Clone HID iClass PicoPass 2k

Hi mates,

I’m trying to clone a fob key HID iClass PicoPass 2K. I’m using Proxmark3. Can someone help me or teach me how to use this tool?

I read a lot of discussions but still feel lost on this.

That’s what I got:

hf ic info

Also, I read this info:

iClass Documentation

Thank you.

If the fob you’re copying from is using the standard key, all you should need to do is have the existing fob on the hf antenna and then run:

hf iclass rdbl -b 7 --ki 0

Then take the valid fob off the proxmark and put the writable fob/card on and run:

hf iclass wrbl -b 7 -d XXXXXXXXXXXXXXXX --ki 0

Replace the Xs with the 8 bytes (16 hex symbols) that the proxmark3 output when you ran the rdbl command.

That should be it (assuming they’re not using non-standard ‘high security’ keys or something else going on).


Here is a list (incomplete and made very quickly) of posts that contain useful iClass information. I suggest you read each carefully as the next steps for standard and more involved iClass cloning have been covered elsewhere:


Now I got this:

image

I’m trying to clone it using this card: “5577 Blank cards” (Comes with proxmark3). Also, I tried with CUID Blank cards.

Thank you.

I understand there is a steep learning curve with some of this but you just blatantly ignored my suggestion to carefully read other posts so you could help yourself…I even gave you some of the most useful posts to get you started.

I’m not your mother, it’s not my job to spoon feed you.

TL;DR - You’ve got the wrong kind of blanks.
Please learn to search the forum rather than asking questions that have already been answered.

So, correct me if I get the terminology wrong but shouldn’t “clone” mean that also the UID is copied over the blank?
Just copying the content of the blocks would be a dump.

BTW @vniux those cards aren’t the same type as the iClass, not even the same size.

There’s your issue. You need a blank PicoPass 2k card in order to properly clone. T5577 is an LF card. Generally the gold standard for blank 2k cards is RedTeamTools, but they are currently out of stock. I’m on their notification list for when it’s back in stock. They’ve been out of stock for a while, I might make a post when they are FINALLY back. In the meantime, eBay is your best (albeit overpriced) option.

These will probably do the trick, but no guarantees:

Generally speaking yes… clone means ID and memory blocks… however… the functional meaning is to simply enable the target chip to function like the source chip with the intended application… and in this case, the iClass legacy system ignores the UID completely and only cares about the content of a few memory blocks… therefore cloning a source iClass chip to another target chip just requires copying those memory blocks, ignoring the UID.

Hi there,

I’ve already got my new FOB keys PicoPass 2k. I tried everything in the post referenced, but it doesn’t work.

I’m trying to understand everything. So I guess this FOB Key has more security than I expected.

hf ic dump --ki 0

image

hf iclass rdbl -b 7 --ki 0
hf iclass wrbl -b 7 -d AEA684A6DAB23278 --ki 0

image

It doesn’t work :neutral_face:

Also, I read your article @AustralianElectrical on https://forum.dangerousthings.com/t/need-help-cloning-hid-iclass-legacy/16334/6 . I don’t have access to the reader.

Any other Ideas?

you’re getting a successful dump with --ki 0 as well as wrbl…which means your credential is using that key!

--ki 0

in your post about

hf iclass wrbl -b blah blah blah…
you said it was unsuccessful…but never said why or how you determined that? the post didn’t show a rdbl command showing diff values?

what makes you think it didn’t work?

what does

hf ic rdbl -b 7 --ki 0 give you?

AND now that I think about it…why are you writing THAT value to block 7??? I’ve never seen THAT used THERE???


Hi @NinjuhhNutz,

I’m using “hf iclass rdbl -b 7 --ki 0” because @AustralianElectrical told me.

I’m learning about this, so I don’t know exactly why I’m using that block to copy the key.

When I put the original FOB I got this:
image

After writing in the new FOB I got this:
image

When I said it’s not working, I mean: when I put the new FOB key close to the reader, it didn’t do anything.

Thank you for your time. I want to learn more about this, but it’s complicated for me.

so block 7 should not be THAT value…unless the proverbial stars have aligned. THAT value belongs to another name that you are aware of. That value will be xor’d with your CSN from block 1 in order to authenticate your credential. then the other data blocks (or in this case, block 7 alone) will be checked against the database to approve or deny the check. Does that make sense?

You’re right.

I got another FOB key blank that shows this:
image

Block 7 in the second FOB key has another value that I overwrote with the default value “AE A6 84 A6 DA B2 32 78”.

I see that always when I run this line:

hf iclass rdbl -b 7 --ki 0

I got the same key value AE A6 84 A6 DA B2 32 78. I understand this key value is a default value in Proxmark3.

Again, my original question is: how can I clone the original FOB key?

you need to have the original values of blocks 6-9. I just tried the card with only block 7 cloned and it was a no-go.
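A small Python checker, added here as an example (not the Proxmark3’s code and not any poster’s), that labels the iClass block layout and compares blocks 6-9 of a source dump against the target, flagging the mistake discussed in this thread: block 7 written with the key[0] value that rdbl prints rather than with the block’s own data. The dump line format and the sample values are constructed; the block layout is assumed from public Proxmark3 documentation.

```python
from typing import Dict, List

# 8-byte block layout of an iClass / PicoPass 2k chip (assumption: taken from
# public Proxmark3 documentation, not from this thread).
BLOCK_LABELS = {
    0: "CSN (serial number, read-only)",
    1: "configuration / fuses",
    2: "e-purse",
    3: "Kd debit key (write-only, never read back)",
    4: "Kc credit key (write-only, never read back)",
    5: "application issuer area",
}
APP_BLOCKS = range(6, 10)  # blocks 6-9: the application data the reader checks
# Value the Proxmark prints as key[0]; it is the key used for the read, not block data.
KEY0_HEX = "AEA684A6DAB23278"


def parse_dump(lines: List[str]) -> Dict[int, bytes]:
    """Parse constructed '<block> <16 hex chars>' lines into {block: 8 bytes}."""
    blocks: Dict[int, bytes] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip headers / blank lines
        data = bytes.fromhex(parts[1])
        if len(data) != 8:
            raise ValueError(f"block {parts[0]}: expected 8 bytes, got {len(data)}")
        blocks[int(parts[0])] = data
    return blocks


def label(block: int) -> str:
    return BLOCK_LABELS.get(block, "application area" if block in APP_BLOCKS else "not checked here")


def check_clone(source: Dict[int, bytes], target: Dict[int, bytes]) -> List[str]:
    """Compare blocks 6-9 only; the CSN is ignored, as the legacy reader ignores it."""
    problems: List[str] = []
    key0 = bytes.fromhex(KEY0_HEX)
    for b in APP_BLOCKS:
        if target.get(b) == key0:
            problems.append(f"block {b} holds the key[0] constant, not credential data")
        if b not in source:
            problems.append(f"block {b} missing from source dump; nothing to copy")
        elif target.get(b) != source[b]:
            problems.append(f"block {b} differs: {source[b].hex()} vs {(target.get(b) or b'').hex()}")
    return problems


# Constructed sample dumps (not real credentials): the target has block 7
# overwritten with the key[0] value, exactly the mistake in the thread.
SOURCE = parse_dump(["0 0102030405060708", "6 1111111111111111", "7 2222222222222222",
                     "8 3333333333333333", "9 4444444444444444"])
TARGET = {**SOURCE, 7: bytes.fromhex(KEY0_HEX)}

if __name__ == "__main__":
    for b in sorted(SOURCE):
        print(f"block {b}: {SOURCE[b].hex()}  {label(b)}")
    for p in check_clone(SOURCE, TARGET):
        print("PROBLEM:", p)
```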

Ok, I got it.

How can I get the original values?

When I use this command line, I always query the manage keys file.

hf iclass rdbl -b 6 --ki 0

That always means the HEX key that I got is:

AE A6 84 A6 DA B2 32 78

Because in the file, these are the values:

image

Ummmmmmmmm…unless you took notes on it before you wrote over it, I don’t know of a way to recover what USED to be written to that block.

Hiya @vniux, hope you aren’t still struggling with this.

I found this video that could help you out.

hope this helps :smiley:

Take Care!
