PM3 can't read iclass 2000 DL card

brantz · 2017-12-06 01:08:11

well, this is the situation,

new iclass 2000 DL has very long reading distance compare to DP card on authentic iclass reader, almost doubled.

using "hf tune" on PM3, I can see the voltage drops alot when DL card is approaching, but PM3 can't read anything out from it.

PM3 returns "no known card found" when probing

I've tried on original PM2 and elechouse v2 dev version, same result

Technically DL, DP just strands for the different factory, but I can see the size and shape of antenna has changed a bit between DL and DP

Has anyone experienced this?

Thanks

Heru · 2017-12-16 10:48:03

Hi , yes, I've similar issue, but what about DY card? what does it signify?

brantz · 2018-05-16 14:01:47

An update on this topic.

From my experience, all recent produced iclass 2xxx cards are not be able to read by PM3.

I've tested on following PM3 on market (proxmark3 original, proxmark easy, Elechouse Rdv2, Radiowar enhanced PM3), none of them is able to read.
hf tune shows the voltage change while card is approaching. But when reading, just return "no tag found". Also tested on multiple branches and versions of firmware. No luck all of them.

However, original HID iclass readers have no problem reading them at all.

The cards I have tested are ordered from HID directly in standard security mode.

The antenna I used is from this https://hackerwarehouse.com/wp-content/uploads/2016/04/proxmark3-kit-rdv2-VB5A0486.jpg, I bought it from elechouse website directly. It never had any problem reading 2000, 2020, 2050, 2080, 2060 credentials before, just the recent ordered thin card from HID are not able to be read, the antenna structure looks quite different in the new card compare to previous 2000 card. please refer to pictures below.

New 2000:
https://www.dropbox.com/s/w0tlq78ws11nu … m.jpg?dl=0
https://www.dropbox.com/s/zh051jn5jta51 … m.jpg?dl=0

Previous 2000:
https://www.dropbox.com/s/f3ht6klu1lyir … m.jpg?dl=0

As I mentioned, the voltage still decreased while the card approaching to PM3 antenna, I have tried all possible angles and distances, no luck, all ended up with "no tag found". However, on R10, R30, R40 and RW300, got read immediately with correct bit output.

Anyone has insight?

Shashadow · 2018-06-05 09:03:32

Hello.

I know it's maybe a stupid suggestion, but do you try with old release from aspers?
Version 2.5 pre-compiled Windows.
I have a similar issue with thincard iclass.
I don't know if mine is newer or oldest, but after install old firmware from pre compiled version, all iclass tag work perfectly for me.
I know it's old and no more supported soft, but just for knowledge if you have time get a try :
http://www.proxmark.org/forum/viewtopic.php?id=5718
I can give you 2.5 version if you don't find

brantz · 2018-06-05 14:53:18

Shashadow wrote:

Hello.
I know it's maybe a stupid suggestion, but do you try with old release from aspers?
Version 2.5 pre-compiled Windows.
I have a similar issue with thincard iclass.
I don't know if mine is newer or oldest, but after install old firmware from pre compiled version, all iclass tag work perfectly for me.
I know it's old and no more supported soft, but just for knowledge if you have time get a try :
http://www.proxmark.org/forum/viewtopic.php?id=5718
I can give you 2.5 version if you don't find

Hi Shashadow, that would be great if you could share a copy of that. I'll give it a go.

Thank you very much

Shashadow · 2018-06-05 23:36:59

no problem, here a link for 2.5 :

pm3-v2.5

just unzip, open a cmd, go to "win32 (client+GUI)" directory and run :
(think to change before your "comX number" in bat's file)

FLASH - Bootrom.bat
and after
FLASH - fullimage.bat

no problem for switch between old and new release, I do it lot of time :-)

PS : check during upgrade if your "comX number" change, don't stop your upgrade, just go in your Windows device manager ad re-change comX in the good serial port you have (Windows will tell you port is busy, but doesn't matter, do it, it will accept), and your upgrade will continue

(yes I know it's in French, but I'm sure you will find your way :-) )

after upgrade use the old client (proxmark3 comX) and check with a lot of "hf search" your iclass card
for me it was ok, just too bad we don't have any improvement from last iceman release, but for a test it's good to know if it works too for you.
thanks

Last edited by Shashadow (2018-06-06 08:58:12)

Shashadow · 2018-06-10 21:51:20

hello Brantz,

just for know, have you tried the old release proxmark with your thincard iclass ?
thanks

Last edited by Shashadow (2018-06-10 21:52:24)

brantz · 2018-06-18 15:57:01

Shashadow wrote:

hello Brantz,
just for know, have you tried the old release proxmark with your thincard iclass ?
thanks

Hi Mate,

sorry for the late reply.

