Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Does anyone have iClass SE readers / writers or associated software etc...?
900NNNNAK20000
It was back in February 2012. Are you looking for a specific revision ?
Last edited by app_o1 (2014-05-19 14:29:39)
Not necessarily but at this point in time any information can be useful.
I have been working with a few readers (such as the 900 series). Things I've noticed are that there are conflicting reports from people on what is contained within the new SE readers.
From my own research I know that the CLRC663 is being used in the R10SE readers.
carl55 has recently posted that the R40SE is using PicoRead labelled ICs. I was not aware that these ICs supported SEOS, DESFire EV1, ...
I have uncovered SNMP keys and salts for the Omnikey readers/programmers at this stage.
I will try to find out what IC it is hiding.
It was a SE RevB.x
CORE FW : frw0009
Yours too ?
Last edited by app_o1 (2014-05-12 13:38:59)
Unfortunately the product sticker for the iClass SE R40 reader that I tore down was misplaced so I don't know the details of the reader. However, I do believe that the part number was 920NNNNAK00000. Below are the top and bottom photos of the circuit board. The PCB is marked as "R40 ARTEMIS 47-0402-01 Rev4"
Thanks for your photos carl55.
I have been busy working on this in my spare time... which I don't seem to have much of anymore.
Here are some happy snaps of my own...
iCLASS SE R10 - 900NTNTEG00000 Rev E
I also have photos of the SE-OSDP modules, different OK5427 readers / programmers.
Things I have discovered...
The R10 contains an 'Artemis SAM', LPC1227 and CLRC663.
The programmers have the same 'Artemis SAM'.
Readers contain iCLASS, MIFARE, DESFire, SEOS and other keys.
I have acquired all sorts of interesting software, cards and firmware.
There are two types of cards I've seen so far. It looks like there are three in total.
* READER MAPPER
* ELITE PREP
* READER CONFIGURATION
...Still looking at it. I'll report back what I can as I go.
Thanks for the information. That is very interesting!
So from your photo it looks like the newer RevE iClass SE readers have been redesigned to use the new NXP PR600 chip that integrates both the ARM Cortex microcontroller die and the 13.56 MHz contactless transceiver die into a single 100-pin LQFP package.
That will make things a little more difficult to reverse engineer since the communication path between the two parts is now inside the chip. That functional integration and the fact that they are solidifying their key storage makes me feel that HID is trying real hard to make it more difficult for us to crack the SE technology.
Keep us informed as you learn more.
Good news is that the datasheets on the 100-pin LQFP clearly state that the dies are separate and the pins are broken out.
HID are calling programmers 'encoders' now. The CP1000 appears to be an OK5427 with an 'Artemis SAM'. I don't see why you couldn't use the OK5427 to program cards without the SAM (if you had the know-how).
OK5427 downloads...
http://www.hidglobal.com/drivers?field_ … 513&os=All
I can't see anything useful here... yet.
Encoder downloads...
http://www.hidglobal.com/drivers?field_ … All&os=All
Download everything on this page. There are plugins / Zip archives (viewable, passworded) with very interesting contents.
You will laugh when you discover the password.
CP1000 Quick start guide...
http://www.hidglobal.com/sites/hidgloba … -in-en.pdf
CP1000 Use case examples...
https://www.hidglobal.com/sites/hidglob … -an-en.pdf
+1
Last edited by app_o1 (2014-07-04 15:41:57)
Hey 0xFFFF and carl55,
Did either of you figure out the pin layout of the white connector socket on the back? It would be nice to have an overview of all the pins, and where they connect to.
Secondly, could you explain how to remove the epoxy from the readers? What type of chemical is the best approach?
Thanks a lot!
To answer your question, No, I have not done any mapping of the 30-pin Molex debug connector that is used on the iClass SE readers. Since the reader that I broke down was one of the old original SE readers I didn't spend much time looking at it. I assumed that the newer (RevE) readers have made some major design changes and my time would be better spent looking at one of those when time permits. I have been spending what little time I do have trying to analyze the new iclass Secure Identity Object (SIO) data structure and the modified SE communication sequences.
Regarding your question about how I de-potted the reader ...
The iclass SE readers appear to use two different materials in the encapsulation process. There is one softer type of potting compound that is used around the electronic components and a more rigid (almost crystallized) type of compound that appears to be used to secure it to the plastic case.
I personally did not use any chemicals at all although that may be a better approach if you know what you are doing (I don't).
As the first step, I simply cut off the plastic case and rigid crystalline potting material using a small rotary tool (Dremel) with an abrasive cutoff wheel.
