Need help cloning HID iClass Legacy

Hello all! I’m a new member but have been lurking for a long time. I’ve mostly used my proxmark for lf research and cloning.

I’ve recently had need to clone an iClass Legacy credential and thought it would be fairly simple from what I had been reading here over the course of looking into lots of things.

When I run the hf ic info command I get the following:

[=] --------------------- Tag Information ----------------------
[+]     CSN: 02 15 9F 00 F8 FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: FC E1 FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key, hidden
[+]      Kc: 00 00 00 00 00 00 00 00  credit key, hidden
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF 7F 1F FF 3C
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=]     AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit or credit
[=]     Read B....... debit or credit
[=]     Write A...... credit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

Which shows it’s an iClass Legacy credential.

When I run any command like: “hf ic dump --ki 0” I get a response like:

[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

When I run hf search I get:

pm3 --> hf search
[\] Searching for iCLASS / PicoPass tag...
[+] iCLASS / Picopass CSN: 02 15 9F 00 F8 FF 12 E0

[+] Valid iCLASS tag / PicoPass tag found

When I run “hf ic chk -f iclass_default_keys.dic” I get:

[+] loaded 11 keys from dictionary file C:\Working\ProxSpace\pm3\proxmark3\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+]     CSN: 02 15 9F 00 F8 FF 12 E0
[+]    CCNR: FC E1 FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...
[/]Chunk [000/11]
[+] time in iclass chk 2.3 seconds

It doesn’t say that it found any valid keys for it.

I’m starting to wonder if the readers are set to use a non standard key or something else I’m not thinking of.

[ CLIENT ]
RRG/Iceman/master/v4.14434-62-gf4487abed 2021-10-16 14:42:19
compiled with… MinGW-w64 10.3.0
platform… Windows (64b) / x86_64

[ PROXMARK3 ]
firmware… PM3 GENERIC

[ ARM ]
bootrom: RRG/Iceman/master/v4.14434-62-gf4487abed 2021-10-16 14:44:03
os: RRG/Iceman/master/v4.14434-62-gf4487abed 2021-10-16 14:44:34
compiled with GCC 10.1.0

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 53% used )


Sorry for the long post with a bunch of copied outputs but I’m stumped and need a push in the right direction.

I’ve scoured the internet and this forum for people having the same issue but have only found @695 and the info posted in Cloning a HID IClass 2k key fob - #19 by 695

I also think the info from @NinjuhhNutz posted in So You Want To Implant An HID Card may also be key but I can’t quite figure out what’s going on…

Thanks if you read this far, any help would be most appreciated!

I can’t be much help personally, and you have already tagged NinjuhhNutz above, but I’ll also throw out a @philidelphiaChickens who is also quite knowledgeable with iClass

Thank you, kindly!

Yes, I have some thoughts. This week is beyond crazy busy, and I will respond when I can. Sorry!

Thanks so much, I’d greatly appreciate any help you can offer when you get the time!

Try

hf ic dump --ki 1
hf ic dump --ki 2

maybe it’s using one of the other keys that the pm3 has built in (if we’re lucky)

iirc the “failed to communicate with card” error is coming from a failed authentication due to wrong key.

also…the directory on your dictionary files looks a bit odd.

\dictionaries/iclass_default_keys.dic

vs

\dictionaries\iclass_default_keys.dic

that may also give you different results.

let us know what you find!

Hey @NinjuhhNutz thanks so much for the suggestions.

I get the same responses when trying keys one and two. I have also tried any other keys I’ve found online from other documentation.

[usb] pm3 --> hf ic dump --ki 1
[+] Using AA1 (debit) key[1] 76 65 54 43 32 21 10 00
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card
[usb] pm3 --> hf ic dump --ki 2
[+] Using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

I hadn’t noticed the directory, good eye! I have tried all the keys in the iclass_default_keys and iclass_other with the same results.

Hey All,

I’ve finally made some progress while using the sim command and running a LOCLASS attack on a reader on site and using a valid known CSN:

hf iclass sim -t 2 --csn [CSN OF VALID CARD]

Which gave me the iclass_mac_attack.bin that has allowed me to run:

hf iclass loclass -f iclass_mac_attack.bin

Which gave me the keys being used in a couple of formats (I ended up using the ICLASS format) which then lets me run:

hf iclass managekeys --ki 7 -k [HID ICLASS FORMAT KEY FROM COMMAND ABOVE]

Which saves the key into slot 7 of the managed iclass keys (so you don’t mistype them) and can then run:

hf iclass dump --ki 7 --elite

Which then dumps the card using the key stored in slot 7 after elite computations have been applied.


So now I’ve finally been able to dump the data off the credentials using the custom keys.

I’m now waiting for my writable cards to arrive so I can see how simple it will be to write the blocks needed to the new cards and have them recognised by the readers on site.

I’ll probably come crawling back with more questions once I have a crack at writing and testing the new cards.

Wish me luck…

Well done! I hadn’t thought of doing that. It sounds like you’ve got a good handle on things. Sorry for the delay in responding. Let us know how you fare in the future!

@adrawat I’m also getting timeout while waiting for reply. Have you had any progress?

@midnitesun Yes, it worked for me same as AustralianElectrical.
I was running the sim command on my iclass card without reading things properly. When I ran the sim command on the READER on site, it went exactly as mentioned by AustralianElectrical.

All the best to you.

@AustralianElectrical What blocks did you copy from your elite card to the standard iclass to get it working?

You don’t. You have to keyroll your new card to the elite key.

Thanks @scorpion. Really appreciate it.
If possible, can you please share any link or page for the Keyroll process/command.

Okay, so I was able to do the clone of my iClass legacy card with elite keys into a standard iClass legacy card. Thanks to this post.

Below are the steps (after you know the ELITE key saved on memory index 7 of managekeys):

Step 1: Place the new iClass standard card on the Proxmark for all the steps.
hf ic info

Check “Fuses: mode” in the result. For me it was “APPLICATION”. Very important: only go to step 2 if this mode is the same for you, otherwise go for the above mentioned post.

Step 2: hf iclass calcnewkey --oki X --nki 7 --elite
Where X is the memory index in managekeys that holds the master authentication key of the new standard iClass legacy card,
and on memory index 7 I have saved the Elite key of the existing card I am trying to clone.
Note down the XOR keys (only for application mode).

Step 3: hf iclass wrbl -b 3 -d <XOR key> --ki X
Please note: cross-check everything before running this command. If the XOR key is not correct or any incorrect key is input, this command might brick your card/fob. So, be very careful.
Again, X is the memory index in managekeys that holds the master authentication key of the new standard iClass legacy card.

Step 4: Write the same values that the existing iClass elite card has in blocks 6 to 9 to the new iClass card.

hf iclass wrbl -b 6 -d RequiredValue --ki 7 --elite
hf iclass wrbl -b 7 -d RequiredValue --ki 7 --elite
hf iclass wrbl -b 8 -d RequiredValue --ki 7 --elite
hf iclass wrbl -b 9 -d RequiredValue --ki 7 --elite

All the best.

Hey guys,
The instructions above have worked wonders for me.
I was able to run a loclass attack on my RFID reader and find the elite key to unlock my iClass legacy key fob.
Only difference I found was that my key fob came with user SIO/SR credentials for blocks 10-16.
I followed the instructions from adrawat’s post above and copied both user credentials (blocks 6-9) and user SIO credentials (blocks 10-16) onto a new key fob (exact model/match to the old key fob).
I ran hf iclass dump --ki 7 --elite on my new fob to double check and saw the copied credentials.
I then went to try it out on my building’s reader, which did not recognize the new fob.
When I brought the fob back to check if any of my credentials were copied incorrectly, it could no longer be read by the proxmark3 using key 7.
After running hf iclass info, I get the following:


Under Fuses:crypt it says “No auth possible. Read only if RA is enabled”
For the other normal readable cards, I get Fuses: crypt “Secured page, keys not locked.”
Just wondering if I bricked my key fob somehow, or if my building’s reader somehow locked my fob?
Happy to try again without copying SIO/SR credentials, but thought I would ask to see if anyone has experienced this before.
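Both the `Config:` line in the first post’s `hf ic info` output and the “No auth possible. Read only if RA is enabled” reading in the last post come from the same 8-byte configuration block, so it helps to see how those fields are decoded. The script below is an added example for this thread, not code from any of the posts and not the proxmark3 project’s own code. It assumes the field order the thread’s output shows (app limit, OTP, block write lock, chip, mem, EAS, fuses), the fuse bit names as I recall them from the proxmark3 client, and a 2K card whose last block is 31; the second fuses value `0x24` is constructed, since the last post does not show its raw bytes, and is simply the first post’s `0x3C` with the two CRYPT bits cleared, which is the pattern that decodes to “No auth possible”.

```python
# Added example for this thread, not code from the posts or from the proxmark3 project.
# Decodes the 8-byte iCLASS / PicoPass configuration block that `hf ic info`
# prints as "Config:", using the field order shown in the thread's output:
# app limit, OTP (2 bytes), block write lock, chip, mem, EAS, fuses.
# Fuse bit names follow the proxmark3 client's naming as I recall it (assumption).

FUSE_BITS = {
    "FPERS":   0x80,  # set = personalization mode, clear = application (locked)
    "CODING1": 0x40,
    "CODING0": 0x20,
    "CRYPT1":  0x10,
    "CRYPT0":  0x08,
    "FPROD1":  0x04,
    "FPROD0":  0x02,
    "RA":      0x01,  # read access without authentication
}

CRYPT_MODES = {
    0: "No auth possible. Read only if RA is enabled",
    1: "Non secured page",
    2: "Secured page, keys locked",
    3: "Secured page, keys not locked",
}


def decode_fuses(fuses: int) -> dict:
    """Interpret the fuses byte the way the thread's `hf ic info` output does."""
    if fuses & FUSE_BITS["CODING1"]:
        coding = "RFU"
    elif fuses & FUSE_BITS["CODING0"]:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443-B only"
    crypt = (fuses >> 3) & 0x03  # CRYPT1:CRYPT0 read as a 2-bit value
    return {
        "mode": "Personalization (open)" if fuses & FUSE_BITS["FPERS"] else "Application (locked)",
        "coding": coding,
        "crypt": CRYPT_MODES[crypt],
        "read_access": bool(fuses & FUSE_BITS["RA"]),
        "auth_possible": crypt != 0,
    }


def parse_config(hexstr: str, max_block: int = 31) -> dict:
    """Parse the 'Config:' bytes as printed by `hf ic info` (max_block 31 for a 2K card)."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("configuration block must be exactly 8 bytes")
    app_limit = raw[0]
    info = {
        "app_limit": app_limit,
        "otp": int.from_bytes(raw[1:3], "big"),
        "block_write_lock": raw[3],
        "chip": raw[4],
        "mem": raw[5],
        "eas": raw[6],
        "fuses": raw[7],
        # Application area 1 starts at block 6 and ends at the app limit;
        # the blocks above it, up to the last block, belong to area 2.
        "aa1_blocks": (0x06, app_limit),
        "aa2_blocks": (app_limit + 1, max_block) if app_limit < max_block else None,
    }
    info.update(decode_fuses(raw[7]))
    return info


def cleared_fuse_bits(before: int, after: int) -> list:
    """Names of fuse bits that were 1 in `before` and are 0 in `after`.
    Handy for comparing two `hf ic info` readings of the same card."""
    return [name for name, mask in FUSE_BITS.items() if (before & mask) and not (after & mask)]


if __name__ == "__main__":
    # Config bytes exactly as shown in the first post of the thread.
    original = parse_config("12 FF FF FF 7F 1F FF 3C")
    for key in ("app_limit", "aa1_blocks", "aa2_blocks", "mode", "coding", "crypt", "read_access"):
        print(f"{key:13} {original[key]}")

    # Constructed value: the same block with CRYPT1/CRYPT0 cleared. The last post
    # does not show its raw bytes; this is the bit pattern that decodes to "No auth possible".
    damaged = parse_config("12 FF FF FF 7F 1F FF 24")
    print("crypt after  ", damaged["crypt"])
    print("bits cleared ", cleared_fuse_bits(original["fuses"], damaged["fuses"]))
```

Running it on the first post’s bytes reproduces the app limit of 18 (0x12), AA1 as blocks 6 to 18, AA2 as blocks 19 to 31, and the “Secured page, keys not locked” / “Read access not enabled” lines; comparing against the constructed `0x24` shows that only the two CRYPT fuse bits differ, which is the single thing separating a card that can still authenticate from one that reports “No auth possible”.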