Cloning a HID IClass 2k key fob

I just looked on all three. Only found them on eBay searching for iclass 2k. Read and writeable cards are 14.95AU; one seller claims to be in Brighton Australia so you may get a fairly quick delivery.

Im from Sydney so yeah that sounds perfect, I think I found the listing you’re talking about, is it the HID ICLASS Legacy card? Would that work thr same?

1 Like

Looking at the red team card and the eBay posting, the legacy seems the same…but it’s eBay so it is possible its wrongly described.

Well I guess we’ll find out in 4-10 days since that’s how long delivery takes, thanks so much for your help I’ll try keep this thread updated

1 Like

Wanted to say I also bought the blue key fob from ebay managed to get one for around 18 aud so I’ll be testing that aswell

1 Like

A legacy blank iClass card should do the trick. If it’s a PicoPass 2k, I think you should be all set. That’s essentially what the flexClass is.

2 Likes

The process is pretty much identical for the cards and the fobs…other than placement. I used my PM3 RDV2 and didn’t have any coupling issues, but I have read that others have had issues. Read up, as I hope your adventures with this is WAY easier and less stressful than mine was in the beginning :stuck_out_tongue:

1 Like

Hey just got the stuff i ordered this will be my first time cloning a hf tag can you run me through the process real quick?

Im trying to simply dump from one token to another but when i run the command hf iclass dump it gives me [-] run command with keys
Screenshot 2022-08-09 151405

Yeah the original one

Hey guys this is my second post about this topic, im trying to clone a HID Iclass 2k tag to another tag. I have purchased a non-programmed one and it has arrived.

I tried to simply dump and restore using this post Cloning an HID iClass credential to your flexClass

however when i type in hf ic --ki 0 i get this error

To rule out the easy stuff,

  1. what version is your pm3? Latest Version?

  2. can you do a simple hf search and detect the fob?

1 Like

oh sorry i wasnt sure since i havent updated the other one in a while, but to answer your question yes and yes

  1. Trying changing the ki value. Others had success for example using “2”, when “0” didn’t work.
1 Like

What does the ki value mean?

Change the 0 to a 2

--ki is the key value the card wants in order to release some of the information stored on the card.

1 Like

That will probably work for the pm3 because it knows to look for the other authentication key, but can (and in my experience, will) cause issues with the reader that he is trying to use the cloned tag for. Blocks 6-9 are all the reader really cares about once authentication is done. BUT, --ki 2 uses a different key than --ki 0, so the authentication isn’t gonna be too happy about that.

the "using AA1 key [0] AE xx xx xx xx xx xx xx should be the correct key for the class tag.

UNLESS the reader has been configured to use a custom key. In which case you may very well be royally screwed.

It sounds like you’re just not communicating with the credential at all. What does your “hf search” command give you? Have you tried repositioning the card? Moving the pm3 to different surfaces? I know that sounds trivial, but it does in fact make a huge difference.

In my PM conversation with @695, the pm3 was able to detect the presence of the card. I’m guessing it’s a key error. Either it’s not --ki 0 and is some other pre-stored number OR the card has a non-standard key. It’s unusual but not impossible, especially if the admin who handles card stuff is on top of their security.

1 Like

yea that’s what I was thinking as well. But, if it is as simple as the card using a different key (as is the case with the red team tools cards in the state that they come) it’s fairly simple to change the authentication key used in the card. assuming that the reader does in fact use the --ki 0 key.

I suppose step 1 would be to get a successful dump from the original tag and verify that is does in fact use --ki 0. If not, if we can determine the key being used, easy as pie :wink:

1 Like