NARD SAM Expansion Board for Flipper Zero with HID Seos / iCLASS SAM

Designed by killergeek and bettse, this expansion board allows your Flipper Zero to interface with and communicate with up to two SIMs or SAMs! Why would this be useful?

A secure element provides a method for hardware to securely store and use sensitive cryptographic key material while reducing risk of comprompise, and using them is a best-practice for any good hardware design. It can also allow a vendor to allow third-parties to manfacture compatible products using the provided API's for interacting with the SAM. This is how many encoders, printers, and other third-party readers add support for such credentials. The HID SAM included in this bundle is such a module, and can be found in a wide variety of third-party devices.

The keys embedded in the SAM allow your Flipper Zero to read credentials technologies that use standard keysets and SIO's, including Seos, iCLASS SE, and DESFire*.

These are the same NARD SAM expansion boards and SAM's used in the Red Team Alliance Flipper Zero training course.

The required open-source "Seader" app can be found at https://flipc.org/bettse/seader

PCB fabrication and assembly completion in the USA!

Additional support is not available for this specific item and its capabilities without special arrangement.  Please speak to Red Team Alliance regarding training and hardware usage if you are unfamiliar with HID secure elements. *DESFire authentication is supported by the SAM but the Flipper app has not yet been updated to support this functionality.

NOTE: This is an add-on product for the Flipper Zero! The Flipper Zero itself is NOT included.

Probably Frequently Asked Questions:

Q: OH MY GOD DOES THIS BREAK SEOS!?

A: No.

Q: What do you mean? You can clearly read standard Seos cards using the Flipper Zero now! That means it's broken!

A: Actually, everything is working as designed. The SAM handles authentication challenge/response on-chip, and performs SIO decryption on-chip as well. It is no different than using any vendor's wall reader, reading a protected credential and recording the Wiegand data coming out. That is what's happening here, but without the extra step or device. With the addition of this board, SAM, and relevant Flipper app, you now have a battery-powered credential reader that also can do a bunch of other stuff as well.

Q: So if it doesn't break anything directly, why would I even want it?

A: Probably the same reason you have a Flipper Zero in the first place: Convenience. If the Flipper Zero is your hacker "Swiss Army Knife", this adds another tool.

Q: Does this mean I can write my own Seos credentials as well?

A: No. The SAM provided here is the same type and configuration present in any normal off-the-shelf reader, and does not have encoding API's. It is a READ-ONLY function!

Q: These are SO MANY WORDS and you still haven't told me anything helpful! Can I copy Seos cards or what?

A: Sort of! Although this will not enable you to encode Seos / iCLASS SE credentials directly, in most cases you can execute a downgrade attack and write the PACS Wiegand payload back to another supported credential such as ISOProx II or iCLASS Legacy / Classic.

Q: Okay... what is a downgrade attack?

A: Downgrade attacks have been technically possible for decades, but are slowly becoming more well-understood. You can learn a bit more about the concept from Babak Javadi's and Iceman's DEFCON 28 talk. If you need some hands-on practice with the technique, it is a concept covered in-depth in RTA's "Physical Access Control Systems: Practical Hacking and Defense" trainings.

Tool Origin Breakdown...
• Designed & Created in the USA
• Manufactured Overseas