Hey everyone!
I have been searching the forums for information on this and while I have found similar information, nothing that is exact to mine except one, but that one never got any replies.
I’m trying to clone my work badge that comes up as a HID corporate 1000 card.
I am brand new here and this is my first time using the proxmark and trying to clone anything.
Any guidance would be appreciated.
Currently I have an xEM and an xNT. Not implanted yet as I am debating buying a NExT instead.
Yes I know about the flexClass Implant as well and will get that if it ends up being necessary of course.
Here is the info I have so far:
[usb] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[=] Odd size, false positive?
[+] Indala (len 575) Raw: 80000000802002000000000024000808800200080300000000000300
[+] Valid Indala ID found!
[=] Couldn’t identify a chipset
[usb] pm3 → hf search
[|] Searching for iCLASS / PicoPass tag…
[+] iCLASS / Picopass CSN: B8 D4 F2 12 FF FF 12 E0
[+] Valid iCLASS tag / PicoPass tag found
[usb] pm3 → hf iclass dump --ki 0
[+] Using AA1 (debit) key[0] AE A6 84 A6 DA B2 32 78
[=] Card has at least 2 application areas. AA1 limit 18 (0x12) AA2 limit 31 (0x1F)
.
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------±------------------------±---------±–±---------------
[=] 0/0x00 | B8 D4 F2 12 FF FF 12 E0 | … | | CSN
[=] 1/0x01 | 12 FF FF FF E9 1F FF 3C | …< | | Config
[=] 2/0x02 | FF FF FF FF B9 F9 FF FF | … | | E-purse
[=] 3/0x03 | 68 01 1A B7 EF 33 9C F8 | h…3… | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | … | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | … | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | … | | User / Cred
[=] 7/0x07 | F9 2C 72 DC 6B 6A 0A D2 | .,r.kj… | | User / Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | … | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | … | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | … | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | … | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | … | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | … | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | … | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | … | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | … | | User
[=] ---------±------------------------±---------±–±---------------
[?] yellow = legacy credential
[+] saving dump file - 19 blocks read
[=] FILE PATH: hf-iclass-B8D4F212FFFF12E0-dump-3.bin
[+] saved 152 bytes to binary file hf-iclass-B8D4F212FFFF12E0-dump-3.bin
[=] FILE PATH: hf-iclass-B8D4F212FFFF12E0-dump-3.eml
[+] saved 19 blocks to text file hf-iclass-B8D4F212FFFF12E0-dump-3.eml
[=] FILE PATH: hf-iclass-B8D4F212FFFF12E0-dump-3.json
[+] saved to json file hf-iclass-B8D4F212FFFF12E0-dump-3.json
[?] Try hf iclass decrypt -f
to decrypt dump file
[?] Try hf iclass view -f
to view dump file
[usb] pm3 → hf iclass decrypt -f hf-iclass-B8D4F212FFFF12E0-dump
[+] loaded 152 bytes from binary file hf-iclass-B8D4F212FFFF12E0-dump
[+] loaded 16 bytes from binary file iclass_decryptionkey.bin
[!] Actual file len 152 vs HID app-limit len 144
[=] Setting limit to 144
[=] FILE PATH: hf-iclass-B8D4F212FFFF12E0-dump-decrypted-2.bin
[+] saved 152 bytes to binary file hf-iclass-B8D4F212FFFF12E0-dump-decrypted-2.bin
[=] FILE PATH: hf-iclass-B8D4F212FFFF12E0-dump-decrypted-2.eml
[+] saved 19 blocks to text file hf-iclass-B8D4F212FFFF12E0-dump-decrypted-2.eml
[=] FILE PATH: hf-iclass-B8D4F212FFFF12E0-dump-decrypted-2.json
[+] saved to json file hf-iclass-B8D4F212FFFF12E0-dump-decrypted-2.json
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------±------------------------±---------±–±---------------
[=] 0/0x00 | B8 D4 F2 12 FF FF 12 E0 | … | | CSN
[=] 1/0x01 | 12 FF FF FF E9 1F FF 3C | …< | | Config
[=] 2/0x02 | FF FF FF FF B9 F9 FF FF | … | | E-purse
