Implemented an iclass sim function that prevents simulated card responses after updating block 3.
Block 3 gets updated with the XOR key as if it was in personalization mode.
Updated the functionality of iclass sim -t 6 to specifically target the last SIO block and to do it automatically.
It now checks the AIA to determine if the card is SR or SE and adjusts the block to jam based on the SIO length declared in block 6 (if SE) or a fixed length if SR.
Added an option for hf iclass legrec to further increase speeds by using a shorter delay of 1500 vs the default of 3390.
This seems to be stable on new silicon, especially now that we're keeping the field always on.
It may be more risky for the --fast operation.
1- Added a --fast option for hf iclass legrec that further increases the speed from 4.6 key updates/second to 7.4 key updates/second. This is achieved by skipping some safety checks and is a very fast but more risky operation.
2- Automated AA2 block selection based on the values in the config block
3- Other minor code cleanups
Improved the speed of hf iclass legrec from 7200 keys/hr to 17800 keys/hr by removing the need to drop the field and re-select and re-authenticate with the card at every loop.
Re-select and re-authenticate will still happen if there's a read error and a loop needs to be repeated.
Updated hf iclass legrec:
1- Fixed communication timing inconsistencies by moving away from iclass_writeblock_ext to iclass_writeblock_sp which supports start_time and end_time
2- Reduced number of debug messages being printed
Overall this slightly reduces the speed of the process, but it should make it more stable as the timings are now all correctly accounted for.
Improved readability of erase phase during iclass tear (client and arm side).
It is redundant to see a list of FF during the erase phase (which can be pretty lengthy), so it will only show it once when all bits are FF and then resume printing the moment bits start changing again after the erase phase.
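The suppression logic described above, as an added, stand-alone example (not the Proxmark3 project's own code): a filter that keeps every read whose contents are not all FF, keeps only the first read of a run of all-FF reads, and resumes printing as soon as the block contents change. The tear-off delay field and the eight-read sample trace are constructed here to exercise the filter; `PICOPASS_BLOCK_SIZE` is assumed to be 8 bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PICOPASS_BLOCK_SIZE 8  /* assumed picopass/iCLASS block size in bytes */

/* One read of the target block during a tear-off loop (illustrative layout). */
typedef struct {
    uint32_t tear_us;                  /* tear-off delay used for this attempt */
    uint8_t data[PICOPASS_BLOCK_SIZE]; /* block contents read back after the tear */
} tear_read_t;

/* True when every byte of the block reads as 0xFF (erased state). */
static bool block_is_all_ff(const uint8_t *b) {
    for (size_t i = 0; i < PICOPASS_BLOCK_SIZE; i++) {
        if (b[i] != 0xFF) return false;
    }
    return true;
}

/* Decide which reads to print. Keeps every non-FF read, keeps the first
   all-FF read of a run and suppresses the rest of that run. Indices of kept
   reads go into keep[] (capacity n); returns how many were kept and, if
   suppressed is non-NULL, stores the number of dropped reads there. */
static size_t select_tear_lines(const tear_read_t *reads, size_t n,
                                size_t *keep, size_t *suppressed) {
    size_t kept = 0, dropped = 0;
    bool in_ff_run = false;
    for (size_t i = 0; i < n; i++) {
        bool ff = block_is_all_ff(reads[i].data);
        if (ff && in_ff_run) {  /* still inside the erase phase: stay quiet */
            dropped++;
            continue;
        }
        in_ff_run = ff;         /* a non-FF read ends the run and re-arms printing */
        keep[kept++] = i;
    }
    if (suppressed) *suppressed = dropped;
    return kept;
}

/* Constructed sample trace: write in progress, a long erase phase, bits
   starting to change, a second short erase window, then the final value. */
static const tear_read_t SAMPLE[] = {
    { 100, {0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0} },
    { 110, {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} },
    { 120, {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} },
    { 130, {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} },
    { 140, {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F} },
    { 150, {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} },
    { 160, {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} },
    { 170, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01} },
};
#define SAMPLE_N (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Helpers that run the filter over the sample so results can be checked. */
size_t demo_kept(void) {
    size_t keep[SAMPLE_N];
    return select_tear_lines(SAMPLE, SAMPLE_N, keep, NULL);
}

size_t demo_suppressed(void) {
    size_t keep[SAMPLE_N], sup = 0;
    (void)select_tear_lines(SAMPLE, SAMPLE_N, keep, &sup);
    return sup;
}

int main(void) {
    size_t keep[SAMPLE_N], sup = 0;
    size_t kept = select_tear_lines(SAMPLE, SAMPLE_N, keep, &sup);
    for (size_t k = 0; k < kept; k++) {
        const tear_read_t *r = &SAMPLE[keep[k]];
        printf("tear %4u us:", r->tear_us);
        for (size_t i = 0; i < PICOPASS_BLOCK_SIZE; i++) printf(" %02X", r->data[i]);
        printf("%s\n", block_is_all_ff(r->data) ? "  (erase phase, repeats hidden)" : "");
    }
    printf("%zu lines shown, %zu all-FF reads suppressed\n", kept, sup);
    return 0;
}
```

On the sample trace above the filter prints five lines and hides three: reads 2, 3 and 6 are dropped because they repeat an all-FF state already shown, while the first FF read of each run and every read with changing bits is kept.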
1- Renamed legreclookup to legbrute to be in line with the command name
2- Updated estimate values with speed increase gains
3- Improved the readability of some if statements in iclass.c and added start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; to increase speed by ~8% (1.86 loops per second to 2.01 loops per second = ~560 more loops per hour).
Tried disabling some arm communications/comments but the speed increase was negligible (~1 sec / 1000 updates).
Improved the algorithm for hf iclass legrec by taking into account the hash0 limitations on the ending-bit distributions of each key byte, thus reducing the key entropy and the number of required tries from 2^24 to almost 2^19.
1- Inlined functions related to hf iclass legrec within util.c for marginal performance gains.
2- Fixed bug preventing errors from being displayed properly and the process from interrupting on an error or on completion.
3- Fixed code indentation of the while loop in iclass.c
4- Fixed bug in the while cycle (was missing index++)
5- Improved ways to display hex results by using dbhexdump
Added missing definition of picopass block size in util.c
Changed some variables to full lowercase
Added comment explanation on correlation between macs and decimal values
Made multiple changes as per iceman's comments.
Removed a redundant/unused function I forgot in cmdhficlass.c.
Moved conversion functions into util.c for now but haven't yet checked if it's possible to reuse the functions already there. Will do that in a moment.
Based on the work described in the Dismantling iClass whitepaper.
hf iclass legbrute is tested working
hf iclass legrec is partially working: logic of operations and sequence seems to be in order and was tested on simulated data to be effective. The privilege escalation part is still not successful, but the logic should be correct.