Hitag cloning via Proxmark3?

I’ve checked historical posts here, and read the paper at:
https://www.researchgate.net/publication/235916472_Gone_in_360_Seconds_Hijacking_with_Hitag2
but I have to admit that it’s beyond me as far as actually implementing it with my Proxmark3.

What I am looking to do is to “clone” the proximity fob from my 2015 GM car to a smaller backup fob or card. Putting my fob on my PM3 Easy and doing an “auto” command found “Valid Hitag” and the 4-hex-byte UID for it.

Can someone here tell me how to actually implement a clone, and to what medium (chipset) I’d need to use?

Thanks in advance…

As nobody else has responded…

The paper you are referring to used a hitag emulator to pretend to be the chip that they were “cloning”.

You can program a new hitag transponder, and some programmers will even work from a dump of a working key. Hitag programmers seem to vary in cost from ~$60 to ~$1,000.

Most locksmiths will clone a key for less than the cost of a programmer. The chip itself is harder to buy singly but I did find some for sale for about $25.

None of these solutions are implantable. I don’t know if they could be made implantable.

What part(s) of the process is the Proxmark3 capable of, other than reading the UID?

I see that there are multi-chip (or at least multi-format) fobs available that include Hitag… Here’s an example (though out of Korea):
https://www.tradekorea.com/product/detail/P731968/125khz-HITAG2-personalised-rfid-key-fobs.html

The product specs state:
RFID keyfob Tag: -125KHZ chips: EM4102,EM4200,EM4550,T5577,TK4100,Hitag1, Hitag2,etc

Or another with rewritable Hitag cards:
LF 125Khz RFID rewritable PVC Hitag1 Hitag2 card smart RFID card with By Uniontags Technology Limited, China (tradekey.com)

And another in fob format:
https://www.globalsources.com/Global-Sources/RFID-Key-Tag-1172424207p.htm

Those are for enrolling onto a system, not cloning onto.


Are you sure? At least some of them say re-writable, such as “LF 125Khz RFID rewritable PVC Hitag1 Hitag2 card”

They're for writing fresh data onto, for adding into a system, not for cloning other data onto. It's a crypto chip and not as simple as other forms of LF.

It has challenge-response and therefore cannot be simply written to a T5577. You need the aforementioned HITAG encoder and blank chips.


~“…have a way to bypass the HiTag chip to start my vehicle”

I had the same setup, looked at that document and went to the RFID Discord for help.

I put enough time into it, to realise I should look at alternatives.

2 Very easy ones to start you off


The way he does this is not personally how I did, or would do mine, but it works so worth a share

Or in my opinion, a better option

The second ones would be a good option if you wanted to add an xAC into the system
Scan - { xAC powers Bypass } - Turn non chipped key or press Push to start etc