[=] 3/0x03 | 68 01 1A B7 EF 33 9C F8 | h…3… | | Debit
[=] 4/0x04 | FF FF FF FF FF FF FF FF | … | | Credit
[=] 5/0x05 | FF FF FF FF FF FF FF FF | … | | AIA
[=] 6/0x06 | 03 03 03 03 00 03 E0 14 | … | | User / Cred
[=] 7/0x07 | 00 00 00 0E 49 46 90 7A | …IF.z | | User / Cred
[=] 8/0x08 | 00 00 00 00 00 00 00 00 | … | | User / Cred
[=] 9/0x09 | 00 00 00 00 00 00 00 00 | … | | User / Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | … | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | … | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | … | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | … | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | … | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | … | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | … | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | … | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | … | | User
[=] ---------±------------------------±---------±–±---------------
[?] yellow = legacy credential
[=] Block 7 decoder
[+] Binary… 111001001001010001101001000001111010
[=] Wiegand decode
hid preamble detected
[+] [C1k35s ] HID Corporate 1000 35-bit std FC: 586 CN: 215101 parity ( ok )
[=] found 1 matching format
[=] -----------------------------------------------------------------
[usb] pm3 → hf iclass view -f hf-iclass-B8D4F212FFFF12E0-dump
[+] loaded 152 bytes from binary file hf-iclass-B8D4F212FFFF12E0-dump
[=] --------------------------- card ---------------------------
[+] CSN: B8 D4 F2 12 FF FF 12 E0 uid
[+] Config: 12 FF FF FF E9 1F FF 3C Card configuration
[+] E-purse: FF FF FF FF B9 F9 FF FF Card challenge, CC
[+] Kd: 68 01 1A B7 EF 33 9C F8 debit key
[+] Kc: FF FF FF FF FF FF FF FF credit key ( hidden )
[+] AIA: FF FF FF FF FF FF FF FF Application Issuer area
[=] -------------------- card configuration --------------------
[=] Raw: 12 FF FF FF E9 1F FF 3C
[=] 12… app limit
[=] FFFF ( 65535 )… OTP
[=] FF… block write lock
[=] E9… chip
[=] 1F… mem
[=] FF… EAS
[=] 3C fuses
[=] Fuses:
[+] mode… Application (locked)
[+] coding… ISO 14443-2 B / 15693
[+] crypt… Secured page, keys not locked
[=] RA… Read access not enabled
[=] PROD0/1… Default production fuses
[=] -------------------------- Memory --------------------------
[=] 16 KBits/16 App Areas ( 2048 bytes )
[=] 1 books / 8 pages
[=] First book / first page configuration
[=] Config | 0 - 5 ( 0x00 - 0x05 ) - 6 blocks
[=] AA1 | 6 - 18 ( 0x06 - 0x12 ) - 13 blocks
[=] AA2 | 19 - 31 ( 0x13 - 0x1F ) - 18 blocks
[=] ------------------------- KeyAccess ------------------------
[=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
[=] Read AA1… debit
[=] Write AA1… debit
[=] Read AA2… credit
[=] Write AA2… credit
[=] Debit… debit or credit
[=] Credit… credit
[=] --------------------------- Tag memory ----------------------------
[=] block# | data | ascii |lck| info
[=] ---------±------------------------±---------±–±---------------
[=] 0/0x00 | B8 D4 F2 12 FF FF 12 E0 | … | | CSN
[=] …
[=] 6/0x06 | 03 03 03 03 00 03 E0 17 | … | | User / Cred
[=] 7/0x07 | F9 2C 72 DC 6B 6A 0A D2 | .,r.kj… | | User / Cred
[=] 8/0x08 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Cred
[=] 9/0x09 | 2A D4 C8 21 1F 99 68 71 | *…!..hq | | User / Cred
[=] 10/0x0A | FF FF FF FF FF FF FF FF | … | | User
[=] 11/0x0B | FF FF FF FF FF FF FF FF | … | | User
[=] 12/0x0C | FF FF FF FF FF FF FF FF | … | | User
[=] 13/0x0D | FF FF FF FF FF FF FF FF | … | | User
[=] 14/0x0E | FF FF FF FF FF FF FF FF | … | | User
[=] 15/0x0F | FF FF FF FF FF FF FF FF | … | | User
[=] 16/0x10 | FF FF FF FF FF FF FF FF | … | | User
[=] 17/0x11 | FF FF FF FF FF FF FF FF | … | | User
[=] 18/0x12 | FF FF FF FF FF FF FF FF | … | | User
[=] ---------±------------------------±---------±–±---------------
[?] yellow = legacy credential
[=] No credential found