Proxmark3 community


#1 2014-05-06 07:39:54

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

iClass SE / SEOS...

Does anyone have iClass SE readers / writers or associated software etc...?

Offline

#2 2014-05-12 07:34:44

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: iClass SE / SEOS...

900NNNNAK20000
It was back in February 2012. Are you looking for a specific revision?

Last edited by app_o1 (2014-05-19 14:29:39)

Offline

#3 2014-05-12 08:05:16

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Not necessarily but at this point in time any information can be useful.

I have been working with a few readers (such as the 900 series). Things I've noticed are that there are conflicting reports from people on what is contained within the new SE readers.
From my own research I know that the CLRC663 is being used in the R10SE readers.
carl55 has recently posted that the R40SE is using PicoRead labelled ICs. I was not aware that these ICs supported SEOS, DESFire EV1,...

I have uncovered SNMP keys and salts for the Omnikey readers/programmers at this stage.

Offline

#4 2014-05-12 13:37:08

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: iClass SE / SEOS...

I will try to find out what IC it is hiding.

It was a SE RevB.x
CORE FW : frw0009

Yours too?

Last edited by app_o1 (2014-05-12 13:38:59)

Offline

#5 2014-05-12 15:22:26

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: iClass SE / SEOS...

Unfortunately the product sticker for the iClass SE R40 reader that I tore down was misplaced so I don't know the details of the reader. However, I do believe that the part number was 920NNNNAK00000. Below are the top and bottom photos of the circuit board. The PCB is marked as "R40 ARTEMIS 47-0402-01 Rev4"

[Image: iClass SE R40 PCB-Front]
[Image: iClass SE R40 PCB-Back]

Offline

#6 2014-07-03 13:18:20

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Thanks for your photos carl55.
I have been busy working on this in my spare time... Which I don't seem to have much of any more.

Here are some happy snaps of my own...

iCLASS SE R10 - 900NTNTEG00000 Rev E
[Image: PCB Populated Bottom.jpg]
[Image: PCB Populated Top.jpg]

I also have photos of the SE-OSDP modules, different OK5427 readers / programmers.

Things I have discovered...

  • The R10 contains an 'Artemis SAM', LPC1227 and CLRC663.

  • The programmers have the same 'Artemis SAM'

  • Readers contain iCLASS, MIFARE, DESFire, SEOS and other keys

I have acquired all sorts of interesting software, cards and firmware.

There are two types of cards I've seen so far. It looks like there are three in total.
* READER MAPPER
* ELITE PREP
* READER CONFIGURATION

...Still looking at it. I'll report back what I can as I go.

Offline

#7 2014-07-03 22:28:11

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: iClass SE / SEOS...

Thanks for the information. That is very interesting!
So from your photo it looks like the newer RevE iClass SE readers have been redesigned to use the new NXP PR600 chip that integrates both the ARM Cortex microcontroller die and the 13.56 MHz contactless transceiver die into a single 100-pin LQFP package.
That will make things a little more difficult to reverse engineer since the communication path between the two parts is now inside the chip. That functional integration and the fact that they are solidifying their key storage makes me feel that HID is trying real hard to make it more difficult for us to crack the SE technology. :)

Keep us informed as you learn more.

Offline

#8 2014-07-04 15:29:52

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

carl55 wrote:

That will make things a little more difficult to reverse engineer since the communication path between the two parts is now inside the chip.

Good news is that the datasheets on the 100 pin LQFP clearly state that the dies are separate and the pins are broken out. :)

HID are calling programmers 'encoders' now. The CP1000 appears to be an OK5427 with an 'Artemis SAM'. I don't see why you couldn't use the OK5427 to program cards without the SAM (if you had the know-how).

OK5427 downloads...
http://www.hidglobal.com/drivers?field_ … 513&os=All
I can't see anything useful here... yet.

