Cloning Hitag2 PCF7936

if you wanna write this to a T5577 (much cheaper) you can write an em4100 credential, these are often cross compatible so long as the system hasn’t disabled em4100 (most don’t turn it off because they don’t know it’s a security flaw)

your clone command is: lf em 410x --id 0002D5F3D6

@tac0s has enlisted me for the wiki when it goes up and i’ve got some time off work i’ll make sure things like this are documented step by step with correct syntax so there’s no confusion in the future.

:smile:


Gents I can’t thank you enough! I managed to get it working and copying fobs to cards already :slight_smile:

I had a look at the video about copying to Em410 fob and I’m very interested! I can’t seem to understand the 0002D5F3D6 part of the command. Is this the UID of a previous LF searched or dumped card or am I barking up the wrong tree :slight_smile:

Thanks again, literally no experience in this so your help has been invaluable! :slight_smile:

it’s the downgraded paxton ID extracted from your memory blocks. you can read more about that here: GDX Indigo HITAG2 fob password - #21 by Equipter

your specific one falling into the net2 umbrella

happy to help feel free to throw any more questions our direction if you have em!


Think this might be a little bit above my pay grade (intelligence level) ha but I will take a more in-depth look tomorrow :slight_smile: Thanks again

well hey if you wanna learn about it and what it means i’m always up to yap about such things


Hi all,

I’ve had a read through the forum and it’s all been very informative!

I’ve been trying to follow along with jonnylyons’ questions but can’t seem to make any progress.

Looks like my proxmark3 easy is reading the paxton fob as shown in the image below. But when I use lf hitag read -2 -k BDF5E846 nothing happens.

Any advice or tips would be greatly appreciated :slight_smile:

How are you presenting the fob to the proxmark? can you post a photo or video of your attempt?

Also, what is the firmware / client version you are using (shows on first running the pm3 client)

thanks for the quick reply!

The current setup looks like this:

I have attached the version here:

Ok the thing to note about Indala tags is that they have no CRC or parity checking at all, so if some random noise is close enough to an Indala ID signal, the proxmark3 will “detect” it as an Indala. How you can tell if it really is Indala and not random noise is to repeatedly read the tag… if the ID keeps changing, it’s just random noise being picked up and interpreted as an Indala tag.

In short, I think your coupling is a problem. The green ring indicates this is a “compact” fob so the antenna is probably very small inside there. You will likely have to hang the fob half-way off the LF antenna ring to properly couple. You can use lf tune to try to locate best position by watching for the largest voltage drop. Run the tune command and move the fob around until you see the largest voltage drop… then keep it there and run your command.
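
The point above about integrity checks, as an added example that is not part of the original post: an EM4100 frame carries row and column parity, so a corrupted read is rejected, whereas a format with no parity or CRC has nothing to reject it with and only the repeated-read test remains. The function names, the `min_reads`/`min_share` thresholds and the noisy sample reads are assumptions constructed for illustration.

```python
from collections import Counter

def em4100_frame(id_hex):
    """Build a 64-bit EM4100 frame from a 40-bit ID (only to create test data)."""
    bits = [int(b) for b in format(int(id_hex, 16), "040b")]
    rows = [bits[i:i + 4] for i in range(0, 40, 4)]
    frame = [1] * 9                                  # header: nine 1 bits
    for r in rows:
        frame += r + [sum(r) % 2]                    # 4 data bits + even row parity
    frame += [sum(r[c] for r in rows) % 2 for c in range(4)]  # column parity
    return frame + [0]                               # stop bit

def em4100_check(frame):
    """Return the ID as 10 hex digits if header, parities and stop bit hold, else None."""
    if len(frame) != 64 or frame[:9] != [1] * 9 or frame[63] != 0:
        return None
    rows = [frame[9 + 5 * i:14 + 5 * i] for i in range(10)]
    if any(sum(r) % 2 for r in rows):                # row incl. parity bit must be even
        return None
    cols = frame[59:63]
    if any((sum(r[c] for r in rows) + cols[c]) % 2 for c in range(4)):
        return None
    value = 0
    for r in rows:
        for b in r[:4]:
            value = (value << 1) | b
    return format(value, "010X")

def single_flip_survivors(id_hex):
    """Count single-bit corruptions of a valid frame that still pass the check."""
    good = em4100_frame(id_hex)
    survivors = 0
    for i in range(64):
        bad = good.copy()
        bad[i] ^= 1
        survivors += em4100_check(bad) is not None
    return survivors

def stable_id(reads, min_reads=5, min_share=0.8):
    """Accept an ID only if repeated reads agree; None entries are failed reads."""
    if len(reads) < min_reads:
        return None
    top, count = Counter(reads).most_common(1)[0]
    return top if top is not None and count / len(reads) >= min_share else None

if __name__ == "__main__":
    uid = "0002D5F3D6"                               # ID quoted earlier in this thread
    print(em4100_check(em4100_frame(uid)), single_flip_survivors(uid))
    noisy = ["1A2B3C4D5E", None, "00FF00FF00", "7777000011", None]  # constructed reads
    print(stable_id(noisy), stable_id([uid] * 5 + [None]))
```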

Thank you. I had a play around with the tuning and like you said the best place was having the fob hang off the antenna ring.

I can see now it detects a hitag 2 chip but when I run the hitag commands they still don’t work!

according to this reddit post;

https://www.reddit.com/r/proxmark3/comments/137x8bi/paxton_net2_system_hitag2/

Paxton access tokens come in various styles and colours which is system dependent.

Paxton10: Bullet fob white ring, plain white card, bluetooth remote, disc/ band, cable tie.

Paxton Net2: Bullet fob blue ring, plain white card, bluetooth remote, disc/ band, cable tie.

Paxton Compact/ Switch2: Bullet fob green/ amber/ red ring, white card green/ amber/ red square.

All are Hitag2 with Paxton basestation password and transponder password changed.

The data stored in pages 4 to 7 is the encoded Paxton credential which is formatted differently for each of the above systems. Paxton10 also uses the unique, locked, Hitag2 IDE as a part of its credential so it cannot be cloned. The Paxton10 anti-cloning is also used by the GDX for their identical “Indigo” fobs.

AAPROX use a Paxton bullet fob with grey ring which contains only a standard EM chip.

There is only one device that can duplicate any of the above. The PX1 by Retag-UK is available through all major locksmith distributors in the UK.

Rfidler, Proxmark, Keysy, iCopy cannot do it, don’t waste your time trying.


with it hanging half over the edge, put a spoon over the top, a spoon you’d eat cereal with.

the easy antenna isn’t a fan of bullet fobs, this sorts it.


bollocks (lies)


oh yeah i forgot about this hack!


:spoon:


Hi all, only got around to this today. But the spoon did the trick! Currently trying to clone the paxton fob to a T5577 which is another issue in itself…


hah omg where can i find one of these fobs… i want to make a little yt short on the spoon trick :slight_smile:
