iCopy-X · Volume 1

iCopy-X / iCopy-XS — Overview, Decision Graph, How to Read This Series

A portable, push-button RFID/NFC cloner with Proxmark3 silicon inside — what it is, how to think about it, and where it fits in the Hack Tools lineup

1. What this series is

This is the iCopy-X / iCopy-XS deep dive — twelve volumes covering Nikola Lab and Lab401’s commercial portable RFID-NFC cloning device from end to end. The reader is assumed to be an engineer doing authorized physical-pentest work, a facility-owner self-audit, or a red-team operator who needs a portable card-cloning capability that does not require sitting at a laptop with the Proxmark3 client open. The reader is also assumed to know what RFID, NFC, MIFARE, HID Prox, and ISO 14443 mean at a conceptual level; the series builds from there to the operational depth needed to actually use the iCopy-X effectively.

The position of the iCopy-X in the Hack Tools hub is specific. It is the only portable, standalone, push-button RFID cloning tool covered in any depth. The Proxmark3 RDV4 — the sibling tool that shares almost identical silicon — is treated separately as a lab-grade research instrument with a full client SDK. The Flipper Zero is treated as a multi-tool whose RFID capability is one of many; it is not, and is not trying to be, the iCopy-X. Cheap AliExpress “handheld duplicators” are treated in Vol 11 (Comparisons) as the contrast at the low end — they can copy a HID Prox UID and nothing else, and they cannot decode MIFARE keys at all.

The twelve volumes are:

| Vol | Title |
|---|---|
| 1 | Overview, decision graph, how to read this series (this volume) |
| 2 | Hardware tour — case, LCD, buttons, coils, the NanoPi NEO + Proxmark3 + FPGA + STM32 stack, microSD, USB-C, battery, teardown |
| 3 | RFID / NFC primer — LF and HF physics, ISO 14443A/B and 15693, why some cards crack and others do not |
| 4 | LF tag families in scope — EM4XX, T5577, HID Prox, Indala, AWID, ioProx, Viking, HITAG, all the legacy access-control technologies |
| 5 | HF tag families in scope, Part 1 — the MIFARE family (Classic, Ultralight, NTAG) and the darkside / nested / hardnested key-recovery attacks |
| 6 | HF tag families in scope, Part 2 — iCLASS Legacy / Elite / SE / SEOS, ISO 15693, FeliCa, Legic, and what the iCS Decoder Tool unlocks |
| 7 | Operating modes Part 1 — Auto Clone, Scan, Read LF / Read HF, Sniff for MIFARE keys |
| 8 | Operating modes Part 2 — Emulation LF / HF, and the Expert / Proxmark Mode escape hatch |
| 9 | Card-stock ecosystem — T5577 universal LF blanks, MIFARE Magic Gen1a / Gen2 / Gen3, iCLASS / SEOS blanks, why “Genuine” packs cost more |
| 10 | Firmware update workflow + the iCopy-X-Community teardown and upstream repos + the partial open-source story |
| 11 | Side-by-side comparisons — iCopy-X vs Proxmark3 RDV4 vs Flipper Zero vs cheap handheld duplicators vs ChameleonMini |
| 12 | Legal, ethics, posture, cheatsheet, glossary |

The series is meant to be read end-to-end the first time and then dipped into as a reference. Most readers in physical-pentest work need Vol 2 (what’s actually inside this thing), Vol 7 + Vol 8 (the operating modes), Vol 9 (which blank card to use), and Vol 12 (the legal envelope and the cheatsheet) as the load-bearing volumes for day-to-day work. The card-technology volumes (Vols 3, 4, 5, 6) are read once and referred back to when a new technology appears in the field. The firmware and comparison volumes (10, 11) are for when a decision needs to be defended in writing — to a client, to compliance, to a security committee.

