Hitag2 Cloning to NExT Implant

Hi All,

I’ve just got my own Proxmark 3 and I’m tinkering around with it trying to clone my Work fob.

I managed to get a read of the following:

Valid Hitag2 tag found - UID: a7c38g40

I’ve changed the UID for security reasons.
Is this something I could possibly clone onto my NExT Chip?

Thanks!

1 Like

If it it just a standard HID Low frequency RFID tag, then yes, It would be clone-able onto the LF side of the NExT implant.

That’s very good to know.

Is someone able to just give me a little help actually doing this?
I’ve looked around online and Can’t find anything too obvious to me and I don’t want to fuck up my Implant.

Just looking for some guidance actually getting the Fob data onto my Chip.

Cheers all :slight_smile:

1 Like

HiTags are crypto chips. Not compatible with the NeXT.

1 Like

Edit: Please ignore this post. While it is true, it is incorrect in this thread. I misread the original post and was mistaken. Please see below for clarification.

This is not entirely true, LF hid chips are simply broadcasting their UIDs and they can be easily cloned to a compatible chip, such as the T5577 (the LF chip in the NExT). However, we have yet to figure out how to clone the HF HID chips such as the iSeries and Seos cards, as they are encrypted. LF HID cards however are some of the easiest cards to clone.

3 Likes

HID use Hitag chips? The OP said its a Hitag, not HID.

1 Like

No, youre right, I mistakenly read hitag as hidtag for some reason.

I went and did some research quick, and they aren’t necessarily encrypted, it is just a possible mode. I suppose we would need some more data, and possibly the full memory dump from the chip. It is a LF chip with less memory than a T5577 and the modulation/coding of the two chips could be lined up, as the T5577 has bi-phase and manchester modes, which are the two possible modes of modulation used by the HT2, so I could see cloning it being a possibility for sure, unless I am misunderstanding again. Maybe not as simple as a HID card, but I think it could be done with a bit of work and experimentation, perhaps with a T5577 card to test with so as not to brick the implant.

links to the spec sheets for both chips
HT2
T5577

Edit was for spelling

Hey again!

I’ve taken a look at the Spec Sheets, I’m just trying to understand the Data at the Handshake now.

I went to the reader with my working token and ‘LF Hitag Snoop’ alongside an ‘LF Hitag SimS’

Not sure how helpful this is but If this means anything to you, a breakdown would be extremely appreciated, the last few lines are the Snoop results.

https://pastebin.com/4Ge5SSQk

Hi,
Sorry to bump a nearly year old post, but I was hoping that the OP or someone else had found a solution to this problem (that didn"t involve implanting the other chip as in Hitag2 & xEM | White Chinese Cloner & PM3Easy)

I’ve just recently got a Next implant for tinkering with and I was hoping to be able to use it at work as well.
The badge i use at work reads as an Hitag2 but the UID is about all I can seem get from it with my PM3 Rv4.

Thanks for any info, even if it’s just to say it can’t be done,

-CI

I’m pretty sure the solution ended up being the hitag implant as even though the theory is the t5577 supports it the big on to overcome is that it is not a smart tag and will just “shout” the uid rather than waiting for a request.

As @Devilclarke said, HiTag uses a challenge/response authentication,

I don’t know a lot about HiTag, so take the below with a pinch of salt

The xEM side in EM41xx mode has a 40 bit ID; HiTag uses 48 bit so there could be some issues there but you MAY be able to write more???
HiTag uses ISO14223
Also I am STILL GUESSING here, But Amal released the xHT to probably fill the gap, because there would be no real point dong it if the xEM/ NExT… ( T5577) could emulate the HiTag.

So wait to see if anybody else has some more concrete information for you, otherwise, I guess you have 2 main options
Give it a try ( and let us know )
or
Grab an xHT

I hope you find a solution :+1:

1 Like

I tried a test card Hitag s2048 with a Paxton reader at work and it didn’t even beep, however this means nothing as even a new hitag2 card didn’t beep.

I’m now wondering if it is possible to emulate the hitag 2 tag on the hitag s card and maybe clone my work fob to the card and then eventually my xHT.

Thanks for the replies.

I’ve bought the other implant :grin:
Now I just need to find the right time to get it implanted.

Just wish I could test it with the readers at work before getting it implanted.
I’ll just have to buy some cards with the same chip and see if I can get those to work I guess.

1 Like

You can pick up what you need from ebay, amazon etc. but handily for today and your possible future purchases
KSEC do a complete bundle pack of cards

https://labs.ksec.co.uk/product/complete-test-card-bundle/

1 Like

Unfortunately it doesn’t include a hitag s2048 card.
I got one here

You can clone a paxton credential to a Hitag S256

2 Likes