Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Tonight I am going to start to understand what is related to the AWID fob from the perspective of a cloner.
Could someone who has an AWID trace please give me one, or better, get me a real trace from an AWID to work with, so I can do some theoretical work with it? Thanks so much in advance.
I have no way to do the final confirmative test that my calculation and configuration are correct. Could someone who has an AWID tag, a reader and a PM3 please give me a shout.
OR
Do you have any other ways? What is your way, if you don't have an AWID reader, to reach final confirmation that the whole work you have done is correct and the AWID door will open on your entry?
(If it is forbidden to ask so, please let me know how to formulate it differently.)
Offline
Looking through the forum posts I have found this information, which I put together:
In one of the old example threads I see the command "lf indalademod"; in the current PM version I see only, in the section Tags / indala, the commands "AZID, WITH Z=W, demodulate". Interesting, nothing else we can do with this fob type, no simulation, no cloning???
Reading further I found another thread where the following procedure was performed:
lf read
data samples 20000
data plot, data grid 50
data fskAzID, with z=W,demod hmmm
I can't see any "fskAzID, with z=W,demod" command in the data section… aha, in the GUI it is called Demodulation; when pressed it sends a "data fskAzID, with z=W,demod".
And this is only in the compiled code, not even listed in the data section to see.
Offline
In another AZID, WITH Z=W, thread the investigation work has been, or could also be, carried out in a different way:
lf read
data samples 40000
data dec
data dec
data dec (to form the data into a more regular view)
data mandemod using clock rate 40, 64-bit Manchester demodulation
Hmmm, interesting tag
Here there is also no further command for simulation or writing for this type of tag! Perhaps because we have enough demodulated info to use basic lf write or lf simulation, in the LF basic commands section, to perform these tasks.
Is it really so that even today, May 2015, still no more work has been implemented for AZID, WITH Z=W, tags ... For which reason? Because this tag does not exist anymore on the market?
Offline
In another place one can read: "HID and AZID, WITH Z=W, use the same protocols, use the same FSK modulation and transmit 3 blocks of data … but the format of the data in binary is different". How is this to be understood?
The 3 blocks of data were in hex form obviously; when demodulated we get the binary, but the binary, even if it looks the same, would mean different things, because the formats by which they are constructed are different …. Is that so?
Similar to how the configuration block of a Q5 is 32 bits long, equally long as the configuration block of a T55x7, but because the masks are different, at the same position X the binary bit 1 or 0 means something different between the tags … Is it to be understood like that?
Is there anything I am missing during this project of studying indala fobs that could come back sometime to haunt me?
Offline
Just say AWID. What is wrong with telling the real name of what you are "studying".
Now you want to "study" something that you don't own/have in your hand... That is not a good start.
You have recently asked for so much different information about many different types of cards. You have no way to confirm whether what you are doing is working or not, because you have no access to a door reader. Are you working with envelopes...?
1 useless post + 3 comments for one thing that has been talked and re-talked about plenty of times. That is just annoying. You are not on howto.com
Buy yourself an AWID reader and some cards. Ebay.com
Offline
Thanks for your straight comment, app-o1.
You indirectly answered one of my questions which has tortured me since I started to understand some topics: "how can one get the final affirmative test that what he/she is trying to do is correct?". I have posted on the forum and teased people to answer and share their experience of what to do, without success ...
For me, studying is collecting, gathering, working in mind and on paper, doing practical construction of the necessary things using the knowledge you have gathered and, most importantly, letting your colleagues see what you produce and judge you, correct you.
I do not have a Q5, but I learnt to make mistakes configuring a Q5 or T55x7 to see what would happen; better on paper than in real life, is it not? Is that studying not worth it?
I am sorry that my comments have annoyed you. It is true I don't know what an AWID card/tag/key looks like; on your advice I went on eBay and found these 3 items
http://www.ebay.co.uk/sch/i.html?_odkw=lens+m42+wide&_osacat=78997&_from=R40&_trksid=p2045573.m570.l1313.TR2.TRC1.A0.H0.Xawid.TRS0&_nkw=awid&_sacat=78997
and still have no way to get a card with real useful data for my studying, unless I move into a housing block where this AWID is at the door.
I know it is annoying, but learning without possessing a certain subject/object also means: using imagination, preparing yourself to follow, to understand what is right or wrong, to join if necessary a problem/discussion concerning AWID or even something similar to AWID data.
Studying means helping me to come further from where I was. I do not have to have a Mercedes SLK 230 to study how to drive an automatic or to make mistakes. But if I read in the newspaper "an SLK 230 Mercedes driver has caused a grave accident in a hospital car park. She/he was distracted by a sick child crying on the back seat, and in distress stepped down on both the brake and the gas pedal," I don't own a Mercedes, don't have a crying child, but through general study of driving an automatic by imagination, and reading some construction docs about the driver's compartment of the SLK 230, I could know the report talks nonsense; there is no other cause, clearly it's a basic driver's fault.
I wish I had an AWID, I wish I had an indala, a FLEXpass, a Mifare, and so on, to know about them, but I can't have them all to know how to deal with them ... Having none of them on the table yet should not stop one from studying indala, mifare, RFID bank cards, or understanding RFID entry access cards.
Please don't be upset; you are one of the good posters I am looking to learn from, from your experience. I don't want to upset you.
If you don't like this sort of "studying", please ignore ntk's posts. But if you are good, see what technically I did wrong/right and correct me or advise me. I accept all corrections. I do not post to pull attention.
I post and show even mistakes here because I hope to learn.
Last edited by ntk (2015-06-03 15:42:32)
Offline
Ntk, if you look in your source code folders, you will find a folder called: traces
Inside are a lot of working traces from lots of different LF tags.
You only need "data load" / "data plot" to get started with them.
Offline
ntk, I would like to ask you one thing: use the following days to focus on 1 ITEM/TAG/DEVICE ONLY, and only after good searches on this forum (and maybe Google) ask specific questions in the appropriate forum thread, without "flooding" it with multiple messages.
I really, REALLY appreciate your enthusiasm, but remember that the people coming here spent a lot of time searching/reading/testing/buying stuff, so if you avoid making "torrent" sentences (which result in boring reading even before the reading itself starts!!) and if you try to be more concise, people will surely appreciate you the way you deserve.
Welcome to the forum !
Offline
@app-o1, I will take your advice, thanks
To be honest I lied when I said "Tonight I am going...". Last night I studied Q5, AWID, indala and flexpass via related posts on the forum, googled and searched in the forum up and down ... and I have about 25 to 30 open questions ... what should I do ... that is what I mean when I say it tortures me ... not one question but too many ...
Last edited by ntk (2015-06-03 16:25:57)
Offline
@iceman,
thank you, that is the place I looked around for on this forum but could not see.
Could you answer one more question: why do we learn to clone on Q5 and T55x7 only? Very much appreciated.
Offline
Because the old Q5 and T55x7 are very good at emulating all different kinds of LF tags.
You only need one T55x7 tag to be able to test a lot of different systems. If you find a read/write em4350 tag, it can still only be used with em4350 systems.
Offline
@iceman
"Q5 and T55x7 are very good at emulating all different kinds of LF tags"; that is true and reasonable. But at 10x the cost of an EM chip, is it not taking a cannon to kill an ant?
Second, before we came to develop lf t55xx wr, we had the development of lf em410xwrite, coincidentally also with the option to use only Q5 or T55x7. I am perplexed; it looks forced, not natural growth. If it were natural growth, we would first have had the primitive write function to the EM chip implemented, "with the limitation that we can not emulate all different kinds of tags", then, realising the limitation, we would develop the writing as a next step up to Q5 and then to T55x7. What bothers me is how a cheap Chinese $8 writer can write to EM411 but the PM3 can not do it.
Further, the definition RO/RW confuses me; the question is not "if we could find a WRITEABLE EM4305 ...". If we look at
http://www.rfidshop.com.hk/125.html
we see the 125K-RW-USB-D1 reader/writer/programmer:
"Reader function:
Support EM4100/EM4001/EM4102 or compatible ISO card
Writer function:
program the R/W card to EM4100/EM4001/EM4102 format
program the R/W card to ISO11784/ISO11785 format"
and if you check the picture in my thread
http://www.proxmark.org/forum/viewtopic.php?id=2493
I have bought that reader; I have run "lf search" demod on those blue chips and they are EM4100. That £5 Chinese writer can write and write and write to those blue chips, so those blue chips are RW, or am I wrong with this classification? I hardly knew Q5 or T55x7 until I came to PM3, but I am surrounded by those EM4100 chips, and cheap writers on eBay.
If one day I tell my son,
"Son, you inherit from me this wonderful piece of proxmark, it does all kinds of wonderful things on RFID chips...".
"Can it write something like this blue chip here?" he interrupts.
So I would say, "Erm, our proxmark is very wonderful but it has no function to write to your blue chip, and also your blue chip is not read/write..."
He then: "Don't B.S. me dad, give me £5, I'll go to China and prove you're wrong in 5 min"
What would you say ... is he wrong or am I?
Offline
Feel free to contribute to the sourcecode on github,
Offline
@iceman, thank you for answering three of my 30 questions:
- EM4100 is RW
- cloning does not necessarily happen only on Q5 and T55x7
- a write function direct to the EM chip is not nonsense
Please don't be cross with me; I have only questions and ideas ... if I were a programmer I would have started coding 5 days ago ....
Offline
The em4x05/em4x69 chips can be written to and block-read with the pm3, and can emulate many formats. (They just aren't easy to use.) A lot of inverting / parities / big endian -> little endian conversion / TLC needed...
Offline
TRUE EM4100 chips are Read ONLY 100% of the time.
EM4100 has also now become known as a programming format, as it can be emulated on all the standard R/W multi-purpose chips (t55xx, em4x05, em4x69 ... and more...).
The format is often misrepresented as the chip, or vice versa.
All descriptions of writing EM4100 are referring to writing the format of an em4100 ID to a t55xx. ALWAYS.
The reason most people use the t55xx chips is ease of use, availability, low cost, and reliability. (They were the original chips HID used to use.)
Offline
I'm not cross, but if something isn't in the PM3 codebase, it is because no one ever put it in there. The reason for that I can only guess. This is an open source project, where people contribute what they want themselves. There are more interesting things for me to put in the PM3 source than a write command for EM4305.
Offline
Especially when there already is a write and read command for em4x05...
Offline
Especially when you can buy a £5 Chinese cloner that can do it...
Offline
"TRUE EM4100 chips are Read ONLY 100% of the time.
EM4100 has also now become known as a programming format, as it can be emulated on all the standard R/W multi-purpose chips (t55xx, em4x05, em4x69 ... and more...).
The format is often misrepresented as the chip, or vice versa.
All descriptions of writing EM4100 are referring to writing the format of an em4100 ID to a t55xx. ALWAYS.
The reason most people use the t55xx chips is ease of use, availability, low cost, and reliability. (They were the original chips HID used to use.)"
"often misrepresented ... vice versa"; that is very true, no big problem for professionals, but for us newbies very confusing.
I have already ordered a 60x magnifying glass; when I have it I will open one of those blue chips and get the chip name. Then we know more. Or has someone done that already?
Googling the combination "proxmark dissect open inside blue chip EM4 +RFID" gives me no info.
Last edited by ntk (2015-06-04 15:06:42)
Offline
They are 99% EM4100 (I have some of them used for a door lock).
To see the chip name you will probably need a microscope (a 60x USB microscope IS NOT like a real 60x microscope, I can guarantee that) and some chemicals to remove the hard epoxy resin (this "art" is called "decapping" and it can be dangerous & expensive & hard to achieve). Try with pm3-specific commands first.
Last edited by asper (2015-06-04 23:38:11)
Offline
The "art of decapping" link brought me somewhere else.... unless... No, I am not that 1/1000000 dangerous, or as good as Tarnovsky at all. I wish ...
"Try with pm3 specific commands first." Please give me some hints.
Offline
- 1st: get the tags
- 2nd: use the pm3 em4100-specific commands to try to read them
Offline
As an FYI, the 'lf awid' context is now available on GitHub. This includes code for simulating and cloning AWID tags from the facility code and card number generally printed on the tag. The relevant commit is here: https://github.com/Proxmark/proxmark3/commit/dbf6e824f932b0d5e88fbd0c24de529511fb5c05
Offline
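Since the thread's open question was how to check a 26-bit AWID construction on paper without a reader, here is an added worked example (not the proxmark3 project's code, and not from any poster above) that builds the 96-bit AWID bit stream from a facility code and card number and decodes it back with every parity check applied. It assumes the bit layout documented in the proxmark3 lfdemod index map for the 26-bit format: an 8-bit preamble 00000001, then 22 groups of 3 data bits each followed by an odd-parity bit; the 66 data bits are an 8-bit format length (26), the 26-bit Wiegand frame (even parity, 8-bit facility code, 16-bit card number, odd parity) and zero padding. The facility code 117 / card number 142 used as sample input is constructed from that same index map.

```python
"""AWID 26-bit encoder/decoder (added example, assumes the layout described in the lead-in).

96-bit tag layout assumed here:
  preamble 00000001 (8 bits)
  22 x (3 data bits + 1 odd-parity bit over those 3 bits) = 88 bits
  the 66 data bits = 8-bit format length (26) + 26-bit Wiegand frame + 32 zero bits
Wiegand 26 = even parity(first 12 bits) + FC(8) + CN(16) + odd parity(last 12 bits)
"""

PREAMBLE = "00000001"
FORMAT_LEN = 26


def _bits(value: int, width: int) -> str:
    return format(value, f"0{width}b")


def wiegand26(fc: int, cn: int) -> str:
    """Return the 26-bit Wiegand frame (as a '0'/'1' string) for fc/cn."""
    if not 0 <= fc < 256 or not 0 <= cn < 65536:
        raise ValueError("fc must fit in 8 bits, cn in 16 bits")
    data = _bits(fc, 8) + _bits(cn, 16)
    even = str(data[:12].count("1") % 2)          # even parity over the first 12 data bits
    odd = str((data[12:].count("1") + 1) % 2)     # odd parity over the last 12 data bits
    return even + data + odd


def awid26_encode(fc: int, cn: int) -> str:
    """Build the 96-bit AWID stream for a 26-bit card (what a cloner would write)."""
    payload = (_bits(FORMAT_LEN, 8) + wiegand26(fc, cn)).ljust(66, "0")
    out = PREAMBLE
    for i in range(0, 66, 3):
        grp = payload[i:i + 3]
        # odd parity: the 4-bit group must contain an odd number of ones
        out += grp + ("1" if grp.count("1") % 2 == 0 else "0")
    return out


def awid26_decode(bits: str) -> tuple:
    """Check preamble, group parity, format length and Wiegand parity; return (fc, cn)."""
    if len(bits) != 96 or bits[:8] != PREAMBLE:
        raise ValueError("no AWID preamble / wrong length")
    payload = ""
    for i in range(8, 96, 4):
        grp = bits[i:i + 4]
        if grp.count("1") % 2 != 1:
            raise ValueError(f"odd parity failed in group starting at bit {i}")
        payload += grp[:3]
    fmt = int(payload[:8], 2)
    if fmt != FORMAT_LEN:
        raise ValueError(f"unsupported format length {fmt}")
    frame = payload[8:8 + 26]
    fc, cn = int(frame[1:9], 2), int(frame[9:25], 2)
    if wiegand26(fc, cn) != frame:           # re-derive the frame to verify both Wiegand parities
        raise ValueError("Wiegand parity failed")
    return fc, cn


def tampered_is_rejected(fc: int, cn: int, pos: int) -> bool:
    """Flip one bit of the encoded stream and report whether the decoder rejects it."""
    bits = list(awid26_encode(fc, cn))
    bits[pos] = "0" if bits[pos] == "1" else "1"
    try:
        awid26_decode("".join(bits))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample input: FC 117, CN 142 (the values used in the index map)
    stream = awid26_encode(117, 142)
    print(" ".join([stream[:8]] + [stream[i:i + 4] for i in range(8, 96, 4)]))
    print(awid26_decode(stream))
```

The decoder deliberately re-derives the whole Wiegand frame from the recovered facility code and card number and compares it with what was read, so a single flipped data bit is caught either by the 4-bit group parity or by the Wiegand parity; that is the same "final confirmative test" a reader performs before it opens the door.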
Thank you for your information, KernelJay.
Offline