micsen/iClass.md

## iClass.md

      
    Raw
  

              iClass.md
            
          
    iClass


More details: https://forum.dangerousthings.com/t/types-of-hid-iclass-cards/12243
SE to legacy Downgrade guide: https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/hid_downgrade.md
More information about data layout: https://web.archive.org/web/20220727184834/http://www.proxmark.org/files/proxclone.com/Spoofing_iClass_rev2.pdf

Legacy

Picopass hardware.  The PACS is blocks 6, 7, 8, 9.  6 is a config, 7 is the pacs data, but can overflow to 8.  9 has PIN, if applicable.
7, 8, 9 can be encrypted and if 3des, the key is 16 bytes and leaked.  This is not the same as the key to read data from the card.
Keys to read data (even if encrypted) off card

These are 8 bytes


Standard
This has been leaked.  You can copy the 6-9 blocks between cards without decryption to duplicate credential


Elite
Sometimes thought of as 'custom', but by defintion these are generated by HID.  There is a list of ~700 that as been leaked from iCopyX (https://pastebin.com/KWcu0ch6).
The loclass attack can be used to derive the key from sample emulated UIDs.  It is rumored some readers have been upgraded to block the default UIDs, but others can be generated.


Custom
These are keys the customer generates.  Some of the keys in the iCopyX leak (https://pastebin.com/KWcu0ch6) might be custom keys.  If the key is long (AES length) the SE KDF is used; If the key is short (64bit), the standard KDF is used.  This means loclass won't work against custom keyed systems.


Data layout

Block 6: Config

TL;DR: if the last byte is 0x17 then block 7, 8, 9 are encrypted. Use https://iclass.ericbetts.dev/ to decrypt
b7 >> 4 & 0xF -> ApplicationSubType 1=Standard, 2=Config, other values reserved for future use
b7>>2 & 0x3 -> ApplicationType 1=AccessControl, 2=ConfigCardBase, 3=ConfigCardExtension, 0=RFU
b7 & 0x03 -> EncryptionType, 0=None, 1=DES, 2=2K3DES, others RFU
b6>>7 & 0x01 -> HasSentinelBit Flag
b6>>5 & 0x03 -> UserIDBlockOffset
b6 & 0xF -> PinSize
b5 & 0x3 -> PasswordEncryptionType, 0=None, 1=DES, 2=2K3DES, others RFU
b5>>2 & 0x3 -> FolderNumber
b4>>5 & 0x7 -> PageNumber
b4 & 0x1F -> BlockNumber

Block 7

PACS bits with sentinel bit (unless pacs continued in next block)
Block 8

PACS bits continued
Block 9

other stuff and PIN
SR

Transitional credential.  Keys and block 6, 7, 8, 9 are like Legacy, but there is a SIO (like SE) blocks 10+
SE

Standard key and KDF have not been leaked.  The loclass attack doesn't work.  The contents of 6+ are an SIO (Secure Identity Object).  Can be Standard or Elite keyed like Legacy.
See also
So, you correctly identified you have a iClass SE or SEOS credential.
Seos

Not picopass.  Javacard (smartcard), 14443a (aka NFC-A).  Contains an SIO, but cannot be accessed without HID reader
See also
So, you correctly identified you have a iClass SE or SEOS credential.

  
## readers.md

      
    Raw
  

              readers.md
            
          
reader
prox
iclass
MFC
iClass SR
MFC SR
iClass SE
MFC SIO
Desfire
Seos


prox
X


iClass

X
X
X
X


multiClass
X
X
X
X
X


iClass SE

X
X
X
X
X
X
X
X


multiClass SE
X
X
X
X
X
X
X
X
X


Signo
X
X
X
X
X
X
X
X
X
reader	prox	iclass	MFC	iClass SR	MFC SR	iClass SE	MFC SIO	Desfire	Seos
prox	X
iClass		X	X	X	X
multiClass	X	X	X	X	X
iClass SE		X	X	X	X	X	X	X	X
multiClass SE	X	X	X	X	X	X	X	X	X
Signo	X	X	X	X	X	X	X	X	X