iCopy-X / iCopy-XS — LF Tag Families in Scope

1. What this volume covers

This is the LF-side companion to Vol 3 (RFID/NFC primer) and the input to Vol 7 (Auto Clone, Read LF, Sniff) and Vol 9 (T5577 universal blanks). Vol 3 covers the physics of 125 kHz — the resonant air-coupled coil, the load-modulated downlink, the Manchester / biphase / PSK / FSK line codings, the absent-by-architecture cryptography in almost the entire band. This volume covers the families — the actual silicon, the bit formats, the access-control deployments, and what the iCopy-X firmware does when it sees each one.

Eighteen tag families are in scope, drawn directly from the icopyx.com product page LF feature list as of mid-2026. They sort cleanly into three tiers:

1. The universal blank. T5577 is not really an access-control technology — it is a programmable LF tag designed to emulate almost every other tag family in this volume. Anything the iCopy-X can read on the LF side, it can usually clone to a T5577. The T5577 section (§4) is therefore foundational and is presented first after EM4XX.
2. The high-volume incumbents. EM4100/EM4305, HID Prox (H10301 and Corporate 1000), Indala, AWID, HITAG family. These are the cards an operator in the field will see ninety-plus percent of the time on a North American or European corporate access-control engagement. The depth in this volume reflects that — each gets a multi-paragraph treatment with format internals, decode behaviour, and clone notes.
3. The legacy long tail. ioProx, Viking, FDX-B, KERI, VISA2000, Motorola FlexPass, Paradox, Presco, GProx, Securakey, PAC, Stanley, NexWatch. Each gets a tight one-or-two paragraph treatment covering what it is, where it is found, and what the iCopy-X does with it. Several of these are essentially obsolete in new installations but linger on doors that nobody has touched since the 1990s.

The reader is assumed to have read Vol 3 and to understand load modulation, Manchester encoding, the Proxmark3 ASK-demodulation pipeline, and what a “T55xx download trace” looks like on a logic analyser. Where format internals need bit-level precision, this volume gives them; where the family is essentially “another 64-bit Manchester ID with vendor-specific encoding”, it says so and moves on.

2. Master table — every LF family at a glance

The table below summarises all eighteen families. The “iCopy-X support” column is the level of support in the iCopy-X 2.0 firmware family as of mid-2026; the “Clones to” column is the blank-card stock the operator should reach for in the standard case.

Family	Carrier	Modulation	Data rate / bit period	Format	Crypto	iCopy-X support	Clones to
EM4100	125 kHz	ASK (load mod)	RF/64 (~64 µs/bit)	64-bit Manchester, 40-bit UID	None	Full read + decode + clone	T5577 (or EM4305)
EM4102 / 4200	125 kHz	ASK	RF/64	64-bit Manchester, same family as EM4100	None	Full	T5577
EM4205 / 4305	125 kHz	ASK / PSK	RF/32 or RF/64 (configurable)	Writable EM4100-compatible blank	Optional 32-bit password	Full read + write	EM4305 (native) or T5577
T5577	125 kHz	ASK / FSK / PSK (configurable)	RF/8 to RF/128 (configurable)	7-block × 32-bit user-configurable	Optional 32-bit password	Full read + write + config	T5577 (self)
HID Prox H10301 (26-bit)	125 kHz	FSK2a	RF/50 / RF/8 (10 baud)	26-bit Wiegand: 8-bit FC + 16-bit CN + 2 parity	None (open format)	Full decode (FC + CN) + clone	T5577
HID Prox Corporate 1000 (35-bit)	125 kHz	FSK2a	Same as 26-bit	35-bit: 12-bit company ID + 20-bit CN + parity	”Format-protected” customer code	Decode + clone (with caveats)	T5577
HID Prox 37-bit (H10302, H10304)	125 kHz	FSK2a	Same	37-bit variants, no facility code (H10302) or with (H10304)	None	Full decode + clone	T5577
Indala 26-bit	125 kHz	PSK1	RF/2	26-bit Wiegand-equivalent, Motorola/HID heritage	None	Full decode + clone	T5577
Indala 27/28/29-bit + Heden	125 kHz	PSK1	RF/2	Variant formats including the Heden 200 series	None	Full decode + clone	T5577
AWID 26-bit / 34-bit / 50-bit	125 kHz	FSK2a	RF/50 / RF/5	Wiegand-style facility code + card number	None	Full decode + clone	T5577
ioProx (Kantech XSF/26-bit)	125 kHz	FSK2a	RF/64 / RF/8	26-bit XSF (eXtended Serial Format)	None	Decode + clone	T5577
Viking	125 kHz	ASK Manchester	RF/32	64-bit, distinctive 0xF200 preamble	None	Read + clone	T5577
FDX-B (ISO 11784/11785 animal tag)	134.2 kHz (close to LF band; iCopy-X covers it)	ASK	DBP / biphase	128-bit, country code + 38-bit national ID	None	Read + decode (animal ID)	T5577 (limited — see §10)
KERI / NXT-2P	125 kHz	PSK2 (some PSK1 variants)	RF/2	26-bit Wiegand-equivalent	None	Read + clone	T5577
VISA2000	125 kHz	ASK Manchester	RF/64	64-bit	None	Read + clone	T5577
HITAG 1 / HITAG 2 / HITAG S	125 kHz	ASK / Manchester	RF/64 (HITAG 2 in CRC mode)	HITAG 2: 32-bit UID + 4 pages × 32-bit; CRY3 crypto	HITAG 2: yes; HITAG S: yes (lighter)	Read + (HITAG 2) crackable + clone	HITAG 2 blank or T5577 (mode-dependent)
Motorola FlexPass (Indala Motorola)	125 kHz	PSK1	RF/2	26-bit Indala-family, legacy Motorola branding	None	Read + clone	T5577
Paradox	125 kHz	FSK	RF/50	96-bit format; reader does proprietary post-processing	None on card; reader-side obfuscation	Read + (some) decode + clone	T5577 (may need format-correct write)
Presco	125 kHz	ASK Manchester	RF/64	32-bit serial	None	Read + clone	T5577
GProx (Guardall G-Prox-II)	125 kHz	FSK2a	RF/64	26/36-bit Wiegand variants	None	Read + clone	T5577
Securakey	125 kHz	ASK Manchester	RF/40	26-bit	None	Read + clone	T5577
PAC / Stanley	125 kHz	FSK	RF/50 / RF/5	PAC: 8-byte EM-like; Stanley: PAC-compatible	None	Read + clone	T5577
NexWatch (Honeywell NexKey / Quadrakey / Nexwatch)	125 kHz	PSK	RF/2	56-bit format	None on card	Read + clone	T5577

Notes on the table:

• “Carrier” is the air-interface carrier; the iCopy-X LF antenna is tuned at 125 kHz nominal and has acceptable margin to read 134.2 kHz FDX-B animal tags (§19) with reduced range. Verify against Proxmark3 forum wiki for the latest frequency-tolerance figures.
• “Modulation” describes the downlink (card-to-reader). The uplink (reader-to-card) is unmodulated carrier for most LF tags — load modulation is the only way the card talks back.
• “Data rate” is given as RF/N where N is the number of carrier cycles per bit. RF/64 at 125 kHz is ~512 µs per bit, or about 1.95 kb/s — slow by HF standards, fast enough for a 64-bit ID in 33 ms.
• “iCopy-X support” reflects what Auto Clone and Read LF mode do natively. Several families (HITAG 2, Paradox, some Indala variants) may require dropping to Proxmark Mode (Vol 8 §5) for full-depth work; the master table calls those out in §9 and §17.
• “Clones to” is the standard blank. T5577 is the universal answer because of its multi-modulation configurability (§4). Where a non-T5577 blank is preferred (HITAG 2 to a HITAG 2 blank for true crypto-pass-through, EM4305 to an EM4305 blank for password-protected reads), the section calls it out.

