GDX Indigo HITAG2 fob password

I have a GDX Indigo bullet fob and a Paxton Net2 blank card, both using Hitag2 PCF7936 ICs. I successfully read the card content using my Proxmark 3 and the known password (0xBDF5E846) and the default one (0x4D494B52), but I wasn’t able to read the bullet fob. I suspect this is because the fob uses a different password. Can anyone confirm if that’s the case? And by any chance, does anyone have the password for these GDX Indigo fobs?

GDX bullet fobs password is not documented and isn’t known to be global AFAIK.

RE the paxton bullet fob, assuming you have a proxmark 3 easy, put the fob so it intersects the red ring antenna forming a little + cross shape, and then go get a metal table spoon and cover the fob so its being domed by the spoon and re run the command, if youre still having trouble try adjusting the position but this is the way to get it to work.

i know it sounds ridiculous but i am being fully serious, the spoon acts as a waveguide because the bulletfobs are tricky to couple with and the pm3 easy LF antenna is not optimised for use with them.

3 Likes

I am using the Proxmark 3 RDV4, and the device is able to retrieve the UID from the fob, which suggests that this likely isn’t a coupling issue. I have several of these fobs and have never had any trouble getting their UIDs.

“this suggests it isn’t a coupling issue”

no it doesn’t. authorising with a password vs waking up a hitag are very different in terms of coupling and ensuring CRC across the board.

try the spoon, alternatively with the Rdv4 you can flip the antenna out like so;

and use the short end that sticks out as a probe to read the fob by placing it perpendicular at the midsection of the fob.

i’ve got a lot of experience with paxton systems and i’ve got an RDV4, trust me the fobs are specially difficult to couple with.

4 Likes

I can confirm that the spoon method surprisingly worked :laughing:, the password is the same as the Paxton one, thanks everyone.

3 Likes

it’s ridiculous isnt it :sweat_smile: such quirks are always funny.

are you looking to clone or use them with implants?

edit: asked above because there is PACs downgrades you can do relevant to net2 and switch2 where you can write an ID to em4100 if the support for it is enabled which it does tend to be.

not looking for you to expose your PACs but if the 2nd nibble of the second byte in block 5 is an F, its net2 which means you can use the paxton ID printed at the bottom of the hitag dump screen.

3 Likes

Good to know, Thanks. I was just curious to see what these bullet fobs have as passwords since the Paxton ones are already known.

1 Like

I wrote privately to Alasa995. Unfortunately he doesn’t want to help. And I asked for information about pages 2 and 3 and whether pages 4, 5, 6, 7 are in use or only 4 and 5 for GDX fobs (PCF7936). Maybe it’s time to stop sharing knowledge and information :thinking:. Thanks to such behavior of people, one can lose the sense of helping others. Good luck.

I still hope that there will be a kind person who will share information about the content of GDX fobs. :slightly_smiling_face:

Why did you write privately and not ask your questions here on the public thread?

Why did you feel the need to publicly shit talk when someone didn’t want to engage in a private conversation? You took the conversation private, but you’re publicly denigrating alaska995?

Then you make this flippant complaint? You do realize that by making your communication private, that any information shared within that private conversation would not be about sharing knowledge. By taking it private, any information communicated as a result would only benefit you and nobody else. This is extremely bad etiquette, and to publicly complain about another user not wanting to help you privately gain knowledge only for yourself… this is not how forums should work.

Think really hard about your next move here.

4 Likes

send me the dump in visible plaintext, i’ll figure out what context is needed

3 Likes

@Jeybee GDX seems to be a redeployment of paxton, your dump requires full 4/5/6/7 blocks to be transferred along with the password to a new tag

same encoding so i’m looking into deriving your ID for downgrades now but it will take me a sec because it’s a manual calculation.

4 Likes

@Equipter how do you do that calculation?

2 Likes

not really a calculation its just decoding the ID from the blocks, strip parity and apply the selection mask relevant to the encoding for the system version to retrieve the ID (can go more in depth if people want it later)

@Jeybee if you want not to use another hitag for this task your EM4100 ID: 00003C6CD8

write this to a T5577 and it should work.

if it doesn’t, em4100 has been disabled on the backend (not very likely to happen)

3 Likes

Interesting. Could you show an example using faux data?

1 Like

i cba to backtrack and fabricate data i’ll find a fob that isn’t in service anymore and show yall.

there’s net2 and switch2 data but it’s different selection masks from the same de-parity’d data

3 Likes

If you could please download the contents of your brain and upload here leaving you a void husk, that would be greeeaaaatee.

giphy (1)

4 Likes

Are you talking about doing a pilgrim conversion?

3 Likes

I just came across your message and response, and I want to clarify that I had no intention of ignoring you or withholding any information. As I mentioned earlier, I simply don’t have any knowledge beyond what I’ve shared. My primary focus was to determine whether commonly known passwords work with GDX keyfobs, and that’s all.