Identifying an unknown RFID chip

I have an access badge that I use dozens of times a day. I would love to have an implant to replace it; unfortunately, I have no clue what kind of chip it is. The card is unmarked, but I recall seeing a WAVE ID logo on the reader at the security desk, but they make readers that support many protocols, so that did not limit it much.

I have a pm3, I have done both an lf search and hf search with no results for either.
I also decided to run hw tune with the tag on the antennas and off the antennas to see if there was power draw from the tag, the HF voltage dropped by 4v so I assume it is some sort of HF tag.

Beyond that I am sort of at a loss, I have been trying to solve this on and off for months so any pointers would be awesome :smiley:

1 Like

Sorry, if this is sucking eggs, :egg: :egg: but did you try reading with your phone?
Only asked because you didn’t mention it
Tag Writer
Tag Info
NFC Tools

1 Like

Have you also tried scanning it with an Android phone? Although this might not work as you’ve already tried scanning with PM3 but nothing, give it a try if you can.

Can you take a picture of the reader, and hopefully that may be helpful?

1 Like

Yes, I tried NFC Tools on my android, also nothing. :crying_cat_face:

This looks like the one at the security desk, but they have a few readers with that form factor.

Again apologies, but I assume you tried to read other cards in the same session, and they read correctly?
Is the unmarked card a generic card with no markings on it?
Lanyard hole?

Also have you tried shining a bright light from behind it?
If the antenna is around the perimeter of the card ( Rectangular ) it is PROBABLY HF
If it is circular it is PROBABLY LF
Try that and let us know

1 Like

Yeah, it’s going to be pretty difficult to identify. Here’s the list of supported chips (a lot of different chips, almost every one in the world):

Not sure why PM3 isn’t detecting anything. Do you have an Android phone?

1 Like

Nothing to apologize about lol, you are helping, it’s always good to check these base assumptions.

Read and write both work fine with multiple other chips. Both LF and HF.

Yeah, it is a lot… :crying_cat_face:

Yeah, and I can read other HF chips with it.

It’s one of these:

EDIT: removed image

The one on the right is the one I have although if you forget your card they give you a temp one like the old one on the left.

The card is too thick to see the antenna, after this COVID-19 thing I could get a guest card to look at the coil.

Nor am I, at a complete loss.

Yeah, that would have been my suggestion also

Bugger, maybe you can find a super duper light source???

If it is a possibility to talk to the security desk staff, there may be other clues/ options
ie. 4 byte / 7 byte IDs

Can you swipe your implants or spare cards etc. on an access reader? Does it light / beep? Keep a record of the time and place, check the security logs. Do they display a UID / NUID?

I have one more idea…if you can get a spare card!

To my great embarrassment this post might have been premature. I just had the inspiration to sit here moving the tag a few mm at a time, did not think to try that because it’s a big card that works at any angle on the readers at work. Anyway seems to be some sort of iClass card…

[+]       : Possible iClass - legacy credential tag          
[+]       : Tag is iClass , CSN is in HID range          
[+] Valid iClass tag / PicoPass tag found

Again sorry to have bothered anyone. Although if anyone knows why the PM3 struggles to read it (unless it is in exactly the right place) but I can just jump next to the reader on the doors to open it? Knowing that might make me feel better about the number of hours I have been researching this…

No can do :frowning:
Then again I could “lose” it… :wink:

Anyway, time to work out if I can clone it…

Thanks for all the input @Pilgrimsmaster @rero_fox

1 Like


Not at all

No need now

1 Like

Sadly, it looks like cloning this card will be out of my grasp for now. You need access to one of the readers to even attempt to crack the card and I won’t be able to get any private time with a reader :frowning:. I will work something out but this is going back on the shelf for now.

Well, at least you are a step closer :mechanical_arm::mechanical_leg:

1 Like

Why do you need private time with a reader? If you can already take your genuine card to your PM3, you’re all set to clone it already.

The PM3 isn’t all that great with range. In HF, mine struggles even with full size NFC cards. In LF, it works better, but it’s sub-par compared to a wall reader. The only time it works like a champ is with the DT ProxLF coil and a LF implant, funnily enough, which is why I once asked Amal if he ever planned to release a HF version of the ProxLF - hint hint nudge nudge @amal :slight_smile:

1 Like

If I were you, I’d blur out the names and faces from them pictures - if nothing else, so your company doesn’t find them online serendipitously and fire you.

1 Like

Really? The card is protected and the only information I found (admittedly it was rather old proxmark forum posts) the only attacks on iClass involve the reader.
Any advice would be greatly appreciated.

It’s a photo from Google from our blog post, the badge’s print is slightly wrong and they’re stock photos afaik. But Ty for the concern :grinning:

Hmm sorry, I was under the impression that those were plain old ID cards. If it’s anything smarter than that (challenge-response or encrypted), then you’re most likely SOL no matter what methink. But perhaps not: were you thinking of sniffing the traffic between the card and a genuine reader?

The concern isn’t so much that you might be one of the employees on the photos, it’s more that someone at your company sees pictures from your company’s blog posted in a thread about cloning one of their company-issued security cards, and that they trace the thread back to you.

were you thinking of sniffing the traffic between the card and a genuine reader?

Yes pretty much. There are some known weaknesses if you can sniff the traffic. Some are even implemented in pm.

That’s a fair point.

I’m pulling the image but more so someone external doesn’t find out too much about our badges. If work has an issue I feel like me scanning my hand might be an easier way to trace me :sweat_smile:

Lots of good information here.

The legacy iclass master key has been leaked, making cloning these cards trivial if you can get a blank one. However there isn’t a compatible implant.

1 Like