Iclass SE converting Serial Number into data that can be written on a blank fob

Does anyone have an update on how to clone Iclass SE fobs? I have made some progress; see below. (I am using a multiclass iclass scanner and a proxmark3.)

As I understand, there is a way to take the Iclass serial number (found by scanning the RFID using a Multiclass Iclass reader; the iclass serial number was then shown as the following: iCLASS[0607816ac0]) and convert it to a number that you can then write to a 13.56 MHz card and now have a working copy of an iclass se fob.

The info that I read off the original Iclass se card is below. I want to know how to convert the scanned serial number into data that can be written on a new card.

proxmark3 scan of the iclass se card:

[=] --------------------- Tag Information ----------------------
[+] CSN: BE 2F 02 12 FE FF 12 E0 uid
[+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
[+] E-purse: EA FE FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
[+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
[+] AIA: FF FF FF 00 06 FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF 7F 1F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] 7F… chip
[=] 1F… mem
[=] FF… EAS
[=] 3C fuses
[=] Fuses:
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] -------------------------- Memory --------------------------
[=] 2 KBits/2 App Areas ( 256 bytes )
[=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read A… debit or credit
[=] Read B… debit or credit

that’s not how that works.

you need to extract the pacs data from within the iclass SE, something you’re unable to do because the SE key is unknown. you can’t just copy the serial number; you need the block data from within the tag, which is the actual important info.

E2A: you could go the route of weaponising an SE reader to obtain the pacs or scavenge a HID SE capable SAM & work that into your reading

Hi Equipter. Thanks for the info.

I saw a guy scan the Iclass se fob, retrieve just the number (I believe SN), and then produce a working iclass se fob based on just the SN number (i.e. 0607816ac0). I was trying to back-calculate it and come up with the data he used to create the new card… Does this sound familiar?

that isn’t how it works, can you link to where you saw that? the CSN is almost never used as part of the authentication and i am struggling to see how this person obtained the necessary data without SE reading equipment, which your pm3 certainly doesn’t have.

I saw it with my own eyes. I am sure there are a few ways to make this work.

The guy used this device to scan the original iclass se: Model OMNIKEY 5427 CK.

He was able to generate the 0607816ac0 number using that reader.

I was given the iclass se back, and he could generate a duplicate ONLY using the 0607816ac0 number - nothing else; no other info was provided.

I scanned the new card using my own proxmark3, and was able to get the data provided above.

How familiar are you with Iclass, iclass se?

the omnikey has the ability to read SE PACs data from within the card, which is what was provided to you.

your proxmark cannot do that.

I’m incredibly familiar with iclass.

also because i just HAVE to mention it: the data provided to you was not the serial number, it’s the PACs data. your serial number is here (and again is ignored as part of auth)

image

OK.

So based on him only using the ten-digit hex number, he was able to convert that into what was required to produce a working iclass se identical tag.

Thanks, I am not as familiar with these tags as you are.

Let me know what you think? I have both readers…

yes, he copied the pacs data (THE IMPORTANT DATA) from one to another. this isn’t something you can do because you cannot read nor write SE with a proxmark.

what is it you’re trying to achieve? because if you’re trying to make SE cards you’ll need the omnikey, not just the proxmark.

you can attempt downgrades to the legacy form of the credential that uses a known key via proxmark but if the system is checking for the SE auth and SIO you’d be shit out of luck.

Ok, just to confirm: the data he copied was the Pacs data (that 10 digit hex number)?
That’s the only info he had pulled from the tag.

I have the omnikey reader as well. I am trying to achieve what he did. Produce a working iclass se, using only that 10 digit hex number.

I want an exact replica (of the iclass se) like he produced for me.

Not sure if this helps, but I can access the OMNIKEY 5427 CK Reader Management and check how it reads the keys so I can confirm exactly what that 10 digit number is? If this helps?

you won’t be able to do that with just a proxmark

Just checked it, so the reader (OMNI) reads the iclass PACS data as you mentioned and just outputs that data. So the 10-digit hex output is the PACS data. So how to convert or write that data to a blank card?

i’m off out now but if you join here you’ll be well taken care of. Discord

You cannot originate iClass SE cards without an HID encoder (CP1000)

Thanks Equipter and Scorpion for the info.