Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2009-10-12 12:19:52

jaeger2000
Contributor
Registered: 2009-09-10
Posts: 17

Help - Clone - 125KHz HID Proximity Tag - PM3

Hello,
-I've read through the various threads.
-I want to clone a 125KHz HID proximity tag using my PM3.
-I have tried separately using the TWO methods available
Method i.) "hidfskdemod" then "hidsimtag"
Method ii.) "loread" then "losamples" then "losim"

-My measure of success is if the security reader accepts the second 'cloned' card.
-In each method I was unsuccessful.

QUESTION:  What have I done wrong?

NOTE: Procedure for Method (i) and (ii) below.

Method (i):
1.) Run the command "hidfskdemod", which records and interprets (demodulates) the signal
from HID proximity cards (when the RFID tag is read I press the button on the PM3).

> hidfskdemod
#db# TAG ID
#db# 00000020, 06c6384a, 00001c25
#db# Stopped

2.) I simulated the record with "hidsimtag" and placed the 125KHz tag I wanted to write to near my aerial,
waited a few seconds, then pressed the button on the PM3.

> hidsimtag
Emulating tag with ID 0               0
#db# Stopped

Method (ii)
1.) Run "loread"
> loread
#db# 00000000, 00000000, 00000000
2.) Run losamples
> losamples
3.) Run losim and press the button on the board after a few seconds (the yellow light on board will come on).
> losim
Auto-detected clock rate: 8


Some other relevant threads:
https://www.lafargue.name/article2754.html
http://www.proxmark.org/forum/topic/280 … it/page/1/

kind regards,
JaEGeR.


#2 2009-10-12 18:05:30

duran97
Contributor
Registered: 2009-06-16
Posts: 63

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

For HIDSIMTAG you need to provide the facility and card ID as an input parameter, i.e.

>hidsimtag 2006c6384a


#3 2009-10-13 00:34:49

jaeger2000
Contributor
Registered: 2009-09-10
Posts: 17

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

Hello,
-Still no joy.  HID security does not open.
-I ran: "hidfskdemod" on my original card.
-I ran: "hidsimtag 2006c6384a" on my to be cloned HID card.
-I run "plot" then "loread" then "losamples".  The waveform on the original changes slightly each time.  The cloned card also keeps changing.
-QUESTION: Is the target (to be cloned) card supposed to have the same TAG ID as the original after emulation (running hidsimtag)?


After the above I ran "hidfskdemod" on both cards:
-I have two cards.
-An original with:
#db# TAG ID
#db# 00100020, 06c6384a, 00001c25

-On the cloned card (HID ProxCard II card from http://proxmark3.com/) I ran
> hidfskdemod
#db# TAG ID
#db# 00000020, 06e22af7, 0000157b

-The procedure to combine the first two HEX outputs is described in this post: http://www.proxmark.org/forum/topic/96/ … simulator/


#4 2009-10-13 06:36:20

duran97
Contributor
Registered: 2009-06-16
Posts: 63

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

You shouldn't be running plot, loread, losamples after hidsimtag. hidsimtag emulates the tag - as simple as that.

You can't clone a HID card.  You can only make the Proxmark3 emulate a card.  You run the hidsimtag command, and then your Proxmark3 should operate the access control system the same way as your original card did.


#5 2009-10-14 16:19:22

tom314
Member
Registered: 2009-07-22
Posts: 2

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

Hello,

jaeger2000 wrote:

-QUESTION: Is the target (to be cloned) card supposed to have the same TAG ID as the original after emulation (running hidsimtag)?

I do not have my own PM3 yet. But I guess the problem is not in the PM3; it is rather rooted in the HID Prox II cards. AFAIK, it is not publicly known whether and how these cards can be completely reloaded. I would suggest flashing the HID image into a Q5 card instead. Well, it is not an out-of-the-box solution, since you will need to learn how to program the Q5 and how to encode HID Prox II data for it, but it works (I have tested it already, however not with a PM3).

-HINT: I have seen the Q5 data sheet somewhere in the PM3 community documents archive. Or you can google for it quite easily...

Good luck!

Tom


#6 2010-05-27 08:24:03

tom314
Member
Registered: 2009-07-22
Posts: 2

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

danno wrote:

Tom! Can you please elaborate on this a little bit? This seems like an interesting idea. I have had a hard time finding any information on dumping a HID image to a Q5

Hi Danno,
thank you for being interested in this idea.

The idea is quite straightforward. It is described e.g. in my humble presentation at the SmartCard Forum 2009. It was rather a managerial overview – sorry, I do not have a better text in English just now.

The presentation mentioned above is based on my own research which was detailed here – unfortunately in Czech… On the other hand, I did not verify if somebody else discovered/published this idea, too. I would assume that yes, since it is really simple.

Anyway, I would suggest looking at slides 17-29 of the presentation linked above. Of course, I would also suggest reading the Q5 datasheet (it should be in the PM3 file archive). Once the idea is clear, the rest is just a technical exercise.

It would be nice to implement HID->Q5 (as well as e.g. INDALA->Q5) cloning right into the PM3 firmware. I have planned to do this, but to be honest, I can hardly find a time to do that. Perhaps, you or somebody else could jump on this idea and do that…

Kind regards,
Tom


#7 2010-05-27 11:08:33

duran97
Contributor
Registered: 2009-06-16
Posts: 63

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

That would be useful Tom (if you ever do find the time).

I can produce a physical clone of an HID and Indala (although not all Indalas, for some reason) with a different device, but it would be nice to do it with the PM3 too (which is beyond my skills).


#8 2010-07-05 00:15:11

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

dayhkr,
I have cloned numerous HID 125 kHz Prox cards using T5567 read/write cards. I can also use a Q5 card, but the register settings need to be changed since the bits are arranged differently.
The HID cards do use Manchester encoding, but it is not encoded by the embedded IDIC chip. HID encodes the ID data before it is loaded into the tag chip. For example, the 8-bit facility code of a 26-bit card might be 0x12, but the data loaded into the tag chip is actually 0x5659 (Manchester encoded).
The following link is to a HID chart on my website (proxclone.com) that will show you how the HID data translates into a T5567 programmable card. I have used the "hidfskdemod" data that was provided by jaeger2000 at the top of this thread as an example in my chart. The chart is only applicable to HID's 26-bit format. Other formats are slightly different.
Hope this helps.

http://www.proxclone.com/pdfs/HID_format_example.pdf

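The two technical points raised in this thread, duran97's note that hidsimtag takes the facility code and card number packed into the hex ID, and carl55's remark that HID Manchester-encodes the data before it is loaded into the tag chip, can be checked in code. The following is an added example, not code from the thread or from the Proxmark3 project. It assumes the (hi, lo) words printed by hidfskdemod form a 40-bit raw ID in which bit 37 is the preamble of HID's short formats, the next set bit marks the format length, and the 26 bits below that marker are the H10301 frame (even parity, 8-bit facility code, 16-bit card number, odd parity); it also assumes the Manchester convention 0 -> 01, 1 -> 10, which is the one that turns 0x12 into 0x5659. The sample IDs are taken from the hidfskdemod output quoted above; the decoded facility codes and card numbers are computed, not stated anywhere in the thread.

```python
# Added example (not from the thread or the Proxmark3 project).
# Assumptions: bit 37 of hi:lo is HID's short-format preamble, the next set
# bit marks the format length, and the 26 bits below it are the H10301
# Wiegand frame. Manchester convention: 0 -> 01, 1 -> 10 (0x12 -> 0x5659).

def popcount(x: int) -> int:
    return bin(x).count("1")

def manchester_encode(value: int, nbits: int) -> int:
    """Manchester-encode `value` MSB first: each 0 becomes 01, each 1 becomes 10."""
    out = 0
    for i in range(nbits - 1, -1, -1):
        out = (out << 2) | (0b10 if (value >> i) & 1 else 0b01)
    return out

def manchester_decode(value: int, nbits: int) -> int:
    """Inverse of manchester_encode; a 00 or 11 pair means the stream is corrupt."""
    out = 0
    for i in range(nbits - 1, -1, -1):
        pair = (value >> (2 * i)) & 0b11
        if pair not in (0b01, 0b10):
            raise ValueError(f"invalid Manchester pair {pair:02b} at symbol {i}")
        out = (out << 1) | (1 if pair == 0b10 else 0)
    return out

def hid_format_length(hi: int, lo: int) -> int:
    """Format length in bits of a raw HID ID; raises if the short-format preamble is absent."""
    raw = (hi << 32) | lo
    if not (raw >> 37) & 1:
        raise ValueError("bit 37 clear: not a <37-bit HID format, not handled here")
    below = raw & ((1 << 37) - 1)
    return below.bit_length() - 1      # highest remaining set bit marks the frame length

def hid26_decode(hi: int, lo: int):
    """Return (facility code, card number, parity_ok) for a 26-bit (H10301) raw ID."""
    if hid_format_length(hi, lo) != 26:
        raise ValueError("not a 26-bit frame")
    frame = lo & ((1 << 26) - 1)
    p_even = (frame >> 25) & 1
    fc = (frame >> 17) & 0xFF
    card = (frame >> 1) & 0xFFFF
    p_odd = frame & 1
    # even parity covers the first 12 data bits, odd parity the last 12;
    # a failed check usually means a misread rather than a different format
    parity_ok = (p_even == popcount((frame >> 13) & 0xFFF) % 2 and
                 p_odd == 1 - popcount((frame >> 1) & 0xFFF) % 2)
    return fc, card, parity_ok

def hid26_encode(fc: int, card: int):
    """Build the (hi, lo) raw ID for a facility code / card number pair."""
    if not (0 <= fc <= 0xFF and 0 <= card <= 0xFFFF):
        raise ValueError("fc must fit in 8 bits and card in 16 bits")
    data = (fc << 16) | card                  # the 24 data bits
    p_even = popcount(data >> 12) % 2
    p_odd = 1 - popcount(data & 0xFFF) % 2
    frame = (p_even << 25) | (data << 1) | p_odd
    raw = (1 << 37) | (1 << 26) | frame       # preamble + 26-bit length marker + frame
    return raw >> 32, raw & 0xFFFFFFFF

def hidsimtag_arg(fc: int, card: int) -> str:
    """Hex string in the form duran97 passes to hidsimtag (hi, then lo as 8 hex digits)."""
    hi, lo = hid26_encode(fc, card)
    return f"{hi:x}{lo:08x}"

if __name__ == "__main__":
    # Constructed from the two hidfskdemod lines quoted earlier in this thread
    for hi, lo in ((0x20, 0x06c6384a), (0x20, 0x06e22af7)):
        fc, card, ok = hid26_decode(hi, lo)
        print(f"{hi:x}{lo:08x}: FC {fc}, card {card}, parity {'ok' if ok else 'BAD'}")
    print("hidsimtag", hidsimtag_arg(99, 7205))
    print(f"facility code 0x12 -> 0x{manchester_encode(0x12, 8):04x} after Manchester encoding")
```

Both of jaeger2000's cards decode as valid 26-bit frames, which is why the two IDs differ: they are different facility code and card number pairs, so a read of the blank card cannot be expected to match the original. The Manchester step is what carl55's chart captures: the T5567 stores the already-encoded bits, so a 26-bit frame occupies twice as many bit positions in the chip's data blocks.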

#9 2011-12-03 02:06:25

Bugman1400
Contributor
Registered: 2010-12-20
Posts: 132

Re: Help - Clone - 125KHz HID Proximity Tag - PM3

jenny wrote:

Hi: can you help me? Can you clone a HID 125 to a blank HID 125? And if so, can it be done using a cheap duplicator that picks up and stores the code to be transferred?



carl55 wrote:

dayhkr,
I have cloned numerous HID 125 kHz Prox cards using T5567 read/write cards. I can also use a Q5 card, but the register settings need to be changed since the bits are arranged differently.
The HID cards do use Manchester encoding, but it is not encoded by the embedded IDIC chip. HID encodes the ID data before it is loaded into the tag chip. For example, the 8-bit facility code of a 26-bit card might be 0x12, but the data loaded into the tag chip is actually 0x5659 (Manchester encoded).
The following link is to a HID chart on my website (proxclone.com) that will show you how the HID data translates into a T5567 programmable card. I have used the "hidfskdemod" data that was provided by jaeger2000 at the top of this thread as an example in my chart. The chart is only applicable to HID's 26-bit format. Other formats are slightly different.
Hope this helps.

http://www.proxclone.com/pdfs/HID_format_example.pdf

Yes, it is quite simple, but what is your definition of cheap?
