iClass / Picopass tool for libnfc
A CLI tool for reading and writing HID iClass (Picopass) Access Control cards.
git submodule update --init
autoreconf -vis
rm -rf build && mkdir build
cd build
../configure
make
sudo make installDefault behaviour is to dump APP1.
For more options:
nfc-iclass -h
Usage: ./src/nfc-iclass [options] [BINARY FILE|HEX DATA]
Options:
-c <KEY> Use CREDIT KEY Kc / APP2 (default is DEBIT KEY Kd / APP1)
-C <?|CARD> Create CONFIG card (? prints list of config cards)
-d <KEY> Use non-default DEBIT KEY for APP1
-e AUTH KEY is ELITE
-h You're looking at it
-k <KEY> Keyroll KEY for CONFIG card
-n Do not DIVERSIFY key
-o <FILE> Write TAG data to FILE
-r <KEY> Re-Key with KEY (assumes new key is ELITE)
-R <KEY> Re-Key to non-ELITE
-w <BLOCK> WRITE to tag starting from BLOCK (specify # in HEX)
If no KEY is specified, default HID Kd (APP1) will be usedUse ELITE key for APP1:
nfc-iclass -d DEADBEEFCAFEF00D -eDump contents of APP2:
nfc-iclass -c 0DC442031337D00FWrite APP1 blocks 8 & 9:
nfc-iclass -w 8 aabbccddaabbccddaabbccddaabbccddor
nfc-iclass -w 8 /tmp/iclass-8-9-dump.icdRe-key to ELITE key:
nfc-iclass -r deadbeefcafef00dRevert to default iClass Kd (note re-key to NON-ELITE with -R)
nfc-iclass -d deadbeefcafef00d -e -R AFA785A7DAB33378Show available CONFIG cards:
nfc-iclass -C ?Create CONFIG card AV1:
nfc-iclass -C AV1Create KEYROLL card:
nfc-iclass -C KRE -k F00FBEEBD00BEEEEiClass readers can be reconfigured using CONFIG cards. These will normally be provided free of charge upon request but as we now have the master Kd it's easy enough to dump the set and recreate them at will.
The available cards are:
Note that a config card is slightly different from a standard one in that APP1 uses more blocks. This matters for KEYROLL cards as they need the extra space to store the new keys. Other types may work on a standard card but the most reliable method is to use an existing config card and overwrite it.