Author @kitsunehunter 2023
This is a reworked text. You can find the original text here.
The collective notes on iCLASS SR / iCLASS SE / SEOS downgrade attacks.
This document targets both Proxmark3 and Flipper Zero devices.
Credential - an access token that acts as carrier of a SIO
SIO - Secure Identity Object
PACS - Physical Access Control System
PACS Payload - The binary encoded credential data.
Downgrade attack - Read the PACS payload off a SIO and encode it in a less secure legacy format
Omnikey - Official HID desktop reader used to read the PACS payload off iCLASS SE and SEOS cards
Weaponized reader - "DIY" Omnikey reader that performs the same job as the Omnikey using an actual HID reader you might find on a wall
NARD / SAM - SIM add-on for Flipper, used with a HID SAM to read iCLASS SE and SEOS
SAM - HID Secure Access Module, responsible among other things for encoding and decoding the PACS payload inside a SIO
T5577 - a low frequency multi-purpose card, used as the clone card
HID iCLASS Credentials tech primer
What does all data on my card mean?!
There is not much you can do with just a card and a Proxmark3 or Flipper Zero. There are no card-only attack vectors. There are reader/card vectors, but those are outside the scope of this note.
Your iCLASS SR/iCLASS SE/SEOS credential carries a SIO (Secure Identity Object) that stores your access control information, also known as the PACS payload. We will need to extract the SIO with one of the methods outlined below and write that data onto a Picopass or a T5577.
In short: we are downgrading from a secure credential to a less secure legacy format.
Unfortunately not all readers will have iCLASS legacy enabled, and on those readers the downgrade will not work. The good thing is that most readers are left in their default configuration with iCLASS legacy enabled, which allows us to easily take your secure credential and make a logical copy onto a less secure format. We can easily test whether the reader is standard keyed and will accept a credential downgrade attack with the steps below.
For the next steps, you will need a Proxmark3 or Flipper Zero device.
Present a standard keyed iCLASS legacy credential at the reader and see if it beeps. If the reader beeps, proceed to Write a downgraded iCLASS legacy credential.
Instructions: to check if your legacy credential is standard keyed.
PM3:
hf iclass dump --ki 0
If the dump succeeds, the card uses the standard key.
F0:
Picopass app > Read card
Check that the key shown is the standard key.
Install HID reader manager and register before proceeding
An Android phone with NFC is recommended for this next step, as an iPhone can only inspect readers that are Bluetooth enabled natively or have a BLE backpack installed as an add-on.
This method of inspection will not work if the reader has a MOB key or an ELITE key.
Reader inspection is only possible on official HID readers, not on third-party readers that use HID credentials.
Click "use NFC", hold the phone to the reader and follow the prompts. Click on "apply template".
Click on the plus button.
Click on "credentials".
Make sure the switch for iCLASS is switched on (blue).
If you have successfully confirmed that iCLASS legacy is switched on, proceed to the next step.
You can verify that the low frequency Prox II is enabled by using one of the following methods:
apps > tools > RFID detector
and make sure the RFID symbol is active.
Below are two dump files provided for easy testing.
How to restore the dump files on each device.
PM3
hf iclass restore -f hf-iclass-dump.json --ki 0
F0
qflipper > SD card > apps data > picopass
Test files, if needed.
Instructions: once you have loaded the file and started the simulation, hold the device to the reader. If it beeps, proceed to Write a downgraded iCLASS legacy credential.
PM3
hf iclass eload -f hf-iclass-dump.json
hf iclass sim -t 3
F0
qflipper > SD card > apps data > picopass
drop iclass-flipper.picopass file here and simulate on Flipper
encoder.cfg
config file
Prerequisite: you must already have a NARD add-on board and a HID SAM.
If not, you can buy a kit from the RTA webshop.
Follow these steps:
If the credential is iCLASS, use "read picopass".
If the credential is SEOS, use "read 14443A".
Note! This method involves more technical steps and wiring, and is recommended for advanced users. If this is your first time with RFID technology and downgrade attacks, we suggest either of the two options above.
Prerequisite: you will need the following bill of materials (BOM).
The easiest way is to buy an ESPKEY.
Follow these steps:
Wire Data 0, Data 1, Ground and Power from the reader to the respective terminals on the ESPKEY.
IT IS ABSOLUTELY NECESSARY THAT THE READER AND ESPKEY SHARE THE SAME GROUND, EVEN IF YOU ARE POWERING THE ESPKEY AND THE READER SEPARATELY.
Connect to 192.168.1.1 for the interface.
Open log.txt and copy the binary string WITHOUT the preamble.
hf iclass encode --bin <COPIED BINARY STRING> --ki 0
to encode the PACS payload onto an iCLASS legacy card.
Note! Downgrading to a T5577 will only work if the reader has low frequency (125 kHz) / Prox II enabled. A good indicator to look out for is the "multiCLASS" sticker on the reader.
wiegand decode --bin <raw PACS binary>
Below is example syntax; you will use your specific card information gathered in the previous step.
lf hid clone -w c1k48s --fc 69 --cn 69420
lf hid reader
to verify the output.
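The `wiegand decode` step above turns the raw PACS bit string into a facility code and a card number. As an added example, not code from the original notes or from the Proxmark3 project, the Python below does the same for the 26-bit H10301 format and verifies both parity bits, so a reader auditing a downgraded payload can see exactly what a legacy credential carries: an 8-bit facility code, a 16-bit card number and two parity bits, with nothing that binds the data to a particular card. The example deliberately uses H10301 rather than the 48-bit Corporate 1000 format in the page's own `lf hid clone` line, and the facility code 69 / card number 1234 values are constructed for the demonstration.

```python
"""Decode and encode HID H10301 (26-bit Wiegand) PACS payloads with parity checks.

H10301 layout (bits numbered 1..26 left to right):
  bit 1      even parity over bits 2-13
  bits 2-9   facility code (8 bits)
  bits 10-25 card number (16 bits)
  bit 26     odd parity over bits 14-25
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class H10301:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def _ones_mod2(bits: str) -> int:
    """Number of '1' characters in the string, modulo 2."""
    return bits.count("1") % 2


def decode_h10301(raw: str) -> H10301:
    """Parse a 26-character binary string; raise ValueError on bad length or parity."""
    raw = raw.strip()
    if len(raw) != 26 or set(raw) - {"0", "1"}:
        raise ValueError("expected a 26-character binary string")
    # Leading parity bit plus bits 2-13 must contain an even number of ones.
    if _ones_mod2(raw[0:13]) != 0:
        raise ValueError("even parity check failed on the leading half")
    # Bits 14-25 plus the trailing parity bit must contain an odd number of ones.
    if _ones_mod2(raw[13:26]) != 1:
        raise ValueError("odd parity check failed on the trailing half")
    facility_code = int(raw[1:9], 2)
    card_number = int(raw[9:25], 2)
    return H10301(facility_code, card_number)


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26-bit string for a facility code / card number pair."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must fit in 8 bits, card number in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    lead = _ones_mod2(data[:12])        # makes the first 13 bits even
    trail = 1 - _ones_mod2(data[12:])   # makes the last 13 bits odd
    return f"{lead}{data}{trail}"


if __name__ == "__main__":
    # Constructed sample values for the demonstration (not from a real card).
    sample = encode_h10301(69, 1234)
    print("encoded :", sample)
    print("decoded :", decode_h10301(sample))
    # A single flipped bit is caught by the parity check.
    corrupted = ("1" if sample[0] == "0" else "0") + sample[1:]
    try:
        decode_h10301(corrupted)
    except ValueError as err:
        print("rejected:", err)
```

Only the two parity bits protect the payload, and they catch transmission errors, not substitution: any syntactically valid 26-bit string decodes to some facility code and card number, which is why a reader that accepts the legacy format has no way to tell a downgraded copy from the original.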
save RFID option