Encoder downloads...
http://www.hidglobal.com/drivers?field_ … All&os=All
Download everything on this page. There are plugins / Zip archives (viewable, passworded) with very interesting contents.
You will laugh when you discover the password.

CP1000 Quick start guide...
http://www.hidglobal.com/sites/hidgloba … -in-en.pdf

CP1000 Use case examples...
https://www.hidglobal.com/sites/hidglob … -an-en.pdf

Offline

#9 2014-07-04 15:36:26

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: iClass SE / SEOS...

+1

Last edited by app_o1 (2014-07-04 15:41:57)

Offline

#10 2014-08-21 15:20:35

proxmarkzzz
Contributor
Registered: 2014-04-23
Posts: 12

Re: iClass SE / SEOS...

Hey 0xFFFF and carl55,

Did any of you two figure out the pin layout of the white connector socket on the back? It would be nice to have an overview of all the pins, and where they connect to.

Secondly, could you explain how to remove the epoxy from the readers? What type of chemical is the best approach?

Thanks a lot!

Offline

#11 2014-08-21 20:24:21

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: iClass SE / SEOS...

To answer your question, No, I have not done any mapping of the 30-pin Molex debug connector that is used on the iClass SE readers. Since the reader that I broke down was one of the old original SE readers I didn't spend much time looking at it. I assumed that the newer (RevE) readers have made some major design changes and my time would be better spent looking at one of those when time permits. I have been spending what little time I do have trying to analyze the new iclass Secure Identity Object (SIO) data structure and the modified SE communication sequences.

Regarding your question about how I de-potted the reader ...

The iclass SE readers appear to use two different materials in the encapsulation process. There is one softer type of potting compound that is used around the electronic components and a more rigid (almost crystalized) type of compound that appears to be used to secure it to the plastic case.

I personally did not use any chemicals at all although that may be a better approach if you know what you are doing (I don't).
As the first step, I simply cut off the plastic case and rigid crystalline potting material using a small rotary tool (Dremel) with an abrasive cutoff wheel.
The softer material that surrounds the actual components was then removed using a soldering iron with a small pointed tip. The heat of the soldering tip does not melt the material but it does seem to allow it to be easily chipped away in small pieces. The heat seems to almost make it fracture and crumble so it can be easily carved away. It took me about three to four hours to get the circuit board down to what was shown in the picture in my post above. Believe it or not, the reader actually continued to work until I was about 98% done, before I accidentally broke off a small (0402) passive component.

Offline

#12 2014-08-22 02:08:22

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

De-potting potted things...

  • Buy a 1L bottle of acetone from the local hardware store. (You don't really need that much)

  • Fill a glass container with enough acetone to submerge the potted thing. I use an airtight seal-able glass container.

  • Remove what you can from the potted thing. e.g. Stickers, plastic outer shell,... (I use a CNC to mill away some of the material)

  • Place the potted thing in the glass container and place the container somewhere safe - Away from children, heat, light...

  • Remove the thing 24 hours later. Break off any loose potting compound you can. Most of this can be done by hand and maybe with a little assistance from some hand tools

  • Depending on the size of the thing and the potting compound used you should be able to get down to the PCB in a day or two. Results vary

Notes for the iCLASS readers I have worked on:
iCLASS R10:
It took over a week to remove the potting compound. In the end the reader was no longer functional. I suspect the acetone destroyed some components. I never looked into it.

iCLASS R10 SE:
The reader was insanely easy to remove the potting compound and get to the PCB. Just like carl55, I accidentally broke off some components and as a result, the reader did not function correctly. I have since repaired the reader. It only took me 24 hours.

Offline

#13 2014-08-22 02:12:26

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Forgot about the header. The plug you're looking for is the Hirose 30pin .5mm SMD connector. Part number is DF-12-30DS-0.5V
I can work on the pinout but instead I have been working on some VERY interesting HID vulnerabilities.

Offline

#14 2014-08-22 09:14:50

proxmarkzzz
Contributor
Registered: 2014-04-23
Posts: 12

Re: iClass SE / SEOS...

