iclass Card Cloning using an RW300 Reader/Writer



Similar documents
MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

Gemalto Mifare 1K Datasheet

E-Blocks Easy RFID Bundle

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

SPI. Overview and Use of the PICmicro Serial Peripheral Interface. Getting Started: SPI

ACER ProShield. Table of Contents

Exercise 1: Set up the Environment

Hi Hsiao-Lung Chan Dept Electrical Engineering Chang Gung University, Taiwan

Lecture N -1- PHYS Microcontrollers

Serial Communications

Table 1 below is a complete list of MPTH commands with descriptions. Table 1 : MPTH Commands. Command Name Code Setting Value Description

UM0853 User manual. 1 Introduction. M24LRxx application software user guide

Securing Host Operations with a Dedicated Cryptographic IC - CryptoCompanion

Develop a Dallas 1-Wire Master Using the Z8F1680 Series of MCUs

How To Program A Microcontroller Board (Eb064) With A Psp Microcontroller (B064-74) With An Ios 2.5V (Power) And A Ppt (Power Control) (Power Supply) (

8051 MICROCONTROLLER COURSE

Interface Protocol v1.2

Using The PIC I/O Ports

RFID MODULE Mifare Reader / Writer SL032 User Manual Version 1.5 Nov 2012 StrongLink

Development Kit EM4095 User s Manual

PC Base Adapter Daughter Card UART GPIO. Figure 1. ToolStick Development Platform Block Diagram

Microcontroller Code Example Explanation and Words of Wisdom For Senior Design

USB Card Reader Interface User Manual

Microtronics technologies Mobile:

An Introduction to MPLAB Integrated Development Environment

I 2 C Master Mode Overview and Use of the PICmicro MSSP I 2 C Interface with a 24xx01x EEPROM

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Programming Flash Microcontrollers through the Controller Area Network (CAN) Interface

advant advanced contactless smart card system

Chapter 13. PIC Family Microcontroller

Design And Implementation Of Bank Locker Security System Based On Fingerprint Sensing Circuit And RFID Reader

AUTOMATIC NIGHT LAMP WITH MORNING ALARM USING MICROPROCESSOR

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

RFID MODULE Mifare Reader / Writer SL031 User Manual Version 2.7 Nov 2012 StrongLink

NACCU Migrating to Contactless:

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

PIC Programming in Assembly. (

RFID MODULE Mifare Reader / Writer SL025B User Manual Version 1.4 Nov 2012 StrongLink

Measurement and Analysis Introduction of ISO7816 (Smart Card)

Using RFID Techniques for a Universal Identification Device

Reverse engineering hardware for software reversers: studying an encrypted external HDD

Byte code Interpreter for 8051 Microcontroller

IP Card Reader Interface User Manual

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING Question Bank Subject Name: EC Microprocessor & Microcontroller Year/Sem : II/IV

Security & Chip Card ICs SLE 44R35S / Mifare

RN-131-PICTAIL & RN-171-PICTAIL Web-Server Demo Application

iclass MHz Contactless Cards and Readers ACCESS SECURE IDENTITY

USER GUIDE EDBG. Description

ROM Monitor. Entering the ROM Monitor APPENDIX

Brunata Optuna W (171)

RFID MODULE Mifare Reader / Writer SL030 User Manual Version 2.6 Nov 2012 StrongLink

Data Acquisition Module with I2C interface «I2C-FLEXEL» User s Guide

Parallax Serial LCD 2 rows x 16 characters Non-backlit (#27976) 2 rows x 16 characters Backlit (#27977) 4 rows x 20 characters Backlit (#27979)

USING MIFARE CLASSIC TAGS VERSION

Tutorial for MPLAB Starter Kit for PIC18F

DsPIC HOW-TO GUIDE Creating & Debugging a Project in MPLAB

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

ACR122 NFC Contactless Smart Card Reader

ET-BASE AVR ATmega64/128

2.0 Command and Data Handling Subsystem

USB - FPGA MODULE (PRELIMINARY)

Using the HCS12 Serial Monitor on Wytec Dragon-12 boards. Using Motorola s HCS12 Serial Monitor on Wytec s Dragon-12 boards

C8051F020 Utilization in an Embedded Digital Design Project Course. Daren R. Wilcox Southern Polytechnic State University Marietta, Georgia

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Bluetooth HID Profile

Time Clock V1.2 User Manual. Time Clock V1.2. User Manual. Page 1.

