GDX Indigo HITAG2 fob password

Support
21

Switch 2/ p10 Downgrade selection tutorial

→ Blocks 4/5/6/7:

84030140
20422820
3D824840
0C201084

→ Convert to binary, split into 5 bit chunks, disregard the last two bits of each block, they mean nothing.

10000 10000 00001 10000 00010 10000 00
00100 00001 00001 00010 10000 01000 00
00111 10110 00001 00100 10000 10000 00
00001 10000 10000 00001 00001 00001 00

→ the first bit of every 5bit pad is an odd-parity bit. remove it and convert every nibble into decimal.

result:

0000 0000 0001 0000 0010 0000 
0100 0001 0001 0010 0000 1000 
0111 0110 0001 0100 0000 0000 
0001 0000 0000 0001 0001 0001 

converted nibbles: 001020411208761400100111

apply this funky selection mask (capped because trying to align text with spaces is so hard its easier to do in a sheet)

image
image687×138 7.09 KB

resultant switch2 ID: 10710001 (decimal)
convert to hex: A36BF1
pad with leading 0s to reach 5 bytes for em4100 ID:0000A36BF1

for NET2

net2 is exactly the same but actually way easier, the second nibble of the second byte in block 5 will always be F, you do the same conversion and removal of the off parity but instead of selecting the digits in a mask you just take all the digits in order leading up to the F.

42 2C 1C 88
01000 01000 10110 00001 11001 00010 00
  8     8     6     1     9     2

82 3F 08 40
10000 01000 11111 10000 10000 10000 00
  0     8     F     0     0     0

84 21 08 40
10000 10000 10000 10000 10000 10000 00
  0     0     0     0     0     0

84 21 08 10
10000 10000 10000 10000 10000 00100 00
  0     0     0     0     0     4

net2 ID:88619208
em4100 ID (hex with padding): 00054838C8

@amal sorry for the delay good sire my brain took a bit to upload

if anyone needs further clarification on anything lmk, this was speedy but i hope it gets the method across.

E2A fun fact, if youre using multi tech readers you can encode this as mifare classic 4Byte UID so long as you use little endian (reverse the byte order)

6 Likes
22

I made a python script for Paxton Net. Out of curiosity, will the output data be the same as read by Proxmark3. And everything is fine. The script is not really necessary because the same thing can be done by reading Paxton Net via Proxmark3. The next step is a script for Paxton Switch2, unless the author of the tutorial has anything against it.

txt → py
PAXTON_NET.txt (2.5 KB)

2 Likes
23

I added .py extensions to the forum :slight_smile:

3 Likes
24

Proxmark3 does the same for net2. Target automatic script. Reading blocks. Paxton identification, depending on the type, script for net2 or switch2 and copying to T5577. For switch2 I need to add a mask. This is very simple… to code. If the author agrees.

25

I hope Equipter won’t be angry since he released the tutorial anyway.

Paxton_switch.py.txt (2.3 KB)

2 Likes
26

oh yah idc

3 Likes
27

Paxton_convert.py.txt (3.8 KB)

----correction----

Small changes. After entering data for blocks 4 and 5, the script identifies Paxton and performs appropriate calculations for Net2 or Switch2.

28

I already have a script in Lua ready to read blocks from Paxton fob. The script will read data from fob and ask whether to copy it. Paxton on Paxton or Paxton on EM4102. That is, full automation.

a
a665×438 7.32 KB

b
b772×664 18.7 KB

c
c939×619 17.5 KB

d
d811×472 7.62 KB

1 Like
30

why not put it on github

32

Log Date: 2025-01-18 17:23:32
Block 4: 84030088
Block 5: C9201984
Block 6: C86D5840
Block 7: 0C201084
EM4102 ID: 00003C6CD8

In case of incorrect Paxton Fob position and incorrect blocks reading, a message is displayed…
------------------------------------------------------------------------------------------
Adjust the Fob position on the coil. Press ENTER to continue…
-------------------------------------------------------------------------------------------

I added the generated value EM4102 ID to the log file
Paxton_clone.lua.txt (10.7 KB)

1 Like
33

Hey Jeybee,

@Equipter was brilliant at helping me copy paxton net2 to new Paxton fobs and he suggested I could clone to EM chip but found the downgrading calcs a little bit much for me.

I then came across your script which I beleive does the job for you :slight_smile:

Im trying to use your lua script but the resultant Em410 or T55XX chip doesnt seem to work. Is there any way of reading the new fob to see if it had the correct data on it?

I used LF Search and got the following result:

Paxton Script result
Paxton Script result488×640 11.3 KB

And the original Paxton Fob Dump is:

ID
ID454×479 9.43 KB

34

I don’t know where you got this ID from - 30704EB228???
The script works correctly. If the data from the blocks was read incorrectly, the calculated ID for EM4102 will obviously be wrong.
Based on your blocks, I made a copy of Paxton and used my script. The script generated correct data:

clone EM4102 to T55x7 tag with EM Tag ID 0002D5F3D6

Paxton net support is implemented in proxmark3 and you do not need to use additional scripts - lf search and the result:

[usb] pm3 → lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] Paxton id… 47576022 | 0x2d5f3d6 ( C╜{ifob )

[+] Valid Paxton ID found!

[+] UID… D597D913
[+] TYPE… PCF 7936
[+] Chipset detection: Hitag 2
[?] Hint: try lf hitag commands

you run my script in proxmark 3 by typing: script run paxton_clone

If T5577 made this way does not work, it means that EM4102 support is disabled.

Capture_2025_01_24_14_42_11_798
Capture_2025_01_24_14_42_11_798704×399 8.23 KB

35

That ID just came when the reader read the chip using LF Search so could it be that the chip isnt compatible maybe? Maybe I need to order some different ones?

36

This is a link to the fobs I bought… Link

37

The purchased blank T5577 tags give this reading:

[usb] pm3 → lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset
[usb] pm3

Applying the command:

[usb] pm3 → lf t55 detect
[=] Chip type… T55x7
[=] Modulation… ASK
[=] Bit rate… 2 - RF/32
[=] Inverted… No
[=] Offset… 33
[=] Seq. terminator… Yes
[=] Block0… 000880E0 (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… No

Check other T5577s, check if they have a password before writing

38

Thanks again for your help! Can’t seem to get it to work on the T557 chips i have but perhaps it is because they have been used on a different system before. I did try to wipe them but no luck!

Think I will try to order some new ones and see if that helps :slight_smile:

39

[usb] pm3 → lf t55 chk
[=] Press to exit

[+] Loaded 125 keys from dictionary file C:\proxmark3\ProxSpace\pm3\proxmark3\client\dictionaries/t55xx_default_pwds.dic
[=] Press to exit
[=] testing 00000000
[=] testing 51243648
[=] testing 000D8787
[=] testing 19920427
[=] testing 002BCFCF
[=] testing 50524F58
[=] testing F9DCEBA0
[=] testing 65857569
[=] testing 05D73B9F
[=] testing 89A69E60

or
txt rename to lua. The original is different. I modified it a bit. Rename or replace.
lf_t55xx_reset.txt (2.0 KB)

40

Sorry Im not sure I understand @Jeybee

41

strong textAh yes it seems to have a password. 51243648

This must be because the original fob was written with a blue cloner.

Can I parse this into the wipe command or would you say it’s easier to just buy new?

Cheers

P.s. apolgies for the late reply as a newbie I can only post 5 times within the first 24 hrs so had to wait :slight_smile:

42

lf_t55xx_reset.lua.txt (2.1 KB)

use tihis
or
lf t55 wipe -p 51243648