass attack and get a dump file. Unfortunately the loclass command timed out without providing results.

Currently Stuck:


Bear in mind, up to this point everything I’ve learnt and tried has come from reading forums. It may not seem like much, but I’m pulling myself up by my bootstraps.

Some things I need to investigate further are:

Can anyone suggest what to try next?

2 Likes

Can you give hf iclass chk -f iclass_default_keys.dic a try?

There’s also an iclass_elite_keys.dic you could try.

2 Likes

Thanks @Aoxhwjfoavdlhsvfpzha, I’ll give it a try after I’ve looked into the card’s structure (walk first, run later).

Edit: I’ve added “Understand The HID iClass Structure” to what I’m hoping will eventually be a walkthrough for future forum members.

1 Like

Hey. So moving on with my research…

Attempt To Dump The Whole Card To Memory:


Using the ‘dump’ command instructs the ProxMark3 to read all the card data and save that data to file (both a .bin and a .json file). To do this, an 8-byte hexadecimal key is required. The software already comes with a set of keys that can be viewed with the following command.

command: hf iclass managekeys -p

[=] idx| key
[=] ---+------------------------
[=]  0 | AE A6 84 A6 DA B2 32 78
[=]  1 | FD CB 5A 52 EA 8F 30 90
[=]  2 | F0 E1 D2 C3 B4 A5 96 87
[=]  3 | 76 65 54 43 32 21 10 00
[=]  4 |
[=]  5 |
[=]  6 |
[=]  7 |
[=] ---+------------------------

Adding the ‘ki’ parameter with a number at the end (‘2’ for example) instructs the ‘dump’ command to use the corresponding key, and attempt to access the card.

command: hf iclass dump --ki 0
command: hf iclass dump --ki 1
command: hf iclass dump --ki 2
command: hf iclass dump --ki 3

What I’m not sure on:

  • What are these keys?
  • Where did they come from?
  • How are they used by the ProxMark3 to access the card?

Is there a paper somewhere that explains this?

1 Like

They’re like a password for the chip; the chip won’t communicate with a device that doesn’t know the password.

Two answers for this one:

  1. The keys come from HID, the company that manufactures the cards

  2. The RFID Hacking community got them by hacking a lot of cards and readers. If you want to know more about this step, look into the iClass “Heart of Darkness” exploit, it’s very neat.

If you’re looking for a raw breakdown of the technical side, I’m not the best guy for it, but basically the PM3 passes the “codephrase” to the chip so the chip knows it’s authorized to talk to the PM3.

There are papers on the various exploits in some form or another, but unfortunately HID would have you believe these were secure cards, so they don’t publish much data about the cards themselves that would be helpful here in one place.

1 Like

Thanks so much! I’ll have some reading to get through at work tomorrow.

1 Like