Proxmark3 community

ntk

Contributor

Registered: 2015-05-24

Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

"I don't own the Proxmark yet. I'd get one if I could sniff the password that is passed by the Paxton bullet fob to the reader and vice a versa as that's one of the last fobs I'm stuck on."
Even when you have PM3 how could you sniff the communication, buying a reader and do it in your room wont work, you need the reader connected to the real system to have a real communication from card to reader in order to have a good useful sniff.

Where such fob is used, I saw camera at entrance on top of the reader. It would not be much time to perform a sniff at that door, before s.o. asks what you are doing. Once I drove my car near the building and pretend to stroll around for looking at scenery some guards already came to ask me to leave as "you are trespassing private premise" I would like to know there must be some ways or what kind of PM3 you have to perform a sniff at such Net2 reader? not one which is connected to a laptop

Last edited by ntk (2017-04-04 00:27:46)

Onisan

Contributor

From: London

Registered: 2016-07-18

Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Buy a standard Paxton Desktop Reader PAX 514-326
https://www.mayflex.com/product/PAX-514-326/paxton-net2-desktop-reader-usb

Download the free Net2 Software
http://paxton.info/1438

Then register the fob on the software as anyone, joe bloggs

Now you have a legitimate system that you can sniff.

ntk

Contributor

Registered: 2015-05-24

Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

thanks you Onisan, I will order and try it out

Do you know similar trick for DESFIRE EV1 reader too.

Or just in case you have solution, also  for Mifare classic tag?

Last edited by ntk (2017-04-04 14:35:23)

ntk

Contributor

Registered: 2015-05-24

Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

thanks you @Onisan, could you pls email me.

Is there usable info in this trace?

Pls contact if you are interested

Last edited by ntk (2017-04-17 10:14:38)

GerryO

Contributor

Registered: 2017-10-28

Posts: 6

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Hi, everyone we have a Paxton Net2 system at our community club. I was wanting to get cheap fobs/cards from China and use with the system. I have a Chinese icopy machine and a few blank cards I have been testing. When I present the card to the Net2 reader attached to the computer add new user window pops up as normal. I add the user but when I present the Chinese fobs or cards to the door reader nothing happens. I can also amend an existing users fob number to a card or fob from china (using the icopy machine) and when presented to the fob net2 reader at the computer that user's details windows opens in the net2 software.

What am I missing?

Why will the door readers not recognise the card or fob from China yet the reader at the computer will?

Thank you.

rmk83

Contributor

Registered: 2017-09-14

Posts: 3

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The newer Paxton USB readers are multi format whereas it’s likely the Proximity readers you have are HiTag/Net2 only.

Some Paxton readers also support HID but you need to buy a license for them, enabled by presenting the licensing card to the reader. This doesn’t work on the older readers though.

GerryO

Contributor

Registered: 2017-10-28

Posts: 6

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Ok, thank you, would a Hitag2 card work with the door entry reader then (it is the older net 2 blue fob we have had quite some years now). I was beginning to think the cards/fobs had some kind of unique code on them that told the reader it was a genuine Paxton card/fob.

Thanks again

Last edited by GerryO (2017-10-28 13:38:57)

rmk83

Contributor

Registered: 2017-09-14

Posts: 3

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

No idea. I’ve only ever used genuine Paxton fobs.

They ones from the standalone system (red/yellow/green) are all compatible with Net2 but have a site code that Net2 doesn’t see... but not sure either are standard hitag2

danyc0

Contributor

Registered: 2017-08-11

Posts: 4

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The tags from china will likely not be HITAG2. The Multiformat reader will read whatever standard the chinese tags will use, because it's designed to, but the standard Net2 door readers only support a subset. The other thing is that to use other tag types (those which aren't HITAG2), even if they are supported by the door reader, they have to be enabled in the Net2 software. I can't remember where the option is, but have a browse.

GerryO

Contributor

Registered: 2017-10-28

Posts: 6

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

I think I missed the requirements that have been pointed out by @rmk83 and @danyc0, we have had this (blue fob) system going into 9 years.
1) I do not believe it has the licence which each reader needs.
2) I have not checked to enable this feature in software.

I am now confused as to what licence would be best for readers that will allow me to use 3rd party cards, anyone aware of what card options either of the below licence would give?
HID™ Activation
Wiegand Activation
Thank you.

GerryO

Contributor

Registered: 2017-10-28

Posts: 6

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Can someone please advise: On Mifare card it has a UID number that cannot be changed but can the user tag number be changed on the card that the door system will see for the user. (is this correct)
As opposed to the EM4100 card that has the UID and tag number printed on the card.

Thank you.

Last edited by GerryO (2017-11-04 20:10:47)

Onisan

Contributor

From: London

Registered: 2016-07-18

Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

GerryO,
You need to post this in the Mifare Section, the Paxton Bullet fob is not Mifare.

iceman

Administrator

Registered: 2013-04-25

Posts: 9,537

Website

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

thank you hexa3e8.

