Getting started with RFID, and NFC for noobs

To clarify. I’m that noob. I’m going to be getting 2 NExT implants fairly soon and would like to start on some documentation to help me clone tags. The tags are very basic HID RFID tags (I don’t think there’s anything special about them, at least not that I can find according to this). I just wanna know if anyone has some guides I can look through to help get me started on a few of the very basic levels of working with it. The NFC I’m looking at is also quite small in scope, mainly phone security and things like that.

The readers / writers / human interface devices I will be using are the Proxmark 3, ACR122U, and KBR1. I feel like this is quite close to some existing threads; but I just want essentially a list of guides on how to start and good websites and alike, anything is appreciated and apologies if it’s too close to other threads.

1 Like

Are they definitely HF, The link you provided was for HID iClass ( HF )
FYI
HID also make LF.
Did you scan your card with TagInfo or similar

if so,

Just be aware you MAY want to Hide / change / mask you UID…

The more specific you can be about what you are dealing with, the more specific we can be with the resources you are after.

There are plenty of resources we can point you towards, but rather than flooding you with them blindly, I have a few in mind for you already but will wait for your reply

Oh my apologies. Yes that is the wrong link. it was meant for the LF side since I am almost completely sure that is what’s being used. I can’t read the tag using my phone so I assume either I’m just not in the right area or it’s an LF tag. I suppose I’ll just have to wait and see. I’ll add pictures of the tag here. I’m not sure if it could possibly be right since the security flaws would be so glaring, but I think they might have printed the code on the outside of the tag so I may not even need to even read it though I will.photo_2021-05-14_12-46-21

Just be aware you MAY want to Hide / change / mask you UID…

I’m assuming spoofing it so the cloned chip is identical to the real one on the reader or something similar? Yeah I’d actually love some resources on that as well since it’ll be really useful. And even though my main use is for LF I can see a few scenarios where I need HF as well, but that’s a much more vague and undefined goal for me as of now. The reason I got the NExT is so that I can eventually do some stuff with that, but for the immediate future, I’ll be using it as a security key for my phone and similar use cases

Edit: It is HID Prox and from what I can glean it is 125 kHz
Edit 2: Number is just for inventory control from what I can tell. This is the datasheet https://www.hidglobal.com/sites/default/files/resource_files/pacs-seos-8k-keyfob-ds-en.pdf

I could make this a MEGA post from what you have asked, I am instead going to provide it to you in chunks, maybe an LF Post and an HF Post later when you have read and digested this one, you can ask for more…

image

of course the Search function is really quite good if you want to do your own research

Yeah Buddy you are playing with LF.

HID PROX

The ACR122U, and KBR1 wont work with the LF side
However they will work with the HF side when you start playing with that side.
including your phone ( Probably ) and the Proxmark

For now, you will solely be using the Proxmark3

FYI the Blue Cloner :blue_cloner: is also an option for the HID Prox, It does however put a password on it, which is not a problem if you only ever want to use the blue cloner, otherwise you will need the Proxmark to remove the password

BLUE CLONER
Not that you asked, but here are a couple of Blue Cloner threads that may be / become of interest

Firstly, when your NExT arrives in will be in EM mode, this will need to be changed to HID.
To do this, you are going to need to setup your Proxmark
Assuming you are using windows, you are going to want an install guide, such as this one

If you are using something else, let us know what and I / we can find you another guide

Once you have SUCCESSFULLY it installed, you will just need to learn the commands

I just grabbed you a guide from the interwebs

( just be aware, the syntax may be slightly different but we can step you through it if you get stuck, it will be pretty close )

it is contained within

HID ProxCard

Let’s take a look at the more popular HID ProxCard.

On the front of the card it has some numbers and the words “HID Proximity”. With some Googling we can ascertain that this is an HID ProxCard which we can clone with some Proxmark commands.

To start off we can search for a supported tag with lf search :

proxmark3> lf search
#db# DownloadFPGA(len: 42096)
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132
Valid HID Prox ID Found!

Knowing that it’s definitely a ProxCard we can upgrade to the HID specific commands. We already know the Tag ID ( 2004263f88 ) but we can run lf hid fskdemod to read Proxcards continuously (Push the button on the PM3 to stop scanning):

proxmark3> lf hid fskdemod 
#db# TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132                             
#db# Stopped

This Tag ID is directly encoded from the Facility Code (19) and Card ID (8132). You can use some of the online 26 bit Wiegand calculators online to double check this for yourself.

This effectively means that you only need to know those numbers (which are printed on the card itself) to clone the card.

Most low frequency tags don’t have any kind of complex authentication scheme or any protection against replay attacks. It’s a simple matter to scan an existing working card and create a clone. With a high powered reader, one can steal RFID tags from multiple feet away.

With the Tag ID in hand, we now need a blank RFID card that we can clone the Tag ID onto. The best card for this is the T5577 which can emulate a variety of low frequency cards including the two being discussed here (HID ProxCard, EM41000).

With the Tag ID in hand and T5577 ready we can clone simply with:

proxmark3> lf hid clone 2004263f88 
Cloning tag with ID 2004263f88
#db# DONE!

Now the T5577 tag should function as an identical clone to the original ProxCard!

In addition to reading and writing, the PM3 is also capable of simulating an RFID tag but it really isn’t as intuitive as one would like. You generally need to have a computer of some sort connected to the PM3 and have the ability to run commands. The simulation could be useful to a pentester, but reading and writing is all most people need.

I think that is a good first CHUNK of info…

cookie monster

2 Likes

Ahhh awesome. Thanks man. Yeah I’ll definitely be looking into the HF side. might even try to set some phone security quite early using it. But for now I’ll just focus on getting the tag onto it. As for the cloner. I was looking at it. But since I am getting the Proxmark 3 I’ll probably only be using that. Since in the long term I can see the password being more of a pain than anything else. Thank you for the links, I will definitely be looking into them. I just need to get into it and whet my appetite for it. And learn some of the lingo used. Then I can start doing more of my own reading on the topic.

2 Likes

hey guys i have some questions regarding LF and HF RFIDS Fob. so my question is does Chameleon tiny pro Read and Write on LF and HF RFID’S fobs. also does proxmark3 from this website read and write HF RFID fobs or do i have to buy HF antenna for that.???

See the answer to your same question I answered and moved to this thread

The Proxmark3 has a built in HF antenna on the bottom board, so no you don’t need to buy an HF antenna and yes it will read and write both LF & HF fobs/ cards/implants…

Have a read of this thread from the start, it should provide you with a decent starting point to build on

Link to top post

1 Like