Knowledge Base Article. Integrating ISONAS Access Control System with TagMaster LR-series RFID Readers

Version Date Author Description Jpo First version Jpo FET output descriptions made clearer

USB Portable Storage Device: Security Problem Definition Summary

Access Control Using Smartcard And Passcode

USB Card Reader Configuration Utility. User Manual. Draft!

Evo Laser Firmware Developer s Manual

Real-Time Application Surveillance Security System Based on LabVIEW

AVR Butterfly Training. Atmel Norway, AVR Applications Group

BLUETOOTH SMART CABLE REPLACEMENT

Application Programming Interface

Sample Project List. Software Reverse Engineering

USB Portable Storage Device: Security Problem Definition Summary

SL-8800 HDCP 2.2 and HDCP 1.x Protocol Analyzer for HDMI User Guide

EMV (Chip-and-PIN) Protocol

R&D Access Touch 3.1 User Manual Version 1.00 Public 1 (13) User Manual. Access Touch 3.1

Smart Cards and Biometrics in Physical Access Control Systems

Opgui and OpenProg user s guide. v.1.2

Application Note. Introduction AN2471/D 3/2003. PC Master Software Communication Protocol Specification

SKP16C62P Tutorial 1 Software Development Process using HEW. Renesas Technology America Inc.

Time Attendance V1.0

Nemo 96HD/HD+ MODBUS

W.A.R.N. Passive Biometric ID Card Solution

Data sheet Wireless UART firmware version 4.02

Serial Communications

udrive-usd-g1 Embedded DOS micro-drive Module Data Sheet

Overview of the LTC2978 Configuration EEPROM (NVM) Revision 1.0

MF1 IC S General description. Functional specification. 1.1 Contactless Energy and Data Transfer. 1.2 Anticollision. Energy

PMAfob Home Automation Demo

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

KTA-223 Arduino Compatible Relay Controller

Introducing etoken. What is etoken?

Aegis Padlock for business

SKYEMODULE GEMINI DATASHEET VERSION

Fondamenti su strumenti di sviluppo per microcontrollori PIC

Transcription:

Background The HID iclass family of 13.56 Mhz Contactless readers and cards was introduced over a decade ago with the primary goal of eliminating some of the security concerns that existed with the older 125Khz Proximity technology. The state-of-the-art iclass technology supported new features such as mutual authentication and Triple DES encryption to improve security and reduce the possibility of card duplication. The contactless cards themselves utilize an embedded chip technology called "PicoPass" from a French company by the name of Inside Secure http://www.insidesecure.com/. These chips basically consist of a small EEPROM memory and a simple state machine controller that is used to interact with a card reader using the ISO 14443B and ISO 15693 protocols. All data stored on iclass cards is secured by Authentication Keys. A Key is basically a password used to protect data from being read or changed without authorization. The iclass cards and readers use 64-bit keys (56 key bits plus 8 parity bits). One authentication key is used to protect each of the card s Application Areas. Two encryption keys are used to support TDES encryption of the transferred data. Since its introduction, numerous articles have been written by HID and other security industry experts who have all described the technology as "Extremely Secure" and "Difficult to Clone". Those kinds of words are usually interpreted by the hacking community as an open challenge to explore the technology and to identify and exploit any vulnerabilities that are found to exist. As a result, within the last year at least two excellent papers have been written that describe how to exploit the iclass technology. These papers discuss various methods of recovering the HID's secret authentication and encryption keys that are used with HID's "Standard Security" mode of operation and which are globally installed in all of their readers. The extraction of these keys leads to the ability to duplicate any of the "Standard Security" iclass cards that exist in the market today. The two previously published papers can be found here: Heart of Darkness- exploring the uncharted backwaters of HID iclass security http://www.openpcd.org/hid_iclass_demystified Exposing iclass Key Diversification http://www.usenix.org/events/woot11/tech/final_files/garcia.pdf Project Goals Since I am a hardware engineer by trade with no C/C++ programming experience and no C/C++ development tools I was unable to capitalize on the source code provided in the above links. As a result, my introduction to the complex world of iclass technology hacking had to begin from scratch. My primary goals were as follows: Extract the Authentication and Encryption keys from an iclass reader using only the PIC PicKit2 debugger tool and any other custom tools that I could create on my own. Hacking RFID for Fun www.proxclone.com Page 1