No luck. seems the version you shared does't compatible with my hardware.
after flashed bootroom and full imagine, OS is loaded correctly, but PM3 doesn't respond to any command. strange

I'll try another device

crazyquark · 2018-07-06 06:47:50

Hi,

I was able do dump some older iClass cards with my pm3 but then I bought some new iClass 2000 (labeled iClass DL) cards to write the dumps to them and PM3 can't access those. I see the same voltage drop when doing `hw tune` on the HF antenna but nothing else.

I also tried the pm2.5-bin old release from Windows to no success.

Is there some raw mode I can try to see what the protocol is?
Has anyone had any success with newer iClass 2000 cards?
Also, where could I buy "compatible" iClass cards, preferably not from US

Sorry, for all the questions!

Last edited by crazyquark (2018-07-06 07:15:58)

marshmellow · 2018-07-06 13:05:55

brantz wrote:

Shashadow wrote:
hello Brantz,
just for know, have you tried the old release proxmark with your thincard iclass ?
thanks
Hi Mate,
sorry for the late reply.
No luck. seems the version you shared does't compatible with my hardware.
after flashed bootroom and full imagine, OS is loaded correctly, but PM3 doesn't respond to any command. strange
I'll try another device

You must use the client (proxmark3.exe) from the matching version for the firmware.

crazyquark · 2018-07-07 08:45:32

marshmellow wrote:

You must use the client (proxmark3.exe) from the matching version for the firmware.

For what is worth, that's what I did but it did not reveal anything new compared to the latest version of PM3.
But I might have a different card than you.

Last edited by crazyquark (2018-07-07 08:45:50)

gmsuz · 2018-07-07 14:41:47

I have no problem with thin DP or DL cards with my PM3 on newer firmware. But this thin cards with + in front of the serial no. was unable to be read by PM3 and prompted as "no known/supported 13.56 MHz tags found". No issue on thin cards with * in front of serial no.

I am not sure if the problem you are see is the same as me.
Are your cards with an * or + ?

crazyquark · 2018-07-07 15:52:30

gmsuz wrote:

I have no problem with thin DP or DL cards with my PM3 on newer firmware. But this thin cards with + in front of the serial no. was unable to be read by PM3 and prompted as "no known/supported 13.56 MHz tags found". No issue on thin cards with * in front of serial no.
I am not sure if the problem you are see is the same as me.
Are your cards with an * or + ?

They actually have a "=" at the beginning of the serial numbers so maybe even newer?

gmsuz · 2018-07-07 16:23:04

Found this on HID GLOBAL CREDENTIAL IDENTIFICATION MARKINGS
APPLICATION NOTE

Programming Type (valid for iCLASS & Seos only)
Value Description
- Configured, iCLASS/Genuine HID Seos
= Configured, iCLASS (non-ISO14443B)
* Programmed, iCLASS/Seos
+ Programmed, iCLASS (non-ISO14443B)
/ Custom Programmed, Seos
A Seos multi ADF ES profile (1)

Both " = " & " + " are iCLASS (non-ISO14443B).

The usual * card will display Coding: ISO 14443-2 B/ISO 15693

CSN: 5A 03 1A 02 FF FF 12 E0
CC: FF FF FF FF 35 FF FF FF
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
OTP: 0xFFFF

KeyAccess:
Read A - Kd or Kc
Read B - Kd or Kc
Write A - Kc
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: FF FF FF FF FF FF FF FF
: Possible iClass (legacy tag)

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search

Maybe this is the problem "non-ISO14443B" on the "+" and "=" cards

crazyquark · 2018-07-07 18:13:35

Interesting. I wonder what standard it uses then.

