# Notes on downgrade attacks

Author [@kitsunehunter](https://gist.github.com/kitsunehunter) 2023

This is a reworked text. You can find the [original text here](https://gist.github.com/kitsunehunter/c75294bdbd0533eca298d122c39fb1bd).

The collective notes on iCLASS SR / iCLASS SE / SEOS downgrade attacks.

This document targets both Proxmark3 and Flipper Zero devices.
## Table of Contents

- [Notes on downgrade attacks](#notes-on-downgrade-attacks)
  - [Table of Contents](#table-of-contents)
  - [Terminology](#terminology)
  - [Useful links](#useful-links)
  - [Downgrade concept](#downgrade-concept)
  - [Success rate](#success-rate)
  - [Getting started](#getting-started)
    - [Verify reader has iCLASS legacy enabled](#verify-reader-has-iclass-legacy-enabled)
    - [Inspect reader with HID reader manager](#inspect-reader-with-hid-reader-manager)
    - [Verify reader has ProxII enabled](#verify-reader-has-proxii-enabled)
  - [Test files](#test-files)
  - [Simulate a standard keyed iCLASS legacy credential](#simulate-a-standard-keyed-iclass-legacy-credential)
  - [Write a downgraded iCLASS legacy credential](#write-a-downgraded-iclass-legacy-credential)
    - [Using Omnikey Reader 5427CK Gen2 and Proxmark3](#using-omnikey-reader-5427ck-gen2-and-proxmark3)
    - [Using Flipper Zero with NARD](#using-flipper-zero-with-nard)
    - [Using Weaponized HID Reader](#using-weaponized-hid-reader)
  - [Write ProxII credential to a T5577](#write-proxii-credential-to-a-t5577)
    - [Using Proxmark3](#using-proxmark3)
    - [Using Flipper Zero](#using-flipper-zero)
# Terminology

* Credential - an access token that acts as the carrier of an SIO
* SIO - Secure Identity Object
* PACS - Physical Access Control System
* PACS Payload - the binary encoded credential data
* Downgrade attack - read the PACS payload off an SIO and encode it in a less secure legacy format
* Omnikey - official HID desktop reader used to read the PACS payload off iCLASS SE and SEOS cards
* Weaponized reader - a "DIY" Omnikey reader that performs the same job as the Omnikey using an actual HID reader of the kind you might find on a wall
* NARD / SAM - SIM add-on board for the Flipper, used with an HID SAM to read iCLASS SE and SEOS
* SAM - HID Secure Access Module, responsible among other things for encoding and decoding the PACS payload inside an SIO
* T5577 - a low-frequency multi-purpose card, used as the clone card
# Useful links

[HID iCLASS Credentials tech primer](https://forum.dangerousthings.com/t/types-of-hid-iclass-cards/12243)

[What does all data on my card mean?!](https://www.hidglobal.com/doclib/files/resource_files/an0109_a.2_credential_id_markings_application_note.pdf)
# Downgrade concept

There is not much you can do with just a card and a Proxmark3 or Flipper Zero: there are no card-only attack vectors. There are reader/card vectors, but those are outside the scope of this note.

Your iCLASS SR / iCLASS SE / SEOS credential has an SIO (Secure Identity Object) that stores your access control information, also known as the PACS payload. We will need to extract the PACS payload from the SIO with one of the methods outlined below and write that data onto a Picopass or a T5577.

We are downgrading from a secure credential to a less secure legacy format.
# Success rate

Unfortunately not all readers will have iCLASS legacy enabled, and on those your **downgrade** will not work. The good news is that **most** readers are left in their default configuration with iCLASS legacy enabled, which allows us to easily take your secure credential and make a logical copy onto a less secure format. The steps below let you test whether the reader is standard keyed and will accept a downgraded credential.
# Getting started

For the next steps, you will need a `Proxmark3` or `Flipper Zero` device.

## Verify reader has iCLASS legacy enabled

Present a standard keyed iCLASS legacy credential at the reader and see if it beeps.
If the reader beeps, proceed to [Write a downgraded iCLASS legacy credential](#write-a-downgraded-iclass-legacy-credential).

To check whether your legacy credential is standard keyed:

* Proxmark3: `hf iclass dump --ki 0`; if the dump succeeds, the card uses the standard key
* Flipper Zero: `Picopass app > Read card`; check that the key is reported as standard
## Inspect reader with HID reader manager

Install [HID reader manager](https://play.google.com/store/apps/details?id=com.hidglobal.pacs.readermanager&hl=en&gl=US) and register before proceeding.

An Android phone with NFC is recommended for this step, as an iPhone can only inspect readers that are natively Bluetooth enabled or that have a BLE backpack installed as an add-on.

This method of inspection will not work if the reader has a MOB key or ELITE key.

Reader inspection is only possible on official HID readers, not on third-party readers that use HID credentials.

Click "Use NFC", hold the phone to the reader and follow the prompts. Then click "Apply template".

<img width="299" alt="Reader Manager Home Screen" src="./img/readermanager_1.png">

Click on the plus button.

<img width="298" alt="Templates" src="./img/readermanager_2.png">

<img width="299" alt="creds" src="./img/readermanager_3.png">

Make sure the switch for iCLASS is switched on (blue).

<img width="297" alt="Screenshot 2023-11-14 221005" src="./img/readermanager_4.png">

If you have successfully confirmed that iCLASS legacy is switched on, proceed to the next step.
## Verify reader has ProxII enabled

You can verify that low-frequency ProxII is enabled by using one of the following methods:

* Hold an [RF field detector](https://sneaktechnology.com/product/rf-detector-by-proxgrind-2/) at the reader and see if the RED LED flashes
* Use the Flipper RFID detector app (`apps > tools > RFID detector`) and make sure the RFID symbol is active
* Use [reader manager](#inspect-reader-with-hid-reader-manager) to inspect the reader and check whether 125 kHz Prox is enabled at the bottom of the credentials page
# Test files

Below are two dump files provided for easy testing.

- PM3 - Download [hf-iclass-dump.json](../traces/iclass/hf-iclass-dump.json)
- F0 - Download [iclass-flipper.picopass](../traces/iclass/iclass-flipper.picopass)

How to restore the dump files on each device:

- Proxmark3: run the following command to restore hf-iclass-dump.json to a Picopass card
  `hf iclass restore -f hf-iclass-dump.json --ki 0`
- Flipper Zero: drop the iclass-flipper.picopass file here and write it to a card on the Flipper
  `qflipper > SD card > apps data > picopass`
# Simulate a standard keyed iCLASS legacy credential

See [Test files](#test-files) if you need a dump to load.

Once you have loaded the file and started the simulation, hold the device to the reader. If it beeps, proceed to [Write a downgraded iCLASS legacy credential](#write-a-downgraded-iclass-legacy-credential).

- Proxmark3: `hf iclass eload -f hf-iclass-dump.json`
- Flipper Zero: drop the iclass-flipper.picopass file here and simulate it on the Flipper
  `qflipper > SD card > apps data > picopass`
# Write a downgraded iCLASS legacy credential

## Using Omnikey Reader 5427CK Gen2 and Proxmark3

1. Download the latest version of Omnikey Workbench [here](https://www3.hidglobal.com/drivers/14994)
2. Plug in the Omnikey reader
3. Start Omnikey Workbench
4. Switch the reader mode to CCID mode
5. Go to the reader upload tab
6. Use the "load file" function and load the `encoder.cfg` [config file](../traces/iclass/encoder.cfg)
7. Launch the PM3 client, place the iCLASS/Picopass card on the HF antenna and read your original card on the Omnikey reader
## Using Flipper Zero with NARD

Prerequisite: you must already have a [NARD add-on board](https://github.com/killergeek/nard) and an HID SAM.

If not, you can buy a [kit](https://www.redteamtools.com/nard-sam-expansion-board-for-flipper-zero-with-hid-seos-iclass-sam/) from the RTA webshop.

1. Launch the Seader application
   - if `credential == iClass`, use read picopass
   - if `credential == SEOS`, use read 14443A
2. Place the Flipper on the credential and read it
3. Go to the Picopass app and write your credential to a card
## Using Weaponized HID Reader

This method involves more technical steps and wiring and is recommended for advanced users. If this is your first time with RFID technology and downgrade attacks, we suggest one of the two options above.

Prerequisite: you will need the following bill of materials (BOM):
* A standard keyed iCLASS SE reader
* An ESPKEY ([GitHub project](https://github.com/rfidtool/ESP-RFID-Tool))
* Some 20-24 AWG wire or ethernet cable
* Your preferred power source (5-9 V)

The easiest way is to buy an [ESPKEY](https://www.aliexpress.com/item/32850151497.html).

1. Connect `Data 0, Data 1, Ground, Power` to the respective terminals on the ESPKEY
2. Provide 5-9 V power to the reader and the ESPKEY at the same time using your preferred power source

IT IS ABSOLUTELY NECESSARY THAT THE READER AND ESPKEY SHARE THE SAME GROUND, EVEN IF YOU ARE POWERING THE ESPKEY AND READER SEPARATELY

3. Connect to the ESPKEY's Wi-Fi network and navigate to `192.168.1.1` for the interface
4. Scan your credential on the reader
5. Open `log.txt` and copy the binary string WITHOUT the preamble
6. Use `hf iclass encode --bin <COPIED BINARY STRING> --ki 0` to encode the PACS payload onto an iCLASS legacy card
# Write ProxII credential to a T5577

Note! Downgrading to a T5577 will only work if the reader has low frequency (125 kHz) / Prox II enabled.
A good indicator to look out for is the "multiCLASS" sticker on the reader.

## Using Proxmark3

1. Copy the raw PACS binary from your [Omnikey](#using-omnikey-reader-5427ck-gen2-and-proxmark3) output
2. PM3: `wiegand decode --bin <raw PACS binary>`

Below is example syntax; you will use your own card information gathered in the previous step.

3. `lf hid clone -w c1k48s --fc 69 --cn 69420`
4. `lf hid reader` to verify the output
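A worked version of the decode step above, as an added example that is not part of the original notes or of the Proxmark3 tooling. It parses the 26-bit H10301 Wiegand layout (the most common HID format, chosen here as an assumption in place of the C1k48s format in the command above), verifies both parity bits so a mis-copied bit string is rejected rather than silently yielding a wrong facility code and card number, and re-encodes a facility code / card number pair so the two can be compared. The sample bit string is constructed for this example.

```python
# Added example: decode / encode a 26-bit H10301 Wiegand PACS payload.
# Bit layout, MSB first: [0] even parity over bits 1-12, [1-8] facility
# code, [9-24] card number, [25] odd parity over bits 13-24.
from dataclasses import dataclass


@dataclass
class H10301:
    facility_code: int  # 8 bits
    card_number: int    # 16 bits


def _parity(bits: str) -> int:
    """1 if the number of set bits is odd, else 0."""
    return bits.count("1") & 1


def decode_h10301(bits: str) -> H10301:
    """Parse a 26-character binary string; reject bad length or parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character binary string")
    if int(bits[0]) != _parity(bits[1:13]):
        raise ValueError("leading even-parity bit does not match")
    if int(bits[25]) != (_parity(bits[13:25]) ^ 1):
        raise ValueError("trailing odd-parity bit does not match")
    return H10301(int(bits[1:9], 2), int(bits[9:25], 2))


def encode_h10301(card: H10301) -> str:
    """Build the 26-bit string (what the reader would send over Wiegand)."""
    if not 0 <= card.facility_code < 256 or not 0 <= card.card_number < 65536:
        raise ValueError("field out of range for H10301")
    body = f"{card.facility_code:08b}{card.card_number:016b}"  # bits 1-24
    even = _parity(body[:12])        # bit 0 covers bits 1-12
    odd = _parity(body[12:]) ^ 1     # bit 25 covers bits 13-24
    return f"{even}{body}{odd}"


if __name__ == "__main__":
    # Constructed sample: FC 69, CN 1337 (not a real credential).
    sample = "10100010100000101001110011"
    card = decode_h10301(sample)
    print(f"FC={card.facility_code} CN={card.card_number}")
    assert encode_h10301(card) == sample
```

A string copied from the Omnikey or ESPKEY output that fails the parity check was either truncated, still carries its preamble, or belongs to a different format, so check the bit count before assuming the facility code and card number are right.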
## Using Flipper Zero

1. Read your credential with [NARD / Seader](#using-flipper-zero-with-nard)
2. Select the `save RFID` option
3. Use the 125 kHz RFID app and write the data to a T5577