Before we begin:
HID iCLASS Credentials tech primer
What does all this shit on my card mean?!
Key Terms:
- SIO - Secure Identity Object
- PACS - Physical Access Control System
- Encoding - Writing binary data to a credential
- Logical copy - Not a 1:1 copy, since we can only read the binary data off the SIO and encode it as a legacy format, but it should work regardless
- Omnikey - Official HID desktop reader to read PACS binary off iCLASS SE and SEOS
- Weaponized reader - "DIY" Omnikey reader to perform the same job as the Omnikey using an actual HID reader you might find on a wall
- NARD & SAM - Optional add-on for Flipper to read iCLASS SE and SEOS and perform downgrade attacks
- PM3 - Proxmark 3
- F0 - Flipper Zero
- SAM - Ur fuckin uncle. HID Secure Access Module for decoding PACS data on a SIO
There is not much you can do with just a Proxmark 3 or Flipper Zero (without going into semi-offline / remote attacks).
Your iCLASS SE or SEOS credential has a SIO (Secure Identity Object) that stores your access control information, also known as the PACS data. We will need to extract the SIO, which contains the PACS data, with one of the methods outlined below and encode that data onto an iCLASS legacy credential.
Unfortunately not all readers will have iCLASS legacy enabled, and on those your downgrade will not function. The good thing is that most readers are left in their default configuration with iCLASS legacy enabled, which allows us to easily take your secure credential and make a logical copy onto a less secure format. We can easily test if the reader is standard keyed and will accept a credential downgrade attack with the steps below.
If the reader beeps, proceed to encoding a downgraded iCLASS legacy credential.
To check if your credential is standard keyed:
- PM3: hf iclass dump --ki 0 (if it dumps, the card is standard keyed)
- F0: Picopass app > Read card, then check if key == standard
To encode a standard keyed iCLASS legacy credential to test:
- PM3: hf iclass encode --bin 110000000000000001000101000000100001111001011000 --ki 0 (encodes iclass_dump.json to card)
- F0: qFlipper > SD card > apps data > picopass, drop the .picopass file here and write to card on the Flipper
Hold the device to the reader. If it beeps, proceed to encoding a downgraded iCLASS legacy credential.
Or simulate the test credential instead of writing it:
- PM3: hf iclass eload -f iclass_dump.json, then hf iclass sim -t 3
- F0: qFlipper > SD card > apps data > picopass, drop the .picopass simulation file here and simulate on the Flipper
An Android phone with NFC is recommended for this next step, as an iPhone can only inspect readers that are Bluetooth enabled natively or have a BLE backpack installed as an add-on. This method of inspection (with the HID Reader Manager app) will not work if the reader has a MOB key or ELITE key. Reader inspection is only possible on official HID readers, not third party readers using HID credentials.
- Click "use NFC", hold the phone to the reader and follow the prompts
- Click on "apply template"
- Click on the plus button
- Click on "credentials"
- Make sure the switch for iCLASS is switched on (blue)
If you have successfully confirmed that iCLASS legacy is switched on, you can proceed to the next step, which is encoding a downgraded iCLASS legacy credential.
Omnikey method:
- Download the latest version of Omnikey Workbench here
- Plug in the Omnikey reader
- Start Omnikey Workbench
- Switch reader mode to CCID mode
- Go to the reader upload tab
- Use the "load file" function and load the encoder.cfg config file
- Launch the PM3 client, place an iCLASS/Picopass card on the HF antenna and read your original card on the Omnikey reader
- Press enter
NARD & SAM method:
Before proceeding, I will assume you already have a NARD add-on board and SAM card, and have installed it correctly without letting the blue smoke out 🔥
- Launch the Seader application
  - if credential == iCLASS, use read picopass
  - if credential == SEOS, use read 14443A
- Place the credential on the Flipper and read
- Save as picopass
- Go to the Picopass app and write your downgraded iCLASS credential to an iCLASS card
Weaponized reader method:
BEFORE YOU BEGIN. This method involves more technical steps and wiring, and is recommended for advanced users. If this is your first time with RFID technology and downgrade attacks, we suggest either of the two options above.
To begin, you will need the following bill of materials:
- Any standard keyed iCLASS SE reader
- ESP-RFID-TOOL
- Some 20-24 AWG wire or ethernet cable
- Your preferred power source (5-9V)
Steps:
- Connect Data 0, Data 1, Ground and Power to the respective terminals on the ESP-RFID-TOOL
- Provide 5-9V power to the reader and ESP-RFID-TOOL at the same time using your preferred power source
IT IS ABSOLUTELY NECESSARY THAT THE READER AND ESP-RFID-TOOL SHARE THE SAME GROUND EVEN IF YOU ARE POWERING THE ESP-RFID-TOOL AND READER SEPARATELY
- Connect to the wifi network ESP-RFID-TOOL and navigate to 192.168.1.1 for the interface
- Scan your credential on the reader
- Open log.txt and copy the binary string WITHOUT the preamble
- Use the above instructions and encode the binary Wiegand data to an iCLASS card using PM3
Prox (125kHz) downgrade:
STOP. This will only work if the low frequency field (125kHz) is active on your reader. A good indicator to look out for is the "multiCLASS" sticker on the reader.
You can check if the LF field is active by using one of these methods:
- Hold an RF field detector at the reader and see if the red light flashes
- Use the Flipper RFID detector app (apps > tools > RFID detector) and make sure the RFID symbol is active
- Use Reader Manager, inspect the reader and check if 125kHz prox is enabled at the bottom of the credentials page
Apply SEOSauce® directly to the reader and see if it boils immediately
- Copy the raw PACS binary from your Omnikey output
- PM3: wiegand decode --bin <raw PACS binary>
Below is example syntax; you will use your specific card information gathered in the previous step.
- PM3: lf hid clone -w c1k48s --fc 69 --cn 69420
- PM3: lf hid reader to verify output
On the Flipper instead:
- After reading your credential with Seader in the instructions above, select the "save RFID" option
- Use the 125kHz RFID app and write the data to a T5577
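To see what the PACS binary from the steps above actually carries, here is an added Python decoder (example code, not from the page, Proxmark or HID) that pulls the facility code and card number out of a Wiegand bit string, which is handy when auditing what a reader forwards to the controller. The C1k48s field positions are checked against the page's own sample (FC 69, CN 69420); the 26-bit H10301 entry and its parity rule are added from the public format, and because the page does not state the C1k48s parity coverage, that format's parity is deliberately left unchecked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    start: int   # index of the first bit; bit 0 is the first bit on the wire
    length: int  # number of bits, most significant first

@dataclass(frozen=True)
class Format:
    name: str
    length: int
    fc: Field
    cn: Field
    parity: tuple  # (parity bit index, range of covered bits, odd?) entries

FORMATS = {
    # HID H10301 (standard 26-bit): public layout, parity rules well known.
    "H10301": Format("H10301", 26, Field(1, 8), Field(9, 16),
                     ((0, range(1, 13), False), (25, range(13, 25), True))),
    # HID Corporate 1000 48-bit: FC/CN positions verified against the page's
    # sample (FC 69 / CN 69420). Bits 0, 1 and 47 are parity bits, but their
    # coverage is not given on the page, so they are left unchecked (assumption).
    "C1k48s": Format("C1k48s", 48, Field(2, 22), Field(24, 23), ()),
}

def _field(bits, f):
    return int(bits[f.start:f.start + f.length], 2)

def decode(bits, fmt_name):
    """Decode a '0'/'1' string (no preamble) into fc, cn and a parity verdict."""
    fmt = FORMATS[fmt_name]
    if len(bits) != fmt.length or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {fmt.length} bits of 0/1 for {fmt.name}")
    ok = True
    for index, covers, odd in fmt.parity:
        ones = sum(bits[i] == "1" for i in covers)
        # the parity bit is set iff it is needed to make the covered count odd (or even)
        expected = (ones % 2 == 0) if odd else (ones % 2 == 1)
        ok = ok and (bits[index] == "1") == expected
    return {"fc": _field(bits, fmt.fc), "cn": _field(bits, fmt.cn), "parity_ok": ok}

# The page's own C1k48s sample from the iCLASS encode step above.
SAMPLE_C1K48S = "110000000000000001000101000000100001111001011000"
# Constructed H10301 message for FC 69 / CN 1337, parity bits included.
SAMPLE_H10301 = "10100010100000101001110011"

if __name__ == "__main__":
    print(decode(SAMPLE_C1K48S, "C1k48s"))  # fc 69, cn 69420
    print(decode(SAMPLE_H10301, "H10301"))  # fc 69, cn 1337, parity_ok True
```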
Testing out readers to see if a standard user (random person with the HID Reader Manager app) can enable legacy mode. For me it is grayed out and says only an admin or HID can enable legacy modes. Is there a way to reset the reader or force enable the legacy mode? Thank you!