Research, development and trades concerning the powerful Proxmark3 device.
Hello guys,
I got to play with our condo's newly issued cards.
I can't get a read on the Proxmark; that said, "iClass SEOS IP" is printed on it with the SN.
The hf ic.. search commands don't work at all; my MCT Android app got another read, attached is a pic.
https://www.dropbox.com/s/uhavyykk4qmwg88/Screenshot_20180105-182135.png?dl=0
Has anyone encountered these? Any insights on how to read and eventually reprogram/clone it, etc.?
Couldn't find anything in the forum.
Thanks,
??? your pic shows a 14A tag... Why don't you test those commands instead?
I did try the 14A commands, I get nothing... For some reason the card won't read with the original condo reader for a while after the Proxmark test, kind of a lockdown mode?! I am running your build for now; should I give the original build a try?
You need distance for 14a between tag & reader. iClass is also sensitive.
But of course, you should try the official pm3 firmware.
iClass SEOS has nothing to do with iClass but the name. A bit like Bluetooth Low Energy and Bluetooth
SEOS is built on top of an ISO14443A JCOP card.
Oh, good to know, I was suspecting something like that. Physical inspection (flashlight lol) shows a high-frequency antenna (square) with a normal chip size. I have an Ubertooth somewhere, any pointer on how to get into the card with it?
Sorry for the confusion. BLE and Bluetooth were just a comparison point: when you look at BLE the protocol it's completely different from Bluetooth. They only share the name.
It's the same for iClass and SEOS: the protocol to interact with them is completely different. But SEOS is not BLE (even though there is a BLE module that can be added to the readers and an app to allow using a phone instead of a badge), it's RFID ISO14443A while iClass is built on top of ISO15693. Same frequency of 13.56MHz but different modulation and protocol.
To interact with a SEOS badge you need to use "hf 14a" command set instead of "hf iclass".
I haven't found any publication yet about the SEOS protocol. Maybe that's something I will publish later if I find some time to add the commands to the pm3
Great work, I will play with the tag tomorrow, will try to snoop around as well.
I see your point, they made an application for this type which uses BLE or NFC, attached:
https://www.dropbox.com/s/tmoo0d3wort4z70/Screenshot_20180107-003923.png?dl=0
That said, I would appreciate any help on it; perhaps we can get raw data commands from a valid communication to program, decode, etc., as it is promised to be a step-up replacement for many areas of RFID.
Let me know how I can help. I've got a tag, Proxmark, Chameleon Mini, Omnikey, hacked, arc to test with.
Thanks for the offer. I already know/understand most of the SEOS protocol and I know how to decode it when it's snooped. It's just a matter of taking the time to turn that knowledge into C code for the Proxmark in a meaningful command set.
Whenever you feel like sharing what the SIO blob decoded structure looks like, that would be helpful. It should be ASN.1 based.
I wish jump would help out on this. I really want this nailed and added to the Proxmark's demoded cards.
Btw, the Iceman build is not working properly for 14a commands, it keeps crashing... Sniff is not working, the Proxmark goes unresponsive. Just some feedback.
Only 14a sniff? I used it yesterday, it works like a charm. However "hf mf sniff" seems weird to me.
Somehow I believe it is hardware related; the RDV2 has the issue while the original Proxmark doesn't replicate the issue... just tested it again.
I have an unused "Seos IP" card. Does anyone know how to interact with the card, i.e. read data?
hf 14a info
UID : XX XX XX XX
ATQA : 00 01
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
ATS : 05 78 77 80 02 9C 3A
- TL : length is 5 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
- TC1 : NAD is NOT supported, CID is supported
Answers to magic commands: NO
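The ATS in the post above is worth decoding by hand once, because it is the only thing the card tells you before any key is involved. The script below is an added example, not code from the thread or from the Proxmark3 repository; it implements the ISO/IEC 14443-4 ATS layout (TL, T0, TA1/TB1/TC1, historical bytes) and the ISO/IEC 14443-3 CRC_A, and takes the bytes exactly as "hf 14a info" prints them, with the two CRC_A bytes the card appended at the end. It generalises past this one card: any ATS can be fed to it, and a mismatch between TL and the interface bytes T0 announces, or a bad CRC, is reported rather than silently decoded.

```python
"""Decode an ISO/IEC 14443-4 ATS and check its CRC_A.

Added example for this thread; not code from the original posts or from the
Proxmark3 repository. Input is the byte string as "hf 14a info" prints it:
the ATS followed by the two CRC_A bytes. The CRC bytes are optional.
"""

# FSCI -> FSC in bytes (ISO/IEC 14443-4); FSCI 9..15 are RFU, treated as 256.
FSC_TABLE = [16, 24, 32, 40, 48, 64, 96, 128, 256]


def crc_a(data: bytes) -> int:
    """CRC_A from ISO/IEC 14443-3 Annex B: init 0x6363, reflected poly 0x8408."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return crc


def parse_ats(raw: bytes) -> dict:
    """Parse an ATS; raises ValueError on a structurally impossible response."""
    if not raw:
        raise ValueError("empty ATS")
    tl = raw[0]
    if tl == 0 or tl > len(raw):
        raise ValueError(f"TL={tl} does not match {len(raw)} bytes received")
    ats, trailer = raw[:tl], raw[tl:]

    # CRC_A covers the whole ATS (TL included) and is sent LSB first.
    crc_ok = None
    if len(trailer) >= 2:
        crc_ok = int.from_bytes(trailer[:2], "little") == crc_a(ats)

    out = {"tl": tl, "crc_ok": crc_ok, "ta1": None, "tb1": None, "tc1": None}
    if tl == 1:  # only TL present: the card uses default parameters
        out.update(fsc=32, historical=b"")
        return out

    t0 = ats[1]
    fsci = t0 & 0x0F
    out["fsc"] = FSC_TABLE[fsci] if fsci < len(FSC_TABLE) else 256
    pos = 2

    def take() -> int:
        nonlocal pos
        if pos >= tl:
            raise ValueError("T0 announces interface bytes that TL does not cover")
        b = ats[pos]
        pos += 1
        return b

    if t0 & 0x10:  # TA1: bit-rate capabilities, DR = PCD->PICC, DS = PICC->PCD
        ta1 = take()
        out["ta1"] = ta1
        out["same_divisor_only"] = bool(ta1 & 0x80)
        out["dr"] = [d for bit, d in ((0x01, 2), (0x02, 4), (0x04, 8)) if ta1 & bit]
        out["ds"] = [d for bit, d in ((0x10, 2), (0x20, 4), (0x40, 8)) if ta1 & bit]
    if t0 & 0x20:  # TB1: frame waiting time and start-up frame guard time
        tb1 = take()
        out["tb1"] = tb1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        out["fwi"], out["sfgi"] = fwi, sfgi
        out["fwt_fc"] = 4096 << fwi                          # (256*16/fc) * 2^FWI
        out["sfgt_fc"] = (4096 << sfgi) if 0 < sfgi < 15 else 0  # 0 = not needed
    if t0 & 0x40:  # TC1: protocol options
        tc1 = take()
        out["tc1"] = tc1
        out["nad"] = bool(tc1 & 0x01)
        out["cid"] = bool(tc1 & 0x02)
    out["historical"] = ats[pos:]
    return out


def parse_ats_hex(text: str) -> dict:
    """Convenience wrapper for the space-separated hex the Proxmark prints."""
    return parse_ats(bytes.fromhex(text.replace(" ", "")))


if __name__ == "__main__":
    # The ATS from the post above, CRC bytes included.
    for key, value in parse_ats_hex("05 78 77 80 02 9C 3A").items():
        print(f"{key:>18}: {value}")
```

Run against the bytes from the post it reproduces the Proxmark's reading (FSC 256, DR/DS 2/4/8, FWI 8, SFGI 0, CID yes, NAD no, no historical bytes) and confirms the trailing 9C 3A is a valid CRC_A. Note that the ATS says nothing about the application on the card: "JCOP" in the TYPE line is only a SAK/ATS heuristic.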
You need to know the AES encryption key that has been configured in order to talk to the card and read the data.
Sniff or snoop the key out; the harder part would be emulating it or finding a card that accepts a custom UID following the same SEOS protocol. Is your reader an iClass SE?
It seems you're not familiar with SEOS protocol if you think the key can be sniff'd.
Emulating SEOS with a proxmark is trivial though
Ah, so it is an encrypted key that changes with each read type?
The iClass SE reader which they use to read SEOS cards here sends the same series of commands, and I didn't notice changes in the raw data with the same card read, so I had the assumption of a fixed key, at least the same fixed key per card UID...
Please elaborate on how SEOS works? It would be interesting to nail it.
There are still some pieces that I'm missing about this protocol and I'm still working on getting the complete picture.
The card and the reader share a pair of AES keys. One of them is used along with a robust RNG on both sides to negotiate a session key. The only thing that is transmitted is the index of the key to use for this session key negotiation. The session key is not transmitted.
So yes, in theory it's possible to sniff and get the keys from there, but the complexity of the attack is too high (2**129).
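The pattern jump describes above (both sides hold the same pair of keys, each contributes fresh randomness, only the key index goes over the air, the session key itself is never transmitted) is what a passive sniffer is up against, and the script below is an added illustration of that pattern. It is not the SEOS protocol and not code from the posts: the frame layouts, the purpose labels, the 8-byte nonces and the mutual-authentication MACs are invented for the example, and HMAC-SHA256 from the standard library stands in for the AES-based derivation so that it runs on a stock Python install. What it shows is the sniffer's view of a run (key index, nonces, MACs, no key material) and that the only thing the recording enables offline is a candidate-key search against the MAC.

```python
"""Sketch of a shared-key session negotiation, as described in the thread.

Added illustration, not the SEOS protocol and not code from the posts. The
frame layouts, labels, nonce sizes and the two authentication MACs are
assumptions made for the example; HMAC-SHA256 stands in for an AES-based
derivation. Kept from the description: both sides hold the same key pair,
both contribute randomness, only the key index is sent in the clear, and
the session key never appears on the air interface.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 16  # AES-128 sized keys (assumption)
NONCE_LEN = 8  # nonce size (assumption)


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Derive KEY_LEN bytes from a shared key, a purpose label and the nonces."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:KEY_LEN]


class Party:
    """One side of the exchange (PCD = reader, PICC = card) holding the key pair."""

    def __init__(self, keys: dict):
        self.keys = keys  # {key_index: key_bytes}
        self.session_key = None


def negotiate(reader: Party, card: Party, key_index: int, rng=secrets.token_bytes):
    """Run the exchange; return the frames a passive sniffer would record."""
    frames = []
    # 1. PCD picks the key slot and a nonce; only those two things go on the air.
    r_nonce = rng(NONCE_LEN)
    frames.append(("PCD->PICC", bytes([key_index]) + r_nonce))

    # 2. PICC adds its own nonce and a MAC proving it holds keys[key_index].
    k_card = card.keys[key_index]
    c_nonce = rng(NONCE_LEN)
    c_mac = kdf(k_card, b"picc-auth", r_nonce, c_nonce)
    card.session_key = kdf(k_card, b"session", r_nonce, c_nonce)
    frames.append(("PICC->PCD", c_nonce + c_mac))

    # 3. PCD checks the MAC, derives the same session key, proves itself back.
    k_reader = reader.keys[key_index]
    if not hmac.compare_digest(c_mac, kdf(k_reader, b"picc-auth", r_nonce, c_nonce)):
        raise ValueError("card failed authentication")
    reader.session_key = kdf(k_reader, b"session", r_nonce, c_nonce)
    r_mac = kdf(k_reader, b"pcd-auth", c_nonce, r_nonce)
    frames.append(("PCD->PICC", r_mac))

    # 4. PICC checks the reader's MAC before it will use the session key.
    if not hmac.compare_digest(r_mac, kdf(k_card, b"pcd-auth", c_nonce, r_nonce)):
        card.session_key = None
        raise ValueError("reader failed authentication")
    return frames


def key_index_seen(frames) -> int:
    """The only key-related fact a sniffer learns: which slot was used."""
    return frames[0][1][0]


def key_leaked(frames, *secret_values: bytes) -> bool:
    """True if any secret (static key or session key) appears verbatim in a frame."""
    return any(s in payload for _, payload in frames for s in secret_values)


def offline_guess(frames, candidates) -> Optional[bytes]:
    """All a recording permits: test candidate keys against the card's MAC.
    Against a full 128-bit key that is a brute-force search of the key space."""
    r_nonce = frames[0][1][1:]
    c_nonce, c_mac = frames[1][1][:NONCE_LEN], frames[1][1][NONCE_LEN:]
    for k in candidates:
        if hmac.compare_digest(c_mac, kdf(k, b"picc-auth", r_nonce, c_nonce)):
            return k
    return None


if __name__ == "__main__":
    shared = {0: secrets.token_bytes(KEY_LEN), 1: secrets.token_bytes(KEY_LEN)}
    pcd, picc = Party(dict(shared)), Party(dict(shared))
    log = negotiate(pcd, picc, key_index=1)
    for direction, payload in log:
        print(f"{direction}: {payload.hex()}")
    print("session keys match:", pcd.session_key == picc.session_key)
    print("key index on the air:", key_index_seen(log))
    print("key or session key on the air:", key_leaked(log, shared[1], pcd.session_key))
```

Two runs with the same card give two different session keys because both nonces are fresh, which is also why a reader that replays a recorded exchange gets nowhere: the card's MAC covers the reader's nonce as well as its own.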
I know I'm late to the party, but have you made any progress jump? Could you please share what you've found out and any documentation you've gathered? It would be really beneficial for my Bachelor's thesis.
jump wrote:
There are still some pieces that I'm missing about this protocol and I'm still working on getting the complete picture.
The card and the reader share a pair of AES keys. One of them is being used along with robust RNG on both sides to negotiate a session key. The only thing that is transmitted is the index of the key to use for this session key negotiation. The session key is not transmitted.
So yes in theory it's possible to sniff and get the keys from there but the complexity of the attack is too high (2**129)