Trying To Clone A HID iClass Legacy Card

The Mission:

Hello people! Having obtained a ProxMark3, I’ve spent quite a bit of time scouring internet forums in an attempt to clone my apartment card so I can switch to a key fob. This brought me to the Dangerous Things forum. I then discovered the flexClass! So I now have a mission… if I can clone my card to a fob, I’ll be upgrading to the implant.

Unfortunately this is no easy feat. This very forum is littered with posts about people attempting very similar things… without success. I figured I’d begin a thread involving a step by step process.

Get The Hardware:

Here’s a breakdown of the involved hardware:

  • ProxMark3 Easy With Iceman Firmware (Not Shown)
  • HID iClass Legacy Card x2 (Apartment Access)
  • HID iClass Legacy Fob (Blank)
  • HID iClass SE R10 Reader

HID iClass Legacy Card
HID iClass Legacy Fob
HID® iClass SE R10 Reader

Update The ProxMark3:

To ensure everything was up to date, I got the latest ProxSpace build from I found the website provided the latest official firmware build as a simple Windows installation.

Check The Firmware Version:

command: hw version

Triple checking that the firmware updated successfully to v4.18341. It did.

[ Proxmark3 RFID instrument ]

[ Client ]
 Iceman/master/v4.18341-35-gab984c5fd-suspect 2024-04-07 01:42:26 ebc6fe650
 compiled with............. MinGW-w64 13.2.0
 platform.................. Windows (64b) / x86_64
 Readline support.......... present
 QT GUI support............ present
 native BT support......... absent
 Python script support..... absent
 Lua SWIG support.......... present
 Python SWIG support....... absent

[ Proxmark3 ]
 firmware.................. PM3 GENERIC

[ ARM ]
 bootrom: Iceman/master/v4.18341-35-gab984c5fd-suspect 2024-04-07 01:42:03 ebc6fe650
      os: Iceman/master/v4.18341-35-gab984c5fd-suspect 2024-04-07 01:42:15 ebc6fe650
 compiled with GCC 12.2.0

[ FPGA ]
 fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
 fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
 fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
 fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31

[ Hardware ]
 --= uC: AT91SAM7S512 Rev A
 --= Embedded Processor: ARM7TDMI
 --= Internal SRAM size: 64K bytes
 --= Architecture identifier: AT91SAM7Sxx Series
 --= Embedded flash memory 512K bytes ( 62% used )

Check The HF Antenna:

command: hf tune

Placing the card underneath the ProxMark3’s High Frequency (HF) antenna, I was able to find a sweet spot on the card with a voltage drop of 4,500 mV (14.5V to 10V).

Search For The Card:

command: hf search

I was already aware that my apartment complex card was a HF HID iClass. Thankfully this command confirmed it.

[+] iCLASS / Picopass CSN: 82 D1 42 10 FE FF 12 E0
[+] Valid iCLASS tag / PicoPass tag found

Read The Card:

command: hf iclass info

Ok. reading the card revealed it as an iClass Legacy card. The ProxMark3 gave me a full summary of the card structure.

[=] --- Tag Information ----------------------------------------
[+]     CSN: 82 D1 42 10 FE FF 12 E0  uid
[+]  Config: 12 FF FF FF 7F 1F FF 3C  card configuration
[+] E-purse: C4 E9 FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key ( hidden )
[+]      Kc: 00 00 00 00 00 00 00 00  credit key ( hidden )
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- Card configuration --------------------
[=]     Raw... 12 FF FF FF 7F 1F FF 3C
[=]            12 (  18 ).............  app limit
[=]               FFFF ( 65535 )......  OTP
[=]                     FF............  block write lock
[=]                        7F.........  chip
[=]                           1F......  mem
[=]                              FF...  EAS
[=]                                 3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=]     PROD0/1...... Default production fuses
[=] -------------------------- Memory --------------------------
[=]  2 KBits/2 App Areas ( 256 bytes )
[=]     1 books / 1 pages
[=]  First book / first page configuration
[=]     Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=]     AA1    | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=]     AA2    | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read AA1..... debit
[=]     Write AA1.... debit
[=]     Read AA2..... credit
[=]     Write AA2.... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 2K

Understand The HID iClass Structure:

Reading the 2011 journal article “Cryptanalysis of INCrypt32 in HID’s iCLASS™ Systems” teaches me the card’s memory structure. When reading the memory section the ProxMark3 spat out, I can see the card’s 256 bytes of memory have been broken into 32 blocks (0 to 31). As per the article, these blocks do the following:

Block Data Function
0 Card Serial Number Involved in the anti collision procedure
1 Configuration Data Security option, application limit for secured page, and read/write access
2 Stored Value Area Electronic purse
3 Key 1 (Kd) Secret key (derived from HID's master key & the Card Serial Number)
4 Key 2 (Kc) Secret key (derived from HID's master key & the Card Serial Number)
5 Application Issuer Data ?
6-18 Application Area 1 Data protected by key 1 (Kd)
19-31 Application Area 2 Data protected by key 2 (Kc)

My understanding is that blocks 0 to 2 are used for the card to interact with the reader, and blocks 3 and 4 are used by the reader to ‘unlock’ anything in the application areas. So far I have no idea what block 5 does. I shouldn’t modify blocks 0 to 5 in any way, as general forum consensus suggests changing their values will brick my card.

