Cloning iClass DP (13mhz side) to NeXT implant?

I tried to vnc to my laptop at home with my Proxmark3, but I may have closed it before leaving for work this evening. So, I don’t have access to the Proxmark3 client and don’t remember all of the commands exactly. But, you should be able to work out the details with the -h after “hf ic calcnewkey”

hf ic rdbl -b 3 -k F9D201B9445C3784 --raw

if you get a successful read, we’re getting somewhere.

1 Like

[=] --------------------- Tag Information ----------------------
[+] CSN: 01 D9 50 01 0B 00 12 E0 uid
[+] Config: 12 FF FF FF E9 7F FF 3C card configuration
[+] E-purse: FE FF FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key ( hidden )
[+] Kc: 00 00 00 00 00 00 00 00 credit key ( hidden )
[+] AIA: FF FF FF FF FF FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF E9 7F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] E9… chip
[=] 7F… mem
[=] FF… EAS
[=] 3C fuses
[=] Fuses:
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] PROD0/1… Default production fuses
[=] -------------------------- Memory --------------------------
[=] 32 KBits/17 App Areas ( 32768 bytes )
[=] 2 books / 8 pages
[=] First book / first page configuration
[=] Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=] AA1 | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=] AA2 | 19 - 255 ( 0x13 - 0xFF ) - 242 blocks
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read A… debit
[=] Read B… credit
[=] Write A… debit
[=] Write B… credit
[=] Debit… debit or credit
[=] Credit… credit

Try the hf ic rdbl command I posted earlier (I assume you only read the last post I made, and not the one before it) to see what kind of response you get. That will determine how you go about the command to hopefully get your block 3 to where it needs to be.

I tried the command : hf ic rdbl -b 3 -k F9D201B9445C3784 --raw

It did not return anything. :unamused:

Anything else I can try to get back to initial state ?

Try it without the --raw modifier. The biggest hurdle will be recovering from your block 3 entry.

I just got to work, and kind of walked in to a shit show tonight. So, it’ll be a couple hours before I can work on anything else. I’ll try to work on a couple different options to see what we can come up with.

without going into too much detail, play around with the calcnewkey command. and use the various results to try with the rdbl -b 3 command.


hf ic rdbl -b 3 -k OF91A7CCFC449CCF
it’s been a while, but that’s the Kdiv xor value from the original key and what you explicitly typed using your csn.
if that doesn’t work, try
578CF3234E76313E and then
581D54EFB232ADF1 as the key. Hopefully one of them will work.

Also, what exactly does “did not return anything” mean? NO response at all? or failed? or?

I tried all the keys you mentioned - with and without --raw and always get no response = immediately back to the pm3 prompt.

okay, when I get some time tonight when I get home from work I’ll try to wrap my head around exactly what you have going on. I think there’s diversification that needs to be done with your can and the value you sent to block 3 and coming up with what we actually need to use currently as the key in order to write the correct value to block 3 for the master authentication key. There WILL be a viola moment…hopefully :crazy_face:

1 Like


hf ic rdbl -b 3 -k 1FAC2F3E42CC9DC9

if not, try the --raw…fingers crossed!

Not much luck with the new key, with or without --raw, still back to pm3 prompt. :cry:

hf ic rdbl -b 3 -k 8B33496B29F0424D

hf ic rdbl -b 3 -k 103D88F2BE880106

and hf ic info before moving the implant at all…to make sure that its just not a comm issue instead of a key issue.

I’m running out of ideas…But, I have a million things going on, so admittedly, it doesn’t have 110% of my attention. My apologies.


So…I’m wondering something.

hf ic rdbl -b 3 -k f13882c2bfa58467

Same results for new keys… no output.

Not a comm issue as hf ic info always works.

Okay…so I’m understanding your situation correctly. I want to make sure of a couple things.

You did or did not run a hf ic calcnewkey command before writing to block 3?
Did you just write the value F9D201B9445C3784to block 3 and call it a day?

Where did you come up with the value that you wrote to block 3?

I’m sure there is a way to recover, I’m just trying to work it out while juggling everything else.

No, I did not run a hf ic calcnewkey command before writing to block 3.

I mistakenly wrote the actual value F9D201B9445C3784 that came from block 3 read of my original badge.

Ah! That’s where the issue is! I need the csn of the original badge. I knew it was something small I was missing :stuck_out_tongue: