Cloning Hitag2 PCF7936

Hello, this is my first venture into RFID. Attempting to clone the fob for my condo.

Running ‘lf search’:

UID: 87d62b1f
Valid Hitag found!

So it’s a Hitag with the UID of 87d62b1f.

I wrote 87d62b1f to an EM410X. When trying to use the EM410X the door reader blinks red and doesn’t open the door. The EM410x is 5 hex bytes; I wrote 4. Reading the EM410X I get the id 0087d62b1f. I didn’t know if the reader was being sent the preceding 00 so I wrote 87d62b1f00 to the fob so the first four bytes would be sent first. Still didn’t work. Is there a way to set the EM410x to 4 bytes?

‘lf hitag info’ tells me: “TYPE: PCF 7936”. From this I found that it is a Paxton Net2 fob. I looked around; others have tried to clone this with no luck.

Anyone have any ideas to try?

xHT

I think that was my shortest ever reply to anybody ever… But I hope it helps

Here is the data sheet


Assuming you are using a Proxmark3, then you will find there is no lf hitag clone command. Due to the Challenge Response mechanism it cannot (afaik) be emulated by a T55x7.

OK, I’ve been reading through the PCF7936 data sheet and this is my understanding. The chip UID is read access only. Buying a PCF7936 from China is no good unless the UID that comes on it can be entered into the system.

The transponder and basestation have a stored password. Before the transponder outputs its UID the basestation sends a password. The transponder compares the basestation password with its stored password. If they match it will output UID.

To clone the fob I will need to know the password. It looks like there’s no way to access it on the fob’s memory without already knowing it; anyone know if there are any exploits here? At the base station I’m assuming this can be found using ‘lf hitag sniff’. Then I’ll need to find a hitag chip that allows read/write access for the UID. I’m assuming the linked xHT does that; I’ll read that datasheet tomorrow.

The Hitag and xHT aren’t hugely popular on here. It would be interesting to find out what the sales numbers of the xHT are like from Amal,
but it is awesome you are getting into it (straight into the deep end).

Anyway, good news for you: even more reading for you (you will become the forum expert on HiTags soon).

https://www.researchgate.net/publication/235916472_Gone_in_360_Seconds_Hijacking_with_Hitag2

I don’t think that it does. The UID is usually not changeable.

You might want to check the Hitag commands, in particular lf hitag cc.

I don’t think this is how it works… otherwise you could just listen for the reader to give you the password. I’m pretty sure the password is a key and that key is used to generate and validate challenges and responses. They are 40-bit from what I remember and easy to crack… but dunno if the proxmark3 firmware has any facility to do that job or not. Either way though, you won’t be able to emulate that on the t5577.

Yeah I had it wrong.

The reader sends an authentication command to initiate communication. The transponder responds with its ID. In password mode the reader then sends the password in plain, and the authentication sequence continues. In crypto mode all communication after the ID is encrypted.

I do not know if my transponder is set to password or crypto mode, I suspect sniffing the reader will give me that information.

There’s a hitag2 cracking suite. It’s in my folder on the firmware I’m using but ‘ht2crack’ doesn’t show up under my available commands, not sure what I’m missing.

‘lf hitag cc’ doesn’t return anything for me.

I’ll sniff the reader and see if that gives me any leads to work on.

The datasheet says it takes 39ms to authenticate. I think it might be easiest just to brute force passwords until one authenticates, shouldn’t take long.

I don’t think this is how it works…

haha not to harp on it… but I think in crypto mode it’s just a challenge / response mechanism… it’s not encrypted per se… but still not really possible to use replay attacks or anything against it… but what you can do is capture many of these together and then brute force the key… because it is still only 40 bits of entropy.

Ah nice!

I’ve successfully cloned a Paxton net2 fob to a hitag2 card using a Proxmark3 easy. The trick is knowing the correct password. It seems to be the same for all Paxton net2 systems. The password is:
BDF5E846

Thanks to this article for the info: How to copy, read and write Paxton fobs and cards with an RFIDler · GitHub


To read a Paxton fob in Proxmark3 use: lf hitag reader --21 -k BDF5E846


I’ve managed to write Paxton fobs now too with a custom made 500uH coil that I can put the fob inside.

Next step is to program a hitag2 car transponder that I can embed in my watch strap. I don’t think implants are for me, and anyway hitag2 implants seem to require special ordering, unless anyone else knows different?


Hi, I’m new and I have been trying to clone a Hitag2 fob with my Proxmark3 Easy, but when I try to write a page it gets filled with 1’s (FFFFFFFF). I have only tried writing to page 7 and I wondered if there was a difference in the pages?
I have tried this with the standard PM3easy antenna and 2 different ones that I have wound myself, and the same thing happens each time, so I was wondering if I was getting something wrong with the command in the software?

To write I did -

[usb] pm3 → lf hitag writer --27 -k BDF5E846 -p 7 -d 00000001
[#] Authenticating using password:
[#] bd f5 e8 46
[#] Configured for hitag2 writer

And to read back (you can see page 7 is all F’s , it had other data before I wrote to it) -

[usb] pm3 → lf hitag reader --21 -k BDF5E846
[+] UID: cb883113

[=] Hitag2 tag information

[=] ------------------------------------
[+] Config byte : 0x06 [ 00000110 ]
[+] Encoding : Manchester
[+] Version : Hitag2
[+] Coding in HITAG 2 operation: manchester
[+] Tag is in : Password mode
[+] Page 6,7 : RW
[+] Page 4,5 : RW
[+] Page 3 : RW
[+] Page 1,2 : RW
[=] ------------------------------------
[=] 00 | CB 88 31 13 | …1.
[=] 01 | BD F5 E8 46 | …F
[=] 02 | 20 F0 4F 4E | .ON
[=] 03 | 06 F9 07 C2 | …
[=] 04 | 3C C4 8B 40 | <…@
[=] 05 | A8 7F 00 03 | …
[=] 06 | 00 30 00 06 | .0…
[=] 07 | FF FF FF FF | …
[=] 08 | 00 00 00 00 | …
[=] 09 | 00 00 00 00 | …
[=] 10 | 00 00 00 00 | …
[=] 11 | 00 00 00 00 | …
[usb] pm3 →

Any suggestions would be most appreciated,
Thanks,
Giltag
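As an added example (not code from this post, nor from the Proxmark3 project), here is a small Python parser for the dump above. It reads the page rows in the format the client printed, decodes the config byte (page 3, byte 0) with the same bit meanings the client showed for 0x06, lists the pages that read back as all FF (what the failed page 7 write left behind), and summarises what the config byte means for whoever administers the door system. The dump text is copied from the post with the ASCII column replaced by dots; the function and constant names are my own.

```python
import re

# Dump rows copied from the post above; the ASCII column is replaced by
# dots because it is not parsed.
DUMP = """\
[=] 00 | CB 88 31 13 | ....
[=] 01 | BD F5 E8 46 | ....
[=] 02 | 20 F0 4F 4E | ....
[=] 03 | 06 F9 07 C2 | ....
[=] 04 | 3C C4 8B 40 | ....
[=] 05 | A8 7F 00 03 | ....
[=] 06 | 00 30 00 06 | ....
[=] 07 | FF FF FF FF | ....
"""

# One dump row: "[=] NN | XX XX XX XX | ...."
ROW_RE = re.compile(r"^\[=\]\s+(\d{2})\s+\|\s+((?:[0-9A-Fa-f]{2}\s+){4})\|")

# Config byte flags (page 3, byte 0), named here by me. The bit meanings
# reproduce the labels the Proxmark3 client printed for 0x06 in the post.
CFG_BIPHASE = 0x01    # coding: set = Biphase, clear = Manchester
CFG_VERSION = 0x06    # bits 1-2: 3 = Hitag2, 0..2 = public modes
CFG_CRYPTO = 0x08     # set = crypto mode, clear = password mode
CFG_RO_PAGE67 = 0x10  # the top four bits lock page groups read-only
CFG_RO_PAGE45 = 0x20
CFG_RO_PAGE3 = 0x40
CFG_RO_PAGE12 = 0x80


def parse_dump(text):
    """Return {page_number: 4 bytes} from Proxmark3 'lf hitag reader' rows."""
    pages = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pages


def decode_config(cfg):
    """Decode the Hitag2 config byte into the fields the client prints."""
    version = (cfg & CFG_VERSION) >> 1
    public = {0: "public mode B", 1: "public mode A", 2: "public mode C"}

    def lock(mask):
        return "read only" if cfg & mask else "RW"

    return {
        "config": cfg,
        "encoding": "Biphase" if cfg & CFG_BIPHASE else "Manchester",
        "version": "Hitag2" if version == 3 else public[version],
        "mode": "Crypto mode" if cfg & CFG_CRYPTO else "Password mode",
        "page67": lock(CFG_RO_PAGE67),
        "page45": lock(CFG_RO_PAGE45),
        "page3": lock(CFG_RO_PAGE3),
        "page12": lock(CFG_RO_PAGE12),
    }


def blank_pages(pages):
    """Pages reading all 0xFF, as page 7 does after the failed write."""
    return [n for n, data in sorted(pages.items()) if data == b"\xff" * 4]


def assess(pages):
    """Administrator's view: what the config byte leaves open on this fob."""
    cfg = decode_config(pages[3][0])
    findings = []
    if cfg["mode"] == "Password mode":
        findings.append("password mode: access is gated by a 32-bit reader "
                        "password rather than a challenge-response key")
    if cfg["page12"] == "RW":
        findings.append("pages 1,2 writable: the stored password/key can be "
                        "overwritten by anyone who knows it")
    if cfg["page3"] == "RW":
        findings.append("page 3 writable: the config byte, including the "
                        "lock bits, can be changed")
    return findings


if __name__ == "__main__":
    pages = parse_dump(DUMP)
    for key, value in decode_config(pages[3][0]).items():
        print(f"{key:9}: {value}")
    print("all-FF pages:", blank_pages(pages))
    for finding in assess(pages):
        print("-", finding)
```

The three findings it reports for this dump are the reason the shared password matters so much for a site owner: with the tag in password mode and the config page unlocked, knowing the password gives both read and write access to every page, so setting the read-only bits (or moving to crypto mode) is the only tag-side mitigation.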

If you get a load of F’s or incorrect values your tag is not correctly working with the lf aerial/coil. With the Proxmark3 easy standard aerial I managed to write all but page 7 of the Paxton tag. When I made my own aerial/coil I managed to write all pages of the Paxton fob, but it took multiple attempts.

Thanks for that - I will experiment more with my coil. I was just starting to wonder if it was something else. How weird that only page 7 fails (and unlucky/lucky that I tried that one first! :) ) - how is page 7 different from the rest - surely it’s just a different address in the same memory?

It is just another address but each page write operation is a separate command sent from the transmitter to the tag. You could have just been unlucky to get interference on this one.

I’m really not sure with page 7. Perhaps another forum member knows. I just know I have consistent problems with it with multiple tags. I have another disk hitag2 token which also will not write page 7. I may have to make another coil. Perhaps the more expensive Proxmark3 rdv4 would solve the issue as I believe it has a higher transmit power.

This is the coil in the official Paxton fob/card writer

Well, 2 more coils wound and tested, and still all FFFF’s - I even tried page 6, but it’s all FFs now too! :)

The two new coils give the following HW tune results - (I was trying to get the LF optimal as close to 125kHz as possible - is that correct?)

Coil 3 -

[=] ---------- LF Antenna ----------
[+] LF antenna: 27.60 V - 125.00 kHz
[+] LF antenna: 19.83 V - 134.83 kHz
[+] LF optimal: 27.60 V - 125.00 kHz
[+] Approx. Q factor (*): 7.3 by frequency bandwidth measurement
[+] Approx. Q factor (**): 8.0 by peak voltage measurement
[+] LF antenna is OK

and coil 4 -

[=] ---------- LF Antenna ----------
[+] LF antenna: 29.60 V - 125.00 kHz
[+] LF antenna: 21.98 V - 134.83 kHz
[+] LF optimal: 30.02 V - 126.32 kHz
[+] Approx. Q factor (*): 8.0 by frequency bandwidth measurement
[+] Approx. Q factor (**): 8.7 by peak voltage measurement
[+] LF antenna is OK

Is there a different parameter I should be tuning too?