Writing a HID Corporate 1000 35bit to NExT?

I asked for help on the discord, cross posting here to hopefully get more info-

Is it possible to clone a card that comes up as HID Corporate 1000 35 bit? My proxmark easy returns a “raw” field with what I assume is the info that is needed, but how would I clone this to my Next via proxmark3? All of the videos show an id that is much smaller that is retrievable, I have not seen a tutorial with this type of card.

Appreciate the help! Looking to clone this to my next implant for access at work.

Going with the odds of HID being LF
Have you done a

lf search

What are the results?

The NExT will be in EM41xx mode with a 40 bit unique ID from factory (DT)
So you will need to change it to HID

I’m guessing it will be something like

lf hid read
lf hid clone *****************..... 

I’m not sure if you will have to go back to T5577 before going to HID or if you can go straight to HID from EM4***

I don’t have a PM3 in front of me ( but probably should start to leave one set up and accesdible)
But you should be able to step by step you way to change to HID and then add your UID

I am assuming it is LF, but if no success, it may be iClass have you tried

hf search
What are the results?

This is what the lf search returns, with some stuff censored of course.

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] Checking for known tags...
[=] We'll stop at first hit
[+] [C1k35s] - HID Corporate 1000 35-bit std;  FC: 1*7  CN: 387***    parity: valid
[=] raw: 00000000000000**********

[+] Valid HID Prox ID found!

[=] Couldn't identify a chipset

That’s how I found out it is a HID 1000 card.

Any insight on what I should do here? My results look different compared to what every tutorial I’ve seen shows, hence the reason why I’m stuck. Appreciate the help!

Edit, got it, will summarize in a bit.

1 Like


Long story short, what threw me for a loop was the fact that lf search did not return an ID, like all of the tutorials have shown, at least directly. What I did get, was the output I pasted above. The last 10 characters are what I needed from the raw field (the IDs in the tutorials were 10 characters as well).

The longest part of trying to write it was actually getting a good read from my NeXT from the proxmark easy. I kept changing orientations, with the proxmark held tightly against my hand and once I got a good read, I did not remove it. The command was

lf hid clone -r **********

and that was it. The lf search on the NeXT shows the same thing as the output above, except it is able to identify the chipset as the T55xx. So you are able to change the chipset emulation and apply a new uid in one go. Thanks again

1 Like

Made a throw away account just to say your a saint for coming back after you found a solution instead of leaving it at “got it”, <3