Hacking iClass for Fun, Door-Entry and a Free Lunch. iClass has been broken in the public domain since approximately 2010 when Meriac published his findings at the 27th CCC in Berlin with the Heart of Darkness White-paper. But why does there appear to be limited support for hacking these cards within the community? The cards have been in the industry since 2001, boasting stronger security then the original Mifare. Since the Heart of Darkness publication HID Global appear to have pulled all their public documentation, and now you have to sign NDA’s go get the documentation needed to learn more about these cards. Also the HID RW300 Rev A Reader Meric exploited is now in short supply. There are a few other readers on eBay etc; but they are typically Rev B or C, which use a different micro-controller that isn’t vulnerable to the same attack Meriac used to extract HID’s Master Authentication & Decryption Keys – which are still in use today!
After patiently stalking eBay and other tech recycling companies; I was lucky enough to obtain a single HID RW300 Rev A, this post will walk through the exploit used to obtain the keys, and follow Meriac’s initial research and exploits.
Breaking iClass has made me more determined in recent weeks, due to my increased involvement with clients using standard iClass security…
An Unsuccessful Quick Hack
With only one Reader I initially tried following the iclass-dump post from Foundstone. I’m used to bit-banging with Arduino and FTDI cables so though this would be a quick exploit. After weeks of dumping 0’s I was beginning to think that either my reader was broken or that I was doing something wrong? I swapped Operating Systems, FTDI cables, even coded my own bit-banging program before giving-up. At this point I new nothing was wrong with my reader, that the relationship (or speed of communication) between the RW300 and my computers was off. The ICSP protocol on the micro-controller (PIC18F452) is very particular about the speed responses, a fraction of a second off, and you fail to talk to the device.
Hacking – the Right Way
With this method abandoned, I turned back to the Proxmark3 forums, where I was advised to follow the Heart of Darkness whitepaper; but I only had one reader!
In the end I managed to borrow a reader from a friend! which allowed me to successfully dump the RW300’s memory (further down the page).
I purchased a Pickit2 Starter Kit from eBay, and started to play around with their demo’s to familiarise myself with the PIC chipset and the Pickit2 device. I ordered some Male-2-Male Jumper wire from Adafruit. To easily swap the Pin 1 (MCLR) and Pin 3 (VPP), and connected the Pickit2 to the RW300 Rev A (notice in the picture below, that the black and grey cables on one end are the other way around), I did not bother with any extra voltage like the iclass-dump posting; I Just relied on the voltage/ampage coming natively out of my USB port and and Pickit2 programmer.
Trying to read the EEPROM resulted in:
I turned back to ‘Heart of Darkness’ where they used an FTDI cable and compiled the pic18-icsp programs (available in http://www.openpcd.org/git-view/iclass-security/) to dump the firmware. So I broke out my FTDI cable, once again hooked it up then successfully dumped the firmware (blocks 0-3) on one device, and the boot block on another. Then I reused the device with the wiped firmware and the intact boot loader; it now has a lot of free space since I wiped the firmware, I could now reuse this device again ( second time) to dump the EEPROM.
With all 3x dumps I could stitch the completed firmware back together (just like humpty-dumpty) and then use bin2hex (http://www.bialix.com/intelhex/) to convert the binary dump to an intel hex file – ready for flashing!
With the assembled dump & .hex file I next opened up the Pickit2 Programmer software. Selected my chipset (PIC18F452), clicked the “Auto Import Hex + Write Device” button, and selected my manufactured .hex file. And successfully flashed the Reader! Now to swipe a card under the reader and read the EEPROM.
The Reader beeped , and the LEDs flashed indicating everything is working correctly…
…except the EEPROM dump failed!
I forgot that I had left on both ‘Code Protect’ and ‘Data Protect’ from the Pickit2’s Tools Menu. Doh! So I boxed up that Reader and posted it back to my friend (it being in its original condition). I had the binary .hex file so re-flashed ‘my’ reader (this time turning off code protection and data protection). Powered up the reader, read a card to ensure it was working (beeps and LEDs flashing – bingo). Then proceeded to dump the EEPROM. The information in the ‘Heart of Darkness’ paper was right. I now had the MASTER KEYS I’d been trying so hard to retrieve.
Note: No keys are shown in the screenshot above!
Hack Complete – Reading iClass Cards
I then turned to Meriac’s CopyClass program (from http://www.openpcd.org/git-view/iclass-security/), entered the keys compiled the program to read my iClass card with HIDs Omnikey 5321 Reader.
I then decided to add to Meriac’s Code to help me to quickly dissect iClass tags and display the meaning of various bytes.
My slightly improved version looks like:
It should auto-detect between 2K and 16K cards, you can use the ‘choose book’ to read different pages/books stored on the card. And hopefully all sectors with data should automatically decrypt (provided you have the right key!). The code is available within PenturaLabs’ github repository: https://github.com/PenturaLabs/iClassReader
At this point I would like to thank Roel Verdult, Flavio D. Garcia, Milosch Meriac and Carl(http://www.proxclone.com); for their patience, quick respones to questions, guidance and support. Also thanks to my mate who wishes to remain anonymous for supplying the second RW300 RevA Reader.