The remainder of this volume walks each family in the order most operationally useful — EM4XX first because it is the canonical low-end LF; T5577 next because it is the blank everything clones to; then the high-volume access-control families (HID, Indala, AWID, HITAG); then the long-tail families in roughly the order an operator would encounter them in the field.

3. EM4XX — the EM Marin family

EM Microelectronic-Marin SA is a Swiss semiconductor manufacturer founded in 1975 as a spinoff of the Swatch Group’s microelectronics arm. Their 125 kHz read-only and read-write LF tags — the EM4100 / EM4102 / EM4200 read-only line and the EM4205 / EM4305 writable line — are the canonical low-end LF tags worldwide. The price per unit at OEM volumes is in the single-digit cents range, the silicon has been in production for over thirty years, and the protocol is so simple that it is the first thing every RFID tutorial implements. EM4100 (and its read-only family members 4102 and 4200) are the access-control equivalent of a barcode: a 40-bit fixed serial number that the card transmits any time it is in a field strong enough to power it up.

3.1 EM4100 — the canonical low-end LF tag

The EM4100 chip stores a 40-bit unique identifier in factory-programmed ROM. When the card enters a 125 kHz field and accumulates enough rectified DC to power the digital logic, the chip clocks itself off the carrier and modulates the antenna load to transmit the 64-bit data packet at RF/64 — one bit per 64 carrier cycles. The 64-bit packet structure is:

Bit positions	Field	Notes
0-8	Header	Nine consecutive 1 bits — used by the reader to detect the start of a frame and synchronise
9-12	D00-D03	Customer / version code, low nibble
13	P0	Row 0 even parity over D00-D03
14-17	D10-D13	Customer / version code, high nibble
18	P1	Row 1 parity
19-22	D20-D23	Card number, byte 0 (most significant)
23	P2	Row 2 parity
24-27	D30-D33	Card number byte 0, low nibble
28	P3	Row 3 parity
29-32	D40-D43	Card number byte 1 high nibble
33	P4	Row 4 parity
34-37	D50-D53	Card number byte 1 low nibble
38	P5	Row 5 parity
39-42	D60-D63	Card number byte 2 high nibble
43	P6	Row 6 parity
44-47	D70-D73	Card number byte 2 low nibble
48	P7	Row 7 parity
49-52	D80-D83	Card number byte 3 high nibble
53	P8	Row 8 parity
54-57	D90-D93	Card number byte 3 low nibble
58	P9	Row 9 parity
59-62	PC0-PC3	Column parity (one per data column)
63	S	Stop bit (0)

The data is Manchester-encoded — each bit period is split into two half-bits, with 0 represented by a high-to-low transition mid-bit and 1 by low-to-high (the IEEE 802.3 convention; some references reverse this). The continuous stream of nine 1 bits in the header is what tells the reader where a packet starts, since Manchester-encoded data has at least one transition per bit and the header bits all force the same transition direction in the same place. The parity bits provide error detection across rows and columns, allowing single-bit-error detection but not correction.

The 40-bit identifier is conventionally rendered as a 10-character hexadecimal string — 0x1234567890 style — though it is also frequently rendered as a “facility code + card number” decomposition (8-bit FC : 16-bit CN) or as a fully decimal “8H10D” 13-digit format that some older access-control panels use. The iCopy-X handles the format conversions internally; the Read LF screen displays the raw hex and the common decompositions side by side.

iCopy-X behaviour with EM4100. Auto Clone mode identifies EM4100 from the packet structure (nine-bit header, RF/64, Manchester) in well under a second. The decoded 40-bit ID appears on the LCD. Holding a T5577 blank against the antenna and pressing the second key writes the EM4100-emulation configuration into T5577 block 0 and the ID bits into the appropriate user blocks. The total clone operation, head-to-tail, is typically five to eight seconds on the iCopy-X 2.0 firmware. The cloned T5577 is indistinguishable from a real EM4100 to every reader that accepts EM4100 — which is essentially every low-end LF reader sold in the past three decades.

The two failure modes worth knowing:

1. Reader-side EM4100 anti-clone heuristics. Some modern access-control panels (notably HID multiCLASS readers configured for “Legacy EM” with anti-clone enabled) check the modulation envelope timing against tight tolerances and reject T5577 clones whose modulation index is slightly different from a genuine EM4100. The iCopy-X 2.0 firmware writes the T5577 with carefully tuned modulation index parameters, but the cloned card may still fail at a few percent of high-end installations. The workaround is to clone to an EM4305 blank (§3.3), which is the original EM4100 silicon family in writable form, and is therefore visually and electrically identical to a genuine EM4100.
2. Locked / TTF-only EM4100s. Almost all EM4100s read freely with no auth. A small minority of EM4205-based “EM4100-compatible” cards have factory-set lock bits that prevent the read in certain modes. The iCopy-X handles these in Auto Clone by trying the EM4205 protocol second if the EM4100 read fails — usually transparent to the operator.

3.2 EM4102, EM4200 — the read-only family siblings

EM4102 is functionally identical to EM4100 for the purposes of access control — same 64-bit Manchester format, same 40-bit UID, same RF/64 rate. The differences are silicon — a smaller die, slightly different power-up time, marginally better noise immunity. From the iCopy-X side, EM4102 is auto-detected as EM4100 and cloned identically.

EM4200 is the modernised replacement for EM4100/EM4102, with a longer 128-bit identifier (often rendered as a 32-character hex string) and improved read range. Some access-control systems use the full 128-bit EM4200 ID; many use only the lower 64 bits and treat it as an EM4100. The iCopy-X auto-detects the EM4200 packet structure and decodes the full 128-bit identifier; when cloning to a T5577 (which has 7 × 32-bit user blocks = 224 bits available), the full EM4200 payload fits comfortably.

3.3 EM4205, EM4305 — the writable EM4100-compatible blank

EM4205 and EM4305 are the writable members of the EM Marin family — same air-interface family as EM4100 but with EEPROM blocks the reader can write to. They are sold both as access-control blank stock (vendor pre-programs the UID) and as user-programmable blanks (the buyer programs the UID via a writer tool).