Last edited by crazyquark (2018-07-07 18:22:50)

yukihama · 2018-07-17 15:54:47

I got this similar problem todayT_T cry.....
The unreadable card is iclass thin white card with "+" before some numbers.
No luck with my three PM3 devices.
Is that any way to get the dump file out of the printed number on the thin card?

brantz · 2018-07-24 12:22:21

That's not always the case.

gmsuz wrote:

Found this on HID GLOBAL CREDENTIAL IDENTIFICATION MARKINGS
APPLICATION NOTE
Programming Type (valid for iCLASS & Seos only)
Value Description
- Configured, iCLASS/Genuine HID Seos
= Configured, iCLASS (non-ISO14443B)
* Programmed, iCLASS/Seos
+ Programmed, iCLASS (non-ISO14443B)
/ Custom Programmed, Seos
A Seos multi ADF ES profile (1)
Both " = " & " + " are iCLASS (non-ISO14443B).
The usual * card will display Coding: ISO 14443-2 B/ISO 15693
CSN: 5A 03 1A 02 FF FF 12 E0
CC: FF FF FF FF 35 FF FF FF
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
OTP: 0xFFFF
KeyAccess:
Read A - Kd or Kc
Read B - Kd or Kc
Write A - Kc
Write B - Kc
Debit - Kd or Kc
Credit - Kc
App IA: FF FF FF FF FF FF FF FF
: Possible iClass (legacy tag)
Valid iClass Tag (or PicoPass Tag) Found - Quiting Search

Maybe this is the problem "non-ISO14443B" on the "+" and "=" cards

AmmonRa · 2019-04-27 12:49:45

I have been trying to get some new type cards to be detected. So far not much luck. Sniffing the card being read by an omnikey looks the same for new and old cards.... could it be that new type requires more power then the pm3 can provide?

slp · 2019-04-28 16:07:17

Same problem. Tried various PM3 hardware including RDV2, Easy, RDV4 + big HF antenna, and software (official, RRG, older, most recent...).
The new ISO thin standard security "iCLASS DL" (no other markings on card) that I have are not recognized by Proxmark. The old ones - thick clamshell format - work correctly.
I also can sniff the communication between the new cards and iClass reader using Proxmark, and it looks the same as for old ones.

I can see several other people having similar issues along a few threads here.
How about submitting an issue to Github?

Donni · 2019-05-10 19:36:49

Any one managed to get this working?

Last edited by Donni (2019-05-10 20:40:59)

Supercodegames · 2019-05-12 04:01:07

@slp , created a issue at the proxmark repository

If anyone has a hunch at what is causing the problem, please let us know at the issue:

https://github.com/Proxmark/proxmark3/issues/820

Last edited by Supercodegames (2019-05-12 04:02:04)

onebyte · 2019-06-05 03:25:26

I can use pm3 with old, non programmed legacy iclass fob, no sign, no number, blanked one. Today I bought another one, same shape, exactly same, no serial, no sign, nothing on the back, legacy blank fob. But this new one is not recognized by pm3. They changed internal circuit or anything with this old legacy fob? I thought only ER is not cloneable, and new programmed not recognized by pm3, but this new blank is same as programmed(has serial number and programmed) one so how can I get blank...

aaronml · 2019-06-24 02:57:52

Something seems odd here........ HID has had an "alternate" version of iClass for years, supported by all generations of their official readers, and only in the past couple of years did they dust it off, for the (presumably) main purpose of making it harder for Proxmark users to clone it?

I find it very hard to believe that PM3 is the only thing broken by this change.... surely there are some 3rd-party "iClass CSN-only" readers getting broken by this also, making customers unhappy...

Isn't iClass Legacy technology just a standard PicoPass card with an HID-specific CSN range, and HID-specific encryption/authentication keys?

I wonder if the iClass SE cards have been updated to this new standard, or if they are still using the ISO14443B-compliant credentials?

piwi · 2019-11-29 07:53:10

Did anyone try the official release recently? There had been improvements with the iclass commands.

iceman · 2019-11-29 20:22:05

I did actually.

piwi · 2019-12-03 13:24:25

Just in case you tested with one of those iClass "DL" or "2000" cards: could you read/dump them? If reading failed, can you please snoop communication between a reader and card and post the result ('hf list iclass') here?

Note: just like with ISO14443A it is best to keep some minimum distance between reader and card.

