Cloned card is not working (EM410x -> LF t55xx) - need a hint

[rookie4711]

Hi All Together,

I am a newbie and I am looking for a hint.

I bought a new Proxmark3 (Easy) a few days ago. Under Win11 I installed the latest Iceman firmware. Everything is looking fine (no fw mismatch or something strange shown when starting). LF- and HF TUNE are showing the expected results.

Objective: I want to learn and so I thought I try to clone my own gym card

LF TUNE is showing the voltage going down to 8V when I put the card on the LF antenna and moved it a bit for getting the lowest possible result. (HF TUNE + HF SEARCH is showing nothing)

LF SEARCH is showing data: EM 410x detected with the UID, also Honeywell etc. is mentioned and that I should try "LF t55xx DETECT" next for getting more details.

But when using LF t55xx DETECT it always says that it can not detect any information automatically and that I should try LF t55xx CONFIG.

LF t55xx CONFIG is showing some information but I am not sure if this is really helping or giving me any good hints and I am not sure if this is the real information from the gym card. For example I see that my gym card is not password protected, block 0 has the value 00000000 and is N/A (in red color).

Nevertheless then I am trying to clone the gym card data to a new t5577 clone card (did LF t55xx WIPE before each try, also tried that with several clone cards) with the comand "LF EM 410x clone --id 123456789 (in reality I use the UID which is shown as EM 410X TAG ID when using LF SEARCH) and that comand seems to work - it says writing .... + done. Then I type LF em 410x READER for checking the cloned card and it shows the correct UID of the original gym card and LF SEARCH is showing also the same information.

BUT this clone card is not working when testing it in the gym - nothing is happening (no LED reaction from the reader, nothing is opening / locking or unlocking).

Now I am feeling a bit lost but I ASSUME the root cause of my problem is that the gym card is password protected so the DETECT comand is not working - block 0 (config block) therefore unaccessable -> could that be correct or any other ideas how I can reach my objective? Looks like for a newbie I am not bad but obviously I am not good enough ;-)

Currently I am trying to find the password with the BRUTEFORCE comand but now that task is running for more than 4 hours and it's still trying. + trying.....

Thanks + BR

[rookie4711]

A password was found over night and with that info I was able to read out block 0 information. Then I wrote block 0 with the shown HEX data etc to the clone card which seemed to work. But afterwards I was confused because the value when reading block 0 out is different than the value I have used. Any ideas why? On top I am wondering why the BRUTE command, tried it again with the gym card, is no longer finding this password when using the HEX value directly (without a range). Should I give up?