Cloning HID Prox When Parity Fails?

Just received my Magic Ring in the mail and I’m trying to clone my HID Prox credential to the T5577. Proxmark3 Easy tells me that the chipset used in the credential is EM4305.

[IDs have been redacted to X]


[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] [PW39    ] Pyramid 39-bit wiegand format    FC: XXXXX  CN: XXXXXX  parity ( fail )
[+] [BC40    ] Bundy TimeClock 40-bit           FC: XXXX  CN: XXXXXX  OEM: X  parity ( fail )
[=] found 2 matching formats
[+] DemodBuffer:
[+] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

[=] raw: 09e00000000000XXXXXXXXXX

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

Most guides for cloning HID Prox cards will find a Wiegand protocol like H10301 or ind26, and always have valid parity. I have never seen a guide with PW39 or BC40 and I don’t know which one, if any, that I should use the facility code from in cloning. Cloning the raw data does not work, and doesn’t even get a beep from the reader.

Any ideas?

The parity fail suggests an issue reading to me. Can you check that the firmware/software versions match and that hw tune shows that the antenna is good?

Are there any model numbers on your HIDprox card? (Are there printed credential numbers on there?)

Can you try moving your card around and scanning it multiple times to see if you always get the same answer?

I’ve scanned the card in every way possible and all read the same data with failed parity. The prox card has a number on it but that number is not found in the read data at all. I am reading broken data from my T5577 now, I don’t know if this is the antenna or due to my experimenting with it. I should probably make a new topic for that issue.

EDIT: I just read one of the included T5577 cards with the proxmark and it reads exactly as expected. Not an antenna issue.

To be clear, the data with failed parity is the ring after your clone attempt? Or is it the source card?

The failed parity is on the source card.

Oh that’s weird… normally I’d say that points to a coupling problem and data error, but if you’re getting that consistently along with a consistent ID… then maybe it’s just wrong? Like maybe the parity is just wrong on the card? Or possibly the parity calculation being done by the proxmark client is buggy or something? I really don’t know.

I’ll see if I can pull in Iceman on this one… But a video of you putting the card on the proxmark3 and doing the search might help.

I’ve recorded a video of me reading the card. The screen is hard to read but the output in console is

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
[|]  9
[=] ---------- LF Antenna ----------
[+] LF antenna: 15.29 V - 125.00 kHz
[+] LF antenna: 20.95 V - 134.83 kHz
[+] LF optimal: 21.54 V - 136.36 kHz
[+] Approx. Q factor (*): 5.3 by frequency bandwidth measurement
[+] Approx. Q factor (*): 6.3 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.16 V - 13.56 MHz
[+] Approx. Q factor (*): 4.4 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] [PW39    ] Pyramid 39-bit wiegand format    FC: 15812  CN: 994835  parity ( fail )
[+] [BC40    ] Bundy TimeClock 40-bit           FC: 2953  CN: 470547  OEM: 7  parity ( fail )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D96A95555555555555555555555956A9A9596A966A55969

[=] raw: 09e0000000000087b89e5c26

[+] Valid HID Prox ID found!

[+] Chipset detection: EM4x05 / EM4x69
[?] Hint: try `lf em 4x05` commands

I also borrowed a friend’s credential to a different building on property to see what was on it. It is a T5577 that is also storing Prox, but proxmark can’t detect the Wiegand protocol and the raw data is too long to use in lf hid clone -r.
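
An added example (not part of any post in this thread, and not Proxmark3 client code): it Manchester-decodes the DemodBuffer from the output above back to the `raw:` value, then unpacks the low 39 bits with the Pyramid layout to show where FC 15812 / CN 994835 come from and which parity bits disagree. The function names and the parity coverage (even over bits 1-18, odd over bits 19-37) are assumptions.

```python
# Values copied from the `lf search` output quoted in the thread above.
DEMOD_BUFFER = "1D96A95555555555555555555555956A9A9596A966A55969"
PREAMBLE = 0x1D  # first byte of the demodulated HID Prox frame


def manchester_decode(hex_frame: str) -> int:
    """Strip the 0x1D preamble, then map bit pairs 10 -> 1 and 01 -> 0."""
    bits = bin(int(hex_frame, 16))[2:].zfill(len(hex_frame) * 4)
    if int(bits[:8], 2) != PREAMBLE:
        raise ValueError("missing 0x1D preamble")
    out = []
    for i in range(8, len(bits), 2):
        pair = bits[i:i + 2]
        if pair not in ("10", "01"):  # 00 / 11 cannot occur in valid Manchester
            raise ValueError(f"invalid Manchester pair {pair!r} at bit {i}")
        out.append("1" if pair == "10" else "0")
    return int("".join(out), 2)


def field(bits: str, start: int, length: int) -> int:
    """Read an MSB-first field from a bit string."""
    return int(bits[start:start + length], 2)


def decode_pw39(raw: int) -> dict:
    """Unpack the low 39 bits as P | FC(17) | CN(20) | P.

    Assumption: leading even parity covers bits 1-18 and trailing odd
    parity covers bits 19-37.
    """
    bits = format(raw & ((1 << 39) - 1), "039b")
    even_expected = bits[1:19].count("1") % 2       # bit that makes the total even
    odd_expected = 1 - bits[19:38].count("1") % 2   # bit that makes the total odd
    stored_even, stored_odd = int(bits[0]), int(bits[38])
    return {
        "fc": field(bits, 1, 17),
        "cn": field(bits, 18, 20),
        "even": (stored_even, even_expected),   # (stored, expected)
        "odd": (stored_odd, odd_expected),
        "parity_ok": stored_even == even_expected and stored_odd == odd_expected,
    }


if __name__ == "__main__":
    raw = manchester_decode(DEMOD_BUFFER)
    print(f"raw: {raw:024x}")
    print(decode_pw39(raw))
```

Both parity positions hold 0 where this layout expects 1, which matches the `parity ( fail )` the client prints; the result depends only on the bit string, so any read that returns the same buffer fails the same way.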

Are you sure it’s a t5577? What’s lf t5 detect come up with?

If it is, you might be able to just dump the t5 and write that to make a clone vs using a specific chip clone function.

I would like to clone my own credential, which is an EM4305. I checked passwords on it and it uses the default “PROX” so I can dump the data. Would simply cloning b0-b0, b1-b1 work? Also, would I use the T55xx write command or the EMx05 write command?

I’d explore the dump and restore commands under the lf t5 menu…

lf t5 dump -p XXXXXXXX

then

lf t5 restore -f BLK0FILE

Cloning other T5577 credentials works perfectly. The look on my friend’s face when I tap my ring against the reader and get let in is priceless. My personal credential is an EM4305 chip and those chips have 15 blocks as opposed to the 8 page 0 + 4 page 1 that a T5577 has. Would restoring a dump from an EM4305 potentially break my T5577 or would that work? It appears that only 10 blocks of the EM4305 memory are actually populated with data so it could fit on the T5577 but I am concerned about writing to a block that is reserved such as block 7 password. How would I go about cloning the EM4305 to my T5577?