Cloning HD iCLASS MIFARE Px DM18Y

Blackhawks · July 15, 2023, 6:30am

I might be getting closer … this is what Amal’s post states:

    Cloning an HID iClass credential to your flexClass
    DT Info
    Aug 2021
    Aug 2021

    amal
    Aug '21
    Steps to clone an HID iClass legacy / standard credential
    Put enrolled iClass credential on HF antenna of Proxmark3 100

    hf ic dump --ki 0
    hf ic wrbl --ki 0 -b 6 -d 030303030003E017
    hf ic wrbl --ki 0 -b 7 -d 10A145919ED16F50

Here is what my "hf ic dump --ki 0: shows me:

[usb] pm3 → hf ic dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 255 (0xFF)
.

[=] --------------------------- Tag memory ----------------------------

[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file C:\ProxSpace\pm3/hf-iclass-4A4B1612FFFF12E0-dump-001.bin
[+] saved 19 blocks to text file C:\ProxSpace\pm3/hf-iclass-4A4B1612FFFF12E0-dump-001.eml
[+] saved to json file C:\ProxSpace\pm3/hf-iclass-4A4B1612FFFF12E0-dump-001.json
[?] Try hf iclass decrypt -f to decrypt dump file
[?] Try hf iclass view -f to view dump file

Does anyone have any ideas what I do next? Again, what type of blank card/fob do I need and where can I purchase them?

~Blackhawks

amal · July 15, 2023, 7:15am

The messed up LF command makes me think something went haywire with the application image. J would do a pm3-flash-all again just to be sure?

Equipter · July 15, 2023, 11:01am

in which you must have cut out the LF commands/other portions of the firmware to make it fit.

when you have a 256k board you can’t have the full firmware on it, it’s too small. what i recommend you do is make two Makefile.platform files corresponding to which flags you have skipped and use them interchangeably when you need that side of the proxmark

amal · July 15, 2023, 5:04pm

Oh good eye on that!

Blackhawks · July 15, 2023, 11:40pm

Fine Gents amal & Equipter - much appreciated!

But I still have issues. The only way I could do the ./pm3-flash-fullimage is by uncommenting everything in the section as the Readme file suggested - see below.

#PLATFORM=PM3RDV4
#PLATFORM=PM3GENERIC

If you want more than one PLATFORM_EXTRAS option, separate them by spaces:

#PLATFORM_EXTRAS=BTADDON
#PLATFORM_EXTRAS=FLASH
#PLATFORM_EXTRAS=BTADDON FLASH
#STANDALONE=LF_SAMYRUN

Uncomment the lines below in order to make a 256KB image

and comment out the lines above

PLATFORM=PM3GENERIC
PLATFORM_SIZE=256
STANDALONE=
SKIP_HITAG=1
SKIP_FELICA=1
SKIP_HFPLOT=1
SKIP_NFCBARCODE=1
SKIP_ZX8211=1
SKIP_LF=1

I only now clued in that the SKIP_LF=1 must be taking out my LF functions.

So, if I am correct, my Proxmark Easy is pretty well out of memory space. What else can I delete that will allow me to bring back the LF functions? I don’t see anything else I can take out that allows me to #SKIP_LF=1

Also, if did end up creating a new “Makefile.platform.WithLF” file, how do I switch back from the original Makefile.platform file and the new Makefile.platform.WithLF file without doing all the commands again (make clean && make -j8 all + ./pm3-flash-bootrom +./pm3-flash-fullimage) before running pm3?

I may have missed something and/or not understand something so any input would be much appreciated! I appreciate your patience with this newbie!

~Blackhawks

Blackhawks · July 16, 2023, 1:33am

Nevermind … I figured it out!

Definitions	Rough estimation of the saved space
STANDALONE=	3.6KB
SKIP_LF=1	25.8KB
SKIP_HITAG=1	24.2KB
SKIP_EM4x50=1	2.9KB
SKIP_ISO15693=1	3.2KB
SKIP_LEGICRF=1	3.9KB
SKIP_ISO14443b=1	3.7KB
SKIP_ISO14443a=1	63.0KB
SKIP_ICLASS=1	10.5KB
SKIP_FELICA=1	4.0KB
SKIP_NFCBARCODE=1	1.4KB
SKIP_HFSNIFF=1	0.5KB
SKIP_HFPLOT=1	0.3KB
SKIP_ZX8211=1	0.3KB

This is what I used for my setup:
PLATFORM=PM3GENERIC
PLATFORM_SIZE=256
STANDALONE=
SKIP_HITAG=1
SKIP_FELICA=1
SKIP_HFPLOT=1
SKIP_NFCBARCODE=1
SKIP_ZX8211=1
#SKIP_LF=1
SKIP_ISO14443a=1

~Blackhawks