adapted the notes on downgrade attacks to follow the repo style

CHANGELOG.md

@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+ - Change `notes on downgrade attacks` - reworked the original text follow repo style (@iceman1001)
  - Added `hf mf info` command and static encrypted nonce detection (@merlokk)
  - Added Saflok KDF - generate MFC keys (@h1kari)
  - Changed `lf fdx demod` - now raw bytes shows all data (@iceman1001)

README.md

@@ -13,20 +13,22 @@ The Proxmark3 is the swiss-army tool of RFID, allowing for interactions with the
 | [![MacOS Build and Test](https://github.com/RfidResearchGroup/proxmark3/actions/workflows/macos.yml/badge.svg?branch=master)](https://github.com/RfidResearchGroup/proxmark3/actions/workflows/macos.yml) | [![Ubuntu Build and Test](https://github.com/RfidResearchGroup/proxmark3/actions/workflows/ubuntu.yml/badge.svg?branch=master)](https://github.com/RfidResearchGroup/proxmark3/actions/workflows/ubuntu.yml) | [![Windows Build and Test](https://github.com/RfidResearchGroup/proxmark3/actions/workflows/windows.yml/badge.svg?branch=master)](https://github.com/RfidResearchGroup/proxmark3/actions/workflows/windows.yml) |
 
 # Table of Contents
- 1. [PROXMARK3 INSTALLATION AND OVERVIEW](#proxmark3-installation-and-overview)
- 2. [Notes / helpful documents](#notes--helpful-documents)
- 3. [How to build?](#how-to-build)
-     1. [Proxmark3 RDV4](#proxmark3-rdv4)
-     2. [Generic Proxmark3 platforms](#generic-proxmark3-platforms)
- 4. [What has changed?](#what-has-changed)
- 5. [Development](#development)
- 6. [Supported operative systems](#supported-operative-systems)
- 7. [Precompiled binaries](#precompiled-binaries)
- 8. [Proxmark3 GUI](#proxmark3-gui)
- 9. [Official channels](#official-channels)
-10. [Maintainers](#maintainers)
-11. [Citation](#citation)
-12. [Copyright and licensing terms](#copyright-and-licensing-terms)
+- [Iceman Fork - Proxmark3](#iceman-fork---proxmark3)
+- [Table of Contents](#table-of-contents)
+- [PROXMARK3 INSTALLATION AND OVERVIEW](#proxmark3-installation-and-overview)
+  - [Notes / helpful documents](#notes--helpful-documents)
+- [How to build?](#how-to-build)
+  - [Proxmark3 RDV4](#proxmark3-rdv4)
+  - [Generic Proxmark3 platforms](#generic-proxmark3-platforms)
+- [What has changed?](#what-has-changed)
+- [Development](#development)
+  - [Supported operative systems](#supported-operative-systems)
+  - [Precompiled binaries](#precompiled-binaries)
+  - [Proxmark3 GUI](#proxmark3-gui)
+  - [Official channels](#official-channels)
+  - [Maintainers](#maintainers)
+  - [Citation](#citation)
+  - [Copyright and licensing terms](#copyright-and-licensing-terms)
 
 # PROXMARK3 INSTALLATION AND OVERVIEW
 
@@ -58,7 +60,7 @@ The Proxmark3 is the swiss-army tool of RFID, allowing for interactions with the
 |[Developing standalone mode](/armsrc/Standalone/readme.md)|[Wiki about standalone mode](https://github.com/RfidResearchGroup/proxmark3/wiki/Standalone-mode)|[Notes on Magic UID cards](/doc/magic_cards_notes.md)|
 |[Notes on Color usage](/doc/colors_notes.md)|[Makefile vs CMake](/doc/md/Development/Makefile-vs-CMake.md)|[Notes on Cloner guns](/doc/cloner_notes.md)|
 |[Notes on cliparser usage](/doc/cliparser.md)|[Notes on clocks](/doc/clocks.md)|[Notes on MIFARE DESFire](/doc/desfire.md)|
-|[Notes on CIPURSE](/doc/cipurse.md)|[Notes on NDEF type4a](/doc/ndef_type4a.md)|[Notes on HID downgrades / RM](https://gist.github.com/kitsunehunter/c75294bdbd0533eca298d122c39fb1bd)|
+|[Notes on CIPURSE](/doc/cipurse.md)|[Notes on NDEF type4a](/doc/ndef_type4a.md)|[Notes on downgrade attacks](/doc/md/hid_downgrade.md)|
 
