I have an access badge that I use dozens of times a day. I would love to have an implant to replace it; unfortunately, I have no clue what kind of chip it is. The card is unmarked, but I recall seeing a WAVE ID logo on the reader at the security desk. They make readers that support many protocols, though, so that did not limit it much.
I have a pm3, I have done both an lf search and hf search with no results for either.
I also decided to run hw tune with the tag on the antennas and off the antennas to see if there was power draw from the tag, the HF voltage dropped by 4v so I assume it is some sort of HF tag.
Beyond that I am sort of at a loss. I have been trying to solve this on and off for months, so any pointers would be awesome.
Have you also tried scanning it with an Android phone? Although this might not work as you’ve already tried scanning with PM3 but nothing, give it a try if you can.
Can you take a picture of the reader, and hopefully that may be helpful?
Again apologies, can but I assume you tried to read other cards in the same session, and they read correctly?
Is the unmarked card a generic card with no markings on it?
white?
Lanyard hole?
Also have you tried shining a bright light from behind it?
If the antenna is around the perimeter of the card (rectangular), it is PROBABLY HF.
If it is circular, it is PROBABLY LF.
Try that and let us know
Bugger, maybe you can find a super duper light source???
If it is a possibility to talk to the security desk staff, there may be other clues/options,
i.e. 4 byte / 7 byte IDs.
Can you swipe your implants or spare cards etc. on an access reader? Does it light / beep? Keep a record of the time and place, and check the security logs. Do they display a UID / NUID?
I have one more idea…if you can get a spare card!
To my great embarrassment, this post might have been premature. I just had the inspiration to sit here moving the tag a few mm at a time; I did not think to try that because it is a big card that works at any angle on the readers at work. Anyway, it seems to be some sort of iClass card…
[+] : Possible iClass - legacy credential tag
[+] : Tag is iClass , CSN is in HID range
[+] Valid iClass tag / PicoPass tag found
Again sorry to have bothered anyone. Although if anyone knows why the PM3 struggles to read it (unless it is in exactly the right place) but I can just jump next to the reader on the doors to open it? Knowing that might make me feel better about the number of hours I have been researching this…
Sadly, it looks like cloning this card will be out of my grasp for now. You need access to one of the readers to even attempt to crack the card, and I won’t be able to get any private time with a reader. I will work something out, but this is going back on the shelf for now.
Why do you need private time with a reader? If you can already take your genuine card to your PM3, you’re all set to clone it already.
The PM3 isn’t all that great with range. In HF, mine struggles even with full size NFC cards. In LF, it works better, but it’s sub-par compared to a wall reader. The only time it works like a champ is with the DT ProxLF coil and a LF implant, funnily enough, which is why I once asked Amal if he ever planned to release a HF version of the ProxLF - hint hint nudge nudge @amal
If I were you, I’d blur out the names and faces from them pictures - if nothing else, so your company doesn’t find them online serendipitously and fire you.
Really? The card is protected, and according to the only information I found (admittedly rather old Proxmark forum posts), the only attacks on iClass involve the reader.
Any advice would be greatly appreciated.
Hmm, sorry, I was under the impression that those were plain old ID cards. If it’s anything smarter than that (challenge-response or encrypted), then you’re most likely SOL no matter what, methinks. But perhaps not: were you thinking of sniffing the traffic between the card and a genuine reader?
The concern isn’t so much that you might be one of the employees on the photos, it’s more that someone at your company sees pictures from your company’s blog posted in a thread about cloning one of their company-issued security cards, and that they trace the thread back to you.
were you thinking of sniffing the traffic between the card and a genuine reader?
Yes, pretty much. There are some known weaknesses if you can sniff the traffic. Some are even implemented in pm.
That’s a fair point.
I’m pulling the image, but more so someone external doesn’t find out too much about our badges. If work has an issue, I feel like me scanning my hand might be an easier way to trace me.
The legacy iClass master key has been leaked, making cloning these cards trivial if you can get a blank one. However, there isn’t a compatible implant.