So You Want To Implant An HID Card

This addition is for use with HID iClass legacy cards that aren’t using the HID master authentication key

PLEASE read this entire post several times before attempting anything. Mistakes are easier to avoid than they are to recover from

To start: if you have cloned your iClass legacy card (manually cloned blocks 6-9) yet get no response from the appropriate readers, this may benefit you.

This assumes you are connected to the pm3, running the Iceman repo, with the credential you are trying to get working on the iClass readers sitting on the antenna.

Step 1: hf ic chk -f iclass_default_keys.dic

Assuming you get "found valid key" and

"Key already at keyslot X"
where X is the key position in the output of:

hf ic managekeys -p

Compare this key against what you have (hopefully) already documented as the HID iClass master authentication key versus the HID iClass default authentication key.

NOTE WHICH KEY POSITION THE MATCH FROM hf ic chk -f iclass_default_keys.dic HAS IN THE
hf ic managekeys -p OUTPUT

i.e. 0, 1, or 2

Step 2: hf ic info

Take note of whether the results show the card in PERSONALIZATION or APPLICATION mode. VERY IMPORTANT: the two modes take different data in Step 4.

Step 3: hf ic calcnewkey --oki X --nki Y
where X (old key index) is the keyslot of the key the card accepts right now, i.e. the one hf ic chk -f iclass_default_keys.dic found (the HID iClass default authentication key), and Y (new key index) is the keyslot of the HID iClass master authentication key you want the card to use. calcnewkey diversifies both keys with this card's CSN and prints the new diversified key (Kdiv new) and the XOR of the old and new diversified keys (Kdiv xor); Step 4 uses one or the other depending on the mode from Step 2.

Before Step 4: READ THIS OVER AND OVER.

While it is possible to recover from an incorrect write to block 3 (as I will describe below), it is neither fun nor desirable. PLEASE ensure you have this next step 100% correct to prevent any headache later.
Also, before you go any further, document every value you use in the following command and where in the command you use it. This will save you if you screw the pooch in the process.

--------------------------------------------------------------------------------------------------------------------------------

Step 4:
If the card shows in personalization mode:

hf ic wrbl -b 3 -d XXXXXXXXXXXXXXXX --ki Y
where XXXXXXXXXXXXXXXX is Kdiv new from the hf ic calcnewkey cmd (in personalization mode the diversified master key is written into the key block as-is),
and Y is the keyslot found by the hf ic chk -f iclass_default_keys.dic cmd (the key the card accepts right now, used to authenticate the write).

If the card shows in application mode:
hf ic wrbl -b 3 -d XXXXXXXXXXXXXXXX --ki Y
where XXXXXXXXXXXXXXXX is Kdiv xor from the hf ic calcnewkey cmd (in application mode the card XORs whatever you write into the key it already holds, so the XOR of old and new diversified keys lands it on the master key),
and Y is the keyslot found by the hf ic chk -f iclass_default_keys.dic cmd.

Step 5: hf ic chk -f iclass_default_keys.dic again

Step 6: hf ic managekeys -p

The "Key already at keyslot X" result should now point at the HID iClass master authentication key instead of the HID iClass default authentication key.

Step 7: hf ic dump --ki X
where X is the keyslot the HID iClass master authentication key now matches in the hf ic chk -f iclass_default_keys.dic cmd

-----------------------------------------------------------------------------------------------------------------------------

If successful, your card is now operating with the HID iClass master authentication key and should be recognized by the appropriate readers! CONGRATS!

------------------------------------------------------------------------------------------------------------------------------

Notes:
If using the Iceman repo:
hf ic managekeys -p SHOULD show (at least in my experience) the HID iClass master authentication key in slot 0 and the HID iClass default authentication key in slot 2.

Keep in mind that every line that uses X, Y, XXXXXXXXXXXXXXXX, or YYYYYYYYYYYYYYYY refers to that specific line ONLY. The implied values change depending on the line and Step they appear in.

Application mode: write Kdiv xor
Personalization mode: write Kdiv new

In personalization mode, the fuses in block 1 have not been blown, meaning the config block (block 1) can still be modified. I would suggest NOT changing this, as it leaves you more options down the road for fun stuff. You can go down that rabbit hole at your own convenience. :P

In application mode, the fuses in block 1 HAVE been blown and you can no longer modify block 1. That I'm aware of, at least.

--------------------------------------------------------------------------------------------------------------------------------

OH HOLY SHEEETTT I WROTE THE WRONG VALUE TO BLOCK 3!!!

First off... I've done it. SEVERAL TIMES, so don't feel bad. I will attempt to help you get out of danger.

IF you followed my instructions and DOCUMENTED your values and where you put them:

hf ic rdbl -b 3 -k XXXXXXXXXXXXXXXX --raw
where XXXXXXXXXXXXXXXX is the INCORRECT value that you wrote to block 3

--raw tells the client to use the key exactly as given, with no diversification or other computation, so you can authenticate with whatever now sits in block 3. Hopefully that lets you recover.

Caveat for application mode: the card XORs the data written to block 3 into the key it already held, so the key now on the card is the previous diversified key XORed with the wrong value, not the wrong value itself. If the raw read with the wrong value fails, XOR the wrong value with the old diversified key (printed by calcnewkey, and also equal to Kdiv new XOR Kdiv xor) and try that as the raw key instead. In personalization mode the wrong value was written as-is and is the key to try.

If you get a successful read, then:

if in application mode
hf ic wrbl -b 3 -d XXXXXXXXXXXXXXXX -k YYYYYYYYYYYYYYYY --raw
where YYYYYYYYYYYYYYYY is the raw key that just authenticated (the INCORRECT value you wrote to block 3, or the XOR described above) and XXXXXXXXXXXXXXXX is that raw key XORed with Kdiv new, because this write is again XORed into the key currently on the card.

if in personalization mode
hf ic wrbl -b 3 -d XXXXXXXXXXXXXXXX -k YYYYYYYYYYYYYYYY --raw
where XXXXXXXXXXXXXXXX is Kdiv new and YYYYYYYYYYYYYYYY is the INCORRECT value that you wrote to block 3.

FINGERS CROSSED

If you get a successful write:

hf ic dump -k XXXXXXXXXXXXXXXX
where XXXXXXXXXXXXXXXX is the HID iClass master authentication key as 16 hex characters (or use --ki with its keyslot, as in Step 7)

if you get a successful dump, you’re back in business!

if not, we still have work to do. Feel free to tag me in YOUR thread related to your specific problem and I will help where I can.

I’ve spent countless hours and over a dozen cards from iCLASS RFID Card (redteamtools.com) (huge shoutout for those!!!) getting this to work for me. And, thanks to all those that have helped me along the way on here and the proxmark forum!

I’ve read over this post several times, but I may very well have missed something. If you find an error or find something I missed, please let me know so I can update!

As always, this is only a reference, and any modification to block 3 can render your credential useless.

USE AT YOUR OWN RISK

BEST OF LUCK!!!

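The following is an added example, not part of the original post and not Proxmark3 project code. It captures the bookkeeping behind Step 4 and the block 3 recovery section: given the old and new diversified keys that hf ic calcnewkey prints for the card's CSN, it picks the value to write for personalization versus application mode, works out which key the card actually holds after a (possibly wrong) write, and builds the pm3 command strings using the wrbl/rdbl syntax from the post (spelled out as hf iclass). The function names and the 8-byte hex values in demo() are my own constructed placeholders, not real diversified keys.

```python
# Added example, not from the original post or the Proxmark3 project: the
# bookkeeping behind Step 4 and the block 3 recovery section. Nothing here
# talks to a Proxmark3. It takes the old and new diversified keys that
# `hf iclass calcnewkey` prints for this card's CSN, picks the value to write
# for PERSONALIZATION vs APPLICATION mode, and works out which key the card
# actually holds after a (possibly wrong) write so a `--raw` read is tried
# with the right value. All 8-byte hex values in demo() are constructed.

PERSONALIZATION = "personalization"
APPLICATION = "application"


def xor8(a: bytes, b: bytes) -> bytes:
    """XOR two 8-byte iCLASS keys."""
    if len(a) != 8 or len(b) != 8:
        raise ValueError("iCLASS keys are 8 bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def block3_data(current_div: bytes, wanted_div: bytes, mode: str) -> bytes:
    """Value for `hf iclass wrbl -b 3 -d ...` to move the card from
    current_div to wanted_div.

    personalization: the key block is written as-is, so send wanted_div
                     (the post's "Kdiv new").
    application:     the card XORs the written data into the key it already
                     holds, so send current ^ wanted (the post's "Kdiv xor").
    """
    if mode == PERSONALIZATION:
        return wanted_div
    if mode == APPLICATION:
        return xor8(current_div, wanted_div)
    raise ValueError(f"unknown mode: {mode!r}")


def key_after_write(current_div: bytes, written: bytes, mode: str) -> bytes:
    """Diversified key the card holds once `written` has gone into block 3.

    This is the value to pass as `-k <hex> --raw`: in application mode it is
    NOT the written value itself but current ^ written.
    """
    if mode == PERSONALIZATION:
        return written
    if mode == APPLICATION:
        return xor8(current_div, written)
    raise ValueError(f"unknown mode: {mode!r}")


def update_command(current_div: bytes, wanted_div: bytes, mode: str,
                   current_keyslot: int) -> str:
    """Step 4 write, authenticated with the keyslot `hf iclass chk` found."""
    data = block3_data(current_div, wanted_div, mode)
    return f"hf iclass wrbl -b 3 -d {data.hex()} --ki {current_keyslot}"


def recovery_plan(old_div: bytes, wrong: bytes, wanted_div: bytes,
                  mode: str) -> list:
    """Commands to get from a bad block 3 write back to wanted_div.

    old_div is the diversified key the card held before the bad write (the
    calcnewkey "old" key); wrong is what was actually written.
    """
    stuck = key_after_write(old_div, wrong, mode)   # key now on the card
    fix = block3_data(stuck, wanted_div, mode)       # data that undoes it
    return [
        f"hf iclass rdbl -b 3 -k {stuck.hex()} --raw",                 # prove auth
        f"hf iclass wrbl -b 3 -d {fix.hex()} -k {stuck.hex()} --raw",  # repair
        f"hf iclass rdbl -b 3 -k {wanted_div.hex()} --raw",            # verify
    ]


def demo() -> dict:
    """Run both modes on constructed keys (NOT real diversified keys)."""
    old_div = bytes.fromhex("0123456789abcdef")   # constructed "old div key"
    new_div = bytes.fromhex("fedcba9876543210")   # constructed "Kdiv new"
    wrong = bytes.fromhex("0011223344556677")     # constructed bad write
    result = {}
    for mode in (PERSONALIZATION, APPLICATION):
        stuck = key_after_write(old_div, wrong, mode)
        result[mode] = {
            "step4_write": block3_data(old_div, new_div, mode).hex(),
            "key_after_wrong_write": stuck.hex(),
            "recovery": recovery_plan(old_div, wrong, new_div, mode),
            # sanity check: the repair write really lands the card on new_div
            "repaired_ok": key_after_write(
                stuck, block3_data(stuck, new_div, mode), mode) == new_div,
        }
    return result


if __name__ == "__main__":
    for mode, info in demo().items():
        print(mode)
        for k, v in info.items():
            print(f"  {k}: {v}")
```

The point to take from the application-mode branch is that a wrong write does not leave the wrong value in block 3; it leaves old XOR wrong, so that is the raw key to authenticate with, and the repair data is that raw key XOR Kdiv new. In personalization mode the written value is the key, which is why the post's recovery sequence works there unchanged.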