2. What the iCopy-X is, briefly

The iCopy-X is a handheld appliance — about the size of a small TV remote, 120 × 55 × 24 mm, 113 g — that reads and clones RFID and NFC cards across the entire low-frequency (125 kHz) and high-frequency (13.56 MHz) bands used by physical access-control systems. Its enclosure has a 1.3-inch 240 × 240 colour LCD on the top face, a 4-button keypad below the screen, an internal microSD card with a pre-loaded 16 GB image, a USB-C port for charging and host communication, and a 2000 mAh lithium battery. The bottom face is the antenna PCB, which carries the LF and HF coils in a single integrated layout. The whole device runs on a Nikola Lab firmware image that boots into a vendor-branded UI immediately on power-on.

The headline feature is the Auto Clone mode — a single key sequence that scans whatever card is held against the antenna, identifies the technology, decodes the relevant identity bits (UID, page contents, sector data with keys where required), and writes those bits to an appropriate blank card held against the same antenna. For the supermajority of authorized physical-pentest tasks — duplicating a maintenance worker’s HID Prox card to a T5577 blank, or copying a MIFARE Classic 1K hotel-room key onto a Magic Gen2 card — Auto Clone is the entire workflow. The other operating modes (Vol 7, Vol 8) exist for the cases where Auto Clone cannot complete on its own: cards whose keys must first be recovered through a sniffing attack, cards whose UID cannot be written to a generic blank, and the edge cases where dropping to Proxmark3 expert mode is necessary.

There are three product tiers as of mid-2026 (prices in EUR direct from icopyx.com): Basic at €375, Intermediate at €465, and Advanced at €530. The differences are in the blank-card stock included in the box; the device hardware and firmware are identical across tiers. The Lab401 distribution channel adds VAT and varies the blank-card pack composition slightly depending on region. The optional iCS Decoder Tool (Vol 6) is sold separately and adds iCLASS SE / SEOS decoder capability to a device that already has the base iCLASS Legacy / Elite support shipped in firmware. As of mid-2026 the iCS Decoder is an add-on of about €200, sold only through Lab401 and a handful of authorized resellers.

3. Hardware-at-a-glance — and the surprising open-source story

The framing of the iCopy-X in the 2026-05-24 scaffold called it “a closed appliance with a closed-source vendor firmware.” That framing was half wrong, and the half that is right is more nuanced than it appears.

Below the application layer — the user-facing Python and Node.js software running on the Linux side — the iCopy-X is built on extensively open hardware and substantially open firmware. The relevant components:

| Component | What it does | Open-source status |
|---|---|---|
| NanoPi NEO (FriendlyARM SBC) | The Linux application processor: Allwinner H3 quad-core Cortex-A7 at 1.2 GHz, 256 MB RAM, runs OpenWrt | NanoPi NEO board fully open (FriendlyARM); Allwinner H3 has well-documented mainline Linux support |
| Atmel AT91SAM7S512 (ARM7TDMI MCU) | The RFID protocol brain — the canonical Proxmark3 MCU, implements ISO 14443A/B, ISO 15693, and the LF tag state machines on top of the FPGA-managed RF. The same silicon as in the Proxmark3 RDV4. | Firmware lineage open (the Proxmark3 RRG fork); Nikola Lab maintains an internal fork with iCopy-X-specific commands |
| Xilinx Spartan-3 XC3S100E FPGA | The Proxmark3 RF modem — receives and transmits the 125 kHz LF and 13.56 MHz HF carrier modulation patterns | Verilog source open (Nikola-Lab/icopy_fpga_3s_0921); contributed to Proxmark3-RRG mainline August 2021 and currently lives in the unified fpga/ directory as fpga_icopyx_*.bit/.v alongside the standard PM3 variants |
| STM32F103 housekeeping MCU | LCD interface, keypad scanner, audio amplifier, RTC, and power coordination — NOT the RFID protocol layer (that’s the SAM7S512 above). Three-processor architecture: NanoPi NEO = Linux apps, SAM7S512 + FPGA = RFID, STM32F103 = housekeeping. | Firmware source open (Nikola-Lab/icopy_stm32), MIT-licensed. The vendor describes this MCU as the “HMI controller”. |
| LF coil + HF coil + matching network | The antenna PCB carrying the two air-loop coils, their resonant capacitors, and the analog front end into the FPGA | Schematics and Gerbers open (Nikola-Lab/icopy_hw_ant_pcb) |
| Main PCB (the “green PCB”) | The integration board: holds the FPGA, the STM32, the LCD interface, the keypad scanner, the power supply, the battery management, and the USB-C bridge | Schematics and Gerbers open (Nikola-Lab/icopy_hw_main_pcb); a partial bill-of-materials extractable from the PCB schematic PDF |
| FPC connector PCB | The flexible printed circuit linking the main PCB to the NanoPi NEO | Schematics and Gerbers open (Nikola-Lab/icopy_hw_usb_fpc) |
| Linux distribution image | The OpenWrt image that boots on the NanoPi NEO — kernel, root filesystem, the Lab401 application bundle | Mixed — OpenWrt itself is open; the Lab401 application bundle on top is closed and is delivered as the .ipk package the firmware update workflow handles |
| The user-facing Python / Node.js application | The on-device UI, the seven operating modes, the .ipk update mechanism, the per-device serial-bound packaging | Closed; this is what the icopyx.com firmware-update form generates per device |

