Making a physical HID Prox 2 Clone - Firmware V2.2

March 16, 2016

What you will need:

1x Proxmark3
1x LF Antenna
1x HID 1326
1x T5577

1. Connect your Proxmark3 to your computer.

2. Launch the Proxmark3 client. If you do not have the Proxmark3 client setup check out our Getting Started Guide.

3. Once connected to the client run the 'hw ver' command. You should see output similar to what is shown below. If the version is not v2.2 your steps and commands may differ from the ones below.

proxmark3> hw ver
Prox/RFID mark3 RFID instrument          
bootrom: master/v2.2 2015-07-31 11:28:11
os: master/v2.2 2015-07-31 11:28:12
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 162219 bytes (31). Free: 362069 bytes (69).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory

4. Connect an LF Antenna to the Proxmark3 and run the 'hw tune' command in the client. You should see output similar to the one below.

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)                 
#db# DownloadFPGA(len: 42096)                 
          
# LF antenna: 14.44 V @   125.00 kHz          
# LF antenna: 27.77 V @   134.00 kHz          
# LF optimal: 29.15 V @   131.87 kHz          
# HF antenna:  0.74 V @    13.56 MHz          
# Your HF antenna is unusable.          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

5. After confirming that your LF Antenna is functioning correctly place your HID 1326 tag on the LF Antenna. Now run the 'lf hid fsk 1' command. Note and copy the TAG ID you will need this later for cloning your card. In this example, the TAG ID is 2004e20750.

proxmark3> lf hid fsk 1
#db# DownloadFPGA(len: 42096)                 
#db# TAG ID: 2004e20750 (936) - Format Len: 26bit - FC: 113 - Card: 93

6. Place your T5577 tag on the LF Antenna. Run the 'lf hid clone <TAG ID>' command adding your Tag ID at the end.

proxmark3> lf hid clone 2004e20750
Cloning tag with ID 2004e20750          
#db# DONE!

7. Run the 'lf hid fsk 1' command again to prove that the tag was programmed correctly. Your Tag ID on the T5577 should now match what you had on your HID tag.

proxmark3> lf hid fsk 1
#db# TAG ID: 2004e20750 (936) - Format Len: 26bit - FC: 113 - Card: 936

Share:

Also in Blog

ProxmarkPro - General Tag Operations - Getting Started

October 15, 2019

This blog post covers operations you can do with tags in Unchained Mode with the ProxmarkPro.

View full article →

ProxmarkPro - Unchained Mode - Getting Started

October 15, 2019

Unchained mode is a user friendly on-screen menu to perform various tag operations. This blog post covers the main menus of these operations.

View full article →

ProxmarkPro - Client Setup - Getting Started

October 15, 2019

Follow this guide to learn how to setup the client with the ProxmarkPro. The client is a way to communicate over USB with the ProxmarkPro, you can issue commands and the ProxmarkPro will output the results. The client is accessed through a terminal or command prompt.

View full article →

Contact Us

sales@ryscc.com
support@ryscc.com
tel: 888-828-8497

10307 West Broad Street
Suite 250
Glen Allen VA 23060 USA

About Us

Rysc Corp is your one stop shop for security research hardware. We’ve been creating, distributing and supporting security research devices since 2009. Our commitment to customer service and quality means you can count on us when it counts.