@philidelphiaChickens’s thread “So You Want To Implant An HID Card” mentions that blocks 6 to 9 are ‘generally’ the non-secure blocks that I can adjust for the purposes of cloning the card.

Attempt To Dump The Whole Card To Memory:

command: hf iclass dump --ki 0
command: hf iclass dump --ki 1
command: hf iclass dump --ki 2
command: hf iclass dump --ki 3

No dice! I was unable to pull any information off the card using any of ProxMark3’s stored keys.

Attempt To Read The Card’s “Block 7” To Memory:

command: hf iclass rdbl --blk 7 --ki 0
command: hf iclass rdbl --blk 7 --ki 1
command: hf iclass rdbl --blk 7 --ki 2
command: hf iclass rdbl --blk 7 --ki 3

Also a fail. None of the stored keys worked for reading the block.

Check With Other Cards:

To ensure the ProxMark3 wasn’t the problem, I did the following:

  • The second card: The same results, so neither apartment card can be read.
  • The iClass Legacy fob: The dump was successful, as was the individual block reading.

Check The Card Reader:

command: hf iclass sim -t 2
command: hf iclass loclass -f iclass_dump.bin

I took my laptop with the ProxMark3 connected, and ran the sim command with the ProxMark3 up against the HID iClass SE Express R10 reader in my apartment. After a few attempts I was able to complete a loclass attack and get a dump file. Unfortunately the loclass command timed out without providing results.

Currently Stuck:

Bear in mind, up to this point everything I’ve learnt and tried has come from reading forums. It may not seem like much, but I’m pulling myself up by my boot straps.

Some things I need to investigate further are:

Can anyone suggest what to try next?


Can you give hf iclass chk -f iclass_default_keys.dic a try?

There’s also an iclass_elite_keys.dic you could try


Thanks @Aoxhwjfoavdlhsvfpzha, I’ll give it a try after I’ve looked into the card’s structure (walk first, run later).

Edit: I’ve added “Understand The HID iClass Structure” to what I’m hoping will eventually be a walkthrough for future forum members.

1 Like

Hey. So moving on with my research…

Attempt To Dump The Whole Card To Memory:

Using the ‘dump’ command instructs the ProxMark3 to read all the card data and save that data to file (both a .bin and .json file). To do this, an 8 byte hexadecimal key is required. The software already comes with a set of keys that can be viewed with the following command.

command: hf iclass managekeys -p

[=] idx| key
[=] ---+------------------------
[=]  0 | AE A6 84 A6 DA B2 32 78
[=]  1 | FD CB 5A 52 EA 8F 30 90
[=]  2 | F0 E1 D2 C3 B4 A5 96 87
[=]  3 | 76 65 54 43 32 21 10 00
[=]  4 |
[=]  5 |
[=]  6 |
[=]  7 |
[=] ---+------------------------

Adding the ‘ki’ parameter with a number at the end (‘2’ for example) instructs the ‘dump’ command to use the corresponding key, and attempt to access the card.

command: hf iclass dump --ki 0
command: hf iclass dump --ki 1
command: hf iclass dump --ki 2
command: hf iclass dump --ki 3

What I’m not sure on:

  • What are these keys?
  • Where did they come from?
  • How are they used by the ProxMark3 to access the card?

Is there a paper somewhere that explains this?

1 Like

They’re like a password for the chip, the chip won’t communicate with a device that doesn’t know the password

Two answers for this one:

  1. The keys come from HID, the company that manufactures the cards

  2. The RFID Hacking community got them by hacking a lot of cards and readers, if you want to know more about this step, look into the iClass “Heart of Darkness” exploit, it’s very neat

If you’re looking for a raw breakdown of the technical side, I’m not the best guy for it, but basically the PM3 passes the “codephrase” to the chip so the chip knows it’s authorized to talk to the PM3

There are papers on the various exploits in some form or another, but unfortunately HID would have you believe these were secure cards, so they don’t publish much data about the cards themselves that would be helpful here in one place

1 Like

Thanks so much! I’ll have some reading to get through at work tomorrow.

1 Like