The EM4305 memory layout is 16 blocks × 32 bits, organised as:

Block	Use
0	Configuration word — data rate, modulation, encoder type, lock bits
1	User identifier (the visible EM4100-equivalent UID lives here in EM4100-compat mode)
2	Password word (32-bit)
3	Protection word (read/write protection mask per block)
4-13	User EEPROM (the “free” data area)
14	UID — factory-programmed read-only
15	Test mode word — typically inaccessible

In EM4100-emulation mode, the configuration word in block 0 is set so that the card transmits the contents of block 1 in the 64-bit Manchester EM4100 format. The EM4305 is so widely used as an EM4100-compatible blank that “EM4305” and “writable EM4100” are essentially synonymous in the access-control trade.

iCopy-X handles EM4305 in both read and write modes. Reading an EM4305 in EM4100-compat mode is identical to reading a genuine EM4100. Reading an EM4305 in native mode (with the password set and protection bits enabled) is supported by the iCopy-X Read LF → EM4305 menu option, and the iCopy-X can also write a 32-bit password into a fresh EM4305 if the workflow requires it. Writing an EM4100-compatible UID into an EM4305 blank is straightforward; the iCopy-X writes the config word, the UID block, and verifies. The total time is similar to a T5577 clone — five to ten seconds.

When to prefer EM4305 over T5577: when cloning a card for a high-security installation where the reader-side anti-clone heuristics (§3.1) may reject T5577 emulation. EM4305 is the same silicon family as EM4100 and is electrically indistinguishable. When to prefer T5577: every other case — T5577 is cheaper, more widely available, and its multi-modulation configurability means a single T5577 blank can emulate EM4100 today and HID Prox tomorrow.

3.4 The “EM Marin” colloquialism

In the access-control trade, “EM Marin” or “EM” is shorthand for “any 125 kHz LF tag that looks like an EM4100” — including EM4102, EM4200, EM4205, EM4305, and a long list of EM4100-compatible silicon from other manufacturers (Atmel, NXP, Silicon Labs, Chinese fabs). All of these share the 64-bit Manchester EM4100 air-interface format. The iCopy-X identifies and clones any of them under the EM4100 / EM4XX label; the operator does not need to distinguish.

4. T5577 — the universal LF programmable blank

The T5577 (formerly Atmel ATA5577C, now Microchip after the Atmel acquisition) is the most important single chip in the LF cloning world. It is a 125 kHz read-write LF tag with a configuration word that lets the operator set:

• The modulation type — ASK, PSK1, PSK2, PSK3, FSK1, FSK2, FSK1a, FSK2a, biphase, Manchester direct
• The data rate — RF/8, RF/16, RF/32, RF/40, RF/50, RF/64, RF/100, RF/128 (eight options covering everything from very fast HID Prox to slow EM4100)
• The encoding — Manchester, biphase, direct
• The block count to transmit — 1 to 7 of the user blocks
• Sequence terminator — none, terminator word, or sequence-terminator + terminator word
• Various lock bits and password-protection options

The combination of these options means a T5577 can be configured to emulate essentially any 125 kHz tag in this volume — EM4100, HID Prox H10301, HID Prox Corporate 1000, Indala 26-bit, Indala 27-bit Heden, AWID, ioProx, Viking, Presco, KERI, PAC, NexWatch, and many more. This is why the T5577 is the universal blank — one blank, configured per-clone, emulates whatever the source card was.

4.1 Memory layout

The T5577 has 8 × 32-bit blocks, organised across two pages:

Page 0 (the “data” page):

Block	Use
0	Configuration word — modulation, data rate, encoding, block count, terminator
1	User data block 1 (typically the first 32 bits of the emulated card payload)
2	User data block 2
3	User data block 3
4	User data block 4
5	User data block 5
6	User data block 6
7	Password block (32-bit; optional, enabled by config word)

Page 1 (the “trace” page):

Block	Use
0-1	Trace data — manufacturer’s factory information
2	Reserved
3	Reserved

Page 1 is read-only and contains factory-set silicon trace information. For cloning operations, only page 0 matters. The configuration word in block 0 is the load-bearing element — get it right and the T5577 transmits exactly the bit pattern the original card transmitted; get it wrong and the reader sees nothing or garbage.

4.2 The configuration word

The 32-bit configuration word format (from the Atmel/Microchip T5577 datasheet) is:

Bits	Field	Description
31	Master key (bit 31)	Should be 0 (master key disabled in standard config)
30	Master key (bit 30)	0
29-28	X-mode	Reserved
27-24	Data bit rate	0000=RF/8, 0001=RF/16, 0010=RF/32, 0011=RF/40, 0100=RF/50, 0101=RF/64, 0110=RF/100, 0111=RF/128, 1xxx=reserved
23	Modulation [3]	Modulation type bit 3
22-20	Modulation [2:0]	Encoding 000=direct, 001=Manchester, 010=biphase, 100=PSK1, 101=PSK2, 110=PSK3, 1000=FSK1, 1001=FSK2, 1010=FSK1a, 1011=FSK2a, 1100=Manchester+inverted, etc.
19	PSK clock frequency	0=RF/2, 1=RF/4 (for PSK modes only)
18-15	AOR	Answer-on-request mode
14	OTP	One-time-programmable lock (do not set during cloning)
13-9	Max block	Maximum user block to transmit (5 = blocks 1-5 transmitted)
8	Password (PWD)	0=disabled, 1=enabled
7	Sequence terminator (ST)	0=disabled, 1=enabled
6	Fast write	Fast write mode
5	Inverse	Invert output
4	POR delay	Power-on-reset delay
3	TestMode disabled	Should be 1 for normal operation
2-0	Reserved	0

The exact bit layout has minor variations across the multiple T5577 datasheet revisions; verify against the Microchip ATA5577C datasheet (the post-acquisition reference) for any application requiring precision. The Proxmark3 source code at client/src/cmdlft55xx.c is the most accessible operational reference — it implements the config-word builder for every common tag family. Verify against Proxmark3 RRG repo for the latest.

For an EM4100 clone, the typical T5577 config word is 0x00148040:

• Data rate 0010 = RF/64
• Modulation 001 = Manchester
• Max block 0001 = block 1 transmitted
• Standard flags

For an HID Prox H10301 clone, the typical config word is 0x00107060:

• Data rate 0000 = RF/50 (HID’s preferred rate)
• Modulation 1011 = FSK2a
• Max block 0011 = blocks 1-3 transmitted (HID Prox is 96 bits = 3 blocks)
• Other flags appropriate to HID

For an Indala 26-bit clone, the config is different again — PSK1 modulation at RF/2 PSK clock, two blocks transmitted. The iCopy-X firmware has a complete table of these configurations and selects automatically based on the source-card auto-detection.

4.3 How iCopy-X writes the T5577

The iCopy-X Auto Clone workflow with a T5577 destination:

1. Source card is read; family is identified; the relevant data bits are extracted (40-bit EM UID, 26-bit HID FC+CN, 96-bit HID Corporate 1000 payload, etc.).
2. The iCopy-X firmware selects the correct T5577 config word for the source family from its internal table.
3. The destination T5577 is held against the antenna. The iCopy-X writes block 0 (config), then the user blocks 1-N (data), then verifies by re-reading.
4. If the destination T5577 had a non-default password set, the iCopy-X attempts the standard default passwords (0x00000000, 0x51243648, 0xAA55AA55, etc.) and, failing that, prompts the operator to enter a known password or to reset via the Proxmark-mode lf t55xx wipe operation.

The T5577 standard write command is the “opcode 10” Standard Write — 38 bits total: 2-bit opcode + 1-bit password flag + (32 bits of password if flagged) + 1-bit lock bit + 32 data bits + 3 address bits. The card writes the data block to the addressed location and the new value takes effect on the next field cycle. There is no acknowledgement from the card — the reader must read back to verify. The iCopy-X handles this transparently; the operator sees only “Clone OK” or an error message.

