Here is the file obtained with the following commands:
proxmark3> lf read
#db# buffer samples: 40 44 46 4a b4 ff ff ff ...
proxmark3>
proxmark3> data bitsamples
proxmark3>
proxmark3> data plot
proxmark3>
proxmark3> data save test.txt
saved to 'test.txt'
proxmark3>
Here is a screenshot of the plot:
Here is the file obtained with the following commands:
proxmark3> lf read
#db# buffer samples: 00 03 0a 11 18 1e 23 27 ...
proxmark3>
proxmark3> data samples 4000
Reading 4000 samples
Done!
proxmark3>
proxmark3> data plot
proxmark3>
proxmark3> data save test2.txt
saved to 'test2.txt'
proxmark3>
The tag has a series of numbers printed on it: 00077xxxxx 118,yyyyy (x and y are decimal values).
Producer seems to support only Wiegand format for 125kHz cards (I don't have producer data at the moment): can it be Wiegand? It seems to be the same as this one.
Here is the best Wiegand data format I was able to find; maybe it is an 83-bit one...
Last edited by asper (2013-11-12 21:25:40)
Solved: it is an EM4100, a very simple 64 bit read only id-chip.
Steps to decode:
1 - Read ID
2 - convert to binary
3 - remove 1st 17 bits
4 - take 7 bits and convert to decimal = 3-value code printed on card
5 - take next 16 bits and convert to decimal = 5-value code printed on card
6 - take bits of step 4 & 5 together, convert to decimal, and you will get the 10-value code printed on card
Example:
If card id (read with a reader, e.g. proxmark3) is 140156c3ef:
decode in binary: 10100000000010(17bits) 1010110(7bits) 1100001111101111(16bits)
remove 1st 17 bytes: 1010110(7) 1100001111101111(16) convert in decimal --> 86 50159
all together --> 10101101100001111101111(7+16bits) --> 5686255
so the final number printed on tag will be: 5686255 86,50159.
Maybe 1st 17 bits are used for some kind of checks.
Last edited by asper (2013-11-13 12:35:31)
It doesn't work in my case...
ID 0x0F008882
Card No. 0012641
---------
0x0F0076E0
0122381
Last edited by app_o1 (2015-06-06 10:16:27)
Is it an EM4100 ? If so probably there is a different number generating "algo".
Maybe I found a "scramble pattern" for your bits:
Columns = different tags
- 0F00887882 (hex) => 111100000000100010000111100010000010 (bin)
-- 002412641 (dec) => 001001001101000001100001 (bin)
- 0F00E376E0 = 111100000000111000110111011011100000
-- 012245381 = 101110101101100110000101
Lines = HEX ID (H), only 1st 24bits / DECIMAL VALUE WRITTEN ON TAG (D) both converted to binary
Green = same hex 0 between tags
Red = same hex 1 between tags
Orange = same dec 0 between tags
Blue = same dec 1 between tags
Anyway more examples (tags) are needed to know if I am right.
Last edited by asper (2014-01-25 11:43:33)
00823969 = 0x0F00B4A7 (190-58535)
00825460 = 0x0F00BE57 (190-65111)
---
00654518 = 0x0F009F3D (149-32573)
Last edited by app_o1 (2015-06-06 10:16:13)
A working pattern for all data you provided (except 2 bits that are always 1 so I cannot determine where to put them but there are only 2 possibilities) is this:
So, if you have a decoded Hex ID to bin like:
0F00887882 (hex) => 0000111100000000-100010000111100010000010 (bin);
you need to remove 1st 16 bits obtaining a 24-bits only value: 100010000111100010000010
Now label these 24 bits from b0 to b23:
b0 b1 b2 b3 - b4 b5 b6 b7 - b8 b9 b10 b11 - b12 b13 b14 b15 - b16 b17 b18 b19 - b20 b21 b22 b23
now scramble bits this way (I am not sure for x and y [b9-b10] but they can be easily switched):
b1 b3 b0 b2 - b6 b4 b7 b5 - b9 b11 b8 b10 - b18 b15 b23 b17 - b14 b12 b22 b21 - b19 b13 b20 b16
finally convert the scrambled bits to decimal and you should obtain the number printed on the card.
If someone is able to write a small program to process the bytes that way we can have a confirmation.
@app_o1: If you have other tags please test
Last edited by asper (2014-02-17 09:45:56)
Nice! If I have other examples I will test them and let you know!
0144389 -> 0x0F0074DB or 0x0F00DC01
0152032 -> 0x0F007EDB or 0x0F00DC01
0x0F007EDB (gives 145235 ??)
0x0F020C01 (gives 24641 ??)
I do not know which hex ID goes with which card no... sorry
Last edited by app_o1 (2015-06-06 10:16:46)
0x0F00AEAF94 1010 1110 1010 1111 1001 0100
004010207 0011 1101 0011 0000 1101 1111
Last edited by app_o1 (2014-02-17 06:07:40)
This seems to be the final correct pattern (found b19 and b10 position and reverted b15 with b20):
b1 b3 b0 b2 - b6 b4 b7 b5 - b9 b11 b8 b10 - b18 b20 b23 b17 - b14 b12 b22 b21 - b19 b13 b15 b16
It works with your latest posted value also, so F00D20C01 = 015204932.
Last edited by asper (2014-02-17 11:46:27)
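A small script for the confirmation asked for earlier in the thread, as an added example that is not part of any forum post: it applies the final bit pattern above to the low 24 bits of the ID and compares the result with the ID/number pairs quoted in the thread. The function names are illustrative, and reading "F00D20C01" as the 40-bit ID 0F00D20C01 is an assumption.

```python
# Added example. PATTERN[i] is the index (b0 = first bit after the dropped
# 16-bit prefix) of the ID bit that lands at position i of the printed number.
PATTERN = [1, 3, 0, 2,   6, 4, 7, 5,   9, 11, 8, 10,
           18, 20, 23, 17,   14, 12, 22, 21,   19, 13, 15, 16]
assert sorted(PATTERN) == list(range(24)), "pattern must use every bit once"


def printed_number(hex_id: str) -> int:
    """Return the decimal card number for a 40-bit hex tag ID."""
    value = int(hex_id, 16)
    if value >> 40:
        raise ValueError("expected at most 40 bits (10 hex digits)")
    low24 = format(value & 0xFFFFFF, "024b")      # remove the first 16 bits
    return int("".join(low24[src] for src in PATTERN), 2)


# ID -> printed number pairs as quoted in the thread.
# "0F00D20C01" assumes the post's "F00D20C01" lost its leading zero.
THREAD_SAMPLES = {
    "0F00887882": 2412641,
    "0F00E376E0": 12245381,
    "0F00AEAF94": 4010207,
    "0F00D20C01": 15204932,
}


def mismatches(samples=THREAD_SAMPLES) -> dict:
    """Return {hex_id: (expected, computed)} for every sample that disagrees."""
    return {hid: (want, printed_number(hid))
            for hid, want in samples.items() if printed_number(hid) != want}


if __name__ == "__main__":
    for hid in THREAD_SAMPLES:
        print(hid, "->", format(printed_number(hid), "09d"))
    print("mismatches:", mismatches())
```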
Solved: it is an EM4100, a very simple 64 bit read only id-chip.
Steps to decode:
1 - Read ID
2 - convert in binary
3 - remove 1st 17 bits
4 - take 7 bits and convert in decimal = 3-value code printed on card
5 - take next 16 bits and convert in decimal = 5-value code printed on card
6 - take bits of step 4 & 5 together, convert in decimal, and you will get the 10-value code printed on card
Example:
If card id (read with a reader, e.g. proxmark3) is 140156c3ef:
decode in binary: 10100000000010(17bits) 1010110(7bits) 1100001111101111(16bits)
remove 1st 17 bytes: 1010110(7) 1100001111101111(16) convert in decimal --> 86 50159
all together --> 10101101100001111101111(7+16bits) --> 5686255
so the final number printed on tag will be: 5686255 86,50159.
Maybe 1st 17 bits are used for some kind of checks.
did you manage to get the binary == 10100000000010(17bits) 1010110(7bits) 1100001111101111(16bits) == with the data bitsamples (or data bitstream) command ?
Last edited by eskizle (2014-06-11 07:34:25)
Just reading the id with the corresponding command and converted it to bin.
Help me to identify my card. 125kHz card with normal keyboard emulated reader uid is 747B00DE936080FF but in access control system card is converted in this number 0007799037. What kind of converting is that? I think they use something like wiegand reader but not sure, and the question is how to convert 747B00DE936080FF -> 0007799037. I have over 1000 cards...
Examples of card - converted number
9c8d01de936080ff -> 7799062
fe8d01de936080ff -> 7799063
208e01de936080ff -> 7799064
Maybe it needs to reverse hex bytes
ff806093de01d8c9 ..
Last edited by slayercho (2014-12-05 11:46:25)
747B00DE936080FF
rearrange the sequence from right to left:
FF806093DE007B74
F F 8 0 6 0 9 3 D E 0 0 7 B 7 4
1111 1111 1000 0000 0110 0000 1001 0011 1101 1110 0000 0000 0111 1011 0111 0100
divide the sequence according to the protocol EM4100:
111111111 00000 00011 00000 10010 01111 01111 00000 00000 11110 11011 10100
111111111 - 9 header bits
0000 0 0
0001 1 1
0000 0 0
1001 0 6
0111 1 7
0111 1 7
0000 0 0
0000 0 0
1111 0 F
1101 1 D
1010 0 A - XOR
7700FD(HEX) = 0007799037(DEC)
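The decoding walked through above, with the row and column parity actually checked, as an added example that is not part of the original post. Function names are illustrative; `printed_fields` is the 17/7/16-bit split from the first "Solved" post earlier in the thread, applied to a 40-bit ID.

```python
def parse_em4100(reader_uid: str) -> dict:
    """Decode the 16-hex-digit value from a keyboard-emulating reader."""
    raw = bytes.fromhex(reader_uid)
    if len(raw) != 8:
        raise ValueError("expected 64 bits (16 hex digits)")
    # The reader reports the frame right to left, so reverse the bytes first.
    bits = "".join(format(b, "08b") for b in reversed(raw))
    if bits[:9] != "1" * 9:
        raise ValueError("missing 9-bit header of ones")
    if bits[63] != "0":
        raise ValueError("stop bit is not 0")
    # Ten rows of 4 data bits + 1 even-parity bit, then 4 column-parity bits.
    rows = [bits[9 + 5 * i: 14 + 5 * i] for i in range(10)]
    for i, row in enumerate(rows):
        if row.count("1") % 2:
            raise ValueError(f"row {i} fails even parity")
    col_parity = bits[59:63]
    for c in range(4):
        ones = sum(row[c] == "1" for row in rows) + (col_parity[c] == "1")
        if ones % 2:
            raise ValueError(f"column {c} fails even parity")
    tag_id = int("".join(row[:4] for row in rows), 2)
    # The post converts the last 6 hex digits (low 24 bits) to decimal.
    return {"id": format(tag_id, "010X"),
            "printed": format(tag_id & 0xFFFFFF, "010d")}


def printed_fields(hex_id: str) -> tuple:
    """Skip 17 bits of a 40-bit ID, then read 7-bit and 16-bit fields."""
    bits = format(int(hex_id, 16), "040b")
    if len(bits) != 40:
        raise ValueError("expected at most 40 bits (10 hex digits)")
    return int(bits[17:40], 2), int(bits[17:24], 2), int(bits[24:40], 2)


if __name__ == "__main__":
    # Reader values quoted in the thread.
    for uid in ("747B00DE936080FF", "9c8d01de936080ff"):
        print(uid, parse_em4100(uid))
    print(printed_fields("140156c3ef"))
```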
Thank you very much!
111111111 - 9 header bits
0000 0 0
0001 1 1
0000 0 0
1001 0 6 - here is 9
0111 1 7
0111 1 7
0000 0 0
0000 0 0
1111 0 F
1101 1 D
1010 0 A - XOR
01097700FDA
I found 01 is customer ID information, but what is 09 if not using in hex to dec converting?
Is there a method to get back full hex FF806093DE007B74 if i know only 0007799037?
There was someone on the forum, who made a web-based em4100 decoder to just online. I got inspired by that and built something in dotnet.
You can throw sniffed data at it, it is not very picky. Either hex values or the output from "data mandemod"
It tries to reverse, inverse, endian-swap the binary string. If it finds something that is 55 bits long and has 9 '1's it tries to decode it.
As you see from the pic below, it takes your sniffed data and found 2 different interpretations.
There was someone on the forum, who made a web-based em4100 decoder to just online.
Some context here http://andrewmohawk.com/2013/01/27/bypa … y-systems/ and the tool is here http://andrewmohawk.com/EM41X/.
Just for the fun of it.
I built a WebService which you can call to decode a Em41xx tag, either you call it with sniffed hexvalues or the command "data mandemod" output (binary string)
http://www.icesql.se/Services/Em41xxDec … ervice.svc
why? If someone wants to build in a decode into a mobile-app perhaps?