Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!


#1 2011-10-09 08:35:00

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Clone HID card to T55x7

Hello,

As it looks like the previous thread on this topic has disappeared, find here the link to the modified code and binaries supporting this (based on r497):

http://www.proxmark.org/files/index.php … _T55x7.zip

It features a new command to clone HID tags (the T55x7 card must be placed on the antenna before submitting the command):

lf hid clone <ID>, where <ID> is the 44-bit card ID to be cloned in HEX, as returned by 'lf hid fskdemod'

Regards,
Cex.


#2 2011-10-09 11:32:52

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

I tried this but it didn't work
please send a command screenshot
thanks


#3 2011-10-09 11:36:18

vivat
Contributor
Registered: 2010-10-26
Posts: 302

Re: Clone HID card to T55x7

Cex
Contact Roel and ask him for access to SVN, please


#4 2011-10-09 13:06:55

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

The link worked for me and the clone feature is fantastic!


#5 2011-10-09 15:10:20

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7


~/RFID/proxmark3-498/client$ ./proxmark3

Connected units:
    1. SN: ChangeMe [003/003]

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 486-suspect 2011-07-31 00:16:23                 
#db# os: svn 498-unclean 2011-09-29 09:01:36                 
#db# FPGA image built on 2009/12/ 8 at  8: 3:54
proxmark3>

proxmark3> hw tune
#db# Measuring antenna characteristics, please wait.                 
         
# LF antenna: 27,93 V @   125.00 kHz         
# LF antenna: 18,26 V @   134.00 kHz         
# LF optimal: 27,93 V @   125,00 kHz         
# HF antenna: 10,12 V @    13.56 MHz         
proxmark3>

proxmark3> lf em4x em410xwatch
#db# buffer samples: ff ff ff ff ff ff ff ff ...                 
Reading 2000 samples
         
Done!
         
Auto-detected clock rate: 64         
EM410x Tag ID: 0000000001         
proxmark3>

proxmark3> lf hid clone FFFFFFFFF
Cloning tag with ID fffffffff         
#db# DONE!                 

proxmark3> lf hid fskdemod
proxmark3>



The orange LED is on and the red LED flashes but no response ... why ???
thanks


#6 2011-10-09 15:57:55

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

First of all, why would you try to clone FFFFFFFFF? That ID can't possibly be valid. What kind of blank tag are you using? Also, try reading an HID tag and write down the ID on paper. My HID LF tags have 10 digits, not 9 as you show above.


#7 2011-10-09 16:22:02

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

I use a T5577 tag, but do not have any HID tags ... can you give me a valid number to try?
thanks


#8 2011-10-09 16:28:22

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

spinoinside wrote:

I use a T5577 tag, but do not have any HID tags ... can you give me a valid number to try?
thanks

20042ea607


Tell me what decimal number it produces with the proxmark3 after the clone command and I'll let you know if it is right?


#9 2011-10-09 16:41:38

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

Bugman1400 wrote:
spinoinside wrote:

I use a T5577 tag, but do not have any HID tags ... can you give me a valid number to try?
thanks

20042ea607


Tell me what decimal number it produces with the proxmark3 after the clone command and I'll let you know if it is right?

proxmark3> lf hid clone 20042ea607
Cloning tag with ID 20042ea607         
#db# DONE!                 
proxmark3>
proxmark3> lf hid fskdemod
proxmark3>

The orange LED is on and the red LED flashes but no response


#10 2011-10-09 18:28:31

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

Are you using the proxmark3.exe that came with the PM3_T55x7 zip file?

How do you know that you have a T5577 and not a T5567?

It appears that the blank tag is not being programmed. Or, it is not a T55x7 lf blank tag. Are you sure the lf tag is blank and can be programmed? I think the tags can be programmed to be protected so, if something went wrong when you tried an invalid ID then, the tag may not be able to be programmed again. I do not know what kind of checking that Cex put into the program.

Also, I do remember having trouble my first few tries. For me, I use the lf antennae that came with my PM3. It is the one that looks like a black CD/DVD. I was able to get results when I laid the blank tag on the antennae and just left it. Before, I was holding it above the antennae like I do when I want to read a tag.

I just tried to reprogram my T55x7 tag with 20042ea777 and it worked great! However, after I did the clone command and went into the lf hid fskdemod command, it did nothing until I picked up the card off of the antennae.

Hope that helps.


#11 2011-10-10 19:24:56

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

Bugman1400 wrote:

Are you using the proxmark3.exe that came with the PM3_T55x7 zip file?

How do you know that you have a T5577 and not a T5567?

It appears that the blank tag is not being programmed. Or, it is not a T55x7 lf blank tag. Are you sure the lf tag is blank and can be programmed? I think the tags can be programmed to be protected so, if something went wrong when you tried an invalid ID then, the tag may not be able to be programmed again. I do not know what kind of checking that Cex put into the program.

Also, I do remember having trouble my first few tries. For me, I use the lf antennae that came with my PM3. It is the one that looks like a black CD/DVD. I was able to get results when I laid the blank tag on the antennae and just left it. Before, I was holding it above the antennae like I do when I want to read a tag.

I just tried to reprogram my T55x7 tag with 20042ea777 and it worked great! However, after I did the clone command and went into the lf hid fskdemod command, it did nothing until I picked up the card off of the antennae.

Hope that helps.

I compiled under Linux and tried it but no result, then I tried the proxmark3.exe that came with the PM3_T55x7.zip file but nothing.

I'm not sure that the tag is a T5577; on the card is printed "FOR HW688". I bought the card from the user laser.

I use this homemade antenna

Thanks for the quick response.
I will do other tests


#12 2011-10-10 20:07:07

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

You have too many unknowns. The biggest unknown to me is your 'blank tag'. The "FOR HW688" means nothing to me. All my blank T55x7 cards are plain white and have nothing written on either side. Maybe you need to ask Laser what kind of tag it is?
Secondly, your antennae design looks good but, as I said before, the clone command is very picky as to how the tag is positioned next to the antennae. I don't know why this is.

Confirm 'blank tag' first.


#13 2011-10-11 07:43:05

vivat
Contributor
Registered: 2010-10-26
Posts: 302

Re: Clone HID card to T55x7

The "FOR HW688" means nothing

It means that the blank card you are using is Q5 or Hitag2:
http://www.proxmark.org/forum/viewtopic … 4458#p4458


#14 2011-10-11 14:40:21

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

I'm glad vivat pointed that out. It appears that the Hitag2 is ASK modulation and probably won't work. I'm not sure if the Q5 is the same as an ATMEL T5567 or not. I think the clone feature developed by CEX is probably just for 125KHz, FSK, and the ATMEL T5567. I'm guessing that each manufacturer has its own unique way of programming its tags. However, since he included the source code, I think it would be easy to modify for the other tags as well.


#15 2011-10-11 20:17:50

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

Bugman1400 wrote:

You have too many unknowns. The biggest unknown to me is your 'blank tag'. The "FOR HW688" means nothing to me. All my blank T55x7 cards are plain white and have nothing written on either side. Maybe you need to ask Laser what kind of tag it is?
Secondly, your antennae design looks good but, as I said before, the clone command is very picky as to how the tag is positioned next to the antennae. I don't know why this is.

Confirm 'blank tag' first.

Laser told me that the tag is a T5557.

Today I received an HID tag and the command "lf hid fskdemod" works:

#db# TAG ID: 2004dc9993 (19657)                 
#db# TAG ID: 2004dc9993 (19657)                 
#db# TAG ID: 2004dc9993 (19657)                 
#db# TAG ID: 2004dc9993 (19657)                 
#db# TAG ID: 2004dc9993 (19657)                 
#db# Stopped

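The ID printed in the post above, decoded field by field, as an added example that is not part of the original thread or of Cex's code. It assumes the standard 26-bit (H10301) layout behind the `2004…` prefix seen here: a marker at bit 37, a sentinel at bit 26, then even parity, an 8-bit facility code, a 16-bit card number and odd parity. The name `hid26_decode` is hypothetical. The number in parentheses after `TAG ID` is the card-number field, and a string such as FFFFFFFFF fails the framing check.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a 26-bit (H10301) HID Prox credential. */
typedef struct { unsigned facility, card; } hid26_t;

/* XOR of the low n bits of v: 0 = even number of ones, 1 = odd. */
static int parity(uint32_t v, int n) {
    int p = 0;
    for (int i = 0; i < n; i++) p ^= (int)((v >> i) & 1u);
    return p;
}

/* Decode a hex ID as shown by 'lf hid fskdemod'.
 * Returns 0 on success, -1 if not hex or longer than 44 bits,
 * -2 if the framing is not the assumed 26-bit one, -3 on a parity error. */
int hid26_decode(const char *hex, hid26_t *out) {
    size_t len = strlen(hex);
    uint64_t id = 0;
    if (len == 0 || len > 11) return -1;            /* 44 bits = 11 hex digits */
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)hex[i];
        if (!isxdigit(ch)) return -1;
        id = (id << 4) | (uint64_t)(isdigit(ch) ? ch - '0' : tolower(ch) - 'a' + 10);
    }
    /* Assumed framing: marker at bit 37, sentinel at bit 26, nothing between. */
    if ((id >> 26) != 0x801) return -2;
    uint32_t w = (uint32_t)(id & 0x3FFFFFF);        /* the 26 Wiegand bits */
    if (parity(w >> 13, 13) != 0) return -3;        /* even parity over bits 25..13 */
    if (parity(w, 13) != 1) return -3;              /* odd parity over bits 12..0 */
    out->facility = (w >> 17) & 0xFF;
    out->card = (w >> 1) & 0xFFFF;
    return 0;
}

int main(void) {
    /* IDs quoted in the thread, plus one with its last bit flipped (constructed). */
    const char *ids[] = { "2004dc9993", "20042ea607", "FFFFFFFFF", "2004dc9992" };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        hid26_t c;
        int rc = hid26_decode(ids[i], &c);
        if (rc == 0) printf("%s: facility %u, card %u\n", ids[i], c.facility, c.card);
        else printf("%s: rejected (%d)\n", ids[i], rc);
    }
    return 0;
}
```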

#16 2011-10-11 20:28:44

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

Bugman1400 wrote:

The "FOR HW688" means nothing to me.

FOR HW688


#17 2011-10-11 20:33:03

spinoinside
Member
From: Italy
Registered: 2010-02-06
Posts: 14

Re: Clone HID card to T55x7

vivat wrote:

The "FOR HW688" means nothing

It means that the blank card you are using is Q5 or Hitag2:
http://www.proxmark.org/forum/viewtopic … 4458#p4458

Can I verify if the tag is a Q5 or Hitag?


#18 2011-10-11 22:06:51

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

spinoinside wrote:
vivat wrote:

The "FOR HW688" means nothing

It means that the blank card you are using is Q5 or Hitag2:
http://www.proxmark.org/forum/viewtopic … 4458#p4458

Can I verify if the tag is a Q5 or Hitag?

If Laser verified that it is a T5557 then the clone command should work. So, the second thing is the antennae. Try cloning the HID tag you have now. If it doesn't work then add non-metallic spacers between your blank tag and the antennae until you get results. Obviously, you may have to remove the spacers to read the tag once you have programmed it.


#19 2011-10-13 15:33:21

Raymond
Member
Registered: 2011-09-14
Posts: 30

Re: Clone HID card to T55x7

Has anybody encountered this before?

[Screenshot: lf hid clone problem, by raymond2017]

#db# unknown commND:: 0X0210


#20 2011-10-13 17:05:04

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

Try limiting the ID to just 10 digits.

Raymond wrote:

Has anybody encountered this before?

http://farm7.static.flickr.com/6049/6240835112_30682863b0.jpg
lf hid clone problem by raymond2017

#db# unknown commND:: 0X0210


#21 2011-10-14 01:13:41

Raymond
Member
Registered: 2011-09-14
Posts: 30

Re: Clone HID card to T55x7

Shaved off one digit at the front and then one digit at the back.

[Screenshot: lf hid clone problem 3, by raymond2017]

For that HID card.

The HID reader (not the Proxmark3) displays:

ID = EDDEEEBBDEF
37-bit 6F775DEF7

I also tried emulating it from the Proxmark3; the HID reader was not able to detect it either.

Arh.......


#22 2011-10-14 01:29:36

Bugman1400
Moderator
Registered: 2010-12-20
Posts: 125

Re: Clone HID card to T55x7

Could be a Windows 7 issue. Try using ID 20042ea5a0. If that doesn't work, it is a Windows 7 issue. Try again with XP.


#23 2011-10-14 07:52:38

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

Yes, I got that error sometimes when the card is not read properly.
The SW seems to be interpreting part of the card ID as a command.
Just ignore it.


#24 2011-10-14 10:52:05

Raymond
Member
Registered: 2011-09-14
Posts: 30

Re: Clone HID card to T55x7

Bugman1400, tried using XP.

[Screenshot: T55x7, by raymond2017]

Same result.

I downloaded the T55x7 zip file and when I tried to open proxmark3.exe, it said that I am missing some files. The files are those in r486/win32, so I copied them over.
Or am I doing the wrong thing?

[Screenshot: Xp proxmark3, by raymond2017]

Cex

I tried to clone the card I bought from proxmark3 and also have the same error.

2006e23731

Also thanks for replying.


#25 2011-10-14 11:14:52

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

Yes, the DLLs are the same.
Surely your antenna does not provide enough voltage, but try out this version with programming times modified, that seems to work better (at least for me):

http://www.proxmark.org/files/index.php?dir=Uploads%2F&download=PM3_T55x7_extended_times.zip

EDIT: Also try to program the card from the other side (it should be the same for both sides, but I have noticed that cards tend to work better from one of their sides).


Regards.

Last edited by Cex (2011-10-14 11:21:11)
