Need help cloning HID iClass Legacy

Hello all! I’m a new member but have been lurking for a long time. I’ve mostly used my proxmark for lf research and cloning.

I’ve recently had need to clone an iClass Legacy credential and thought it would be fairly simple from what I had been reading here over the course of looking into lots of things.

When I run the hf ic info command I get the following:

[=] --------------------- Tag Information ----------------------
[+]     CSN: 02 15 9F 00 F8 FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: FC E1 FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key, hidden
[+]      Kc: 00 00 00 00 00 00 00 00  credit key, hidden
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF 7F 1F FF 3C
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=]     AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit or credit
[=]     Read B....... debit or credit
[=]     Write A...... credit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

Which shows it’s an iClass Legacy credential.

When I run any command like: “hf ic dump --ki 0” I get a response like:

[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

When I run hf search I get:

pm3 --> hf search
[\] Searching for iCLASS / PicoPass tag...
[+] iCLASS / Picopass CSN: 02 15 9F 00 F8 FF 12 E0

[+] Valid iCLASS tag / PicoPass tag found

When I run “hf ic chk -f iclass_default_keys.dic” I get:

[+] loaded 11 keys from dictionary file C:\Working\ProxSpace\pm3\proxmark3\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+]     CSN: 02 15 9F 00 F8 FF 12 E0
[+]    CCNR: FC E1 FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...
[/]Chunk [000/11]
[+] time in iclass chk 2.3 seconds

It doesn’t say that it found any valid keys for it.

I’m starting to wonder if the readers are set to use a non standard key or something else I’m not thinking of.

[ CLIENT ]
RRG/Iceman/master/v4.14434-62-gf4487abed 2021-10-16 14:42:19
compiled with… MinGW-w64 10.3.0
platform… Windows (64b) / x86_64

[ PROXMARK3 ]
firmware… PM3 GENERIC

[ ARM ]
bootrom: RRG/Iceman/master/v4.14434-62-gf4487abed 2021-10-16 14:44:03
os: RRG/Iceman/master/v4.14434-62-gf4487abed 2021-10-16 14:44:34
compiled with GCC 10.1.0

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 53% used )


Sorry for the long post with a bunch of copied outputs but I’m stumped and need a push in the right direction.

I’ve scoured the internet and this forum for people having the same issue but have only found @695 and the info posted in Cloning a HID IClass 2k key fob - #19 by 695

I also think the info from @NinjuhhNutz posted in So You Want To Implant An HID Card may also be key but I can’t quite figure out what’s going on…

Thanks if you read this far, any help would be most appreciated!
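As an added illustration (not code from the post or from the proxmark3 project), a small parser that pulls the CSN and the eight config bytes out of `hf iclass info` output and decodes the app limit, the resulting AA1/AA2 block ranges and the fuse byte. The fuse-bit layout is an assumption based on the PicoPass fuse layout as the pm3 client decodes it; only the 0x3C case is confirmed by the output above. The sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the lines of interest from the `hf iclass info` output
# quoted in the post above (same CSN and config bytes).
SAMPLE_INFO = """\
[+]     CSN: 02 15 9F 00 F8 FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
"""

# Fuse-byte bits (assumption: PicoPass fuse layout as decoded by the pm3 client).
FUSE_FPERS, FUSE_CODING1, FUSE_CODING0 = 0x80, 0x40, 0x20
FUSE_CRYPT1, FUSE_CRYPT0, FUSE_RA = 0x10, 0x08, 0x01
LAST_BLOCK_2K = 0x1F  # a 2 KBit PicoPass has 32 blocks of 8 bytes (256 bytes)

HEX8 = r"((?:[0-9A-Fa-f]{2}\s+){7}[0-9A-Fa-f]{2})"  # eight space-separated bytes


def decode_fuses(fuses):
    """Turn the fuse byte into the labels the pm3 client prints."""
    crypt_label = {
        0x00: "No auth possible, read only if RA is enabled",
        FUSE_CRYPT0: "Non secured page",
        FUSE_CRYPT1: "Secured page, keys locked",
        FUSE_CRYPT1 | FUSE_CRYPT0: "Secured page, keys not locked",
    }[fuses & (FUSE_CRYPT1 | FUSE_CRYPT0)]
    if fuses & FUSE_CODING1:
        coding = "RFU"
    else:
        coding = "ISO 14443-2 B / 15693" if fuses & FUSE_CODING0 else "ISO 14443-B only"
    return {
        "mode": "Personalization (unlocked)" if fuses & FUSE_FPERS else "Application (locked)",
        "coding": coding,
        "crypt": crypt_label,
        "ra": bool(fuses & FUSE_RA),
    }


def parse_info(text):
    """Extract CSN and config bytes from pm3 output and decode the card layout."""
    csn = re.search(r"CSN:\s+" + HEX8, text)
    cfg = re.search(r"Config:\s+" + HEX8, text)
    if not (csn and cfg):
        raise ValueError("CSN or Config line not found")
    c = bytes.fromhex(cfg.group(1).replace(" ", ""))
    app_limit = c[0]
    return {
        "csn": csn.group(1).replace(" ", "").upper(),
        "app_limit": app_limit,
        "otp": int.from_bytes(c[1:3], "big"),
        "block_write_lock": c[3], "chip": c[4], "mem": c[5], "eas": c[6],
        "fuses": decode_fuses(c[7]),
        # AA1 runs from block 6 up to the app limit, AA2 from the next block to the
        # last block of the card; the block count is last - first + 1.
        "aa1": (0x06, app_limit), "aa2": (app_limit + 1, LAST_BLOCK_2K),
    }
```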

I can’t be much help personally, and you have already tagged NinjuhhNutz above, but I’ll also throw out a @philidelphiaChickens who is also quite knowledgeable with iClass.

Thank you, kindly!

Yes, I have some thoughts. This week is beyond crazy busy, and I will respond when I can. Sorry!


Thanks so much, I’d greatly appreciate any help you can offer when you get the time!

Try

hf ic dump --ki 1
hf ic dump --ki 2

maybe it’s using one of the other keys that the pm3 has built in (if we’re lucky)

iirc the “failed to communicate with card” error is coming from a failed authentication due to wrong key.

also…the directory on your dictionary files looks a bit odd.

\dictionaries/iclass_default_keys.dic

vs

\dictionaries\iclass_default_keys.dic

that may also give you different results.

let us know what you find!


Hey @NinjuhhNutz thanks so much for the suggestions.

I get the same responses when trying keys one and two. I have also tried any other keys I’ve found online from other documentation.

[usb] pm3 --> hf ic dump --ki 1
[+] Using AA1 (debit) key[1] 76 65 54 43 32 21 10 00
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card
[usb] pm3 --> hf ic dump --ki 2
[+] Using AA1 (debit) key[2] F0 E1 D2 C3 B4 A5 96 87
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[!!] failed to communicate with card

I hadn’t noticed the directory, good eye! I have tried all the keys in the iclass_default_keys and iclass_other with the same results.

Hey All,

I’ve finally made some progress while using the sim command and running a LOCLASS attack on a reader on site, using a valid known CSN:

hf iclass sim -t 2 --csn [CSN OF VALID CARD]

Which gave me the iclass_mac_attack.bin that has allowed me to run:

hf iclass loclass -f iclass_mac_attack.bin

Which gave me the keys being used in a couple of formats (I ended up using the ICLASS format) which then lets me run:

hf iclass managekeys --ki 7 -k [HID ICLASS FORMAT KEY FROM COMMAND ABOVE]

Which saves the key into slot 7 of the managed iclass keys (so you don’t mistype them) and can then run:

hf iclass dump --ki 7 --elite

Which then dumps the card using the key stored in slot 7 after elite computations have been applied.
So now I’ve finally been able to dump the data off the credentials using the custom keys.

I’m now waiting for my writable cards to arrive so I can see how simple it will be to write the blocks needed to the new cards and have them recognised by the readers on site.

I’ll probably come crawling back with more questions once I have a crack at writing and testing the new cards.

Wish me luck…


Well done! I hadn’t thought of doing that. It sounds like you’ve got a good handle on things. Sorry for the delay in responding. Let us know how you fare in the future!


Glad it worked for you @AustralianElectrical.

I have the same card as you. The dump with default keys 0, 1, 2 is also failing, same as yours.
But I am also getting the error below when running a LOCLASS attack:

[usb] pm3 --> hf iclass sim -t 2 --csn FF548401F9FF12E0 
[=] Starting iCLASS sim 2 attack (elite mode)
[=] press `enter` to cancel
[#] going into attack mode, 9 CSNS sent

[!] timeout while waiting for reply.

Any ideas on how to fix this or if someone faced the same?

My iClass card Info:

[=] --------------------- Tag Information ----------------------
[+]     CSN: FF 54 84 01 F9 FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: F0 DB FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF 7F 1F FF 3C
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      7F.........  chip
[=]                         1F......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit
[=]     Read B....... credit
[=]     Write A...... debit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

@adrawat I’m also getting timeout while waiting for reply. Have you had any progress?