The community work to map all this out lives at iCopy-X-Community/icopyx-teardown (the original teardown / forensics / nanopi-neo / networking / operations notes, last pushed 2021-10-15) and iCopy-X-Community/icopyx-upstream (the catalog of which official Nikola-Lab sources have been released, last pushed 2021-08-25). Both repos are essentially in maintenance — the major releases happened in mid-to-late 2021 when the vendor honoured the Proxmark3 GPL-derivation obligation and pushed the hardware schematics, FPGA Verilog, and STM32 firmware sources public. The Linux application layer is still closed, and the firmware-update mechanism is bound per-device by serial number — the .ipk package that updates a specific iCopy-X cannot be transferred to a different unit, and the per-device packaging is the copy-protection mechanism that prevents one user’s update from being redistributed.

What this means practically for someone holding an iCopy-X:

  • The radio hardware is verifiable from schematics. You can confirm the LF and HF front-end designs, the FPGA bitstream architecture, the STM32 protocol implementations. None of the RF behaviour is mysterious.
  • The firmware update process requires you to keep using the vendor’s per-device build pipeline. You cannot self-build a firmware image; you cannot share one with another user; the device is fundamentally tied to Lab401’s customer-support workflow for updates (Vol 10 §4).
  • The Lab401 / icopyx.com vendor support relationship is structural. If the company disappears, the existing devices keep working but cannot be updated. The community-supplied open-source layers (PM3 firmware, FPGA bitstream, STM32 firmware) could in principle replace the closed layer, but no community group has built that alternative as of mid-2026 — and doing so would require porting the RF state machines into a UI that ran on the NanoPi NEO Linux, which is a project on the scale of writing a new Proxmark3 client from scratch.

This combination — open hardware, open low-level firmware, closed application UI, vendor-tied update pipeline — is unusual in the RFID-tool space. Proxmark3 RDV4 is end-to-end open; Flipper Zero is open enough to support an extensive third-party firmware ecosystem (Momentum, Xtreme, etc.); cheap AliExpress duplicators are entirely closed and have no community footprint. The iCopy-X occupies a middle position: the hardware is buildable in principle, the radio firmware is community-auditable, but the appliance experience is a vendor product that you pay for.

Vol 2 walks the hardware in detail — what the schematics show, what the FPGA bitstream does, how the STM32 firmware structures its RFID state machines, and where the LCD / keypad / battery / power-supply / USB-C subsystems hang off the main PCB. Vol 10 covers the firmware update workflow, the per-device packaging mechanism, and the open-source upstream repos in operational detail.

4. Decision graph — when iCopy-X wins, when something else wins

The iCopy-X is the right tool for a specific cluster of physical-pentest tasks. Outside that cluster, other tools are better — and a good engineer chooses based on the task, not on which tool happens to be in the bag.