Wow, thank you both for the extensive quick reply!

I'll try my luck then with peeling off the material and throw it in acetone if needed.

Regarding the header, I totally understand that documenting 30 pins is no joy! However, I'm actually mostly interested in two facts.

1. Is UART0 of the LPCxxxx chip (RX, TX, but also if RTS and DTR are available). The last two can force the micro-controller to fall back into ISP serial programming mode.

2. Are the JTAG pins broken out?

The datasheets of the used micro-controllers are publicly available, so if you could verify these two sets of pins, I would be extremely grateful!

Thanks a lot again, best regards.

Offline

#15 2017-02-15 01:50:52

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

[Image: From the grave 128.jpg]
...umm. It's been a while.

No surprise, this is a multilayered board. I've sacrificed a reader to make following traces easier...
[Image: PCB Bottom.jpg]
[Image: PCB Top.jpg]
If anyone has any experience with removing the solder mask, I'd like to hear what method(s) you use. Ideally I'm looking for a chemical process.

This IC is going for a swim...
[Image: HID IC-0048-01B 0813.jpg]

Pinout - I'll update as I go.

Offline

#16 2017-02-15 11:21:44

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

OK. So the HID IC-0048 -01B 0813 is an INFINEON M8830-B1
[Image: DIE INFINEON M8830-B1.jpg]
[Image: DIE INFINEON M8830-B1_2.jpg]

Here's a happy snap of the LPC122x...
[Image: DIE LPC122x.png]

...And the 663 that is the other half of the PR600HL...
[Image: DIE RC663.jpg]
[Image: DIE RC663_2.jpg]

The dies are not connected internally. Each individual pin is exposed on the LQFP100.

Offline

#17 2017-02-15 11:37:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: iClass SE / SEOS...

Impressive bro!

Offline

#18 2017-02-15 12:25:00

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Thanks :)
I'm glad to get back into the action again.

I think SWD is on P100 pins 14, 16 & 18. Have a look at the first photo in #15

I think the first column is wrong as these pins were taken from a PDF I found online for the PR601. The pins probably moved between 600 & 601?

Signal              LPC122x pin   600HL pin   P100
SWCLK               PIO0_18       9           ?
SWDIO               PIO0_25       85          14
Reset               PIO0_13       4           18

SWCLK alt           PIO0_26       86          16
SWDIO alt           PIO1_2        15          Test pad near U302

-                   PIO0_1        92          7
-                   PIO0_2        93          9
VDC behind diode    -             -           11, 13
5VDC                -             -           15, 17
-                   PIO0_28       89          23
-                   PIO0_11       2           27
-                   PIO0_10       1           29

I've updated the pastebin.

Offline

#19 2017-02-15 13:25:49

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

More information on the SLE88CFX4000P / m8830:
Evaluation Documentation
Datasheet

Offline

#20 2017-02-16 12:09:21

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Can't seem to find where P100 pins 1, 3, 5 & 21 go. Probably nc.
Updated details in posts above.

Offline

#21 2018-11-08 15:49:05

innocent_ethical
Contributor
Registered: 2018-11-07
Posts: 2

Re: iClass SE / SEOS...

Any updates on this forum???

Last edited by innocent_ethical (2018-12-04 12:55:28)

Offline

#22 2018-11-16 16:05:50

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: iClass SE / SEOS...

innocent_ethical wrote:

Any updates to this forum??
6


It is an impossible task to duplicate the iclass SIO cards. Time to give up bro....

Offline

#23 2018-12-04 12:29:32

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: iClass SE / SEOS...

yukihama wrote:
innocent_ethical wrote:

Any updates to this forum??
6


It is an impossible task to duplicate the iclass SIO cards. Time to give up bro....

Mate, just because you don't know doesn't mean it's not possible, it's been out there for a while already.