4.4 Why T5577 is the universal answer

The T5577 succeeds as the universal LF blank because:

• Configurability: the configuration word covers nearly the full design space of LF tag modulations and rates.
• Availability: Microchip ships the chip in volume; T5577 cards in standard credit-card form factor are available at $0.30-$1.00 each from Chinese fabs (Lab401’s “Genuine” packs are $2-$3 each but with consistent batch quality — see Vol 9 §3).
• Tool support: every serious RFID tool (Proxmark3, iCopy-X, Flipper Zero, ChameleonMini, the cheap AliExpress duplicators) has a T5577 write-support implementation that has been polished over many firmware revisions.
• Recoverability: if the T5577 is misconfigured (wrong config word, wrong data), the iCopy-X can re-write it. There is no irrecoverable error state short of setting the OTP (one-time-programmable) lock bit, which the iCopy-X firmware deliberately avoids.

The single thing T5577 cannot do is pass through cryptography — it cannot emulate a HITAG 2 card because HITAG 2 has a cipher state that responds to challenge-response, and T5577 has no programmable state machine. For HITAG 2 cloning, an actual HITAG 2 blank is required (§9).

5. HID Prox — the dominant US access-control LF

HID Global (originally Hughes Identification Devices, founded 1991 as a spinoff of Hughes Aircraft; acquired by Assa Abloy in 2000) is the dominant manufacturer of access-control cards in North America. Their “Prox” line — the 125 kHz proximity card family — has been the default corporate access card across most of the US since the mid-1990s. If an operator walks into a random US office building and looks at the security guard’s badge, the most likely technology is HID Prox.

The Prox family is a Wiegand-format card system: the card transmits a fixed-length Wiegand bit string that the reader passes to the access-control panel, which decodes the facility code and card number and consults its access-list. The Wiegand format is fundamentally open — the bit assignments are published, the parity is documented, and any tool with the right LF radio can read and decode any standard Prox card. The “security” of HID Prox depends entirely on the secrecy of the card numbers in use at a given facility, which is an extraordinarily weak security model that has been the subject of physical-pentest demonstrations for thirty years.

5.1 H10301 — the 26-bit standard format

The 26-bit Wiegand format (HID format code H10301) is the most common Prox card in the world. The bit layout is:

Bits	Field	Notes
0	Parity P1	Even parity over bits 1-12
1-8	Facility code (FC)	8 bits — 0 to 255
9-24	Card number (CN)	16 bits — 0 to 65535
25	Parity P2	Odd parity over bits 13-24

The facility code is the per-customer identifier — every site licensed with HID has one or more assigned facility codes. The card number is a sequential identifier within that facility code; HID issues card numbers in ranges to customers, and a customer with 10,000 employees gets card numbers 1-10000 within their facility code(s). The 16-bit card number space caps a facility at 65,536 unique cards before the customer needs a second facility code — which is why large enterprises (universities, hospital networks, large corporations) typically have multiple facility codes active simultaneously.

The card transmits the 26-bit Wiegand string preceded by a 20-bit preamble (0001110000000000000) and followed by repetition — the typical Prox card transmits the full 26+20 = 46-bit message continuously, with a new transmission every ~25-30 ms while the card is in the field. The modulation is FSK2a — frequency-shift keying with two carrier frequencies, RF/8 (15.625 kHz subcarrier — 1 bit) and RF/10 (12.5 kHz subcarrier — 0 bit), at RF/50 baud (one bit every 50 carrier cycles = ~400 µs/bit = 2.5 kb/s).

iCopy-X behaviour with H10301. Auto Clone identifies HID Prox H10301 from the preamble and FSK2a modulation in well under a second. The decoded facility code and card number both appear on the LCD — the iCopy-X firmware does the Wiegand decoding automatically, so the operator sees HID Prox · FC 123 · CN 45678 rather than the raw 26-bit hex. Cloning to T5577 takes about 8-12 seconds; the iCopy-X writes the T5577 config for FSK2a / RF/50 / 3 blocks and the 96-bit Prox payload (preamble + 26-bit Wiegand + parity, packed into three 32-bit blocks). The cloned T5577 is accepted by every standard HID Prox reader (multiCLASS in “Legacy Prox” mode, ProxPro, ProxPoint, R10, RP10, RP15, RP40, RPK40, RPKCL40, and the many third-party Prox-compatible readers).

The H10301 26-bit Wiegand format is the single most-encountered card in US physical-pentest engagements. Operators should be able to recognise it on sight from the card front (HID Prox cards typically have an HID logo and a “Prox” or “ProxCard II” or “ISOProx” series name printed on them), and the iCopy-X cheatsheet (Vol 12 §4) calls it out as the headline target for Auto Clone work.

5.2 Corporate 1000 — the 35-bit format

HID Corporate 1000 (format H10302 in some legacy references, though the more common HID code is “C1k” or “Corporate 1000”) is a 35-bit Wiegand format introduced in the late 1990s to address the 16-bit card-number cap on H10301. The bit layout is:

Bits	Field	Notes
0	Parity P1	Odd parity over bits 1-34 (full-length parity)
1	Parity P2	Even parity over odd bits 2-32
2-13	Company ID (CC)	12 bits — 0 to 4095 (the “corporate” identifier)
14-33	Card number (CN)	20 bits — 0 to 1,048,575
34	Parity P3	Odd parity over even bits 2-33

The “Corporate 1000” name refers to the original 1,000-format-codes that HID issued for the customer-specific company ID field. The format is not strictly open in the way H10301 is — HID licenses Corporate 1000 format codes to specific customers, and the customer is supposed to keep their company-ID number confidential. In practice, the format is published, the bit layout is well-known, and the only “security” is the obscurity of which company ID a given facility uses.

iCopy-X behaviour with Corporate 1000. Auto Clone identifies Corporate 1000 from the 35-bit Wiegand length and decodes the company ID and card number. Cloning to T5577 is mechanically identical to H10301 — same FSK2a modulation, same RF/50 rate, slightly different block payload (the 35-bit Wiegand plus preamble plus parity fits into the same three T5577 blocks). The iCopy-X cheatsheet (Vol 12 §4) flags Corporate 1000 as a “license-protected” format — the legal posture for cloning a Corporate 1000 card is exactly the same as for any other access-control card (authorisation required), but the operator should know that the corporate ID field has more contractual weight than the H10301 facility code.

5.3 H10302, H10304, and other HID variants

HID has issued many variant Prox formats over the years. The most operationally relevant after H10301 and Corporate 1000 are:

• H10302 — 37-bit format with no facility code (just a 35-bit card number plus parity). Used in some large installations where the facility code field is not useful.
• H10304 — 37-bit format with a 16-bit facility code and a 19-bit card number (plus parity). Higher capacity than H10301 while keeping the FC+CN structure.
• HID iCLASS Prox legacy mode — physical iCLASS cards configured to also emit a Prox signal on the LF antenna. The iCopy-X reads the LF Prox layer in the standard way; the HF iCLASS layer is covered in Vol 6.
• OEM-rebranded HID Prox — HID licenses the Prox silicon to many OEM rebadgers. Lenel, Honeywell, Bosch, GE, Tyco — all have at one point sold a “ProxCard” that is mechanically an HID Prox card under the OEM’s logo. The iCopy-X reads them identically.

