Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2021-08-01 20:36:10

ovittja
Contributor
From: New York
Registered: 2021-08-01
Posts: 5

Cloning HID H10301 to unprogrammed HID 4305 fobs

Hey all, this is my first post here so go easy as I may mess some things up. I'm fairly new to RFID stuff in general. This weekend I started messing around with some fobs I bought on eBay a while ago. They are stamped "IEI" and have a 4305 in them, pretty sure they are rebranded HID ProxKey III's. They were sold as "un-programmed" and were really cheap. These cards can be read and the raw data is just fffffffffff in lf search. They are H10301 format.

I was able to clone a genuine HID ProxKey III to one of these IEI fobs without any issues but the method is a bit clunky. The first thing I did was lf em 4x05 chk to get the password from the fob. After that you can dump the data and make a note of addresses 0,3,4,5,6,7. I then put the new IEI fob on the proxmark and wrote each address individually exactly as it was from the original. This perfectly (I think) copied the fob and I have tested it on a live system (Honeywell ProWatch based system, OP30 readers). This seems to work pretty well! Maybe there is an easier way to do this but I didn't see many attempting this exact setup, HID 4305 to 4305.

What I am curious about is if I could enroll some of these fobs with different IDs rather than cloning. I'm going to take a look at the data at each address and see what each address corresponds to, facility code and card number. I'd like to be able to program these fobs with individual IDs rather than clone one. I did try and use the em 4x05 unlock but had no success with the tearoff. If the tearoff was successful I think I would be able to use the hid clone command but I am not sure.

Hopefully someone found this useful!

Offline

#2 2021-08-08 03:31:05

ovittja
Contributor
From: New York
Registered: 2021-08-01
Posts: 5

Re: Cloning HID H10301 to unprogrammed HID 4305 fobs

Update to this topic, I am now able to create credentials and write them to HID/IEI 4305 based prox keys. It appears address 6 on these cards is the facility code and address 7 is the card number. However, I still have some digging to do with the facility code. Here's a sample list of card numbers so you can sort of see how the pattern goes:

address 7 96599A96 = CN 52900
address 7 66599A96 = CN 52901
address 7 5A599A96 = CN 52902
address 7 AA599A96 = CN 52903
address 7 95999A96 = CN 52904
address 7 65999A96 = CN 52905
address 7 59999A96 = CN 52906
address 7 A9999A96 = CN 52907
address 7 56999A96 = CN 52908
address 7 A6999A96 = CN 52909
address 7 9A999A96 = CN 52910
address 7 6A999A96 = CN 52911
address 7 95699A96 = CN 52912
address 7 65699A96 = CN 52913
address 7 59699A96 = CN 52914
address 7 A9699A96 = CN 52915
address 7 56699A96 = CN 52916
address 7 A6699A96 = CN 52917
address 7 9A699A96 = CN 52918
address 7 6A699A96 = CN 52919
address 7 55A99A96 = CN 52920

So as you can see there is a pattern that can be followed to generate any card number you would like. The second digit always increases 5->9->6->A. The facility code is stumping me right now as I have some more testing to do. It appears some bits on address 6 can overflow and change the card number and cause failed parity as well. I've also had some changes in address 6 change the format of the card as well. I am going to look into this topic further. Again, I hope this helps someone who isn't necessarily interested in cloning credentials, but interested in buying blank HID ProxKeys and programming them sequentially.

An update for cloning: The only important addresses are 6 and 7. If your fob is already reading as H10301 in lf search, there is no need to set any other addresses. This will save a bit of time if you are making multiples.

Offline

#3 2021-08-16 14:37:20

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Cloning HID H10301 to unprogrammed HID 4305 fobs

I have a bunch of the IEI fobs as well but couldn’t work out how to write to them as I don’t know the password, would you care to share? Also the steps to copy would be good.
?

Offline

#4 2021-08-18 12:13:52

ovittja
Contributor
From: New York
Registered: 2021-08-01
Posts: 5

Re: Cloning HID H10301 to unprogrammed HID 4305 fobs

Onisan wrote:

I have a bunch of the IEI fobs as well but couldn’t work out how to write to them as I don’t know the password, would you care to share? Also the steps to copy would be good.
?

For the password, perform lf em 4x05 chk. I found that all of mine had the same password "PROX" in hex which is 50524F58. This is the password you will use to write to the fob and to perform the lf em 4x05 dump command.

For example, let's say we want facility code 222 and card number 52900, we would perform the following:

lf em 4x05 write -a 6 -d 9AA69955 -p 50524F58
lf em 4x05 write -a 7 -d 55A99A96 -p 50524F58

Address 6 sets the facility code and address 7 will set the card number. You may need to set address 5 if you are testing the fobs and getting weird results with lf hid reader. This is what normally fixes it: lf em 4x05 write -a 5 -d 55655547 -p 50524F58

Hope this helps!

Offline
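
The layout behind the address 6 and address 7 values in posts #2 and #4, as an added example that is not part of any post in this thread: a Python decoder that reads the two words back into facility code, card number and parity status, which is how a written fob can be checked before it is enrolled. The bit layout is an assumption inferred from the sample values posted above, and the word 5AA69955 is constructed for illustration.

```python
"""Decode EM4305 words 6 and 7 into H10301 fields (added example)."""

def manchester16(word: int) -> int:
    """Turn one 32-bit word into 16 data bits.

    Assumed layout, inferred from the thread's samples: the pair in the
    word's top two bits is data bit 0, the next pair is data bit 1, and
    so on; 0b10 encodes 1 and 0b01 encodes 0.
    """
    value = 0
    for k in range(16):
        pair = (word >> (30 - 2 * k)) & 0b11
        if pair == 0b10:
            value |= 1 << k
        elif pair != 0b01:
            raise ValueError(f"{word:08X}: pair {k} is not valid Manchester")
    return value

def decode_h10301(word6: int, word7: int) -> dict:
    """Word 6 carries marker, even parity, FC and CN bit 15;
    word 7 carries CN bits 14..0 and the odd parity bit."""
    raw = (manchester16(word6) << 16) | manchester16(word7)
    if raw >> 26 != 1:
        raise ValueError("26-bit marker not found above the Wiegand data")
    # Leading parity bit + first 12 data bits must hold an even number of 1s,
    # last 12 data bits + trailing parity bit an odd number.
    even_ok = bin((raw >> 13) & 0x1FFF).count("1") % 2 == 0
    odd_ok = bin(raw & 0x1FFF).count("1") % 2 == 1
    return {
        "fc": (raw >> 17) & 0xFF,
        "cn": (raw >> 1) & 0xFFFF,
        "parity_ok": even_ok and odd_ok,
    }

if __name__ == "__main__":
    samples = [
        (0x9AA69955, 0x96599A96),  # values quoted in the thread
        (0x9AA69955, 0x55A99A96),  # values quoted in the thread
        (0x5AA69955, 0x96599A96),  # constructed: first pair of word 6 flipped
        (0x9AA69955, 0xFFFFFFFF),  # constructed: unprogrammed word 7
    ]
    for w6, w7 in samples:
        try:
            print(f"{w6:08X} {w7:08X} ->", decode_h10301(w6, w7))
        except ValueError as err:
            print(f"{w6:08X} {w7:08X} -> rejected: {err}")
```

On the thread's values, 96599A96 decodes to CN 52900 and 55A99A96 to CN 52920, matching the list in post #2, while an unprogrammed FFFFFFFF word is rejected as invalid Manchester. The constructed third sample shows the card number's top bit living in word 6: flipping that one pair changes the card number to 20132 and breaks the even parity.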

#5 2021-08-24 15:27:00

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Cloning HID H10301 to unprogrammed HID 4305 fobs

Ovittja,
Thank you for that. It really does help, I did think I was going to end up with a bunch of fobs I couldn’t use.
You are a star.

Offline

#6 2021-08-27 20:35:31

ovittja
Contributor
From: New York
Registered: 2021-08-01
Posts: 5

Re: Cloning HID H10301 to unprogrammed HID 4305 fobs

Onisan wrote:

Ovittja,
Thank you for that. It really does help, I did think I was going to end up with a bunch of fobs I couldn’t use.
You are a star.

No problem. I am still working on these as I have a stockpile of them. If I find out any more tricks with these EM4305 IEI fobs I will update this thread. I am glad this was able to help!

Offline
