I have run into a snag and I’m hoping one of the geniuses here can help me out. I was able to scan my work badge with the PM3 using lf search, it said HID prox was discovered and gave me the ID being sent along with all of the other numbers I can’t remember right now, facility code and whatnot. I was able to write the ID to my NExT using lf hid clone and copying the ID I scanned from the badge.
I then did another lf search and scanned the NExT, then my work badge again, and all the numbers sent over matched, with the exception of my work badge showing as an em chip and the NExT showing unable to ID the chip.
I try to scan at the reader at work and it flashes green like it got a read, but the door doesn’t unlock.
The readers are one of these 2, I can’t tell which by looking at them. Looks like they’re both multi class.
It has been pointed out to me I may have issues with the reader trying to scan the HF side of my NExT, so I start moving the xFD around the reader and can’t get it to light up, granted it’s pretty hard to see it light up as all of the readers I use are outside and it’s pretty sunny today.
Since I can’t see the xFD all that well I decide it’s time to try the big black field detector card, and the only side that will light up is the HF side anywhere I position it over the reader.
But I know the badge transmits on LF cause the LF commands are the only ones I’ve used to see my badge in the PM3.
So I’m at a loss.
Here’s a picture of the badge in case anyone here needs to see it. (With the work related stuff covered)
If it does turn out it’s using the HF instead of the LF then there would be 3 possibilities to making it work?
New chip with rewritable UID for HF. (Magic chip?)
Have my employer add the UID on my implant to their system.
Very slim chance the reader isn’t looking at the UID, and maybe looking for something that can be written to my NExT? Datasheet doesn’t say anything about NTAG so I doubt it. It just calls out the ISO14443A.
There is a flaw in your logic buddy.
Just because you don’t look for something doesn’t mean it is not there.
Both the reader AND card COULD be both LF and HF, but you need to look to confirm.
it’s like Schrödinger’s Frequency
hf search
also, if you have a bright flashlight behind your card, my guess is you MAY see a circular antenna in the centre and another antenna running the perimeter.
So you initially read your work card as HID
Then when you checked later it is saying EM
We probably want to also bottom out this anomaly.
Ideally we want your work to be using LF because it is much easier to play nice with.
I would say you are in the ball park here, but there could be a couple of hiccups.
New chip with rewritable UID for HF. (Magic chip?) Well, sorta, kinda, maybee, it depends
Have my employer add the UID on my implant to their system Well, sorta, kinda, maybee, it depends
Very slim chance the reader isn’t looking at the UID, and maybe looking for something that can be written to my NExT? Well, sorta, kinda, maybee, it depends
Let’s see how your further testing goes before diving deeper into those, but you are on the right track.
Do you have any test cards? T5577 ones? Write to those for your testing, when / if it works, then we will have an answer, basically we are eliminating the implant from the equation (freshly installed and reduced read range etc.)
Can you also read your card with TagInfo and see if you get a successful read?
If so, how many byte UID?
I saw one of these this morning, actually. I also only got HF with the diagnostic card but will circle back tonight and spend some time probing it with a field detector.
Yea I didn’t really think about it till you pointed it out. I could be mistaken too, I spent quite a bit of time playing with the PM3 so I could be confusing things in my head.
I have the cards that came with my bundle, I’d have to look to see what they are though.
Ironically my current phone doesn’t have NFC lol. Old one at home does though, so I’ll update when I get there I guess!
I also tested a few more of the readers around here and none of them trigger the LF side of the detector card.
Well buddy, I think we will be playing in the HF space and TagInfo and / or hf search will confirm it.
UNLESS you can get the access manager to switch on the LF function IF they are multiclass readers, but that’s almost like asking somebody to leave the window open for you whilst they go through the locked door
PM3 does not read the work badge with hf search. I am also unable to read the work badge with the TagInfo app on Android. After taking a flashlight to it I am able to find only one circuit.
I AM however able to get a read from my NExT on both the PM3 with hf search and from the TagInfo app.
Another thing I wanted to mention is that with the readers at work, if you try to badge through a door you aren’t authorized for the light on the reader will flash through red/green/blue very quickly. When I scanned my NExT on it the light turned solid green just like if I scanned my badge, the door just didn’t unlock.
Here’s where I’m at. Sent the command, then 3 lf hid read commands: first one is the T5577 card that came with the NExT bundle, then my actual work badge, and lastly my NExT.
I guess I just have to go back to work and try the t5577?
I’m still very confused as to what is going on as far as not picking up a LF field at the reader.
If you’re using the -r option, you don’t need the --fc or --cn options
On the other hand, if you are using the --fc --cn options you don’t need -r but you do need the -w option
For you I’d just use the -r option here
That’s what I recommend
Have you tried your detector card on the PM3 to make sure the LF side works?
Another theory:
Your dual-frequency readers at work could be set to work with the UID of 14a tags, so they could be reading the HF half of your NExT and ignoring the LF tag that would actually open the door
I checked out the one I found. I got nothing with a LF field detector. Slapped my Flipper against it with “detect reader” and got a solid 13.56. The HF field detector lights well about a half inch along the perimeter. But the really damning thing was when I accidentally presented a MIFARE Classic and the reader responded. Out of curiosity, I held the LF field detector against the reader (in a few positions) while presenting the MIFARE tag. No lights on the LF field detector. I’m guessing it’s possible to turn off the LF side.
Looking through the documents you linked to, those readers seem pretty new. One in particular sports some slick features. I couldn’t track down a manual for either. I’m guessing we’re just seeing something that the Proxmark team hasn’t studied: “No known/supported 13.56MHz tags found” can mean that in addition to what we typically expect: it not being a HF transponder.