HID pivClass 0009p HF

So I just installed my NExT and I’m trying to use it at work. The company I work for has 2 different HID card systems, both of them use HID seperate HID 0009p cards.

At the one site I was able to clone my card to the next NExT using a Chinese Blue cloner. (I knew about the password, but didn’t know it could brick it until I did more research. So I’m not planning on using it any more.)

So I programmed my other card into my NExT but I’m not getting a read from the reader.
I used the Diagonstic card on the reader(HID pivClass RK40 I think) and It is receiving a HF 13.57MHZ signal, but not 125KHz signal. I tried to find the LF antenna with the round tester and I don’t receive any signal at all.

From my understanding, the HID 0009p is only a low frequency 125KHz card. So it shouldn’t be able to communicate with the 13.57MHz. Could it be dropping to 125KHz when it detects a card is near?

I’m waiting for my Proxmark3 easy to arrive it is currently on back order.

Has anyone seen had experienced this issue before? Is there is something that the proxmark3 would be able to copy that the Blue cloner isn’t like a Password?

I’m pretty sure multi-frequency readers can be configured by the controller to be one or both frequencies… maybe they just turned off LF functionality.

1 Like

I do have a couple of questions for you
Your Title

HID pivClass 0009p HF

The HF at the end suggests High Frequency and you successfully used a Blue cloner for one ( LF only )

Yeah Prox should be LF and I guess it could be a multiclass reader :man_shrugging:
Are both the Readers and cards the same?

Just to be clear
2 sites
you have 1 card for each site?

If so, there may be a couple of options for you.

  • If they are both using the same mode ( for example HID Prox ) approach the administrator to enroll one card to both sites

  • Get another LF implant and have 1 card written to each

  • or try Roscos “newly” found alternative solution, However I dont know how the systems will deal with the seperate UIDs

  • Also I think his testing was with EM41xx not HID…but worth a visit anyway

  • Hack: store 2 to 3 different EM41xx on a single T5577

Also
Could you do 2 things?

Can you take a photo of the readers or post make and model here? and confirm

Does it look like this

image
Which is the HID pivClass RK40

  • Supports reading non FIPS-201 credentials such as iCLASS, iCLASS SE, Seos and standard Prox
    This suggests to me that it is Multiclass, and it could explain what is going on. see my note at the bottom.

Can you try and scan you access card with TagInfo and post the results here ( If any, If only LF you wont get a read )

But if you do get a read

The PM3 will allow us to get a bitmore info about the card and potentially find out what is going on…plus remove the blue cloner password

Sorry I am all over the place with my reply.
Whilst we wait for your PM3 to arrive
When you reply can you put your replies in a logical order, something like

Site A Reader:
Photo:
Make:
Model:
Diagnostic Card results:
Site A Card:
Photo / Description:
TagInfo results:

Site B Reader:
Photo:
Make:
Model:
Diagnostic Card results:
Site B Card:
Photo / Description:
TagInfo results:

1 Like

That’s what I’m thinking, but I’m confused because I’m pretty sure it’s using a LF Card.

That is correct, and the readers at each site are different.

Site A
This site worked when I tested it, I was able to clone my card using the Blue cloner.

I have full access to this system but have not been successful in programming Site B

Reader
IEI Prox Pad Plus
And
HID Thin line 2 (5395 part number)
Card

Site B

This site is tricky, It is my main site, but the card system is ran by the county. To make matters worse they have a wierd sense of security. (Will walk into our server rooms because it’s their building, wont allow us to have our own camera in there because 2 seperate camera systems can’t run in the the same room… Our departments have clashed)
So I don’t think they will program It but who know I can always ask.

Site B

Reader
It’s a bad photo but I can get a better one tomorrow.

I believe that it is a pivClass RK40

When I use the RFID Diagonstic card only the 13.56MHz shows up.

Card

They are both 0009p cards. I found

HID GLOBAL CREDENTIAL IDENTIFICATION.pdf (367.2 KB)

2.1

000 is 125kHz HID, Indala or EM Prox (single tech)

I also tried tag info on both cards and did not get a read on either one.