The decision graph at the top level is portability versus capability. A small portable cloner that lives in a jacket pocket and runs on its own battery is enormously useful in the field — but only if it actually does the thing the field task requires. A laptop-tethered Proxmark3 RDV4 in a research-grade lab setting has access to every possible RFID research capability, but the operator cannot walk a hallway with it. The iCopy-X is at one extreme of this tradeoff; the Proxmark3 RDV4 is at the other.

The detailed decision graph runs roughly like this:

What is the task?

  Clone an HID Prox / iCLASS Legacy / MIFARE Classic / EM4XX card
  to a blank, in a hallway or office, without setting up a laptop?
    --> iCopy-X. This is its native use case.

  Recover MIFARE Classic keys from a card whose keys you do not know,
  in the field, without laptop access?
    --> iCopy-X has Sniff mode + darkside + nested + hardnested
        recovery on board. It will work. Slower than a tethered
        Proxmark3 because the H3 has less compute, but it works.

  Clone an iCLASS SE / SEOS card?
    --> iCopy-X PLUS the iCS Decoder Tool. The base iCopy-X cannot
        do this; the iCS Decoder is the add-on that unlocks it.
        Without the add-on, the card reads as encrypted nonsense.

  Read an ISO 15693 iCODE SLIX (modern library-book / inventory tag)?
    --> iCopy-X supports this partially. For SLIX with the privacy
        protection enabled, you may need to drop to Proxmark mode
        (Vol 8) to get the full sequence working.

  Sniff a transit card / contactless payment card / passport?
    --> Use a Proxmark3 RDV4 in a lab. The iCopy-X is for cloning
        identity tokens you are authorized to duplicate, not for
        eavesdropping on payment systems or passport data — both of
        which sit firmly inside criminal-law tripwires regardless
        of intent. The iCopy-X firmware does not have explicit
        legal guardrails here; the operator's restraint is the
        guardrail (Vol 12).

  Build a custom RFID experiment — your own protocol, a new
  attack on an existing one, your own emulation patterns?
    --> Proxmark3 RDV4 with the open client SDK. The iCopy-X is
        a closed application layer; you cannot extend it with scripts.

  Just need to read a UID and copy it to a UID-only blank?
    --> Honestly, a $30 AliExpress handheld duplicator does this.
        The iCopy-X is overkill for this single task. Buy a $30
        duplicator AND an iCopy-X if you do this often — the
        duplicator is faster to whip out for the simple cases.

  Demonstrate a Wi-Fi / Bluetooth / sub-GHz / infrared / GPIO /
  BadUSB capability alongside the RFID work?
    --> Flipper Zero. The iCopy-X is RFID/NFC only. The Flipper is
        a multi-tool whose RFID is one capability among many; its
        RFID is weaker than the iCopy-X (much smaller antennas,
        lower transmit power, fewer technologies supported) but
        its breadth is what justifies it.

  Need lab-grade key-recovery analytics, custom dictionary attacks,
  or scripted batch operations?
    --> Proxmark3 RDV4. The iCopy-X has Expert / Proxmark Mode but
        it is intended as an escape hatch, not as the day-to-day
        interface (Vol 8 §5). Lab work belongs in the lab.

The right mental model is that the iCopy-X covers the field-ready 80 percent of authorized physical-pentest RFID work, and the Proxmark3 RDV4 covers the research-grade remainder. They are complementary, not competitive. An operator with both has the right tool for every situation; an operator with only the Proxmark3 RDV4 cannot work effectively in the field without laptop access; an operator with only the iCopy-X cannot do the research and analysis work that turns a difficult card into a clonable card.

