Possible to clone iclass SE card?

New to RFID cloning here. Been trying to use a proxmark3 easy to clone an iclass card but I’ve been confused by all the tutorials posted online. I would appreciate if anyone would be willing to share the steps on how to clone this particular card.

Sharing some of the info I got from my pm3 easy:

It is not possible to clone iClass SE cards, as far as I know.

It’s unlikely, but it is possible that the reader may only be looking at the CSN. If you can get an iClass card in personalisation mode (red team tools sells one), you can try copying the CSN of your SE card to it.

Does anyone (@amal, @Pilgrimsmaster) know how the iClass SE authentication works? Would it be possible to brute force the master key? I’d be happy to donate some computer and proxmark time to that.

I’m super late to the party, but iClass SE isn’t cloneable. No HID systems that use iClass cards use the CSN for authentication, AFAIK.

Non-SE iClass (AKA Legacy) has been cracked for a long time. SE terminals that accept legacy cards can have a downgrade attack run on them, but I’m not the right person to ask about that.

1 Like

yooooo namedrop :sunglasses:

also, there has been ONE (1) observed case of the CSN being used as the only thing for auth, a school in Italy :slight_smile:

3 Likes

Hi Team,

First time post, but been in the RFID side of things in the retail and warehousing space for a while…
I’m curious to see if there is any traction with iClass SE; there seem to be varying understandings of the iClass standard.
I have cloned other cards, which are straightforward, but it seems the SE is the challenge.
Here from MR keyfob apparently can do this? Is this even possible?
iCLASS SE Fob Duplication Instructions - YouTube

Then quotes like this: "I copy-x They have an add on that copies iclass se “First in the world” I guess it works only on buildings with support for legacy system as well which they say is about 85% coverage"

Overall, is there any traction with SE, and if so, can anyone share intel?

There is no traction with SE. What these are doing is extracting the pacs data using a legitimate HID reader, and then writing it to an iClass Legacy card. This only works if the target readers want to accept legacy.

Hi Scorpion,

Thanks for the reply.

Does anyone have an update on how to clone iClass SE fobs?

As I understand, there is a way to take the iClass serial number (found by scanning the RFID using a Multiclass iClass reader; the iClass serial number was then shown as the following: iCLASS[0607816ac0]) and convert it to a number that you can then write to a 13.56 MHz card and now have a working copy of an iClass SE fob.

The info that I read off the original iClass SE card is below. I want to know how to convert the scanned serial number into data that can be written on a new card.

proxmark3 scan of the iclass se card:

[=] --------------------- Tag Information ----------------------
[+] CSN: BE 2F 02 12 FE FF 12 E0 uid
[+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
[+] E-purse: EA FE FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
[+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
[+] AIA: FF FF FF 00 06 FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF 7F 1F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] 7F… chip
[=] 1F… mem
[=] FF… EAS
[=] 3C fuses
[=] Fuses:
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] -------------------------- Memory --------------------------
[=] 2 KBits/2 App Areas ( 256 bytes )
[=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read A… debit or credit
[=] Read B… debit or credit

Hello,
I have been reading and am still confused about whether I can copy my current iClass 2k SE fob. I have 6 fobs and I want them converted to a card format to fit in my wallet.
Can I read my current fob, and then transfer the data or copy it to a blank card? If so, what equipment do I need?
Do I need the site code and ID, and can that be extracted? Some tell me to get the cp1000 and it will do the job, others say it won’t work, and some say I need the icopyx and proxmark etc… A lot of back and forth, and I’m hoping someone can provide the latest update on whether it can be done, what is required and how to do it.

There is a company in Canada cloning iClass SE in less than 5 min. for $150 U.S. using “proprietary” software.

So it must be possible.
They’ve been doing it a while.

1 Like

Wait, is iClass SE an actual different card technology than iClass legacy? I thought it was just marketing mumbo for “We put an SIO credential on the iClass legacy chip” and you had to go for Seos to get an actual hardware upgrade.

Need to pick up an SE I guess…

1 Like

No, this would be legacy + SIO, which is its own thing.

SE is the same chip architecture just using a separate proprietary crypto.

To downgrade to legacy, you can extract the PACs content of an SE with a weaponised reader, or you can purchase the SE SAM by itself and use something like the pmRDV4 or flipper (with a SAM adaptor hardware addon). You can then encode this PACs content onto a legacy credential and hope that legacy remains enabled.

For direct to other SE cloning you’d need an omnikey to encode the PACs data in SE to an SE cred.

Other options also include downgrading to hidprox low frequency, given LF is enabled on the reader & no SIO on the HF credential.

2 Likes