Crack HID password

bruno84 · 2016-07-26 10:21:53

I have a chinese card writer http://www.aliexpress.com/item/Handhold-Portable-125khz-RFID-H-ID-PROX-CARD-PROX-KEY-Card-Reader-Writer-Copier-Duplicate-Duplicator/32599892297.html
and when I copy a HID card using it, I can no longer clone the card using proxmark3. Reading the forums I discovered that the device may set a password on the card and then I'm unable to use proxmark to write to it.

proxmark3> lf search
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

HID Prox TAG ID: 2007fc00f7 (123) - Format Len: 26bit - FC: 254 - Card: 123

Valid HID Prox ID Found!
proxmark3> lf hid clone 1122334455
Cloning tag with ID 1122334455
#db# DONE!
proxmark3> lf search
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

HID Prox TAG ID: 2007fc00f7 (123) - Format Len: 26bit - FC: 254 - Card: 123

So my question is: is this possible to sniff the data writter to the card using lf snoop?

if I type lf snoop nothing happens... what's the correct way of using it?

iceman · 2016-07-26 10:26:12

its known that some cloners sets the password on the t55xx card, locking it.

However due to some users there is two known passwords you can use to see if you can re-write your block0 on the t55xx card with.

Search and you will find here on the forum.

bruno84 · 2016-07-26 11:01:20

Found it, but they don't work... Sniffing is not possible the?

bruno84 · 2016-07-26 11:05:37

I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787

btw, I posted the wrong link to the card writer, the correct is: http://www.aliexpress.com/item/Updated-Version-English-10-Frequency-ID-IC-RFID-Copier-Reader-Writer-Copy-125KHZ-Keyfbobs-HID-Cards/32654441916.html?spm=2114.13010608.0.72.Ymg7fn

Last edited by bruno84 (2016-07-26 11:30:59)

bruno84 · 2016-07-26 12:06:31

in case someone is interested...

I tried to manually enter the card number on the writer, and then I read using proxmark and here is the result:

proxmark3> lf hid fskdemod
#db# DownloadFPGA(len: 42096)
#db# TAG ID: 2007fc0002 (1) - Format Len: 26bit - FC: 254 - Card: 1
#db# TAG ID: 2007fc0004 (2) - Format Len: 26bit - FC: 254 - Card: 2
#db# TAG ID: 2007fc0064 (50) - Format Len: 26bit - FC: 254 - Card: 50
#db# TAG ID: 2007fc0379 (444) - Format Len: 26bit - FC: 254 - Card: 444
#db# TAG ID: 2007fc07cf (999) - Format Len: 26bit - FC: 254 - Card: 999

//here I entered 1234567890
#db# TAG ID: 2004721264 (2354) - Format Len: 26bit - FC: 57 - Card: 2354
#db# Stopped

marshmellow · 2016-07-26 12:13:29

Snooping the password is possible, but it is not automatic. It will take a bit of manual work to demod the wave snooped. Dig into the lf snoop cmd. I helped someone use it in a post on here somewhere. Sorry can't look for it atm.

iceman · 2016-07-26 12:17:44

No, don't do what you did there.
Never write all zeros to the block0 (configuration) that could render your tag perma locked.

However, do the snoop as @marshmellow mentioned, thats how we found the previous passwords for cloners.

marshmellow · 2016-07-26 12:19:54

@iceman, I believe he is referring to writing the tag from his cloner not the pm3

iceman · 2016-07-26 12:41:47

That looks like PM3 commands to me...

I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787

bruno84 · 2016-07-26 12:48:19

yes yes... I tried those commands on the tags that I copied using the hand held writer but no success.
thanks for the hint about writing 0s

iceman · 2016-07-26 12:55:21

@op, since you have both a PM3 and the cloner, this will be an perfect time to practise LF. Go for the snoop while the cloner writes to a tag, save the trace, post it here (via a filesharing place, please) so we all can join in.

bruno84 · 2016-07-26 13:02:31

that's the problem iceman...

lf snoop does nothing:

proxmark3> lf snoop
proxmark3>

what am I missing here to capture the trace?

btw I have 3 different cloners...

iceman · 2016-07-26 13:12:51

three cloners, sweet, even more to play with your PM3 then.

You'll need to configure the LF first.

"lf configure h" will give you good starting point.

marshmellow · 2016-07-26 19:22:54

iceman wrote:

That looks like PM3 commands to me...
I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787

yep sorry. missed that.

Proxmark3 community

Announcement

#1 2016-07-26 10:21:53

Crack HID password

#2 2016-07-26 10:26:12

Re: Crack HID password

#3 2016-07-26 11:01:20

Re: Crack HID password

#4 2016-07-26 11:05:37

Re: Crack HID password

#5 2016-07-26 12:06:31

Re: Crack HID password

#6 2016-07-26 12:13:29

Re: Crack HID password

#7 2016-07-26 12:17:44

Re: Crack HID password

#8 2016-07-26 12:19:54

Re: Crack HID password

#9 2016-07-26 12:41:47

Re: Crack HID password

#10 2016-07-26 12:48:19

Re: Crack HID password

#11 2016-07-26 12:55:21

Re: Crack HID password

#12 2016-07-26 13:02:31

Re: Crack HID password

#13 2016-07-26 13:12:51

Re: Crack HID password

#14 2016-07-26 19:22:54

Re: Crack HID password

Board footer