HID iClass Legacy PicoPass 2K Clone Error

Hi all, I have tried to clone my HID PicoPass 2k from my source fob to my destination fob. I’m getting the iCLASS restore failed error code. Does anyone know what I am doing wrong? Am i getting the wrong blank fob?

This is the hf iclass info for my source fob:

[usb] pm3 --> hf iclass info

[=] --- Tag Information ----------------------------------------
[+]     CSN: FD CC 61 11 FE FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: 34 FA FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- Card configuration --------------------
[=]     Raw... 12 FF FF FF 7F 1F FF 3C
[=]            12 (  18 ).............  app limit
[=]               FFFF ( 65535 )......  OTP
[=]                     FF............  block write lock
[=]                        7F.........  chip
[=]                           1F......  mem
[=]                              FF...  EAS
[=]                                 3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read AA1..... debit
[=]     Write AA1.... debit
[=]     Read AA2..... credit
[=]     Write AA2.... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

And this is the hf iclass info for my destination fob

[usb] pm3 --> hf iclass info

[=] --- Tag Information ----------------------------------------
[+]     CSN: 70 89 ED 15 FE FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: FE FF FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- Card configuration --------------------
[=]     Raw... 12 FF FF FF 7F 1F FF 3C
[=]            12 (  18 ).............  app limit
[=]               FFFF ( 65535 )......  OTP
[=]                     FF............  block write lock
[=]                        7F.........  chip
[=]                           1F......  mem
[=]                              FF...  EAS
[=]                                 3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read AA1..... debit
[=]     Write AA1.... debit
[=]     Read AA2..... credit
[=]     Write AA2.... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K
[usb] pm3 --> hf iclass info

[=] --- Tag Information ----------------------------------------
[+]     CSN: FD CC 61 11 FE FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: 34 FA FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- Card configuration --------------------
[=]     Raw... 12 FF FF FF 7F 1F FF 3C
[=]            12 (  18 ).............  app limit
[=]               FFFF ( 65535 )......  OTP
[=]                     FF............  block write lock
[=]                        7F.........  chip
[=]                           1F......  mem
[=]                              FF...  EAS
[=]                                 3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read AA1..... debit
[=]     Write AA1.... debit
[=]     Read AA2..... credit
[=]     Write AA2.... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K
[usb] pm3 --> hf iclass dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.

[=] --------------------------- Tag memory ----------------------------

[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | FD CC 61 11 FE FF 12 E0 | ..a..... |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | 34 FA FF FF FF FF FF FF | 4....... |   | E-purse
[=]   3/0x03 | 71 E6 51 B8 06 93 7D 44 | q.Q...}D |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | A3 03 03 03 00 03 E0 17 | ........ |   | User / HID CFG
[=]   7/0x07 | DF B9 34 52 A5 17 F2 3C | ..4R...< |   | User / Enc Cred
[=]   8/0x08 | 2A D4 C8 21 1F 99 68 71 | *..!..hq |   | User / Enc Cred
[=]   9/0x09 | 2B E7 39 3C F8 E7 1D 7E | +.9<...~ |   | User / Enc Cred
[=]  10/0x0A | 30 33 81 02 64 1C 83 02 | 03..d... |   | User / SIO / SR
[=]  11/0x0B | 04 10 A5 02 05 00 A6 08 | ........ |   | User / SIO / SR
[=]  12/0x0C | 81 01 01 04 03 03 00 08 | ........ |   | User / SIO / SR
[=]  13/0x0D | A7 17 85 15 95 5E CF 03 | .....^.. |   | User / SIO / SR
[=]  14/0x0E | 6F 43 9B 12 68 A9 45 7E | oC..h.E~ |   | User / SIO / SR
[=]  15/0x0F | 43 29 60 78 38 42 4B 0A | C)`x8BK. |   | User / SIO / SR
[=]  16/0x10 | EE A9 02 05 00 05 00 00 | ........ |   | User / SIO / SR
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential
[?] cyan = SIO / SR credential

[+] saving dump file - 19 blocks read
[+] Saved 152 bytes to binary file `C:\Users\User\Desktop\rrg_other-20240522-2b8ae4079cf869eaa6a01a2ecafa5ebeb03fb05f\client\/hf-iclass-FDCC6111FEFF12E0-dump-001.bin`
[+] Saved to json file `C:\Users\User\Desktop\rrg_other-20240522-2b8ae4079cf869eaa6a01a2ecafa5ebeb03fb05f\client\/hf-iclass-FDCC6111FEFF12E0-dump-001.json`
[?] Try `hf iclass decrypt -f` to decrypt dump file
[?] Try `hf iclass view -f` to view dump file

[usb] pm3 --> hf iclass restore -f hf-iclass-FDCC6111FEFF12E0-dump.bin --first 6 --last 18 --ki 0
[+] Using key[0] AE A6 84 A6 DA B2 32 78
[+] Loaded 152 bytes from binary file `hf-iclass-FDCC6111FEFF12E0-dump.bin`
[=] restore started...
[!] iCLASS restore failed
[usb] pm3 -->

Can you try a hf iclass chk -f iclass_default_keys.dic on the card you want to clone to?

