Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2020-09-18 05:49:17

victorhooi
Contributor
Registered: 2019-01-22
Posts: 9

Prox HID card with 24-character ID? Read isn't returning data?

I'm trying to clone a Prox HID card to do some tests with.

When I do an lf search, I see:

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[+] HID Prox - 9e00000001c0009a8c01051 (2088)

[+] Valid HID Prox ID found!

Couldn't identify a chipset

However, if I do a lf hid read, nothing comes back

[usb] pm3 --> lf hid read

Does anybody know why that is?

Also - how would one go about cloning this card?

What does the 24-character string (9e0...) represent?

Thanks,
Victor

Offline

#2 2020-09-18 06:55:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: Prox HID card with 24-character ID? Read isn't returning data?

1. don't post multiple times, please.  I removed your other posts.
2. looks like the wiegand format used isn't identified by the Pm3 client.

Offline

#3 2020-09-18 23:59:09

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Prox HID card with 24-character ID? Read isn't returning data?

This looks like an unknown HID Extended-compatible card. The 9E is the data header identifying it as HID compatible. Everything following the header and prior to the first '1' bit is blank, and is not part of the credential itself. The first '1' bit indicates the start of data. Therefore, the actual card value is:

   C    0    0    0    9    A    8    C    0    1    0    5    1
1100 0000 0000 0000 1001 1010 1000 1100 0000 0001 0000 0101 0001

The client application doesn't know of any 52-bit HID card formats, so it can't decode (read) it. All it can do is present the received data in the raw, which the search function has done.

You should be able to clone the card with the whole string returned from the search. That's the data that was directly encoded. Even if you can't read what it means, you do have the content.

Offline

#4 2020-10-02 21:51:15

victorhooi
Contributor
Registered: 2019-01-22
Posts: 9

Re: Prox HID card with 24-character ID? Read isn't returning data?

Hi,

iceman - Sorry the forum webpage seemed to time out and return me back to the same page with my data still there, I must have hit Submit again.

Interesting - is there any chance support for this Wiegand format could be added in the future?

grauerfuchs - Do you know how you would write this onto a new T5577 card? Is it:

lf em4x em410xwrite <value>

or

lf hid clone <value>

(I'm seeing different commands when I search online).

And should I use the full value, or just the last part you identified? (c0009a8c01051).

Also - out of curiosity - what does the the last 2088 represent?

Thanks,
Victor

Offline

#5 2020-10-03 00:21:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506
Website

Re: Prox HID card with 24-character ID? Read isn't returning data?

If you can,   how about you save a trace and share it here?

lf hid read
data save lf_hid_c0009a8c01051.pm3

Offline

#6 2020-11-04 05:21:53

victorhooi
Contributor
Registered: 2019-01-22
Posts: 9

Re: Prox HID card with 24-character ID? Read isn't returning data?

I just updated my Proxmark3 repo, and also the firmware on the device:

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.9237-1145-g30f9e2d2 2020-09-18 12:47:32
  compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

 [ PROXMARK3 ]
  firmware.................. PM3RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... absent

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-1145-g30f9e2d2 2020-09-18 12:47:57
       os: RRG/Iceman/master/v4.9237-1938-g59a68dc4e 2020-11-04 15:02:35
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
  HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 296080 bytes (56%) Free: 228208 bytes (44%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

However, now when I try to read the card, I don't get the numbers as before - it says it can't identify a chipset and doesn't return the numbers:

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[+] Unknown. Bit len 52

[+] Valid HID Prox ID found!

Couldn't identify a chipset

Is there a reason it can't read the card now, or doesn't display the numbers anymore?

Offline

Pages: 1

Board footer

Powered by FluxBB