For any HID Prox variant the iCopy-X does not recognise by name, Read LF mode displays the raw Wiegand-style bit string and the operator can identify the format manually. The Proxmark3 wiki maintains a comprehensive table of HID format codes — verify against the proxmark.org wiki for the latest.

5.4 Why HID Prox dominates US physical pentests

The HID Prox dominance is a function of three things:

1. Installed base. Tens of millions of Prox cards are in circulation in North America. Many corporate access systems date from the early 2000s when HID Prox was the obvious choice, and the cards have been re-issued continuously since.
2. Reader compatibility. Almost every commercial access-control reader supports HID Prox in “legacy” mode, even modern multi-technology readers (HID multiCLASS, HID Signo) that prefer iCLASS or SEOS. Customers do not have to replace every card when they upgrade the reader infrastructure.
3. Zero cryptography. HID Prox has no authentication. A card that radiates the right Wiegand bit string opens the door — period. The card cannot prove it is genuine; the reader cannot prove the card is genuine; the only test is “do the bits match the panel’s access list.”

The physical-pentest implication is straightforward: any HID Prox card the operator can read for one second is a card the operator can clone in one minute. The iCopy-X turns this from a 30-minute Proxmark3-on-laptop operation into a 30-second handheld operation, which is the reason the iCopy-X exists.

6. Indala — the Motorola legacy

Indala Corporation (acquired by Motorola in the late 1990s, then by HID Global in 2003) was a separate access-control card manufacturer in the 1990s with its own 125 kHz tag family. The Indala silicon and air-interface are distinct from HID Prox — Indala uses PSK1 modulation (phase-shift keying with one phase change per bit) rather than HID’s FSK2a, and the Indala data rate is RF/2 (one bit every two carrier cycles = ~62.5 kb/s, much faster than HID Prox).

After HID acquired Indala, the Indala product line continued in parallel with HID Prox for several years, then was gradually retired through the 2010s. New installations of Indala are essentially zero in 2026; existing installations are widespread and have not all been replaced.

6.1 Indala 26-bit — the standard format

The Indala 26-bit format is a Wiegand-equivalent 26-bit payload with a different bit allocation than HID H10301:

Bits	Field
0	Parity (vendor-specific)
1-8	Facility code (8 bits)
9-24	Card number (16 bits)
25	Parity

The card transmits a 64-bit total payload (26-bit Wiegand + 38-bit preamble/framing) using PSK1 modulation. The iCopy-X auto-detects Indala from the PSK1 modulation signature and the framing pattern; the 26-bit Wiegand decoding happens automatically.

Cloning to T5577: the iCopy-X configures the T5577 for PSK1 modulation, RF/2 PSK clock, two-block transmission. The clone is electrically identical to the source and is accepted by every Indala-compatible reader. Total clone time is about 8 seconds.

6.2 Indala variants — 27-bit, 28-bit, 29-bit, Heden 200

Indala issued several variant formats over its product life:

• 27-bit Indala — adds one extra bit, used in some specific OEM rebadges
• 28-bit Indala — a longer card-number variant
• 29-bit Indala — yet another variant
• Indala Heden 200 — a parking-lot / gate-access variant with a distinct Wiegand structure

The iCopy-X auto-detects all of these from the PSK1 modulation and the framing; the specific format is displayed in Read LF mode. Cloning works identically across all the variants — the T5577 config word is the same (PSK1 / RF/2), only the block count and the payload bits differ.

6.3 ASK-Indala — the ASK variant

A subset of Indala cards (sometimes called “Indala ASK” or “Indala legacy”) use ASK modulation instead of PSK1. These are mechanically EM4100-style cards with Indala formatting. The iCopy-X auto-detects them and clones to T5577 in EM4100-emulation mode with the Indala-Wiegand payload.

6.4 Indala in physical pentests

Operators encountering Indala in 2026 are usually looking at:

• A 1990s or early-2000s installation that has not been upgraded
• A campus environment (universities especially) where partial upgrades have left Indala readers in some buildings and HID Prox readers in others
• A parking-lot or gate-access deployment that has been static for decades

The relevant physical-pentest implication is that Indala has the same zero-crypto posture as HID Prox — the card transmits a Wiegand string, the reader accepts it, no authentication occurs. Cloning is just as straightforward as HID Prox. The iCopy-X cheatsheet (Vol 12 §4) puts Indala in the same “trivial-clone” category as HID H10301.

7. AWID — American Wireless ID

American Wireless Identification Devices Inc. (AWID, founded 1992, based in California; acquired by Assa Abloy in 2017 and now under HID Global ownership but operated as a separate brand) is an access-control card manufacturer that competed with HID Prox in the 1990s and 2000s. Their 125 kHz cards use FSK modulation similar to HID but with different framing.

The icopyx.com product page lists “AWOD” in the LF feature list — this is a typo / transliteration; the correct name is AWID (American Wireless Identification Devices). The Proxmark3 codebase, the HID acquisition documentation, and every other authoritative reference use “AWID”. The iCopy-X firmware identifies it as “AWID” in the LCD readouts.

7.1 AWID 26-bit — the standard format

The AWID 26-bit format is structurally a Wiegand-equivalent format very similar to HID H10301:

Bits	Field
0	Parity
1-8	Facility code (8 bits)
9-24	Card number (16 bits)
25	Parity

The bit layout is identical to HID H10301 in fields and ordering; the difference is the air-interface — AWID uses a slightly different FSK pattern and different framing preamble. The iCopy-X distinguishes AWID from HID Prox automatically based on the modulation envelope.

Cloning to T5577 is the standard FSK2a / RF/50 / multi-block configuration. The total clone operation is similar to HID Prox — 8-12 seconds.

7.2 AWID 34-bit and 50-bit variants

AWID issued a 34-bit format for higher-capacity installations and a 50-bit format for the largest customers. The iCopy-X handles both; the format is auto-detected and the decoded facility code + card number (or the equivalent fields for the 50-bit variant) appear in Read LF mode.

7.3 AWID’s market position

AWID was a meaningful HID Prox competitor in the 1990s-2000s, with significant share in certain regional markets (notably the western US and some Asian deployments). The Assa Abloy / HID acquisition in 2017 has gradually consolidated the AWID product line under the HID umbrella; new installations of AWID in 2026 are essentially zero, but the installed base remains substantial. Operators in the field will see AWID at a noticeably lower rate than HID Prox — perhaps 5-10% the frequency — but it is far from rare.

8. T55xx-family configuration deep dive — when Auto Clone needs hand-tuning

Most of the time, the iCopy-X Auto Clone selects the correct T5577 configuration automatically from the auto-detected source family. When it does not — when the Read LF mode identifies a card with an unusual modulation or framing, or when the operator is dealing with a non-standard card family the iCopy-X firmware does not yet handle — the operator can drop to Proxmark Mode (Vol 8 §5) and configure the T5577 by hand using the lf t55xx commands. The relevant commands are:

• lf t55xx detect — read the configuration word of a T5577 in the field
• lf t55xx config — set the modulation, data rate, and other parameters on the host-side decoder
• lf t55xx write -b N -d HEX — write a 32-bit data block N with HEX value
• lf t55xx wipe — reset a T5577 to factory defaults (useful if a previous misconfiguration left the card unreadable)
• lf search — scan all known modulations to identify what the card actually is

These are Proxmark3-client commands, exposed through the iCopy-X’s Expert / Proxmark Mode escape hatch. The full reference is in the Proxmark3 RRG wiki. For day-to-day cloning the iCopy-X Auto Clone handles everything; the manual t55xx commands are for the long tail of edge cases.

