Cloning my work ID

That makes me think it is a placement issue rather than a format issue. If you have an lf xled detector you should be able to move it around on the pad to see where the signal is brightest.

1 Like

The info does look identical now when I scan my badge and my NExT. The reader is a HID multiCLASS SE RP15. I’m looking for pictures of the antenna now.

Good call! I have the xField Detectors that came with the bundle I got.

1 Like

Unfortunately it looks like that reader is fully potted with resin. So unless someone bought one to deliberately to take it apart (and found a way to remove the resin) the xfield detector is your best bet.

1 Like

Sounds good! I’ll do some digging tomorrow. Thankfully I’m one of the few people in the office now so there’s no one to try to avoid! LOL!

1 Like

I still can’t scan my implant on the work reader. I used the LF xField Detector to try to find the hot spot but unsuccessful. I ran it slowly over the whole face of the reader horizontally, vertically, at 45 degrees and -45 degrees but it never lit up. Testing with my work badge it can be read ~2" away. I guess the next step is to try to clone my badge to another card and try that

this

2 Likes

Can you also try your diagnostic card
:card_diagnostic_dt:
and let us know if the HF led also lights up.

This should also show your how the reader is searching for cards…ie. constant / pulsing

1 Like

I cloned my badge to a T5577 card but I still get nothing on the reader. The diagnostic card lights up the HF side which is weird because the TagInfo app on my phone won’t scan the badge and my ProxMark3 I gives me the info that I posted above:

[+] [C1k35s  ] HID Corporate 1000 35-bit std    FC: XXX  CN: XXXXXX  parity ( ok )
[=] found 1 matching format 
[+] DemodBuffer:
[+] XXXXXXXXXXXXXXXXXXXXXXXXX

[=] raw: 00000000000000XXXXXXXXXX

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

[=] Found a EM4305 tag

[=] Addr | data     | ascii |lck| info
[=] -----+----------+-------+---+-----
[=]   00 | XXXXXXXX | ....  | ? | Info/User
[=]   01 | XXXXXXXX | ....  | ? | UID
[=]   02 |          |       |   | Password   write only
[=]   03 |          |       |   | User       read denied
[=]   04 |          |       |   | Config     read denied
[=]   05 |          |       |   | User       read denied
[=]   06 |          |       |   | User       read denied
[=]   07 |          |       |   | User       read denied
[=]   08 |          |       |   | User       read denied
[=]   09 |          |       |   | User       read denied
[=]   10 |          |       |   | User       read denied
[=]   11 |          |       |   | User       read denied
[=]   12 |          |       |   | User       read denied
[=]   13 |          |       |   | User       read denied
[=]   14 |          |       |   | Lock       read denied
[=]   15 |          |       |   | Lock       read denied

did you do an HF SEARCH with your proxmark3 on your work badge? could be dual frequency and still use a chip your phone can’t scan or doesn’t understand.

1 Like

I didn’t. I’ll do that tonight when I get home.

That is exactly what I thought, what I was going to ask next and why I asked this

however,

I was/am confused by that.

Out of curiosity, can you try an NFC Tools scan (remembering that it is not as accurate at chip identification as TagInfo, but I would like to see if it is “seeing” anything)

Nothing on NFC Tools either.

Weird, do you have another HF card you can test your phone with…if you haven’t already.

Not to suck eggs, but just to cover off the possibilities.

NFC turned on
Screen Turned on
Phone cover removed
Use DT Diagnostic Card :card_diagnostic_dt: to check NFC
Try another HF access card
Google you phone’s NFC antenna location or check

I can scan my xSIID and NExT just fine with the phone. Just double checked both to be sure everything’s good there. I appreciate that line of thinking though. Simple things often get overlooked.

yeah, I am just clutching at straws here…:man_shrugging:
hoping for simple, expecting something less so.

Amals suggestion is looking more likely

My guess is it is a iClass possibly SE

but I belive HID do a UHF rain / ucode or something like that, which your phone wouldn’t see…but then your :card_diagnostic_dt: HF

tenor

Agreed! Hopefully the ProxMark has the answers!

So, hf search did the trick. I got this: Valid iCLASS tag / PicoPass tag found. I didn’t realize that because when I did auto before it did the LF scan first and found the other chip.

Doing hf iclass info gets me this:

[=] --------------------- Tag Information ----------------------
[+]     CSN: B1 83 40 0F FF FF 12 E0  uid
[+]  Config: 12 FF FF FF F9 BF FF 3C  card configuration
[+] E-purse: D1 F7 FF FF FF FF FF FF  Card challenge, CC
[+]      Kd: 00 00 00 00 00 00 00 00  debit key, hidden
[+]      Kc: 00 00 00 00 00 00 00 00  credit key, hidden
[+]     AIA: FF FF FF FF FF FF FF FF  application issuer area
[=] -------------------- card configuration --------------------
[=]     Raw: 12 FF FF FF F9 BF FF 3C 
[=]          12.....................  app limit
[=]             FFFF ( 65535 )......  OTP
[=]                   FF............  block write lock
[=]                      F9.........  chip
[=]                         BF......  mem
[=]                            FF...  EAS
[=]                               3C  fuses
[=]   Fuses:
[+]     mode......... Application (locked)
[+]     coding....... ISO 14443-2 B / 15693
[+]     crypt........ Secured page, keys not locked
[=]     RA........... Read access not enabled
[=] -------------------------- Memory --------------------------
[=]  32 KBits/3 App Areas ( 2048 bytes )
[=]     AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=]     AA2 blocks 242 { 0x13 - 0xFF (19 - 255) }
[=] ------------------------- KeyAccess ------------------------
[=]  * Kd, Debit key, AA1    Kc, Credit key, AA2 *
[=]     Read A....... debit
[=]     Read B....... credit
[=]     Write A...... debit
[=]     Write B...... credit
[=]     Debit........ debit or credit
[=]     Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+]     CSN.......... HID range
[+]     Credential... iCLASS legacy
[+]     Card type.... PicoPass 32K with current book 16K / 2

I don’t really know what that means.

It means you’re probably going to want to keep an eye on the Announcements section. Testing commencing soon™

image

image

9 Likes

nice work team @Amal and @leumas95
:+1:

3 Likes