Research, development and trades concerning the powerful Proxmark3 device.
Hello guys,
I got some HID Prox II fobs off eBay recently and I cannot seem to write to them.
They are 26-bit basic Prox II fobs. They look unused, but they are sequentially numbered.
When I write "lf hid clone ABACDEEA", it seems it takes it. However, when I re-read, nothing changed.
If it's indeed password protected, is there a way to reset the password and re-format these fobs anyhow?
Thanks for your valuable input.
Last edited by Heru (2018-02-28 12:11:18)
Offline
For the record, I've tried the bruteforce command with the default_pwd.dic. No luck.
Offline
Are you sure they are T55x7 tags? Could be EM4x05 / 4x50 ...
Offline
"lf hid demod" reads it and shows the corresponding ID number on the Proxmark. TIA
Offline
Still doesn't answer my question...
Offline
Hello, Iceman
"lf search" returns with "Valid HID Prox ID found!"
"lf hid demod" confirms it and shows its ID.
Offline
Yes, I get that the tag gets identified as a HID encoded tag, but that is not what I asked.
Offline
OK, not sure how I find that out.
I've just tried "lf em 4x50read". It does not yield any output.
Offline
lf em 4x05dump
Read Address 00 | failed
Read Address 01 | failed
PWD Address 02 | cannot read
Offline
t55x7
lf t55 detect
-- if ok, try
lf t55 info
EM, there is also the 4x50 to try
Offline
> t55x7
> lf t55 detect -- if ok, try lf t55 info
> EM, there is also the 4x50 to try
Iceman, thanks, tried them all. They're all no use, unfortunately.
Now my question is: is it even possible to re-program these fobs at all on the Proxmark? For example, to change the tag ID number, Facility Code, etc.? Even if we had the password?
HID Prox TAG ID: 2004da883a ( 09211) - Format Len:26bit - FC:109 - Card 09211
TIA
Last edited by Heru (2018-02-28 12:09:39)
Offline
Not until the chipset used for this tag is identified. If they are based on t55x7 / t5555 / em4x50 / em4x05 without password, you could... As it looks now, it's unknown.
Offline
Those tags will be password protected. There is no crack. Brute Force might take 3 years or you might get lucky.
Also iirc they are t55x7 chips.
Offline
t55x7 and no response. Configured with wakeup?
Offline
Likely the tag won't have the "correct" traceability values, as HID often changed them. (Which is what is read to ID the chip.)
Offline
Cool, I learn something new every day.
Offline
The other problem with those tags is that the chip's antenna is incredibly small and weak (the reason HID discontinued that line). IIRC, about the only way to talk to them with the pm3 is to have the tip of the tag inside the pm3 antenna winding.
Obviously it depends on your antenna.
So even if the traceability values were "correct", the tag likely didn't even "hear" the readblk cmd.
Offline
> Those tags will be password protected. There is no crack. Brute Force might take 3 years or you might get lucky.
> Also iirc they are t55x7 chips.
Hi marsh, thanks for confirming.
Last edited by Heru (2018-03-01 01:11:28)
Offline