I have a GDX Indigo bullet fob and a Paxton Net2 blank card, both using Hitag2 PCF7936 ICs. I successfully read the card content using my Proxmark 3 and the known password (0xBDF5E846) and the default one (0x4D494B52), but I wasn’t able to read the bullet fob. I suspect this is because the fob uses a different password. Can anyone confirm if that’s the case? And by any chance, does anyone have the password for these GDX Indigo fobs?
GDX bullet fobs password is not documented and isn’t known to be global AFAIK.
RE the paxton bullet fob, assuming you have a proxmark 3 easy, put the fob so it intersects the red ring antenna forming a little + cross shape, and then go get a metal table spoon and cover the fob so its being domed by the spoon and re run the command, if youre still having trouble try adjusting the position but this is the way to get it to work.
i know it sounds ridiculous but i am being fully serious, the spoon acts as a waveguide because the bulletfobs are tricky to couple with and the pm3 easy LF antenna is not optimised for use with them.
2 Likes
I am using the Proxmark 3 RDV4, and the device is able to retrieve the UID from the fob, which suggests that this likely isn’t a coupling issue. I have several of these fobs and have never had any trouble getting their UIDs.
“this suggests it isn’t a coupling issue”
no it doesn’t. authorising with a password vs waking up a hitag are very different in terms of coupling and ensuring CRC across the board.
try the spoon, alternatively with the Rdv4 you can flip the antenna out like so;
and use the short end that sticks out as a probe to read the fob by placing it perpendicular at the midsection of the fob.
i’ve got a lot of experience with paxton systems and i’ve got an RDV4, trust me the fobs are specially difficult to couple with.
3 Likes
I can confirm that the spoon method surprisingly worked 
, the password is the same as the Paxton one, thanks everyone.
3 Likes
it’s ridiculous isnt it 
such quirks are always funny.
are you looking to clone or use them with implants?
edit: asked above because there is PACs downgrades you can do relevant to net2 and switch2 where you can write an ID to em4100 if the support for it is enabled which it does tend to be.
not looking for you to expose your PACs but if the 2nd nibble of the second byte in block 5 is an F, its net2 which means you can use the paxton ID printed at the bottom of the hitag dump screen.
2 Likes
Good to know, Thanks. I was just curious to see what these bullet fobs have as passwords since the Paxton ones are already known.
1 Like