9. HITAG family — HITAG 1, HITAG 2, HITAG S

The HITAG family is NXP Semiconductors’ (formerly Philips) 125 kHz tag family with actual cryptography, distinguishing it from every other family in this volume. HITAG was developed in the mid-1990s primarily for industrial and automotive applications — and the automotive use case is the one that matters operationally: HITAG 2 is the silicon inside the immobilizer transponders for many European and Asian car keys from the late 1990s to the mid-2010s. If an operator clones a car key fob, the HITAG 2 is what the operator is cloning.

9.1 HITAG 1 — the original

HITAG 1 is the original family member, with a 32-bit UID and basic challenge-response authentication using a proprietary cipher. It was used in industrial access control and early ski-resort lift systems. By 2026 it is essentially obsolete in new installations; existing installations are rare but exist.

The iCopy-X reads HITAG 1 in Read LF mode; the UID extraction works fine. The authentication is rarely actually used by the readers HITAG 1 was deployed against, so cloning the UID alone often produces a working clone.

9.2 HITAG 2 — the immobilizer

HITAG 2 is the heart of the matter. It implements a 48-bit cipher called CRY3 (the marketing name; the cryptographic literature calls it “HITAG 2” or the “HITAG 2 cipher”) with a 32-bit UID, four 32-bit memory pages, and a 48-bit secret key. The card and reader authenticate via a challenge-response protocol:

1. Reader sends a 32-bit random challenge
2. Card computes the cipher output using the key + UID + challenge
3. Card transmits the response
4. Reader verifies; if correct, the card is authenticated and the reader can read the page contents

CRY3 is cryptographically weak by modern standards — the 48-bit key space is too small (~280 trillion keys, brute-forceable in days on modern GPUs) and the cipher itself has cryptanalytic attacks that recover the key in minutes. The relevant attacks are:

• Gone in 360 Seconds (Verdult, Garcia, Balasch, 2012) — recovers the HITAG 2 key in about 6 minutes by exploiting a weakness in the cipher’s state transition.
• Crypto1 / HITAG 2 nested attack — adaptation of MIFARE Classic nested techniques to HITAG 2.

The Proxmark3 RRG firmware implements these attacks as lf hitag crack2 (the original attack) and lf hitag crack (variants). The iCopy-X inherits these via the Proxmark3 protocol layer and exposes them through the Sniff for HITAG keys mode (Vol 7 §6) and the Expert / Proxmark Mode (Vol 8 §5). The on-device key recovery takes longer than on a tethered Proxmark3 RDV4 because the NanoPi NEO H3 has less compute than a laptop, but it works — typically 10-30 minutes per HITAG 2 key on the iCopy-X versus 1-5 minutes on a Proxmark3 RDV4 with a fast laptop.

iCopy-X behaviour with HITAG 2:

• Read LF / Read HITAG 2 — extracts the UID with no authentication. The UID alone is sometimes enough for very weak access systems that check only the UID; usually it is not enough for an automotive immobilizer.
• Sniff for HITAG keys — captures a legitimate reader-and-card authentication exchange, extracts the key from the captured nonces using the Gone-in-360-Seconds attack. Requires the operator to position the iCopy-X near a real reader-card interaction (a car owner starting their car, for example).
• Clone with key — once the key is known, the iCopy-X can write a HITAG 2 blank with the same UID + key + memory pages, producing a functional clone.

The cloning target for HITAG 2 is a HITAG 2 blank, not a T5577. T5577 cannot implement the CRY3 challenge-response — it is purely a load-modulation tag with no state machine for cryptographic protocols. Lab401 sells HITAG 2 blanks as part of the Advanced tier blank-card pack; specific compatible blanks include HITAG 2 stock that supports the standard HITAG 2 read/write protocol.

The legal envelope for HITAG 2 work is sharper than for the other LF families because the most common operational target — cloning a car key — sits inside vehicle-theft statutes regardless of the operator’s intent. The legitimate use cases are: cloning your own car key (own-hardware test), an authorised car-key replacement service operating with the vehicle owner’s written consent, or a security research engagement specifically scoped to immobilizer assessment. Vol 12 §3 covers the posture in detail.

9.3 HITAG S — the successor

HITAG S (1S, 2S, 8S variants depending on memory size) is the post-HITAG 2 silicon with slightly stronger cryptography (a different cipher, larger key space) and improved memory architecture. It is used in industrial access control and some automotive applications. HITAG S is less broken than HITAG 2 cryptographically but still has known weaknesses; the Proxmark3 codebase has partial HITAG S key recovery support.

The iCopy-X reads HITAG S UIDs and supports basic cloning operations; full key recovery on HITAG S requires more recent firmware than the iCopy-X 2.0 baseline and may need to be done via the Proxmark Mode escape hatch with the latest PM3 firmware. Verify against the Proxmark3 RRG repo for current HITAG S support status.

9.4 The HITAG family is the LF crypto outlier

Every other family in this volume is uncrypto’d — the card transmits a fixed identifier and the reader trusts it. HITAG 2 specifically is the one LF family where the card actually authenticates with cryptography, and the cryptography is broken but not trivially so. The HITAG situation is closer to MIFARE Classic on the HF side (Vol 5) than to anything else in the 125 kHz band.

10. The long tail — ioProx, Viking, FDX-B, KERI, VISA2000

This section covers the next tier of LF families — less common than HID/Indala/AWID/HITAG, but still encountered regularly in field engagements. Each gets a tight treatment.

10.1 ioProx (Kantech XSF)

ioProx is Kantech’s (Tyco Security Products / Johnson Controls) 125 kHz access-control card family. The Kantech ioProx format is also called “XSF” (eXtended Serial Format), a 26-bit Wiegand-style format with Kantech-specific framing. The modulation is FSK2a similar to HID Prox but with different timing and a distinct preamble.

The iCopy-X auto-detects ioProx and decodes the facility code + card number. Cloning to T5577 is straightforward — FSK2a configuration, three-block payload. Total clone time is about 10 seconds. ioProx is encountered most in Canadian installations (Kantech is a Canadian company; their market share in Canada is comparable to HID’s market share in the US) and in some US installations where Kantech access-control panels are deployed.

10.2 Viking

Viking is a 125 kHz access-control card family with a distinctive 0xF200 preamble byte followed by a 64-bit Manchester-encoded payload. The vendor associated with Viking is less prominent than HID or Kantech; the format appears in a number of OEM-rebranded access systems, particularly older installations.

The iCopy-X identifies Viking from the preamble and clones to T5577 in ASK Manchester mode. Read and clone work as standard. Viking is encountered occasionally in field engagements, usually in older installations.

