Help how to clone iclass/picopass

after running the command line
hf ic dump --ki 0 this is what showed up.
hopefully i get a little closer to actually copying this card. fingers crossed

Now we're getting somewhere!

This is what you're looking for. Blocks 6-9 are what you want to copy to your new card

is the link that @Pilgrimsmaster sent earlier, and it spells it out pretty straightforward for you.

hf ic wrbl -b 6 -d A30303030003E017 --ki 0

for block 6 and duplicate for 7-9 with the appropriate data, all caps, no spaces.

after writing blocks 6-9 manually, do the dump again to verify the cloned card matches the original and give it a try!

ok i hope it did it correct.
i duplicated blocks 6-9 like u mentioned and added the appropriate data. i did the ic dump info and as u can see in the new card blocks 6-9 are the same. the only number i noticed isn't the same is block 0, my original data numbers are different than the copy card. is that normal or did i miss something?
here's a picture of the hf ic dump info on new card. let me know if i did it right from the original card?

is my card really copied? crossing my fingers

i can't try it out till i get back to work but from what u see do you think i did it correct?

You can't change the UID but I believe from other people's comments that it is more concerned about the content of the card itself.

I assume that it uses some form of challenge/response with the card, but I have not looked into it.

If everything except block 0 is identical then you should be good. As you can't modify parts of block 0 (maybe all) then this shouldn't be a problem.

blocks 6-9 are identical
block 2,3,10,11,12,13,14,15,16, are not exact copy.
is that normal? i was only told to copy blocks 6-9 from above. was i supposed to copy every block or just from 6-9?
maybe blocks 6 through 9 are the only ones necessary to copy and the rest are just fillers. just thinking outside the box

Unfortunately this may be all for naught. Anything past block 7 is going to be SE blocks which aren't cloneable.

Good catch! I didn't even pay attention to anything past block 9! I've been so buried in my own projects, I guess I'm used to that. Still no progress on the SE cards?

SE cards are incredibly tricky and have yet to be cracked. Never say never, but they've been out for long enough with very little progress, I suspect it will be a long time, if ever, before they're cracked.

There's a very good paper on the original iClass security issues, called "Heart of Darkness".

As I understand, SE cards have those extra filled data blocks with data that is encrypted with the UID. Since we can't change the UID on these cards and we don't know exactly how these extra blocks are encrypted, we don't know how to decrypt and clone them to a new card.

Fingers crossed! One day it'll happen and we will know exactly how they're encrypted and someone smarter than me will figure out a way to reverse engineer! By then, there will be new more secure tech that will start the cycle all over again.

so if i understand well the card i copied blocks 6-9 onto the new card really isn't completely a copy of my original card since not every block was copied as well nor can they be if i understood correctly?

The short of it is that you'll likely not be able to use the cloned card on many readers, depending on how they're configured. Blocks 6-9 are what you'll need for any terminals that are not looking for the SE section of your card. If you clone blocks 6-9 and none of the readers are working, it's more than likely that they're looking for the SE data. Unfortunately, that data cannot be properly cloned.

can i know what SE section of the card means?

Any time anything secure is broken, there will be a rush to develop something new and more secure. It's an arms race that will never end. Non-SE has been broken for a long time, and SE is still somewhat a mystery, and yet it sounds to me that HID is working on even more secure systems.

I'm not sure I follow. Are you asking if there's a way to decode SE blocks, how to find SE blocks, how SE works, or something else?

Any data stored after block 9 will almost certainly be SE.

I thought what "SE" means was the question.

Secure Encryption?
Self Erasing?
Suicidal Elephants?

Aha! I'd guess SE means Secure Encryption/Edition but HID literally brands it as "iCLASS SE®".

Why Apple has iPhone SEs as the brand name is the real question.

i didn't know what SE stands for
I'm new to this cloning world.
i just thought buying the proxmark3 would be able to solve my issue of making copies of my work card.
if what you're telling me the picopass cards can't be copied for security reasons i guess i spent money that i could have spent elsewhere

the card at the bottom reads
HID iclass DP
no SE written on the card.
so maybe it's not a SE card?