Thank you to both of you for the help!

1 Like

Okay.
Here are my thoughts.
Because both cards didn’t read on TagInfo, and they both allow you access, they must be LF only.
Because both cards are labelled HID I am going to assume they are HID Prox.
Which your bluecloner can read/write from/to.

It is strange however that your LF LED on the Diagnostic card is not illuminating
and also that you could only successfully write the site B card.

Because you have better access to the Site A system, I would suggest:
Waiting for your Proxmark then:

Remove the :blue_cloner: password

Write the Site B to your NExT ( actually to a test card/fob first )
then enroll that same info to your Site A profile on that system.
This in theory will give you access to both sites with one card / Implant

In fact, in the interim I would grab a test card T5577
With your :blue_cloner:, copy and write the Site B info to your card.
Test that at Site B

If that works, try to enroll that card at site A.

If that works, the only thing left to do write the site B info to your NExT, then test the coupling of your NExT on the readers.

I know you didn’t manage to write Site B to your NExT previously, but that can sometimes be fickle.

If you can’t write to the T5577 card, then we may need to wait for the Proxmark3 :pm3_easy: to do some more diagnostics.

This may help with your NExT read / writing

1 Like

Thank you! I will wait until the Proxmark3 arrives.

In the mean time I’ll at least be able to get into site A with my implant. I will play around with NFC commands.
I’m not quite sure what I want to do with it. Currently it plays Mr.Roboto by Styx.

I will update this post when I reciept the PM3 and try it

1 Like

Not necessarily… flexClass for example cannot be read by TagInfo… nor certain Legic access cards.

The proxmark3 should help clear this up

1 Like

Awesome, Thanks, that makes more sense then…and explains the HF on the Diacnostic Card :card_diagnostic_dt: but no read on the TagInfo

SickUntriedBlackfly-max-1mb

2 Likes

When will I get it??? JK :stuck_out_tongue_winking_eye:. I love you’re company! Literally, the best Costomer service I have ever seen.
I ordered the bundle and you offered to send the implant out early! I thought I was going to have to wait a couple more weeks to become a cyborg!

1 Like

The HID 0009p does certainly appear to be a low frequency card. Could you try presenting both the diagnostic card and your credential simultaneously to the reader? That should show if the low frequency does turn on as well.

2 Likes

Hah! I’m actually programming them now and will have them to Michelle for fulfillment by Wednesday. Actually delivery ETA is… soon™

2 Likes

Yes, I will try that tomorrow and let you know.

so-excited-cant-wait

3 Likes

I know it’s trademarked but I am totally going to steal this!!!

1 Like

Too late. I’ve already started using Soon™

1 Like

So I tried it this morning and the low frequency light is not turning on at all, while reading my ID badge.

Update
Site C uses the same badge as site B

But different Readers

I get both a high frequency and a low frequency signal from the reader at Site C.

So I tested it with my badge and it worked…
SITE C READER

Unfortunately I’m still only getting a high frequency signal from the readers at Site B

Is it possible to program the badge on the high frequency side of my chip with the Proxmark?

Unfortunately not, The UID is unchangeable.

This is where social engineering comes in, when you approach the system administrator to enroll your NExT UID into the system under your profile.

If you wait for your PM3, and we can get more info on that Site B card, we will have a better idea of your options.

1 Like

I received my PM3 today!!!

This is the reading I get doing a LF And HF search on the PM.

Any suggestions for what i should try next?

Based on that, your implant and card are the same, and they are low frequency.

I would suggest holding your diagnostic card and pass to the reader at the same time and see if the LF lights up then. Nevermind I see that You tried that already. That reader must be doing something strange.

Update,
I was able to successfully clone the t5577 card that came with the PM3 and used it to open the doors at Site B.

Unfortunately, even after removing the password the the Blue cloner set up on my implant and reprogramming it with the Proxmark3 my implant still doesn’t work.

I think that the low frequency side of the reader may be to weak to communicate with the implant.

This might just give me an excuse to purchase the FlexMT!

2 Likes