Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-06-09 19:09:09

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

new HID blank fob

I got new blank HID fob, they said rewritable. With lf search, it is ffffffffffff and 36 bits, but used one has 27 bits, like 20090a0b0c
Tried with lf hid clone 20090a0b0c to new blank, not changed ID.

From iceman fork, no suitable commands for lf hid, is there any format or program needed for new hid blank fob?

Thanks.

Offline

#2 2019-06-11 05:21:40

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: new HID blank fob

what is the full output of lf search?

Offline

#3 2019-06-12 18:01:14

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

Re: new HID blank fob

Hi marshmellow, result below:

HID Prox TAG ID: fffffffffff
Invalid or unsupported tag length.

Valid HID Prox ID Found!

(with official)

HID Prox TAG ID: fffffffffff (65535) Format Len: 36bit - OEM: 003 - FC: 65535 - Card: 65535

[+] Valid HID Prox ID Found!

(with iceman)

They said it ir writable and blank one, but when I try to write with

hf HID clone xxxxxx

tag ID is same smile not writable, maybe with only HID device?

Thanks.

Offline

#4 2019-06-12 19:41:48

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: new HID blank fob

i was looking for the chip detection output,  it looks like either you omitted it or your antenna to tag coupling isn't good enough to get it.  (which is common for fobs..)

without your pm3 able to detect the internal chip type there is little you will be able to do with it.
but even with that you would likely still need HID's password to modify the chip memory

if it is a genuine HID (branded) tag then it is intended only to be written by HID's device and software.

however, with the password and a properly coupling antenna the pm3 can write these...

Last edited by marshmellow (2019-06-12 19:44:00)

Offline

#5 2019-06-13 06:46:33

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

Re: new HID blank fob

Thanks for checking it marshmellow
This is genuine blank fob wholesaler supplied, so I do not know the password, how can I get it? Is it common password or all different? Or I never heard hid device, one day I asked if they supply any cloner or writer for iclass or any thng, they said no... not sure of it. smile

Offline

#6 2019-06-24 02:18:57

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: new HID blank fob

marshmellow wrote:

i was looking for the chip detection output,  it looks like either you omitted it or your antenna to tag coupling isn't good enough to get it.  (which is common for fobs..)

without your pm3 able to detect the internal chip type there is little you will be able to do with it.
but even with that you would likely still need HID's password to modify the chip memory

if it is a genuine HID (branded) tag then it is intended only to be written by HID's device and software.

however, with the password and a properly coupling antenna the pm3 can write these...

Do you have any advice on how to figure out what type of chip is inside a genuine HID prox credential? With both cards and fobs I've never seen chip info detected for genuine HID credentials.

Offline

#7 2019-06-25 00:15:46

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: new HID blank fob

I'm almost 100% certain it is an EM4305.
Decapped one a while back. I couldn't locate the die photo but could always do it again.

Offline

#8 2019-06-25 03:50:42

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: new HID blank fob

0xFFFF wrote:

I'm almost 100% certain it is an EM4305.
Decapped one a while back. I couldn't locate the die photo but could always do it again.

I'd heard that elsewhere but I haven't been able to get one to respond to any EM4305 commands.... curious how they disable that

Offline

#9 2019-06-25 04:49:35

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: new HID blank fob

Interesting. I've never spend much time on LF.
Think I might take a few cards for a swim in acid just to confirm what is being used...

Offline

#10 2019-06-25 14:10:00

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: new HID blank fob

You can't get the chip to respond because your tag isn't coupling well enough with your pm3 antenna.
HID mostly uses a special EM4305 chip that has fsk modulation (unlike the std EM4305)  this chip afaik is exclusive to HID.
These are more sensitive to antenna quality.

Offline

#11 2019-06-25 17:32:30

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: new HID blank fob

marshmellow wrote:

You can't get the chip to respond because your tag isn't coupling well enough with your pm3 antenna.
HID mostly uses a special EM4305 chip that has fsk modulation (unlike the std EM4305)  this chip afaik is exclusive to HID.
These are more sensitive to antenna quality.

Interesting.... why would that be the case with official HID cards/tags but not with other generic T5577 cards, etc.? I know fobs in particular can be more challenging to couple with, but I've tried cards also with the same results.

EDIT: I missed (somehow) your saying "These are more sensitive to antenna quality." smile

Do you have advice on getting a better antenna, etc. to get sufficient coupling to get the chip to respond?

Also, do you think it would be possible to use PM3 to snoop/sniff the password as an official HID encoder is programming it, and then use that password to manually write to HID tags in the future using the PM3 CLI (with the EM4x05 commands)?

Last edited by aaronml (2019-06-25 17:41:13)

Offline

Board footer

Powered by FluxBB