 # How to build?
 

doc/hid_downgrade.md

@@ -0,0 +1,258 @@
+# Notes on iCLASS SE / SEOS downgrade attacks
+<a id="top"></a>
+
+This is a reworked text. You find the [original text here](https://gist.github.com/kitsunehunter/c75294bdbd0533eca298d122c39fb1bd)
+
+This document targets both Proxmark3 and Flipper Zero devices. 
+
+# Table of Contents
+- [Notes on iCLASS SE / SEOS downgrade attacks](#notes-on-iclass-se--seos-downgrade-attacks)
+- [Table of Contents](#table-of-contents)
+- [Terminology](#terminology)
+- [Useful links](#useful-links)
+- [Downgrade concept](#downgrade-concept)
+- [Success rate](#success-rate)
+- [Getting started](#getting-started)
+  - [Verfiy reader has iCLASS legacy enabled](#verfiy-reader-has-iclass-legacy-enabled)
+  - [Inspect reader with HID reader manager](#inspect-reader-with-hid-reader-manager)
+  - [Verify reader has ProxII enabled](#verify-reader-has-proxii-enabled)
+  - [Test files](#test-files)
+- [Simulate a standard keyed iCLASS legacy credential](#simulate-a-standard-keyed-iclass-legacy-credential)
+- [Write a downgraded iCLASS legacy credential](#write-a-downgraded-iclass-legacy-credential)
+  - [Using Omnikey Reader 5427CK Gen2 and Proxmark3](#using-omnikey-reader-5427ck-gen2-and-proxmark3)
+  - [Using Flipper Zero with NARD](#using-flipper-zero-with-nard)
+  - [Using Weaponized HID Reader](#using-weaponized-hid-reader)
+- [Write ProxII credential to a T5577](#write-proxii-credential-to-a-t5577)
+  - [Using Proxmark3](#using-proxmark3)
+  - [Using Flipper Zero](#using-flipper-zero)
+
+
+# Terminology
+^[Top](#top)
+
+* Credential - an access token that acts as carrier of a SIO
+
+* SIO - Secure Identity Object
+
+* PACS - Physical Access Control System
+
+* PACS Payload - The binary encoded credential data.
+
+* Downgrade attack - Read the PACS payload off a SIO and encode it as a lesser secure legacy format
+
+* Omnikey - Official HID desktop reader to read PACS payload off iCLASS SE and SEOS cards
+
+* Weaponized reader - "DIY" omnikey reader to perform the same job as the omnikey using a actual HID reader you might find on a wall
+
+* NARD / SAM - SIM add-on for Flipper, used with HID SAM to read iCLASS SE and SEOS
+
+* SAM - HID Secure Access Module responsible for encoding and decoding PACS payload inside a SIO among others
+
+* T5577 - a low frequency multi purpose card. Used as clone card.
+
+# Useful links
+^[Top](#top)
+
+[HID iCLASS Credentials tech primer](https://forum.dangerousthings.com/t/types-of-hid-iclass-cards/12243)
+[What does all data on my card mean?!](https://www.hidglobal.com/doclib/files/resource_files/an0109_a.2_credential_id_markings_application_note.pdf)
+
+
+# Downgrade concept
+^[Top](#top)
+There is not much you can do with just a card and a Proxmark3 or Flipper Zero.  There is no card-only attack vectors.  There are however reader/card vectors but that is outside the scope of this note.
+
+Your iCLASS SR/iCLASS SE/SEOS credential has a SIO (Secure Identity Object) that stores your access control information also known as the PACS payload. We will need to extract the SIO with one of the methods outlined below and write that data onto a Picopass or a T5577.
+
+In short:
+We are downgrading from a secure credential to a lesser secure legacy format
+
+# Success rate
+^[Top](#top)
+
+Unfortantely not all readers will have iCLASS legacy enabled and your **downgrade** will not work. The good thing is that **most** readers are left in their default configuration with iCLASS legacy enabled which allows us to easily take your secure credential and make a logical copy onto a less secure format. We can easily test if the reader is standard keyed and will accept a credential downgrade attack with the steps below.
+
+# Getting started
+^[Top](#top)
+
+For the next steps, you will need a `Proxmark3` or `Flipper Zero` device.
+
+## Verfiy reader has iCLASS legacy enabled
+^[Top](#top)
+
+Present a standard keyed iCLASS legacy credential at the reader and see if it beeps.
+If the reader beeps, proceed to [Write a downgraded iCLASS legacy credential](#write-a-downgraded-iclass-legacy-credential)
+
+Instructions:
+To check if your legacy credential is standard keyed.
+
+PM3 
+`hf iclass dump --ki 0` if it dumps == standard key
+
+F0 
+`Picopass app > Read card` check if key == standard 
+
+
+## Inspect reader with HID reader manager
+^[Top](#top)
+
+Install [HID reader manager](https://play.google.com/store/apps/details?id=com.hidglobal.pacs.readermanager&hl=en&gl=US) and register before proceeding
+
+A Android phone with NFC is recommended for this next step as iPhone can only inspect readers that are bluetooth enabled natively or have a BLE backpack installed as a add-on. 
+
+This method of inspection will not work if the reader has a MOB key or ELITE key. 
+
+Reader inspection is only possible on official HID readers, not third party readers using HID credentials. 
+
+Click use NFC and hold the phone to the reader and follow the prompts. Click on apply template.
+
+<img width="299" alt="Reader Manager Home Screen" src="./img/readermanager_1.png">
+
+Click on the plus button
+
+<img width="298" alt="Templates" src="./img/readermanager_2.png">
+
+Click on credentials
