Paxton Tokens at work

Colezy · February 5, 2017, 11:41pm

Hello fellow biohackers, I already have the xNTi tag in my hand and thinking of getting another tag. We have these tags and door readers I used a 125khz tag to test before buying a kit but the tag wasn’t found on the security s reader/writer. Anyone got an idea why not? And which would be the best kit to buy? Thank you in advance

amal · February 15, 2017, 5:20pm

It’s tough to say what kind of chip is actually used in those tags. The problem is compounded by the fact that most security companies want to keep that information secret because they want to trap the customer into buying new tags for the system from them, not off the shelf tags for much lower cost from somewhere else.

After reading door reader page, it says it reads their “paxton net2” tags, but also Mifare and EM4100… that’s surprising because those two tag types are different frequencies. So, the reader might be multi-frequency… my bet as to why it’s not reading your xNT is that the reader hardware is not configured to, or the host software is not configured to respond to ISO14443A tag IDs.

Colezy · February 20, 2017, 10:43pm

Hello Amal thank you for your reply, I hope your doing well. Just want to clear up I’m not using the xNTi I was thinking about buying the xEMi and using that. I am able to get security to write to the tags but I tested it with a 125khz key chain tag and the writer didn’t pick it up. I guessing that the Paxton tags have some sort of ID that only work with each other. But there must be some way to mimic that right?

amal · February 22, 2017, 7:03pm

It would be strange for the security system to write something to an EM 125khz tag, since most all of them are read only… at best the security system should read the EM 125khz tag and put that ID into the system. The xEM can be written to only because it’s an ATA5577 chip, but it will operate in EM mode by default with an EM ID pre-programmed.

Fred · September 19, 2017, 10:03pm

Paxton tags are 125kHz but are a proprietary system. They’re not compatible with EM4100 or any other commonly available 125kHz tags that I know of. (We have Paxton at work.)

They apparently also make a dual reader that also reads 13.56Mhz tags - no idea if these will work with the xNT or not.

amal · September 21, 2017, 6:57pm

Hmm… after reading about Paxton, I would bet they are just rebranded HID ProxCard II cards… use a Proxmark3 to try to read them… I bet one could be cloned to an xEM

peter1970 · March 20, 2019, 1:08pm

i know this is an old post but we use paxton in my school and i would love to get an implant to open all the doors so was wondering if anyone has got there implant working on paxton systems.
i can enroll new fobs onto the system as i have the enrollment card so if i could get the implant to work as a paxton fob i can then add that to the system perhaps.
but i dont want to get implanted if i cant use it for this.

JamesW · March 20, 2019, 1:12pm

I think the best way to do it might be to enroll an existing Paxton fob and then clone it over to the xEM for simplicity’s sake.

The only thing is I am not sure how well Paxton fobs clone as I know quite a few UK companies say they cannot clone Paxton but they can clone HID-II fine.

I’ll try and do some investigation for you tonight as Paxton are purposely mysterious as fuck about their fobs so you don’t go elsewhere.

peter1970 · March 20, 2019, 1:15pm

found this selling wrist bands that are compatible it may give more information about the fobs
https://www.jmprime.co.uk/product_info.php/hitag2-wristband-125khz-rfid-compatible-with-paxton-net2-access-control-wristbands-pack-of-10-p-233

JamesW · March 21, 2019, 1:33am

My apartment is Paxton, I’m going to buy a few bits in due course (such as a Proxmark 3 easy!) and give cloning a go

bepiswriter · March 21, 2019, 1:48am

I think the easiest way to see if it’s HID or not would just be to scan a random HID tag and see if it at minimum beeps. Usually they will beep at any card that is its format, just not unlock the door.

Based on that link, internally it looks to be a Hitag 2 chip. According to this link it seems to be a 37-bit HID proxcard format - although I may be misunderstanding that forum post a bit. If that first post is relevant, then based on this other post it seems like you can very well emulate a 37 bit HID card with a t5577 based chip. I would however recommend getting a few plain t5577 tags to clone onto in case you brick one, so that you don’t brick your hand.

A Proxmark can work with both an Hitag and T5577 based tag. @amal do you think we’ll be seeing a flexHT in the future? or maybe just wait for vivokey flexone first.

JamesW · March 26, 2019, 12:50am

Definitely something funky going on with my Paxton system, each fob comes with a “card” which the landlord keeps, if the fob is broken/lost/stolen you scan the associated card (which they write your door number in normally) and it deactivates the fob.

bepiswriter · March 26, 2019, 1:38pm

That makes sense - when you say scan I’m assuming you mean a barcode?

Most likely the barcode is basically the UID of the tag and the landlord scans that which takes the UID of the tag out of the system so it won’t work.

JamesW · March 26, 2019, 1:51pm

Sorry by scan I mean RFID scan, they hold the associated card to the same reader to deactivate the “paired” fob

bepiswriter · March 26, 2019, 2:34pm

Oh huh. That’s a bit intriguing. I wonder how that works - I have a few guesses but no real hard ideas. I’ve never heard of Paxton until now.

peter1970 · April 8, 2019, 12:15pm

took the plunge bought a proxmark 3 but no idea what im doing with it lol but scanned a paxton token with it and got the below.
proxmark3> lf search
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 30000 out of 30000 seen samples at 8 bits/sample
#db# buffer samples: 66 69 6b 6b 6d 6e 6e 70 …
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
proxmark3>
does that mean anything to anyone

peter1970 · April 22, 2019, 10:02am

looks like paxton is a no go for implants then im glad i checked before i got the implant

nanna · October 17, 2019, 9:16pm

We have the Paxton Net2 Access control system.

If you have the P50/KP50 with the EX printed at the end of the model number - Paxton have opend for EM41xx tags.

The EX is not sold in the UK - The UK model is without the EX and are only working with Paxton Properterian Tags.

The KP50 has a keyboard, and makes the distance from the LF antenna to far - I haven’t been able to get a good coupler with those.

I can enroll the UID from my NexT implant to the system, so I didn’t bothered the cloning.

Cyberprog · July 12, 2022, 8:13pm

This is known as Switch2 - and it’s a weird system where you enrol a token/card and have a barring card. But you go to each device to program it, not to a central system.

The really interesting thing about this system is that you used to be able to encode this using a desktop reader and some software.

(Sorry, I know this is years old, but figured this might be useful info).