Cloning iClass DP (13mhz side) to NeXT implant?

I have a work badge that’s an iclass DP (using the diagnostics card we only use the 13 “nfc” side)

i’d really like to clone my badge over as i’m told we only use the uid of the badge for reading.
it seems like lots of people have run into this issue. am i correct in assuming that an iclass / picopass cannot be cloned over to a 14a style card (implant) as they’re too different?

also someone else mentioned that the uid of the NeXT cannot be changed, that’s not true, is it?

Correct, the uid cannot be changed on the hf side of the next

1 Like

Any way you could convince the people who run your security system to enrol your NExT’s UID?

1 Like

not really. how common are 14a cards or regular 125khz installs still in the wild though?

The last two places I worked used 125khz HID Prox and I see HID readers often enough to say they are still common.

I have actually made a iClass implant antenna, not available yet but maybe soon, just finished testing the latest design and it works well? :eyes:



Looks cool ! Which chip did you use ?

Here is the product page for it flexClass (HID iClass) - RFID & NFC Chip Implants and Biohacking products

Soon to be back in stock…


To add on the flexclass subject…all the research I’ve done, iClass rarely uses the actual uid for authentication (at least not directly) but rather blocks 6-9 and the uid is used in conjunction with the authentication key to work its magic.

Translation :stuck_out_tongue: you probably won’t have to actually enroll or clone your flexclass’s uid instead of just cloning the data blocks.

Hope that helps

Thank you for the info!

I have accidentally overwritten block 1 that contains the encrypted key, next the flexclass does not respond to any block read or write command.

Is there a way to calculate the authentication key from UID and block 1 ?

I’m at work, and only have my Mac book with me. All my Proxmark3 files are on my windows/linux laptop at home. I’ll have to look at my notes to refresh my memory. IIRC block 3 is where your key is stored indirectly. If you actually overwrote block 1… TSK TSK TK

what do you get from

hf ic info

specifically, where it gives you “card configuration” and breaks down each byte?

Sorry I meant erased block 3 not block 1.
So is there a way to calculate the authentication key from UID and block 3 ?

Do you know what you accidentally wrote to block 3? There is a key calculation command that will give you what you need to write to block 3. Also, there are multiple “ways” to write the data in the block.

Again, this is where a bit of reading on this forum comes in handy. All the info you need is easily found here.

If @herveld dumped the flexClass before writing to it, I think that dump should be stored in the pm3 folder.

1 Like

good thinking! That didn’t even cross my mind until you mentioned it. Between that and what hf ic info gives now, should allow the xor calculation to get it back to where it should be.

1 Like

I indeed dumped the flexclass before writing to it - using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87

Original block 3 was : 57 8C F3 23 4E 76 31 3E and CSN : 01 D9 50 01 0B 00 12 E0

Then after successfully writing to block 6 to 9, I wrote to block 3 :
hf ic wrbl --ki 2 -b 3 -d F9D201B9445C3784

[+] Using key[2] F0 E1 D2 C3 B4 A5 96 87
[+] Wrote block 3/0x03 successful

pm3 → hf ic dump --ki 2
[+] Using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 255 (0xFF)
[!!] :rotating_light: failed to communicate with card

pm3 → hf ic wrbl --ki 2 -b 3 -d 578CF3234E76313E (original block3)
[+] Using key[2] F0 E1 D2 C3 B4 A5 96 87
[-] :no_entry: Writing failed

Is there a command to calculate the new generated key from block 3 and CSN to re-enable writing and restore original key ?

Indeed there is. @philidelphiaChickens and I sort of teamed up on a thread and tried to put as much of what we discovered the hard way all in one place to make it easier for others.
Hopefully it will serve you well. Do yourself a favor and (while I’m partial to notepad++) use something to document every single command you use BEFORE you execute it. It will make troubleshooting and recovering much easier if you fubar the commands. Copy and paste it rather than typing it again is cheap insurance. I’ve fat fingered commands more than once and it’s a royal pita to come back from.

Let us know what ya find.

1 Like

@NinjuhhNutz Thank you for pointing me to the right direction !

Though I am still unsure about what you mean by “Kdiv xor”

Is it the original AA1 key xored with CSN or Original block 3 xored with CSN, or something else ?

I would rather be sure not to mess things up a bit more…

Is your credential in personalization or application mode?

hf ic info

This command should give you a breakdown of block 1 (configuration block) and explicitly state which mode it’s set to. Depending on which mode it’s in will dictate the approach for calculating the new key to be written to block 3.

If you can post the results of the command, I’ll try to walk you through getting you up and going.

1 Like