HID Proxy clone using Proxmark3

Before I begin… basically I am trying to clone my work ID to some keychain fobs that came with an old cheap “blue cloner” tool. I have a terrible habit of leaving my card everywhere but where it should be, and I need to clone it to these keychain fobs.
Things I have done:
I was able to use the command "lf hid read" to get my work ID read, and it is in fact a HID Prox card.
I was able to use the command "lf hid clone -r (xxxxxxx my card raw data)" to clone this card to what I know is actually a T5577 card (not key fob type), and it worked and was readable with the same command "lf hid read".

Now trying to read the keychain fob to get some info and then attempt to clone my HID Prox card to it.

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 3D00D51E2C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : BC00AB7834
[=] HoneyWell IdentKey
[+] DEZ 8 : 13966892
[+] DEZ 10 : 0013966892
[+] DEZ 5.5 : 00213.07724
[+] DEZ 3.5A : 061.07724
[+] DEZ 3.5B : 000.07724
[+] DEZ 3.5C : 213.07724
[+] DEZ 14/IK2 : 00262006971948
[+] DEZ 15/IK3 : 000807465089076
[+] DEZ 20/ZK : 11120000101107080304
[=]
[+] Other : 07724_213_13966892
[+] Pattern Paxton : 1038703660 [0x3DE95C2C]
[+] Pattern 1 : 14896340 [0xE34CD4]
[+] Pattern Sebury : 7724 85 5578284 [0x1E2C 0x55 0x551E2C]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset

I see it did not identify the chipset.
Now, does this mean that the blank T55xx is written or emulating an EM410x??
I just don’t know how to determine this.
So I tried some EM 410x commands to read the fob.

[usb] pm3 → lf em 410x read
[+] EM 410x ID 3D00D51E2C
[usb] pm3 →

Now this shows an EM 410x ID of 3D00D51E2C,
when the earlier command “lf search” showed the Unique TAG ID to be BC00AB7834.
I am not sure what the difference is between an EM 410x ID and a Unique TAG ID, or if any of that info is even useful for my purposes.

So with more online searching I tried the following command

[usb] pm3 → lf t55xx config
[=] — current t55xx config --------------------------
[=] Chip type… T55x7
[=] Modulation… ASK
[=] Bit rate… 0 - RF/8
[=] Inverted… No
[=] Offset… 0
[=] Seq. terminator… No
[=] Block0… 00000000 (n/a)
[=] Downlink mode… default/fixed bit length
[=] Password set… No

I am assuming, since this command actually shows me the “chip type”, that it is a T5577??

Just going to see if I can actually wipe the data… in case it’s password protected by default

[usb] pm3 → lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping…
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[usb] pm3 →

It seemed to actually wipe the data. Let’s read it again.

[usb] pm3 → lf t55xx config
[=] — current t55xx config --------------------------
[=] Chip type… T55x7
[=] Modulation… ASK
[=] Bit rate… 0 - RF/8
[=] Inverted… No
[=] Offset… 0
[=] Seq. terminator… No
[=] Block0… 00000000 (n/a)
[=] Downlink mode… default/fixed bit length
[=] Password set… No

[usb] pm3 →

So I am kinda at a loss here. It would seem from this information there is no password yet on the chip, which makes sense since I have never used the cheap RFID reader on it… I am just still not sure where to go from here, so I’m at a loss. I am not very versed in this type of thing, but I am trying to learn. I could just copy to several T5577 cards, but the key fobs I won’t lose, since I have yet to ever lose my car keys. I would appreciate any kind of help to guide me in the right direction. I am still reading as much info on all this as I can. Thanks
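The two `lf t55xx config` dumps above only show the client's own assumed settings (Block0 00000000 (n/a)), not what the fob holds; the wipe writes 000880E0 into block 0, and the fields that `lf t5 info` prints later in the thread are just the bit fields of that one 32-bit word. As an added example (not from the thread or the Proxmark3 project), here is a decoder for that configuration word; the bit positions follow the T5577 datasheet layout, and the bit-rate and modulation tables are this example's own assumptions checked against the two block-0 values the thread shows.

```python
# Decode a T5577 configuration word (page 0, block 0) into the fields the
# Proxmark3 "lf t5 info" output lists. Bit positions follow the T5577
# datasheet (bit 1 = most significant bit of the 32-bit word); the tables
# below are this example's own, not copied from the Proxmark3 client.

BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "DIRECT (ASK/NRZ)", 1: "PSK1", 2: "PSK2", 3: "PSK3",
               4: "FSK1", 5: "FSK2", 6: "FSK1a", 7: "FSK2a",
               8: "Manchester", 16: "Biphase"}

def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)

def decode_t5577_config(word):
    """Return the block-0 configuration fields of a 32-bit word as a dict."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    mod = field(word, 16, 5)
    return {
        "safer_key": field(word, 1, 4),          # bits 1-4 (master key)
        "bit_rate": BIT_RATES[field(word, 12, 3)],
        "x_mode": bool(field(word, 15, 1)),
        "modulation": MODULATIONS.get(mod, "other (%d)" % mod),
        "psk_cf": field(word, 21, 2),
        "aor": bool(field(word, 23, 1)),
        "otp": bool(field(word, 24, 1)),
        "max_block": field(word, 25, 3),
        "password_mode": bool(field(word, 28, 1)),  # the PWD bit the thread asks about
        "seq_terminator": bool(field(word, 29, 1)),
        "fast_write": bool(field(word, 30, 1)),
        "inverse_data": bool(field(word, 31, 1)),
        "por_delay": bool(field(word, 32, 1)),
    }

def is_password_protected(word):
    """True when block 0 has the PWD bit set, i.e. writes need a password."""
    return decode_t5577_config(word)["password_mode"]

if __name__ == "__main__":
    # 000880E0 is the default the wipe in this thread writes; 80000000 is the
    # block 0 that "lf t5 info" shows further down the thread.
    for w in (0x000880E0, 0x80000000):
        print("%08X" % w, decode_t5577_config(w))
```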

I guess the first question is… can you take one of these keyfobs and set it aside or mark it, then try using the cheap cloner you bought? I guess the first question is, does the cloner read your work badge successfully?


I don’t think it will read it. I remember trying this… but I will give it another shot.

Just tried… the blue cloner will not read my HID Prox work card

Ok so the cloner is prob only EM support… so yes the proxmark3 is your best bet at this point. Can you show a photo of the keyfob on the proxmark3 when trying to program it?


From the output you showed, I am guessing that your T55x7 keyfobs are blank.

Wiping a blank fob results in a blank fob.

As for whether there was a password set, it actually states that there isn’t in the lf t5 info output.

But I don’t see at any point where you tried actually writing your HID data to the card.

Have you tried actually cloning your card to one of these?

Yes I did… and it does not work. I have at least 10 of these fobs… I will clone to a different one and post the data when trying to clone it. However, the issue has been that I am not 100% sure how to clone to the fob, because it does not respond to “lf hid” commands, which to my understanding are needed to clone my HID Prox card to a T55xx blank…

Here is the reading of the HID Prox card and the attempt to clone to the FOB. All important data has been replaced with “x’s”, not the actual data read.

Reading of HID PROX card:
[usb] pm3 → lf hid read
[+] [HCP32 ] HID Check Point 32-bit FC: x CN: xxxxxxx
[+] [HPP32 ] HID Hewlett-Packard 32-bit FC: xxx CN: xxxxxxxxx
[+] [Kantech ] Indala/Kantech KFS 32-bit FC: xxx CN: xxxxx
[+] [WIE32 ] Wiegand 32-bit FC: xxxx CN: xxxxx
[=] found 4 matching formats
[+] DemodBuffer:
[+] 1D55595696A5AA99A5A666AA

[=] raw: 00000000000000xxxxxxxxxx

Using raw data to attempt to clone to FOB
[usb] pm3 → lf hid clone -r xxxxxxxxxx
[=] Preparing to clone HID tag using raw xxxxxxxxxx
[=] Done
[?] Hint: try lf hid reader to verify
[usb] pm3 → lf hid reader
[usb] pm3 → lf hid read
[usb] pm3 →

As you can see, I get no reply. However, all the previous commands in the earlier post still work, and it seems it has not actually cloned to the FOB.
I am not actually sure if I am using the correct commands to write to this fob.

You could use the proxmark cheat sheet

The command you want is lf hid clone followed by the UID in one of various formats.

Either the raw format with lf hid clone -r 123456789abc (try lf hid read 1 to find it) or with the facility code and card number lf hid clone -w H10301 --fc 10 --cn 1337 (the H10301 is the card type, you should get that from your lf hid read)

I tried the lf hid read 1 command; it does not work. I know the raw data code, as mentioned in earlier posts. I have used the command to clone it as shown in the earlier post and in the post below; however, it does not work. Here is the output:

[usb] pm3 → lf hid clone -r 123456789abc (my raw data)
[=] Preparing to clone HID tag using raw 123456789abc
[=] Done
[?] Hint: try lf hid reader to verify

As mentioned earlier… this did not actually write to the FOB, because it will not respond to “lf hid read” commands.
Moving on… attempting to write to the FOB anyway with facility code and card number does not work either… I also tried this. Here is the output.

[usb] pm3 → lf hid clone -w HCP32 --fc 0 --cn 12345678
[!] The card data could not be encoded in the selected format.
[usb] pm3 →

It says the card data could not be encoded in the selected format. I am making an assumption this means the FOB is not configured to allow this type of encoded structure to be written to it?? I am not sure I worded this correctly. Am I accurate, or does format mean the bit structure, as in 26-bit or 32, etc. etc.? If the latter is true, I do not know how to write and ensure the data is encoded in the correct bit format. I could be way off track here… lol I am just not really sure.

Do I need to try to write each Wiegand list along with facility code and card number in one single command, or do I attempt to write each one separately? Trying to write just one single Wiegand list with FC and CN codes tells me the data could not be encoded in the selected format. There seem to be 4 formats to encode. I am not sure if that’s why it’s throwing this error. I do not know how to send more than one command to the FOB at a time, and I am not sure that one can.

If lf hid read 1 is not returning the raw code, then are you sure that you are reading an HID card?

If you can’t write -w ‘blah’, that is because you are not providing the correct data to it. Proxmark writing to a tag has been likened to “shouting into the wind”. You don’t know if the tag received the message, or if it actually did anything with it. That is why you write, and then read to confirm that you actually had a successful write.

Well, when I use my work card and I type “lf hid read 1”, it does not read anything, because my build for the Proxmark3 does not seem to support this command with the “1”. It only shows 2 possible commands after lf hid read, which are "lf hid read --help" and "lf hid read -@", which is a continuous read. I am not 100 percent sure my work card is a HID PROX card at this point now, because I noticed the following command, lf search, does not identify my chipset.

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] [HCP32 ] HID Check Point 32-bit FC: 0 CN: 123456789abc
[+] [HPP32 ] HID Hewlett-Packard 32-bit FC: 123 CN: 123456789abc
[+] [Kantech ] Indala/Kantech KFS 32-bit FC: 123 CN:12345
[+] [WIE32 ] Wiegand 32-bit FC: 1234 CN: 123456
[=] found 4 matching formats
[+] DemodBuffer:
[+] 1D55595696A5AA99A5A666AA

[=] raw: 00000000000000123456789abc

[+] Valid HID Prox ID found!

[=] Couldn’t identify a chipset

So does that mean the card is emulating a PROX ID but on some other chipset? Now I’m hella confused lol. Like I said… I was able to clone this puppy to a valid blank rewritable T5577 card with no problem, but it just refuses to copy to the damn FOB lol

Ok. I will pull out my pm3 tonight and run through the entire sequence I expect to work and document it.

(The lf hid read 1 came from a web site, I haven’t tried that)

It could also be a coupling issue with the fob so I will show you an example lf tune as well.


At this point I think I’m willing to donate an implant to @Zwack to finally get him on team cyborg fer realz


I can afford to pay for one… I am just waiting for the Apex ultra mega max which I hear might be available SOON™


Amal sitting on his hoard of implants:

:wink:


Join Us


OK, so if you aren’t interested in lots of proxmark3 output you will want to skip this post…

HID cloning

First I updated my version of the proxmark3 client, and flashed the latest version to my proxmark3 easy… You don’t need to do this, but if a command I use doesn’t exist then you should update.

./pm3
[=] Session log /home/kali/.proxmark3/logs/log_20210726.txt
[+] loaded from JSON file /home/kali/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗ 
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗
  ██║     ██║ ╚═╝ ██║█████╔╝       Iceman ☕
  ╚═╝     ╚═╝     ╚═╝╚════╝    ❄ bleeding edge

  https://github.com/rfidresearchgroup/proxmark3/


 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:20:20
  compiled with GCC 10.2.1 20210110 OS:Linux ARCH:aarch64

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:19:52
       os: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:22:06
  compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDM
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

Now I put a T5577 that I had previously wiped on the lf antenna and ran lf t5 info

[usb] pm3 --> lf t5 info
[usb] pm3 -->

As you can see I get absolutely no output…
So let’s make this into an HID card for further testing.

[usb] pm3 --> lf hid clone -w H10301 --fc 118 --cn 1603
[=] Preparing to clone HID tag
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 1888  CN: 1603  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569

[=] raw: 000000000000002006ec0c86
[usb] pm3 --> lf t5 info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 8
[=]  reserved                  : 0
[=]  Data bit rate             : 0 - RF/8
[=]  eXtended mode             : No
[=]  Modulation                : 0 - DIRECT (ASK/NRZ)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 0
[=]  Password mode             : No
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  80000000 - .0000000000000000000000000000000
[=] --- Fingerprint ------------

[usb] pm3 --> 

So I now have a t5577 pretending to be an hid card, and lf t5 info actually gives me some info. Now onto the cloning.

First we need information from the card we are wanting to clone…

[usb] pm3 --> lf hid read
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 1888  CN: 1603  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569

[=] raw: 000000000000002006ec0c86
[usb] pm3 --> 

Now I’m going to grab the entire raw string and use that…

[usb] pm3 --> lf hid clone -r 000000000000002006ec0c86
[=] Preparing to clone HID tag using raw 000000000000002006ec0c86
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 1888  CN: 1603  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569

[=] raw: 000000000000002006ec0c86
[usb] pm3 --> 

Now so far it has worked, but your card uses a different format. So I’ll try and create one of those…

[usb] pm3 --> lf hid clone -r 000000000000002100760643
[=] Preparing to clone HID tag using raw 000000000000002100760643
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [HCP32   ] HID Check Point 32-bit           FC: 0  CN: 60428
[+] [HPP32   ] HID Hewlett-Packard 32-bit       FC: 14  CN: 404294656
[+] [Kantech ] Indala/Kantech KFS 32-bit        FC: 59  CN: 801
[+] [WIE32   ] Wiegand 32-bit                   FC: 118  CN: 1603
[=] found 4 matching formats
[+] DemodBuffer:
[+] 1D55595655556A695569655A

[=] raw: 000000000000002100760643
[usb] pm3 -->

I also tried to clone using the other formats but neither HCP32 nor HPP32 would encode properly.

I could use both lf hid clone -w Kantech --fc 59 --cn 801 and lf hid clone -w WIE32 --fc 118 --cn 1603

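The raw value above decodes as four different 32-bit formats, and the FC/CN pair 118/1603 turns into the raw 2006ec0c86, because the named formats are just different bit layouts laid over one word; this is also why the earlier question about "26-bit or 32-bit" format matters more than the format names. As an added example (not from the thread or the Proxmark3 source), here is a Python encoder/decoder for the raw values shown in this post; the raw framing (bit 37 set, plus a sentinel bit just above the data marking its length) is inferred from the two raw strings above, and the H10301, WIE32, Kantech and HCP32 layouts are assumptions checked against the same outputs; HPP32 is left out because its layout cannot be confirmed from the thread.

```python
# Encode/decode of the HID Prox raw words seen in this thread.
# Assumptions (this example's own, checked only against the outputs above):
#  - Proxmark3 raw framing: bit 37 set, then a sentinel 1 just above the
#    N data bits, so raw = (1 << 37) | (1 << N) | data.
#  - H10301: E + 8-bit FC + 16-bit CN + O (even parity over the first 12
#    data bits, odd parity over the last 12).
#  - WIE32: 16-bit FC + 16-bit CN; Kantech: FC at bits 7..14, CN at 15..30;
#    HCP32: FC unused, CN at bits 1..24 (offsets counted from the MSB, 0-based).

def parity(value):
    """1 if `value` has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1

def bits(word, length, start, count):
    """Read `count` bits of a `length`-bit word starting at MSB offset `start`."""
    shift = length - start - count
    return (word >> shift) & ((1 << count) - 1)

def pack_h10301(fc, cn):
    """Build the 26-bit H10301 word including both parity bits."""
    if not (0 <= fc <= 0xFF and 0 <= cn <= 0xFFFF):
        raise ValueError("H10301 holds an 8-bit FC and a 16-bit CN")
    data = (fc << 16) | cn
    even = parity(data >> 12)           # parity bit making the first 13 bits even
    odd = parity(data & 0xFFF) ^ 1      # parity bit making the last 13 bits odd
    return (even << 25) | (data << 1) | odd

def unpack_h10301(word):
    """Return (fc, cn, parity_ok) for a 26-bit word."""
    fc, cn = bits(word, 26, 1, 8), bits(word, 26, 9, 16)
    data = (fc << 16) | cn
    ok = (bits(word, 26, 0, 1) == parity(data >> 12)
          and bits(word, 26, 25, 1) == parity(data & 0xFFF) ^ 1)
    return fc, cn, ok

def unpack_32bit(word):
    """Three of the four readings lf hid read prints for one 32-bit word."""
    return {"WIE32": (bits(word, 32, 0, 16), bits(word, 32, 16, 16)),
            "Kantech": (bits(word, 32, 7, 8), bits(word, 32, 15, 16)),
            "HCP32": (0, bits(word, 32, 1, 24))}

def to_pm3_raw(word, length):
    """Frame an N-bit Wiegand word the way the raw: lines in this post show it."""
    return (1 << 37) | (1 << length) | word

def from_pm3_raw(raw):
    """Inverse of to_pm3_raw: (length, data word)."""
    if not raw & (1 << 37):
        raise ValueError("only the sub-37-bit framing seen in this thread is handled")
    rest = raw & ((1 << 37) - 1)
    length = rest.bit_length() - 1      # position of the sentinel bit
    return length, rest & ((1 << length) - 1)

if __name__ == "__main__":
    print("%010x" % to_pm3_raw(pack_h10301(118, 1603), 26))   # 2006ec0c86
    n, word = from_pm3_raw(0x2100760643)
    print(n, unpack_32bit(word))   # 32 {'WIE32': (118, 1603), 'Kantech': (59, 801), 'HCP32': (0, 60428)}
```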

Sorry for that long and boring post, but that was a complete run through of a read and clone of a couple of “HID cards”. I would suggest trying to run the exact clone commands I ran with one of those fobs. If it doesn’t work then either it is not a T55xx card, or we have something else going on here.

Out of curiosity, can you try putting a fob on the HF antenna and trying an hf search? I am wondering if your fobs are all NFC ones.

If you need me to run through using lf tune @ to find the best position for the tag on the antenna then let me know…


I know I am replying to myself but I just had a look at the initial post again.

In that you take an alleged T55x7, wipe it using lf t5 wipe and can still see a config on it. When I do that I see nothing until I write a new configuration to the T5577. I am wondering if somehow these T5577 have been somehow modified to only emulate an EM 410x.

Can you try cloning a different EM 410x ID to one of the fobs?

I read everything you posted and even tried all of it… nothing works. Yes, when I wipe the FOB I can only read it with the lf t5 config command. Looking like I’m just gonna have to give up on these fobs. Anyone want me to send you one and you mess around with it? Anyways… the weird thing is the FOBs and the T5577 cards both have the same “type” of data on them.

Reading the T5577 card

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 1E00EA809C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 7800570139
[=] HoneyWell IdentKey
[+] DEZ 8 : 15368348
[+] DEZ 10 : 0015368348
[+] DEZ 5.5 : 00234.32924
[+] DEZ 3.5A : 030.32924
[+] DEZ 3.5B : 000.32924
[+] DEZ 3.5C : 234.32924
[+] DEZ 14/IK2 : 00128864387228
[+] DEZ 15/IK3 : 000515401777465
[+] DEZ 20/ZK : 07080000050700010309
[=]
[+] Other : 32924_234_15368348
[+] Pattern Paxton : 520011420 [0x1EFEBE9C]
[+] Pattern 1 : 12330009 [0xBC2419]
[+] Pattern Sebury : 32924 106 6979740 [0x809C 0x6A 0x6A809C]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
[usb] pm3 →

Now reading the FOB

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 3D00D51E2C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : BC00AB7834
[=] HoneyWell IdentKey
[+] DEZ 8 : 13966892
[+] DEZ 10 : 0013966892
[+] DEZ 5.5 : 00213.07724
[+] DEZ 3.5A : 061.07724
[+] DEZ 3.5B : 000.07724
[+] DEZ 3.5C : 213.07724
[+] DEZ 14/IK2 : 00262006971948
[+] DEZ 15/IK3 : 000807465089076
[+] DEZ 20/ZK : 11120000101107080304
[=]
[+] Other : 07724_213_13966892
[+] Pattern Paxton : 1038703660 [0x3DE95C2C]
[+] Pattern 1 : 14896340 [0xE34CD4]
[+] Pattern Sebury : 7724 85 5578284 [0x1E2C 0x55 0x551E2C]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
[usb] pm3 →

Now what’s really crazy is I can easily clone my HID Prox work card to one of the T5577 cards… but when I try to clone to the FOB it’s a no go! The only thing I haven’t tried is to clone to the FOB using the default password the cheap cloner uses when it writes. I know it looks like it doesn’t have a password on the FOBs, but it seems like I should at least try. I, however, do not know how to use the password to clone the HID Prox card to the fob.