Cloning iCLASS DL (iCLASS SE)

ayeosq · March 1, 2025, 3:53am

Trying to clone this, any guide?

[usb] pm3 --> hf iclass info

[=] --- Tag Information ----------------------------------------
[+]     CSN: 50 6A A0 0E FE FF 12 XX  uid
[+]  Config: 12 FF FF FF 7F 1F FF XX  card configuration
[+] E-purse: 24 FF FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF 00 06 FF FF FF  application issuer area
[=] -------------------- Card configuration --------------------
[=]     Raw... 12 FF FF FF 7F 1F FF XX 
[=]            12 (  18 ).............  app limit
[=]               FFFF ( 65535 )......  OTP
[=]                     FF............  block write lock
[=]                        7F.........  chip
[=]                           1F......  mem
[=]                              FF...  EAS
[=]                                 3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks 
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read AA1..... debit
[=]     Write AA1.... debit
[=]     Read AA2..... credit
[=]     Write AA2.... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS SE
[+]     Card type.... PicoPass 2K
[+]     Card chip.... NEW Silicon (No 14b support)

Aoxhwjfoavdlhsvfpzha · March 1, 2025, 4:02am

Have you tried checking for keys already?

ayeosq · March 1, 2025, 4:06am

Yea, I did, no key found

[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic --elite
[+] Loaded 29 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_default_keys.dic`
[+] Reading tag CSN / CCNR...
[+]     CSN: 50 6A A0 0E FE FF 12 XX
[+]    CCNR: 24 FF FF FF FF FF FF FF 00 00 00 00 
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
 🕖 Chunk [000/29]
[+] time in iclass chk 2.4 seconds

[usb] pm3 --> hf iclass chk -f iclass_elite_keys.dic --elite
[+] Loaded 729 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_elite_keys.dic`
[+] Reading tag CSN / CCNR...
[+]     CSN: 50 6A A0 0E FE FF 12 XX 
[+]    CCNR: 24 FF FF FF FF FF FF FF 00 00 00 00 
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
 🕐 Chunk [635/729]
[+] time in iclass chk 10.0 seconds

Aoxhwjfoavdlhsvfpzha · March 1, 2025, 4:07am

Try that one without the --elite

ayeosq · March 1, 2025, 4:10am

[usb] pm3 --> hf iclass chk -f iclass_elite_keys.dic 
[+] Loaded 729 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_elite_keys.dic`
[+] Reading tag CSN / CCNR...
[+]     CSN: 50 6A A0 0E FE FF 12 XX 
[+]    CCNR: 24 FF FF FF FF FF FF FF 00 00 00 00 
[=] Generating diversified keys 
[+] Searching for DEBIT key...
 🕖 Chunk [635/729]
[+] time in iclass chk 10.0 seconds

[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic 
[+] Loaded 29 keys from dictionary file `/usr/local/bin/../share/proxmark3/dictionaries/iclass_default_keys.dic`
[+] Reading tag CSN / CCNR...
[+]     CSN: 50 6A A0 0E FE FF 12 XX 
[+]    CCNR: 24 FF FF FF FF FF FF FF 00 00 00 00 
[=] Generating diversified keys 
[+] Searching for DEBIT key...
 🕗 Chunk [000/29]
[+] time in iclass chk 0.9 seconds

Aoxhwjfoavdlhsvfpzha · March 1, 2025, 4:14am

Hmm, well, that puts it outside of my knowledge area

I think we’re basically here:

Where you’ll likely have to look into reader-side attacks

ayeosq · March 1, 2025, 4:25am

[usb] pm3 --> hf iclass dump --ki 1 --elite
[+] Using AA1 (debit) key[1] FD CB 5A 52 EA 8F 30 90 
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass dump --ki 2 --elite
[+] Using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87 
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass dump --ki 3 --elite
[+] Using AA1 (debit) key[3] 76 65 54 43 32 21 10 00 
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass dump --ki 0 --elite
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78 
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] 🚨 failed to communicate with card
[usb] pm3 --> hf iclass chk --vb6kdf --elite
[+] Reading tag CSN / CCNR...
[+]     CSN: 50 6A A0 0E FE FF 12 E0 
[+]    CCNR: 24 FF FF FF FF FF FF FF 00 00 00 00 
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
 🕙 Chunk [4953/5000]
[+] time in iclass chk 66.4 seconds

[usb] pm3 --> hf iclass chk --vb6kdf 
[+] Reading tag CSN / CCNR...
[+]     CSN: 50 6A A0 0E FE FF 12 E0 
[+]    CCNR: 24 FF FF FF FF FF FF FF 00 00 00 00 
[=] Generating diversified keys using elite algo
[+] Searching for DEBIT key...
 🕑 Chunk [4953/5000]
[+] time in iclass chk 66.4 seconds

ayeosq · March 2, 2025, 5:00am

Regarding this reader side attack, I am considering getting one of the following for portability: i-Copy XS / Flipper Zero / Chameleon Ultra.

