Proxmark for Cyborgs - Getting started and cloning your first badge!

Welcome, fellow cyborg! So you want to get to know your Proxmark and clone a badge? You’ve come to the right place!

This Wiki is a work in progress, there may not be instructions for cloning your tag yet, and we’re still improving the instructions to make them easier to follow. If the information you need isn’t here, make a forum post and we’ll try to help you out - and of course update that info into this wiki!

INTRODUCTIONS:

What this Wiki IS

We’ll cover out of box setup, running your first commands to tune your antenna and check everything is working, identifying common tags and copying their UID and data to compatible implants.

What this Wiki ISN’T
  • A discussion of the pros and cons of different Proxmark versions - from a command point of view, they all run the same. We will have sections with tips for each specific Proxmark model, including recommended positioning, but all Proxmark owners are welcome here.

  • An individual advice thread - if you need help, we’re happy to do our best! Please make a forum account and create your own post. This helps us keep replies neat and information clear.

  • An invitation to my Animal Crossing island, my turnip prices are horrid anyway.

Now that we’ve got the introductions out of the way, let’s begin!

SETTING UP AND GETTING STARTED:
First things first, let’s set up the software and firmware on your proxmark! We recommend the Iceman/RFID Research Group fork.

What’s firmware? What’s a fork? What’s an Iceman? I’m already lost!

The Proxmark software comes in two parts - one half of it sits on your computer (PM software) and the other half gets ‘flashed’ (installed) to a chip on the Proxmark itself (PM firmware).

The firmware handles all the hardware functionality and does most of the heavy lifting, but humans can’t directly control electrons telepathically yet! We use the software to send commands to the firmware, and the RFID magic begins there.

‘Forks’ are different copies of code, where one group or person takes the code and changes it to improve or customise it. In the Proxmark world there are two main forks. The ‘Official’ fork is the starting point, but we’ll be using the Iceman fork.

Iceman is an RFID researcher who maintains a very popular fork with his team at the RFID Research Group. Their fork has more functions for scanning different tag types and is regarded as the definitive edition by many.

Sounds great! Let’s install some software and firmware!

Installing Iceman fork on your Proxmark

The code for the Iceman/RRG fork is on their GitHub page - it has plenty of great information, but can be a bit overwhelming. We’ll follow their instructions for setting up the software and firmware on your PM3, since they know it best! Make sure to follow along with each step carefully and in order. This gets a bit dry, but it’s important to get this right now so we can have some fun later!

Windows Setup

Mac Setup

Linux Setup

When you’re done there, come on back! Once you’re in the Proxmark software on your computer of choice, the commands are all the same for Windows, Mac and Linux.

I’m in the Proxmark software! What do I do?

Scanning your first tag

You’ve made it this far, that was the hard part, now to have some RFID fun!

The first command you’ll want to run on your Proxmark every time you use it is…

hw tune

The ‘hw’ at the start indicates this is a hardware command - it tells the Proxmark itself to do something! This ‘tune’ command should be run without any tags on or near your Proxmark. It takes measurements of your Proxmark’s antennas and tunes them for best performance. Normally this isn’t so critical for cards and fobs, but with implants we have much tighter tolerances due to the small antennas and the way the coils are wound. Always tune to give yourself the best chance of success!

Next, we’ll put a card on the antenna and do a search. There are two antennas on your Proxmark, one for LF and one for HF tags. For this example scan, we’ll read an LF key fob to get its UID. As implants are more challenging, we’ll come to them once we know how to use the proxmark.

  • Place the tag or fob you want to read on the correct antenna. In my case, this is the LF antenna.
  • Run the command lf search or hf search depending on what type of tag you are using for your tests.
  • Let’s check the results to see if we’ve had any luck…
    [usb] pm3 --> lf search
    [=] NOTE: some demods output possible binary
    [=] if it finds something that looks like a tag
    [=] False Positives ARE possible
    [=]
    [=] Checking for known tags…
    [=]
    #db# Starting Hitag reader family
    #db# Configured for hitag2 reader
    #db# Detected incorrect header, the bit [0] is zero instead of one, abort
    #db# TX/RX frames recorded: 1
    [+] EM410x pattern found

    EM TAG ID : BDBDBDBDBD

    Possible de-scramble patterns

    Unique TAG ID : BDBDBDBDBD
    HoneyWell IdentKey {
    DEZ 8 : 12434877
    DEZ 10 : 3183328701
    DEZ 5.5 : 48573.48573
    DEZ 3.5A : 189.48573
    DEZ 3.5B : 189.48573
    DEZ 3.5C : 189.48573
    DEZ 14/IK2 : 00814932147645
    DEZ 15/IK3 : 000814932147645
    DEZ 20/ZK : 11131113111311131113
    }
    Other : 48573_189_12434877
    Pattern Paxton : 3184655293 [0xBDD1FBBD]
    Pattern 1 : 7831135 [0x777E5F]
    Pattern Sebury : 48573 61 4046269 [0xBDBD 0x3D 0x3DBDBD]

    [+] Valid EM410x ID found!

Success! We’ve read an ID! At this stage it doesn’t matter what sort of card you’ve tested with, as long as you get a Valid ID found message - if you didn’t have any luck, try putting it on the HF antenna and running hf search.
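To make sense of the ‘Possible de-scramble patterns’ in the output above, here is an added example (not part of the original wiki post) that rebuilds those lines from the 40-bit EM TAG ID. The field layouts follow the Proxmark3 client’s EM410x output as I understand it (an assumption), and are checked against the BDBDBDBDBD tag shown above; the point is that every pattern is just another view of the same static 40-bit number, which is all the credential consists of.

```python
# Added example, not from the original post: decode an EM410x ID into the
# de-scramble patterns the Proxmark client prints after "lf search".
# Field layouts are an assumption based on the client's output format;
# the values are checked against the BDBDBDBDBD tag from the scan above.


def reverse_bits(value: int, width: int) -> int:
    """Bit-reverse a width-bit integer (the client's 'Unique TAG ID')."""
    return int(f"{value:0{width}b}"[::-1], 2)


def em410x_patterns(hex_id: str) -> dict:
    """Return the de-scramble patterns for a 10-hex-digit EM410x ID."""
    if len(hex_id) != 10:
        raise ValueError("EM410x IDs are 40 bits (10 hex digits)")
    tag = int(hex_id, 16)
    uid = reverse_bits(tag, 40)        # bit-reversed ID
    lo16 = tag & 0xFFFF                # low 16 bits, shared by several formats
    mid8 = (tag >> 16) & 0xFF          # the byte above those 16 bits
    # DEZ 20/ZK: each nibble of the reversed ID printed as two decimal digits
    zk = "".join(f"{(uid >> shift) & 0xF:02d}" for shift in range(36, -1, -4))
    # Paxton: top byte shifted down next to the low 24 bits, plus a fixed offset
    paxton = (((tag >> 32) << 24) | (tag & 0xFFFFFF)) + 0x143E00
    sebury = (lo16, mid8 & 0x7F, tag & 0x7FFFFF)
    return {
        "EM TAG ID": f"{tag:010X}",
        "Unique TAG ID": f"{uid:010X}",
        "DEZ 8": f"{tag & 0xFFFFFF:08d}",
        "DEZ 10": f"{tag & 0xFFFFFFFF:010d}",
        "DEZ 5.5": f"{(tag >> 16) & 0xFFFF:05d}.{lo16:05d}",
        "DEZ 3.5A": f"{tag >> 32:03d}.{lo16:05d}",
        "DEZ 3.5B": f"{(tag >> 24) & 0xFF:03d}.{lo16:05d}",
        "DEZ 3.5C": f"{mid8:03d}.{lo16:05d}",
        "DEZ 14/IK2": f"{tag:014d}",
        "DEZ 15/IK3": f"{uid:015d}",
        "DEZ 20/ZK": zk,
        "Other": f"{lo16:05d}_{mid8:03d}_{tag & 0xFFFFFF:08d}",
        "Pattern Paxton": f"{paxton} [0x{paxton:X}]",
        "Pattern Sebury": f"{sebury[0]} {sebury[1]} {sebury[2]} "
                          f"[0x{sebury[0]:X} 0x{sebury[1]:X} 0x{sebury[2]:X}]",
    }


if __name__ == "__main__":
    for name, value in em410x_patterns("BDBDBDBDBD").items():
        print(f"{name:15}: {value}")
```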

Great! We’ve now got your Proxmark set up and confirmed it’s working by reading the ID off a tag - now to make a clone! From this point the instructions differ for each card type. If you aren’t sure what type your card is, scan it following the directions above and look at what tag type it finds. You may need to try both HF and LF searches if you are unsure of the frequency of your tag.

CLONING CARDS TO IMPLANTS:

HID Prox II to xEM/NExT

WARNING FOR CLONING TO T5577 BASED IMPLANTS! Your implant does not have tear protection! Follow these instructions carefully and make sure you only proceed with these steps once the previous step has worked. Attempting writes with bad coupling can make your job harder in the long run, so take your time!

Before you begin, run hw tune - do this every time you use your Proxmark for optimal performance.

Place the tag you’d like to clone on the Proxmark LF antenna and run lf search - your Proxmark should return a success message with your HID TAG ID. Keep note of this for later.

    pm3 --> lf search
    NOTE: some demods output possible binary
    if it finds something that looks like a tag
    False Positives ARE possible

    Checking for known tags:

    HID Prox TAG ID: 0a1b2c3d4e (0) - Format Len: 33bit - OEM: 000 - FC: 0 - Card: 0

    [+] Valid HID Prox ID Found!

Great, you now know your HID code! Step one complete, put your source tag away, it’s implant time. Position your implant over the reader and run the following commands to make sure you’ve found the right spot.

We’ll use lf search to find the rough location. We’ll know we’re almost there once we get the message at the bottom letting us know it detected a T55xx chipset - don’t worry about the rest of the output, or if it says no valid tag was found, as we haven’t programmed it with your badge yet! It will most likely say it found an EM4100 tag if you haven’t attempted programming before; this is how DT ship their implants. We’re only concerned with the T55xx chipset detection for now.

    pm3 --> lf search
    NOTE: some demods output possible binary
    if it finds something that looks like a tag
    False Positives ARE possible

    Checking for known tags:

    No known 125/134 KHz tags Found!

    Valid T55xx Chip Found
    Try lf t55xx commands

Proxmark is now suggesting we use lf t55xx commands - great idea! Let’s use the detect command to make sure we are in the right spot and to configure our Proxmark to write to the implant. This can take some time; positioning must be perfect for this to work. If it fails, move the antenna by a millimetre or so and try again.

lf t55xx detect

Now that we’ve found the spot, don’t move it at all! Millimetres often matter here! Time to write the ID you found earlier - replace the ID in the command below with yours before running.

lf hid clone 0a1b2c3d4e

If you don’t see any error messages, it should be done! Run lf search again to see if it worked. It should look the same as the scan you did on your work badge, but may also show at the bottom that it detected the T55xx chipset.

    pm3 --> lf search
    NOTE: some demods output possible binary
    if it finds something that looks like a tag
    False Positives ARE possible

    Checking for known tags:

    HID Prox TAG ID: 0a1b2c3d4e (0) - Format Len: 33bit - OEM: 000 - FC: 0 - Card: 0

    [+] Valid HID Prox ID Found!

    Valid T55xx Chip Found
    Try lf t55xx commands

If your implant detects as a HID Prox TAG and has the ID you set, you’re done! If not, try these steps again. If you’re still having problems, make a post on the forums and we’ll try to help you out.

EM410x to xEM/NExT

WARNING FOR CLONING TO T5577 BASED IMPLANTS! Your implant does not have tear protection! Follow these instructions carefully and make sure you only proceed with these steps once the previous step has worked. Attempting writes with bad coupling can make your job harder in the long run, so take your time!

Before you begin, run hw tune - do this every time you use your Proxmark for optimal performance.

Place the tag you’d like to clone on the Proxmark LF antenna and run lf search - your Proxmark should return a success message with your EM TAG ID. Keep note of this for later.

    [usb] pm3 --> lf search
    [=] NOTE: some demods output possible binary
    [=] if it finds something that looks like a tag
    [=] False Positives ARE possible
    [=]
    [=] Checking for known tags…
    [=]
    #db# Starting Hitag reader family
    #db# Configured for hitag2 reader
    #db# Detected incorrect header, the bit [0] is zero instead of one, abort
    #db# TX/RX frames recorded: 1
    [+] EM410x pattern found

    EM TAG ID : BDBDBDBDBD

    Possible de-scramble patterns

    Unique TAG ID : BDBDBDBDBD
    HoneyWell IdentKey {
    DEZ 8 : 12434877
    DEZ 10 : 3183328701
    DEZ 5.5 : 48573.48573
    DEZ 3.5A : 189.48573
    DEZ 3.5B : 189.48573
    DEZ 3.5C : 189.48573
    DEZ 14/IK2 : 00814932147645
    DEZ 15/IK3 : 000814932147645
    DEZ 20/ZK : 11131113111311131113
    }
    Other : 48573_189_12434877
    Pattern Paxton : 3184655293 [0xBDD1FBBD]
    Pattern 1 : 7831135 [0x777E5F]
    Pattern Sebury : 48573 61 4046269 [0xBDBD 0x3D 0x3DBDBD]

    [+] Valid EM410x ID found!

Great, you now know your EM code! Step one complete, put your source tag away, it’s implant time. Position your implant over the reader and run the following commands to make sure you’ve found the right spot.

We’ll use lf search to find the rough location. We’ll know we’re almost there once we get the message at the bottom letting us know it detected a T55xx chipset - don’t worry about the rest of the output, or if it says no valid tag was found, as we haven’t programmed it with your badge yet! It will most likely say it found an EM4100 tag if you haven’t attempted programming before, but with a different number to the tag you are trying to clone; this is how DT ship their implants. We’re only concerned with the T55xx chipset detection for now.

    pm3 --> lf search
    NOTE: some demods output possible binary
    if it finds something that looks like a tag
    False Positives ARE possible

    Checking for known tags:

    No known 125/134 KHz tags Found!

    Valid T55xx Chip Found
    Try lf t55xx commands

Proxmark is now suggesting we use lf t55xx commands - great idea! Let’s use the detect command to make sure we are in the right spot and to configure our Proxmark to write to the implant. This can take some time; positioning must be perfect for this to work. If it fails, move the antenna by a millimetre or so and try again.

lf t55xx detect

Now that we’ve found the spot, don’t move it at all! Millimetres often matter here! Time to write the ID you found earlier - replace the ID in the command below with yours before running. Note the ‘1’ at the end: it is required, and tells the Proxmark what sort of chip you are writing to.

lf em 410x_write BDBDBDBDBD 1

If you don’t see any error messages, it should be done! Run lf search again to see if it worked. It should look the same as the scan you did on your work badge, but may also show at the bottom that it detected the T55xx chipset.

    [usb] pm3 --> lf search
    [=] NOTE: some demods output possible binary
    [=] if it finds something that looks like a tag
    [=] False Positives ARE possible
    [=]
    [=] Checking for known tags…
    [=]
    #db# Starting Hitag reader family
    #db# Configured for hitag2 reader
    #db# Detected incorrect header, the bit [0] is zero instead of one, abort
    #db# TX/RX frames recorded: 1
    [+] EM410x pattern found

    EM TAG ID : BDBDBDBDBD

    Possible de-scramble patterns

    Unique TAG ID : BDBDBDBDBD
    HoneyWell IdentKey {
    DEZ 8 : 12434877
    DEZ 10 : 3183328701
    DEZ 5.5 : 48573.48573
    DEZ 3.5A : 189.48573
    DEZ 3.5B : 189.48573
    DEZ 3.5C : 189.48573
    DEZ 14/IK2 : 00814932147645
    DEZ 15/IK3 : 000814932147645
    DEZ 20/ZK : 11131113111311131113
    }
    Other : 48573_189_12434877
    Pattern Paxton : 3184655293 [0xBDD1FBBD]
    Pattern 1 : 7831135 [0x777E5F]
    Pattern Sebury : 48573 61 4046269 [0xBDBD 0x3D 0x3DBDBD]

    [+] Valid EM410x ID found!
    Valid T55xx Chip Found
    Try lf t55xx commands

If your implant detects as an EM410x tag and has the ID you set, you’re done! If not, try these steps again. If you’re still having problems, make a post on the forums and we’ll try to help you out.

I WANT TO KNOW MORE!
Check out these handy resources for more great information.

TagBase - This site has a wealth of information on basically every type of RFID tag you can imagine, maintained by @KaiCastledine and the team at KSEC (friends of Dangerous Things and cyborgs in Europe!)
