Yes, ki0 is just the legacy key; you can’t use --ki0 on anything other than a legacy key.
Legacy - Uses globally static identical keys across cards (one of like 4 types of legacy, Ki0 being the default, others are weird sisters you rarely see)
SE - Uses a KDF known only to the internal SAM within the reader to build keys relevant to individual cards, making them applicable to all SE systems.
Elite - Uses a shared base key for the system deployment that is “rolled” against a base card relevant to its current encoding scheme (SE/legacy), forming a uniquely generated key for each card tied to the CSN, which the reader is able to generate upon first contact after establishing the encoding scheme (via AIA) and reading the CSN. Elite keyed cards can only be used within the system they’re encoded for and are not applicable to other elite keyed systems unless they happen to have the same elite key (this doesn’t happen by accident; HID doesn’t allow two clients to share a key).
SIO is a second layer of security that can be applied to all card types regardless of what kind of keying they have, encoding the PACS data using criteria from the specific card so that only that specific SIO blob is allowed.
Some systems will use SIO, SE, Elite on the card you’re given but still allow legacy to pass PACS, which makes all of those effectively useless security measures.