Demonstrate the ability to clone any "Standard Security" Or "High Security" iclass card using an off-the-shelf HID RW300 iclass Reader/Writer. Demonstrate the ability to modify a "Standard Security" Or "High Security" iclass card to output any facility code and card number that I chose. To date, I have accomplished all of these goals. The rest of this write-up summarizes how the above goals were accomplished. Extracting the PIC18F452 Code & Keys The first thing I had to do was procure a minimum of three iclass readers since the firmware and key extraction procedure involved erasing different sections of code in each step. It appears that HID dumped a ton of older Generation 1 readers to a surplus dealer near their headquarters in Irvine, CA. The surplus dealer (OCDepot- located in Orange County CA) lists the readers on EBay for a fraction of the original price. I decided to buy a lot of 10 RW300 units. As far as I can tell the RW300 and RW400 readers use the same firmware so either one would work but the RW300 was cheaper. The readers use a PIC18F452 microcontroller so I set out to read the PIC datasheet from cover to cover before beginning my work. Datasheet link: http://ww1.microchip.com/downloads/en/devicedoc/39564c.pdf. As stated in the Heart of Darkness paper referenced above, the author was able to exploit a weakness in the PIC 18F452 microcontroller to bypass the code protection feature. In order to do so, select sectors of the microcontroller had to be erased so that new code could be loaded into the PIC. The new code would then use the integral UART serial port to dump the code from the remaining sectors (and EEPROM). The difficulty was that the PICKit 2 debugger device only allowed a full chip erase before any new code could be loaded. The ability to erase individual sectors (and code protection bits) however was needed. Again, since I do not have the ability to use the C code provided by the Heart of Darkness author, I decided to program an 8-bit microcontroller to talk across the in-circuit debug interface of the PIC. Using the PIC 18FXX2/XX8 Programming specification as a guide, I was able to program (in assembly) the individual sector erase and code load routines into my Parallax SX28 microcontroller that I needed to dump the iclass firmware and EEPROM memory image that contained the keys. By re-joining all of the individual serial data dumps that I collected, I now had a complete image of the HID firmware including the EEPROM. After redefining some of the PIC s configuration bits my initial thought was that I could now use the PIC debugger to analyze the execution of the code. WRONG!!! The HID application is heavily interrupt driven and relies on the use of the built-in timers to do most everything. Debuggers in general are inherently bad for debugging this type of code. The HID application would barely get out of the initialization sequence before getting hung. My only other options were to patch in my own debugging code or to utilize the RW300 s built-in RS-232 port to do my debugging and code analysis. I chose a combination of both as you will see in the following sections. Hacking RFID for Fun www.proxclone.com Page 2