I have the PM3 Easy currently, and I am comfortable working with terminal.

Which would you recommend?

Aoxhwjfoavdlhsvfpzha · March 2, 2025, 5:06am

I only have a Flipper Zero, so I can’t speak to the other two, but I am happy with the F0

I do not have any experience with these attacks personally either, but from what I’ve seen online the F0 makes it pretty simple too

But I have never done it myself…

If you have an android phone, you should be able to use your PM3 with that too, makes it a bit more portable.

I have heard that the i-Copy devices have weird proprietary stuff baked into them, and frankly I’ve never heard a particularly glowing review of them, so I wouldn’t get one personally…
I’m also not certain that the Chameleon Ultra is capable of attacking iClass systems, but I know very little about the Chameleon devices, just make sure it’ll do what you need before you go that route…

ayeosq · March 2, 2025, 5:38am

Android Client for Proxmark

Which one is best supported?

Aoxhwjfoavdlhsvfpzha · March 2, 2025, 5:39am

github.com/RfidResearchGroup/proxmark3

doc/termux_notes.md

master

# Proxmark 3 on Android
<a id="top"></a>

## Table of Contents
- [Proxmark 3 on Android](#proxmark-3-on-android)
  - [Table of Contents](#table-of-contents)
  - [Requirements](#requirements)
  - [Notes](#notes)
  - [Setup](#setup)
    - [Setting up Termux](#setting-up-termux)
    - [Install Proxmark3 package which follows tagged releases](#install-proxmark3-package-which-follows-tagged-releases)
    - [Optional: Install Proxmark3 package which offers a more up to date version from git `master` branch](#optional-install-proxmark3-package-which-offers-a-more-up-to-date-version-from-git-master-branch)
    - [Optional: Building Proxmark3 client from source](#optional-building-proxmark3-client-from-source)
  - [PC-like method](#pc-like-method)
    - [Specific requirements](#specific-requirements)
    - [USB\_ACM](#usb_acm)
      - [Enable the driver](#enable-the-driver)
      - [Building the kernel](#building-the-kernel)
      - [Flashing the kernel](#flashing-the-kernel)
      - [Testing](#testing)

This file has been truncated. show original

Termux

In particular you’ll need to use the TCP/UDP bridge method if you don’t have a rooted device

Pilgrimsmaster · March 2, 2025, 5:59am

This is what I use

BUT
Iceman is replying…so… listen to what he says

Iceman · March 2, 2025, 6:01am

iCLASS SE,…

Your options is limited.

a flipper with NARD / SAM
a pm3 with sim module / SAM
xcopy-xs with that ICS addon reader thingy

another alternative is to sniff/jam in order to do the nr-mac on pm3
on flipper w nard you can do same, I think its called “nr-mac replay” there

Aoxhwjfoavdlhsvfpzha · March 2, 2025, 6:08am

Do you need the nard on the flipper?

This video:

Looks like it does it without…

But I know nothing about the attack!
Also could still be a work in progress/not released yet perhaps…

Or maybe this is emulation only? It might not actually give you a look at the PACS which you would need a SAM for?

ayeosq · March 2, 2025, 7:11am

NR-MAC Attack
Been reading but seems like iClass SE not possible

ayeosq · March 2, 2025, 4:29pm

Can’t find any NARD / SAM module for sale.
My only option was kind of : DIY NARD Flipper add-on
Have anyone here done it before?

ayeosq · March 3, 2025, 3:19am

How to clone your iClass Fob or KeyCard with Mr. Key Fob!

Looking at his method, is it worth to get the OMNIKEY 5427 CK?

Equipter · March 3, 2025, 3:42am

no you dont need the NARD to do NR-MAC, the point of NR-MAC is that you can do it without needing a weaponised reader or NARD, it doesn’t work on all readers anymore as many have been patched with a few update

Equipter · March 3, 2025, 3:43am

iclass SE is totally possible with NR-MAC so long as the reader is susceptible to the auth-skip it relies on, worth trying definitely. if it doesnt work then NARD+SAM is the way to go

Equipter · March 3, 2025, 3:51am

the only option avsailable rn is FlipperMeister

but DIYing is WAY cheaper, you just need to but a smartcard2click module and buy a HID SE SAM and wire the module up to your flipper and insert the SAM, I have the NARD+SAM but many have done the DIY version.

honestly i very much recommend you join the flipper zero official discord server Flipper Devices and come into the NFC channel where you will find the 3 developers of the entire flipperzero iclass suite including the picopass app, seader software and NR MAC attack. (bettse, nvx and zve8), Killergeek did the design for the NARD board but all 3 are very knowledgeable and familiar with iclass on the flipper and how to go about setting up the DIY NARD and where to purchase the SAM (AFTER NR-MAC has been tried!!! you could very likely save yourself some money given its chances of success)