The softer material that surrounds the actual components was then removed using a soldering iron with a small pointed tip. The heat of the soldering tip does not melt the material but it does seem to allow it to be easily chipped away in small pieces. The heat seems to almost make it fracture and crumble so it can be easily carved away. It took me about three to four hours to get the circuit board down to what was shown in the picture in my post above. Believe it or not, the reader actually continued to work until I was about 98% done, before I accidentally broke off a small (0402) passive component.
De-potting potted things...
Buy a 1L bottle of acetone from the local hardware store. (You don't really need that much)
Fill a glass container with enough acetone to submerge the potted thing. I use an airtight sealable glass container.
Remove what you can from the potted thing. e.g. Stickers, plastic outer shell,... (I use a CNC to mill away some of the material)
Place the potted thing in the glass container and place the container somewhere safe - Away from children, heat, light...
Remove the thing 24 hours later. Break off any loose potting compound you can. Most of this can be done by hand and maybe with a little assistance from some hand tools.
Depending on the size of the thing and the potting compound used you should be able to get down to the PCB in a day or two. Results vary.
Notes for the iCLASS readers I have worked on:
iCLASS R10:
It took over a week to remove the potting compound. In the end the reader was no longer functional. I suspect the acetone destroyed some components. I never looked into it.
iCLASS R10 SE:
The reader was insanely easy to remove the potting compound and get to the PCB. Just like carl55, I accidentally broke off some components and as a result, the reader did not function correctly. I have since repaired the reader. It only took me 24 hours.
Forgot about the header. The plug you're looking for is the Hirose 30-pin 0.5 mm SMD connector. Part number is DF-12-30DS-0.5V.
I can work on the pinout but instead I have been working on some VERY interesting HID vulnerabilities.
Wow, thank you both for the extensive quick reply!
I'll try my luck then with peeling off the material and throwing it in acetone if needed.
Regarding the header, I totally understand that documenting 30 pins is no joy! However, I'm actually mostly interested in two facts.
1. Is UART0 of the LPCxxxx chip broken out (RX and TX, but also whether RTS and DTR are available)? The last two can force the microcontroller to fall back into ISP serial programming mode.
2. Are the JTAG pins broken out?
The datasheets of the used microcontrollers are publicly available, so if you could verify these two sets of pins, I would be extremely grateful!
Thanks a lot again, best regards.
...umm. It's been a while.
No surprise, this is a multilayered board. I've sacrificed a reader to make following traces easier...
If anyone has any experience with removing the solder mask, I'd like to hear what method(s) you use. Ideally I'm looking for a chemical process.
This IC is going for a swim...
OK. So the HID IC-0048 -01B 0813 is an INFINEON M8830-B1
Here's a happy snap of the LPC122x...
...And the 663 that is the other half of the PR600HL...
The dies are not connected internally. Each individual pin is exposed on the LQFP100.
Impressive bro!
Thanks
I'm glad to get back into the action again.
I think SWD is on P100 pins 14, 16 & 18. Have a look at the first photo in #15.
I think the first column is wrong as these pins were taken from a PDF I found online for the PR601. The pins probably moved between 600 & 601?
Signal             LPC122x pin   600HL pin   P100
SWCLK              PIO0_18       9           ?
SWDIO              PIO0_25       85          14
Reset              PIO0_13       4           18
SWCLK alt          PIO0_26       86          16
SWDIO alt          PIO1_2        15          Test pad near U302
                   PIO0_1        92          7
                   PIO0_2        93          9
VDC behind diode                             11, 13
5VDC                                         15, 17
                   PIO0_28       89          23
                   PIO0_11       2           27
                   PIO0_10       1           29
I've updated the pastebin.
More information on the SLE88CFX4000P / m8830:
Evaluation Documentation
Datasheet
Can't seem to find where P100 pins 1, 3, 5 & 21 go. Probably NC.
Updated details in posts above.
Any updates on this forum???
Last edited by innocent_ethical (2018-12-04 12:55:28)
Any updates to this forum??
It is an impossible task to duplicate the iClass SIO cards. Time to give up, bro....
innocent_ethical wrote: Any updates to this forum?? It is an impossible task to duplicate the iClass SIO cards. Time to give up, bro....
Mate, just because you don't know doesn't mean it's not possible; it's been out there for a while already.
yukihama wrote:
innocent_ethical wrote: Any updates to this forum?? It is an impossible task to duplicate the iClass SIO cards. Time to give up, bro....
Mate, just because you don't know doesn't mean it's not possible; it's been out there for a while already.
