OK, so if you aren’t interested in lots of proxmark3 output you will want to skip this post…
HID cloning
First I updated my version of the proxmark3 client, and flashed the latest version to my proxmark3 easy… You don’t need to do this, but if a command I use doesn’t exist then you should update.
./pm3
[=] Session log /home/kali/.proxmark3/logs/log_20210726.txt
[+] loaded from JSON file /home/kali/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC
██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman ☕
╚═╝ ╚═╝ ╚═╝╚════╝ ❄ bleeding edge
https://github.com/rfidresearchgroup/proxmark3/
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:20:20
compiled with GCC 10.2.1 20210110 OS:Linux ARCH:aarch64
[ PROXMARK3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:19:52
os: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:22:06
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDM
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 53% used )
Now I put a T5577 that I had previously wiped on the lf antenna and ran lf t5 info
[usb] pm3 --> lf t5 info
[usb] pm3 -->
As you can see I get absolutely no output…
So let’s make this into an HID card for further testing.
[usb] pm3 --> lf hid clone -w H10301 --fc 118 --cn 1603
[=] Preparing to clone HID tag
[+] [H10301 ] HID H10301 26-bit FC: 118 CN: 1603 parity ( ok )
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301 ] HID H10301 26-bit FC: 118 CN: 1603 parity ( ok )
[+] [ind26 ] Indala 26-bit FC: 1888 CN: 1603 parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569
[=] raw: 000000000000002006ec0c86
[usb] pm3 --> lf t5 info
[=] --- T55x7 Configuration & Information ---------
[=] Safer key : 8
[=] reserved : 0
[=] Data bit rate : 0 - RF/8
[=] eXtended mode : No
[=] Modulation : 0 - DIRECT (ASK/NRZ)
[=] PSK clock frequency : 0 - RF/2
[=] AOR - Answer on Request : No
[=] OTP - One Time Pad : No
[=] Max block : 0
[=] Password mode : No
[=] Sequence Terminator : No
[=] Fast Write : No
[=] Inverse data : No
[=] POR-Delay : No
[=] -------------------------------------------------------------
[=] Raw Data - Page 0, block 0
[=] 80000000 - .0000000000000000000000000000000
[=] --- Fingerprint ------------
[usb] pm3 -->
So I now have a T5577 pretending to be an HID card, and lf t5 info actually gives me some info. Now onto the cloning.
First we need information from the card we are wanting to clone…
[usb] pm3 --> lf hid read
[+] [H10301 ] HID H10301 26-bit FC: 118 CN: 1603 parity ( ok )
[+] [ind26 ] Indala 26-bit FC: 1888 CN: 1603 parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569
[=] raw: 000000000000002006ec0c86
[usb] pm3 -->
Now I’m going to grab the entire raw string and use that…
[usb] pm3 --> lf hid clone -r 000000000000002006ec0c86
[=] Preparing to clone HID tag using raw 000000000000002006ec0c86
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301 ] HID H10301 26-bit FC: 118 CN: 1603 parity ( ok )
[+] [ind26 ] Indala 26-bit FC: 1888 CN: 1603 parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569
[=] raw: 000000000000002006ec0c86
[usb] pm3 -->
Now so far it has worked, but your card uses a different format. So I’ll try and create one of those…
[usb] pm3 --> lf hid clone -r 000000000000002100760643
[=] Preparing to clone HID tag using raw 000000000000002100760643
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [HCP32 ] HID Check Point 32-bit FC: 0 CN: 60428
[+] [HPP32 ] HID Hewlett-Packard 32-bit FC: 14 CN: 404294656
[+] [Kantech ] Indala/Kantech KFS 32-bit FC: 59 CN: 801
[+] [WIE32 ] Wiegand 32-bit FC: 118 CN: 1603
[=] found 4 matching formats
[+] DemodBuffer:
[+] 1D55595655556A695569655A
[=] raw: 000000000000002100760643
[usb] pm3 -->
I also tried to clone using the other formats but neither HCP32 nor HPP32 would encode properly.
I could use both lf hid clone -w Kantech --fc 59 --cn 801 and lf hid clone -w WIE32 --fc 118 --cn 1603.
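Added example, not part of the original post or the Proxmark3 code base: a decoder for the two raw values read above, showing that the raw string holds nothing beyond a length marker, the facility code, the card number and (for H10301) two parity bits. The framing layout (preamble at bit 37, sentinel bit directly above the data) is an assumption inferred from the two raw values in the post, and the function names are hypothetical.

```python
"""Decode the HID Prox raw values shown in the post (added example)."""

# Assumption inferred from the post's two raw values: formats shorter than
# 37 bits set bit 37 as a preamble and place a single sentinel bit directly
# above the card data, so the sentinel position equals the data length.
PREAMBLE_BIT = 37


def split_raw(raw_hex):
    """Return (bit_length, payload) for a short-format raw value."""
    value = int(raw_hex, 16)
    if not (value >> PREAMBLE_BIT) & 1 or value >> (PREAMBLE_BIT + 1):
        raise ValueError("not a short-format HID raw value")
    body = value & ((1 << PREAMBLE_BIT) - 1)
    if body == 0:
        raise ValueError("missing sentinel bit")
    length = body.bit_length() - 1  # sentinel sits just above the data
    return length, body & ((1 << length) - 1)


def decode_h10301(payload):
    """Unpack a 26-bit H10301 payload and verify both parity bits."""
    fc = (payload >> 17) & 0xFF      # 8-bit facility code
    cn = (payload >> 1) & 0xFFFF     # 16-bit card number
    upper = (payload >> 13) & 0x1FFF  # even-parity bit + first 12 data bits
    lower = payload & 0x1FFF          # last 12 data bits + odd-parity bit
    parity_ok = (bin(upper).count("1") % 2 == 0
                 and bin(lower).count("1") % 2 == 1)
    return {"fc": fc, "cn": cn, "parity_ok": parity_ok}


if __name__ == "__main__":
    # Raw values copied from the `lf hid read` output in the post.
    for raw in ("000000000000002006ec0c86", "000000000000002100760643"):
        length, payload = split_raw(raw)
        print(f"{raw}: {length}-bit payload 0x{payload:08x}")
        if length == 26:
            print("  H10301:", decode_h10301(payload))
```

The parity bits only detect read errors; the payload contains no secret or per-card key, which is why the post's copy of the raw string reads back identically to the original.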