BTW: does anybody know what "DL" or "DP" stands for? (no, please, no punishing because of thread hijacking )

lohcm88 · 2019-12-03 14:20:47

piwi wrote:

Did anyone try the official release recently? There had been improvements with the iclass commands.

Yes, I hv tried today and it work great on first try! My card had a + sign and previous official or RRG release cannot read that card at all.. Thank you!

Btw mine is iclass DP +xxxxxx xxxxxxxxxxx-1 SR

Last edited by lohcm88 (2019-12-03 14:22:46)

lohcm88 · 2019-12-04 02:57:46

piwi wrote:

Did anyone try the official release recently? There had been improvements with the iclass commands.

Just found out that the reading/extracting part is good but the cloning part is bad.

piwi · 2019-12-04 17:56:05

I didn't rework the clone function yet. 'hf iclass chk' is next on my list.

piwi · 2019-12-09 08:37:06

fixes to 'hf iclass chk' have been merged to master, fixes to 'hf iclass clone' and 'hf iclass writebl' have been pushed as PR#896 and are ready to test.

lohcm88 · 2019-12-11 06:26:30

piwi wrote:

fixes to 'hf iclass chk' have been merged to master, fixes to 'hf iclass clone' and 'hf iclass writebl' have been pushed as PR#896 and are ready to test.

Tested "chk" and "writeblk" are working.. "clone" still not working..

piwi · 2019-12-11 08:32:45

lohcm88 wrote:

Tested "chk" and "writeblk" are working.. "clone" still not working..

Can you please be a bit more specific? What are you trying to achieve, which commands are you using, which responses do you get and which results do you expect which are not achieved?

Last edited by piwi (2019-12-11 08:33:03)

lohcm88 · 2019-12-11 10:14:05

It work at times but subsequently give me error "Failed to select card! Aborting" when using the hf iclass clone command

piwi · 2019-12-11 17:15:59

lohcm88 wrote:

https://lh3.googleusercontent.com/kVFCb9wU36YR1zGFERJzbpHut78YlmN385RWfKrj5SAB03K0HaaQJCIaGG08rruk1dX78lVCyiMxSH9sjV-f_dmPK5aWZOGI_ITRme4f1116rEp2Y-A7DX5GvJsEFKddkzfaTPJhAQBeTCUyXDeHYf3i1FXKlQcoZtCNndaO9rtdG3pTPad-r5tjVXYyjlGmxo96c8ERKKTICKma2AvPOxOWTvn7qq_iDLdg2YTjN_hVeGKEmnOcm_QUn-WkCtt-B3FxauTQM0g9wUUZz2MH6yBl--cqbI-psZVi1HwOsMmPbS187MNnRXzMWp4x5yL_KlLg7HFq5be93nWeb4gPMkjcfiTnVhPJpiLB-l_xZZiOjkuLhYAHQuYSpgERcX_l_XAe9eYZ2xCghjXZAH5nbs4c1Q21AWe_JG1hX3CLd7bZnr9q80x2WIJYJjPxfi8vjEOOitqWGNqydX1OISUHcCf6-ylzkJHHR5xg0fpfTAhzZgXCp4EjONa79hEE6if38ncfTr2fzUDBUCfpkDIlokcydXJsCbN4tlUADkl6dtw_BcdW1cpjLjRRfVwsJZD9z7Qp9ezXh2KKLWjo1gR5V8VD56mNfURCUcoBS0-NTwQeXdChy1uOyQ-WzOFyqPQZThgUIWy2pi084YA18Oq9wH-f9hcI7kDFbCCCQ7jCSE7m29Qru_6H2jI=w479-h450-no

Do you have an alternative file sharer for those without a Google account?

lohcm88 · 2019-12-12 01:35:02

How about this?

piwi · 2019-12-12 13:01:02

That's better.

Fix committed to PR#896.

genexis · 2019-12-22 09:55:48

I just tried it with a relatively new HID iCLASS +65xxx 33101xxxxxx-1 SE card. As per the previous replies, this seem like a non-ISO14443B where the command HF SEARCH is not picking up anything.

Currently using Proxmark3 (the original from a few years back)
Compiled iceman's latest build from github with Makefile.platform = PM3OTHER
Flashed bootrom and firmware with the latest from iceman.

