doc/standalone/lf_hidbrute.md
- Authors: Federico Dotta & Maurizio Agazzini
- Frequency: LF (125 kHz)
- Hardware: Generic Proxmark3
Reads an HID Corporate 1000 (35-bit) card, then brute forces the card number up/down from the captured value while preserving the facility code. Also supports direct simulation and cloning.
HID Corporate 1000 uses a 35-bit format with a facility code and card number. If you can read one card, you likely know the facility code for that site. By brute forcing the card number, you can test other valid badge numbers in the same facility — for example, finding an admin badge number when you only have a standard user badge.
Use cases:
The brute force iterates the card number portion while keeping the facility code constant from the originally recorded card.
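On the access-control side, a sweep like this appears as one reader seeing many near-consecutive card numbers under a single facility code in a short time, whether the numbers go up, down, or alternate. The following detection sketch is an added example, not part of the Proxmark3 project; it assumes the controller logs the decoded facility code and card number for every badge presentation, and the event layout, reader names and thresholds are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_events():
    """Constructed events: normal traffic on door-1, an up/down sweep on door-7."""
    base = datetime(2024, 5, 1, 2, 10, 0)
    normal = [(base + timedelta(minutes=3 * i), "door-1", 101, c, "granted")
              for i, c in enumerate([45210, 12003, 88121, 30417, 45210, 67002])]
    sweep = [(base + timedelta(seconds=2 * i), "door-7", 101, 45210 + d, "denied")
             for i, d in enumerate([0, 1, -1, 2, -2, 3, -3, 4])]
    return normal + sweep


def find_enumeration(events, window=timedelta(minutes=5), min_distinct=6, max_gap=2):
    """Flag (reader, facility code) pairs that see a run of near-consecutive
    card numbers inside one time window. Order of the numbers is ignored, so
    ascending, descending and alternating sweeps all match."""
    recent = defaultdict(deque)   # (reader, fc) -> (time, card) within the window
    alerts = {}
    for t, reader, fc, card, _result in sorted(events):
        key = (reader, fc)
        q = recent[key]
        q.append((t, card))
        while t - q[0][0] > window:          # drop presentations older than the window
            q.popleft()
        cards = sorted({c for _, c in q})    # distinct card numbers, ascending
        run = best = 1
        for a, b in zip(cards, cards[1:]):   # longest run with neighbour gap <= max_gap
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_distinct:
            alert = alerts.setdefault(key, {"reader": reader, "facility_code": fc,
                                            "first_flagged": t, "run_length": best})
            alert["run_length"] = max(alert["run_length"], best)
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_enumeration(sample_events()):
        print(a)
```

Tune `min_distinct` and `window` against real traffic: sites that issue badges in sequential batches will see legitimate neighbours at shift changes, so pairing this rule with the denied-read rate reduces false positives.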
| LED | Meaning |
|---|---|
| A (solid) | Slot 0 selected / cloning active |
| B (solid) | Slot 1 selected / simulation active |
| C (solid) | Slot 2 selected |
| D (solid) | Status indicator |
| LED(slot+1) | Indicates currently active slot during recording |

| Action | Effect |
|---|---|
| Hold 280ms | Advance state (select → record → clone/brute → repeat) |
| USB command | Exit standalone mode |
```mermaid
stateDiagram-v2
    [*] --> SlotSelect : Startup
    SlotSelect --> Record : Button hold (280ms)
    Record --> Clone : Button hold (card captured)
    Record --> Record : Button hold (no card)
    Clone --> BruteForce : Button hold
    BruteForce --> Record : Button hold (exit brute)
    Clone --> SlotSelect : Operation complete
    SlotSelect --> [*] : USB data received
    Record --> [*] : USB data received
```
```bash
make clean
make STANDALONE=LF_HIDBRUTE -j
./pm3-flash-fullimage
```