Thanks, pal, but according to Carl55 and Iceman, there is no way to copy or crack the iClass SIO cards.
Any clues to share? ^_^ I am grateful for your kind guidance. ^_^
It's just not solved right now, is what I believe @brantz is saying. Doesn't mean it will remain unsolved...
brantz wrote:
yukihama wrote: It is an impossible task to duplicate the iClass SIO cards. Time to give up, bro....
Mate, just because you don't know doesn't mean it's not possible; it's been out there for a while already.
Thanks, pal, but according to Carl55 and Iceman, there is no way to copy or crack the iClass SIO cards.
Any clues to share? ^_^ I am grateful for your kind guidance. ^_^
Basically, to clone an iClass fob, most of the time we need to know its facility code, card number and the card format. If you know this information plus the target reader's authentication key, technically you can program one with the known information using the proper equipment.
Yeah, you are right; in this case it's not really duplicating, it's programming one with the same information.
Last edited by brantz (2018-12-14 11:15:50)
Basically, to open any iClass door, just cut the power to the door and the door is unlocked... LOL
Yeah, you are very right and very humorous.
brantz wrote: Basically, to clone an iClass fob, most of the time we need to know its facility code, card number and the card format. If you know this information plus the target reader's authentication key, technically you can program one with the known information using the proper equipment.
Basically, to open any iClass door, just cut the power to the door and the door is unlocked... LOL
Question — since the iClass SE readers all now contain the "Artemis SAM", presumably the key material is no longer stored in the firmware but rather in the SAM? Obviously that makes it that much harder to dump the keys, but just curious.
Answer — SLE88 / SAM is in all iClass SE readers. The keys you are looking for are stored on it. The security offered by this change is as good as the implementation.
Dumping the firmware gives a few answers but not the keys you're looking for. So it's probably not worth your time and effort.
More information on the SAM (in card form) here - https://www.hidglobal.com/products/embedded-modules/iclass-se/sio-processor
...Or you can just pop open a reader and mount the SLE88 IC on to something with a PC/SC interface.
Thanks!
Good to know.
Another interesting question..... is anyone here familiar with the "iClass SE Seos Profile" readers, that apparently exclusively support Seos?
I'm curious if there is a way to reset/downgrade those readers to support normal iClass SE (and other HF technologies) also. Looking at HID docs they have their own separate type of config cards also, not sure how/if that complicates things.....
They are capable. There are a few ways to reconfigure them. The most common method is using a configuration card.
The configuration cards change due to the firmware, existing configuration, etc...
Interesting... I figured it would be something config-card related.
My understanding is that in general, iClass SE reader config cards use the iClass SE technology.
iClass SE "Seos Profile" readers (at least officially) only support Seos technology, which might explain why HID sells separate config cards for them that presumably use Seos tech.
I'm guessing to convert/downgrade it to support iClass SE (and other HF technologies), you'd need a Seos config card that tells the reader to start supporting iClass SE again? Do you know if that type of config card officially exists / is sold by HID, or if you'd need to program something custom using e.g. a CP1000 encoder?
Thanks!
HID configuration cards are a mix of different technology types. Depends on the application / requirements.
Recently been informed that HID are trying to push SEOS readers at a lower cost. Not sure how well they are going but my opinion (for now) is stay away.
Yet another proprietary system. No certifications or standards testing as far as I can tell. You're locked in.
"Seos adheres to best practices for data protection and widely reviewed open standards..."
Don't necessarily need an encoder or configuration cards as far as I'm aware. I'm making an educated guess here, I could be wrong. Need to get my hands on one (preferably two) for proper analysis.
Yeah I saw that recently with what they are calling their "iClass SE Express" reader https://www.hidglobal.com/products/readers/iclass-se/iclass-se-express-r10.
Under the hood I'm curious how that differs from the "iClass SE Seos Profile" readers they have been selling for a while.
I think we all are interested in SEOS inner workings. So far there are pieces here and blobs there, all based on Carl55's and 0xFFFF's findings.
Demystifying SEOS is on my list of things that would be nice to achieve in this lifetime.
Being able to pursue interesting subjects like this depends on my free time and finances.
That's a serious limit since you don't have any spare time, bro.
Ha Ha! I know!
That's why I don't post as often as I'd like.
Time spent not researching stuff is valuable time lost.
Since it's your goal and I'm sure a lot of people's interest, could we coordinate a shared document or wiki where we could pool all our knowledge about SEOS?
Last edited by Hain (2020-06-19 11:45:46)
Nice idea.