5. Pricing, what’s in the box, the blank-card story

Lab401 and icopyx.com sell the iCopy-X in three tiers as of mid-2026:

| Tier | Price (EUR, from icopyx.com) | Blank cards included | Typical use |
|---|---|---|---|
| Basic | €375 | A small starter pack of T5577 LF blanks and MIFARE Magic Gen2 HF blanks | Single-engagement pentest where the operator brings their own blank stock for ongoing work |
| Intermediate | €465 | Larger pack including iCLASS Legacy blanks and a wider HF assortment | Pentest practice where the operator runs multiple engagements and wants the most-common blanks pre-stocked |
| Advanced | €530 | Largest pack including iCLASS-compatible blanks for SE/SEOS work (you still need the iCS Decoder Tool to actually use them) | Full physical-pentest practice expecting to encounter the full range of card technologies |

The iCopy-X device itself, plus the USB-C cable and a basic stylus, is identical across all three tiers. The price difference is entirely the blank-card stock. The operator can also buy the Basic tier and source blanks separately from Lab401’s à la carte blank-card SKUs, or from third-party suppliers, with the catch that Lab401’s “Genuine” packs are explicitly tested against the iCopy-X firmware and the cheaper AliExpress alternatives have higher batch-to-batch variability in the OTP / lock-bit configuration of the magic-write commands. Vol 9 covers the blank-card ecosystem in detail; the short version is that for any reader who plans to do this work professionally, the cost of a failed clone in front of a client far exceeds the price difference between a Lab401 pack and an AliExpress pack, and the Lab401 packs are worth it for the predictable behaviour alone.

The iCS Decoder Tool — the iCLASS SE / SEOS decoder add-on — is sold separately at approximately $488 USD (~€450) as of mid-2026, available only from Lab401 and a small number of authorized resellers. It is a separate physical USB-C accessory device (~90 × 55 × 24 mm, 60 g), NOT a firmware unlock or accessory antenna. It connects to the iCopy-X over USB-C and decodes captured SE/SEOS data, re-encoding it in legacy iCLASS format that the iCopy-X can then write to a compatible blank. The trick is that the re-encoded credential only works against readers that still accept legacy iCLASS SIO format alongside SE/SEOS — empirically about 85% of deployments (HID’s default reader configuration includes legacy acceptance for backward compatibility). The remaining ~15% of deployments are SE/SEOS-only and reject the legacy re-encoding. The iCS Decoder is not bound to a specific iCopy-X serial number; it works with any iCopy-X running sufficiently recent firmware. The accessory ships with 3 OTW-compatible blank cards and a USB-C cable. Vol 6 §3 covers the iCS Decoder in full operational detail.

Every RFID and NFC tool covered in the Hack Tools hub operates under a single baseline rule: own the hardware you are working on, or have explicit written authorization from the owner. The ../_shared/legal_ethics.md document at the project level is the canonical statement of this rule; this volume and the rest of the iCopy-X series operate inside it.

What that rule looks like for the iCopy-X specifically:

The tool’s headline use case — Auto Clone — is functionally indistinguishable between authorized and unauthorized use. The device cannot know whether the operator owns the card being held against the antenna or whether the operator has authorization to clone it. The legal envelope is entirely on the operator’s side. In practice, every legitimate operator has documentation in their bag: a signed pentest scope, a facility owner’s written authorization, a corporate red-team charter, an OSCP-style engagement letter. The documentation is not paranoia — it is the difference between professional security work and a charge under the CFAA in the United States or its equivalents elsewhere.

Within that envelope, several specific use cases sit on top of bright legal lines that this series will not help the operator cross:

  • Payment cards (EMV contactless, Apple Pay / Google Pay token-bearing devices) are out of scope. The iCopy-X firmware does not specifically target them; the operator should not either. Cloning a payment card moves the operator’s exposure from CFAA territory into the much harsher EFT and bank-fraud statutes.
  • Passports and government identity documents are out of scope. ICAO 9303 passports use BAC / PACE / EAC authentication and the iCopy-X’s antenna will read the basic UID layer; doing more than that moves the operator into federal identity-document tampering exposure.
  • Transit cards in the supermajority of metropolitan systems can technically be read by the iCopy-X, and in many systems can be partially modified. Modifying a transit card to obtain free or fraudulent rides is theft of service and is not what the iCopy-X is for; the legal exposure is similar to (if smaller than) payment-card fraud.