Disassembling the Code While having a binary image of the firmware code allows me to reload the reader to its original state, it alone was not sufficient to allow a complete understanding of the inner workings of the HID application. To support my analysis goals, I needed to break the code down into a more human friendly assembly code using a PIC18F disassembler. A sample of the raw binary hex capture along with a sample of disassembled code is shown in the two figures below. sub49 00088E 0x0E35 MOVLW 0x35 ; Initialize I/O ports 000890 0x6E92 MOVWF TRISA, A ; 000892 0x6A80 CLRF PORTA, A ; 000894 0x0EF0 MOVLW 0xF0 ; 000896 0x6E93 MOVWF TRISB, A ; 000898 0x6E81 MOVWF PORTB, A ; 00089A 0x0EB1 MOVLW 0xB1 ; 00089C 0x6E94 MOVWF TRISC, A ; 00089E 0x0ECD MOVLW 0xCD ; 0008A0 0x6E82 MOVWF PORTC, A ; 0008A2 0x0E80 MOVLW 0x80 ; 0008A4 0x6E95 MOVWF TRISD, A ; 0008A6 0x0E10 MOVLW 0x10 ; 0008A8 0x6E83 MOVWF PORTD, A ; 0008AA 0x6A96 CLRF TRISE, A ; 0008AC 0x6A84 CLRF PORTE, A ; 0008AE 0x6AC2 CLRF ADCON0, A ; 0008B0 0x0E07 MOVLW 0x7 ; 0008B2 0x6EC1 MOVWF ADCON1, A ; 0008B4 0x0012 RETURN ; Hacking RFID for Fun www.proxclone.com Page 3

Having a disassembled version of the code now allowed me to begin analyzing the operation of the reader and to add my own comments for future reference. My first area of focus was on the RS-232 serial interface since I planned on using that interface to control the readers communication with my iclass cards as well as performing some rudimentary debugger activities. Talking to the Reader The RWXXX family of iclass readers include an RS-232 serial interface to allow low level control of the card read and write operations. A brief summary of the instructions supported by this interface is shown below. A complete description of the serial protocol can be found in the iclass Serial Protocol Interface document published by HID. Unfortunately, it appears that all copies of this document were mysteriously removed from the internet immediately following the release of the Heart of Darkness paper. Instruction Description 0x52 Select Current Key / Diversify Key 0xA4 Select Card 0xA6 Page Select (16kbit card only) 0xC2 Transmit (read/write) 0x70 LED / Sounder Control 0x71 Open Collector Output 0xD8 Load Key 0x84 Ask Random 0xC0 Retrieve Data 0xF2 Read EEPROM 0xF4 Write EEPROM / Reset RF Field 0x54 Encrypt/Decrypt (Gen 2.0 only) 0xC2 ISO Pass-Through iclass Serial Command Summary My initial efforts to understand this interface focused on correlating each of the above instructions to a specific portion of assembly code that performed the function. This activity proved to be very beneficial as I discovered a couple of very interesting things. 1. According to the documentation, the Read EEPROM function allows the user to gain access to a limited portion of EEPROM where the Product ID, Version and baud rate settings can be read. The memory locations that hold the keys and other important configuration information cannot be read. However, by inserting a few NOP instructions in this routine where the address value checking was being done I was able to bypass the restrictions and gain access to the entire EEPROM memory through the serial interface. 2. The second important discovery that I made was that the same Read EEPROM routine also supported the reading of a few select RAM Register File locations. Accessing this feature required using a undocumented parameter value in the command sequence. After inserting a few additional NOPs in this code I now had the ability to do a complete register dump at will. I could definitely see my own custom debugger starting to materialize (Whoopee!!!) Hacking RFID for Fun www.proxclone.com Page 4

