Clone HID Prox II Card to T55x7/EM4x05 Ring

Hello everyone!
I would like to clone my HID Prox Card II (00009P) on T55x7 ring.
When I read HID Card, I have these results:

[=] Checking for known tags...
[=]
[+] [H10301  ] HID H10301 26-bit                FC: XXX  CN: XXXXX  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC:XXXX  CN: XXXX  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] **

[=] raw: 00000000000000XXXXXXXXXX

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try lf em 4x05 commands

Why can’t I find the Tag but only the RAW format?
Should I copy only the last part of the RAW string?

Now, if I read my ring, I find these results:

[+] EM 410x ID 2600E43EE2
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 6400277C47
[=] HoneyWell IdentKey
[+]     DEZ 8          : 14958306
[+]     DEZ 10         : 0014958306
[+]     DEZ 5.5        : 00228.16098
[+]     DEZ 3.5A       : 038.16098
[+]     DEZ 3.5B       : 000.16098
[+]     DEZ 3.5C       : 228.16098
[+]     DEZ 14/IK2     : 00163223715554
[+]     DEZ 15/IK3     : 000429499317319
[+]     DEZ 20/ZK      : 06040000020707120407
[=]
[+] Other              : 16098_228_14958306
[+] Pattern Paxton     : 653819106 [0x26F87CE2]
[+] Pattern 1          : 11622885 [0xB159E5]
[+] Pattern Sebury     : 16098 100 6569698  [0x3EE2 0x64 0x643EE2]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

How can I clone the card on the ring?
Can anyone help me?

This bit is the Facility Code and Card number along with the card type.

To write this to a T55x7

You just use

lf hid clone -w H10301 --fc XXX --cn YYYYY

Remember to do an lf search afterwards to check the ring was written properly.

Hi Zwack… This is my mistake. The Ring has EM4x05 chip! The HID clone to EM4x05 chip is disabled!

Where did you get this ring from?
Did you et it from Dangerous Things

If so the Chip is a T5577, which can emulate many LF Chips, by default from DT, I assume it is pre-programmed in EM41xx mode with a 40 bit unique ID

1 Like

Time to upgrade your ring then…

I don’t know if the em4x05 has a programmable UID. The t5577 can be programmed to emulate a variety of other cards.

I use that very ring, and yes it comes preprogrammed as an em41xx.

1 Like

I couldn’t edit my post :thinking:

anyway,

If you got it from somebody / somewhere else, it may just have a EM4x05 in it, so locked in that mode. But this is not too likely, as it is easier for manufacturers to “just throw in a T5577” and program it to whatever they like.
You might need to Wipe it back to T5577, to see if it has a T5577 chip, then you can write to it like @zwak said above.

The commands will be

lf t5

Then follow the options ( I dont know off the top of my head )

But something like lf t5 wipe

Check out…

https://www.google.com/search?q=em4x05+tearoff

1 Like

So

lf em 4x05_unlock

As of Nov 19th 2020.

Not actually a “reprogrammable” UID, more a security vulnerability that allows for reprogramming.

2 Likes

Of course this doesn’t provide you with an easy way of making the card act like an HID card if it isn’t really a T5577.

The best way to start would be to see if

lf t55xx wipe

works. If it does then you really have a T5577 and you can just do a

lf hid clone -w H10301 --fc XXX --cn YYYYY

Otherwise you are looking at

lf em 4x05 unlock

Followed by a series of

lf em 4x05 write <data> <block>

And I don’t know enough about the configuration of an em4105 to know exactly what you would want to write.

Given that both cards look like they use the same chipset, you should be able to dump the hid card AS AN EM4105, and then write that block by block using the above command.

lf em 4x05 dump

...Change cards and...

lf em 4x05 unlock
lf em 4x05 write <data> <block>
2 Likes

Hi Zwack,

unfortunately my ring has an EM4305 chip.
If I try to clone with lf hid clone command, the results are:

[=] Preparing to clone HID tag
[+] [H10301  ] HID H10301 26-bit                FC: 123  CN: 12345  parity ( ok )
[#] Clone HID Prox to EM4x05 is untested and disabled until verified
[=] Done
[?] Hint: try `lf hid reader` to verify

So the clone is not possible.
Is there any way to unlock HID copy on EM4305?

Go read the second half. Clone requires a t55xx but you should be able to unlock the ring using the unlock command, get a dump from the card and write it block by block to the ring.

Edited to add:

If you’re lucky (and you probably are) most blocks are blank so you should only have to write a few blocks to emulate your card to your ring.

1 Like

Do you know approximately how long it takes to unlock a card? (It’s been running for approx. 20min. now for me on an em 4305) showing this over, and over.

Tried to find info on that in other threads, but couldn’t, so I thought I’d ask here, since it’s about that chip. Also figured it best to find out if interrupting that would “brick” the chip. :sweat_smile:

…some say he’s still unlocking to this day…

1 Like