Cloning my work ID

I’m trying to clone my work ID to my NExT but I’m not sure I’m doing it right. When I do lf search I get:

[+] [C1k35s  ] HID Corporate 1000 35-bit std    FC: XXX  CN: XXXXXX  parity ( ok )
[=] found 1 matching format 
[+] DemodBuffer:
[+] XXXXXXXXXXXXXXXXXXXXXXXXX

[=] raw: 00000000000000XXXXXXXXXX

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

So I tried lf hid clone -r 00000000000000XXXXXXXXXX and verified that when I read it back I got the same raw value, but my work reader doesn’t even give me a beep to let me know it was declined. So I looked at the lf em 4x05 commands and I tried a dump and I get this:

[=] Found a EM4305 tag

[=] Addr | data     | ascii |lck| info
[=] -----+----------+-------+---+-----
[=]   00 | XXXXXXXX | ....  | ? | Info/User
[=]   01 | XXXXXXXX | ....  | ? | UID
[=]   02 |          |       |   | Password   write only
[=]   03 |          |       |   | User       read denied
[=]   04 |          |       |   | Config     read denied
[=]   05 |          |       |   | User       read denied
[=]   06 |          |       |   | User       read denied
[=]   07 |          |       |   | User       read denied
[=]   08 |          |       |   | User       read denied
[=]   09 |          |       |   | User       read denied
[=]   10 |          |       |   | User       read denied
[=]   11 |          |       |   | User       read denied
[=]   12 |          |       |   | User       read denied
[=]   13 |          |       |   | User       read denied
[=]   14 |          |       |   | Lock       read denied
[=]   15 |          |       |   | Lock       read denied

I’m not sure what to do with that.

1 Like

You are on the right lines but I think the wrong value. Try lf hid clone xxxxxxxxxx with the demod value rather than the raw value.

1 Like

When I try that I get:

[=] Preparing to clone HID tag using raw XXXXXXXXXXXXXXXXXXXXXXXXX
[#] Tags can only have 84 bits
[=] You can cancel this operation by pressing the pm3 button

1 Like

Try

lf hid read

And you should get something like

[+] [H10301] - HID H10301 26-bit; FC: 118 CN: 1603 parity: valid

But with [C1k35s] you will either get a raw code that you can use in

lf hid clone -r

Or an FC and CN as shown above.

If the latter use

lf hid clone -w C1k35s --fc xxxx --cn yyyy

You did list the edited out FC and CN already.

1 Like

OOooohhhhh! It’s the -w C1k35s that I couldn’t figure out! I didn’t know where the -w argument came from.

1 Like

wiegand list will list all of the -w formats it knows.

1 Like

Perfect! Thank you! I’ll let you know how it goes tomorrow!

1 Like

If the clone can now be read with the Proxmark3 (it should look identical with the lf hid read) then any remaining issues are with the reader.

Do you know what make and model the reader is? Search online and hopefully you can find an internal shot that shows where the antenna is.

You usually want to swipe across part of the antenna, rather than just placing it in the middle.

2 Likes

That makes me think it is a placement issue rather than a format issue. If you have an lf xled detector you should be able to move it around on the pad to see where the signal is brightest.

1 Like

The info does look identical now when I scan my badge and my NExT. The reader is a HID multiCLASS SE RP15. I’m looking for pictures of the antenna now.

Good call! I have the xField Detectors that came with the bundle I got.

1 Like

Unfortunately it looks like that reader is fully potted with resin. So unless someone bought one deliberately to take it apart (and found a way to remove the resin) the xfield detector is your best bet.

1 Like

Sounds good! I’ll do some digging tomorrow. Thankfully I’m one of the few people in the office now so there’s no one to try to avoid! LOL!

1 Like

I still can’t scan my implant on the work reader. I used the LF xField Detector to try to find the hot spot but was unsuccessful. I ran it slowly over the whole face of the reader horizontally, vertically, at 45 degrees and -45 degrees but it never lit up. Testing with my work badge it can be read ~2" away. I guess the next step is to try to clone my badge to another card and try that.

this

2 Likes

Can you also try your diagnostic card and let us know if the HF LED also lights up.

This should also show you how the reader is searching for cards…ie. constant / pulsing

1 Like

I cloned my badge to a T5577 card but I still get nothing on the reader. The diagnostic card lights up the HF side which is weird because the TagInfo app on my phone won’t scan the badge and my ProxMark3 gives me the info that I posted above:

[+] [C1k35s  ] HID Corporate 1000 35-bit std    FC: XXX  CN: XXXXXX  parity ( ok )
[=] found 1 matching format 
[+] DemodBuffer:
[+] XXXXXXXXXXXXXXXXXXXXXXXXX

[=] raw: 00000000000000XXXXXXXXXX

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

[=] Found a EM4305 tag

[=] Addr | data     | ascii |lck| info
[=] -----+----------+-------+---+-----
[=]   00 | XXXXXXXX | ....  | ? | Info/User
[=]   01 | XXXXXXXX | ....  | ? | UID
[=]   02 |          |       |   | Password   write only
[=]   03 |          |       |   | User       read denied
[=]   04 |          |       |   | Config     read denied
[=]   05 |          |       |   | User       read denied
[=]   06 |          |       |   | User       read denied
[=]   07 |          |       |   | User       read denied
[=]   08 |          |       |   | User       read denied
[=]   09 |          |       |   | User       read denied
[=]   10 |          |       |   | User       read denied
[=]   11 |          |       |   | User       read denied
[=]   12 |          |       |   | User       read denied
[=]   13 |          |       |   | User       read denied
[=]   14 |          |       |   | Lock       read denied
[=]   15 |          |       |   | Lock       read denied

Did you do an HF SEARCH with your proxmark3 on your work badge? Could be dual frequency and still use a chip your phone can’t scan or doesn’t understand.

1 Like

I didn’t. I’ll do that tonight when I get home.

That is exactly what I thought, what I was going to ask next and why I asked this

however,

I was/am confused by that.

Out of curiosity, can you try an NFC Tools scan (remembering that it is not as accurate at chip identification as TagInfo, but I would like to see if it is “seeing” anything)