Offline

#24 2018-12-05 14:49:15

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: iClass SE / SEOS...

brantz wrote:
yukihama wrote:
innocent_ethical wrote:

Any updates to this forum??
6


It is an impossible task to duplicate the iclass SIO cards. Time to give up bro....

Mate, just because you don't know doesn't mean it's not possible, it's been out there for a while already.


Thanks Pal, but according to Carl55 and Iceman, there is no way to copy or crack the SIO iclass cards.

Any clues to share? ^_^ I am grateful for your kind guidance ^_^

Offline

#25 2018-12-05 15:10:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: iClass SE / SEOS...

It's just not solved right now, is what I believe @brantz is saying. Doesn't mean it will remain unsolved...

Offline

#26 2018-12-14 11:14:33

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: iClass SE / SEOS...

yukihama wrote:
brantz wrote:
yukihama wrote:

It is an impossible task to duplicate the iclass SIO cards. Time to give up bro....

Mate, just because you don't know doesn't mean it's not possible, it's been out there for a while already.


Thanks Pal, but according to Carl55 and Iceman, there is no way to copy or crack the SIO iclass cards.

Any clues to share? ^_^ I am grateful for your kind guidance ^_^


Basically, to clone an iclass fob, most of the time we need to know its facility code, card number and the card format. If you know this information plus the target reader's authentication key, technically, you can program one with the known information with the proper equipment.

Yeah, you are right, in this case, it's not really duplicating, it's programming one with the same information.

Last edited by brantz (2018-12-14 11:15:50)

Offline

#27 2018-12-16 02:40:07

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: iClass SE / SEOS...

brantz wrote:


Basically, to clone an iclass fob, most of the time we need to know its facility code, card number and the card format. If you know this information plus the target reader's authentication key, technically, you can program one with the known information with the proper equipment.


Basically, to open any iclass door, just power off the door power and the door is unlocked...LOL

Offline

#28 2019-01-15 01:34:40

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: iClass SE / SEOS...

Yeah, you are very right and very humorous

yukihama wrote:
brantz wrote:


Basically, to clone an iclass fob, most of the time we need to know its facility code, card number and the card format. If you know this information plus the target reader's authentication key, technically, you can program one with the known information with the proper equipment.


Basically, to open any iclass door, just power off the door power and the door is unlocked...LOL

Offline

#29 2019-06-20 05:12:42

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: iClass SE / SEOS...

Question — since the iClass SE readers all now contain the "Artemis SAM", presumably the key material is no longer stored in the firmware but rather in the SAM? Obviously that makes it that much harder to dump the keys, but just curious.

Offline

#30 2019-06-20 05:40:28

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Answer — SLE88 / SAM is in all iClass SE readers. The keys you are looking for are stored on it. The security offered by this change is as good as the implementation.
Dumping the firmware gives a few answers but not the keys you're looking for. So it's probably not worth your time and effort.
More information on the SAM (in card form) here - https://www.hidglobal.com/products/embedded-modules/iclass-se/sio-processor
...Or you can just pop open a reader and mount the SLE88 IC on to something with a PC/SC interface.

Offline

#31 2019-06-20 08:00:44

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: iClass SE / SEOS...

0xFFFF wrote:

Answer — SLE88 / SAM is in all iClass SE readers. The keys you are looking for are stored on it. The security offered by this change is as good as the implementation.
Dumping the firmware gives a few answers but not the keys you're looking for. So it's probably not worth your time and effort.
More information on the SAM (in card form) here - https://www.hidglobal.com/products/embedded-modules/iclass-se/sio-processor
...Or you can just pop open a reader and mount the SLE88 IC on to something with a PC/SC interface.

Thanks!
Good to know :)

Offline

#32 2019-06-21 19:21:46

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: iClass SE / SEOS...

Another interesting question..... is anyone here familiar with the "iClass SE Seos Profile" readers, that apparently exclusively support Seos?

