Hello everyone,
I’m a recent user of the Proxmark3 Easy and I’m trying to copy my apartment door key fob, which is an HID Prox, onto NON-PROGRAMMED Linear IEI ProxKey III 125KHz 26-bit Proximity Key Fobs that I bought on eBay.
I’m using the latest iceman firmware but for some reason that I don’t understand, I can’t clone my key fob.
Here is the output I’m getting.
On the source key fob:
[usb] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] [H10301 ] HID H10301 26-bit FC: XXX CN: XXXXX parity ( ok )
[+] [ind26 ] Indala 26-bit FC: XXXX CN: XXXX parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D555955556A96A65A59AA9A
[=] raw: 00000000000000XXXXXXX
[+] Valid HID Prox ID found!
On the empty key fob:
[ usb ] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[!] Wiegand unknown bit len 43
[?] Try 0xFFFF’s http://cardinfo.barkweb.com.au/
[+] DemodBuffer:
[+] 1DAAAAAAAAAAAAAAAAAAAAAA
[=] raw: 0000000000000fffffffffff
[+] Valid HID Prox ID found!
[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try lf em 4x05 commands
After trying both commands:
lf hid clone -r XXXXXX
or
lf hid clone -w H10301 --fc XXX --cn XXXXX
I keep getting the same values on my empty key fob
Is it because the key fobs I bought are not compatible?
I don’t understand; I already managed to clone different badges, but with this HID Prox ID I’m having so much trouble.
In any case, thank you for your help
you can’t clone from one HID fob to another. they’re read only. to skirt this you need to use a T5577 which is a dead write emulator chip.
Thank you for your answer.
So I have these fobs that seem to be T5577.
output for T5577 chip:
[usb] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 0200001450
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 400000280A
[=] HoneyWell IdentKey
[+] DEZ 8 : 00005200
[+] DEZ 10 : 0000005200
[+] DEZ 5.5 : 00000.05200
[+] DEZ 3.5A : 002.05200
[+] DEZ 3.5B : 000.05200
[+] DEZ 3.5C : 000.05200
[+] DEZ 14/IK2 : 00008589939792
[+] DEZ 15/IK3 : 000274877917194
[+] DEZ 20/ZK : 04000000000002080010
[=]
[+] Other : 05200_000_00005200
[+] Pattern Paxton : 34886224 [0x2145250]
[+] Pattern 1 : 16652 [0x410C]
[+] Pattern Sebury : 5200 0 5200 [0x1450 0x0 0x1450]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[=] Couldn’t identify a chipset
[usb] pm3 → lf t55xx info
[=] — T55x7 Configuration & Information ---------
[=] Safer key : 0
[=] reserved : 0
[=] Data bit rate : 5 - RF/64
[=] eXtended mode : No
[=] Modulation : 8 - Manchester
[=] PSK clock frequency : 0 - RF/2
[=] AOR - Answer on Request : No
[=] OTP - One Time Pad : No
[=] Max block : 2
[=] Password mode : No
[=] Sequence Terminator : No
[=] Fast Write : No
[=] Inverse data : No
[=] POR-Delay : No
[=] -------------------------------------------------------------
[=] Raw Data - Page 0, block 0
[=] 00148040 - 00000000000101001000000001000000
[=] — Fingerprint ------------
[+] Config block match : EM unique, Paxton
[usb] pm3 → lf t55xx detect
[=] Chip type… T55x7
[=] Modulation… ASK
[=] Bit rate… 5 - RF/64
[=] Inverted… No
[=] Offset… 33
[=] Seq. terminator… Yes
[=] Block0… 00148040 (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… No
What should I do to clone the HID, because after using
lf hid clone -r XXXXXXX
I can’t even detect the tag anymore
[ usb ] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset
[ usb ] pm3 →
Thank you for your help
do t55 wipe on it and try from there
Still have the same issue
pm3 → lf t55 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping…
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[ usb ] pm3 → lf hid clone -r XXXXXX
[=] Preparing to clone HID tag using raw XXXXXXX
[=] Done
[?] Hint: try lf hid reader to verify
[ usb ] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset
[ usb ] pm3 →
you’re positioning it on your proxmark in the correct place right? on the big red circle?
after your wipe do lf t55 detect
Yes it is on the low frequency antenna
[ usb ] pm3 → lf t55 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping…
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[ usb ] pm3 → lf t55 detect
[=] Chip type… T55x7
[=] Modulation… ASK
[=] Bit rate… 2 - RF/32
[=] Inverted… No
[=] Offset… 33
[=] Seq. terminator… Yes
[=] Block0… 000880E0 (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… No
[ usb ] pm3 →