Paxton Tokens at work


Hello fellow biohackers, I already have the xNTi tag in my hand and thinking of getting another tag. We have these tags and door readers I used a 125khz tag to test before buying a kit but the tag wasn’t found on the security s reader/writer. Anyone got an idea why not? And which would be the best kit to buy? Thank you in advance


It’s tough to say what kind of chip is actually used in those tags. The problem is compounded by the fact that most security companies want to keep that information secret because they want to trap the customer into buying new tags for the system from them, not off the shelf tags for much lower cost from somewhere else.

After reading door reader page, it says it reads their “paxton net2” tags, but also Mifare and EM4100… that’s surprising because those two tag types are different frequencies. So, the reader might be multi-frequency… my bet as to why it’s not reading your xNT is that the reader hardware is not configured to, or the host software is not configured to respond to ISO14443A tag IDs.


Hello Amal thank you for your reply, I hope your doing well. Just want to clear up I’m not using the xNTi I was thinking about buying the xEMi and using that. I am able to get security to write to the tags but I tested it with a 125khz key chain tag and the writer didn’t pick it up. I guessing that the Paxton tags have some sort of ID that only work with each other. But there must be some way to mimic that right?


It would be strange for the security system to write something to an EM 125khz tag, since most all of them are read only… at best the security system should read the EM 125khz tag and put that ID into the system. The xEM can be written to only because it’s an ATA5577 chip, but it will operate in EM mode by default with an EM ID pre-programmed.


Paxton tags are 125kHz but are a proprietary system. They’re not compatible with EM4100 or any other commonly available 125kHz tags that I know of. (We have Paxton at work.)

They apparently also make a dual reader that also reads 13.56Mhz tags - no idea if these will work with the xNT or not.


Hmm… after reading about Paxton, I would bet they are just rebranded HID ProxCard II cards… use a Proxmark3 to try to read them… I bet one could be cloned to an xEM :slight_smile:


i know this is an old post but we use paxton in my school and i would love to get an implant to open all the doors so was wondering if anyone has got there implant working on paxton systems.
i can enroll new fobs onto the system as i have the enrollment card so if i could get the implant to work as a paxton fob i can then add that to the system perhaps.
but i dont want to get implanted if i cant use it for this.


I think the best way to do it might be to enroll an existing Paxton fob and then clone it over to the xEM for simplicity’s sake.

The only thing is I am not sure how well Paxton fobs clone as I know quite a few UK companies say they cannot clone Paxton but they can clone HID-II fine.

I’ll try and do some investigation for you tonight as Paxton are purposely mysterious as fuck about their fobs so you don’t go elsewhere.


found this selling wrist bands that are compatible it may give more information about the fobs


My apartment is Paxton, I’m going to buy a few bits in due course (such as a Proxmark 3 easy!) and give cloning a go


I think the easiest way to see if it’s HID or not would just be to scan a random HID tag and see if it at minimum beeps. Usually they will beep at any card that is its format, just not unlock the door.

Based on that link, internally it looks to be a Hitag 2 chip. According to this link it seems to be a 37-bit HID proxcard format - although I may be misunderstanding that forum post a bit. If that first post is relevant, then based on this other post it seems like you can very well emulate a 37 bit HID card with a t5577 based chip. I would however recommend getting a few plain t5577 tags to clone onto in case you brick one, so that you don’t brick your hand.

A Proxmark can work with both an Hitag and T5577 based tag. @amal do you think we’ll be seeing a flexHT in the future? or maybe just wait for vivokey flexone first.


Definitely something funky going on with my Paxton system, each fob comes with a “card” which the landlord keeps, if the fob is broken/lost/stolen you scan the associated card (which they write your door number in normally) and it deactivates the fob.


That makes sense - when you say scan I’m assuming you mean a barcode?

Most likely the barcode is basically the UID of the tag and the landlord scans that which takes the UID of the tag out of the system so it won’t work.


Sorry by scan I mean RFID scan, they hold the associated card to the same reader to deactivate the “paired” fob


Oh huh. That’s a bit intriguing. I wonder how that works - I have a few guesses but no real hard ideas. I’ve never heard of Paxton until now.


took the plunge bought a proxmark 3 but no idea what im doing with it lol but scanned a paxton token with it and got the below.
proxmark3> lf search
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 30000 out of 30000 seen samples at 8 bits/sample
#db# buffer samples: 66 69 6b 6b 6d 6e 6e 70 …
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
does that mean anything to anyone