Cloning iClass 16k/16 card

Hey there! Decently new to all this, but I have a nice technical background so I’m able to understand a lot of the processes and command line work. I have an access card I would like to clone to something (ideally small form factor but that’s not the important bit here) and after exploring the forums a bit I didn’t see anyone posting about experience with the card I have.
It’s an iClass card, and via the labelling “2+” I can tell it has “size 2” memory, 16k/16 as they call it, and is programmed with a non iso14443B standard. I’ll be honest the memory labels don’t make much sense to me, but these markings were enough to be comfortable saying it’s probably not an SEOS card, so there shouldn’t be issues there.
Reference doc here (section 3.3)
I’m wondering if for the sake of access control this memory size is significant in some way, or even just what that nomenclature means, because it doesn’t make much sense to me. I don’t have much context regarding what the other different card sizes’ data looks like, and the dumps didn’t look particularly different from other iClass ones I’ve seen here. If the sizing isn’t important for access control, cool, we can move on and leave this as something to wonder and learn about over time.
On the cloning target side of things, assuming size is irrelevant, what possible chip(s) can I clone to? There only seem to be one or two links going around, either to flexclass which is far too expensive for what I want since I don’t intend to implant (yet), or to Deviant Ollam’s eternally sold out 2k cards. Are these legitimately the only two possibilities or have my eyes just glossed over things and I’ve missed the other options?

Thanks all!

Yeah. that’s good.
treat it like a prototype, just focus on getting it working first, the size/form factor can come later.
I already have a couple of ideas for you.
but if you can get a full size card for testing it will effectively remove range/coupling as a variable and you can focus on the important bit.

Two of my ideas, you wouldn’t need a PM3

  • Can you get a spare card that is enrolled and working?

  • Can you modify your current card?

if yes to either of these, and you know what form factor you would like, it would be super easy to turn a card into a fob or similar.

that’s a good start.

Do you have a ProxMark3?

if you are wanting a glass xSeries sized option, that will get much more tricky.

As for the cloning, iClass is not my strong suit.
I would be referencing the following

Cloning an HID iClass credential to your flexClass

Also I would be asking the following for assistance if I got stuck (the authors of the above links)

@philidelphiaChickens @NinjuhhNutz @NiamhAstra

Out of their own necessity, they have all done the research and experimentation.

@NiamhAstra actually developed the FlexClass with Amal and he may be able to direct you to chip / card sources :man_shrugging:

Have you read the card and seen how much data has actually been used or how much is free?

I know there was going to be a batch of the 16kb FlexClass made, so down the track, this may be your option.

I’m not sure of the cost of the chips themselves, but if you do decide to implant one inside you, you are paying for the proven safety of the implant and the guarantee that comes with it.

Not a great answer, but I hope you can at least pull something of use out of it.

1 Like

No unfortunately, I just use the ID/security card security staff gave to me for site access, it’s unique to the individuals and I don’t want to pretend I lost it just to get another.

I don’t know but I don’t wanna accidentally “brick” my card for site access. If it’s not risky to attempt I’d consider it, I just don’t know what modifications cause bad/permanent things yet.

Indeed! I was heading out earlier so I didn’t have time to reopen pm3 to get the dump, but here’s what I’ve read so far. Idk if there’s more data anywhere else, but that’s certainly not 16k in bits or bytes, not even considering what the “/16” bit means. I do see something about application areas, not sure what that means or how to read it if it’s more data.

Yep, was reading that one earlier! :slight_smile:
I’m assuming for that one, in instruction steps 3 and 4 the -d arguments are meant to be from the data in step 2 yeah?

The other links I had seen earlier as well, and are what led me to wonder about 2k vs 16k/16 and if it matters (not that the 2k is currently in stock anyways).

Ooh thank you for that info!

See above dump for all that I presently know how to view ^^,

Good to hear in case 2k isn’t viable!

Yeah, that’s the cost I was referring to not needing right now, because I have no foreseeable-future plans of getting an implant, but someday when I eventually do I will absolutely put down for the safe and well tested option~
For now, just external testing with whatever I’m able :slight_smile:
The small form factor I was hoping for was actually just to embed in a fabric or silicone wrist band for convenience. An explant, if you will :3

It let me know I’ve at least been pursuing the right lines of research haha, I appreciate it!


Edit to remark on the curse of modern services auto-emojifying classic emoticons, let me have my sideways smileys :')

1 Like

:grin:

SO,
after reading all that, this is what I would do

I would forget about all the programming bullshit, and “go analog.”

Can you do me 2 things,

  • scan your card with TagInfo, and check

EXTRA - IC Information- Capacitance: ???

  • Use a bright torch / flashlight from behind the card to silhouette the chip and share the image

IF it looks feasible from the above information

Find yourself a wrist band you would like to use, and there is a reasonable chance if you grab one like these, it will have the correct antenna in it.



Or find yourself a suitable antenna from elsewhere

  • Throw your card in some acetone, carefully remove the chip and antenna from the remains.
  • De-solder the chip from the antenna (put the antenna aside for later, if required to refurb)
  • Solder the chip onto the new wristband antenna
  • Test it
  • Protect it as you see fit
  • Insert into wristband

Job Done :+1:

I haven’t gone into too much detail, as I have done something quite similar before, and it’s pretty easy.
But if you get stuck, or are confused about any part of the process, just ask.

1 Like

Considering that RedTeamTools is currently out of iClass cards, obtaining a 2k card is a little more expensive. eBay has them, but again, they’re more expensive.

That said, @NiamhAstra would be more knowledgeable, but if I HAD to guess, I would guess that a 2k would work. In the same way that a MIFARE 4k can be cloned to a 1k if only the first few lines are used, based on your posted dumps, I would be willing to guess that you can clone it just fine.

Out of curiosity, can you post what happens when you use the command hf ic info?

3 Likes

As comfortable as I am with soldering components and chemical shenanigans, it is unfortunately also a visual ID badge with a photo directly printed on it, so not just something I can dissolve into the void without repercussions ;u;

Apparently iPhone only allows scanning NDEF formatted tags :'<

1 Like

You weren’t kidding, shipping is as costly as the items themselves holy dang. Think I’ll pass on 25$ for a single card/fob

I’ll give it a shot someday when I can get my hands on a 2k then, the dumps I got didn’t seem to look v different from ones from 2ks in other threads I’d seen, so hopefully it’s just unused space.


Looks like it is indeed 16k/16, and looks like there is some more info about the data storage in here that makes that name make more sense

Ahh. bugger

Well I’ll hand it over to @philidelphiaChickens to help you out with the cloning

1 Like

I have a couple of still-functioning iClass 2k cards that I don’t need anymore (since I finally jacked into the matrix without being “jacked in” and figured out what I had been trying to wrap my noodle around.) If you’d like, I could send you one to play around with. AND give you some pointers on what NOT to do to make it a very lightweight paperweight :crazy_face:

It’s actually quite trivial once you know and understand the several BIG FUCKING DETAILS that make or break working with it. :man_shrugging:

DM me if you’re interested

2 Likes

FWIW, I think these will also do the trick.

2 Likes