3. One other discovery involved finding two additional undocumented instructions. I haven t had time to analyze these routines yet but they are definitely on my future to do list since I believe that they have something to do with the keys. With my initial serial command analysis complete, it was time to create a special tool that would allow me to play with the interface and the various commands. My limited programming ability forces me to use one of the two forms of BASIC that I am familiar with and have previously used. (Visual Basic or Liberty Basic). A screenshot of my Serial Command Tool is shown below. The tool allows me to do the following using only a PC connected to the RW300 s RS-232 serial interface: 1. Read a cards User ID (UID) 2. Load New Keys anywhere into the eight user-key locations. 3. Authenticate with iclass credential **. 4. Calculate a diversified key for a specific UID 5. Read and Write the cards data blocks in the HID application area 6. Dump entire Register File and EEPROM at any time. 7. Manipulate the LED and Beeper tunes. ** Authentication requires that the HID Master key (extracted from EEPROM earlier) first be loaded into one of the 8 user key locations. After a few weeks of playing with the serial interface I felt that I had a pretty good understanding of how the interface worked and what kinds of things could be done It was now time to throw a little hardware together and write another application which would take advantage of all that I had learned. Read on Hacking RFID for Fun www.proxclone.com Page 5

Serial Command Tool Screenshot showing Read Block results & File Register Dump (Note: sensitive key information is obscured) Building an iclass Cloner I originally planned to build a completely standalone cloning device but later decided to demonstrate the ability to clone or modify an iclass credential using a PC connected to the RW300 Reader. The use of a PC simplified the software development process and allowed me to include some TDES encryption and decryption in my application. There is nothing that precludes developing a functionally equivalent standalone unit in the future using an 8-bit microcontroller (communicating via RS-232) and a Generation 2 reader (which would perform the necessary encryption/decryption so it would not have to be performed within the microcontroller). [Note: A free DES encryption/decryption routine (written entirely in Liberty Basic) is available from the following website: http://lbpe.wikispaces.com/cryptographywithlb102. It dropped right into my code and worked like a charm. Thank you Verisoft!] Hacking RFID for Fun www.proxclone.com Page 6

A block diagram of my cloner is shown in the figure below. The design also includes (as an option) a separate microcontroller that interfaces with an LCD and the Readers Wiegand interface. This feature allows the unit to display the format, facility code and card number that is output by the reader when a card is presented. This capability operates totally independent of the PC and will allow the unit to function as a standalone card reader if a PC is not connected. 26- bi t 0020205DF 00001 0000751 8-bit uc PC Wiegand Data 0 Wiegand Data 1 RW300 iclass Reader/Writer RS-232 Tx RS-232 Rx USB to Serial iclass Cloner System Block Diagram RW300 Reader and LCD mounted on an acrylic stand. Hacking RFID for Fun www.proxclone.com Page 7

The software application that I wrote (using Liberty Basic) is used to control the reader via the RS-232 interface. The application is used to perform the following tasks: 1. Authenticate with an iclass card. 2. Display the UID and Diversified Key for the card being read. 3. Read the HID access application memory blocks. 4. Decrypt, decode and display the card format, facility code and card number. 5. Provide the user the option to modify the card format, facility code and/or card number. 6. Encrypt the newly modified card data. 7. Write captured data back to a new card if card duplication is desired 8. Write modified data to a card if a change to card parameters is desired. Note: The last capability is useful if you know your boss s card number (printed on the back of his card) and you want to modify your card to give you access to the executive bathroom. (Just joking folks!!) A screenshot of the iclass Cloner application is shown below. iclass Card Reader/Writer Application Screenshot What about High Security Mode? Up to this point my debugging and cloning activities have always involved the use of cards that operate in standard security mode and use the same HID Master Authentication Key. What about the cards (and readers) that have been updated (via configuration cards) to use what HID refers to as High Security or Custom key mode? Hacking RFID for Fun www.proxclone.com Page 8

