Post

Proxmark3 Card Reading and Cloning

  1. Get Card Info - General
  2. Working with Specific Cards
  3. Cloning
  4. Other

Get Card Info - General

Use these commands if you want to discover what type of card you are working with.

Low Frequency (LF - 125 KHz)

1
lf search

High Frequency (HF - 13.56 MHz)

1
hf search


Working with Specific Cards

If you know the type of card you are working with you can use specific commands to interact with it and perform operations.

EM4100

Get Card Info:

1
lf em 410x read

Example:

1
2
[usb] pm3 --> lf em 410x read
[+] EM 410x ID 520011F5D4

Simulate Card:

1
lf em 410x sim --id 520011F5D4

HID 125 KHz

Get Card Info:

1
lf hid read

Simulate Card:

1
lf hid sim
  • Extra details will be printed for how to select card type and ID

T5577

Use the general low-frequency search command to find out the type of tag the card is emulating.

1
lf search

Example:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 520011F5D4
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 4A0088AF2B
[=] HoneyWell IdentKey
[+]     DEZ 8          : 01177044
[+]     DEZ 10         : 0001177044
[+]     DEZ 5.5        : 00017.62932
[+]     DEZ 3.5A       : 082.62932
[+]     DEZ 3.5B       : 000.62932
[+]     DEZ 3.5C       : 017.62932
[+]     DEZ 14/IK2     : 00352188495316
[+]     DEZ 15/IK3     : 000317836537643
[+]     DEZ 20/ZK      : 04100000080810150211
[=]
[+] Other              : 62932_017_01177044
[+] Pattern Paxton     : 1378235348 [0x522633D4]
[+] Pattern 1          : 4387103 [0x42F11F]
[+] Pattern Sebury     : 62932 17 1177044  [0xF5D4 0x11 0x11F5D4]
[+] VD / ID            : 082 / 0001177044
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands

Wipe a T5577 Card and Restore to Blank:

1
lf t55xx wipe

MIFARE Classic

Get Card Info:

1
hf 14a info

See the following post for more information regarding MIFARE Classic cards:

MIFARE Ultralight

Get Card Info:

1
hf mfu info

Dump Card Data to File:

1
hf mfu dump

Emulate Card from Dump File:

1
2
hf mfu eload -f DUMP_FILE
hf mfu sim -t 2 --uid 11223344556677
  • -t 2 means type = MIFARE Ultralight

MIFARE DESFire

Get Card Info:

1
hf mfdes info

HID IClass Cards

Get Card Info:

1
hf iclass info

Cloning

EM4100 => T5577

  1. Get EM4100 Card Details

Place the card to be cloned on the Proxmark.

1
lf em 410x read
  • Output should be something like [+] EM 410x ID 520011F5D4.
  • If you already know the card ID Step 1 can be skipped.
  1. Write the ID to a T5577 Card

Place the T5577 card on the Proxmark.

1
lf em 410x clone --id 520011F5D4
  1. Verify
1
lf em 410x read

HID => T55xx

Step 1: Scan Target Card

1
lf hid read

Take Note of either the Raw value, or the Card Type, FC and CN.

1
[+] [H10301  ] HID H10301 26-bit                FC: 12  CN: 1234  parity ( ok )

Step 2: Clone Card

Using a Raw value:

1
lf hid clone -r 2006ec0c86

Using a Card Type, FC, and CN:

1
lf hid clone -w ind26 --fc 12 --cn 1234

T55xx => T55xx

Step 1: Dump Card Info

1
lf t55xx dump

Step 2: Restore Card Info to New Card

1
lf t55xx restore -f <FILE_NAME>


Other

EM4100 FC, CN, & Full Card Number

Printed on many EM4100 cards there will be three numbers:

1
[Full Card Number] [FC],[CN]

Example Card:

1
0014076183 214,51479

Above numbers represented in HEX:

  • Full Card Number: D6C917
  • Facility Code (FC): D6
  • Card Number (CN): C917

The full card number is concatenation of the FC and CN. To calculate the Full Card Number without converting to hex the following formula can be used (all numbers are in decimal):

  • CN + (FN << 16) or CN + (FN * 2**16)

For the above card example:

  • CN + (FN << 16)
  • 51479 + (214 << 16)
  • 51479 + (14024704)
  • 14076183

Going the other way:

  • 14076183
  • CN = 14076183 & 65535 or CN = 14076183 & (2**16 - 1)
  • CN = 51479
  • FN = 14076183 >> 16
  • FN = 214
This post is licensed under CC BY 4.0 by the author.