Trying To Clone A HID iClass Legacy Card

Hey. So moving on with my research…

Attempt To Dump The Whole Card To Memory:


Using the ‘dump’ command instructs the ProxMark3 to read all the card data and save that data to file (both a .bin and a .json file). To do this, an 8-byte hexadecimal key is required. The software already comes with a set of keys that can be viewed with the following command.

command: hf iclass managekeys -p

[=] idx| key
[=] ---+------------------------
[=]  0 | AE A6 84 A6 DA B2 32 78
[=]  1 | FD CB 5A 52 EA 8F 30 90
[=]  2 | F0 E1 D2 C3 B4 A5 96 87
[=]  3 | 76 65 54 43 32 21 10 00
[=]  4 |
[=]  5 |
[=]  6 |
[=]  7 |
[=] ---+------------------------

Adding the ‘ki’ parameter with a number at the end (‘2’ for example) instructs the ‘dump’ command to use the corresponding key and attempt to access the card.

command: hf iclass dump --ki 0
command: hf iclass dump --ki 1
command: hf iclass dump --ki 2
command: hf iclass dump --ki 3

What I’m not sure on:

  • What are these keys?
  • Where did they come from?
  • How are they used by the ProxMark3 to access the card?

Is there a paper somewhere that explains this?
