LF_PROXBRUTE — HID ProxII Bruteforce

Author: Brad Antoniewicz Frequency: LF (125 kHz) Hardware: Generic Proxmark3

Back to Standalone Modes Index | Source Code | Development Guide

What

Reads an HID ProxII tag, then brute forces all card numbers downward from the captured value, keeping the same facility code.

Why

HID ProxII is one of the most widely deployed access control card formats. If you have one valid card, you can enumerate other valid card numbers by brute forcing downward (most organizations assign card numbers sequentially, so badges with lower numbers often belong to employees with longer tenure or higher access).

How

READ: Capture an HID ProxII card to learn the facility code and starting card number
BRUTE: Simulate the card with decrementing card numbers, pausing briefly at each one
The facilty code is preserved from the original capture
Hold button during brute to exit back to READ

LED Indicators

LED	Meaning
A (solid)	Reading / simulation active
C (solid)	Brute force mode
A+B+C+D (flash)	Error or exiting

Button Controls

Action	Effect
Hold 280ms	Advance state (READ → BRUTE)
Hold during brute	Exit brute → back to READ
USB command	Exit standalone mode

State Machine

mermaid

stateDiagram-v2
    [*] --> READ : Startup

    READ --> BRUTE : Button hold\n(card captured)
    READ --> READ : Button hold\n(no card)
    
    BRUTE --> BRUTE : Decrement card number\nand simulate
    BRUTE --> READ : Button hold\n(exit brute)
    
    READ --> [*] : USB data received
    BRUTE --> [*] : USB data received

Compilation

make clean
make STANDALONE=LF_PROXBRUTE -j
./pm3-flash-fullimage

Prox2Brute — Faster, configurable ProxII brute force v2
HID Corporate Brute — Corporate 1000 brute force
SamyRun — HID26 read/clone/sim
HID FC Brute — Facility code brute force

LF_PROXBRUTE — HID ProxII Bruteforce

LF_PROXBRUTE — HID ProxII Bruteforce

What

Why

How

LED Indicators

Button Controls

State Machine

Compilation

Related