Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2018-02-28 10:59:40

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Possibly password protected HID Prox II tag

Hello guys,

I got some HID Prox II fobs off eBay recently and I cannot seem to write to them.

They are 26-bit basic Prox II fobs. They look unused, but they are sequentially numbered.

When I write "lf hid clone ABACDEEA", it seems to take it. However, when I re-read, nothing has changed.

If it's indeed password protected, is there a way to reset the password and re-format these fobs anyhow?

Thanks for your valuable input.

Last edited by Heru (2018-02-28 12:11:18)


#2 2018-02-28 11:00:45

Heru
Contributor
Registered: 2017-10-08
Posts: 78


For the record, I've tried the bruteforce command with the default_pwd.dic. No luck.


#3 2018-02-28 11:03:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Are you sure they are T55x7 tags??   Could be EM4x05 / 4x50 ...


#4 2018-02-28 11:08:51

Heru
Contributor
Registered: 2017-10-08
Posts: 78


"lf hid demod" reads it and shows the corresponding ID number on the Proxmark. TIA


#5 2018-02-28 11:32:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

still doesn't answer my question...


#6 2018-02-28 11:37:24

Heru
Contributor
Registered: 2017-10-08
Posts: 78


Hello, Iceman

"lf search" returns with "Valid HID Prox ID found!"
"lf hid demod" confirms it and shows its ID.


#7 2018-02-28 11:44:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Yes, I get that the tag gets identified as a HID encoded tag, but that is not what I asked.


#8 2018-02-28 11:46:31

Heru
Contributor
Registered: 2017-10-08
Posts: 78


OK, not sure how I find that out.

I've just tried "lf em 4x50read". It does not yield any output.


#9 2018-02-28 11:49:24

Heru
Contributor
Registered: 2017-10-08
Posts: 78


lf em 4x05dump

Read Address 00 | failed
Read Address 01 | failed
PWD Address 02 | cannot read


#10 2018-02-28 11:54:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

t55x7

lf t55 detect

-- if ok,  try
lf t55 info

EM,   there is also the 4x50 to try


#11 2018-02-28 12:05:34

Heru
Contributor
Registered: 2017-10-08
Posts: 78


iceman wrote:

t55x7

lf t55 detect

-- if ok,  try
lf t55 info

EM,   there is also the 4x50 to try

Iceman, thanks, tried them all. They're all no use, unfortunately.


Now my question is: is it even possible to re-program these fobs at all on the Proxmark, for example to change the tag ID number, facility code, etc., even if we had the password?

HID Prox TAG ID: 2004da883a ( 09211) - Format Len:26bit - FC:109 - Card 09211

TIA

Last edited by Heru (2018-02-28 12:09:39)


#12 2018-02-28 12:10:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Not until the chipset used for this tag is identified. If they are based on t55x7 / t5555 / em4x50 / em4x05 without password, you could... As it looks now, it's unknown.


#13 2018-02-28 14:05:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302


Those tags will be password protected.  There is no crack.  Brute Force might take 3 years or you might get lucky.

Also iirc they are t55x7 chips.


#14 2018-02-28 14:08:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

t55x7 and no response. Configured with wakeup?


#15 2018-02-28 14:09:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302


Likely the tag won't have the "correct" traceability values, as HID often changed them. (Which is what is read to ID the chip.)


#16 2018-02-28 14:20:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

cool, I learn something new everyday


#17 2018-02-28 14:28:16

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302


The other problem with those tags is that the chip's antenna is incredibly small and weak (the reason HID discontinued that line). IIRC, about the only way to talk to them with the pm3 is to have the tip of the tag inside the pm3 antenna winding.
Obviously depends on your antenna.

So even if the traceability values were "correct", the tag likely didn't even "hear" the readblk cmd.


#18 2018-03-01 01:11:06

Heru
Contributor
Registered: 2017-10-08
Posts: 78


marshmellow wrote:

Those tags will be password protected.  There is no crack.  Brute Force might take 3 years or you might get lucky.

Also iirc they are t55x7 chips.

Hi marsh, thanks for confirming.

Last edited by Heru (2018-03-01 01:11:28)