10.3 FDX-B / ISO 11784-11785 — animal identification tags

FDX-B is the animal identification standard — ISO 11784 and 11785 — used for veterinary microchipping (cats, dogs, livestock), pet identification, and fisheries / wildlife tracking. The carrier is 134.2 kHz, slightly higher than the 125 kHz LF band, and the modulation is ASK with biphase encoding (also called “differential biphase” or “DBP”).

The 128-bit FDX-B payload structure:

Bits	Field
0-37	National ID code (38-bit)
38-47	Country code (10-bit, ISO 3166 numeric)
48	Data block flag
49-63	Reserved
64-79	Animal indicator + reserved
80-95	CRC-16
96-127	Trailer / reserved

The iCopy-X’s LF antenna is tuned to 125 kHz but has acceptable margin to read 134.2 kHz FDX-B tags with reduced range. The iCopy-X 2.0 firmware decodes FDX-B and displays the country code, national ID, and CRC validity in Read LF mode. Cloning FDX-B to T5577 is partial — T5577 cannot transmit at 134.2 kHz, only at 125 kHz, so the cloned tag will not be readable by standard veterinary readers. For legitimate FDX-B work (lost-pet recovery, veterinary verification), the iCopy-X’s role is read-and-display, not clone.

The legal envelope for FDX-B work is generally permissive — animal-identification tags are not access-control tokens. The exception is regulated wildlife tagging (national park animal-tracking, fisheries enforcement), where the tags may carry regulatory significance and tampering would be a wildlife-regulation violation.

10.4 KERI / NXT-2P

KERI Systems is a 125 kHz access-control card manufacturer. Their PSK-modulated cards (PSK2 variant, sometimes PSK1) carry a 26-bit Wiegand-equivalent payload. The KERI format is auto-detected by the iCopy-X and clones to T5577 in PSK mode. KERI is encountered in commercial real-estate access systems and some specialised facility installations.

10.5 VISA2000

VISA2000 is a 125 kHz LF family with a 64-bit ASK Manchester payload. The naming has no relationship to Visa Inc. (the payment company); VISA2000 is an access-control vendor name. The iCopy-X reads VISA2000 and clones to T5577 in ASK Manchester mode. VISA2000 is uncommon in 2026 but exists in legacy installations.

11. The long-tail continued — Motorola FlexPass, Paradox, Presco, GProx, Securakey, PAC, Stanley, NexWatch

This section continues the long-tail walk-through. Each family is tight by design — these are encountered occasionally rather than routinely.

11.1 Motorola FlexPass

Motorola FlexPass is the Indala-family card line sold under Motorola branding before the HID acquisition consolidated everything. Electrically and protocol-wise, FlexPass is Indala — same PSK1 modulation, same 26-bit Wiegand format, same T5577 clone configuration (§6). The iCopy-X labels it as “Indala” in Read LF mode regardless of the OEM badge on the card.

11.2 Paradox

Paradox Security Systems is a Canadian access-control vendor with a proprietary 125 kHz card format. The card transmits a 96-bit FSK payload at RF/50; the reader-side firmware does proprietary post-processing to derive the facility code and card number. The iCopy-X reads the raw 96-bit payload; full format-correct decoding may require dropping to Proxmark Mode and using the lf paradox family of commands.

Cloning to T5577 in FSK mode with the full 96-bit payload works for many Paradox reader installations but is not universal — some Paradox readers have anti-clone heuristics that reject T5577 emulation. The workaround in those cases is a Paradox-specific blank if available, or a Proxmark Mode operation to fine-tune the FSK timing.

11.3 Presco

Presco is a 125 kHz card family with a 32-bit serial number in ASK Manchester. It is encountered in older industrial and educational installations. The iCopy-X reads Presco and clones to T5577 routinely.

11.4 GProx (Guardall G-Prox-II)

Guardall’s G-Prox-II (commonly just “GProx”) is a 125 kHz FSK2a card with 26-bit or 36-bit Wiegand-equivalent payload. Guardall is a UK-based access-control vendor; GProx is encountered in UK and European installations. The iCopy-X reads and clones GProx as a standard FSK Wiegand format.

11.5 Securakey

Securakey is a US-based access-control vendor with a 125 kHz ASK Manchester card family at RF/40 rate (note: faster than the typical RF/64 of EM4100, slower than HID’s RF/50). The 26-bit Wiegand-equivalent payload is the standard format. The iCopy-X handles Securakey at the RF/40 data rate without manual configuration.

11.6 PAC

PAC (originally “Personal Access Card” or “PAC-21”) is a 125 kHz FSK card family used primarily in UK and European access-control installations. The PAC format is an 8-byte EM-like payload with the PAC vendor’s framing. The iCopy-X reads PAC and clones to T5577 routinely.

11.7 Stanley

Stanley access-control cards (Stanley Security, the broader Stanley Black & Decker brand) use a PAC-compatible format — Stanley acquired PAC’s parent at some point in the 2010s and harmonised the formats. From the iCopy-X side, Stanley and PAC are effectively the same family. The iCopy-X labels them according to the framing it detects.

11.8 NexWatch (Honeywell NexKey / Quadrakey)

NexWatch is Honeywell’s 125 kHz card family, marketed as “NexKey” and “Quadrakey” depending on the era. The format is a 56-bit PSK-modulated payload. NexWatch is encountered in Honeywell-installed access-control systems, particularly mid-2000s to mid-2010s installations.

The iCopy-X auto-detects NexWatch and clones to T5577 in PSK configuration. The 56-bit format requires careful block-count configuration on the T5577 (two blocks plus partial third block); the iCopy-X handles this internally.

12. The “iCopy-X → T5577 in one Auto Clone” summary

For the supermajority of LF cards an operator encounters, the workflow is identical:

1. Hold the source card against the iCopy-X LF antenna face.
2. Press the Auto Clone key sequence (Vol 7 §2).
3. Wait for the LCD to display the identified family and the decoded payload (typically 1-3 seconds).
4. Remove the source card; hold a T5577 blank against the same antenna face.
5. Press the second Auto Clone key. The iCopy-X writes the T5577 config word and the data blocks (typically 5-10 seconds).
6. Verify by re-reading the T5577 — the LCD should display the same identified family and decoded payload.

Total operator time: 15-30 seconds for a typical EM4100 / HID Prox / Indala / AWID / ioProx clone.

The families that do not fit this one-Auto-Clone workflow:

• HITAG 2 — requires key recovery first (Sniff mode, several minutes to several hours), then clone-with-key to a HITAG 2 blank rather than T5577.
• Paradox — may need Proxmark Mode for format-correct cloning.
• FDX-B — read-and-decode only; not cloneable to T5577 due to the 134.2 kHz carrier mismatch.
• EM4305 with password protection — requires the password before reading; the iCopy-X tries default passwords first, then prompts.
• iCLASS Legacy / SE / SEOS — these are HF, not LF, and are covered in Vol 6. Mentioned here only because some operators mistakenly look for them in the LF section.

For the other 90+ percent of cards in this volume, Auto Clone to T5577 is the entire workflow. The iCopy-X cheatsheet (Vol 12 §4) reinforces this — the LF section of the cheatsheet is essentially “use Auto Clone, use T5577, you are done.”

