Bluetooth Hacking?
Talk:HID iClass demystified

From OpenBeacon

(Redirected from User talk:Milosch)
Jump to: navigation, search

Q: Is it possible to write and copy HID iCLASS cards using Omnikey 5321 or 6321 USB desktop readers?

A: Yes - Currently all iCLASS Standard Security cards can be written and copied with the keys we extracted. The Omnikey 5321/6321 Readers firmware supports the Standard Security card protocol. If you don't have the Standard Security keys yet, you can extract the authentication and encryption key from a reader.

As a proof-of-concept we published the CopyClass software for Omnikey 5321 or 6321 USB desktop readers. Please install OMNIKEY synchronous API drivers first before using this software.

Q: Where can I find the CopyClass windows software seen in the whitepaper and where do I get the source code?

A: Read the CopyClass source code to understand how that software works. The Code is available in zip and tar.bz2 format.

Q: That nice, but in fact actually it's impossible to buy a machine able to make a copy ?

A: You only need the standard Desktop USB Omnikey Readers 5321/6321 to make a copy manually. You don't even need a special software, but only the extracted authentication key. A copy can be made using the free ContactlessDemoVC.exe (see Fig. 10 and Table III on page 6). This process can be fully automated in software.

Q: Where can I find ContactlessDemoVC.exe?

A: ContactlessDemoVC.exe is part of the CardMan Synchronous API SDK v1.1.1.4 and can be downloaded for free at

Q: Does a a stand-alone machine exist to copy iCLASS cards?

A: Not to our knowledge. I don't think someone created a machine without the need of a computer yet for copying these cards. The reason is that the protocol is not know well enough yet for building a custom RFID reader. Till then such a machine can be only built around existing OMNIKEY readers that provide iCLASS support.

Q: Do I need un-programmed iCLASS cards for cloning Standard Security iCLASS cards ?

A: No - any programmed standard security card can be used and re-programmed. It doesn't matter that the card serial number is different, as this number is not transmitted to the back-end. The only numbers transmitted can be modified freely (facility code, card number, counter etc.) by using an Omnikey reader and the extracted authentication and encryption keys.

The difference between an un-programmed card and a programmed card is only the authentication key. This means if you want to use un-programmed cards, you need to change the authentication key first. Conveniently the Omnikey API helps provides a key derivation API call that allows you to update the key to any Standard Security Key Derivation compatible key.

If you already have card standard security cards, this step is not needed any more - just copy the content there and update the counter value if needed to clone any Standard Security iCLASS card.

Q: What are the implications of the 13.56MHz iCLASS findings for 125KHz HID Prox ?

None - the older LF (125KHz) HID Prox card system don't support encryption. These LF tags can be easily read out and simulated using cheap micro controller based devices. Both system don't share any similarities.

Q: Having a TTL-232R-5V-WE and a 2-way switch to switch between 12V PPP programming voltage and 5V programming voltage manually - what the kind of connector to use plugging into the reader?

A simple 0.1" header will do.

Q: Where to find the software used to capture the necessary information to extract the security Keys?

The Code is available in zip and tar.bz2 format - see the pic18-ics & firmware-dumper directory. The iCLASS high security keys are kept in EEPROM near the standard security key in the case of RW400 readers.

Q: Can I use the extracted high security keys with a standard Omnikey USB desktop reader?

As the Omnikey-Reader doesn't support High Security Key derivation, you can't use the extracted keys directly. You can although store the extracted keys into another RW400 reader to read and decrypt high security cards using the same key. The data transmitted on the RS232 port is a raw copy of the authentication sectors. Store that information to a new standard security card an use a second reader in key rolling mode mode and the extracted keys you can create card copies by switching the standard security key to the High Security key extracted.