HID Iclass proxmark3

–ki 2 worked for me at least for rdbl/dump. (which is the same Kd key from picopass that I was using, but thanks for that tip! I’ll keep it in mind!) I did manually clone block 1 to the test card to match my functioning work badge. I’ll try it again omw out in a few hours.

I admit that I’m not that well versed in the key area. The debit and credit keys on my work badge vs the blank are very different. And, I’m not that familiar with the diversified keys either. Looks like I need to do some more reading! :man_facepalming:

okay so newest attemp = fail

at this point, I’m wondering if I done something that I shouldn’t have without realizing it, and I think I’m going to get a couple more cards from redteamtools. Support the business AND have spares is a double win! :metal:

here is the dump from my working badge and below it the cloned card. The only differences I see are the epurse and debit key. I may be missing something?

I should mention that I feel honored :stuck_out_tongue:

I have a post over on the proxmark forum (yes I mentioned there that I also had one here and sent a link) and actually got a reply from iceman himself! :metal:

anyways, carl55, mentioned that the redteamtools cards were shipped as unitialized/unprogrammed and that was part of the trouble that I was having getting it to work as a clone. Said that modifying the block 1 config and block 3 debit key for the card to behave as a programmed credential in order for the reader to see it and use the master authentication key vs default keys that the pm3 was already familiar with. I wasn’t expecting that and I’m pretty sure I let the smoke out of the card, as now I can’t get a successful read. I think frustration got the best of me and I pulled the trigger before I had fully wrapped my head around what I was trying to do. I have a couple new cards otw, so I guess a fresh start is a good thing!

I’ll keep one tucked away for safe keeping and document in detail every command issued and the results so I can learn from that little uh oh!

1 Like

Out of curiosity, did you change block 1?


Top photo is my flexClass (though admittedly I Foolishly cloned blocks that won’t work). Bottom is the source data. I left blocks 1 and 3 unchanged.

Changing block 1 might have been your undoing. Block one has the data configuration stored in it, which means that you probably locked yourself out of the card. I think the first bitpair is the lock for writing data to the card.

1 Like

I figured as much. I appreciate the info. When the new cards come in, I guess I’ll start over. No touchy touchy block 1 haha got it!

Sounds good. Please let us know how you fare! I’m looking forward to hearing more from you about this project.

You might also find this interesting. More details on which bit pairs are which fuses.

okay so I just remembered something that I’ve wanted to ask, but I’m never at a good place to ask it when I think of it. Figures…

I get the data written in hex, what I don’t get is where that corresponding decimal value comes from? is there a reference that I haven’t been able to find? I’m not sure if it makes as much sense in a question form as it does in my head?

It’s the ASCII representation of the Hex data.

1 Like

That I understand, but what the data actually refers to is what I’m unclear on.

In this case nothing, but if it was an NDEF then you could read it there.

The proxmark 3 is a multi purpose tool. It shows various bits of data in several formats as it doesn’t know what will make sense.

Okay. Is there a way for me to see the data in that format? I’m just trying to wrap my head around what I’m actually looking at in the dump and info results.

I’ve done some digging elsewhere, and came up with a question that I can’t find an answer for.

The iClasss cards from redteamtools come non programmed and unpersonalized. I’ve come across mentions of the picopass personalization procedure. But I can’t find any documentation on it other than one or two mentions in various forum threads about needing it for the reader to recognize the card and to use the iclass master key instead of the picopass default key.

At the point I’m fairly confident that the flexclass is easily cloneable for what I need. But, not 100% so I’d like to be sure before the implant procedure.

@amal ? Any insight? I have 2 new cards that should be delivered today before I go to work tonight. Hopefully I’ll have some time to work on it tonight at work.

Finally had an opportunity to snap a pic of the reader. Some asshole broke it off the pole it was mounted on. To my delight :crazy_face:

And new cards came in the mail last night. I’ll work on it to ought at work :crossed_fingers:t2:

writing the authentication key to block 3…so the card from redteam is using the picopass default rather than the hid master. While the card is still in personalization mode, from what I gather on the proxmark forum, it’s a “true” write of the key to block 3 instead of the xor version of the key that would be necessary while in application mode. But, then how exactly do I put the card in application mode?

For the record, I have the same question posted over on the pm3 forum, but response times there aren’t quite what they are here. So, yea :crazy_face:

That is a great question and one I don’t have a good answer to. Let us know what you find out!

1 Like

SUCCESS! So, carl55 over on the pm3 forum helped me get over the hump. Ended up writing a config file to set the card in application mode and the new xor’d diversified key to use the HID master key vs the HID default. Then writing blocks 6-9 and viola!

I’m waiting on a reply from carl55 for a more detailed explanation so I can bring it over here! Huge thanks to everyone that’s helped out over here!


That’s great news! If you want to add it onto my HID Wiki, please do.

1 Like

Will do! When I get a reply and better explanation written up I’ll add the how-to for going from personalized to application mode and an easy to understand process for calculating the new keys.


Just got a confirmation on what I was waiting on to do the write up for iclass cloning for unprogrammed credential. I’ll work on it tonight at work. Probably send you @philidelphiaChickens a rough draft for review before adding to your thread.