Help how to clone iclass/picopass

so even if i get an original card (picopass) from the same supplier that my work buys them and cloned blocks 6-9 it still might not work?

i find out monday when i go back to work if cloning blocks 6-9 did the trick or not on todays card.

the reader in question is a standard parking gate card reader. since i have more then 1 car i wanted to have an additional card in the other car since i tend to forget to bring it and losing them happens to often so its easier for me to make my own copies then purchase a new one at 50$ a pop


(Disclaimer: I am not a mathematician nor a cryptographer. I’m a computer science undergraduate with a focus in machine learning. All of this to say I have some idea what I’m talking about but also have no clue what I’m talking about. Please take what I say with a grain of salt)

Think about it this way: All the SE blocks are the outputs of a big mathematical equation. As a completely random hypothetical example, let’s create BFG PClass SD, a completely fake brand that has a similar system to the HID iClass SE, just a completely different naming scheme. We’ve broken the SD system, and have somehow figured out the equation, which looks like this:

encryptedDataToStoreOnCard = log_15_ (3z((unencryptedData) * x^3 - y(unencryptedData^2)^3))

z, y are going to be some ungodly long prime numbers, and the whole thing is going to be a mess. x will be the card’s UID. If the system knows this equation and can read the UID, it can decode the data it’s reading properly, as it’s been programmed to know what z and y are. However, the user can’t do this because they don’t know z or y and definitely are not supposed to know the equation. Therefore, it’s secure: no one knows all the elements except the reader, and the software on the reader is obfuscated in such a way that someone who cracks it open won’t be able to figure out how secure it is. For extra security, we can have a different equation and z and y for multiple different blocks of data on the card, so that not one but multiple equations need to be found and solved.

The HID iClass SE system has a similar problem, which many are trying to solve: we just don’t know how to properly decode the system, as we don’t know all the elements and we don’t know how all the elements fit together.

before buying the proxmark3 on this website i asked the question on wheather or not it cloned picopass cards with the hid iclass dp logo and everybody said yes.
i guess what they meant by saying yes was eventually it should but not right now

I assume you’re referring to this post

To be clear: we have said that it has the functionality to read and clone blocks from HID cards. At no point did we say that there is a 100% guarantee that cloning will work properly and that you will have an all-in-one solution that will be easy to control. If you look back at all the things I’ve written about HID cards, I have always said that SE is not cloneable. We have no clue if and/or when it will ever be possible. I assume that there are researchers working on it now, but I personally doubt SE will be cracked any time in the near future. What we might have said is that DP cards can have the non-SE sections cloned with no problem and work fine.

Some DP cards don’t have SE blocks stored on them. Some do. It all comes down to what system your employer/school/whatever uses. You can’t win if you don’t enter, and the proxmark3 is your ticket.


i never imaged RFID cards were so complexed. Figured you scan a card on a scanner (proxmark3)that reads the data and copies it onto a blank card compatible to the same card. never imagined it to be so complex. ah well that’s life .
i’ll check back in the future who knows maybe someone might find a way to copy these types of cards with new technology

(Oversimplification ahead) Some cards are basically small computers running java applets. These don’t give you the ability to just read the entire card, so you can’t just clone them.

Have a look at your bank card some time if it is NFC capable.

1 Like

Don’t we all wish it were that simple. And by the same token, are glad that it’s not!

ok so i tried the cloned card with only blocks 6-9 copied and no it didn’t work so i figured tonight i try writing all of the blocks one by one and i was able to copy blocks 3-18 exactly the same without an issue. when i tried to copy blocks 2 and 1 i got writing failed so i said ok let me try a doing a
hf ic dump --ki 0 to see how it looks my cloned card so far but to my surprise

i cant see the data anymore because it says it has 2 application areas like in the photo i provided .something it never said till i try cloning block 2
what does this mean and how can i back track myself or fix the issue to see the data again.

do i need to wipe my cloned card and restart the process?
Can i even wipe my cloned card to re-enter data onto it again?
if yes what’s the command line to wipe the card clean and try re -entering the data. any information is greatly appreciated

Block 0 is the UID and cannot be changed. I’m not clear on what block 2 does, but I suspect that’s also not changeable.

Changing the application area sizes is likely to do nothing.

If you did not change block 1, you should be able to change the blocks 6+.

I wonder if one could write an Apex applet to emulate an HID card.

my issue is i dont see the data like i use to when i run the command line
hf ic dump --ki 0.
instead i get message saying card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F).
never say that before.

I’m wondering if you managed to change the partitioning on the card.

Just to make sure, can you restart ProxSpace?

You might have borked the card, which means that you’ll need a new card if you want to keep trying. :frowning:

At this point, if you’re planning on going the implant route, I might start talking to @amal about custom services.

Were you able to change the Debit/Credit keys? (Blocks 3+)

uh oh…you did a naughty!

writing directly to block 3 is a big no no! ask me how I know :stuck_out_tongue:

I’m not saying it’s impossible to recover from, as there are a few threads over on the proxmark forum I’ve read about reverse engineering the Kd-which is the debit key-aka block 3. It just honestly seemed like more work than it was worth for me (seeing as it was one of several blank cards that I had to experiment with)

@philidelphiaChickens he won’t be able to read or write any blocks or dump now, right? Changing the Kd by manually writing it to match the other credential creates a snafu when trying to authenticate via UID/master key. Or, did I misunderstand what I was reading?

yes. its only when i tried block 2, and 1 it said writing failed

Blocks 0-5 I try to stay well clear of as much as I can.

but all the other command lines still read the card . such as hf ic info. tells me all the info