Comment by A4ET8a8uTh0

Step 1 of reverse engineering anything: Figure out the make and model of the thing. ;)

"Employee badges" can be implemented in a number of ways, from simple broadcasted rfids down to having secret challenge responses that aren't breakable without going down the jlsca route since the secret is on the device and never leaves it.

So, step 1: figure out what exactly the model your 'employee badge' is using and what protocol it uses. There's probably some marking on it that should give you the manufactuerer at least.

CEO of Lab401.com / Flipper Distributor / RFID geek.

One of the best resources is probably the Discord channels. There is the official channel, and the non-official (for non-official firmware). YMMV, but the non-official seems to be more active.

The Flipper is "somewhat underpowered" in terms of hardware for RFID, or specifically 13.56MHz, but makes up for it in a very active development community.

"Access badges" is a fairly vast blanket term. Anything that's not an exhaustive, lengthy breakdown will be inherently over-generalised, but here we go:

125KHz: Low Frequency: _usually_ cards with "just" an ID or very limited memory. _Usually_ much simpler technology. _Usually_ without security, and much easier to copy.

There are multiple encoding and modulation methods in this family, almost all of which are encompassed in a (fairly amazing) tag that can emulate them all - meaning they can be cloned easily : the T5577 chipset.

There's much more penetration of these chipsets in non-EU markets (US, Canada, etc). Key brands and tags: HID Prox, EM4XXX, Hitag, etc.

The FlipperZero handles most / if not all of these very well (read / save / emulate / write).

High-Frequency tags (13.56MHz) : encompasses multiple ISO Standards : 14443-A/B/C (lots of access cards), also ISO15693 (Slightly Longer read range, more industrial tags, ski-passes, etc), and EMV (Payment Cards) among others.

There are many sub-protocols and implementations of these higher level standards. But these can be generalised as : small memory units / computing units on a chip. As such : larger functionality, and various security.

The most well-known family is probably MIFARE (1K/4K Classic..). Chances are, if you've got one somewhere. Encryption is totally broken.

Ultralight / NTAG: Cheaper, no / not much security (password + signatures on some tags, and counters). Typically used for ticketing etc.

These are handled in Flipper.

Other implementations: DESFIRE: Uncracked. iCLASS (Commercial Access Control - iCLASS SE / ELITE / SEOS ..). Can be cloned, or suffer from downgrade attacks. Not handled by Flipper by default.

The Flipper has a fundamental 'flaw' with high-frequency tags: it can't handle emulation on chip, and its clock isn't evenly divisible by 13.56MHz, so emulation and some functions are always going to be limited. With that said, the 13.56MHz stack is always improving - the community has done amazing things.

Likewise, cracking (typically: MIFARE) is CPU / memory intensive. The Flipper can limp through some implementations, and can team up with a PC for others.

However, more specialised devices (Proxmark, iCopy-X) pick up where the Flipper leaves off.

In summary, it's a very useful tool for RFID (LF + HF) - can handle most LF operations, and quite a few HF operations - before you have to reach for much more expensive hardware (Proxmark : ~300 EU).

Some people to check out on YT: https://www.youtube.com/@TalkingSasquach https://www.youtube.com/watch?v=VF3xlAm_tdo

Feel free to reach out for more questions.

I asked our IT manager and our employee badges have RFID plus some kind of timestamp check or something. The secret handshake is actually secret I guess. Lot of information out there but mostly guarded by radio nerds who talk like you should already have an EE degree.

Depends on the system your work uses. Lots of them just have unencrypted strings.