Research, development and trades concerning the powerful Proxmark3 device.
Hi everyone, Morning
How to manually calculate the dump file only from printed numbers on iclass tag?
I know some gurus can calculate the dump file only from printed numbers on back of iclass tag (if not worn out). So they don't need to physically have the original card to clone^_^
The reason I have to do this is because I got an unreadable iclass thin DP card with "+" before printed card numbers. I cannot read this card just as stated in other topic.
Can someone guide me on this? T_T
Best regards
Last edited by yukihama (2018-07-19 02:42:44)
The only information that is normally printed on an iClass card is the card number and the HID order number.
In order to make a copy of the access control payload of an iClass credential you will need to program blocks 6,7,8 and 9.
Unfortunately, the information printed on the card itself is NOT sufficient to make a copy of the card.
Block 6 contains the card format information that indicates things such as whether the card data is encrypted, what type of encryption is used (DES or TDES), what blocks are encrypted, whether a PIN is stored on the card, PIN length, etc.
Blocks 7 and 8 and part of 9 contain the wiegand code. If the wiegand code is less than 64-bits then it will all be stored in block 7 and blocks 8 and 9 would be filled with 0's.
If a PIN is stored on the card it will be stored in block 9.
The wiegand code is stored with a logic 1 start sentinel appended to the front of the bit stream (see example below).
So ...
To make a copy of the card without having it in your possession you would need to know several things.
1. The card format. This tells you how many bits are used (transmitted) in the wiegand code. It also defines the parity scheme being used.
2. The card number used in the access control application. This is normally printed on the card.
3. The facility code used in the access control application. This is NOT printed on the card.
If you make the assumption that the card uses a format less than 64-bit, does not need to support encryption and that no PIN is used then things become much simpler.
All you need to do is:
a. Use a generic Block 6 value of 0x000000000000c014 (specifies no encryption used)
b. Use a value of 0x0000000000000000 in Blocks 8 and 9
c. Load the wiegand code into block 7 and add a logic 1 "Start Sentinel" to the most significant bit.
Example:
Format: 26-bit
Fac Code: 100
Card No: 1234
26-bit Wiegand Code: 0x2C809A4
Wiegand Code + Start Sentinel: 0x6C809A4
64-bit Block 7 Value: 0x0000000006C809A4
If you have access to a Digital Storage oscilloscope or Logic Analyzer then you can easily hook it up to the wiegand output of an iclass reader. The captured output will give you all of the information necessary to make a copy of that card. The number of pulses will give you the format information and the captured data bits will provide you the facility code and card number values.
Last edited by carl55 (2018-07-18 03:11:22)
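The block 7 layout described in the post above can be checked by decoding the example value back into its fields. This is an added example, not part of the original post: the function names are hypothetical, and the 26-bit field layout it assumes is the standard H10301 format (8-bit facility code, 16-bit card number, leading even parity and trailing odd parity).

```python
# Added example: decode an iCLASS block 7 value that holds an unencrypted
# Wiegand code behind a logic-1 start sentinel, as the post describes.
# Assumption: a 26-bit code uses the standard H10301 layout.

def split_sentinel(block7: int) -> tuple[int, int]:
    """Return (bit_length, wiegand_code) with the start sentinel removed."""
    if not 0 < block7 < (1 << 64):
        raise ValueError("block 7 must be a non-zero 64-bit value")
    # The sentinel is the highest set bit; everything below it is the code.
    # Without it, leading zero bits of the code would be indistinguishable
    # from padding and the format length could not be recovered.
    length = block7.bit_length() - 1
    return length, block7 & ((1 << length) - 1)

def decode_h10301(wiegand: int) -> dict:
    """Split a 26-bit code into facility code, card number and parity check."""
    upper = (wiegand >> 13) & 0x1FFF  # even-parity bit + first 12 data bits
    lower = wiegand & 0x1FFF          # last 12 data bits + odd-parity bit
    return {
        "facility_code": (wiegand >> 17) & 0xFF,
        "card_number": (wiegand >> 1) & 0xFFFF,
        "parity_ok": bin(upper).count("1") % 2 == 0
                     and bin(lower).count("1") % 2 == 1,
    }

def decode_block7(block7: int) -> dict:
    """Report the format length and, for 26-bit codes, the decoded fields."""
    bits, wiegand = split_sentinel(block7)
    result = {"bits": bits, "wiegand": wiegand}
    if bits == 26:
        result.update(decode_h10301(wiegand))
    return result

if __name__ == "__main__":
    # Block 7 value from the post's example (Fac Code 100, Card No 1234).
    print(decode_block7(0x0000000006C809A4))
    # Constructed value with one data bit flipped: parity no longer matches.
    print(decode_block7(0x0000000006C809A6))
```
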
The only information that is normally printed on an iClass card is the card number and the HID order number.
In order to make a copy of the access control payload of an iClass credential you will need to program blocks 6,7,8 and 9.
Unfortunately, the information printed on the card itself is NOT sufficient to make a copy of the card.
Hi Carl55, You are such a genius with so much knowledge.
It's my honor to get your help^)^
I will make a try and update later^)^
Best Regards