Cloning my work ID

Unfortunately it looks like that reader is fully potted with resin. So unless someone bought one deliberately to take it apart (and found a way to remove the resin), the xField detector is your best bet.


Sounds good! I’ll do some digging tomorrow. Thankfully I’m one of the few people in the office now so there’s no one to try to avoid! LOL!


I still can’t scan my implant on the work reader. I used the LF xField Detector to try to find the hot spot but was unsuccessful. I ran it slowly over the whole face of the reader horizontally, vertically, at 45 degrees and -45 degrees but it never lit up. Testing with my work badge, it can be read ~2" away. I guess the next step is to try to clone my badge to another card and try that.



Can you also try your diagnostic card and let us know if the HF LED also lights up.

This should also show you how the reader is searching for cards…i.e. constant / pulsing


I cloned my badge to a T5577 card but I still get nothing on the reader. The diagnostic card lights up the HF side which is weird because the TagInfo app on my phone won’t scan the badge and my ProxMark3 I gives me the info that I posted above:

[+] [C1k35s  ] HID Corporate 1000 35-bit std    FC: XXX  CN: XXXXXX  parity ( ok )
[=] found 1 matching format 
[+] DemodBuffer:

[=] raw: 00000000000000XXXXXXXXXX

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

[=] Found a EM4305 tag

[=] Addr | data     | ascii |lck| info
[=] -----+----------+-------+---+-----
[=]   00 | XXXXXXXX | ....  | ? | Info/User
[=]   01 | XXXXXXXX | ....  | ? | UID
[=]   02 |          |       |   | Password   write only
[=]   03 |          |       |   | User       read denied
[=]   04 |          |       |   | Config     read denied
[=]   05 |          |       |   | User       read denied
[=]   06 |          |       |   | User       read denied
[=]   07 |          |       |   | User       read denied
[=]   08 |          |       |   | User       read denied
[=]   09 |          |       |   | User       read denied
[=]   10 |          |       |   | User       read denied
[=]   11 |          |       |   | User       read denied
[=]   12 |          |       |   | User       read denied
[=]   13 |          |       |   | User       read denied
[=]   14 |          |       |   | Lock       read denied
[=]   15 |          |       |   | Lock       read denied

did you do an HF SEARCH with your proxmark3 on your work badge? could be dual frequency and still use a chip your phone can’t scan or doesn’t understand.


I didn’t. I’ll do that tonight when I get home.

That is exactly what I thought, what I was going to ask next and why I asked this


I was/am confused by that.

Out of curiosity, can you try an NFC Tools scan (remembering that it is not as accurate at chip identification as TagInfo, but I would like to see if it is “seeing” anything)

Nothing on NFC Tools either.

Weird, do you have another HF card you can test your phone with…if you haven’t already.

Not to suck eggs, but just to cover off the possibilities.

NFC turned on
Screen Turned on
Phone cover removed
Use DT Diagnostic Card to check NFC
Try another HF access card
Google your phone’s NFC antenna location or check

I can scan my xSIID and NExT just fine with the phone. Just double checked both to be sure everything’s good there. I appreciate that line of thinking though. Simple things often get overlooked.

yeah, I am just clutching at straws here…🤷
hoping for simple, expecting something less so.

Amal’s suggestion is looking more likely

My guess is it is an iClass, possibly SE

but I believe HID do a UHF rain / ucode or something like that, which your phone wouldn’t see…but then your :card_diagnostic_dt: HF


Agreed! Hopefully the ProxMark has the answers!

So, hf search did the trick. I got this: Valid iCLASS tag / PicoPass tag found. I didn’t realize that because when I did auto before it did the LF scan first and found the other chip.

Doing hf iclass info gets me this:

[=] --------------------- Tag Information ----------------------
[+]     CSN: B1 83 40 0F FF FF 12 E0  uid
[+]  Config: 12 FF FF FF F9 BF FF 3C  card configuration
[+] E-purse: D1 F7 FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key, hidden
[+]      Kc: 00 00 00 00 00 00 00 00  credit key, hidden
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF F9 BF FF 3C 
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      F9.........  chip
[=]                         BF......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=] -------------------------- Memory --------------------------
[=]  32 KBits/3 App Areas ( 2048 bytes )
[=]     AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=]     AA2 blocks 242 { 0x13 - 0xFF (19 - 255) }
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit
[=]     Read B....... credit
[=]     Write A...... debit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 32K with current book 16K / 2

I don’t really know what that means.
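
As an added example (not part of the original thread, and not the Proxmark3 client's own code), the Python below splits the 8-byte configuration block from the output above into its fields and decodes the fuse byte. The sample bytes are the ones posted above; the fuse bit masks, and the strings returned for fuse values other than `3C`, are assumptions based on the PicoPass fuse byte layout.

```python
# Added example: decode a PicoPass / iCLASS configuration block.
# Field order follows the "card configuration" dump posted above.
# Fuse bit masks are an assumption (PicoPass fuse byte layout).
FUSE_FPERS, FUSE_CODING1, FUSE_CODING0 = 0x80, 0x40, 0x20
FUSE_CRYPT1, FUSE_CRYPT0, FUSE_RA = 0x10, 0x08, 0x01

SAMPLE_CONFIG = "12 FF FF FF F9 BF FF 3C"  # "Raw:" line from the post


def parse_config(hex_str):
    """Split the 8-byte config block into the fields shown in the dump."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("config block must be exactly 8 bytes")
    return {
        "app_limit": raw[0],             # last block of application area 1
        "otp": raw[1:3].hex().upper(),   # kept as raw hex, no byte order assumed
        "block_write_lock": raw[3],
        "chip": raw[4],
        "mem": raw[5],
        "eas": raw[6],
        "fuses": raw[7],
    }


def aa1_blocks(app_limit):
    """AA1 starts at block 0x06 and ends at the app limit, inclusive."""
    return list(range(0x06, app_limit + 1))


def decode_fuses(fuses):
    """Translate the fuse byte into the labels used in the dump."""
    mode = ("Personalization (programmable)" if fuses & FUSE_FPERS
            else "Application (locked)")
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443-B only"
    crypt = {
        (True, True): "Secured page, keys not locked",
        (True, False): "Secured page, keys locked",
        (False, True): "Non secured page",
        (False, False): "No auth possible",
    }[(bool(fuses & FUSE_CRYPT1), bool(fuses & FUSE_CRYPT0))]
    return {"mode": mode, "coding": coding, "crypt": crypt,
            "read_access": bool(fuses & FUSE_RA)}
```

For the posted block, `decode_fuses(parse_config(SAMPLE_CONFIG)["fuses"])` reproduces the four "Fuses:" lines in the output, and `aa1_blocks(0x12)` gives the 13 blocks listed for AA1.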

It means you’re probably going to want to keep an eye on the Announcements section. Testing commencing soon™




nice work team @Amal and @NiamhAstra


Are there cards that we can copy onto that have both LF and RF (like the example given above), or can I just have a LF card and a RF card together, and it should be fine?

I’m not quite sure what you are asking, but if I’m correct, you want something like this!?

but also, you would be fine using two cards together of different frequencies

Low Frequency 125kHz
High Frequency 13.56MHz

Ah, I just saw your other post, So do you want an iClass HID?

Ah sorry for the confusion, I’m in the exact same scenario as the person here.

The work ID seems to be dual frequency.

  1. LFID - EM4x05 / EM4x69 - HID Prox ID
  2. iCLASS legacy

I now generally understand how to clone each one individually, was curious how to do either

  1. both on the same card (do such write cards exist?). or
  2. if I just use a cloned iclass card + a cloned 5577 card stacked on top of each other, will that likely work?