Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello community,
I have a strange issue to share.
I have a pure EM410x tag here. Nothing special on it, just the UID and the EM410x tag ID.
I can easily copy it with the xfpga cloner and dongle (thanks Michael).
It gets copied with both pieces of information, the UID and the 410x tag ID.
So I just wanted to do the same thing with the Proxmark, with a brand new, never used tag (UID writable fob).
lf em410 em410xwatch with the original dongle gives me:
lf em410 em410xread gives me:
Nothing. No output.
lf em410 em410xwrite UID 0 gives me
blah blah written to file.
In fact, it's not written.
lf em410 em410xwrite UID 1 64 gives me
blah blah written to file.
In fact, it's not written.
The dongle is empty, as it was never used.
I believe something is wrong, because the Proxmark option 410xread is not working: no output, nothing. Only the 410xwatch command seems to work.
Any idea what the problem is? Doing it with the 410x cloner from xfpga solves it; it is copied 1:1 and works on my door.
Thanks in advance.
Sometimes you need to kickstart the Proxmark client with:
lf read
data samples 16000
then
lf em410 em410xwatch
lf em410 em410xread
Then I find it usually works.
Will try on Monday and report then. How can I write the UID to the fob? I can write the tag ID, I think, but not the UID. How did the cloner handle it?
Hello,
Just my results. In fact you can use em410xwatch and an em410xread. So I tried it like this:
em410xwatch: works. Changing the tag, em410xread: old data from the first tag.
Writing doesn't work, never, so I assume there is a bug.
Thanks
Strange, do you know the tag you're trying to write to? I have a bunch of T5577s and I can write to them fine.
My understanding is that if you're using a different writable tag (e.g. Q5), the configuration block code may be different.
Maybe I am doing it wrong (wrong commands).
Let me review it:
First I did:
proxmark3> lf em4x em410xwatch
#db# buffer samples: 00 00 12 1d 17 1f 36 3b ...
Reading 16000 samples
Done!
Auto-detected clock rate: 64
EM410x Tag ID: 01074082c0
Unique Tag ID: 080e201430
So, I want an exact copy of the EM410x tag.
It works with the cloner from xfpga (both the EM410x Tag ID and the Unique Tag ID were "cloned").
Next I do
lf em4x em410xwrite 080e201439 1
Writing T55x7 tag with UID 0x080e201439 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff8220e940349a56
and: it's NOT written
proxmark3> lf em4x em410xwatch
#db# buffer samples: 00 00 00 00 10 1c 16 1e ...
Reading 16000 samples
Done!
Auto-detected clock rate: 64
EM410x Tag ID: 0000000000
Unique Tag ID: 0000000000
I am not sure what kind of empty token it is; I bought them at xfpga and it works with the em410 cloner device like a charm.
Maybe my commands are wrong?
Let me know what commands you use to clone an EM410x tag.
Thanks
I believe that your problem is related to the keyfobs that you are using.
Although those fobs are sold as "read/write" they are actually only writeable when using one of those Chinese cloners. Those cloners (and associated fobs) utilize the password feature such that they cannot be overwritten by another device (like the Proxmark).
I believe the solution would be for you to purchase unmodified "T55x7" Read/Write tags. If it specifically says "T55x7" then you can be sure that the password feature of the chip has not yet been enabled and it should be writeable using the Proxmark.
Here is an example of an unmodified T5577 fob:
http://www.ebay.com/itm/RFID-125KHz-Wri … 19d5eb0eab
I bought them at xfpga, and they look exactly like the one shown on eBay. But I cannot be sure if they are compatible or whatever.
I will order some T55x7 cards (not fobs) at xfpga. Are they UID changeable then? I simply need to clone the EM410x card to a blank card.
The EM410x card has only its ID; there isn't a separate UID. When emulating this with the T55x7 you are emulating the EM410x's ID, so you do not need to change the T55x7 TID (tag ID), which is not possible anyway.
Thanks for clearing that up.
Those cloners (and associated fobs) utilize the password feature such that they cannot be overwritten by another device (like the Proxmark).
I too bought a cloner for quick and easy cloning of EM fobs for when it would be inconvenient to carry my Proxmark3.
As carl55 mentions - when it clones the ID to (in my case a T55x7 card) it sets the password bit. This means that card, from that point onwards, is only useable with the cloner and can no longer be programmed by the Proxmark.
I was wondering if it'd be possible to reset the Password bit in the configuration block so I connected a logic analyser across the resistor that drives the cloner's coil with the following results:
>> Hand-held standalone cloner programming EM tag with EM410x Tag ID: 307e3cf61c, Unique Tag ID: c0e7c3f683
Result: 5 x 70bit sequences are transmitted during the programming
[1+Page select] [Password 1-32] [Lock Bit] [Data 1-32] [Addr 2-0]
10 01010001001001000011011001001000 0 01010001001001000011011001001000 111 = block 7
10 01010001001001000011011001001000 0 01010001001001000011011001001000 111 = block 7
10 01010001001001000011011001001000 0 11111111100110000000111111101001 001 = block 1
10 01010001001001000011011001001000 0 10110001111001100000111100000010 010 = block 2
10 01010001001001000011011001001000 0 00000000000101001000000001010001 000 = block 0
From the card datasheet, if the PWD bit is set then a 32-bit password is transmitted first (following the initial '10' opcode) and is compared with the password in block 7.
The first two of the 70-bit programming sequences send the opcode, password, lock bit = 0, and then set the same password in block 7:
01010001001001000011011001001000 = Password bits (1-32) = hex 51 24 36 48
The datasheet mentions that the bits are sent in the order that they're read, so the password should be (hex) 51243648
(If the password were to be reversed to natural bit-order: 00010010011011000010010010001010 = Password bits (32-1) = Hex 12 6C 24 8A )
Block [1] is then written:
11111111 10011000 00001111 11101001 = FF 98 0F E9
Block [2] is then written:
10110001 11100110 00001111 00000010 = B1 E6 0F 02
Then finally Block [0] is written:
Safer Reserved Data Bit Rate, etc. etc.
0000 0000000 1010 01000 00 0 0 010 [1] 0 0 0 1 = 00 14 80 51
The PWD set bit is indeed set to 1 (shown in [] above)
Setting this to zero would give Block 0 hex = 00148041
(The block Hex align with the values given by the EM4100 blocks calculator xls someone kindly invested time to write and share so I'm confident the data I grabbed from the logic analyser is accurate).
My question - should it be possible to use the Proxmark command lf em4x writewordPWD <Data> <Word> <Password> where word = 0, data is 00148041 and password is 51243648 to reset PWD bit in the configuration block, and therefore make the card once again programmable by Proxmark?
Incidentally, the command writewordPWD is missing from the Proxmark Tool settings.xml so I added the following:
<section title="EM4xxxWriteWordWithPassword" tooltip="Write EM4xxx word data" uniqueId="writewordpwd">
<item type="drop-down" defaultValue="" values="0:15" tooltip="Select word to write" uniqueId="modeTextbox" label="Word to Write:" width="30"/>
<item type="textbox" defaultValue="00000000" tooltip="Password value: 8 hex characters" uniqueId="em4xxxpass" label="Password:" width="80" />
<item type="textbox" defaultValue="01020304" tooltip="Data to be written" uniqueId="em4xxxdata" label="Data:" width="80" />
<item type="button" text="WRITE WORD" tooltip="Press button to write EM4xxx word" action0="lf em4x writewordPWD $em4xxxdata $modeTextbox $em4xxxpass" />
</section>
I've tried several permutations of password (normal, reversed etc). I've also tried the command lf em4x readwordPWD 0 51243648 which should theoretically read and show the data in block 0 in password mode? but nothing is returned.
Any help and guidance in clearing the PWD bit given the above would be appreciated.
Thanks
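The five captured frames above can be checked mechanically. The following is an added example written for this thread, not code from the Proxmark project or from gbhuk: it splits each 70-bit password-mode write frame into opcode, password, lock bit, data and address as laid out in the post, replays the frames to recover the block contents, decodes the EM410x payload in blocks 1 and 2 (and re-encodes it, which also reproduces the 0xff8220e940349a56 that hheile's em410xwrite reported), and picks the PWD bit and a few neighbouring fields out of block 0. The bit strings are copied from the post; the function names and the partial bitrate/modulation tables are this example's own choices, simplified from the T5577 datasheet.

```python
"""Decode the T55x7 programming frames captured from the cloner and check the
EM410x payload they carry. Added example for this thread, not Proxmark code."""
from __future__ import annotations

# Five frames copied from gbhuk's logic-analyser capture, spaces as posted.
CAPTURED_FRAMES = [
    "10 01010001001001000011011001001000 0 01010001001001000011011001001000 111",
    "10 01010001001001000011011001001000 0 01010001001001000011011001001000 111",
    "10 01010001001001000011011001001000 0 11111111100110000000111111101001 001",
    "10 01010001001001000011011001001000 0 10110001111001100000111100000010 010",
    "10 01010001001001000011011001001000 0 00000000000101001000000001010001 000",
]

# T5577 block 0 fields relevant here (datasheet bit numbers, 1 = MSB).
# Both tables are deliberately partial; unknown modulations come back raw.
BITRATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0b01000: "Manchester", 0b00000: "Direct", 0b10000: "Biphase"}


def parse_frame(frame: str) -> dict:
    """Split a password-mode write: opcode(2) pwd(32) lock(1) data(32) addr(3)."""
    bits = frame.replace(" ", "")
    if len(bits) != 70 or set(bits) - {"0", "1"}:
        raise ValueError("expected 70 bits of 0/1")
    return {
        "opcode": bits[0:2],            # '1' + page-select bit; '10' = page 0
        "password": int(bits[2:34], 2),
        "lock": bits[34] == "1",        # lock bit: irreversible, unlike PWD
        "data": int(bits[35:67], 2),
        "addr": int(bits[67:70], 2),
    }


def reconstruct_blocks(frames: list[str]) -> tuple[int, dict[int, int]]:
    """Replay the frames in order; return the password used and final block contents."""
    password = None
    blocks: dict[int, int] = {}
    for f in frames:
        w = parse_frame(f)
        if password is None:
            password = w["password"]
        elif w["password"] != password:
            raise ValueError("cloner switched password mid-sequence")
        if w["lock"]:
            raise ValueError(f"block {w['addr']} would be locked for good")
        blocks[w["addr"]] = w["data"]   # block 7 written twice; same value both times
    return password, blocks


def decode_config(block0: int) -> dict:
    """Pick the thread-relevant fields out of T5577 block 0."""
    b = f"{block0:032b}"
    field = lambda lo, hi: int(b[lo - 1:hi], 2)   # inclusive datasheet bit numbers
    mod = field(16, 20)
    return {
        "bitrate": BITRATES[field(12, 14)],
        "modulation": MODULATIONS.get(mod, f"raw {mod:05b}"),
        "maxblock": field(25, 27),
        "pwd": b[27] == "1",   # bit 28: password mode
        "st": b[28] == "1",    # bit 29: sequence terminator
    }


def clear_pwd_bit(block0: int) -> int:
    """Bit 28 counted from the MSB is 1 << 4 counted from the LSB."""
    return block0 & ~(1 << 4)


def em410x_encode(uid_hex: str) -> tuple[int, int]:
    """64-bit EM410x frame: 9 header ones, 10 rows of nibble + even parity,
    4 column parity bits, stop 0; returned as T55x7 blocks 1 and 2."""
    if len(uid_hex) != 10:
        raise ValueError("EM410x ID is 40 bits / 10 hex digits")
    bits, col = "1" * 9, [0, 0, 0, 0]
    for ch in uid_hex:
        row = f"{int(ch, 16):04b}"
        bits += row + str(row.count("1") % 2)
        col = [c ^ int(r) for c, r in zip(col, row)]
    bits += "".join(map(str, col)) + "0"
    return int(bits[:32], 2), int(bits[32:], 2)


def em410x_decode(block1: int, block2: int):
    """Inverse of em410x_encode; None if header, row or column parity is wrong."""
    bits = f"{block1:032b}{block2:032b}"
    if bits[:9] != "1" * 9 or bits[63] != "0":
        return None
    col, nibbles = [0, 0, 0, 0], []
    for r in range(10):
        row = bits[9 + 5 * r: 14 + 5 * r]
        if row[:4].count("1") % 2 != int(row[4]):
            return None
        col = [c ^ int(x) for c, x in zip(col, row[:4])]
        nibbles.append(f"{int(row[:4], 2):x}")
    if bits[59:63] != "".join(map(str, col)):
        return None
    return "".join(nibbles)


if __name__ == "__main__":
    pwd, blocks = reconstruct_blocks(CAPTURED_FRAMES)
    print(f"password written to block 7: {pwd:08x}")
    print(f"EM410x ID in blocks 1/2: {em410x_decode(blocks[1], blocks[2])}")
    print(f"block 0 as written: {decode_config(blocks[0])}")
    print(f"block 0 with PWD cleared: {clear_pwd_bit(blocks[0]):08x}")
```

Running it prints password 51243648, ID 307e3cf61c, a block 0 of RF/64 Manchester, max block 2, PWD set, and 00148041 as the value to write back, matching the analysis in the post. The same encoder turns hheile's 080e201439 into FF8220E9 / 40349A56, the value his em410xwrite reported, which is a quick way to confirm that a T55x7 block pair really carries the ID you expect before writing it.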
If you are working with a t55x7(as it appears you are) then you will need the command for the t55x7 write block with password. Though I believe you are confusing the locking bit with the password protection mode. If the lock bit is set for a block it cannot ever be written to again by any writer.
The em4x commands only work with an em4x chip, not a t55x7 chip emulating an em410x chip.
then you will need the command for the t55x7 write block with password
Thanks - of course! - it almost seems obvious when you point it out. I'll continue to experiment along those lines.
No confusion over the locking bit. As the output from the logic analyser shows these are not set when the cloning device writes to blocks 7, 1, 2 and 0. I'm hoping for a way to reset the PWD bit (bit 28 of configuration block 0).
i. For a *non* PWD bit-set card the output is:
proxmark3> lf t55xx readblock 0
Reading block 0
proxmark3>
proxmark3> #db# DONE!
How can any data that was read (if anything) be displayed?
ii. For a PWD bit-set card the output is:
proxmark3> lf t55xx readblockPWD 0 51243648
Reading block 0 with password 51243648
proxmark3>
No confirmation of the read and, likewise - is it possible to show any data read?
iii. Attempting to write to block 0 gives:
proxmark3> lf t55xx writeblockPWD 00148051 0 51243648
Writting block 0 with data 00148051 and password 51243648
proxmark3>
The PWD bit isn't reset so something's still not quite working. Seeing how the block 0 block reads go, if possible, would help troubleshoot...
I'm using 0.0.2, which I believe is the latest.
Thanks for your guidance.
Success - it works!
I'd accidentally used the original block-0 data of 00148051 in my first test, not the modified block-0 of 00148041 which resets the PWD bit.
Using command lf t55xx writeblockPWD 00148041 0 51243648 resets the PWD bit to zero and the T55xx card is now programmable again by Proxmark.
Hope this helps anyone who's used the cloner and therefore 'tied' their cards to it. Hopefully all cloners (as pictured by hheile above) have set the same generic password.
I'll likely purchase the standalone HID version of the cloner, for convenience, now that I'm confident I can reverse engineer its password too.
I forgot to add - thanks marshmellow for pointing me to the right command!
Now I guess I need to dig deeper into the code to figure out how to show the data read from the readblock command...
There might be a need to have a lf t55xx cmd that resets the pwd-bit.. Something to put in a wish list I guess.
gbhuk,
out of curiosity what logic analyser did you use?
out of curiosity what logic analyser did you use?
https://www.saleae.com/logic
An updated version that includes analog channels and faster sampling rates is due out shortly.
Have a question. In stand-alone mode, will the PM3 open just about any HID LF reader?
*****
I've never used the PM3 in stand-alone HID simulator mode but there's a thread on using it here: http://www.proxmark.org/forum/viewtopic.php?id=96.
Perhaps it would be better to follow up and ask this new question there.
*****
This thread is about the Chinese cloner (shown at the photo in the top of the thread) setting the password protect bit on a card (or tag) when it programs them, effectively rendering them non-programmable by a PM3 unless the password is known. It's possible to reset the password protect bit on the tags and allow them to be written by the PM3 (assuming all cloners have the same password of 51243648 set in their firmware) by issuing the command:
lf t55xx writeblockPWD 00148041 0 51243648
There might be a need to have a lf t55xx cmd that resets the pwd-bit.. Something to put in a wish list I guess.
El Gaucho's Proxmark client does the job:
I've added the following section to my copy and can now reset the PWD bit with a single click.
<section title="T55XX RESET PWD BIT" tooltip="Reset T55xx PWD configuration bit in block 0" uniqueId="t55xxpwdreset" >
<item type="textbox" defaultValue="00148041" tooltip="8 hex characters" uniqueId="t55xxdata" label="Data to Write:" width="60" />
<item type="drop-down" defaultValue="0" values="0:0" uniqueId="t55xxblock" label="Block:" width="30" />
<item type="textbox" defaultValue="51243648" tooltip="8 hex characters" uniqueId="t55xxpwd" label="Password:" width="60" />
<item type="button" text="RESET PWD BIT" tooltip="Reset PWD configuration bit in block 0" action0="lf t55xx writeblockPWD $t55xxdata $t55xxblock $t55xxpwd" />
</section>
Last edited by gbhuk (2014-10-11 14:17:01)
I have the exact Chinese fob, which I purchased from AliExpress.
I also faced issues writing to it using the PM3. I tried using the command:
lf t55xx writeblockPWD 00148041 0 51243648
to reset the password and rewrite the fob. However, it doesn't work.
I guess mine is from a different source. Are there any other things I could try to crack this fob?
Perhaps the fob is EM4x based rather than t55x based, in which case the command
lf em4x writewordPWD 00148041 0 51243648
may work.
Just tried, doesn't work.
Just to understand, will this command remove the password requirement from the fob?
Or do I still need to include the password when I write to the fob?
In the past I wrote with these commands to duplicate my card:
lf t55xx writeblock FF000000 2
lf t55xx writeblock 01402949 1
lf t55xx writeblock 000c8040 0
Do I need to include the password in them now?
A bit of background.
My Chinese cloner sets the PWD bit in block 0 on any t55xx card I clone with it, and at the same time stores the password 51243648 in block 7.
From that point onward, to re-program the card it expects to see the same password being sent with the write command.
If the password isn't sent by the Proxmark then the card ignores any further write commands and the data on the card remains unchanged.
What the command "lf t55xx writeblockPWD 00148041 0 51243648" does is to reset the PWD bit to zero, at the same time as supplying the card with the password it expects to see. The card accepts the write command because the password is correct and from that point onward I can use normal writeblock commands without sending the password any more.
Unfortunately if the PWD bit has been set on your fob and the above command doesn't work for you then it's probably because a different password has been set on your fob by whatever device last programmed it. Without knowing that password then I don't think it's possible to re-program the fob.
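The gating rule gbhuk describes is easy to get wrong in practice (his own first attempt sent the right password but left bit 28 set), so here is a small model of it as an added example for this thread. It is not Proxmark code and not a full T5577 emulation: it only reproduces the rule that, once the PWD bit in block 0 is set, a write is accepted only if it carries the block 7 password, plus the separate per-block lock bit marshmellow pointed out. Frame timing, page 1 and the other configuration fields are ignored; the class and function names and the `write()` signature are this example's own.

```python
"""Minimal model of how T5577 password mode gates writes.
Added example for this thread, not Proxmark code and not a full T5577 emulation."""

PWD_BIT = 1 << 4        # block 0 bit 28 counted from the MSB


class T55x7Sim:
    def __init__(self, block0: int, block7: int = 0, blocks=None):
        self.blocks = {i: 0 for i in range(8)}
        self.blocks.update(blocks or {})
        self.blocks[0] = block0
        self.blocks[7] = block7         # the password lives here
        self.locked = set()             # blocks whose lock bit has been set

    def password_required(self) -> bool:
        return bool(self.blocks[0] & PWD_BIT)

    def write(self, addr: int, data: int, password=None, lock: bool = False) -> bool:
        """True if the tag accepts the write, False if it silently ignores it."""
        if addr in self.locked:
            return False                # lock bit: no writer can undo this
        if self.password_required() and password != self.blocks[7]:
            return False                # missing or wrong password: frame ignored
        self.blocks[addr] = data & 0xFFFFFFFF
        if lock:
            self.locked.add(addr)
        return True


def cloner_locked_tag() -> T55x7Sim:
    """State the Chinese cloner leaves behind (values from the capture in this thread)."""
    return T55x7Sim(block0=0x00148051, block7=0x51243648,
                    blocks={1: 0xFF980FE9, 2: 0xB1E60F02})


def reset_pwd_bit(tag: T55x7Sim, password: int) -> bool:
    """The 'lf t55xx writeblockPWD 00148041 0 51243648' step: keep block 0 as it
    is but clear bit 28, sending the password the tag expects."""
    return tag.write(0, tag.blocks[0] & ~PWD_BIT, password=password)


if __name__ == "__main__":
    tag = cloner_locked_tag()
    print("plain writeblock accepted:", tag.write(2, 0xFF000000))       # False
    print("reset with 00000000:", reset_pwd_bit(tag, 0x00000000))       # False
    print("reset with 51243648:", reset_pwd_bit(tag, 0x51243648))       # True
    print("plain writeblock accepted now:", tag.write(2, 0xFF000000))   # True
```

The model also shows why the two failure modes discussed in the thread look identical from the outside: a write with the wrong password and a write to a locked block both leave the tag unchanged with no error, which is exactly what genexis saw. The real tag gives no feedback either, so the only reliable check is a read-back.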
A couple of further thoughts - though they may be long-shots.
If the PWD bit has been set in block 0 but the password itself hasn't been set in block 7 then the password could be all zeros or all ones.
Try:
lf t55xx writeblockPWD 00148041 0 00000000 - which will reset the PWD bit IF the password is all zeros.
lf t55xx writeblockPWD 00148041 0 FFFFFFFF - which will reset the PWD bit IF the password is all ones.
If you get lucky then your standard writeblock commands would then work.
Hey, thanks for the info. I tried using zeros and ones as the password but it still doesn't work.
I have emailed the source of the fobs to ask if they have the password; let's see if they give it to me.
Just an update: the Chinese source assured me that none of their fobs are password protected. I replied telling her to check again.
After much trying and purchasing more fobs from different Chinese retailers, none of the fobs work.
Is there a way I can try to extract the password from the fob, if there is one?
Source of fob: http://www.aliexpress.com/snapshot/6182078200.html
Sounds more likely that there may be an issue with your Proxmark or antenna. Write commands tend to require a stronger connection than a read command, and with a small key fob your antenna has to be very good to make it work. You might have better luck either with a better antenna or with a full card instead of a fob.
Hey marshmellow, I thought so too in the beginning. But what I did was make sure that the data plot showed the peaks tapering off. I'll use lf em4x em410xwatch and position the fob where the peaks are maxed/tapered. Do you think this is enough?
I'm using a custom antenna that measures 3" by 3". I cannot remember how many turns of copper wire I used. Do you suggest I should make an antenna specially for the fobs?
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 29.00 V @ 125.00 kHz
# LF antenna: 37.19 V @ 134.00 kHz
# LF optimal: 41.36 V @ 127.66 kHz
# HF antenna: 0.16 V @ 13.56 MHz
# Your HF antenna is unusable.
proxmark3>
I'm certainly no expert on antennas, but I've read that large antennas have difficulty with small tags. (Though 3x3 isn't that big.) I also thought the antenna is considered tuned when the 125 kHz voltage is about the same as the optimal. Yours looks a little off. But again, I'm just going by what I've read here, as I have very little experience making antennas.
Last edited by marshmellow (2014-08-24 13:17:31)
http://www.proxmark.org/forum/viewtopic.php?id=1992
Talks about large antennas and small tags.
29 V is an OK value; everything above 20 V should work fine.
Stayed up late but finally got a process in place and reset a bunch of T5557s I purchased from a Chinese online supplier back to T55x7 default emulation, thanks to the work above. Thanks all, especially gbhuk and genexis.
Here is what I did:
1) Proxmark3 - latest version 0.0.2 - updated firmware
2) Used the Proxmark Client by El Gaucho: PM3/LF/T55XX/T55XX WRITE BLOCK (PWD), Data to write: 000880E8 / Block 0 / Password 51243648
This will put the card back to the initial setup if the password matches. (Luckily for me) ALL my fobs from different suppliers were set to EM4100 emulation with the same password.
4) Now you can use the T5557 to emulate HID/EM4100 etc.
I found the hex value by using P1D uRFID, as it has an "SCB" command (Setup T5557) which resets block 0 to 000880E8, so I guessed it's a good starting point.
Hope this helps a few of you. Good luck.
Hey diaconom,
I tried your suggestion:
lf t55xx writeblockPWD 000880E8 0 51243648
on all my tags... I have like 4 different ones from various sources; none of them worked for me.
I even tried updating my bootloader, OS, FPGA... but it's still not working.
If you like, you can PM me your address and I'll send some of these fobs over for you to try.
Are you sure they are not EM4100 fobs? I fell for "cheap" once when I ordered from alixxxxx without checking the description; they ended up being EM4100 and are read only.
I sacrificed a few fobs and opened them up to check the IC (brute force). Once open you can normally see a tag on the IC; I found 57, 4100, AH, YP.
The 57 batch are obviously T5577 chips, and likewise the 4100 are read-only EM4100 chips. The AH has the same size as the T5557 and operates like the T5557, but I'm not 100% sure. YP I'm still not sure about. Does anyone have a document with the chip identifications?
@Genexis --- how does one send a PM on this board? Can you PM me and I'll respond with my address.
Hmm, I can't either. Send your address to c h y e nw @ g e n e x i s (dot) net
Allow me to suggest we create a database with the passwords of these Chinese RFID handheld devices?
A friend passed me one of the new "fancy" handheld multi-frequency IC cloners, which even speaks out the UIDs in Mandarin... you can get it from aliexpress /item/Upgrade-Handheld-125Khz-13-56MHZ-9-frequecny-RFID-Duplicator-Copier-Writer-10pcs-125KHZ-cards-10pcs-13/1915941057.html
Unfortunately the password is not 51243648.
Other than buying a new logic analyzer, or gbhuk getting one of the above "fancy" handhelds and doing all the hard work of decoding the password, does anyone know of any other way we can read the password from block 7?
I've asked the supplier for the password but at the moment no word...
If you can snoop the LF traffic between the card and the reader, the password will be sent in clear text according to the datasheet. Should be a good thing to have in the PM3 client...
Snooping seems to be readily available on HF but not LF traffic
If you look at the PM3 sourcecode on Github, there is a "lf snoop" ...
I have been trying to ask for the password from all my sources, but all of them swear that there isn't any password set.
Hey, did you send me your address? I didn't see it in my email; I may have missed it.
I have just resent you my address... please check.
getting one of the above "fancy" handhelds
Hi diaconom,
Do you happen to know if the 'fancy' handheld you mention can clone HID cards?
diaconom wrote:getting one of the above "fancy" handhelds
Hi diaconom,
Do you happen to know if the 'fancy' handheld you mention can clone HID cards?
I think the better question is "does it work?"
I think the better question is "does it work?"
The specifications for the unit show that it should clone EM cards but makes no mention of supporting HID cards. Hence my question to diaconom - does he/she know if it can clone HID cards.
Last edited by gbhuk (2014-10-11 14:24:14)