Cloning iClass DP (13mhz side) to NeXT implant?

Sorry I meant erased block 3 not block 1.
So is there a way to calculate the authentication key from UID and block 3 ?

Do you know what you accidentally wrote to block 3? There is a key calculation command that will give you what you need to write to block 3. Also, there are multiple “ways” to write the data in the block.

Again, this is where a bit of reading on this forum comes in handy. All the info you need is easily found here.

If @herveld dumped the flexClass before writing to it, I think that dump should be stored in the pm3 folder.

Good thinking! That didn’t even cross my mind until you mentioned it. Between that and what hf ic info gives now, it should allow the xor calculation to get it back to where it should be.

I indeed dumped the flexclass before writing to it - using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87

Original block 3 was : 57 8C F3 23 4E 76 31 3E and CSN : 01 D9 50 01 0B 00 12 E0

Then after successfully writing to block 6 to 9, I wrote to block 3 :
hf ic wrbl --ki 2 -b 3 -d F9D201B9445C3784

[+] Using key[2] F0 E1 D2 C3 B4 A5 96 87
[+] Wrote block 3/0x03 successful

pm3 → hf ic dump --ki 2
[+] Using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 255 (0xFF)
[!!] :rotating_light: failed to communicate with card

pm3 → hf ic wrbl --ki 2 -b 3 -d 578CF3234E76313E (original block3)
[+] Using key[2] F0 E1 D2 C3 B4 A5 96 87
[-] :no_entry: Writing failed

Is there a command to calculate the newly generated key from block 3 and CSN to re-enable writing and restore the original key?

Indeed there is. @philidelphiaChickens and I sort of teamed up on a thread and tried to put as much of what we discovered the hard way all in one place to make it easier for others.
Hopefully it will serve you well. Do yourself a favor and (while I’m partial to notepad++) use something to document every single command you use BEFORE you execute it. It will make troubleshooting and recovering much easier if you fubar the commands. Copy and paste it rather than typing it again is cheap insurance. I’ve fat fingered commands more than once and it’s a royal pita to come back from.

Let us know what ya find.

@NinjuhhNutz Thank you for pointing me in the right direction!

Though I am still unsure about what you mean by “Kdiv xor”

Is it the original AA1 key xored with CSN or Original block 3 xored with CSN, or something else ?

I would rather be sure not to mess things up a bit more…

Is your credential in personalization or application mode?

hf ic info

This command should give you a breakdown of block 1 (configuration block) and explicitly state which mode it’s set to. Depending on which mode it’s in will dictate the approach for calculating the new key to be written to block 3.

If you can post the results of the command, I’ll try to walk you through getting you up and going.

I tried to vnc to my laptop at home with my Proxmark3, but I may have closed it before leaving for work this evening. So, I don’t have access to the Proxmark3 client and don’t remember all of the commands exactly. But, you should be able to work out the details with the -h after “hf ic calcnewkey”

hf ic rdbl -b 3 -k F9D201B9445C3784 --raw

If you get a successful read, we’re getting somewhere.

[=] --------------------- Tag Information ----------------------
[+] CSN: 01 D9 50 01 0B 00 12 E0 uid
[+] Config: 12 FF FF FF E9 7F FF 3C card configuration
[+] E-purse: FE FF FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key ( hidden )
[+] Kc: 00 00 00 00 00 00 00 00 credit key ( hidden )
[+] AIA: FF FF FF FF FF FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF E9 7F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] E9… chip
[=] 7F… mem
[=] FF… EAS
[=] 3C fuses
[=] Fuses:
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] PROD0/1… Default production fuses
[=] -------------------------- Memory --------------------------
[=] 32 KBits/17 App Areas ( 32768 bytes )
[=] 2 books / 8 pages
[=] First book / first page configuration
[=] Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=] AA1 | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=] AA2 | 19 - 255 ( 0x13 - 0xFF ) - 242 blocks
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read A… debit
[=] Read B… credit
[=] Write A… debit
[=] Write B… credit
[=] Debit… debit or credit
[=] Credit… credit
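
As an added example (not part of the thread and not Proxmark3 code), this Python sketch decodes the configuration block from the `hf ic info` output above and, for the mode it reports, computes the data that would be written to block 3 to move from one diversified key to another. The fuse bit masks and the rule that an application-mode key update is XORed with the stored key are assumptions of this sketch, and the two keys in the usage lines are constructed, not values from this card.

```python
# Added example, not Proxmark3 source. Bit masks are assumptions chosen to
# reproduce the "Fuses" lines of the hf ic info output quoted above.
FUSE_FPERS, FUSE_CODING1, FUSE_CODING0 = 0x80, 0x40, 0x20
FUSE_CRYPT1, FUSE_CRYPT0, FUSE_RA = 0x10, 0x08, 0x01

CRYPT = {  # (crypt1 set, crypt0 set) -> meaning
    (True, True): "Secured page, keys not locked",
    (True, False): "Secured page, keys locked",
    (False, True): "Non secured page",
    (False, False): "No auth possible",
}


def decode_config(block1_hex):
    """Split the 8-byte configuration block into the fields hf ic info prints."""
    b = bytes.fromhex(block1_hex)  # fromhex ignores the spaces between bytes
    if len(b) != 8:
        raise ValueError("configuration block must be exactly 8 bytes")
    fuses = b[7]
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443-B only"
    return {
        "app_limit": b[0], "otp": b[1:3].hex().upper(),
        "block_write_lock": b[3], "chip": b[4], "mem": b[5], "eas": b[6],
        "mode": "personalization" if fuses & FUSE_FPERS else "application",
        "coding": coding,
        "crypt": CRYPT[(bool(fuses & FUSE_CRYPT1), bool(fuses & FUSE_CRYPT0))],
        "read_access": bool(fuses & FUSE_RA),
    }


def block3_write_data(mode, current_kdiv_hex, wanted_kdiv_hex):
    """Data to write to block 3 so the card ends up holding wanted_kdiv."""
    cur, new = bytes.fromhex(current_kdiv_hex), bytes.fromhex(wanted_kdiv_hex)
    if len(cur) != 8 or len(new) != 8:
        raise ValueError("diversified keys are 8 bytes")
    if mode == "personalization":  # assumed: the key is stored as written
        return new.hex().upper()
    # assumed: in application mode the card XORs the write with the stored key
    return bytes(a ^ b for a, b in zip(cur, new)).hex().upper()


if __name__ == "__main__":
    cfg = decode_config("12 FF FF FF E9 7F FF 3C")  # Config line from the output
    print(cfg["mode"], "|", cfg["crypt"])
    # Constructed keys, only to show the arithmetic.
    print(block3_write_data(cfg["mode"], "0011223344556677", "0102030405060708"))
```
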

Try the hf ic rdbl command I posted earlier (I assume you only read the last post I made, and not the one before it) to see what kind of response you get. That will determine how you go about the command to hopefully get your block 3 to where it needs to be.

I tried the command : hf ic rdbl -b 3 -k F9D201B9445C3784 --raw

It did not return anything. :unamused:

Anything else I can try to get back to initial state ?

Try it without the --raw modifier. The biggest hurdle will be recovering from your block 3 entry.

I just got to work, and kind of walked in to a shit show tonight. So, it’ll be a couple hours before I can work on anything else. I’ll try to work on a couple different options to see what we can come up with.

Without going into too much detail, play around with the calcnewkey command, and use the various results to try with the rdbl -b 3 command.


hf ic rdbl -b 3 -k OF91A7CCFC449CCF
It’s been a while, but that’s the Kdiv xor value from the original key and what you explicitly typed using your CSN.
If that doesn’t work, try
578CF3234E76313E and then
581D54EFB232ADF1 as the key. Hopefully one of them will work.

Also, what exactly does “did not return anything” mean? NO response at all? or failed? or?

I tried all the keys you mentioned - with and without --raw and always get no response = immediately back to the pm3 prompt.

Okay, when I get some time tonight when I get home from work I’ll try to wrap my head around exactly what you have going on. I think there’s diversification that needs to be done with your CSN and the value you sent to block 3, and coming up with what we actually need to use currently as the key in order to write the correct value to block 3 for the master authentication key. There WILL be a voilà moment…hopefully :crazy_face:


hf ic rdbl -b 3 -k 1FAC2F3E42CC9DC9

If not, try the --raw…fingers crossed!

Not much luck with the new key, with or without --raw, still back to pm3 prompt. :cry:

hf ic rdbl -b 3 -k 8B33496B29F0424D

hf ic rdbl -b 3 -k 103D88F2BE880106

And hf ic info before moving the implant at all…to make sure that it’s not just a comm issue instead of a key issue.

I’m running out of ideas…But, I have a million things going on, so admittedly, it doesn’t have 110% of my attention. My apologies.


So…I’m wondering something.

hf ic rdbl -b 3 -k f13882c2bfa58467

Same results for new keys… no output.

Not a comm issue as hf ic info always works.

Okay…so I’m understanding your situation correctly. I want to make sure of a couple things.

You did or did not run a hf ic calcnewkey command before writing to block 3?
Did you just write the value F9D201B9445C3784 to block 3 and call it a day?

Where did you come up with the value that you wrote to block 3?

I’m sure there is a way to recover, I’m just trying to work it out while juggling everything else.