Research, development and trades concerning the powerful Proxmark3 device.
Hello,
I tried the loclass sim attack a few times using the pm3 RDV4.0 (firmware up to date), which worked with other readers, but this reader shows the following error. Here's the trace:
[usb] pm3 --> hf iclass sim 2
[=] Starting iCLASS sim 2 attack (elite mode)
[=] press Enter to cancel
#db# [+] going into attack mode, 9 CSNS sent
#db# [+] CSN: 01 .... e0 OK
#db# [+] CSN: 0c .... e0 OK
#db# [+] CSN: 10 .... e0 OK
#db# [+] CSN: 13 .... e0 OK
#db# [+] CSN: 07 .... e0 OK
#db# [+] CSN: 14 .... e0 OK
#db# [+] CSN: 17 .... e0 OK
#db# [+] CSN: ce .... e0 OK
#db# [+] CSN: d2 .... e0 OK
[+] 9 out of 9 MAC obtained [OK]
[+] saved 216 bytes to binary file iclass_mac_attack-8.bin
[usb] pm3 --> hf iclass sim 4
[=] Starting iCLASS sim 4 attack (elite mode, reader in key roll mode)
[=] press Enter to cancel
#db# [+] going into attack keyroll mode, 9 CSNS sent
#db# [+] CSN: 01 .... e0 OK
#db# [+] CSN: 01 .... e0 OK
#db# [+] CSN: 0c .... e0 OK
#db# [+] CSN: 0c .... e0 OK
#db# [+] CSN: 10 .... e0 OK
#db# [+] CSN: 10 .... e0 OK
#db# [+] CSN: 13 .... e0 OK
#db# [+] CSN: 13 .... e0 OK
#db# [+] CSN: 07 .... e0 OK
#db# [+] CSN: 07 .... e0 OK
#db# [+] CSN: 14 .... e0 OK
#db# [+] CSN: 14 .... e0 OK
#db# [+] CSN: 17 .... e0 OK
#db# [+] CSN: 17 .... e0 OK
#db# [+] CSN: ce .... e0 OK
#db# [+] CSN: ce .... e0 OK
#db# [+] CSN: d2 .... e0 OK
#db# [+] CSN: d2 .... e0 OK
[+] 18 out of 18 MAC obtained [OK]
[+] saved 216 bytes to binary file iclass_mac_attack_keyroll_A.bin
[+] saved 216 bytes to binary file iclass_mac_attack_keyroll_B.bin
[usb] pm3 --> hf iclass loclass f iclass_mac_attack-8.bin
[+] loaded 216 bytes from binary file iclass_mac_attack-8.bin
----------------------------
[=] Bruteforcing byte 1
[=] Bruteforcing byte 0
[=] Bruteforcing byte 69
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32,
33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64,
65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80,
81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96,
97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112,
113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,
129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,
145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,
161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,
177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,
193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,
209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,
225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,
241,242,243,244,245,246,247,248,249,250,251,252,253,254,255, 0,
[!] Failed to recover 3 bytes using the following CSN
[!] CSN = 01 0A 0F FF F2 FF 15 E0
[+] time: 105 seconds
[!!] loclass exiting. Try run `hf iclass sim 2` again and collect new data
Does anybody know why this error, "Failed to recover 3 bytes using the following CSN", occurs, and a possible solution to extract the key?
Not really.
How sure are you that the reader in question was configured to use Elite / High security?
It's definitely not an SE reader. The credential itself is not an SE; the AA2 block 5 was FFFFFFFFFFFFFFFF.
The HID Masterkey didn't authenticate the credential either, which leads me to believe the reader could be configured for Elite? Could you correct me if I'm wrong?
Last edited by prox_students (2019-12-12 20:57:33)
Maybe you can write a list of possible iClass keys and make a tool to automatically check each one ^_^
You mean like
hf iclass chk
Sorry, my bad. The reader is an SE reader. So far the findings are:
- The reader is an SE reader. Unknown whether it's configured for Elite.
- The sim 2 attack works, but loclass fails.
- The credential is NOT an SE, based on AA2 block 5 being FFFFFFFFFFFFFFFF as read by the RW400.
- The PM3 RDV4 iceman fork (latest firmware) does not detect the credential at all, at different angles. The antenna is functioning well; hf iclass reader was tried.
I just found a thread from iceman suggesting to use the lookup command here.
But I am having trouble finding the e-purse and MAC values, as the sim 2 & 4 attacks only output the CSN. It's also problematic that my pm3 doesn't detect the tag at all. I've tried other iClass tags and the pm3 detects all of them, but not this problematic tag. This tag authenticates fine with the installed reader, so there's no issue with the tag itself.
Any help would be appreciated!
The sim 2 itself doesn't mean anything. It's just the data-collecting part of the loclass attack. When you run the offline part, you see whether it actually worked.
Right now you seem to speculate much. I would suggest you start reading the datasheets and get started from there.