Getting started with HID

My office building uses HID ProxCard II badges (at least that’s what’s printed on them) for access, and from what I’ve been reading I should be able to use the DT xEM Transponder with this, but I want to take small steps before getting an implant – particularly after reading how the xEM Cloner can garble the password on the chip.

I’ve done a fair bit of research, but I still have quite a few questions I’m hoping people here can answer.

  1. Are there any wearables I could try out before getting an implant that would work for HID? I’m thinking ring or bracelet. Most of what I’ve found seems to be HF stuff (like the NTAG213), and from what I understand ProxCard is LF - 125kHz. TrossenRobotics has an LF RFID ring (http://www.trossenrobotics.com/rfid_ring) but almost no specs on it. It also indicates it is read-only, which seems odd.

  2. It sounds like HID and EM41xx are different modes for transponders. Are these different data formats, or different communication protocols? Would an EM4102 device not work with an HID ProxCard II reader? What do I need to look for to guarantee a transponder would work with my building security system?

  3. Assuming the xEM Cloner is a no go, what other options are there for cloning the data from my HID card? Should I hack together my own reader/writer? How much data would I need to copy for an HID ProxCard? Just a multi-byte ID? I read somewhere that the ProxCards have 137 billion unique codes; that sounds like a 37 bit number. I’ve also read about a 26-bit format. Are these both actually a fixed-length format (e.g. 64 bit) with some extra flags / reserved bits? I can’t find any documentation on what’s stored on the ProxCard. Anyone know where to find out more?

Thanks in advance for any guidance!

1 Like

Hi there,

  1. Not that I know of, but I’m sure there are some really bad looking RFID wristbands that have an ATA5577 chip in them somewhere. If not, you could probably break open one of those blue ATA5577 keyfobs and make something. That ring Trossen is selling is actually our product… we supplied them with a bunch of rings a while back and then we decided to get out of the wearable game. That ring contains an EM4102 chip, not an ATA5577, so it cannot be reprogrammed.

  2. Yes, HID ProxCard II and EM (EM41xx family) chips both operate at 125 kHz but they have different data encoding and analog performance specifications. The ATA5577 chip is great because it can be programmed to change the way internal data is communicated (data encoding) and the analog performance specifications can also be changed by setting internal register values. It cannot be in two modes at once though, it can just be set to operate in a specific configuration and that’s it… so it can be in either HID or EM “mode”… it can also be configured to communicate like an Indala chip as well.

  3. We are working on getting a new cloner that has better coupling, but in the meantime you could use a Proxmark3 to clone, or another type of cloner. The two things you need to do to get an ATA5577 chip (xEM) programmed with HID data are 1) program the ID into memory, and 2) change the analog settings to comply with HID ProxCard. Doing this requires special signal timing when communicating with the ATA5577, which is not super easy to do unless you can make your own reader/copier. As for the HID ProxCard data format, I’m not sure… but a Proxmark3 will dump out all kinds of data for you. If you’re interested in doing any “research” grade investigations, get yourself a Proxmark3.

Thanks, amal – lots of really useful information here. I’ll do some experimenting (with something with an ATA5577) and report back on my progress here.

2 Likes
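On the 26-bit format raised in question 3: the following is an added example, not code from any poster in this thread. It decodes the widely documented open 26-bit layout (commonly called H10301), checking both parity bits. The layout is general knowledge rather than something stated in the posts, and the sample bit string is constructed, not read from a real badge.

```python
"""Decode the widely documented open 26-bit HID Prox layout (H10301).

Layout, most significant bit first:
  1 even-parity bit | 8-bit facility code | 16-bit card number | 1 odd-parity bit
The whole credential is a static number with no cryptographic protection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Prox26:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def decode_h10301(bits: str) -> Prox26:
    """Parse 26 binary digits (spaces allowed) and verify both parity bits."""
    bits = bits.replace(" ", "")
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")

    # Leading bit gives even parity over the first 13 bits (itself + 12 data bits).
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    # Trailing bit gives odd parity over the last 13 bits (12 data bits + itself).
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")

    return Prox26(facility_code=int(bits[1:9], 2),
                  card_number=int(bits[9:25], 2))


def credential_space() -> int:
    """Number of distinct facility/card pairs the 26-bit layout can express."""
    return (2 ** 8) * (2 ** 16)


# Constructed sample (not a real badge): facility code 42, card number 12345.
SAMPLE = "1 00101010 0011000000111001 1"

if __name__ == "__main__":
    print(decode_h10301(SAMPLE))
    print("distinct credentials:", credential_space())
```

Only 24 of the 26 bits carry data, so the format tops out at about 16.7 million facility/card pairs; the parity bits catch read errors and add no security.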