Cloning Hitag2 PCF7936

Ok I’ve been reading through the PCF7936 data sheet and this is my understanding. The chip UID is read access only. Buying a PCF7936 from China is no good unless the UID that comes on it can be entered into the system.

The transponder and basestation have a stored password. Before the transponder outputs its UID the basestation sends a password. The transponder compares the basestation password with its stored password. If they match it will output UID.

To clone the fob I will need to know the password. It looks like there’s no way to access it in the fob’s memory without already knowing it, anyone know if there’s any exploits here? At the base station I’m assuming this can be found using ‘lf hitag sniff’. Then I’ll need to find a hitag chip that allows read/write access for the UID. I’m assuming the linked xHT does that, I’ll read that datasheet tomorrow.

The Hitag and xHT aren’t hugely popular on here. It would be interesting to find out what the sales numbers of the xHT are like from Amal, but it is awesome you are getting into it (straight into the deep end).

Anyway, good news for you: even more reading for you (you will become the forum expert on HiTags soon).

https://www.researchgate.net/publication/235916472_Gone_in_360_Seconds_Hijacking_with_Hitag2

I don’t think that it does. The UID is usually not changeable.

You might want to check the Hitag commands in particular lf hitag cc

I don’t think this is how it works… otherwise you could just listen for the reader to give you the password. I’m pretty sure the password is a key and that key is used to generate and validate challenges and responses. They are 40bit from what I remember and easy to crack… but dunno if the proxmark3 firmware has any facility to do that job or not. Either way though you won’t be able to emulate that on the t5577

Yeah I had it wrong.

The reader sends an authentication command to initiate communication. The transponder responds with its ID. In password mode the reader then sends the password in plain, and the authentication sequence continues. In crypto mode all communication after the ID is encrypted.

I do not know if my transponder is set to password or crypto mode, I suspect sniffing the reader will give me that information.

There’s a hitag2 cracking suite. It’s in my folder on the firmware I’m using, but the ‘ht2crack’ doesn’t show up under my available commands, not sure what I’m missing.

‘lf hitag cc’ doesn’t return anything for me.

I’ll sniff the reader and see if that gives me any leads to work on.

The datasheet says it takes 39ms to authenticate. I think it might be easiest just to brute force passwords until one authenticates, shouldn’t take long.

I don’t think this is how it works…

haha not to harp on it… but I think in crypto mode it’s just a challenge / response mechanism… it’s not encrypted per se… but still not really possible to use replay attacks or anything against it… but what you can do is capture many of these together and then brute force the key… because it is still only 40 bits of entropy.

Ah nice!

I’ve successfully cloned a Paxton net2 fob to a hitag2 card using a Proxmark3 easy. The trick is knowing the correct password. It seems to be the same for all Paxton net2 systems. The password is:
BDF5E846

Thanks to this article for the info: How to copy, read and write Paxton fobs and cards with an RFIDler · GitHub


To read a Paxton fob in Proxmark3 use: lf hitag reader --21 -k BDF5E846


I’ve managed to write Paxton fobs now too with a custom made 500uH coil that I can put the fob inside.

Next step is to program a hitag2 car transponder that I can embed in my watch strap. I don’t think implants are for me, and anyway hitag2 implants seem to require special ordering, unless anyone else knows different?


Hi, I’m new and I have been trying to clone a Hitag2 fob with my Proxmark3 Easy, but when I try to write a page it gets filled with 1’s (FFFFFFFF). I have only tried writing to page 7 and I wondered if there was a difference in the pages?
I have tried this with the standard PM3easy antenna and 2 different ones that I have wound myself, and the same thing happens each time, so I was wondering if I was getting something wrong with the command in the software?

To write I did -

[usb] pm3 --> lf hitag writer --27 -k BDF5E846 -p 7 -d 00000001
[#] Authenticating using password:
[#] bd f5 e8 46
[#] Configured for hitag2 writer

And to read back (you can see page 7 is all F’s , it had other data before I wrote to it) -

[usb] pm3 --> lf hitag reader --21 -k BDF5E846
[+] UID: cb883113

[=] Hitag2 tag information

[=] ------------------------------------
[+] Config byte : 0x06 [ 00000110 ]
[+] Encoding : Manchester
[+] Version : Hitag2
[+] Coding in HITAG 2 operation: manchester
[+] Tag is in : Password mode
[+] Page 6,7 : RW
[+] Page 4,5 : RW
[+] Page 3 : RW
[+] Page 1,2 : RW
[=] ------------------------------------
[=] 00 | CB 88 31 13 | …1.
[=] 01 | BD F5 E8 46 | …F
[=] 02 | 20 F0 4F 4E | .ON
[=] 03 | 06 F9 07 C2 | …
[=] 04 | 3C C4 8B 40 | <…@
[=] 05 | A8 7F 00 03 | …
[=] 06 | 00 30 00 06 | .0…
[=] 07 | FF FF FF FF | …
[=] 08 | 00 00 00 00 | …
[=] 09 | 00 00 00 00 | …
[=] 10 | 00 00 00 00 | …
[=] 11 | 00 00 00 00 | …
[usb] pm3 -->

Any suggestions would be most appreciated,
Thanks,
Giltag
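As an added example (my own code, not from this thread and not part of the Proxmark3 client), here is a small parser for the `lf hitag reader` dump quoted above. It reads the page lines, decodes the Hitag2 configuration byte (page 3, first byte) and flags what a site administrator would want to know: whether the tag is in password mode (so the reader password crosses the air in clear on every read), which pages are still writable, whether the password page holds the shared value quoted in this thread, and whether any page reads all FF (a sign of a failed write or poor coupling rather than real data). The bit assignments for the configuration byte are my reading of the PCF7936 datasheet; they reproduce the decode the Proxmark3 printed for 0x06 above, but check them against the datasheet before relying on them. The sample dump is constructed from the post.

```python
import re

# Constructed sample: the page lines from the dump quoted in the post above.
SAMPLE_DUMP = """\
[+] UID: cb883113
[=] 00 | CB 88 31 13 | ..1.
[=] 01 | BD F5 E8 46 | ...F
[=] 02 | 20 F0 4F 4E | .ON
[=] 03 | 06 F9 07 C2 | ....
[=] 04 | 3C C4 8B 40 | <..@
[=] 05 | A8 7F 00 03 | ....
[=] 06 | 00 30 00 06 | .0..
[=] 07 | FF FF FF FF | ....
"""

UID_RE = re.compile(r"UID:\s*([0-9A-Fa-f]{8})")
PAGE_RE = re.compile(
    r"^\[=\]\s+(\d{2})\s+\|\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})\s+\|"
)

# Reader password the post above reports as shared across Paxton Net2 sites.
KNOWN_SHARED_PASSWORD = bytes.fromhex("BDF5E846")


def parse_dump(text):
    """Return (uid_bytes_or_None, {page_number: 4 bytes}) from reader output."""
    uid, pages = None, {}
    for line in text.splitlines():
        m = UID_RE.search(line)
        if m:
            uid = bytes.fromhex(m.group(1))
        m = PAGE_RE.match(line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return uid, pages


def decode_config(cfg):
    """Decode the Hitag2 configuration byte.

    Assumed layout (my reading of the PCF7936 datasheet, not verified here):
      bit 0     coding: 0 = Manchester, 1 = Biphase
      bits 2:1  version: 0b11 = Hitag2, anything else = a public mode
      bit 3     0 = password mode, 1 = crypto mode
      bits 4..7 read-only locks for pages 1,2 / 3 / 4,5 / 6,7
    """
    return {
        "encoding": "Biphase" if cfg & 0x01 else "Manchester",
        "version": "Hitag2" if (cfg & 0x06) == 0x06 else "public mode",
        "mode": "crypto" if cfg & 0x08 else "password",
        "page_1_2_ro": bool(cfg & 0x10),
        "page_3_ro": bool(cfg & 0x20),
        "page_4_5_ro": bool(cfg & 0x40),
        "page_6_7_ro": bool(cfg & 0x80),
    }


def audit(uid, pages):
    """Return (decoded config, list of findings) for one tag dump."""
    findings = []
    if 3 not in pages:
        return None, ["page 3 missing: cannot decode configuration"]
    cfg = decode_config(pages[3][0])
    if uid is not None and pages.get(0) != uid:
        findings.append("UID line does not match page 0: dump is inconsistent, re-read")
    if cfg["mode"] == "password":
        findings.append("password mode: reader password is sent in clear over the air")
    if not cfg["page_1_2_ro"]:
        findings.append("pages 1,2 writable: password page can be rewritten after auth")
    if not cfg["page_3_ro"]:
        findings.append("page 3 writable: configuration byte itself can be changed")
    if pages.get(1) == KNOWN_SHARED_PASSWORD:
        findings.append("page 1 holds the shared Paxton Net2 password quoted in the thread")
    bad = sorted(n for n, p in pages.items() if p == b"\xff\xff\xff\xff")
    if bad:
        findings.append(f"page(s) {bad} read FF FF FF FF: likely failed write or poor coupling")
    return cfg, findings


if __name__ == "__main__":
    uid, pages = parse_dump(SAMPLE_DUMP)
    cfg, findings = audit(uid, pages)
    print(cfg)
    for f in findings:
        print("-", f)
```

Run it on a saved dump (`python audit.py < dump.txt` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`) and the FF-page check gives a quick way to tell a coupling problem from real data before blaming the command syntax.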

If you get a load of F’s or incorrect values your tag is not correctly working with the lf aerial/coil. With the Proxmark3 easy standard aerial I managed to write all but page 7 of the Paxton tag. When I made my own aerial/coil I managed to write all pages of the paxton fob but it took multiple attempts.

Thanks for that - I will experiment more with my coil. I was just starting to wonder if it was something else. How weird that only page 7 fails (and unlucky/lucky that I tried that one first! :) ) - how is page 7 different from the rest - surely it’s just a different address in the same memory?

It is just another address but each page write operation is a separate command sent from the transmitter to the tag. You could have just been unlucky to get interference on this one.

I’m really not sure with page 7. Perhaps another forum member knows. I just know I have consistent problems with it with multiple tags. I have another disk hitag2 token which also will not write page 7. I may have to make another coil. Perhaps the more expensive Proxmark3 rdv4 would solve the issue as I believe it has a higher transmit power.

This is the coil in the official Paxton fob/card writer

Well, 2 more coils wound and tested, and still all FFFF’s - I even tried page 6, but it’s all FFS now too! :)

The two new coils give the following HW tune results - (I was trying to get the LF optimal as close to 125kHz as possible - is that correct?)

Coil 3 -

[=] ---------- LF Antenna ----------
[+] LF antenna: 27.60 V - 125.00 kHz
[+] LF antenna: 19.83 V - 134.83 kHz
[+] LF optimal: 27.60 V - 125.00 kHz
[+] Approx. Q factor (*): 7.3 by frequency bandwidth measurement
[+] Approx. Q factor (**): 8.0 by peak voltage measurement
[+] LF antenna is OK

and coil 4 -

[=] ---------- LF Antenna ----------
[+] LF antenna: 29.60 V - 125.00 kHz
[+] LF antenna: 21.98 V - 134.83 kHz
[+] LF optimal: 30.02 V - 126.32 kHz
[+] Approx. Q factor (*): 8.0 by frequency bandwidth measurement
[+] Approx. Q factor (**): 8.7 by peak voltage measurement
[+] LF antenna is OK

Is there a different parameter I should be tuning too?

That’s all I did too. I wrapped my coil around a plastic tube that the tag just fit inside. I moved the tag around in the coil until I got it to write successfully. I’ve written a few Paxton tags now, so it is working consistently once you get the right place in the coil. I cannot however write a hitag2 disk tag despite wrapping a coil to work with it.

Have you also tried running lf tune and then playing with the tag placement around the coil?


This is the tag I cannot get to write page 7 to.

Do you have an LC meter? I’ve been using that to get my coil to exactly 500uH.

Yes - I was using both the multimeter to measure the inductance and then hw tune on the Proxmark3.

I have made a little progress - after reading your comment about the power output being higher on the RDV4 I wondered if the USB port power from the laptop might be limiting it. I connected the side USB port to a USB charger as well as the data/power USB to the PC, and that made a significant difference. I have now successfully written page 6, and I have had data in page 7 that is not FFFF’s, but it is still not correct.

As power supply clearly made a difference I tried adding a 100uF capacitor just inside the USB port to see if that would help further to stabilise the power rails. The capacitor on the 5V rail has not made any further difference, so I was going to add one to the 3.3V rail as well, as I presume the data transmission bursts on the coil give the power rails a hard time.

I have also started a larger coil in the hope that changing the position of the fob more might yield better results.