+
+<img width="299" alt="creds" src="./img/readermanager_3.png">
+
+Make sure the switch for iCLASS is switched on (blue)
+
+<img width="297" alt="Screenshot 2023-11-14 221005" src="./img/readermanager_4.png">
+
+If you have successfully confirmed that iCLASS legacy is switched on then proceed to the next step 
+
+## Verify reader has ProxII enabled
+^[Top](#top)
+
+You can verify that the low frequency ProxII is enabled by using one of the following methods:
+
+ * Hold a [RF field detector](https://sneaktechnology.com/product/rf-detector-by-proxgrind-2/) at the reader and see if the RED LED flashes
+ * Use the Flipper RFID detector app `apps > tools > RFID detector` and make sure RFID symbol is active
+ * Use [reader manager](#inspect-reader-with-hid-reader-manager) and inspect the reader and check if 125khz prox is enabled at the bottom of the credentials page
+
+
+## Test files
+^[Top](#top)
+
+Below are two dump files provided for easy testing.
+
+PM3 - Download [hf-iclass-dump.json](../traces/iclass/hf-iclass-dump.json)
+F0  - Download [iclass-flipper.picopass](../traces/iclass/iclass-flipper.picopass)
+
+
+How to restore the dump files on each device.
+
+PM3
+- run the follwing command to restore hf-iclass-dump.json to a picopass card
+ `hf iclass restore -f hf-iclass-dump.json --ki 0`
+
+F0 
+- Drop the iclass-flipper.picopass file here and write to card on Flipper
+ `qflipper > SD card > apps data > picopass` 
+
+
+# Simulate a standard keyed iCLASS legacy credential
+^[Top](#top)
+
+For [Test files](#test-files) if needed.
+
+Instructions:
+Once you loaded the file and started the simulation. Hold the device to the reader. If it beeps, proceed to [Write a downgraded iCLASS legacy credential](#write-a-downgraded-iclass-legacy-credential)
+
+PM3 
+```
+hf iclass eload -f hf-iclass-dump.json
+hf iclass sim -t 3
+```
+
+F0 
+`qflipper > SD card > apps data > picopass` 
+drop iclass-flipper.picopass file here and simulate on Flipper
+
+
+# Write a downgraded iCLASS legacy credential
+^[Top](#top)
+
+## Using Omnikey Reader 5427CK Gen2 and Proxmark3
+^[Top](#top)
+
+1. Download latest version of Omnikey workbench [here](https://www3.hidglobal.com/drivers/14994)
+2. Plug in Omnikey reader
+3. Start Omnikey workbench
+4. Switch reader mode to CCID mode
+5. Go to card diagnostic tab and place card on reader
+6. Copy the raw PACS binary
+7. Launch PM3 client, place iCLASS/Picopass card on HF antenna, and use following command to write your credential
+    `hf iclass encode --bin <COPIED BINARY> --ki 0` 
+
+## Using Flipper Zero with NARD
+^[Top](#top)
+
+Prequisite, you must already have a [NARD add-on board](https://github.com/killergeek/nard) and a HID SAM
+
+If not, you can buy a [kit](https://www.redteamtools.com/nard-sam-expansion-board-for-flipper-zero-with-hid-seos-iclass-sam/) from RTA webshop.
+
+Follow these steps:
+
+1. Launch Seader application
+
+ if `credential == iClass` use read picopass
+ 
+ if `credential == SEOS` use read 14443A
+ 
+2. Place flipper on credential and read
+3. Save as picopass
+4. Go to picopass app and write your credential to a card
+
+## Using Weaponized HID Reader
+^[Top](#top)
+
+OBS!
+This method involves more technical steps, wiring, and is recommended for advanced users. If this is your first time with RFID technology and downgrade attacks, we suggest any of the two options above.
+
+Prequisite, you will need the following bill of materials (BOM):
+* A standard keyed iCLASS SE reader
+* A ESPKEY [Github project](https://github.com/rfidtool/ESP-RFID-Tool)
+* Some 20-24 AWG wire or ethernet cable
+* Your preferred power source (5-9v)
+
+The easiest way is to buy a [ESPKEY](https://www.aliexpress.com/item/32850151497.html)
+
+Follow these steps:
+
+1. Connect the `Data 0, Data 1, Ground, Power` to the respective terminals on the ESPKEY
+2. Provide 5-9V power to the reader and ESPKEY at the same time using your preferred power source
+
+IT IS ABSOLUTELY NECESSARY THAT THE READER AND ESPKEY SHARE THE SAME GROUND EVEN IF YOU ARE POWERING ESPKEY AND READER SEPERATELY
+
+3. Connect to the wifi network the ESPKEY and navigate to `192.168.1.1` for the interface
+4. Scan your credential on the reader
+5. Open `log.txt` and copy the binary string WITHOUT the preamble
+6. Use the above instructions and encode the binary wiegand data to a iCLASS card using PM3
+
+
+
+# Write ProxII credential to a T5577
+^[Top](#top)
+OBS!  Downgrading to a T5577 will only work if reader has low frequency (125 kHz) / Prox II enabled.
+
+## Using Proxmark3
+^[Top](#top)
+
+1. Copy the raw PACS binary from your [Omnikey](#using-omnikey-reader-5427ck-gen2-and-proxmark3) output
+2. PM3 ``wiegand decode --bin <raw PACS binary>``
+
+Below is example syntax, you will use your specific card information gathered in the previous step.
+
+3. `lf hid clone -w c1k48s --fc 69 --cn 69420`
+4. `lf hid reader` to verify output
+
+## Using Flipper Zero
+^[Top](#top)
+
+1. After reading your credential with [NARD / Seader](#using-flipper-zero-with-nard)
+2. select the ``save RFID`` option 
+3. Use the 125kHz RFID app and write the data to a T5577
+
+
+Author [@kitsunehunter](https://gist.github.com/kitsunehunter) 2023