Anybody else has any break through in this?

piwi · 2019-12-22 13:58:12

You should try official repo.

NYCity25 · 2020-02-02 11:56:40

latest official firmware, noticeable improvement on iclass detection, reading speed etc, but not able to write blk or clone xxx onto some iclass cards.

the old version of legacy fobs are OK though, the new(?) version of iclass cards not able to be written onto ( default keys)

thanks

ilovepancakes · 2020-02-06 01:35:54

Can't seem to detect or do anything with iclass DL cards on latest iceman repo. It does appear to read them on latest official build. Is a fix planned to be merged into iceman build?

Proxmark3 community

Announcement

#1 2017-12-06 01:08:11

PM3 can't read iclass 2000 DL card

#2 2017-12-16 10:48:03

Re: PM3 can't read iclass 2000 DL card

#3 2018-05-16 14:01:47

Re: PM3 can't read iclass 2000 DL card

#4 2018-06-05 09:03:32

Re: PM3 can't read iclass 2000 DL card

#5 2018-06-05 14:53:18

Re: PM3 can't read iclass 2000 DL card

#6 2018-06-05 23:36:59

Re: PM3 can't read iclass 2000 DL card

#7 2018-06-10 21:51:20

Re: PM3 can't read iclass 2000 DL card

#8 2018-06-18 15:57:01

Re: PM3 can't read iclass 2000 DL card

#9 2018-07-06 06:47:50

Re: PM3 can't read iclass 2000 DL card

#10 2018-07-06 13:05:55

Re: PM3 can't read iclass 2000 DL card

#11 2018-07-07 08:45:32

Re: PM3 can't read iclass 2000 DL card

#12 2018-07-07 14:41:47

Re: PM3 can't read iclass 2000 DL card

#13 2018-07-07 15:52:30

Re: PM3 can't read iclass 2000 DL card

#14 2018-07-07 16:23:04

Re: PM3 can't read iclass 2000 DL card

#15 2018-07-07 18:13:35

Re: PM3 can't read iclass 2000 DL card

#16 2018-07-17 15:54:47

Re: PM3 can't read iclass 2000 DL card

#17 2018-07-24 12:22:21

Re: PM3 can't read iclass 2000 DL card

#18 2019-04-27 12:49:45

Re: PM3 can't read iclass 2000 DL card

#19 2019-04-28 16:07:17

Re: PM3 can't read iclass 2000 DL card

#20 2019-05-10 19:36:49

Re: PM3 can't read iclass 2000 DL card

#21 2019-05-12 04:01:07

Re: PM3 can't read iclass 2000 DL card

#22 2019-06-05 03:25:26

Re: PM3 can't read iclass 2000 DL card

#23 2019-06-24 02:57:52

Re: PM3 can't read iclass 2000 DL card

#24 2019-11-29 07:53:10

Re: PM3 can't read iclass 2000 DL card

#25 2019-11-29 20:22:05

Re: PM3 can't read iclass 2000 DL card

#26 2019-12-03 13:24:25

Re: PM3 can't read iclass 2000 DL card

#27 2019-12-03 14:20:47

Re: PM3 can't read iclass 2000 DL card

#28 2019-12-04 02:57:46

Re: PM3 can't read iclass 2000 DL card

#29 2019-12-04 17:56:05

Re: PM3 can't read iclass 2000 DL card

#30 2019-12-09 08:37:06

Re: PM3 can't read iclass 2000 DL card

#31 2019-12-11 06:26:30

Re: PM3 can't read iclass 2000 DL card

#32 2019-12-11 08:32:45

Re: PM3 can't read iclass 2000 DL card

#33 2019-12-11 10:14:05

Re: PM3 can't read iclass 2000 DL card

#34 2019-12-11 17:15:59

Re: PM3 can't read iclass 2000 DL card

#35 2019-12-12 01:35:02

Re: PM3 can't read iclass 2000 DL card

#36 2019-12-12 13:01:02

Re: PM3 can't read iclass 2000 DL card

#37 2019-12-22 09:55:48

Re: PM3 can't read iclass 2000 DL card

#38 2019-12-22 13:58:12

Re: PM3 can't read iclass 2000 DL card

#39 2020-02-02 11:56:40

Re: PM3 can't read iclass 2000 DL card