I'm curious if there is a way to reset/downgrade those readers to support normal iClass SE (and other HF technologies) also. Looking at HID docs they have their own separate type of config cards also, not sure how/if that complicates things.....

Offline

#33 2019-06-25 00:21:14

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

They are capable. There are a few ways to reconfigure them. The most common method is using a configuration card.

The configuration cards change due to the firmware, existing configuration, etc...

Offline

#34 2019-06-25 04:25:22

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: iClass SE / SEOS...

0xFFFF wrote:

They are capable. There are a few ways to reconfigure them. The most common method is using a configuration card.

The configuration cards change due to the firmware, existing configuration, etc...

Interesting... I figured it would be something config-card related.

My understanding is that in general, iClass SE reader config cards use the iClass SE technology.

iClass SE "Seos Profile" readers (at least officially) only support Seos technology, which might explain why HID sells separate config cards for them that presumably use Seos tech.

I'm guessing to convert/downgrade it to support iClass SE (and other HF technologies), you'd need a Seos config card that tells the reader to start supporting iClass SE again? Do you know if that type of config card officially exists / is sold by HID, or if you'd need to program something custom using e.g. a CP1000 encoder?

Thanks!

Offline

#35 2019-06-25 05:12:40

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

HID configuration cards are a mix of different technology types. Depends on the application / requirements.

Recently been informed that HID are trying to push SEOS readers at a lower cost. Not sure how well they are going but my opinion (for now) is stay away.
Yet another proprietary system. No certifications or standards testing as far as I can tell. You're locked in.
"Seos adheres to best practices for data protection and widely reviewed open standards..."

Don't necessarily need an encoder or configuration cards as far as I'm aware. I'm making an educated guess here, I could be wrong. Need to get my hands on one (preferably two) for proper analysis.

Offline

#36 2019-06-25 17:36:09

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: iClass SE / SEOS...

0xFFFF wrote:

HID configuration cards are a mix of different technology types. Depends on the application / requirements.

Recently been informed that HID are trying to push SEOS readers at a lower cost. Not sure how well they are going but my opinion (for now) is stay away.
Yet another proprietary system. No certifications or standards testing as far as I can tell. You're locked in.
"Seos adheres to best practices for data protection and widely reviewed open standards..."

Don't necessarily need an encoder or configuration cards as far as I'm aware. I'm making an educated guess here, I could be wrong. Need to get my hands on one (preferably two) for proper analysis.

Yeah I saw that recently with what they are calling their "iClass SE Express" reader https://www.hidglobal.com/products/readers/iclass-se/iclass-se-express-r10.

Under the hood I'm curious how that differs from the "iClass SE Seos Profile" readers they have been selling for a while.

Offline

#37 2019-06-26 06:25:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: iClass SE / SEOS...

I think we all are interested in SEOS inner workings. So far there is a piece here and blobs there, all based on Carl55 and 0xFFFF findings.

Offline

#38 2019-06-26 07:30:07

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Demystifying SEOS is on my list of things that would be nice to achieve in this lifetime. :P
Being able to pursue interesting subjects like this depends on my free time and finances.

Offline

#39 2019-06-26 09:16:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: iClass SE / SEOS...

That's a serious limit since you don't have any spare time bro :)

Offline

#40 2019-06-27 00:08:14

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: iClass SE / SEOS...

Ha Ha! I know!
That's why I don't post as often as I'd like.
Time spent not researching stuff is valuable time lost.

Offline

#41 2020-06-19 11:45:21

Hain
Contributor
Registered: 2020-06-19
Posts: 3

Re: iClass SE / SEOS...

Since it's your goal and I'm sure a lot of people's interest, could we coordinate a shared document or wiki where we could pool all our knowledge about SEOS?

Last edited by Hain (2020-06-19 11:45:46)

Offline

#42 2020-11-19 04:25:24

yukihama
Contributor
Registered: 2018-05-13
Posts: 133

Re: iClass SE / SEOS...

nice idea

Offline
