Stubborn Honeywell 125khz reader

So someone on the forum graciously help me flash my pm3 to the latest version of iceman and all that

But he and I both noticed it’s not showing the HID prox uid like it normally would…

1st can someone show me what YOU see when you lf search a prox card?

2nd… assuming mine is wrong, now what?

Cloned my prox to my NEXT as it appeared in iceman, but the reader isn’t registering anything

1 Like

So confused,

I somehow cloned this card before when my pm3 was properly set up, and the clone worked perfectly,

Now that I have it setup correctly, it won’t clone for shit, and it’s trying to tell me what was previously just a t5577 card is now a em4x05

I have a few options to try next time I badge in

I “cloned” a new badge and confirmed it reads bit for bit according to “updated” firmware

If it works, it’s likely not the coding, but something with the chip

If it doesn’t work it’s something with the coding

For what it’s worth, this is being written onto a next, so if the CARD clone works, it’s either read range or if I read correctly there are multi class readers, so it could be getting scrambled since my chip is lf and he at the same time?

Just thinking outloud and trying to wrap my head around this stuff when I should have been asleep many hours ago

I sorta liked the old interface I was using, but it lacked all the tuning functions

Which exact commands did you use for card cloning? I believe the proxmark, while capable of HF and LF, only ever works with one at a time, the the frequencies are sufficiently different that the field of one should have a negligible effect on the other

What commands did you use?
Can you upload what you get from lf sea and lf t55 det.
Tested on my when i got home.


teeny@ubuntu:~$ pm3
[=] Session log /home/teeny/.proxmark3/logs/log_20201027.txt
[+] loaded from JSON file /home/teeny/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ :snowflake:
╚═╝ ╚═╝ ╚═╝╚════╝ bleeding edge :coffee:

[ Proxmark3 RFID instrument ]

client: RRG/Iceman/master/v4.9237-783-g6bd0138f 2020-08-13 13:44:49
compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

external flash: present
smartcard reader: present

[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: absent

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-783-g6bd0138f 2020-08-13 13:45:10
os: RRG/Iceman/master/v4.9237-783-g6bd0138f 2020-08-13 13:45:22
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 287800 bytes (55%) Free: 236488 bytes (45%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait…
:clock1: 8
[=] ---------- LF Antenna ----------
[+] LF antenna: 27,52 V - 125,00 kHz
[+] LF antenna: 26,87 V - 134,83 kHz
[+] LF optimal: 28,33 V - 127,66 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[!] :warning: HF antenna is UNUSABLE

[+] Displaying LF tuning graph. Divisor 88 is 134,83 kHz, 95 is 125,00 kHz.

[usb] pm3 --> lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] Checking for known tags…
[+] EM410x pattern found

EM TAG ID : 0F0368568B

Possible de-scramble patterns

Unique TAG ID : F0C0166AD1
HoneyWell IdentKey {
DEZ 8 : 06837899
DEZ 10 : 0057169547
DEZ 5.5 : 00872.22155
DEZ 3.5A : 015.22155
DEZ 3.5B : 003.22155
DEZ 3.5C : 104.22155
DEZ 14/IK2 : 00064481678987
DEZ 15/IK3 : 001034014845649
DEZ 20/ZK : 15001200010606101301
Other : 22155_104_06837899
Pattern Paxton : 259822731 [0xF7C948B]
Pattern 1 : 9750181 [0x94C6A5]
Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]

[+] Valid EM410x ID found!

[usb] pm3 --> lf hid clone l
[=] Preparing to clone HID tag with long ID: 00000000000000000
[+] Done
[usb] pm3 --> lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] Checking for known tags…
[+] HID Prox - 9e000000000000000000000 (0)

[+] Valid HID Prox ID found!

[usb] pm3 --> lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] Checking for known tags…
[+] HID Prox - 9e000000000000000000000 (0)

[+] Valid HID Prox ID found!

[usb] pm3 --> lf hid clone 2006ec0c86
[=] Preparing to clone HID tag with ID: 2006ec0c86
[+] Done
[usb] pm3 --> lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] Checking for known tags…
[+] HID Prox - 2006ec0c86 (1603) - len: 26 bit - OEM: 000 FC: 118 Card: 1603

[+] Valid HID Prox ID found!

[usb] pm3 -->

Your situation is definitely odd, for sure.

is this correct?

