iCopy-X Open Source Firmware v1.1.1
Two IPK variants
| File | PM3 firmware | LUA scripts | Use when |
|---|---|---|---|
| icopy-x-flash.ipk | RRG/Iceman (included) | Lua 5.4 (iceman) | You want the latest PM3 client + firmware |
| icopy-x-noflash.ipk | Unchanged (factory) | Lua 5.1 (factory) | You want to keep your current PM3 version |
Installation
- Ensure that your device is up to date (1.0.90 - get it from here: https://icopyx.com/pages/update-your-icopy-x)
- Download the IPK of your choice
- Put your iCopy-X into PC-Mode
- Delete ALL OTHER IPK files from the device
- Transfer the IPK onto your device and close PC-Mode
- Navigate to About > Update, and press [OK]
- Device will restart
- While restarting, the screen will flash and stay blank for up to 10 seconds. Don't panic!
If you're using the "flash" version, there will be some extra steps:
- Device will restart and detect that you need to flash your device. Click OK.
- Read the instructions: Make sure your device has charge, make sure it's plugged in, and then Start
- After flashing, your device will restart.
- While restarting, the screen will stay blank for up to 10 seconds. Don't panic!
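
A pre-flight check for the transfer steps above, as an added example that is not part of the original release notes or the project's code: run while the device is still in PC-Mode, it confirms that exactly one IPK is on the device and, optionally, that it is byte-identical to the file you downloaded. The mount point argument and the function name `check_single_ipk` are assumptions.

```sh
#!/bin/sh
# Added example (not project code). Assumes the device is mounted in PC-Mode
# and that you pass its mount point; check_single_ipk is a hypothetical name.
# Usage: sh check_ipk.sh /path/to/mounted/device [/path/to/downloaded.ipk]

# Returns 0 if exactly one IPK is present (and matches the download, if given),
# 1 = none found, 2 = more than one, 3 = bad mount point, 4 = copy differs.
check_single_ipk() {
    dir=$1
    download=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 3; }

    # Case-insensitive match so a leftover OLD.IPK is caught too.
    list=$(find "$dir" -type f -iname '*.ipk' 2>/dev/null || true)
    if [ -z "$list" ]; then
        echo "no IPK found under $dir" >&2
        return 1
    fi
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one IPK, found $count:" >&2
        printf '%s\n' "$list" >&2
        return 2
    fi

    # A truncated or corrupted transfer should be caught before updating.
    if [ -n "$download" ] && ! cmp -s "$download" "$list"; then
        echo "device copy differs from $download; transfer it again" >&2
        return 4
    fi

    # Report which variant is about to be installed, going by the file name.
    case $(basename "$list") in
        icopy-x-flash.ipk)   echo "flash variant: $list" ;;
        icopy-x-noflash.ipk) echo "noflash variant: $list" ;;
        *)                   echo "unrecognised IPK name: $list" ;;
    esac
}

if [ "$#" -ge 1 ]; then
    check_single_ipk "$@"
fi
```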
Companion PM3 Clients (for PC-Mode)
Connect to your iCopy-X's Proxmark module directly from your computer.
| File | PM3 version | Contents |
|---|---|---|
| clients-flash.zip | RRG/Iceman | Linux x86_64 + macOS + Windows CLI clients |
| clients-noflash.zip | Factory (iCopy-X original) | Windows client (pre-built) |
Using the companion client
- Download the matching `clients-[flash|noflash].zip` for your IPK variant
- Extract to a folder on your computer
- Put your iCopy-X into PC-Mode
- Connect via USB
- Run: `proxmark3 /dev/ttyACM0` (Linux/macOS) or `proxmark3.exe COMx` (Windows)

Adjust `ttyACM0` and `COMx` according to the real port assigned to your iCopy-X.
Release Notes
Notes taken from #5 - Massive PR from @amec0e
LF, HF and QoL Changes
Firstly, I will say I am sorry this is such a big PR; this is a collection of all the changes and improvements I had made to the iCopy-X firmware since May 11th to present day. I have also tried to add comments where possible for any issues that may or may not arise, like the Noralsy pwd bit being set and changing downlink modes on certain T55xx chips. Below are some of the notable mentions because there have been a lot of changes since May 11th till now.
Notable Changes
LF:
- Added LF Dump Saving Functionality, then refactored it to help with displaying and simulation so it is not reliant on filenames for information.
- Fixed T55 tags from soft bricking when t55xx chk was run as part of the normal scan flow.
- Fixed the T55xx naming convention for dumps.
- Added PAC Simulation and fixes.
- Added Noralsy Simulation and fixes.
- Added Keri Simulation and fixes.
- Gallagher Simulation has been removed as it was not supported for the no-flash version, it was also unconfirmed so removed the SIM_MAP entry.
- Fixed Hitag2 Valid Keyword. (Read Note Below.)
- Added Paxton Net2/Switch2 Scan/Read/Write support. (Read Note Below)
HF:
- Fixed MFC UID Verification (Tested on 1K only)
- Implemented Gen2 1K magic card Write and Verify support.
- Added Json dump saving functionality.
- Removed eml saving as it is not needed.
- Fixed B0 not reading correctly in write_with_standard and added json file as a fallback.
- Removed the very loose Fallback for verification so actual written verification code can be tested.
- Changed fchk function to now look for `mfc_default_keys.dic` in `/keys/mf1/` and use the generated as a fallback if not found.
QoL:
- AutoCopy Button is Back! Previously broken.
- Added hex input support and LEFT and RIGHT keys for plugins.
- Fixed the black button bar that lingered in dump file view, now dismisses properly when both M1/M2 set to null.
- Fixed Plugins to also call dismissButton to strip the text and box area when buttons are null
- Added Medium text size for plugins to make things a little more readable.
- Fixed Dump entry duplication and deletion to properly show only one file per stem and remove all from stem if deleted. This was extended to mf1, mfu, iclass, icode alongside t55xx.
- Updated the pm3_compat.py to also add reverse rules for Keri, PAC, Noralsy simulation for the no-flash version. (tested and working)
Plugins:
- Added chk_t55xx_pwds plugin.
- Added lf_clone_and_pwd plugin.
- Added wipe_t55xx plugin.
- Added T55xx_detect plugin.
- Added T55xx_recovery plugin.
- Added T55xx_block_writer plugin.
- Added T55xx_block_reader plugin.
- Added Paxton_block_reader plugin.
Known Issues:
- During my testing I noticed Gallagher dumps write fine; however, scanning or reading them back gives different values. Checking with the RDV4 on BREAKMEIFYOUCAN confirmed the originally written data is correct. This is a firmware issue from circa 2022; values from iCopy-XS PC-Mode confirm Gallagher is detected with different values.
- Paxton, when using tin foil and a Paxton card, sometimes might not display the UID: under the ID: field. During my testing I noticed on every initial boot Paxton would fail auth in lf search, so I added a second check so the first fired does not count and the second reads. This has fixed it in most cases but it may still be a bit touchy when using the tin foil. As a result the initial scan when on Hitag2 takes a little longer but makes the detection for Paxton more reliable.
- There is no Pax 10 support.
- Aware that the padded Paxton ID is still in the dump file for switch2 dumps, it is harmless and not consumed, can be removed at a later date.
Things I reverted for now:
- Workflow is back to your original
- Readme is back to your original.
There are many other smaller fixes throughout addressing many different things; these were just some of the notable mentions. While I tried to make this PR more compatible with the no-flash version for easier integration, there may still be some things that are not fully compatible or genuinely broken/different in the circa 2022 firmware.
I also have not extensively tested that all of these changes are working fine on the no-flash version, as my intention was to not support it, so there may be hidden bugs on the no-flash version (also likely a few still lingering in the flash version too). But in the interest of getting out the many improvements I have made, I decided to attempt to fix what I knew immediately would have been an issue (the new simulation options added, which is done).
Hitag2 Detection Notes:
Iceman removed Valid Hitag2 keyword for Hitag2 so it would never trigger with its current Valid Keyword. Tested and working on the iCopy-XS without any PM3 modifications or tricks, just needed to place the card (not a fob) at the back of the iCopy reader, not the front. (Tested on my latest Flash Version)
Paxton Scan/Read/Write Notes:
Using some tricks for this one (tin foil) and a Paxton card and reading from the back of the machine, not the front, gives me more than enough of a read to implement full scan/read and write support baked in as it should be. When dumping the Paxton it will dump blocks 4,5,6,7 and concatenate them for block writing; it will additionally create an EM410x dump with the padded Paxton ID only for Net2 so there is a padded EM410x Paxton ID file ready for a downgrade attack. I have tested Net2/Switch2 cards and fobs with the tinfoil and both detect fine. The Padded Pax ID is used for both Net2 and Switch2 for the filename convention, though this can be changed. For cloning/writing it is assumed Paxton to Paxton, not Paxton to Non-Paxton Hitag2.
This support would not have been possible without Equip, who I owe a huge thanks to for his in-depth knowledge of Paxton and the information, dumps and support he provided me during the course of this implementation that helped me shape the way this is implemented, thank you!
Paxton/Hitag2 TL;DR - This fixes Hitag2 detection and adds Paxton Net2/Switch2 scan/read/write support with additional EM410x dump for downgrade attack for Net2.