dandri/proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2026-06-06 22:01:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bc91c54d5bd01a044e987f9b44f023c23061ba30
proxmark3/doc/standalone/lf_hidbrute.md
T

2.9 KiB
Raw Blame History

LF_HIDBRUTE — HID Corporate 1000 Bruteforce

Authors: Federico Dotta & Maurizio Agazzini Frequency: LF (125 kHz) Hardware: Generic Proxmark3

Back to Standalone Modes Index | Source Code | Development Guide

What

Reads an HID Corporate 1000 (35-bit) card, then brute forces the card number up/down from the captured value while preserving the facility code. Also supports direct simulation and cloning.

Why

HID Corporate 1000 uses a 35-bit format with a facility code and card number. If you can read one card, you likely know the facility code for that site. By brute forcing the card number, you can test other valid badge numbers in the same facility — for example, finding an admin badge number when you only have a standard user badge.

Use cases:

  • Privilege escalation: Find higher-privilege card numbers in the same facility
  • Adjacent badge discovery: Walk through card numbers near a known-good badge
  • Access control testing: Verify whether sequential card numbers are provisioned

How

  1. Record: Read an HID Corporate 1000 card to capture facility code + card number
  2. Clone: Write the captured credentials to a T55x7 card
  3. Brute: Simulate incrementing/decrementing card numbers with the same facility code

The brute force iterates the card number portion while keeping the facility code constant from the originally recorded card.

LED Indicators

LED Meaning
A (solid) Slot 0 selected / cloning active
B (solid) Slot 1 selected / simulation active
C (solid) Slot 2 selected
D (solid) Status indicator
LED(slot+1) Indicates currently active slot during recording

Button Controls

Action Effect
Hold 280ms Advance state (select → record → clone/brute → repeat)
USB command Exit standalone mode

State Machine

stateDiagram-v2
    [*] --> SlotSelect : Startup

    SlotSelect --> Record : Button hold (280ms)
    Record --> Clone : Button hold (card captured)
    Record --> Record : Button hold (no card)
    
    Clone --> BruteForce : Button hold
    BruteForce --> Record : Button hold (exit brute)
    
    Clone --> SlotSelect : Operation complete
    
    SlotSelect --> [*] : USB data received
    Record --> [*] : USB data received

Compilation

make clean
make STANDALONE=LF_HIDBRUTE -j
./pm3-flash-fullimage

Related

Reference in New Issue View Git Blame Copy Permalink