I still can’t scan my implant on the work reader. I used the LF xField Detector to try to find the hot spot but was unsuccessful. I ran it slowly over the whole face of the reader horizontally, vertically, at 45 degrees and -45 degrees but it never lit up. Testing with my work badge it can be read ~2" away. I guess the next step is to try to clone my badge to another card and try that.
this
Can you also try your diagnostic card and let us know if the HF LED also lights up.
This should also show you how the reader is searching for cards…i.e. constant / pulsing
I cloned my badge to a T5577 card but I still get nothing on the reader. The diagnostic card lights up the HF side, which is weird because the TagInfo app on my phone won’t scan the badge and my ProxMark3 gives me the info that I posted above:
[+] [C1k35s ] HID Corporate 1000 35-bit std FC: XXX CN: XXXXXX parity ( ok )
[=] found 1 matching format
[+] DemodBuffer:
[+] XXXXXXXXXXXXXXXXXXXXXXXXX
[=] raw: 00000000000000XXXXXXXXXX
[+] Valid HID Prox ID found!
[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands
[=] Found a EM4305 tag
[=] Addr | data | ascii |lck| info
[=] -----+----------+-------+---+-----
[=] 00 | XXXXXXXX | .... | ? | Info/User
[=] 01 | XXXXXXXX | .... | ? | UID
[=] 02 | | | | Password write only
[=] 03 | | | | User read denied
[=] 04 | | | | Config read denied
[=] 05 | | | | User read denied
[=] 06 | | | | User read denied
[=] 07 | | | | User read denied
[=] 08 | | | | User read denied
[=] 09 | | | | User read denied
[=] 10 | | | | User read denied
[=] 11 | | | | User read denied
[=] 12 | | | | User read denied
[=] 13 | | | | User read denied
[=] 14 | | | | Lock read denied
[=] 15 | | | | Lock read denied
Did you do an HF SEARCH with your proxmark3 on your work badge? Could be dual frequency and still use a chip your phone can’t scan or doesn’t understand.
I didn’t. I’ll do that tonight when I get home.
That is exactly what I thought, what I was going to ask next and why I asked this
however,
I was/am confused by that.
Out of curiosity, can you try an NFC Tools scan (remembering that it is not as accurate at chip identification as TagInfo, but I would like to see if it is “seeing” anything)
Weird, do you have another HF card you can test your phone with…if you haven’t already.
Not to suck eggs, but just to cover off the possibilities.
- NFC turned on
- Screen turned on
- Phone cover removed
- Use DT Diagnostic Card to check NFC
- Try another HF access card
- Google your phone’s NFC antenna location or check
I can scan my xSIID and NExT just fine with the phone. Just double checked both to be sure everything’s good there. I appreciate that line of thinking though. Simple things often get overlooked.
yeah, I am just clutching at straws here…
hoping for simple, expecting something less so.
Amal’s suggestion is looking more likely
My guess is it is an iClass, possibly SE
but I believe HID do a UHF rain / ucode or something like that, which your phone wouldn’t see…but then your HF
Agreed! Hopefully the ProxMark has the answers!
So, `hf search` did the trick. I got this: `Valid iCLASS tag / PicoPass tag found`. I didn’t realize that because when I did `auto` before it did the LF scan first and found the other chip.
Doing `hf iclass info` gets me this:
[=] --------------------- Tag Information ----------------------
[+] CSN: B1 83 40 0F FF FF 12 E0 uid
[+] Config: 12 FF FF FF F9 BF FF 3C card configuration
[+] E-purse: D1 F7 FF FF FF FF FF FF Card challenge, CC
[+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
[+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
[+] AIA: FF FF FF FF FF FF FF FF application issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF F9 BF FF 3C
[=] 12..................... app limit
[=] FFFF ( 65535 )...... OTP
[=] FF............ block write lock
[=] F9......... chip
[=] BF...... mem
[=] FF... EAS
[=] 3C fuses
[=] Fuses:
[+] mode......... Application (locked)
[+] coding....... ISO 14443-2 B / 15693
[+] crypt........ Secured page, keys not locked
[=] RA........... Read access not enabled
[=] -------------------------- Memory --------------------------
[=] 32 KBits/3 App Areas ( 2048 bytes )
[=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
[=] AA2 blocks 242 { 0x13 - 0xFF (19 - 255) }
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read A....... debit
[=] Read B....... credit
[=] Write A...... debit
[=] Write B...... credit
[=] Debit........ debit or credit
[=] Credit....... credit
[=] ------------------------ Fingerprint -----------------------
[+] CSN.......... HID range
[+] Credential... iCLASS legacy
[+] Card type.... PicoPass 32K with current book 16K / 2
I don’t really know what that means.
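As a reading aid for the output above, here is an added example (not part of the thread and not Proxmark3's own code) that decodes the 8-byte configuration block `12 FF FF FF F9 BF FF 3C` into the same fields. The field order is taken from the output in the post; the fuse bit positions and the description strings for values not shown in the post are assumptions based on the PicoPass layout.

```python
# Added example: decode a PicoPass / iCLASS configuration block.
# Field order follows the "card configuration" output in the thread.
# Fuse bit positions below are an assumption (PicoPass layout).

FUSE_FPERS = 0x80    # set = personalization mode, clear = application mode
FUSE_CODING1 = 0x40
FUSE_CODING0 = 0x20
FUSE_RA = 0x01       # read access bit

# Two crypt bits (bits 4 and 3 of the fuse byte) select the page mode.
PAGEMAP = {
    0: "No auth possible, read only if RA is enabled",
    1: "Non secured page",
    2: "Secured page, keys locked",
    3: "Secured page, keys not locked",
}

def parse_config(hex_block):
    """Split the 8 configuration bytes into named fields."""
    raw = bytes.fromhex(hex_block)          # spaces between bytes are allowed
    if len(raw) != 8:
        raise ValueError("configuration block must be exactly 8 bytes")
    fuses = raw[7]
    if fuses & FUSE_CODING1:
        coding = "RFU"
    elif fuses & FUSE_CODING0:
        coding = "ISO 14443-2 B / 15693"
    else:
        coding = "ISO 14443-B only"
    return {
        "app_limit": raw[0],
        "otp": int.from_bytes(raw[1:3], "little"),
        "block_write_lock": raw[3],
        "chip": raw[4],
        "mem": raw[5],
        "eas": raw[6],
        "fuses": fuses,
        "mode": ("Personalization (programmable)" if fuses & FUSE_FPERS
                 else "Application (locked)"),
        "coding": coding,
        "crypt": PAGEMAP[(fuses >> 3) & 0x03],
        "read_access": bool(fuses & FUSE_RA),
    }

def aa1_blocks(cfg):
    """Application area 1 runs from block 6 through the app limit block."""
    return list(range(6, cfg["app_limit"] + 1))
```

For the block in the post this gives an app limit of 0x12, which is why AA1 is listed as 13 blocks (0x06 to 0x12), and a fuse byte of 0x3C, which decodes to the three "Fuses" lines shown.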
It means you’re probably going to want to keep an eye on the Announcements section. Testing commencing soon™
Are there cards that we can copy onto that have both LF and RF (like the example given above), or can I just have a LF card and a RF card together, and it should be fine?
I’m not quite sure what you are asking, but if I’m correct, you want something like this!?
but also, you would be fine using two cards together of different frequencies
Low Frequency 125kHz
High Frequency 13.56MHz
Ah, I just saw your other post, So do you want an iClass HID?
Ah sorry for the confusion, I’m in the exact same scenario as the person here.
The work ID seems to be dual frequency.
- LFID - EM4x05 / EM4x69 - HID Prox ID
- iCLASS legacy
I now generally understand how to clone each one individually, was curious how to do either
- both on the same card (does such write cards exist?). or
- if I just use a cloned iclass card + a cloned 5577 card stacked on top of each other, will that likely work?
Unfortunately, there currently exists no product like the flexMN for iClass + T5577. You’ll need a blank iClass/PicoPass2k and T5577 to properly clone both frequencies. You could totally then use glue or whatever to secure the two together. They are entirely different frequencies of communication, so you shouldn’t have any communication issues between the card and the reader.
Thanks for the pointer! Going to try it and report back on whether it works