The legitimate use cases — what this series is genuinely for — are physical-pentest of corporate access control (HID Prox at the door, MIFARE Classic at the elevator, iCLASS SE / SEOS at the secure floor), facility-owner self-audit (the building owner cloning a contractor’s badge to test what the contractor could do with it), and red-team engagements with documented client authorization. Vol 12 is the long-form treatment of all of this with the laminate-ready cheatsheet, the international variations on the relevant statutes, and the “what to keep in the engagement folder” reference.

7. Where this fits in the Hack Tools lineup

The iCopy-X is the only purpose-built portable RFID cloner in the lineup. Its closest relatives by category are:

  • Proxmark3 RDV4 — the lab sibling. Same FPGA bitstream lineage, same STM32 protocol layer at the silicon level, but with the full open-source client SDK on a laptop instead of a closed appliance UI. The relationship is genuinely intimate: the iCopy-X is, architecturally, a portable Proxmark3 with extra application software on top. Vol 11 covers the comparison in detail.
  • Flipper Zero — the multi-tool sibling. RFID is one of many Flipper capabilities; its RFID is weaker than the iCopy-X (smaller antennas, lower power, fewer tag families) but its sub-GHz, NFC, infrared, BadUSB, and GPIO capabilities make it the right choice when an operator is doing more than just RFID. The Flipper does not have iCLASS or SEOS support at all in mainline firmware (Momentum / Xtreme add some); the iCopy-X has both natively (SEOS via the iCS Decoder).
  • The cheap AliExpress handheld duplicators — the low-end sibling. They are UID-only, cannot recover keys, cannot emulate, cannot decode iCLASS or SEOS. They are useful for trivial HID Prox cloning and for nothing else. Vol 11 covers why an operator might want one of these in addition to an iCopy-X (they are fast and disposable; an iCopy-X is a substantial investment to risk in casual demonstration contexts).
  • The ChameleonMini and ChameleonUltra — the emulation-focused sibling. These are NFC-only (no LF) and emulation-only (no card-cloning to physical blanks). They have a place in a workflow that depends on emulating a captured card without ever materialising it on physical stock, which is sometimes a desired authorisation strategy for engagements where the test must leave no physical artifact.

Cross-references into the broader Hack Tools knowledge base that will recur throughout this series:

8. How to use this series day-to-day

The series is structured so that the first read-through is end-to-end and subsequent visits are spot-checks. For day-to-day use the right approach is:

  • Before an engagement: read Vol 12 (legal / posture) and check Vol 11 (comparison) to confirm the iCopy-X is the right tool for the scope. If the scope includes iCLASS SE or SEOS work, confirm the iCS Decoder Tool is on hand (Vol 6 §5) and that the blank-card stock includes the right SE/SEOS-compatible blanks (Vol 9 §4).
  • During an engagement: keep the cheatsheet (Vol 12 §4) accessible. The operating-mode quick reference (Vol 7 + Vol 8) is the load-bearing reference when something does not auto-clone on the first try.
  • After an engagement: review what cards were encountered. If new technologies appeared, read the relevant card-technology volume (Vol 3 for the primer, Vols 4–6 for the family-specific depth). Update any blank-card inventory notes (Vol 9) and adjust the next engagement’s pre-flight checklist accordingly.

When the iCopy-X firmware is updated (Vol 10 covers the per-device .ipk workflow), revisit Vols 7 and 8 for the operating-mode reference; firmware updates have historically added new technologies and refined the menu structure, and a stale memory of where Sniff mode lives in the menu has cost more than one operator an embarrassing pause in front of a client.

The series is current as of the iCopy-X 2.0 firmware family — the major firmware revision that introduced the iCS Decoder Tool support. Firmware revisions within the 2.0 family typically add tag families or refine recovery algorithms without restructuring the operating modes; major firmware-version changes (a future iCopy-X 3.0) would require a substantive update to Vol 7 and Vol 8 specifically. The dated note at the top of each volume tracks the most recent revision.

9. Resources