Hi,
Doing a lf search of a tag showed that it was an EM4x50 tag:
----------------
Found data at sample: 6535 - using clock: 40
Block 0: cbe154d3
Block 1: xxxxxxxx
Block 2: xxxxxxxx
Block 3: xxxxxxxx
Block 4: xxxxxxxx
Block 5: xxxxxxxx
Parities Passed
Valid EM4x50 ID Found!
----------------
I tried to clone this tag to a new tag with t55x7 commands but it doesn't seem to work. I have used t55x7 commands before to write some tags (eg pyramid) successfully.
I tried with both the latest 2.5 software and also an older r816 version.
I am not sure what could be wrong? Is the block 0 data correct?
lf t55xx writeblock xxxxxxxx 5
lf t55xx writeblock xxxxxxxx 4
lf t55xx writeblock xxxxxxxx 3
lf t55xx writeblock xxxxxxxx 2
lf t55xx writeblock xxxxxxxx 1
lf t55xx writeblock cbe154d3 0
lf t55xx wr b 0 d cbe154d3
lf t55xx wr b 1 d xxxxxxxx
lf t55xx wr b 2 d xxxxxxxx
lf t55xx wr b 3 d xxxxxxxx
lf t55xx wr b 4 d xxxxxxxx
lf t55xx wr b 5 d xxxxxxxx
Offline
have you tried the "lf em*" commands?
Offline
t55xx chips cannot emulate the EM4x50 chips.
Offline
t55xx chips cannot emulate the EM4x50 chips.
Thanks! I did not think of this. For em4x50 I can see that there is a read command but no write command.
But given we know the block data, can we write the blocks on a different chip in a similar way to writing t55xx chips?
Can Q5 chips emulate EM4x50 chips? Are there commands to write block data to Q5 chips?
Offline
t55xx chips cannot emulate the EM4x50 chips.
Are there any chips that the Proxmark can write to that can emulate the EM4x50 chips?
Offline
the proxmark itself might be able to emulate the tags, but to my knowledge there is not a chip currently supported by the pm3 firmware that can emulate those chips...
Offline
Hello Crispy,
Please help on how you have been able to clone pyramid type
I have Keri format N that use pyramid demodulation.
Sorry about em4x50, I have not encountered such a card before.
Thanks
Offline
the proxmark itself might be able to emulate the tags, but to my knowledge there is not a chip currently supported by the pm3 firmware that can emulate those chips...
Thanks again marshmellow for all your help. When Googling I have found other devices that mention they can read & write em4x50 cards. But when looking at em4x50 cards (eg. http://microcontrollershop.com/product_info.php?products_id=6072 ) it seems that they have a unique, read-only serial number and that I could only write to user data area. Is this correct?
You mention that there is no chip supported by the pm3 firmware that can emulate the em4x50 chips. Is there a chip that I should be looking at that may be supported by a different device?
Hello Crispy,
Please help on how you have been able to clone pyramid type
I see that Apt-Get has answered your post.
Offline
Is there a chip that I should be looking at that may be supported by a different device?
Anyone?
Offline
maybe a sim command could be built?
Danz. I cloned your tag. took a Screenshot and posted the exact commands for your tag. I'm not sure how much more you need bro.. lol
Offline
maybe a sim command could be built?
So by this do you mean that there is no chip or magic card etc that can edit the block 0 / serial number (regardless of whether or not this is supported by pm3)?
Offline
got the same problem with a car park / garage company card for entrance.
did you find any solution until now?
they use skidata cards - model keycard125 here.
sounds like the same problem in this thread: http://www.proxmark.org/forum/viewtopic.php?id=2020
mine states with lf search following result
Checking for known tags:
Found data at sample: 7706 - using clock: 40
Block 0: 00010003
Block 1: 00000000
Block 2: 50363040
Block 3: 00000000
Block 4: 00000000
Block 5: 00000000
Parities Passed
Valid EM4x50 ID Found!
pm3 --> lf em em4x50read
gives me following results
pm3 --> lf em em4x50read
Note: one block = 50 bits (32 data, 12 parity, 6 marker)
Block 0:
00000000 0 -> 0x00
00000001 1 -> 0x01
00000000 0 -> 0x00
00000011 0 -> 0x03
00000010 0 -> 0x02
Parity Passed
Block 1:
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
Parity Passed
Block 2:
01010000 0 -> 0x50
00110110 0 -> 0x36
00110000 0 -> 0x30
01000000 1 -> 0x40
00010110 0 -> 0x16
Parity Passed
Block 3:
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
Parity Passed
Block 4:
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
Parity Passed
Block 5:
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
00000000 0 -> 0x00
Parity Passed
Found data at sample: 5822 - using clock: 40
Block 0: 00010003
Block 1: 00000000
Block 2: 50363040
Block 3: 00000000
Block 4: 00000000
Block 5: 00000000
Parities Passed
tried like you, earlier before I read this, to clone it on a t5577 without success.
guess as lf t5 read b 0 (or what block so ever) does not show any data when I read the skidata card, and only when I read a t5577 chip, it won't work to clone it to this type of tag to a t5577, cause their reader won't accept it?
I just tried your block based write, did you set the password for block 0? a confirm with read did not show the data until I wrote it with p 0x0000000
btw: what is lf t5 special showing here?
original card:
pm3 --> lf t5 special
OFFSET | DATA | BINARY
----------------------------------------------------
00 | 0x00000000 | 0000000000000000000000000000000
01 | 0x00000000 | 0000000000000000000000000000000
02 | 0x00000000 | 0000000000000000000000000000000
03 | 0x00000000 | 0000000000000000000000000000000
04 | 0x00000000 | 0000000000000000000000000000000
05 | 0x00000000 | 0000000000000000000000000000000
06 | 0x00000000 | 0000000000000000000000000000000
07 | 0x00000000 | 0000000000000000000000000000000
08 | 0x00000000 | 0000000000000000000000000000000
09 | 0x00000000 | 0000000000000000000000000000000
10 | 0x00000000 | 0000000000000000000000000000000
11 | 0x00000000 | 0000000000000000000000000000000
12 | 0x00000000 | 0000000000000000000000000000000
13 | 0x00000000 | 0000000000000000000000000000000
14 | 0x00000001 | 0000000000000000000000000000000
15 | 0x00000003 | 0000000000000000000000000000001
16 | 0x00000007 | 0000000000000000000000000000011
17 | 0x0000000F | 0000000000000000000000000000111
18 | 0x0000001F | 0000000000000000000000000001111
19 | 0x0000003F | 0000000000000000000000000011111
20 | 0x0000007F | 0000000000000000000000000111111
21 | 0x000000FF | 0000000000000000000000001111111
22 | 0x000001FF | 0000000000000000000000011111111
23 | 0x000003FF | 0000000000000000000000111111111
24 | 0x000007FF | 0000000000000000000001111111111
25 | 0x00000FFF | 0000000000000000000011111111111
26 | 0x00001FFF | 0000000000000000000111111111111
27 | 0x00003FFF | 0000000000000000001111111111111
28 | 0x00007FFF | 0000000000000000011111111111111
29 | 0x0000FFFF | 0000000000000000111111111111111
30 | 0x0001FFFF | 0000000000000001111111111111111
31 | 0x0003FFFF | 0000000000000011111111111111111
32 | 0x0007FFFF | 0000000000000111111111111111111
33 | 0x000FFFFF | 0000000000001111111111111111111
34 | 0x001FFFFF | 0000000000011111111111111111111
35 | 0x003FFFFF | 0000000000111111111111111111111
36 | 0x007FFFFF | 0000000001111111111111111111111
37 | 0x00FFFFFF | 0000000011111111111111111111111
38 | 0x01FFFFFF | 0000000111111111111111111111111
39 | 0x03FFFFFF | 0000001111111111111111111111111
40 | 0x07FFFFFF | 0000011111111111111111111111111
41 | 0x0FFFFFFF | 0000111111111111111111111111111
42 | 0x1FFFFFFF | 0001111111111111111111111111111
43 | 0x3FFFFFFF | 0011111111111111111111111111111
44 | 0x7FFFFFFF | 0111111111111111111111111111111
45 | 0xFFFFFFFF | 1111111111111111111111111111111
46 | 0xFFFFFFFF | 1111111111111111111111111111111
47 | 0xFFFFFFFF | 1111111111111111111111111111111
48 | 0xFFFFFFFF | 1111111111111111111111111111111
49 | 0xFFFFFFFF | 1111111111111111111111111111111
50 | 0xFFFFFFFF | 1111111111111111111111111111117
51 | 0xFFFFFFFF | 1111111111111111111111111111177
52 | 0xFFFFFFFE | 1111111111111111111111111111777
53 | 0xFFFFFFFC | 1111111111111111111111111117770
54 | 0xFFFFFFF8 | 1111111111111111111111111177700
55 | 0xFFFFFFF0 | 1111111111111111111111111777000
56 | 0xFFFFFFE0 | 1111111111111111111111117770000
57 | 0xFFFFFFC0 | 1111111111111111111111177700000
58 | 0xFFFFFF80 | 1111111111111111111111777000000
59 | 0xFFFFFF00 | 1111111111111111111117770000000
60 | 0xFFFFFE00 | 1111111111111111111177700000000
61 | 0xFFFFFC00 | 1111111111111111111777000000000
62 | 0xFFFFF800 | 1111111111111111117770000000000
63 | 0xFFFFF000 | 1111111111111111177700000000000
pm3 -->
cloned t5577 tag
OFFSET | DATA | BINARY
----------------------------------------------------
00 | 0xAAB55575 | 1010101010110101010101010111010
01 | 0x556AAAEA | 0101010101101010101010101110101
02 | 0xAAD555D5 | 1010101011010101010101011101010
03 | 0x55AAABAA | 0101010110101010101010111010101
04 | 0xAB555755 | 1010101101010101010101110101010
05 | 0x56AAAEAA | 0101011010101010101011101010101
06 | 0xAD555D55 | 1010110101010101010111010101010
07 | 0x5AAABAAA | 0101101010101010101110101010101
08 | 0xB5557555 | 1011010101010101011101010101010
09 | 0x6AAAEAAA | 0110101010101010111010101010101
10 | 0xD555D555 | 1101010101010101110101010101010
11 | 0xAAABAAAA | 1010101010101011101010101010101
12 | 0x55575554 | 0101010101010111010101010101010
13 | 0xAAAEAAA9 | 1010101010101110101010101010100
14 | 0x555D5552 | 0101010101011101010101010101001
15 | 0xAABAAAA5 | 1010101010111010101010101010010
16 | 0x5575554A | 0101010101110101010101010100101
17 | 0xAAEAAA95 | 1010101011101010101010101001010
18 | 0x55D5552A | 0101010111010101010101010010101
19 | 0xABAAAA55 | 1010101110101010101010100101010
20 | 0x575554AA | 0101011101010101010101001010101
21 | 0xAEAAA955 | 1010111010101010101010010101010
22 | 0x5D5552AA | 0101110101010101010100101010101
23 | 0xBAAAA555 | 1011101010101010101001010101010
24 | 0x75554AAA | 0111010101010101010010101010101
25 | 0xEAAA9555 | 1110101010101010100101010101010
26 | 0xD5552AAA | 1101010101010101001010101010101
27 | 0xAAAA5554 | 1010101010101010010101010101010
28 | 0x5554AAA8 | 0101010101010100101010101010100
29 | 0xAAA95551 | 1010101010101001010101010101000
30 | 0x5552AAA2 | 0101010101010010101010101010001
31 | 0xAAA55545 | 1010101010100101010101010100010
32 | 0x554AAA8A | 0101010101001010101010101000101
33 | 0xAA955515 | 1010101010010101010101010001010
34 | 0x552AAA2A | 0101010100101010101010100010101
35 | 0xAA555455 | 1010101001010101010101000101010
36 | 0x54AAA8AA | 0101010010101010101010001010101
37 | 0xA9555155 | 1010100101010101010100010101010
38 | 0x52AAA2AA | 0101001010101010101000101010101
39 | 0xA5554555 | 1010010101010101010001010101010
40 | 0x4AAA8AAA | 0100101010101010100010101010101
41 | 0x95551555 | 1001010101010101000101010101010
42 | 0x2AAA2AAA | 0010101010101010001010101010101
43 | 0x55545555 | 0101010101010100010101010101010
44 | 0xAAA8AAAB | 1010101010101000101010101010101
45 | 0x55515556 | 0101010101010001010101010101011
46 | 0xAAA2AAAD | 1010101010100010101010101010110
47 | 0x5545555A | 0101010101000101010101010101101
48 | 0xAA8AAAB5 | 1010101010001010101010101011010
49 | 0x5515556A | 0101010100010101010101010110101
50 | 0xAA2AAAD5 | 1010101000101010101010101101010
51 | 0x545555AA | 0101010001010101010101011010101
52 | 0xA8AAAB55 | 1010100010101010101010110101010
53 | 0x515556AA | 0101000101010101010101101010101
54 | 0xA2AAAD55 | 1010001010101010101011010101010
55 | 0x45555AAA | 0100010101010101010110101010101
56 | 0x8AAAB555 | 1000101010101010101101010101010
57 | 0x15556AAA | 0001010101010101011010101010101
58 | 0x2AAAD555 | 0010101010101010110101010101010
59 | 0x5555AAAB | 0101010101010101101010101010101
60 | 0xAAAB5557 | 1010101010101011010101010101011
61 | 0x5556AAAE | 0101010101010110101010101010111
62 | 0xAAAD555D | 1010101010101101010101010101110
63 | 0x555AAABA | 0101010101011010101010101011101
Offline
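The `lf em em4x50read` output in the post above prints each block as four data bytes with one parity bit each, followed by a fifth row. As an added example (not part of the original posts and not Proxmark3 code), the sketch below re-checks those rows offline; the layout it assumes (even row parity, fifth row = XOR of the four data bytes plus a trailing 0) is inferred from the printed Block 0 and Block 2 only, and `decode_block` / `flip_bit` are hypothetical helper names.

```python
# Added example: re-checks the parity of EM4x50 blocks as printed by
# `lf em em4x50read` in the post above. The layout is inferred from that
# output (assumption), not taken from the Proxmark3 source.

# Rows copied from the post's Block 0 and Block 2.
BLOCK0 = ["00000000 0", "00000001 1", "00000000 0", "00000011 0", "00000010 0"]
BLOCK2 = ["01010000 0", "00110110 0", "00110000 0", "01000000 1", "00010110 0"]


def decode_block(rows):
    """Return the 32-bit word if every parity check passes, else raise ValueError."""
    if len(rows) != 5:
        raise ValueError("expected 4 data rows plus 1 column-parity row")
    parsed = []
    for row in rows:
        bits, flag = row.split()
        if len(bits) != 8 or set(bits) - {"0", "1"} or flag not in ("0", "1"):
            raise ValueError(f"malformed row: {row!r}")
        parsed.append((int(bits, 2), int(flag)))

    word, column = 0, 0
    for index, (byte, parity) in enumerate(parsed[:4]):
        # Row parity is even: the flag equals the count of set bits mod 2.
        if bin(byte).count("1") % 2 != parity:
            raise ValueError(f"row {index} parity mismatch")
        word = (word << 8) | byte
        column ^= byte  # XOR accumulates even parity for each bit column

    col_byte, stop = parsed[4]
    if col_byte != column:
        raise ValueError("column parity mismatch")
    if stop != 0:
        raise ValueError("final bit of the block must be 0")
    return word


def flip_bit(rows, row, bit):
    """Return a copy of rows with one data bit inverted (simulated read error)."""
    out = list(rows)
    bits, flag = out[row].split()
    flipped = "1" if bits[bit] == "0" else "0"
    out[row] = bits[:bit] + flipped + bits[bit + 1:] + " " + flag
    return out


if __name__ == "__main__":
    for name, rows in (("Block 0", BLOCK0), ("Block 2", BLOCK2)):
        print(f"{name}: {decode_block(rows):08x}")
```

Both blocks decode to the words shown in the `lf search` summary, and a single flipped data bit fails the row and column checks.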
I was looking for some documents regarding writing
http://pub.ucpros.com/download/28440-RFID-Read-Write-Documentation-v1.0.pdf
there is also a link to a sample app for writing together with this reader/writer: https://www.parallax.com/product/28440
here the sample app: http://playground.arduino.cc/Learning/ParallaxRFIDreadwritemodule
it shows how to read em4x50 and when you scroll on a little it talks about writing too.
and as this is not good enough maybe, I found this sample code on their site which is coming in C and covers passwords too, with em4x50 reading and writing: https://www.parallax.com/downloads/rfid-readwrite-module-arduino-code-example
too bad that I am not that good in programming, but maybe someone else is and can provide the code, so iceman doesn't have to do all the work
ps: here are cards available too: http://microcontrollershop.com/product_info.php?products_id=6072
but UID seems not to be changeable from what I can read there. aliexpress doesn't offer anything when I search for em4x50
Offline
there is a PR for PM3 Master https://github.com/Proxmark/proxmark3/pull/171 which deals with EM4x50
I know that my tick-timers changes might have screwed up the em4x50 part. Think I fixed it one week ago.
But it still needs checking. Would you mind doing some tests again?
Offline
We would also need an "em4x50 info" command. Which gives more details to the current configuration of the tag read.
Offline
Reading was always fine in the last builds of yours
I rebuilt today with your last one.
Wanted to see if i get other stuff with data commands but seems to be all legit. Was just wondering as all the digits printed on the card seem not to be part of the data read from the card.
So I can read the blocks.. But what then?
Can't emulate it nor write it somewhere.
So I did a search for how others write stuff
I thought an emu or writer could be possible maybe
Offline
If EM4x50 only have five datablocks then you should be able to make a clone onto a t55x7.
Look in the current cmdlfem4x.c code.
lf sim should work..
Offline
Would you do it as described in my previous posts?
Cause both of us, thread starter and me, have the same issue that lf search after writing doesn't recognize the token, as well as the normal reader does not accept the card.
I'm gonna post maybe tomorrow my findings when I can test it in front of the real reader.
*edit*
Ah ok.. Maybe lf sim did not work due to it only works with the main build.
Gonna test that tomorrow too
Last edited by HighPressure (2016-10-18 17:55:09)
Offline
t55x7 cannot be used to clone the tag as they output in a different sequence protocol
Last edited by marshmellow (2016-10-18 18:27:56)
Offline
I stand corrected. Good to have you back, @marshmellow.
Question is there some equivalent to T55x7 that can output EM4x50 ?
Offline
only an EM4x50 as far as i know. (they are writable.)
ps. been very busy lately. sorry that i haven't kept up with the coding...
Offline
unfortunately there are some custom versions that output with non-standard bit rates that can be very hard to source. (they aren't as flexible or customizable as the t55x7s)
Offline
Good for us that you got some time over then. The enhanced em commands looking good so far.
Offline