13. Common gotchas and field troubleshooting

The most common problems an operator hits on the LF side, and how to resolve them on the iCopy-X:

• “Card not detected” with a card visibly in the field. The card may be a HF-only card (MIFARE, iCLASS) being held against the LF antenna face. Confirm the card type — try the HF face. The iCopy-X LF and HF antennas are on the same PCB but optimised for different carrier frequencies; misalignment significantly reduces read range.
• “Unknown LF family” on a card that ought to be supported. The card may be a regional variant the iCopy-X firmware does not have built-in detection for. Drop to Read LF mode and check the raw modulation envelope; if it looks like a recognisable family with non-standard framing, use Proxmark Mode lf search to identify it. If it is genuinely a novel format, the iCopy-X cannot clone it without a firmware update.
• Clone succeeds but the door does not open. Several possible causes: (1) the reader has anti-clone heuristics that reject T5577 emulation — try cloning to a different blank type (EM4305 for EM4100, HITAG 2 blank for HITAG 2). (2) The decoded facility code or card number is wrong — re-read the source and verify. (3) The reader uses a non-LF additional layer (multi-tech reader checking both LF and HF) — investigate further.
• T5577 clone reads as a different family than the source. The T5577 config word may have been corrupted. Re-clone, and if the problem persists, lf t55xx wipe the T5577 first and then re-clone.
• EM4305 clone refuses to write. The EM4305 may have a non-default password set. Try lf em 4x05_dump or the iCopy-X’s EM4305 password-guess workflow.
• HITAG 2 key recovery seems stuck. The on-device key recovery takes 10-30 minutes per HITAG 2 key on the NanoPi NEO. If it is genuinely stalled, drop to Proxmark Mode and run the recovery via the laptop-tethered PM3 client for faster results.
• “Out of memory” or “no T5577 blank detected” with a T5577 visibly held to the antenna. The T5577 may be a counterfeit or low-quality batch — the iCopy-X writes may be failing silently. Try a known-good Lab401 “Genuine” T5577 from the included pack (Vol 9 §3).

14. Looking ahead — what cards to expect, and what is changing

The LF tag families covered in this volume are mature technologies. New installations of pure-LF access control are rare in 2026; the industry direction is clearly toward HF technologies (iCLASS SE, SEOS, MIFARE DESFire, BLE-based “mobile credentials”) that have actual cryptography. The installed base of LF cards, however, will not disappear quickly — corporate access-control systems have 15-25 year replacement cycles, and the cards in circulation now will still be in service through the 2030s and into the 2040s.

The trends an operator should track:

1. HID multiCLASS and Signo readers. HID’s current reader line supports both LF (Prox / iCLASS Legacy) and HF (iCLASS SE / SEOS / MIFARE) on the same reader. Many corporate accounts are migrating to multiCLASS readers but keeping their Prox cards in service. The iCopy-X clone of a Prox card will continue to work against a multiCLASS reader configured for Prox compatibility — but only as long as the reader is configured that way. Site-level decisions to disable Prox compatibility are increasingly common.
2. Anti-clone heuristics in modern readers. Some HID multiCLASS, Signo, and third-party readers have configurable anti-clone modes that reject T5577 emulation. The percentage of installations with anti-clone enabled is growing slowly. Operators should expect to encounter readers that reject T5577 clones at a rate of 5-15% in 2026, rising over time. The fallback is EM4305 for EM4100 clones and the corresponding “native silicon” blank for other families (Vol 9).
3. iCLASS Legacy LF deprecation. Some HID iCLASS cards also emit a Prox-equivalent LF signal for backwards compatibility. HID is gradually deprecating this LF layer on new cards. Operators may see iCLASS cards that read fine on the HF side but show no LF signal at all — these are post-2020 iCLASS cards with the LF layer disabled at the factory.
4. HITAG 2 in automotive. HITAG 2 is being replaced in new car designs by stronger immobilizer chips (HITAG AES, Megamos AES, NXP NCx). Existing HITAG 2 cars will be on the road for decades, but new-car immobilizer cloning will require techniques outside the iCopy-X’s current capability set.
5. EU-driven access-control standards. The EU’s eIDAS regulation and some related directives are pushing toward standardised access tokens with actual cryptography. This is HF-focused (SEOS, MIFARE Plus / DESFire) and will not affect LF tag installations directly.

For an operator updating their mental model of the field: expect LF to remain a substantial fraction of the working environment for the next decade, expect anti-clone heuristics to gradually erode the universal-T5577 strategy, and expect HITAG 2 to remain the LF-side crypto target until the automotive installed base finally retires.

15. Cross-references and onward reading

• Vol 1 — Overview — the decision graph that put the iCopy-X in the bag in the first place.
• Vol 3 — RFID / NFC primer — the physics layer: load modulation, Manchester encoding, the resonant air-coil. The “why” beneath every “what” in this volume.
• Vol 5 — HF tag families Part 1 (MIFARE) — the high-frequency side of the cloning story, including the MIFARE Classic key-recovery attacks that have no LF analogue except for HITAG 2.
• Vol 6 — HF tag families Part 2 (iCLASS, SEOS, ISO 15693, FeliCa) — the high-end HF families and the iCS Decoder Tool.
• Vol 7 — Operating modes Part 1 (Auto Clone, Read LF, Sniff) — the LF workflows in operational detail. This volume’s families plus that volume’s modes is the field-ready combination.
• Vol 8 — Operating modes Part 2 (Emulation, Proxmark Mode) — when Auto Clone falls short, this is where to go.
• Vol 9 — Card-stock ecosystem (T5577, EM4305, HITAG 2 blanks, MIFARE Magic) — the blanks themselves, in detail.
• Vol 11 — Side-by-side comparisons — how the iCopy-X’s LF capability stacks against Proxmark3 RDV4, Flipper Zero, and cheap handheld duplicators.
• Vol 12 — Legal, posture, cheatsheet — the legal envelope for LF cloning work, especially HITAG 2 and corporate HID Prox engagements.

External authoritative references:

• Proxmark3 RRG repository and wiki — https://github.com/RfidResearchGroup/proxmark3 — the canonical implementation of every LF family decoder and the T5577 / EM4305 / HITAG 2 attack code.
• EM Microelectronic-Marin datasheets — https://www.emmicroelectronic.com/ — the EM4100, EM4102, EM4200, EM4205, EM4305 datasheets are the primary reference for the EM family.
• Microchip ATA5577C datasheet — the canonical T5577 reference post the Atmel acquisition; available from Microchip’s product page.
• HID Global format reference — HID publishes the H10301, H10302, H10304, and Corporate 1000 bit layouts in their integrator documentation. Some are publicly available via the HID developer site; others require an integrator account.
• “Gone in 360 Seconds” paper — Verdult, Garcia, Balasch (2012), the foundational HITAG 2 cryptanalysis. Available from the authors’ academic pages.
• Iceman’s Proxmark3 fork documentation — historically the most aggressive LF-attack development source; the work is now upstreamed into RRG mainline.

The next volumes (Vols 5 and 6) cover the HF side — MIFARE, iCLASS, SEOS, ISO 15693. The operational-mode volumes (Vols 7 and 8) tie this technology-family knowledge to the actual iCopy-X workflows. The blank-card volume (Vol 9) goes deep on the T5577 / EM4305 / HITAG 2 blank stock that this volume’s clone operations depend on.