Help Cloning iCLASS / PicoPass Card

I have been trying to clone a card that I have. I just need a duplicate – not an implant or anything. After researching this, I thought a good first step would be to create a dump file. This is where I ran into some complications.

[usb] pm3 --> auto
[=] hf search
[+] iCLASS / Picopass CSN: CF 64 6D 16 FE FF 12 E0 
[+] Valid iCLASS tag / PicoPass tag found
[usb] pm3 --> hf iclass dump
[-] Run command with keys
[usb] pm3 --> hf iclass dump -k 3F90EBF0910F7B6F
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F).
[!!] failed to communicate with card

Can someone tell me what I am doing wrong? Is it possible to clone this card? How can I do so? I am using a proxmark3 easy.

I just grabbed the “iClass Master Key” from here. Is this correct? Cheatsheet

I’m useless with iClass / Picopass otherwise I would help you directly.

Use the search function

You are looking for anything from

@philidelphiaChickens AND/OR @NinjuhhNutz

They are the iClass Pico-Gurus

3 Likes

First things first -

  1. Where did you get 3F90EBF0910F7B6F from?
  2. Could you run hf iclass info and show the results?

@philidelphiaChickens first question was going to be mine. I can’t remember exactly who it was that told me (what seems like a lifetime ago) NOT to use explicitly typed keys, rather than the key index option in the proxmark.

Other than custom keys, the proxmark has the 3 most commonly used keys for the iclass cards.

I would try hf ic dump --ki 0 then try --ki 2 if it’s not successful. Odds are, you’re good with that. PLEASE do not write anything to block 1 or block 3. I’ve done it and it’s a nightmare, and I’m currently trying to help another forum member recover from that mistake.

I’d be willing to guess that was me, but honestly at this point who cares?
I’m also quite curious to see the info.

I agree completely.

1 Like

It was VERY well received advice, and has saved me quite a few times from fat fingering :stuck_out_tongue:

1 Like

I was able to get the dump working with hf ic dump --ki 0. I was also able to get this to emulate successfully with hf iclass sim 3 (it might have been slightly different, I don’t remember the command exactly).

Now that this works, I was wondering how I can write to a physical card. What are the steps for doing this from the dump file? What kind of card do I need? Does this look like the right kind?

That’s good to know. Could you please share the results of the dump? That’ll help us know if you’ll be able to properly clone to a new card.

Awesome! That looks good - I was worried that the card would have secure bits. It looks like you should be able to start cloning. For blocks 6-9, run hf iclass wrbl --ki 0 -b [block number] -d [numbers associated with block] with the new card on the reader.

No spaces in hex values, otherwise looks right! Also, on the target card, you can overwrite a block if you get it wrong, don’t stress about it!

1 Like

Thanks for all your help!

3 Likes

@philidelphiaChickens I see how it is! I get tied up at work for ONE night and don’t get a chance to visit the forum…and you go and have all the fun by yourself :crazy_face: :stuck_out_tongue_winking_eye:

@iand5739 you’re in good hands my friend!

4 Likes

Thanks to you both. Everything works great!

2 Likes

Hi all, does anyone know which implant I could clone this onto? I have an xMagic, xEM, xSIID and NExT; is one of these compatible?

Great implant selection you have.

However, of the ones you have, the only HF implant capable of cloning would be the xMagic, but I don't like your chances.

If you can enroll, there may be a possibility the NExT or xSIID may be compatible, but that will depend on the access system.

Your best chance would likely be the FlexClass

https://dangerousthings.com/product/flexclass/

I am attempting to back up a picopass 2k and I cannot get the command hf ic dump --ki 0 to do anything. Has this command been changed to something else in the recent ICEMAN fork?

What errors are you getting?

Have you tried hf iclass chk -f iclass_default_keys.dic

1 Like

No errors, it just does nothing. The command hf iclass chk -f iclass_default_keys.dic returns the following:
[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] Loaded 28 keys from dictionary file C:\ProxSpace\pm3\proxmark3\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+] CSN: 0E 6F B5 02 F8 FF 12 E0
[+] CCNR: 70 D1 FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...

[+] Found valid key AE A6 84 A6 DA B2 32 78

[+] time in iclass chk 2.1 seconds
[+] Key already at keyslot 0
[?] Try hf iclass managekeys -p to view keys

[usb] pm3

1 Like

Yep, it seems to have changed, hf ic doesn’t work anymore, use the full hf iclass

Awesome, that works. Results:
[usb] pm3 --> hf iclass dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.

[=] --------------------------- Tag memory ----------------------------

[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | 0E 6F B5 02 F8 FF 12 E0 | .o… | | CSN
[=] 1/0x01 | 12 FF FF FF 7F 1F FF 3C | …< | | Config
[=] 2/0x02 | 70 D1 FF FF FF FF FF FF | p… | | E-purse
[=] 3/0x03 | 53 9A A2 D2 C7 03 19 A0 | S… | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | … | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | … | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | … | | User / HID CFG
[=] 7/0x07 | 78 28 77 CB 52 6B 92 51 | x(w.Rk.Q | | User / Enc Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Enc Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Enc Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | … | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | … | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | … | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | … | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | … | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | … | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | … | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | … | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | … | | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential

[+] saving dump file - 19 blocks read
[+] Saved 152 bytes to binary file C:\ProxSpace\pm3/hf-iclass-0E6FB502F8FF12E0-dump.bin
[+] Saved to json file C:\ProxSpace\pm3/hf-iclass-0E6FB502F8FF12E0-dump.json
[?] Try hf iclass decrypt -f to decrypt dump file
[?] Try hf iclass view -f to view dump file

[usb] pm3

So I am guessing I need to figure out how to clone using the data from that output. Not certain… I've seen someone mention using hf iclass wrbl --ki 0 -b [block number] -d [numbers associated with block], writing blocks 6 through 9? I would gather I would need a picopass card to write to as well?

1 Like
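Seen from the card issuer's side, the session above shows a card whose debit key is found by the client's default dictionary, so its credential blocks are readable with any reader. The following is an added example, not code from the posters or from the Proxmark project: a Python check that reads a saved client log and reports that condition. The `audit` function, its field names and the trimmed sample log are assumptions constructed from the output quoted in this thread.

```python
import re

# Constructed sample: a trimmed client log built from the output quoted in this thread.
SAMPLE_LOG = """\
[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] Loaded 28 keys from dictionary file iclass_default_keys.dic
[+] CSN: 0E 6F B5 02 F8 FF 12 E0
[+] Found valid key AE A6 84 A6 DA B2 32 78
[usb] pm3 --> hf iclass dump --ki 0
[=]   6/0x06 | 03 03 03 03 00 03 E0 17 | ........ |   | User / HID CFG
[=]   7/0x07 | 78 28 77 CB 52 6B 92 51 | x(w.Rk.Q |   | User / Enc Cred
[=]   8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]   9/0x09 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[+] saving dump file - 19 blocks read
[+] Saved 152 bytes to binary file hf-iclass-0E6FB502F8FF12E0-dump.bin
"""

HEX8 = r"((?:[0-9A-F]{2} ){7}[0-9A-F]{2})"          # eight space-separated bytes
CSN_RE = re.compile(r"\[\+\] CSN: " + HEX8)
KEY_RE = re.compile(r"\[\+\] Found valid key " + HEX8)
DICT_RE = re.compile(r"\[\+\] Loaded (\d+) keys from dictionary file (\S+)")
ROW_RE = re.compile(r"^\[=\]\s+(\d+)/0x[0-9A-F]{2} \| " + HEX8 + r" \|.*\|\s*([^|]+?)\s*$", re.M)
READ_RE = re.compile(r"(\d+) blocks read")
SAVED_RE = re.compile(r"Saved (\d+) bytes to binary file")

def audit(log):
    """Summarise what one logged session says about a card's exposure."""
    csn, key, dic = CSN_RE.search(log), KEY_RE.search(log), DICT_RE.search(log)
    # Map block number -> (raw bytes, info label) for every table row in the log.
    rows = {int(n): (bytes.fromhex(d), info) for n, d, info in ROW_RE.findall(log)}
    cred = sorted(n for n, (_, info) in rows.items() if "Enc Cred" in info)
    read, saved = READ_RE.search(log), SAVED_RE.search(log)
    return {
        "csn": csn.group(1).replace(" ", "") if csn else None,
        # A dictionary was loaded and a key hit was logged: the card accepts a default key.
        "default_key": bool(dic and key),
        "credential_blocks": cred,
        # Each block is 8 bytes, so the saved file must be 8 * blocks read.
        "dump_size_consistent": bool(read and saved)
                                and int(read.group(1)) * 8 == int(saved.group(1)),
        # Exposed: credential blocks were dumped using a default-dictionary key.
        "exposed": bool(dic and key and cred),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
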