Does anyone have an update on how to clone Iclass SE fobs? I have made some progress see below. (I am using a multiclass iclass scanner and a proxmark3).
As I understand, there is a way to convert the Iclass Serial number (found by scanning the RFID using an Multiclass Iclass reader). (the iclass serial number was then shown as the following: iCLASS[0607816ac0] ) and convert it to a number that you can then write to a 13.56 MHz card and now have a working copy of an iclass se fob.
The info that I read off the original Iclass se card is below. I want to know how to convert the scanned serial number into data that can be written on a new card.
you need to extract the pacs data from within the iclass SE. something you’re unable to do because the SE key is unknown. you can’t just copy the serial number you need the block data from within the tag which is the actual important info.
E2A: you could go the route of weaponising an SE reader to obtain the pacs or scavenge a HID SE capable SAM & work that into your reading
I saw a guy scan the Iclass se fob, retrieve just the number (I believe SN), and then produce a working iclass se fob based on just the SN number (IE. 0607816ac0). I was trying to back-calculate it and come up with the data he used to create the new card… Does this sound familiar?
that isnt how it works, can you link to where you saw that? the CSN is almost never used as part of the authentication and i am struggling to see how this person obtained the necessary data without SE reading equipment which your pm3 certainly doesn’t have.
also because i just HAVE to mention it. the data provided to you was not the serial number its the PACs data. your serial number is here (and again is ignored as part of auth)
yes he copied the pacs data (THE IMPORTANT DATA) from one to another. this isn’t something you can do because you cannot read nor write SE with a proxmark.
what is it you’re trying to achieve because if you’re trying to make SE cards youll need the omnikey not just the proxmark.
you can attempt downgrades to the legacy form of the credential that uses a known key via proxmark but if the system is checking for the SE auth and SIO you’d be shit out of luck.
Not sure if this helps, but I can access the OMINKEY 5427 CK Reader Management and check how it reads the keys so I can confirm exactly what that 10 digital number is? If this helps?
Just checked it, so the reader (OMNI) reads the iclass PACS data as you mentioned and just outputs that data. So the 10-digit hex output is the PACS data. So how to convert or write that data to a blank card?