iClass Card Identification and Possible Cloning

In addition to the new apartment key from my other post, I’ve also gotten a new job that has given out some IDs which I couldn’t help but take a look at. They are iCLASS, but as I’ve been reading here, that doesn’t mean a whole lot in terms of figuring out if it’s clonable. The writing on the back says it’s a HID iClass Px D9P, which I’d never heard of and couldn’t find online.

Running an lf search nets me the following:

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] [C1k48s  ] HID Corporate 1000 48-bit std    FC: 4530  CN: 85581  parity ( ok )
[=] found 1 matching format
[+] DemodBuffer:
[+] 1D96A9555555555555555556655556569A59555996A5969A

[=] raw: 09e0000000014011b2029c9b

[+] Valid HID Prox ID found!

[=] Couldn't identify a chipset

The hf search alternatively gets me

[usb] pm3 --> hf search
[|] Searching for iCLASS / PicoPass tag...
[+] iCLASS / Picopass CSN: 10 73 EB 02 F8 FF 12 E0

[+] Valid iCLASS tag / PicoPass tag found

and further investigation with an hf iclass info gets us:

[usb] pm3 --> hf iclass info

[=] --------------------- Tag Information ----------------------
[+]     CSN: 10 73 EB 02 F8 FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: E6 FF FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF 7F 1F FF 3C
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit
[=]     Read B....... credit
[=]     Write A...... debit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

Also looks like it’s using default keys:

[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] loaded 28 keys from dictionary file C:\Proxmark\ProxSpace\ProxSpace\pm3\proxmark3\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+]     CSN: 10 73 EB 02 F8 FF 12 E0
[+]    CCNR: E6 FF FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...

[+] Found valid key AE A6 84 A6 DA B2 32 78

[+] time in iclass chk 0.7 seconds
[+] Key already at keyslot 0
[?] Try `hf iclass managekeys -p` to view keys

Since it’s legacy, would the flexClass work as a possible replacement/cloneable solution?
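The hf iclass info output above is a decode of the 8-byte configuration block (block 1). As an added example, not code from the thread or from the Proxmark3 project, here is a parser for that block; the fuse bit assignments follow the PicoPass fuse map as this example's author reads it, and the sample input is the thread's own block, so every decoded field can be checked against the lines above.

```python
# Added example, not code from the thread or from the Proxmark3 project:
# decode the 8-byte PicoPass configuration block (block 1) into the fields
# that "hf iclass info" prints. Fuse bit assignments follow the PicoPass
# fuse map as this example's author reads it; the sample block is the one
# quoted in the thread, so every decoded field can be checked against it.

CONFIG_HEX = "12 FF FF FF 7F 1F FF 3C"   # from the thread's hf iclass info

FUSE_FPERS, FUSE_CODING1, FUSE_CODING0 = 0x80, 0x40, 0x20
FUSE_CRYPT1, FUSE_CRYPT0 = 0x10, 0x08
FUSE_FPROD1, FUSE_FPROD0, FUSE_RA = 0x04, 0x02, 0x01

# Crypt1/Crypt0 personalisation fuses (assumed mapping; 0x18 matches the thread)
CRYPT_MODES = {
    0x18: "Secured page, keys not locked",
    0x10: "Secured page, keys locked",
    0x08: "Non secured page",
    0x00: "No authentication possible",
}


def parse_config_block(hex_str):
    """Decode one PicoPass config block; raises on anything but 8 bytes."""
    b = bytes.fromhex(hex_str.replace(" ", ""))
    if len(b) != 8:
        raise ValueError("PicoPass config block is exactly 8 bytes")
    app_limit, otp_lo, otp_hi, block_lock, chip, mem, eas, fuses = b
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443-B only"
    return {
        "app_limit": app_limit,                 # last block of application area 1
        "otp": otp_lo | (otp_hi << 8),          # 16-bit OTP counter, little-endian
        "block_write_lock": block_lock,
        "chip": chip, "mem": mem, "eas": eas,
        "mode": ("Personalization (open)" if fuses & FUSE_FPERS
                 else "Application (locked)"),
        "coding": coding,
        "crypt": CRYPT_MODES[fuses & (FUSE_CRYPT1 | FUSE_CRYPT0)],
        "read_access_enabled": bool(fuses & FUSE_RA),
        # FPROD1 set and FPROD0 clear is what the thread's 0x3C reports as default
        "default_production_fuses": bool(fuses & FUSE_FPROD1) and not (fuses & FUSE_FPROD0),
        # AA1 is blocks 6..app_limit, AA2 runs from there to block 31 on a 2K page
        "aa1_blocks": (6, app_limit),
        "aa2_blocks": (app_limit + 1, 31),
    }
```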

Dump it using the key you found, and post that.

[usb] pm3 --> hf iclass chk -f iclass_default_keys.dic
[+] loaded 28 keys from dictionary file C:\working\ProxSpace\pm3\proxmark3\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+]     CSN: CB 0E 9C 15 FE FF 12 E0
[+]    CCNR: FF FF FF FF FD FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...
[\]Chunk [000/28]
[+] time in iclass chk 0.9 seconds

Hmm… seems this has keys that are not in the dictionary… lame. Info gets me:

[usb] pm3 --> hf iclass info

[=] --------------------- Tag Information ----------------------
[+]     CSN: CB 0E 9C 15 FE FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: FF FF FF FF FD FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF 00 06 FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF 7F 1F FF 3C
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit
[=]     Read B....... credit
[=]     Write A...... debit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS SE
[+]     Card type.... PicoPass 2K

I’m not sure if sniffing with the legit reader would help here… are comms between reader and iClass secured?

Never mind the first thing I said. iClass SE means no dumping it. Your only option is to record the wiegand data off a wall reader or omnikey and then use the proxmark to encode block 7 onto a legacy card. This only works if your target reader accepts legacy.


If I had to guess, then I’d say probably since this company is no stranger to access ID management.

Why does yours say it’s an SE card? Did I miss something in my hf iclass info?

It says it’s an SE card… because it is. Yours is legacy.

I didn’t know there was such a thing as iClass SE Legacy? Is Amal testing a different card, or did I miss something in my own Proxmark readings?

His card is different. SE is not legacy. It is based on the same card technology (picopass) but uses different (unknown) master keys and KDF. It was created by HID in response to the legacy master keys being leaked.

Ah cool then, so if mine is legacy, it should be flexClass capable, no?

Most likely. If you can show me the full output of hf iclass dump --ki 0, I can say for sure.

Yep, produces the following:

[=] --------------------------- Tag memory ----------------------------

[=]  block#  | data                    | ascii    |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=]   0/0x00 | 10 73 EB 02 F8 FF 12 E0 | .s...... |   | CSN
[=]   1/0x01 | 12 FF FF FF 7F 1F FF 3C | .......< |   | Config
[=]   2/0x02 | FF FF FF FF D9 FF FF FF | ........ |   | E-purse
[=]   3/0x03 | 05 96 50 5C 2B 0E 49 89 | ..P\+.I. |   | Debit
[=]   4/0x04 | FF FF FF FF FF FF FF FF | ........ |   | Credit
[=]   5/0x05 | FF FF FF FF FF FF FF FF | ........ |   | AIA
[=]   6/0x06 | FF FF FF FF FF FF FF FF | ........ |   | User / Cred
[=]   7/0x07 | FF FF FF FF FF FF FF FF | ........ |   | User / Cred
[=]   8/0x08 | FF FF FF FF FF FF FF FF | ........ |   | User / Cred
[=]   9/0x09 | FF FF FF FF FF FF FF FF | ........ |   | User / Cred
[=]  10/0x0A | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  11/0x0B | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  12/0x0C | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  13/0x0D | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  14/0x0E | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  15/0x0F | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  16/0x10 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  17/0x11 | FF FF FF FF FF FF FF FF | ........ |   | User
[=]  18/0x12 | FF FF FF FF FF FF FF FF | ........ |   | User
[=] ---------+-------------------------+----------+---+----------------

Dump is also [here](https://file.io/YfJNELSXzgdC).

Oh, that’s odd. 2 questions: where are you geographically, and what does this card do?

Up in Canada, and it does entry into our office buildings.

Do you have a picture of the readers? Do they have HID branding on them?

Yep, they’re HID readers; they look similar to this guy, but I’m not certain what’s written on the bottom bit:

Ah, you said the card is “iClass Px”, right? The iClass side is blank because they’re only using Prox right now.

Try lf search on your card.

Yep, it says it’s an iClass Px D9P on the back. LF search gets us:

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] [C1k48s  ] HID Corporate 1000 48-bit std    FC: 4530  CN: 85581  parity ( ok )
[=] found 1 matching format
[+] DemodBuffer:
[+] 1D96A9555555555555555556655556569A59555996A5969A

[=] raw: 09e0000000014011b2029c9b

[+] Valid HID Prox ID found!

Nice. All you need is an xEM or next

Already got a flexMN and flexMT so they’re built in. I ran into trouble with the actual writing though. It told me that:

[usb] pm3 --> lf hid clone -r 09e0000000014011b2029c9b
[=] Preparing to clone HID tag using raw 09e0000000014011b2029c9b
[#] Tags can only have 84 bits
[=] You can cancel this operation by pressing the pm3 button

And then it just hangs indefinitely.
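The lf search output earlier in the thread identifies the raw value as a HID Corporate 1000 48-bit (C1k48s) frame with FC 4530 and CN 85581, and the clone attempt above is rejected with an 84-bit limit. As an added example, not code from the thread or from the Proxmark3 project, the decoder below strips the extended-length header, locates the sentinel bit, extracts both fields and verifies the three parity bits; the field and parity positions follow the C1k48s format as this example's author reads it, and the 84-bit check is this author's reading of the quoted firmware message.

```python
# Added example, not code from the thread or from the Proxmark3 project:
# decode the raw HID Prox value that "lf search" printed for this card with
# the HID Corporate 1000 48-bit (C1k48s) layout and verify its parity bits.
# Field and parity positions follow the C1k48s format as this example's
# author reads it; the sample raw is the one quoted in the thread.

RAW_HEX = "09e0000000014011b2029c9b"   # from the thread's lf search output
MAX_CLONE_BITS = 84                     # limit named in the clone error above

def raw_to_payload(raw_hex):
    """Drop the extended-length header above bit 84, locate the sentinel bit
    and return (bit_length, payload). Assumes the >37-bit sentinel layout."""
    body = int(raw_hex, 16) & ((1 << MAX_CLONE_BITS) - 1)
    if body == 0:
        raise ValueError("no sentinel bit found in raw value")
    length = body.bit_length() - 1          # sentinel is the highest set bit
    return length, body & ((1 << length) - 1)

def bit(value, length, pos):
    """MSB-first access: pos 0 is the first bit of the Wiegand frame."""
    return (value >> (length - 1 - pos)) & 1

def field(value, length, start, width):
    return (value >> (length - start - width)) & ((1 << width) - 1)

def parity(value, length, positions):
    return sum(bit(value, length, p) for p in positions) & 1

def decode_c1k48s(raw_hex):
    """Return facility code, card number and whether all three parity bits check."""
    n, payload = raw_to_payload(raw_hex)
    if n != 48:
        raise ValueError(f"expected a 48-bit frame, got {n} bits")
    fc = field(payload, n, 2, 22)           # 22-bit facility code
    cn = field(payload, n, 24, 23)          # 23-bit card number
    # P1 (bit 1): even parity over bits 2..47, skipping every third bit
    p1 = bit(payload, n, 1) == parity(payload, n, [i for i in range(2, 48) if i % 3 != 1])
    # P2 (bit 47): odd parity over bits 1..46
    p2 = bit(payload, n, 47) == (parity(payload, n, range(1, 47)) ^ 1)
    # P3 (bit 0): odd parity over bits 1..47, skipping every third bit
    p3 = bit(payload, n, 0) == (parity(payload, n, [i for i in range(1, 48) if i % 3 != 0]) ^ 1)
    return {"fc": fc, "cn": cn, "parity_ok": p1 and p2 and p3}

def exceeds_clone_limit(raw_hex):
    """True when bits above 84 are set in the raw, the condition this example's
    author takes the firmware's 'Tags can only have 84 bits' message to report."""
    return (int(raw_hex, 16) >> MAX_CLONE_BITS) != 0
```

Flipping any single bit of the raw makes at least one parity check fail, which is the same check behind the "parity ( ok )" the search output reports.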