Original card works admin loaded

Cloned Card works Proxmark Previous firmware

NExT Doesnt work Proxmark NEW Iceman firmware

Do you have another T5577 card you can clone with the new firmware version?

As the guys above said, it would be good to see the Proxmark3 results from your Card and NExT to compare.

In the meantime, there are some quick and easy tests to do at the reader.

It won’t be getting scrambled, but
My GUESS is that it is not a multiclass reader issue. So to rule that out, can you use you DT Diagnostic card on the reader(s) to confirm.

I think we should explore this also.
Have you ever used an implant on your system?

Use your xFD on the reader to find the sweetspot (LED at it’s brightest) and replicate this position(s) and orientation when you present your NExT.

Do you have a good relationship with your system admin people?

We will get there buddy :+1:

Just to add some detail to help with troubleshooting (I’m the one that got him set up with Iceman), he’s running the newest version of iceman, compiled from source (with the PM3OTHER flag), and connecting via an Ubuntu install through WSL 1. Everything flashed fine, and the PM3 connects fine over serial. When originally scanned, the card claimed to be H10301 HID prox. I’m not too experienced with cloning HID cards, but it didn’t show a UID, just the wiegand format FC and CN numbers. He said that with his old tool, it gave him a UID. I had him try the command “lf hid clone --fc XX --cn XX”, obviously with his FC and CN. It then read the same via both lf search along with various hid commands I tried (same as his original card). Again, not super familiar with HID cloning, not sure if that was all that should have been needed. Also to be clear, I did have him run a hw tune before every scanning and cloning attempt. Hopefully this helps with figuring out his issue.

First, sorry I intended to post what the pm3 is showing me, but I had far less time than I planned this morning

So, the newest cloned t5577 cards works
Even though it looks reads vastly different in the pm3 window

scratches head

So it either hates my next or it’s read range is terrible but I was massaging my hand on the reader previous

I’ll try the XFD at some point but it’s hard to be convert about that
I do have a diagnostic card also, so I can see if it’s doing hf things

Alternatively I could clone to my xEM and see if that makes a difference tomorrow

Also I now have a brainstorm of a 3D printed card I can put the original xfd chips in

1 Like

Were the logs still available from the original firmware, or are they wiped /overwritten when

Otherwise know as…

As far as I know, the original logs are not available

So we can possibly just blame me

Yea but that isn’t useful for alignment and positioning

1 Like

I think the reader just has an absolute shit antenna

I just ran out for food and made sure to let the door shut so I could “buzz” back in

Diagnostic card shows only LF at a very fast pulse

Did a cursory swipe with the XFD, and I couldn’t find any sweet spot

I might fiddle a bit more after work, there’s a couple coworkers I chat with near said door I can use as an excuse to be loitering near the door, and they know I’m a cyborg and and down with it

No blame needed

Good point, I am suddenly liking your idea.

at least we can officially rule out multiclass.

Next opportunity you get, rather than a swipe, try a perimeter “scan”


Yea what I tried was this motion with it laying horizontally, figured I’d cross the antenna at some point

But I only had about 10 seconds

I can’t fault your logic, But from my experience, not all positions are created equal.
I would go perimiter, but upto you how you do it,

My previous readers were a horizontal read better, my new readers a vertical approach much better.

You don’t have to do it all in one visit.
if you try a different section a little bit at a time. eventually you will build up that intel picture.
The fact that your readers are “reading” very quickly makes it easier, but possibly they are just low powered “pulses”

On your DT DC how bright was the LED?

Can you try placing your DT card underneath (with LEDs above/visible) your Original card.
Do you get a brighter LED when it scans open.

It was pretty bright, good powerful field

That’s good news.
We are getting there.

Have you tried writing a different mode card to your next, like an EM41xx, and then back to your HID Prox?

I think it’s the reader…

I’ll try and get a picture of it tomorrow, but geez

I couldn’t get the XFD to even flicker with 60 seconds of playing around with it

Fwiw, I have now crammed my clone card inside my phone case, bwahaha cellphone trickery

Made by Honeywell

Any insight or experience with this little uncooperative bastard?

Is there any chance you could try using the xFD with the RDC behind it? There’s a small chance its only waking up when the field is sufficiently disturbed? (though it’s not battery powered, so no idea why it’d sleep like that)

Isnt the DC going to mess up the field, similar to how we were talking about making amplifying stickers ?

Also appears to be a Honeywell op30