Cloning Hitag2 PCF7936

That's all I did too. I wrapped my coil around a plastic tube that the tag just fit inside. I moved the tag around in the coil until I got it to write successfully. I’ve written a few paxton tags now, so it is working consistently once you get the right place in the coil. I cannot however write a hitag2 disk tag despite wrapping a coil to work with it.

Have you also tried running lf tune and then playing with the tag placement around the coil?


This is the tag I cannot get to write page 7 to.

Do you have an LC meter? I’ve been using that to get my coil to exactly 500uH.

Yes - I was using both the multimeter to measure the inductance and then hw tune on the proxmark3.

I have made a little progress - after reading your comment about the power output being higher on the RDV4 I wondered if the USB port power from the laptop might be limiting it. I connected the side USB port to a USB charger as well as the data/power USB to the PC and that made a significant difference. I have now successfully written page 6 and I have had data in page 7 that is not FFFF’s but it is still not correct.

As power supply clearly made a difference I tried adding a 100uF capacitor just inside the USB port to see if that would help further to stabilise the power rails. The capacitor on the 5V rail has not made any further difference, so I was going to add one to the 3.3V rail as well, as I presume the data transmission bursts on the coil give the power rails a hard time.

I have also started a larger coil in the hope that changing the position of the fob more might yield better results.

Here is the capacitor on the 5V and the larger coil. I have wound it higher, and then unwound it to 500uH.


I have still only managed to write page 6 on one tag. I can’t get repeatable performance. Improving the USB power was the biggest performance difference, so it leads me to think: is an RDV4 with its more powerful antenna the answer?
I tried a neater antenna on a 3D printed former, but no change to writes - all FFFFF’s and it measures 501uH.


Maybe I just need to buy an RDV4?

I’m really not sure about the RDV4 but good find on the laptop power supply. I may try that too. Currently I’m investigating some PCF7937 chips which are in crypto mode. I can read them but I’m not sure how successful I’m going to be changing them to password mode. I’ll report back.

I just found out you can normally use an EM41X token instead of a hitag2 token with most paxton readers. You can also take the number off the hitag2 tag, convert it to a valid EM41X code and then use that to open the door. More info here: How to copy, read and write Paxton fobs and cards with an RFIDler · GitHub

2 Likes

Wondered if anyone could help with a few queries.

I wanted to learn more about how these systems work, which led me to trying to open a door with a paxton keyfob, proxmark3 easy and/or flipper zero. Realised quickly that the paxton key fob was a hard one to do (I like the challenge though) and that the door/reader didn’t flash red when sending in false ‘EM4100’ emulations with my flipper, as apparently old readers allow this. This led me to this forum (extremely helpful I must say) which helped me understand more about my fob.

My situation:
Below shows my output for the command stated above, but I don’t really know what to do with this, e.g. how to clone this onto another paxton keyfob with the proxmark3 easy, or do I need some other software/equipment. I’m guessing ‘BDF5E846’ is the default password for these types of fobs, meaning not all will be the same, but is this the password which is given out after the reader asks for the UID to accept the connection, and then the password is transferred as well as the data (guessing this is the communication thathz was talking about)? I also thought maybe with this information I could use one of the cracking techniques mentioned in Cracking Suite. Last thing I’ll say is the github repo https://gist.github.com/natmchugh/18e82761dbce52fa284c87c190dc926f does mention a way to copy this data, so does anyone know what the best device to use with this software would be (link would be helpful please)? But it would be amazing if I don’t need to, as I’m a student on a budget and it would be brill to keep using my proxmark3 (already cost me a small fortune) :slight_smile:

[usb] pm3 → lf hitag reader --21 -k BDF5E846
[+] UID: 7c255713

[=] Hitag2 tag information

[=] ------------------------------------
[+] Config byte : 0x06 [ 00000110 ]
[+] Encoding : Manchester
[+] Version : Hitag2
[+] Coding in HITAG 2 operation: manchester
[+] Tag is in : Password mode
[+] Page 6,7 : RW
[+] Page 4,5 : RW
[+] Page 3 : RW
[+] Page 1,2 : RW
[=] ------------------------------------
[=] 00 | 7C 25 57 13 | |%W.
[=] 01 | BD F5 E8 46 | …F
[=] 02 | 20 F0 4F 4E | .ON
[=] 03 | 06 F9 07 C2 | …
[=] 04 | 9D 4F 5B 54 | .O[T
[=] 05 | 12 3F 00 03 | .?..
[=] 06 | 00 30 00 06 | .0…
[=] 07 | D0 0C 00 10 | …
[=] 08 | 00 00 00 00 | …
[=] 09 | 00 00 00 00 | …
[=] 10 | 00 00 00 00 | …
[=] 11 | 00 00 00 00 | …

You do not need any more equipment other than a proxmark. The write command is actually very similar to the read command and covered here: How to copy, read and write Paxton fobs and cards with a Proxmark | Badcfe.org - too small to not fail. But be careful, as others have noted sometimes the data gets written as 0xFFFFFFFF for some reason with the proxmark. Never try to overwrite the tag password as this can brick the tag. Once you have written to the tag, read it again to check it has the correct data.

2 Likes
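As an added example (not code from the thread, from proxmark3 or from the linked write-ups), the script below takes a `lf hitag reader` dump in the format posted above, decodes the Hitag2 config byte, and applies the two pieces of advice from the reply: refuse a write plan that touches the password page (page 1) or a page the config byte marks read-only, and classify the read-back after a write, treating 0xFFFFFFFF as the bad-write symptom the thread describes. The config-byte bit positions are an assumption inferred from how the proxmark3 client labelled the dump above (0x06 decoded as Manchester, Hitag2, password mode, all pages RW); the function names and the trimmed sample dump are constructed for this illustration.

```python
"""Decode a proxmark3 `lf hitag reader` page dump and sanity-check a planned
Hitag2 page write against the pitfalls discussed in the thread.

Added example; not part of the proxmark3 client or the thread's own tooling.
"""
import re

# Constructed sample: the page table from the dump posted in the thread,
# trimmed to the eight pages a Hitag2 actually has.
SAMPLE_DUMP = """\
[=] 00 | 7C 25 57 13 | |%W.
[=] 01 | BD F5 E8 46 | ...F
[=] 02 | 20 F0 4F 4E | .ON
[=] 03 | 06 F9 07 C2 | ....
[=] 04 | 9D 4F 5B 54 | .O[T
[=] 05 | 12 3F 00 03 | .?..
[=] 06 | 00 30 00 06 | .0..
[=] 07 | D0 0C 00 10 | ....
"""

PASSWORD_PAGE = 1   # page 1 holds the tag password; overwriting it can brick the tag
CONFIG_PAGE = 3     # page 3 byte 0 is the config byte
BAD_WRITE = b"\xff\xff\xff\xff"  # symptom of the proxmark write bug mentioned above

# "[=] NN | XX XX XX XX | ascii" -> page number and four hex bytes
PAGE_RE = re.compile(
    r"^\[=\]\s+(\d{2})\s+\|\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})\s+\|"
)


def parse_pages(dump: str) -> dict[int, bytes]:
    """Return {page_number: 4 bytes} for every page line in the dump."""
    pages = {}
    for line in dump.splitlines():
        m = PAGE_RE.match(line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pages


def decode_config(cfg: int) -> dict:
    """Decode the Hitag2 config byte.

    Bit layout is an assumption inferred from the proxmark3 client's labelling
    of 0x06 in the dump above; verify against the PCF7936 datasheet.
    """
    return {
        "encoding": "Biphase" if cfg & 0x01 else "Manchester",
        "hitag2_version": ((cfg >> 1) & 0x03) == 0x03,
        "mode": "crypto" if cfg & 0x08 else "password",
        "page67_readonly": bool(cfg & 0x10),
        "page45_readonly": bool(cfg & 0x20),
        "page3_readonly": bool(cfg & 0x40),
        "page12_readonly": bool(cfg & 0x80),
    }


_RO_FLAG = {1: "page12_readonly", 2: "page12_readonly", 3: "page3_readonly",
            4: "page45_readonly", 5: "page45_readonly",
            6: "page67_readonly", 7: "page67_readonly"}


def check_write_plan(pages: dict[int, bytes], page: int, value: bytes) -> list[str]:
    """Return the reasons a write should NOT proceed (empty list means OK)."""
    problems = []
    if page not in range(0, 8) or len(value) != 4:
        return ["target must be a page 0-7 with exactly 4 bytes"]
    if page == PASSWORD_PAGE:
        problems.append("page 1 is the password page; overwriting it can brick the tag")
    if page == CONFIG_PAGE:
        problems.append("page 3 holds the config byte; a bad write can lock pages or switch mode")
    cfg = decode_config(pages[CONFIG_PAGE][0])
    if cfg["mode"] != "password":
        problems.append("tag is in crypto mode; the -k password will not authenticate")
    if page in _RO_FLAG and cfg[_RO_FLAG[page]]:
        problems.append(f"page {page} is marked read-only by the config byte")
    if value == BAD_WRITE:
        problems.append("value 0xFFFFFFFF is indistinguishable from a failed write on read-back")
    return problems


def verify_readback(expected: bytes, readback: bytes) -> str:
    """Classify the page read back after a write: ok, bad-write, or mismatch."""
    if readback == expected:
        return "ok"
    if readback == BAD_WRITE:
        return "bad-write"   # the 0xFFFFFFFF symptom; re-seat the tag and retry
    return "mismatch"


if __name__ == "__main__":
    pages = parse_pages(SAMPLE_DUMP)
    print("UID:", pages[0].hex())
    print("config:", decode_config(pages[CONFIG_PAGE][0]))
    print("write page 1 ->", check_write_plan(pages, 1, b"\x00" * 4))
    print("write page 6 ->", check_write_plan(pages, 6, bytes.fromhex("00300006")))
    print("readback:", verify_readback(bytes.fromhex("00300006"), BAD_WRITE))
```

Run the plan check before every `lf hitag writer` and the read-back check after it; a `bad-write` result is the moment to re-seat the tag in the coil rather than issue another write.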

Thank you!!!
This is an extremely helpful article (I somehow didn’t come across it before) and I shall try it after I overcome my current problem.

Edit:
Just seen this has only just been released which explains why I couldn’t find it before

Current Problem:
My paxton fob had the default password ‘lf hitag reader --21 -k BDF5E846’ but after some time the password no longer works. I think I may have bricked it :(. This leads me to a couple of questions

  1. Have I bricked it
  2. If so is there any way to overcome this
  3. Is there another possibility

I remember trying lots of commands but it suddenly not working after a repeated read command. Don’t know if that’s any help?

hitags are notoriously difficult to successfully couple with. don’t worry, it’s probably only soft bricked, but you won’t get far with a proxmark3easy antenna. you may want to wind your own

i use the rdv4.01 and proxLF to write to bullet fobs and the 4.01’s default flipped out LF antenna to write to cards

ProxLF never worked for me but that was with NeXT so not sure about this case.

There is a bug in the proxmark hitag code where it sometimes writes 0xFFFFFFFF in place of the correct value. It is thought to be to do with the timings. I use this branch of the code that is waiting for merge and it seems more reliable 'Fix' writing on hitag2 in password mode by 0xdanneh · Pull Request #1983 · RfidResearchGroup/proxmark3 · GitHub

If you wrote to the password on page 1 with a proxmark there is a strong possibility the tag password is now FFFFFFFF, so try that.

1 Like