doc/standalone/lf_prox2brute.md
Author: Yann Gascuel Frequency: LF (125 kHz) Hardware: Generic Proxmark3
Back to Standalone Modes Index | Source Code | Development Guide
An improved version of ProxBrute that brute forces HID ProxII H10301 26-bit card numbers over a configurable range with compile-time settings for facility code, start number, and end number.
The original ProxBrute requires reading a card first and only goes downward. Prox2Brute lets you pre-configure the exact facility code and card number range to test — no need to capture a card first. It's faster because it's purpose-built for the H10301 26-bit format with optimized timing between attempts.
Use this when:
#define directives: FACILITY_CODE, CARDNUM_START, CARDNUM_END| LED | Meaning |
|---|---|
| A | Inverts every attempt — fast blink = running |
| B | Inverts every 8 attempts |
| C | Inverts every 16 attempts |
| D | Inverts every 32 attempts — slow blink = progress |
| D (initial) | Waiting for button press to start |
| C (initial) | Ready indicator |
The LED pattern creates a visual binary counter showing brute force progress at a glance.
| Action | Effect |
|---|---|
| Hold 200ms | Start brute force |
| Hold ≥ 1 second (during brute) | Exit brute force |
| USB command | Exit standalone mode |
stateDiagram-v2
[*] --> WaitStart : Startup\nLED_D on
WaitStart --> BruteLoop : Button hold 200ms\nLED_C on (ready)
BruteLoop --> BruteLoop : Simulate CN++\nLEDs show binary progress
BruteLoop --> Complete : CN > CARDNUM_END
BruteLoop --> [*] : Button hold ≥ 1s
Complete --> [*] : All numbers tested
note right of BruteLoop
FC = FACILITY_CODE (compile-time)
CN iterates CARDNUM_START → CARDNUM_END
LEDs A/B/C/D show binary counter
end note
Edit the #define values in the source code before compiling:
#define FACILITY_CODE 111 // Target facility code
#define CARDNUM_START 1 // First card number to try
#define CARDNUM_END 65535 // Last card number to try
make clean
make STANDALONE=LF_PROX2BRUTE -j
./pm3-flash-fullimage