Last active
March 14, 2025 01:45
Revisions
-
natmchugh revised this gist
Apr 24, 2023 . 1 changed file with 2 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,7 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler A newer version of this info is available at https://badcfe.org/how-to-paxton-with-rfidler/ Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring:  -
natmchugh revised this gist
Nov 15, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -95,7 +95,7 @@ Once you have this data you have all the info you need to clone the tag. The imp ## Can I Emulate a Paxton tag? You cannot currently emulate hitag2 with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. Another alternative is to convert the data on a paxton tag to an 8 bit id used by the EM41x system. Most paxton readers will read EM41x tags and it can be widely emulated for instance by a flipper zero. I have written a tool for converting the data held on pages 4 and 5 of a hitag fob to the id. It is available [here](https://badcfe.org/paxton-covert.html). There is more info on using a flipper to open Paxton doors [here](https://badcfe.org/how-to-flipper-a-paxton.html).  -
natmchugh revised this gist
Nov 15, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -95,7 +95,7 @@ Once you have this data you have all the info you need to clone the tag. The imp ## Can I Emulate a Paxton tag? You cannot currently emulate hitag2 with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. Another alternative is to convert the data on a paxton tag to an 8 bit id used by the EM41x system. Most paxton readers will read EM41x tags and it can be widely emulated for instance by a flipper zero. I have written a tool for converting the data held on pages 4 and 5 of a hitag fob to the id. It is available [here](https://badcfe.org/paxton-covert.html). There is more info on using a flipper to open Paxton doors [here] (https://badcfe.org/how-to-flipper-a-paxton.html).  -
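Review bot: The Flipper link at the end of the changed paragraph is written `[here] (https://badcfe.org/how-to-flipper-a-paxton.html)`; the space between `]` and `(` stops Markdown from treating it as a link, so the URL shows up as plain text. Remove the space, and consider descriptive link text rather than a second bare "here" in the same paragraph.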
natmchugh revised this gist
Nov 6, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -95,7 +95,7 @@ Once you have this data you have all the info you need to clone the tag. The imp ## Can I Emulate a Paxton tag? You cannot currently emulate hitag2 with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. Another alternative is to convert the data on a paxton tag to an 8 bit id used by the EM41x system. Most paxton readers will read EM41x tags and it can be widely emulated for instance by a flipper zero. I have written a tool for converting the data held on pages 4 and 5 of a hitag fob to the id. It is available [here](https://badcfe.org/paxton-covert.html).  -
Nathaniel McHugh revised this gist
Sep 22, 2022 . 1 changed file with 0 additions and 0 deletions.
-
natmchugh revised this gist
Sep 22, 2022 . 1 changed file with 2 additions and 0 deletions.
@@ -97,6 +97,8 @@ You cannot currently emulate hitag2 with an RFIDler. The data flow is more compl Another alternative is to convert the data on a paxton tag to an 8 bit id used by the EM41x system. Most paxton readers will read EM41x tags and it can be widely emulated for instance by a flipper zero. I have written a tool for converting the data held on pages 4 and 5 of a hitag fob to the id. It is available [here](https://htmlpreview.github.io/?https://gist.githubusercontent.com/natmchugh/e8f08350a606dc68bbffbc0f6c44017b/raw/paxton-covert.html).  ## Writing a Tag Despite not being able to emulate hitag2, to write a tag you need to load your tag data into the virtual tag or VTag. -
natmchugh revised this gist
Sep 19, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -95,7 +95,7 @@ Once you have this data you have all the info you need to clone the tag. The imp ## Can I Emulate a Paxton tag? You cannot currently emulate hitag2 with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. Another alternative is to convert the data on a paxton tag to an 8 bit id used by the EM41x system. Most paxton readers will read EM41x tags and it can be widely emulated for instance by a flipper zero. I have written a tool for converting the data held on pages 4 and 5 of a hitag fob to the id. It is available [here](https://htmlpreview.github.io/?https://gist.githubusercontent.com/natmchugh/e8f08350a606dc68bbffbc0f6c44017b/raw/paxton-covert.html). ## Writing a Tag -
natmchugh revised this gist
Sep 19, 2022 . 1 changed file with 3 additions and 1 deletion.
@@ -93,7 +93,9 @@ Repeat the read commands all the way up to page 7. Once you have this data you have all the info you need to clone the tag. The important pages are 4-7 these contain the data which the reader identifies for access. ## Can I Emulate a Paxton tag? You cannot currently emulate hitag2 with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. Another alternative is to convert the data on a paxton tag to an 8 bit id used by the EM41x system. Most paxton readers will read EM41x tags and it can be widely emulated for instance by a flipper zero. I have written a tool for converting the data held on pages 4 and 5 of a hitag fob to the id. It is available [here] (https://htmlpreview.github.io/?https://gist.githubusercontent.com/natmchugh/e8f08350a606dc68bbffbc0f6c44017b/raw/paxton-covert.html). ## Writing a Tag -
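Review bot: "8 bit id used by the EM41x system" in the added paragraph needs checking: an 8-bit value can take only 256 distinct values, which is too few to tell individual tags apart. If the converted ID is 8 digits long, say "8 digit"; otherwise state the actual field width.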
Nathaniel McHugh revised this gist
Aug 19, 2022 . 2 changed files with 1 addition and 1 deletion.
@@ -165,7 +165,7 @@ The new tag should be the same as the old tags as far as the reader is concerned I was able to read and write genuine Paxton fobs by creating a coil antenna that allowed the fob to be placed inside. The original coil has an inductance at 374µH.  With trial and error I created a similar inductance coil with diameter of 2.5cm roughly 140 turns. File renamed without changes -
Nathaniel McHugh revised this gist
Aug 19, 2022 . 1 changed file with 5 additions and 2 deletions.
@@ -21,7 +21,6 @@ These Paxton tags use hitag2 technology and so can be copied to any hitag2 cards ## Antennas The RFIDler comes with a coil antenna that works well for reading cards and sniffing readers. It does not however work well with fobs. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#creating-a-diy-antenna-for-paxton-fobs). ## Connecting to your RFIDler @@ -164,7 +163,11 @@ The new tag should be the same as the old tags as far as the reader is concerned ## Creating a DIY antenna for Paxton fobs I was able to read and write genuine Paxton fobs by creating a coil antenna that allowed the fob to be placed inside. The original coil has an inductance at 374µH.  With trial and error I created a similar inductance coil with diameter of 2.5cm roughly 140 turns. My top tip / life hack for winding the antenna would be to use super glue to get the initial loops on and secure them at the correct height and then electrical insulation tape to protect the coil and keep it in place. -
Nathaniel McHugh revised this gist
Aug 19, 2022 . 1 changed file with 0 additions and 0 deletions.
-
Nathaniel McHugh revised this gist
Aug 19, 2022 . 1 changed file with 14 additions and 10 deletions.
@@ -1,26 +1,28 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring:  Paxton readers often look like this:  This guide covers how to read the data from an existing Paxton fob or card and also how to write data to a fob or card. If the original fob or card has been authorised with the reader the new fob or card will be seen by the reader as the same tag, effectively a clone. You can copy cards to fobs and fobs to cards. Hereafter both fobs and cards will be referred to as tags. These Paxton tags use hitag2 technology and so can be copied to any hitag2 cards, fobs or other tag form factor. ## Equipment used * An RFIDLer, available here from one of the tools authors http://rfidiot.org/ * Enamelled copper wire, I used 33swg or ~0.25 mm * Some hitag2 tags See notes [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#getting-hold-of-hitag2-tags). * (optional) a soldering iron but you my be able to get away without one ## Antennas The RFIDler comes with a coil antenna that works well for reading cards and sniffing readers. It does not however work well with fobs. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#creating-a-diy-antenna-for-paxton-fobs).  ## Connecting to your RFIDler This is done on the command line via a serial communication program. I used minicom which is available on a mac via homebrew or on Linux via a package manager. On windows PuTTY has this functionality. 
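Review bot: In the "Equipment used" list, "but you my be able to get away without one" should read "may". The same hunk spells the device "RFIDLer" in the first list item and "RFIDler" in the title and section headings, so settle on one spelling.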
@@ -96,7 +98,7 @@ Not currently with an RFIDler. The data flow is more complicated than some other ## Writing a Tag Despite not being able to emulate hitag2, to write a tag you need to load your tag data into the virtual tag or VTag. ``` HITAG2> VWRITE 1 BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT @@ -105,7 +107,7 @@ BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT Where PAGE1DAT etc is the 8 hex digits you got by reading the original tag. Once you have written to the VTag you can check the contents by issuing the vtag command ``` HITAG2> vtag @@ -143,7 +145,7 @@ HITAG2> vtag ``` Once you are happy with the data as shown in the VTAG you can then clone it onto another tag ``` CLONE <BDF5E846|4D494B52> @@ -158,11 +160,13 @@ CLONE <BDF5E846|4D494B52> The password used to clone the tag at the end depends on where you got the tag from. A new blank hitag2 tag should have the password 4D494B52. If a tag has been set up for Paxton readers previously it will have the password BDF5E846. The new tag should be the same as the old tags as far as the reader is concerned. ## Creating a DIY antenna for Paxton fobs I was able to read and write genuine Paxton fobs by creating a coil antenna that allowed the fob to be placed inside. The original coil has an inductance at 374µH. With trial and error I created a similar inductance coil with diameter of 2.5cm roughly 140 turns. My top tip / life hack for winding the antenna would be to use super glue to get the initial loops on and secure them at the correct height and then electrical insulation tape to protect the coil and keep it in place.  
@@ -187,4 +191,4 @@ This is actually one of the harder steps especially with hitag2 cards in smaller Paxton fobs can be widely picked up in packs of 10 for about £30 but this is much more than a hitag2 card should cost which is less than half that. If you want to give this guide a go I have a small quantity of genuine Paxton fobs I purchased and would be willing to sell individually for around cost price. If you would like one of these contact me via github. Also happy to clone tags for research. -
Nathaniel McHugh revised this gist
Aug 19, 2022 . 1 changed file with 36 additions and 25 deletions.
@@ -1,40 +1,40 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring. This guide should also work on other Paxton colours of fob used for the Switch2 system but I have not tested it on those.  Paxton readers often look like this  This guide covers how to read an existing tag and write data to another tag. If the original tag has been authorised with the reader the new tag will be seen by the reader as the same tag, effectively a clone. You can copy cards to fobs and fobs to cards. Hereafter both fobs and cards will be referred to as tags. ## Equipment used * An RFIDLer, available here from one of the tools authors http://rfidiot.org/ * Enamelled copper wire, I used 33swg or ~0.25 mm * Some hitag2 tags See notes [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#getting-hold-of-hitag2-tags). * (optional) a soldering iron but you my be able to get away without one These Paxton tags use hitag2 technology and so can be copied to any hitag2 cards, fobs or other tag form factor. ## Antennas The RFIDler comes with a coil antenna that works well for reading cards and sniffing readers. It does not however work well with fobs. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#creating-a-diy-antenna-for-paxton-fobs). ## Connecting to your RFIDler This is done on the command line via a serial communication program. I used minicom which is available on a mac via homebrew or on Linux via a package manager. On windows PuTTY has this functionality. You need to find out what device the RFIDler was mounted as when you plugged it in via usb. In my case it was at `/dev/tty.usbmodem092426B340191` and I found it by looking for the most recent mounted device in /dev. 
So to connect it I used the command ``` minicom -D /dev/tty.usbmodem092426B340191 -b 115200 ``` ## Reading a tag Once you have connected to your RFIDLer you need to set the config to hitag2 tags ``` RFIDler> set tag hitag2 OK @@ -44,25 +44,27 @@ OK HITAG2> ``` Next you can try reading the tag serial number. This is a read only number and cannot be changed but it is not used in access identification. It can be read without knowing the password for the tag and is also known as page 0. ``` HITAG2> reader 12345678 12345678 12345678 ``` Hopefully you should see the tag serial number being repeated continuously. This means there is a good strong connection between the tag and antenna. If you don't see the number adjust the tag and coil position until you do. The next step is to login to the tag by supplying the password. There is a common password for these Paxton tags. ``` HITAG2> login BDF5E846 06F907C2 ``` A response like the one above means the login was successful. It shows the config bit and tag password held on page 2 of the tag. It is the same for all Paxton tags I tested. If instead you see "Login failed!" try again with a different position or no password (which will use the default blank tag password). Once you have logged in successfully you can now read the 8 pages of data held on the tag. But first you will need to set the VTag type to hitag2 as well for reasons I'm unclear on. The VTag is a virtual tag representation held on the RFIDler and is where you need to load data before writing it out to a new tag. ``` HITAG2> read 0 
@@ -81,18 +83,20 @@ HITAG2> read 0 1: BDF5E846 HITAG2> read 2 2: 06F907C2 … ``` Repeat the read commands all the way up to page 7. Once you have this data you have all the info you need to clone the tag. The important pages are 4-7 these contain the data which the reader identifies for access. ## Can I Emulate a Paxton tag? Not currently with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. ## Writing a Tag Despite not being able to emulate a hitag to write a tag you need to load your tag data into the virtual tag or VTag. ``` HITAG2> VWRITE 1 BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT @@ -101,7 +105,7 @@ BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT Where PAGE1DAT etc is the 8 hex digits you got by reading the original tag. Then check the contents of the VTag ``` HITAG2> vtag @@ -139,7 +143,7 @@ HITAG2> vtag ``` If you are happy with the data as shown in the VTAG you can then clone it onto another tag ``` CLONE <BDF5E846|4D494B52> @@ -156,9 +160,9 @@ The password used to clone the tag at the end depends on where you got the tag f ## Creating a DIY antenna for Paxton fobs I was able to read and write genuine Paxton fobs by creating a coil antenna that allowed the fob to be placed inside. The original coil has an inductance at 374µH. With trial and error I created a similar inductance coil with diameter of 2.5cm roughly 140 turns. My top tip for winding the antenna would be to use super glue to get the initial loops on and secure them at the correct height and then electrical insulation tape to protect the coil and keep it in place.  
@@ -177,3 +181,10 @@ This sets the tag type as hitag2 and then asks the tag for its serial number bef Once you start getting good pulses that can be easily distinguished from the background noise you can attempt to use the antenna to read a fob. ## Getting hold of hitag2 tags This is actually one of the harder steps especially with hitag2 cards in smaller quantities. A lot of what are advertised as hitag2 cards when they arrive turn out to be a different card type such as EM4100. In the course of this research I ended up with a load of tags of many types. Paxton fobs can be widely picked up in packs of 10 for about £30 but this is much more than a hitag2 card should cost which is less than half that. If you want to give this guide a go I have a small quantity of genuine Paxton fobs I purchased and would be willing to sell individually for around cost price. If you would like to buy one of these contact me via github. -
natmchugh revised this gist
Aug 5, 2022 . 1 changed file with 2 additions and 2 deletions.
@@ -25,7 +25,7 @@ The RFIDler comes with a coil antenna that is very good for reading cards and sn This is done on the command line via a serial communication program. I used minicom which is available on a mac via brew or on Linux package managers. On windows PuTTY apparently has this functionality. You need to find out what device the RFIDler was monuted as when you plugged it in via usb. In my case it was at `/dev/tty.usbmodem092426B340191` and I found it by looking for the most recent mounted device in /dev. So to connect it was just ``` @@ -168,7 +168,7 @@ To do this there is a python wrapper for rfidler that can call it via the api an ``` cd python python rfidler.py /dev/tty.usbmodem092426B340191 'set tag hitag2' 'uid' plot 1500 ``` This sets the tag type as hitag2 and then asks the tag for its serial number before plotting the results. -
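Review bot: "monuted" in the first hunk ("what device the RFIDler was monuted as") is a typo for "mounted". The second hunk also puts the author's own device path `/dev/tty.usbmodem092426B340191` into the `rfidler.py` command without the "In my case" qualifier the prose uses, so say next to the command that readers substitute their own device name.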
natmchugh revised this gist
Aug 5, 2022 . 1 changed file with 11 additions and 0 deletions.
@@ -21,6 +21,17 @@ These Paxton fobs use hitag2 technology and can be copied to hitag2 cards and fo ## Antennas The RFIDler comes with a coil antenna that is very good for reading cards and sniffing readers. It does not however do well with other tag form factors. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#creating-a-diy-antenna-for-paxton-fobs). ## Connecting to your RFIDler This is done on the command line via a serial communication program. I used minicom which is available on a mac via brew or on Linux package managers. On windows PuTTY apparently has this functionality. You need to find out what device the RFIDler was monuted as when you plugged it in via usb. In my case it was at `/dev/tty.usbmodem092426...` and I found it by looking for the most recent mounted device in /dev. So to connect it was just ``` minicom -D /dev/tty.usbmodem092426B340191 -b 115200 ``` ## Reading a tag First we need to set the RFIDLer to hitag2 cards config -
natmchugh revised this gist
Aug 5, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -19,7 +19,7 @@ This guide covers how to read an existing tag and write data to another tag. If These Paxton fobs use hitag2 technology and can be copied to hitag2 cards and fobs etc. ## Antennas The RFIDler comes with a coil antenna that is very good for reading cards and sniffing readers. It does not however do well with other tag form factors. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#creating-a-diy-antenna-for-paxton-fobs). ## Reading a tag -
natmchugh revised this gist
Aug 5, 2022 . 1 changed file with 2 additions and 5 deletions.
@@ -8,7 +8,7 @@ Readers often look like this  This guide covers how to read an existing tag and write data to another tag. If that tag has been authorised for entry the new tag will be able to gain entry and will be seen by the reader to be the same tag, effectively a clone. You can copy cards to fobs and fobs to cards. Hereafter both fobs and cards will be referred to as tags. ## Equipment * An RFIDLer available here from one of the tools authors http://rfidiot.org/ @@ -19,7 +19,7 @@ This guide covers how to read an existing tag and write data to another tag. If These Paxton fobs use hitag2 technology and can be copied to hitag2 cards and fobs etc. ## Antennas The RFIDler comes with a coil antenna that is very good for reading cards and sniffing readers. It does not however do well with other tag form factors. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here](/natmchugh/18e82761dbce52fa284c87c190dc926f#reading-a-card). ## Reading a tag @@ -63,9 +63,6 @@ OK *HITAG2> save OK HITAG2> read 0 0: 12345678 -
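Review bot: The antenna link in the "## Antennas" hunk targets `#reading-a-card`, but the sentence is about winding an antenna and the heading shown directly below is "## Reading a tag", so the anchor either resolves to nothing or lands on the wrong section. Point it at the antenna-building section's anchor instead.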
Nathaniel McHugh revised this gist
Aug 5, 2022 . 1 changed file with 72 additions and 14 deletions.
@@ -25,16 +25,18 @@ The RFIDler comes with a coil antenna that is very good for reading cards and sn First we need to set the RFIDLer to hitag2 cards config ``` RFIDler> set tag hitag2 OK *HITAG2> save OK HITAG2> ``` Next we need to try reading the tag serial number. This is readonly and cannot be changed but it is not used in identifying access. It can be read without knowing the password and logging into the tag and is also known as page 0. ``` HITAG2> reader 12345678 12345678 12345678 @@ -47,19 +49,34 @@ The next step is to login to the tag by supplying the password. HITAG2> login BDF5E846 06F907C2 ``` The response should be the config bit and tag password. This is held on page 2 of the tag and is the same for all Paxton tags I tested. If instead you get "Login failed!" don't give up just try again. Once you have logged in you can now read the 8 pages of data held on the tag. But first you will need to set the the VTag type to hitag2 as well. ``` HITAG2> read 0 VTag not compatible! HITAG2> set vtag hitag2 OK *HITAG2> save OK HITAG2> read 1 1: BDF5E846 HITAG2> read 0 0: 12345678 *HITAG2> read 1 1: BDF5E846 HITAG2> read 2 … ``` repeat all the way up to page 7 Once you have this data you have all the info you need to clone the tag. The important pages are 4-7 these contain the data on which the system identifies for access. ## Can I Emulate a Paxton tag? 
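Review bot: "you will need to set the the VTag type to hitag2" in the login hunk repeats "the". In the same hunk, "repeat all the way up to page 7" after the code block starts in lower case and has no full stop, so it runs into the next sentence.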
@@ -69,21 +86,62 @@ Not currently with an RFIDler. The data flow is more complicated than some other Despite not being able to emulate a hitag to write a tag you need to load your tag data into the virtual tag or vtag. ``` HITAG2> VWRITE 1 BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT BDF5E846PAGE2DATPAGE3DATPAGE4DATPAGE5DATPAGE6DATPAGE7DAT ``` Where PAGE1DAT etc is the 8 hex digits you got by reading the original tag. Then check the contents of the VTAG ``` HITAG2> vtag Type: HITAG2 Emulating: NONE Raw UID: UID: PWD Block (1): BDF5E846 ...F Key Block (2): PAGE2DAT ..-. Config Block (3): PAGE3DAT Page 1 & 2: 0 = Read / Write Page 3: 0 = Read / Write Page 4 & 5: 0 = Read / Write Page 6 & 7: 0 = Read / Write Security: 0 = Password Mode: 0 = Public Mode B Modulation: 0 = Manchester PWD Block (3): GE3DAT .=. Data: 0: 12345678 1: BDF5E846 2: PAGE2DAT 3: PAGE3DAT 4: PAGE4DAT 5: PAGE5DAT 6: PAGE6DAT 7: PAGE7DAT ``` If you are happy with the data as shown in the VTAG then you can clone onto another tag ``` CLONE <BDF5E846|4D494B52> 1: BDF5E846 2: PAGE2DAT 4: PAGE4DAT 5: PAGE5DAT 6: PAGE6DAT 7: PAGE7DAT ``` The password used to clone the tag at the end depends on where you got the tag from. A new blank hitag2 tag should have the password 4D494B52. If a tag has been set up for Paxton readers previously it will have the password BDF5E846. @@ -107,7 +165,7 @@ python rfidler.py /dev/tty.usbmodem... 'set tag hitag2' 'uid' plot 1500 This sets the tag type as hitag2 and then asks the tag for its serial number before plotting the results.  Once you start getting good pulses that can be easily distinguished from the background noise you can attempt to use the antenna to read a fob. -
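Review bot: "Where PAGE1DAT etc is the 8 hex digits you got by reading the original tag" refers to a placeholder that never appears in the example: the `VWRITE 1` line begins with the literal `BDF5E846` and the placeholders start at `PAGE2DAT`. Change the reference to `PAGE2DAT`, or say that the first eight digits are the page 1 value shown in the `vtag` output.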
Nathaniel McHugh revised this gist
Aug 5, 2022 . 3 changed files with 35 additions and 19 deletions.
@@ -8,20 +8,20 @@ Readers often look like this  This guide covers how to read an existing tag and write data to another tag. If that tag has been authorised for entry the new tag will be able to gain entry and will be seen by the reader to be the same tag, effectively a clone. You can copy cards to fobs and fobs to cards. From now on both fobs and cards will be referred to as tags. ## Equipment * An RFIDLer available here from one of the tools authors http://rfidiot.org/ * Enamelled copper wire I used 33swg or ~0.25 mm * Some Paxton fobs or hitag2 cards * (optional) a soldering iron but you my be able to get away without one These Paxton fobs use hitag2 technology and can be copied to hitag2 cards and fobs etc. ## Antennas The RFIDler comes with a coil antenna that is very good for reading cards and sniffing readers. It does not however do well with other tag form factors. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further [here]/(natmchugh/18e82761dbce52fa284c87c190dc926f#reading-a-card). ## Reading a tag First we need to set the RFIDLer to hitag2 cards config ``` 
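Review bot: The link in the "## Antennas" paragraph is written `[here]/(natmchugh/18e82761dbce52fa284c87c190dc926f#reading-a-card)`; the `/` sits between `]` and `(`, so Markdown will not render it as a link. Move the slash inside the parentheses so the target starts with `/natmchugh/`.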
@@ -31,25 +31,25 @@ OK OK HITAG2> ``` Next we need to try reading the tag serial number. This is readonly and cannot be changed but it is not used in identifying access. It can be read without knowing the password and logging into the tag and is also known as page 0. ``` HITAG2> READER 12345678 12345678 12345678 ``` You should get the tag serial number being repeated continuously which means there is a good strong signal. If you don't then adjust the tag and coil position until you do. The next step is to login to the tag by supplying the password. ``` HITAG2> login BDF5E846 06F907C2 ``` The response is the config bit and tag password. This is held on page 2 of the tag and is the same for all Paxton tags I tested. Once you have logged in you can now read the 8 pages of data held on the tag. ``` HITAG2> read 0 @@ -60,17 +60,17 @@ HITAG2> read 1 ``` repeat up to page 7 Once you have this data you have all the info you need to clone the tag. The important pages are 4-7 these contain the data on which the system identifies for access. ## Can I Emulate a Paxton tag? Not currently with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 tags handle these commands really well. So why not just use one of those i.e. clone to a hitag2 tag. ## Writing a Tag Despite not being able to emulate a hitag to write a tag you need to load your tag data into the virtual tag or vtag. ``` set tag hitag2 VWRITE 1 BDF5E846PAGE2DATAPAGE3DATA...... ``` 
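Review bot: In the Writing a Tag example, the placeholders in "VWRITE 1 BDF5E846PAGE2DATAPAGE3DATA......" are nine characters each, while the page values shown in this patch (12345678, BDF5E846) are eight hex digits, so a reader cannot tell how the string maps onto pages. Use eight-character placeholders and state the page each one stands for. The opening sentence "Despite not being able to emulate a hitag to write a tag you need to load your tag data" also parses two ways without a comma after "hitag", and "The important pages are 4-7 these contain the data" is a run-on that needs a full stop or semicolon after "4-7".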
@@ -86,12 +86,28 @@ If you are happy with the data as shown in the VTAG then you can clone onto anot CLONE <BDF5E846|4D494B52 > ``` The password used to clone the tag at the end depends on where you got the tag from. A new blank hitag2 tag should have the password 4D494B52. If a tag has been set up for Paxton readers previously it will have the password BDF5E846. ## Creating a DIY antenna for Paxton fobs I was able to read and write genuine Paxton fobs by creating a coil antenna that allowed the fob to be placed inside. I estimated the inductance at 200µH. This suggested that with a coil diameter of 2cm roughly 120 turns would give a similar impedance. My top tip for winding the antenna would be to use super glue to get the initial loops on and secure them at the correct height and then electrical insulation tape to protect the coil.  To test your antenna, putting a tag in and viewing the data as a graph vs time can help in fine tuning your antenna design. To do this there is a python wrapper for rfidler that can call it via the api and plot the results ``` cd python python rfidler.py /dev/tty.usbmodem... 'set tag hitag2' 'uid' plot 1500 ``` This sets the tag type as hitag2 and then asks the tag for its serial number before plotting the results.  Once you start getting good pulses that can be easily distinguished from the background noise you can attempt to use the antenna to read a fob. File renamed without changesFile renamed without changes -
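Review bot: In the new antenna section, "I estimated the inductance at 200µH" is followed by "roughly 120 turns would give a similar impedance", which switches quantity mid-argument; if the aim is to match the estimated value, say "inductance" in both places. The example "python rfidler.py /dev/tty.usbmodem... 'set tag hitag2' 'uid' plot 1500" also leaves the 1500 argument unexplained, so add a sentence on what it controls so readers can interpret the plot.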
Nathaniel McHugh revised this gist
Aug 5, 2022 . 1 changed file with 2 additions and 2 deletions.
@@ -1,11 +1,11 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring.  Readers often look like this  This how to covers how to read an exisiting tag and write data to another tag. If that tag has been authorised for entry the new tag will be able to gain entry and will be seen by the reader be the same tag effetively a clone. You can copy cards to fobs and fobs to cards. -
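Review bot: The introductory paragraph in this hunk still carries "exisiting", "effetively" and a missing "to" in "will be seen by the reader be the same tag"; fix them while this part of the file is being edited. "This how to covers how to" would also read better as "This guide covers how to".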
Nathaniel McHugh revised this gist
Aug 5, 2022 . 3 changed files with 32 additions and 1 deletion.
@@ -1,10 +1,12 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring.  Readers often look like this  This how to covers how to read an exisiting tag and write data to another tag. If that tag has been authorised for entry the new tag will be able to gain entry and will be seen by the reader be the same tag effetively a clone. You can copy cards to fobs and fobs to cards. 
@@ -63,4 +65,33 @@ Once you have this data you have all the info you need to clone the tag. The imp ## Can I Emulate a Paxton fob? Not currently with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 cards handle these commands really well. Why not just use one of those i.e. clone to a hitag2 card. ## Writing a Fob To write a fob you need to load your fob data into the virtual tag or vtag. ``` set tag hitag2 VWRITE 1 BDF5E846...... ``` Check the contents of the VTAG ``` VTAG ``` If you are happy with the data as shown in the VTAG then you can clone onto another tag ``` CLONE <BDF5E846|4D494B52 > ``` The password used to clone the card at the end depends on where you got the card from. A new blank hitag2 card should have the password 4D494B52. If a tag has been set up for Paxton readers previously it will have the password BDF5E846. ## Creating a DIY antenna for Paxton fobs I was able to read and write genuine Paxton fobs by creating a coil antenna that allowed the fob to placed inside. I estimated the inductuctance at 200µH. This suggested that with a coil diameter of 2cm roughly 120 turns would give similar impedance. My top tip for winding the antenna would be to use super glue to get the intial loops on and secure them at the correct height.
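Review bot: The new sections mix "fob", "card" and "tag" for the same object ("## Writing a Fob", "The password used to clone the card", "If a tag has been set up"), which makes it unclear whether the steps differ by form factor; pick one term and say once that it covers both. In the antenna paragraph, "allowed the fob to placed inside" is missing "be", and "inductuctance" and "intial" are typos. The CLONE example "CLONE <BDF5E846|4D494B52 >" has a stray space before ">" and does not say that the angle brackets and "|" are notation for a choice rather than literal input.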
-
Nathaniel McHugh revised this gist
Aug 4, 2022 . 2 changed files with 0 additions and 0 deletions.
-
natmchugh revised this gist
Aug 4, 2022 . 1 changed file with 1 addition and 0 deletions.
@@ -5,6 +5,7 @@ Paxton fobs and readers are popular in the UK especially the Net2 system where t Readers often look like this This how to covers how to read an exisiting tag and write data to another tag. If that tag has been authorised for entry the new tag will be able to gain entry and will be seen by the reader be the same tag effetively a clone. You can copy cards to fobs and fobs to cards. ## Equipment -
natmchugh revised this gist
Aug 4, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -1,7 +1,7 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring.  Readers often look like this -
Nathaniel McHugh revised this gist
Aug 4, 2022 . 1 changed file with 1 addition and 0 deletions.
@@ -1,6 +1,7 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring.  Readers often look like this -
Nathaniel McHugh revised this gist
Aug 4, 2022 . 1 changed file with 0 additions and 0 deletions.
-
natmchugh revised this gist
Aug 4, 2022 . 1 changed file with 1 addition and 0 deletions.
@@ -1,6 +1,7 @@ # How to copy, read and write Paxton fobs and cards with an RFIDler Paxton fobs and readers are popular in the UK especially the Net2 system where the fobs look like this with a blue ring.  Readers often look like this -
Nathaniel McHugh revised this gist
Aug 4, 2022 . 1 changed file with 0 additions and 0 deletions.
-
natmchugh revised this gist
Aug 4, 2022 . 1 changed file with 24 additions and 1 deletion.
@@ -12,7 +12,7 @@ This how to covers how to read an exisiting tag and write data to another tag. I * Some Paxton fobs or hitag2 cards * (optional) a soldering iron but you my be able to get away without one These Paxton fobs use hitag2 technology and can be copied to hitag2 cards and fobs etc. ## Antennas The RFIDler comes with a coil antenna that is very good for reading cards and sniffing readers. It does not however do well with other tag form factors. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further down. @@ -35,6 +35,29 @@ HITAG2> READER 12345678 12345678 ``` You should get the tag serial number being repeated continously which means there is a good strong signal. If you don't then adjust the tag coil position until you do. The next step is to login to the tag that is get passed the tags auth. ``` HITAG2> login BDF5E846 06F907C2 ``` The response is the config bit and tag password. This is held on page 2 of the tag and is the same for all Paxton fobs I tested. Once you have logged in you can now read the 8 pages of data. ``` HITAG2> read 0 0: 12345678 HITAG2> read 1 1: BDF5E846 … ``` repeat up to page 7 Once you have this data you have all the info you need to clone the tag. The important pages are 4-7 these contain the data on which the system identifes for access. ## Can I Emulate a Paxton fob? Not currently with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 cards handle these commands really well. Why not just use one of those i.e. clone to a hitag2 card. -
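Review bot: In the second hunk, "The next step is to login to the tag that is get passed the tags auth" is hard to parse: "get passed" should be "get past", "tags" needs an apostrophe, and the clause needs punctuation around "that is". The same hunk has "continously" and "identifes", and "The important pages are 4-7 these contain the data" is a run-on. The read example also ends in "…" followed by "repeat up to page 7" outside the fence; say inside the prose that pages 2 to 7 are read with the same command so the listing does not look truncated.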
natmchugh revised this gist
Aug 4, 2022 . 1 changed file with 7 additions and 3 deletions.
@@ -15,22 +15,26 @@ This how to covers how to read an exisiting tag and write data to another tag. I These Paxton fobs use hitag2 technology and ## Antennas The RFIDler comes with a coil antenna that is very good for reading cards and sniffing readers. It does not however do well with other tag form factors. In order to read and write to a Paxton fob I had to wind my own antenna. This is covered further down. ## Reading a card First we need to set the RFIDLer to hitag2 cards config ``` set tag hitag2 OK *HITAG2> save OK HITAG2> ``` Next we need to try reading the tag serial number. This is readonly and cannot be changed but it is not used in identifying access. It can be read without knowing the password and logining into the tag and is also known as page 0. ``` HITAG2> READER 12345678 12345678 12345678 ``` ## Can I Emulate a Paxton fob? Not currently with an RFIDler. The data flow is more complicated than some other tags involving a back and forth of commands the reader could send. The chips in hitag2 cards handle these commands really well. Why not just use one of those i.e. clone to a hitag2 card.
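Review bot: The line "These Paxton fobs use hitag2 technology and" stops mid-sentence directly before "## Antennas", so the document is left with a dangling clause at this revision; finish the sentence or drop the trailing "and". In the new Reading a card text, "logining into the tag" should be "logging in to the tag", and the first console listing switches from a bare "set tag hitag2" to a "*HITAG2>" prompt without saying what the asterisk indicates.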