THIS POST IS A WORK IN PROGRESS. Additions / Corrections are requested.
Ever since the introduction of flexClass (and even some time before then), I’ve seen a good deal of folks, especially new folks, looking for assistance in cloning an HID access card onto an implant. HID’s system is weird and not especially intuitive, and I wanted to write this as an informal “guide” to which HID cards are cloneable, since I suspect cloning these things will become much more popular in the future. At some point soon I’ll update this with a more in-depth guide to cloning an iClass card to a flexClass/blank RedTeamTools card.
HID is a big company. They have a multitude of different card types. See the post here for more information. Most of the rest of this article will be about cloning the most commonly used iClass cards.
Not even cards that are described as the same type are necessarily alike. HID has two different card types: iClass SE and plain old iClass. iClass has been “cracked” (i.e. easily hackable) for a long time, but SE cards have not been. In general, if you have a system that uses SE cards, at this point there isn’t a good way to clone cards over, because some of the data stored on the card is encrypted.
HID sells iClass SE products, which use data that has been encrypted in such a way that the data can’t be cloned from one card to another without ceasing to function. We don’t know what kind of cryptographic process they’re using to encrypt this data, so we can’t reverse-engineer it.
HID manufactures a great number of readers, enough so that they can accept pretty much any set of HID card types in any combination. This is great for interoperability, but not for figuring out what chip type you’ll need. Some readers can properly read iClass SE cards AND non-SE iClass cards, so it’s important to know what the reader is actually looking for when it scans a card.
Readers are fairly easy to type. On the bottom of most readers, HID labels them as to what kind of cards the reader is set to accept. Blank readers do exist, and it’s helpful at that point to know what kind of cards you’re working with. If the information is covered up with a sticker (the place I have an HID card for uses CBORD; if you have CBORD, assume the readers are SE.)
Some are unlabeled, and this is the point where we will need to start doing some more guesswork based on the card information. This is where you’ll need a Proxmark.
Blocks 6-9 are generally the non-secure HID iClass blocks. Blocks 1-5 are settings for the card (i.e. block size, UID, etc.). After those come the SE (AKA secure) blocks. If there’s any data past blocks 6-9, you are likely to run into problems cloning the card successfully.
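A quick way to apply the block-layout rule above to a card dump. This is an added example, not code from the original post: the dump format (`<block>: <16 hex chars>`, one block per line) and the two sample dumps are constructed for illustration, and treating all-0x00 / all-0xFF blocks as unused is an assumption of the example rather than something the post states.

```python
# Added example: triage an iClass dump against the block layout the post describes.
# Not code from the original post; dump format and sample data are constructed.
from __future__ import annotations

BLOCK_LEN = 8  # iClass blocks are 8 bytes each


def block_role(n: int) -> str:
    """Label a block number using the layout given in the post:
    block 0 is the card serial (CSN), 1-5 are card settings, 6-9 are the
    non-secure application blocks, everything after is the SE (secure) area."""
    if n == 0:
        return "CSN"
    if 1 <= n <= 5:
        return "settings"
    if 6 <= n <= 9:
        return "non-secure application"
    return "SE / secure"


def parse_dump(text: str) -> dict[int, bytes]:
    """Parse lines of the constructed form '<decimal block>: <16 hex chars>'.
    Blank lines and '#' comments are ignored; a wrong-length block is an error."""
    blocks: dict[int, bytes] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        num, _, hexdata = line.partition(":")
        data = bytes.fromhex(hexdata.strip())
        if len(data) != BLOCK_LEN:
            raise ValueError(f"block {num.strip()}: expected {BLOCK_LEN} bytes, got {len(data)}")
        blocks[int(num.strip())] = data
    return blocks


def is_blank(data: bytes) -> bool:
    """Assumption of this example: an all-0x00 or all-0xFF block carries no data."""
    return data in (b"\x00" * BLOCK_LEN, b"\xff" * BLOCK_LEN)


def assess(blocks: dict[int, bytes]) -> dict:
    """Apply the post's rule: if only blocks 6-9 carry data, try cloning those;
    if anything past block 9 is populated, expect trouble."""
    has_app_blocks = all(n in blocks for n in range(6, 10))
    populated_past_9 = sorted(n for n, d in blocks.items() if n >= 10 and not is_blank(d))
    if not has_app_blocks:
        verdict = "incomplete dump: blocks 6-9 missing"
    elif populated_past_9:
        verdict = "data past block 9: likely to run into problems cloning"
    else:
        verdict = "only blocks 6-9 carry data: try cloning those and test at the readers"
    return {
        "has_app_blocks": has_app_blocks,
        "populated_past_9": populated_past_9,
        "verdict": verdict,
    }


def summarize(blocks: dict[int, bytes]) -> list[str]:
    """One human-readable line per block: number, role, hex contents."""
    return [f"{n:2d} {block_role(n):<22} {d.hex()}" for n, d in sorted(blocks.items())]


# Constructed sample: data only in blocks 6-9, nothing populated afterwards.
LEGACY_DUMP = """
0: 0011223344556677   # CSN (constructed value)
1: 0102030405060708
2: FEFFFFFFFFFFFFFF
3: FFFFFFFFFFFFFFFF
4: FFFFFFFFFFFFFFFF
5: FFFFFFFFFFFFFFFF
6: 0A0B0C0D0E0F1011
7: 2122232425262728
8: 3132333435363738
9: 4142434445464748
10: FFFFFFFFFFFFFFFF
11: FFFFFFFFFFFFFFFF
"""

# Constructed sample: same card but with populated blocks past block 9.
SE_LIKE_DUMP = LEGACY_DUMP.replace(
    "10: FFFFFFFFFFFFFFFF\n11: FFFFFFFFFFFFFFFF",
    "10: 5152535455565758\n11: 6162636465666768",
)

if __name__ == "__main__":
    for name, dump in (("legacy-style", LEGACY_DUMP), ("SE-like", SE_LIKE_DUMP)):
        blocks = parse_dump(dump)
        print(f"== {name} ==")
        print("\n".join(summarize(blocks)))
        print(assess(blocks)["verdict"], "\n")
```

Run it on your own dump by pasting the blocks into the same `<block>: <hex>` form; the verdict only restates the post’s rule of thumb, so a reader configured for SE credentials can still reject a card this script calls clonable.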
Generally, I recommend getting a blank iClass card sold by RedTeamTools. These cards are essentially what’s in the flexClass, in the traditional card form factor. Try cloning just blocks 6-9 and using the cloned card on all the standard access points you use a card with. Does it work? Great! You should be good to go to get a flexClass.
This is where it gets a little tricky. SE cards are generally non-clonable (though you can still clone blocks 6-9 as you would with a non-SE card, in the hope that some of the readers aren’t configured to only look for SE cards). If you are able to get two cards, you could possibly send one of them to @Amal for custom conversion. You’d need to take that up with him, though.