According to HID s iclass Application Note #28: HID Custom Keys add an additional layer of security to the basic iclass key diversification and encryption scheme. A site-specific Custom Key is assigned by HID to each customer, replacing the Standard Key. For the HID Application Area, HID s key management system uses a proprietary algorithm to generate a 256 key matrix from the Custom Master key. The CSN is used to extract bytes from 8 different locations in the key matrix to create 64-bit keys. I have found their description to be accurate with one exception. The High Security key table that is generated is actually 128 bytes, NOT 256 bytes. This is evidenced by the fact that the algorithm that generates the table index from a UID actually clears the most significant bit of the index value. Also, the table itself only occupies 128 bytes of File Register space as can be seen when dumping the file register memory. This appears to be a feeble attempt to deceive iclass High Security card users into feeling more secure. The figure below attempts to show how the Standard and High Security modes differ. It is important to note that the High Security key that the reader needs to communicate with a credential cannot be stored in EEPROM since it is different for each card. It is always generated on the fly. When cloning a card, this is the key that must be loaded into the user key space of a reader to allow it to authenticate with a High Security credential. The original High Security key that is loaded onto a configuration card and later stored in the reader EEPROM is ONLY used to create the 128 byte key table. 64-bit Keys stored in Reader EEPROM Authentication Key Difference (Standard vs. High Security ) HID Master Key High Security Key Std Security Mode High Security Mode Key Table Generation Algorithm 128 Byte Key Table DES Encryption Fortification Algorithm iclass Credential Diversified Key Stored in Tag iclass Credential UID Table Pointer Algorithm Index based on UID Unique Key Generated for each UID Hacking RFID for Fun www.proxclone.com Page 9

High Security Key Generation Example: In the example shown below, I took the High Security Key value that was loaded on the configuration card depicted in the Heart of Darkness paper along with the UID of that same card and ran it through the various HID algorithms to generate the key table and appropriate table indexes to obtain the key that would be necessary to talk to the card using my RW300 setup. If I were using the OmniKey reader then the key would be required to be reverse permuted before it could be used. [Note: Even though the key table is correct, since the configuration card used in the example below is a standard security card, the example calculation would not apply!] Config Card UID: 4D13D100F7FF12E0 High Security Key: 10AC40BF3FB59F6E Key Table Indexes: 75 19 57 2E 59 25 7B 0C Reader Key (to Auth): 5B4AEB670C500C61 (highlighted below) 0 1 2 3 4 5 6 7 8 9 A B C D E F 00 10 20 30 40 50 60 70 7C E0 60 E8 46 CC CD B8 9D B6 EA E7 61 29 17 70 F6 C4 F7 66 1C 76 37 E4 9E 4A DF 56 A3 07 54 61 2A 12 63 38 09 50 B4 CB 7E 91 38 44 68 57 67 26 AA B0 91 38 F4 1D 21 34 1E 0E 86 3F 67 83 20 47 B8 34 59 92 EF 99 6D CD 33 CF E5 7B 43 F7 53 6B 05 33 9C CD C8 1F F4 EB 32 0C EC 99 2F CD 27 8E B9 57 41 3C 28 F3 B9 22 71 D9 E1 41 CC 1A 49 83 8A 26 92 1A 3F 5B EC D9 A6 2A 55 0C 79 99 53 00 128-Byte High Security Key Table (shown with highlighted indexes for UID above) I have generated several High Security keys and modified a configuration card to load these new keys into my RW300 reader and several iclass cards. Using the key tables that I recovered from the reader and the HID key pointer algorithm, I was successful each time at recovering a key that then allowed me to read (and modify) the data that was contained in each of the credentials that I had updated with the High Security key. Summary As stated in the front section of this write-up, I have accomplished all of my original goals. I have proven that with a little perseverance and some limited programming skills, that the ability to clone an iclass credential is within the reach of the average RFID hacker. My intent is not to divulge all of the detailed knowledge that I have gained but rather to share enough information to make people aware that this technology is not as secure as is sometimes claimed. As a result, I have no intent to release any of my source code for the applications shown herein. My analysis of this technology is not yet complete. I have recently begun looking into the biometric side of iclass access control and intend to investigate the vulnerabilities associated with the use of fingerprint templates in high security applications. Happy Hacking!! Hacking RFID for Fun www.proxclone.com Page 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information