
Beginner's Guide to HID iClass Cloning with the Flipper Zero

Updated: May 1

Our StandardUser team is excited to share new processes we're learning. Thanks to Sebastian Bowman, Security Engineer, for this guide.

As technology continues to be integrated into every aspect of our lives, radio-frequency identification (RFID) access cards are becoming more prevalent in every industry. From government to warehouse work, there is a solid chance that you will be given an RFID access card to enter buildings and secure areas. However, as advancements in technology continue to enhance the security of RFID access systems, the development of cloning technology also persists. It has become imperative for individuals and organizations to learn about cloning RFID access cards, and the technology's potential malicious uses, in order to protect themselves and their place of work.

Brute Force an HID iClass SE reader

The original goal of this project was to successfully brute force a door that uses NFC cards to authenticate, specifically an HID iClass SE reader that works with HID iClass DP cards. In the process of figuring out how to brute force it, we learned a great deal about how to clone these iClass DP cards, so we decided to make a writeup for anyone else interested in doing so. To start, through simple fuzzing, reading the frequency, and/or research online, you can learn that the cards transfer the “Key” at a frequency of 13.56 MHz.


With the information above, we can conclude that the reader is most likely designed to interact with cards that use the “Picopass protocol.” Picopass is a type of contactless smart card technology used for secure identification and authentication purposes. It was developed by a French company named Inside Secure and communicates using the ISO 14443B and ISO 15693 protocols. Picopass operates at a frequency of 13.56 MHz and is the standard for high-frequency (HF) RFID systems.


To clear up any confusion, NFC is best described as a subset of RFID. The difference is the size of the wavelengths at which data is sent, just some basic chemistry. The higher the frequency, the shorter the distance the wave can travel; the lower the frequency, the longer the distance it can travel.

In technical terms, frequency determines the amount of data you can transmit. Therefore, with NFC you can send more data; however, you must be close to the card reader for it to work, while RFID can be set up to work from 100+ meters but with less security. Since more data can be sent over NFC, more security layers can be implemented; in our case, these cards add encryption.

Each “|” represents a data stream being transmitted

Flipper Zero

The Flipper Zero comes with many different applications capable of reading and writing NFC or RFID. The default firmware for the Flipper Zero comes with an application that is capable of reading and writing cards that communicate on the 13.56 MHz frequency -- this application is called Picopass Reader. This application is designed to work with multiple card types, but it is limited to writing only and it cannot currently emulate different saved cards.


To make a clone of this card, you simply need another HID iClass DP card, which can be purchased online. Because these contactless cards have an embedded Picopass chip, you need to write your data to another one of these same chips. You also need the Picopass Reader tool installed on your Flipper Zero. This can be done by flashing your Flipper Zero with the most recent version of the Flipper Zero firmware. Alternatively, you can flash a third-party firmware called ‘Rogue Master’. Once you have all of these components:

1. Start up your Flipper Zero, and take out the card you would like to copy

2. Hit the down arrow >> Scroll right or left until you are in the “Apps” directory

3. In the apps directory, select “Tools”