2 Likes
[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] Loaded 28 keys from dictionary file `C:\Users\User\Desktop\rrg_other-20240522-2b8ae4079cf869eaa6a01a2ecafa5ebeb03fb05f\client\dictionaries/iclass_default_keys.dic`
[+] Reading tag CSN / CCNR...
[+]     CSN: 70 89 ED 15 FE FF 12 E0
[+]    CCNR: FE FF FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...

[+] Found valid key 20 20 66 66 66 66 88 88

[+] time in iclass chk 2.2 seconds
[+] Added key to keyslot 4
[?] Try `hf iclass managekeys -p` to view keys

This is what i’m getting when i did it on the destination fob.

This is the fob i got on AliExpress - and it has a sticker that says “iCopy-X iCL”.

Try hf iclass restore -f hf-iclass-FDCC6111FEFF12E0-dump.bin --first 6 --last 18 --ki 4

1 Like
[usb] pm3 --> hf iclass restore -f hf-iclass-FDCC6111FEFF12E0-dump.bin --first 6 --last 18 --ki 4
[+] Using key[4] 20 20 66 66 66 66 88 88
[+] Loaded 152 bytes from binary file `hf-iclass-FDCC6111FEFF12E0-dump.bin`
[=] restore started...
[#] Write block [  6/0x06] successful
[#] Write block [  7/0x07] successful
[#] Write block [  8/0x08] successful
[#] Write block [  9/0x09] successful
[#] Write block [ 10/0x0A] successful
[#] Write block [ 11/0x0B] successful
[#] Write block [ 12/0x0C] successful
[#] Write block [ 13/0x0D] successful
[#] Write block [ 14/0x0E] successful
[#] Write block [ 15/0x0F] successful
[#] Write block [ 16/0x10] successful
[#] Write block [ 17/0x11] successful
[#] Write block [ 18/0x12] successful
[+] iCLASS restore successful
[?] Try `hf iclass rdbl` to verify data on card

This looks extremely promising, you are such a legend. I’m going to try it out now - taking a 15 mins drive just to test this.

2 Likes

Hey, @equipter, sorry to bug you for questions again, but does the cloned card’s key have to match the source card’s key? It seems like that’s the one the reader would know to use, but I don’t know…

I also don’t know if that would vary from system to system, I know iClass is used for many applications of course… Is there like a general rule?

Thanks in advance!

Just tried the fob, unfortunately the reader does not even read the HID fob.

But the restore using --ki 4 was successful.

When i try to dump the new fob now, it’s giving this error

[usb] pm3 --> hf iclass dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

You have to use --ki 4 instead of --ki 0 for all the commands on the new card

I think at least one of the problems is that the reader is trying to authenticate with the card using key 0, but the card is expecting key 4 and so we get nowhere

What sort of reader do the fobs go to?

I tried with --ki 4, as well. It’s giving me the same error

[usb] pm3 --> hf iclass dump --ki 4
[+] Using AA1 (debit) key[4] 00 00 00 00 00 00 00 00
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card```

It’s on one of the regular HID iClass reader,
image

1 Like

It looks like it didn’t save the key to slot 4 permanently, you can use -k 2020666666668888 instead

I think you can manually save that key to one of the slots with the hf iclass managekeys command, but you’d have to play with it

Those readers can be used with a variety of different iClass credentials, and not all of them can be cloned, at least not that I’m aware of

I unfortunately don’t know enough to tell the difference between them just by looking at the dump, though if I had to guess this smells of SIO to me
(Here’s a thread that touches on that subject: HID Iclass Legacy 2k FOB with a HID iClass SE Reader R10)

Fortunately, the guy I’d go to for iClass and HID systems I already pinged earlier, so hopefully he’ll swoop in and help out :classic_smile:

In the meantime, I think if you run a hf iclass decrypt -f hf-iclass-FDCC6111FEFF12E0-dump.bin it may help narrow down the options

1 Like

Oh, also, because of this:

I think you might be stuck getting a new blank that takes key 0, if it does end up being a clone-able credential

But I’m not certain

CC @BananaPie

this is an iclass SR (legacy+sio)

its got standard keying so you wouldn’t need to do keyrolling as its not elite keyed, the issue here is that the SIO cannot be transferred successfully to another iclass card that has a different CSN, and you cannot change the CSN.

so you will not be able to make an SR clone, on a standard iclass legacy if you take the 6/7/8/9 and write them into the new iclass and change 0xA3 to 0x03 in the first byte of block 6, this will make your card not present as an iclass SR but just a standard legacy, IF the readers are configured to allow PACs over legacy, it should accept.

HID have been pushing sysadmins to manually disable legacy functionality when not actively in use so that may be disabled, worth a shot anyway.

are we sure that they’re iclass readers and not multiclass readers because if they’re multiclass readers you may also be able to attempt a PACs downgrade to a lower chipset HIDrox on a t5577.

to test this I would make two credentials, one T5577 HIDprox with the pacs encoding, and one legacy with the PACs encoding with that block 6 change.

sorry it took me a while to reply I’m at EMFCamp but I am following along interested to see if youre able to get this working.

2 Likes

Managed to get it working, it was due to the destination fob that I received.

Had to get the XOR div key, and write blk 3. After that i can use it as a standard keyed HID fob.

not sure if that makes sense.

1 Like

aha, the DRM tags from icopy-xs team…

They changed the key on those cards. Hence you need run the chk command.

You can liberate the card by swapping to the default AFA key.

3 Likes