traces/iclass/hf-iclass-dump.json

@@ -0,0 +1,33 @@
+{
+  "Created": "proxmark3",
+  "FileType": "iclass",
+  "Card": {
+    "CSN": "6DC25B15FEFF12E0",
+    "Configuration": "12FFFFFF7F1FFF3C",
+    "Epurse": "FFFFFFFF05FEFFFF",
+    "Kd": "B2453554FC7F4148",
+    "Kc": "FFFFFFFFFFFFFFFF",
+    "AIA": "FFFFFFFFFFFFFFFF"
+  },
+  "blocks": {
+    "0": "6DC25B15FEFF12E0",
+    "1": "12FFFFFF7F1FFF3C",
+    "2": "FFFFFFFF05FEFFFF",
+    "3": "B2453554FC7F4148",
+    "4": "FFFFFFFFFFFFFFFF",
+    "5": "FFFFFFFFFFFFFFFF",
+    "6": "030303030003E017",
+    "7": "783602A2283010E8",
+    "8": "2AD4C8211F996871",
+    "9": "2AD4C8211F996871",
+    "10": "FFFFFFFFFFFFFFFF",
+    "11": "FFFFFFFFFFFFFFFF",
+    "12": "FFFFFFFFFFFFFFFF",
+    "13": "FFFFFFFFFFFFFFFF",
+    "14": "FFFFFFFFFFFFFFFF",
+    "15": "FFFFFFFFFFFFFFFF",
+    "16": "FFFFFFFFFFFFFFFF",
+    "17": "FFFFFFFFFFFFFFFF",
+    "18": "FFFFFFFFFFFFFFFF"
+  }
+}

traces/iclass/iclass-flipper.picopass

@@ -0,0 +1,22 @@
+Filetype: Flipper Picopass device
+Version: 1
+Credential: 00 00 C0 00 45 02 1E 58
+# Picopass blocks
+Block 0: 6D C2 5B 15 FE FF 12 E0
+Block 1: 12 FF FF FF 7F 1F FF 3C
+Block 2: FF FF FF FF 05 FE FF FF
+Block 3: B2 45 35 54 FC 7F 41 48
+Block 4: FF FF FF FF FF FF FF FF
+Block 5: FF FF FF FF FF FF FF FF
+Block 6: 03 03 03 03 00 03 E0 17
+Block 7: 78 36 02 A2 28 30 10 E8
+Block 8: 2A D4 C8 21 1F 99 68 71
+Block 9: 2A D4 C8 21 1F 99 68 71
+Block 10: FF FF FF FF FF FF FF FF
+Block 11: FF FF FF FF FF FF FF FF
+Block 12: FF FF FF FF FF FF FF FF
+Block 13: FF FF FF FF FF FF FF FF
+Block 14: FF FF FF FF FF FF FF FF
+Block 15: FF FF FF FF FF FF FF FF
+Block 16: FF FF FF FF FF FF FF FF
+Block 17: FF FF FF FF FF FF FF FF