HID Iclass proxmark3

Okay. Is there a way for me to see the data in that format? I’m just trying to wrap my head around what I’m actually looking at in the dump and info results.

I’ve done some digging elsewhere, and came up with a question that I can’t find an answer for.

The iClasss cards from redteamtools come non programmed and unpersonalized. I’ve come across mentions of the picopass personalization procedure. But I can’t find any documentation on it other than one or two mentions in various forum threads about needing it for the reader to recognize the card and to use the iclass master key instead of the picopass default key.

At the point I’m fairly confident that the flexclass is easily cloneable for what I need. But, not 100% so I’d like to be sure before the implant procedure.

@amal ? Any insight? I have 2 new cards that should be delivered today before I go to work tonight. Hopefully I’ll have some time to work on it tonight at work.

Finally had an opportunity to snap a pic of the reader. Some asshole broke it off the pole it was mounted on. To my delight :crazy_face:

And new cards came in the mail last night. I’ll work on it to ought at work :crossed_fingers:t2:

writing the authentication key to block 3…so the card from redteam is using the picopass default rather than the hid master. While the card is still in personalization mode, from what I gather on the proxmark forum, it’s a “true” write of the key to block 3 instead of the xor version of the key that would be necessary while in application mode. But, then how exactly do I put the card in application mode?

For the record, I have the same question posted over on the pm3 forum, but response times there aren’t quite what they are here. So, yea :crazy_face:

That is a great question and one I don’t have a good answer to. Let us know what you find out!

1 Like

SUCCESS! So, carl55 over on the pm3 forum helped me get over the hump. Ended up writing a config file to set the card in application mode and the new xor’d diversified key to use the HID master key vs the HID default. Then writing blocks 6-9 and viola!

I’m waiting on a reply from carl55 for a more detailed explanation so I can bring it over here! Huge thanks to everyone that’s helped out over here!


That’s great news! If you want to add it onto my HID Wiki, please do.

1 Like

Will do! When I get a reply and better explanation written up I’ll add the how-to for going from personalized to application mode and an easy to understand process for calculating the new keys.


Just got a confirmation on what I was waiting on to do the write up for iclass cloning for unprogrammed credential. I’ll work on it tonight at work. Probably send you @philidelphiaChickens a rough draft for review before adding to your thread.

Its the same reader that I have on one of my workplaces. The NEXT chip would read it but the software saw it as “unknown device” so they couldn’t enroll it. Will try again later with FlexM1 , hopefully this will work for enrolling. Fingers crossed!

No you probably need a flexclass for that.

1 Like

as @zwack said, you will definitely need a flexclass. Don’t make my initial mistake and think “HF is HF” and it’ll work.

flexclass is the only working implant that uses the iclass credential at this point. Do you have a proxmark and a valid credential for the reader?

1 Like

Anyone know when/if the flexclass will be back in stock?

From my understanding, IFis a yes, WHEN is also a yes :stuck_out_tongue: :grimacing:

I’m also very impatiently awaiting the restock!


Thanks to @yeka



The wiki at So You Want To Implant An HID Card - WIKIs - Dangerous Things Forum has been updated to reflect how to clone HID iClass legacy credentials NOT using HID iClass master authentication keys.

Read and enjoy!


This is great. Thank you so much for your hard work on this!


Ow okey , I based my answer on the google spreadsheet:

What is the “yes” for then if not enrolling or cloning?

There SHOULD be a link to a post where it was used, did you follow that?

Also it will depend on the software settings, If done strictly and allows HID only, it may not work, if opened to “Other” ISO14443-A and a UID it should.

Can you speak to the administrator and get access to the software enrollment page?

I have not found a link…
I will try with the flexm1 to get it enrolled with low hopes :smile:
Access to the software enrollment program will be impossible I am afraid. Its a huge building shared with multiple companies and its used for the car parking and elevator.