This raw command "11000" I have also tried long time ago. According to the HT2 protocol, after reader sendig "11000" START_AUTH tag should respond with with a start sequence (5 bits „1“) followed by their 32 bit ID number.

From that description I check lf hitag list afterwards I could not see this sequence. So somehow it does not work right. 

On the otherhand, with reader which can read PX I receive "1F 8B 0F AF" or "11 1C C1 EE" from an other PX tag those are undoubtly the 32 bit serial numbers the protocol talks about.

So I performed snoop and hope something else we can see.
 
I have here some snoop traces I am not sure someone can make any sense of it

https://www.dropbox.com/s/286fth1rfmj5h … 8.txt?dl=0
https://www.dropbox.com/s/oau1vnsqoa5ou … 6.txt?dl=0
https://www.dropbox.com/s/6nlbv86ax80fq … 5.txt?dl=0
https://www.dropbox.com/s/slp0xmr11nbd9 … 4.txt?dl=0
https://www.dropbox.com/s/64dcgqeuoxby0 … 2.txt?dl=0
https://www.dropbox.com/s/zs203bdnc5xb3 … 1.txt?dl=0

FYI:
with the reader I have tried also to read EM tag. The result is the  07001D491A , and when inspect with PM3 I receive  "EM TAG ID      : 07001D491A". So the 8 bytes ID from reading a PX tag  equally is the tag ID, the 32 bits serial number of the tag.

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Paxton bullet fob copying is simple, if anyone is still interested.

rab

Contributor

Registered: 2021-06-30

Posts: 5

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

I'm interested if you know how, I have one that I want to copy. Couldn't seem to get any response out of it when I played with it last year and figured it was probably not a compatible frequency for PM so gave it up. At the time I didn't know it was a paxton (well I'm not 100% sure still I suppose).

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

First thing is to identify whether it is Paxton, GDX Indigo or AAPROX em.
What colour is the band on the fob you have?.

rab

Contributor

Registered: 2021-06-30

Posts: 5

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Thanks. Pretty sure it's dark blue. I don't have it to hand now but will have next week when I'm on holiday (it's for a car park barrier there), so can take a closer look and get picture of reader too if that's useful.

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

A picture of the fob and reader would narrow it down considerably.

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Paxton use green, amber and red band encoded for Compact or Switch2 systems.
Paxton use blue encoded for Net2 system.
Paxton use white encoded for Paxton10 system.
Paxton10 and Net2 fobs are identical to any Paxton reader (Paxton10 data = Net2 data).
Paxton10 system used with Paxton10 reader has the option to store the IDE with the "Net2 data".

GDX use green, amber, red, blue and black all encoded as Paxton Net2.
Standalone reader only requires IDE, a networked system also requires the "Net2 data".

AAPROX use grey and configure to emulate EM with all Hitag2 OTP configured no read no write.
Any cheap chinese copier will copy it to a T5577.

Last edited by GlennGlenn (2021-07-01 15:56:30)

rab

Contributor

Registered: 2021-06-30

Posts: 5

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

On looking again (having researched Paxton stuff since I was last up here) I'm quite sure that's what it is. Looks to be a Net2 tag and a Paxton 'Marine' reader:
tag: https://ibb.co/BNBZF6B
reader: https://ibb.co/rM2ywrG

I'm assuming, from the little info on the Paxton website, these are Hitag 2 in password mode. If you've been able to clone them, I assume it doesn't just use the tag Serial Number, but instead the "Net2 Data" you mention is presumably the key. What can you tell me about the data on the fob? Also, what RWD Password do the Paton readers use? This reader isn't in a very discrete location for sniffing...

Thx.

Last edited by rab (2021-07-10 12:15:37)

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

You do not need to know anything about the Net2 Data" to clone your blue fob to any token supplied by Paxton.
If you present any Paxton token, to any Paxton reader, the reader will give out the Paxton password in challenging the token.
The simplest way to sniff a Paxton token was described earlier in this post (£10 desktop reader and free Net2 software).

A word of caution, all this is based on assuming that this Paxton marine reader is actually connected to a Paxton controller.
If your blue fob can be read by PM3 as an EM4X token, then your blue fob is configured to operate with a non-Paxton controller.
In that case just clone the fob to a T55X7.

rab

Contributor

Registered: 2021-06-30

Posts: 5

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

It's not EM, and I'm pretty sure it will be connected to a Paxton system (I got a glimpse when it was being serviced once and have since looked at pictures of Paxton controllers). Anyway, I'll go that route and buy a reader, but not sure where you get them for £10 though! However, Paxton seem to have taken down the paxton.info site where the net2 downloads are normally hosted and the support section of their site is under maintainance. Any chance you or someone could share a copy (just of the free version)? You can mail me through the forum if you prefer.

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The desktop readers do turn up on ebay for £10.
I have sent email with Net2 software zip

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Do you know you can have a copy made for a few £

GlennGlenn

Contributor

Registered: 2021-02-09

Posts: 10

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Wow, just had a look at Paxton, you are correct, they have removed all traces of the free version.