Access Control Electronics iClass Software

Odd iClass Quirk: How I resolved it

I realised that recent iClass cards/fobs I purchased had an odd behaviour.

  1. It would be detectable by Proxmark3 as an iClass legacy tag.
  2. However, Proxmark3 refuses to authenticate with the master key.
  3. Switching over to iclassified + OmniKey 5321, it successfully reads and authenticates. (indicating that the fobs appear to use the default HID keys)
  4. Looking at Block 03, it seems to use the default HID auth keys. (which was what I definitely purchased).
Legacy iClass credential using default HID master key but cannot be authenticated by pm3

After some experimentation, and a pile of bricked iClass tags 💸 , I seemed to have stumbled upon a solution to resurrect these anomalous cards/fobs again.

You will need:

  • Your anomalous iClass credentials
  • A laptop that natively runs proxmark3, AND dual boots to Windows XP with iClassified (NOTE: XP + Omnikey + iClassified combo doesn’t seem to play nice on a VM, I found that only a native environment works. Also, pm3 software does not play well with XP)
  • Proxmark3
  • An original HID iClass USB reader, compatible with iClassified (I used an Omnikey 5321)
Good ol Windows XP.
  1. Since Proxmark3 can read the iClass card/fob’s CSN, calculate a new (different from default) key using calcnewkey.
    [usb] pm3 --> hf iclass calcnewkey o (default HID master key) n (your chosen key)
    [+] Old div key : XX XX XX XX XX XX XX XX
    [+] New div key : XX XX XX XX XX XX XX XX
    [+] Xor div key : XX XX XX XX XX XX XX XX
  2. Get the Xor Div Key, store it somewhere. Need it in a mo.
  3. Reboot to your Windows XP environment.
  4. cd to your iClassified folder, and overwrite Block 03 with the calculated div key:
    iclassified>iclass.exe write 3 (calculated key)
  5. Verify that your card/fob no longer authenticates with the default HID master key.
    iclassified>iclass.exe read
    Error: Authentication failed
  6. Reboot back to your environment with Proxmark3. Verify that you can now read the credential with your chosen key.
    [usb] pm3 --> hf iclass rdbl b 06 k (your chosen key)
    [+] block 06: 00 00 00 00 00 00 FF FF

NOTE: I have noticed that this method seems to have a spotty success rate. Out of the 15 seemingly glitchy iClass cards/fobs I attempted to resurrect, 4 of them were bricked and could not be read with the key I specified. They could also not be read by iClassified+OmniKey.

Leave a Reply

Your email address will not be published. Required fields are marked *