Rewriteable Hitag (2) tags?

I'm trying to clone my Hitag tag for work, both as an experiment but also because I want a second tag. I am under the impression that the system we use at work is only utilising the UID of the card, since there is a reader both on the entry gate as well as the admin building.

My primary concern is getting it to work on the entry gate, as I have a code that also works for the admin building (i.e. either using the tag or the code will give me entry into the building). But the entry gate is badge only. Reading the existing tag is peachy enough, but actually getting the UID written to a Hitag (2) protocol card, AND finding such a card, is where I am stuck.

Because I tried writing it to a T5577 card and, while the UID got applied, both readers refuse to acknowledge the card, making me suspect that the reader ONLY listens for and accepts Hitag protocols.

Is it a HITAG S? Those support challenge / response security features based on 40 bit keys and you can’t clone that to a T5577.. it doesn’t have the feature set.


Well, I was under the impression you couldn’t copy Hitags to “simple” T5577 tags simply because there was a protocol mismatch?

This is what lf search says for the specific card:

[usb] pm3 → lf search
[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[=] Odd size, false positive?
[+] Indala (len 204) Raw: 7ffffffffffffffffffffffffffffffffffffffffffffffffff554aa
[+] Valid Indala ID found!
[=] Searching for auth LF and special cases…
[+] UID… 707E5F1F
[+] TYPE… PCF 7936
[+] Chipset… Hitag 2
[?] Hint: Try lf hitag commands

And lf hitag info:

[usb] pm3 → lf hitag info

[=] — Tag Information ---------------------------
[+] UID… 707E5F1F
[+] TYPE… PCF 7936
[+] Config… 0x06
[+] 00000110
[+] 0000 … - RFU
[+] …0 .. - Password mode
[+] …11 - Hitag 2
[+] …0 - Manchester

[=] — Fingerprint
[=] n/a

The problem is that HITAG chips are “reader talk first” chips, while T5577 chips are chip talk first. When a T5577, EM41xx, HID Prox, etc. are powered up, they just start yelling their ID into the void. The HITAG is a gentleman.. it waits for the reader to specifically call for IDs using an anti-collision sequence.

  • Bits 7-4; RFU (always 0)
  • Bit 3; 0 = Password Mode (not Crypto Mode so no Crypto1)
  • Bits 2-1; 11 = Hitag 2 type
  • Bit 0; 0 = Manchester encoding (not Biphase)

So the chip is a HITAG 2. There is a mode called Public TTF mode these chips can be in which does not utilize the password feature, so it might be possible for a T5577 to emulate the UID. Unfortunately your HITAG 2 chip is in password mode, not public mode. It is not using crypto challenge / response, just plain password mode.. which is something.. but still the T5577 does not have a way to handle password authentication commands.

If you’re using a recent Iceman firmware and client you could try using lf hitag clone --t55x7 -u 707E5F1F to write the UID to your T5577. If not, you can manually configure your T5577 using:

  lf t55xx detect
  lf t55xx wipe
  lf t55xx write -b 0 -d 00148040
  lf t55xx write -b 1 -d F87E5F1F

But, given your source chip is using Password Mode, it’s unlikely to work.

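As an added example (not code from the thread or from the Proxmark3 project), here is a small Python decoder for the two words the post above takes apart: the Hitag 2 config byte shown by lf hitag info and the T5577 block 0 word in the manual clone recipe. Bit positions follow the Proxmark3 T55x7 definitions; the labels for the three public-mode values of bits 2-1 are my assumption from the datasheet, since the thread only spells out the 0b11 case.

```python
HITAG2_MODES = {
    0b00: "Public mode B (TTF)",  # assumption: datasheet label, not from the thread
    0b01: "Public mode A (TTF)",  # assumption
    0b10: "Public mode C (TTF)",  # assumption
    0b11: "Hitag 2 (reader talk first)",  # the case the thread decodes
}
T55X7_BITRATE = {0: 8, 1: 16, 2: 32, 3: 40, 4: 50, 5: 64, 6: 100, 7: 128}
T55X7_MODULATION = {0b00000: "Direct", 0b00001: "PSK1", 0b00010: "PSK2",
                    0b00011: "PSK3", 0b00100: "FSK1", 0b00101: "FSK2",
                    0b00110: "FSK1a", 0b00111: "FSK2a",
                    0b01000: "Manchester", 0b10000: "Biphase"}


def decode_hitag2_config(cfg: int) -> dict:
    """Split the Hitag 2 config byte into the fields 'lf hitag info' prints."""
    if not 0 <= cfg <= 0xFF:
        raise ValueError("config byte must fit in 8 bits")
    return {
        "rfu": cfg >> 4,                                     # bits 7-4, expected 0
        "crypto": bool(cfg & 0b1000),                        # bit 3: 0 password, 1 crypto
        "mode": HITAG2_MODES[(cfg >> 1) & 0b11],             # bits 2-1
        "encoding": "Biphase" if cfg & 1 else "Manchester",  # bit 0
    }


def decode_t55x7_config(word: int) -> dict:
    """Decode a T5577 block 0 config word (bit rate, modulation, max block)."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("config word must fit in 32 bits")
    return {
        "bit_rate": "RF/%d" % T55X7_BITRATE[(word >> 18) & 0b111],            # bits 20-18
        "modulation": T55X7_MODULATION.get((word >> 12) & 0b11111, "other"),  # bits 16-12
        "max_block": (word >> 5) & 0b111,                                     # bits 7-5
    }


def uid_only_clone_plausible(cfg: int) -> bool:
    """Rule of thumb from the thread: a T5577 that merely replays a UID can
    only imitate a tag in a public (TTF) mode; a tag in Hitag 2 mode waits
    for the reader and (in password mode) expects a password step next."""
    return (cfg >> 1) & 0b11 != 0b11


if __name__ == "__main__":
    print(decode_hitag2_config(0x06))        # the fob in the thread
    print(decode_t55x7_config(0x00148040))   # block 0 from the clone recipe
    print(uid_only_clone_plausible(0x06))    # False
```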

I already have a T5577 that has the UID written to it and it didn’t work. So is there anything I can do from this point to progress? I just find it odd that we have 2 different readers, one for the gate and one for the office, that aren’t the same ones, and ideally I would be more than happy if I could just get the gate working.

But I take it the way forward from this point won’t be easy with the Proxmark3 unless I want to drag it with me to emulate the card, which isn’t going to work.

Nope

Given the information above, this is very likely inaccurate. Your source FOB has password mode enabled. You’ve copied the UID to a T5577. The clone doesn’t work at either reader. To me, this means the access system that controls both the door and gate are actually using the password feature enabled on your fob. Your T5577 chip lacks this feature, hence it does not work.


And there are no “chinese” fobs that allow you to clone a Hitag tag? Or some tag that would work?

You have mentioned T5577 a number of times, just 100% confirming you have it in HiTag mode?

Check out this thread with some replies from IceMan, there might be some info in there that will help you out.


I am unsure what you mean in regards to the T5577 being in Hitag mode. I was under the impression that wasn't possible?

You could be correct

I haven’t played with HiTag for a while and it was not very successful. It was for a car, and I found some good documentation (you would need access to the reader to use it), but at the same time I found a workaround and didn’t have to deal with the HiTag again…

What I would try is rather than drill down in the HiTag menu, go via the T5577 commands.

Maybe something like

lf t55xx clone -t hitag2 -u [UID]

Although, as mentioned above, the UID only probably won't work.
BUT
You might be able to manually write the block,

something like

lf hitag info

lf t5 write


I detailed this already. The manual process of writing block 0 is what puts the T5577 into “hitag mode”.. it configures the analog front-end of the chip to operate in a similar fashion to how hitag chips work, however they still do not support reader-talk-first like real hitag chips do.. so ymmv. Writing block 1 is what actually programs the memory correctly to output what the hitag reader expects as a response.. so if your timing is lucky the chip will transmit just after the reader makes its request.. even though the chip won’t hear it. It’s all about timing.

That said, like I mentioned above, the T5577 doesn’t have any idea how to do the password operation the real hitag does.. and since your hitag is in password mode, chances are even if you got lucky and the reader received the UID at just the right timing, the next operation would likely be a password operation and it would fail.


Which brings me back to one of my original questions. Is there some way to clone a Hitag tag, much like other tags? And I'm talking in general here and not just T5577.

Not that I’m aware of


Running those 4 commands lands me at:

[usb] pm3 → lf search
[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Searching for auth LF and special cases…
[=] Couldn’t identify a chipset

I assume it's the intended result of wiping the card and changing the blocks?

Do “lf search” then “lf t5 detect”

This is after running the 4 commands you posted :slight_smile:

[usb] pm3 → lf search
[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Searching for auth LF and special cases…
[=] Couldn’t identify a chipset
[usb] pm3 → lf t5 detect
[!] Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

Hmm.. try recovery;