HF_ICECLASS — iCLASS Multi-Mode Standalone

doc/standalone/hf_iceclass.md


Author: Iceman
Frequency: HF (13.56 MHz)
Hardware: RDV4 (requires flash memory)


What

A multi-mode iCLASS standalone with 7 selectable modes for different operations: full simulation, reader attack, dump-and-simulate, read-and-simulate, and configuration card creation. Only one mode is active per compile.

Why

HID iCLASS is a widely deployed access control system. This mode provides a comprehensive toolkit for iCLASS assessment:

  • Credential recovery: Capture authentication data for offline key recovery (loclass attack)
  • Badge simulation: Emulate captured iCLASS credentials at readers
  • Reader configuration: Create config cards that can reconfigure iCLASS readers (e.g., downgrade attacks)

How

The mode selected at compile time (ICE_USE macro) determines behavior:

| ICE_USE Value | Mode | Description |
|---|---|---|
| ICE_USE_FULLSIM | Full Simulation | Emulate a complete iCLASS card from EEPROM dump |
| ICE_USE_READER_ATTACK | Reader Attack | Capture authentication MACs for loclass recovery |
| ICE_USE_DUMP_SIM | Dump & Simulate | Dump a card then immediately simulate it |
| ICE_USE_READ_SIM | Read & Simulate | Read credential blocks and simulate |
| ICE_USE_CONFIG_CARD | Config Card | Create configuration cards for reader reprogramming |

The reader attack mode is particularly powerful: it captures the authentication exchange between a reader and cards, producing MAC pairs that feed into the loclass attack for key recovery.

LED Indicators

| LED | Meaning |
|---|---|
| B (solid/blink) | Attack mode activity |
| D (solid) | General operation indicator |
| Mode-specific patterns | Vary by selected ICE_USE mode |

Button Controls

Vary by selected mode. Generally:

| Action | Effect |
|---|---|
| Button press | Mode-specific action |
| Hold | Exit standalone mode |

State Machine (Reader Attack Mode)

```mermaid
stateDiagram-v2
    [*] --> WaitCard : Startup\n(Reader Attack mode)

    WaitCard --> Authenticate : iCLASS card detected
    Authenticate --> CaptureMAC : Auth exchange\ncaptured
    CaptureMAC --> SaveFlash : MAC pair logged

    SaveFlash --> WaitCard : Continue collecting
    WaitCard --> [*] : Button hold / USB data

    note right of CaptureMAC
        MAC pairs used for
        loclass key recovery
    end note
```

State Machine (Dump & Simulate Mode)

```mermaid
stateDiagram-v2
    [*] --> ScanCard : Startup

    ScanCard --> DumpCard : iCLASS card found
    DumpCard --> LoadEmulator : Dump complete
    LoadEmulator --> Simulate : Data loaded

    Simulate --> [*] : Button hold / USB data
    DumpCard --> ScanCard : Dump failed
```
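
The two state diagrams above, modelled as transition tables in C so that constructed event traces can be replayed against them. This is an added example, not code from the Proxmark3 firmware, and every enum, table and function name in it is hypothetical. As drawn, Reader Attack mode has an exit edge only from WaitCard, so the model rejects a button hold that arrives mid-exchange.

```c
#include <stddef.h>
/* Names follow the two diagrams; identifiers are hypothetical, not firmware symbols. */
typedef enum { WAIT_CARD, AUTHENTICATE, CAPTURE_MAC, SAVE_FLASH, SCAN_CARD,
               DUMP_CARD, LOAD_EMULATOR, SIMULATE, EXITED, REJECTED } state_t;
typedef enum { CARD_FOUND, AUTH_CAPTURED, MAC_LOGGED, CONTINUE, DUMP_OK,
               DUMP_FAILED, DATA_LOADED, BUTTON_HOLD, USB_DATA } event_t;
typedef struct { state_t from; event_t on; state_t to; } edge_t;
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

const edge_t reader_attack[] = {
    { WAIT_CARD,    CARD_FOUND,    AUTHENTICATE },
    { AUTHENTICATE, AUTH_CAPTURED, CAPTURE_MAC  },
    { CAPTURE_MAC,  MAC_LOGGED,    SAVE_FLASH   },
    { SAVE_FLASH,   CONTINUE,      WAIT_CARD    },
    { WAIT_CARD,    BUTTON_HOLD,   EXITED       },
    { WAIT_CARD,    USB_DATA,      EXITED       },
};
const edge_t dump_sim[] = {
    { SCAN_CARD,     CARD_FOUND,  DUMP_CARD     },
    { DUMP_CARD,     DUMP_OK,     LOAD_EMULATOR },
    { DUMP_CARD,     DUMP_FAILED, SCAN_CARD     },   /* retry path */
    { LOAD_EMULATOR, DATA_LOADED, SIMULATE      },
    { SIMULATE,      BUTTON_HOLD, EXITED        },
    { SIMULATE,      USB_DATA,    EXITED        },
};

/* Follow one edge; an event the diagram does not draw is REJECTED. */
static state_t step(const edge_t *t, size_t n, state_t s, event_t e) {
    for (size_t i = 0; i < n; i++)
        if (t[i].from == s && t[i].on == e) return t[i].to;
    return REJECTED;
}
/* Replay a trace starting in `s`; *hits counts entries into `watch`. */
state_t replay(const edge_t *t, size_t n, state_t s, const event_t *ev,
               size_t nev, state_t watch, int *hits) {
    *hits = 0;
    for (size_t i = 0; i < nev && s != EXITED && s != REJECTED; i++) {
        s = step(t, n, s, ev[i]);
        if (s == watch) (*hits)++;
    }
    return s;
}

int main(void) {   /* constructed trace: one failed dump, then a good one */
    const event_t ev[] = { CARD_FOUND, DUMP_FAILED, CARD_FOUND, DUMP_OK,
                           DATA_LOADED, BUTTON_HOLD };
    int dumps;
    return replay(dump_sim, NELEM(dump_sim), SCAN_CARD, ev, NELEM(ev),
                  DUMP_CARD, &dumps) == EXITED && dumps == 2 ? 0 : 1;
}
```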

Flash Storage

  • Captured MAC pairs stored on SPI flash for later retrieval
  • EEPROM dumps stored for simulation modes
  • Configuration card templates

Compilation

```
make clean
make STANDALONE=HF_ICECLASS -j
./pm3-flash-fullimage
```