Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hi everyone, and happy new year!
Has anyone of you ever managed to write the UID on an EM4305 tag?
lf em4x em410xwrite command returns a correct message, but nothing is really written on the tag.
Any ideas? Thanks in advance!
Offline
'em410xwrite' writes a uid to a T55x7 tag, which in turn emulates em410x when read.
Offline
Iceman is correct. No EM4305 cmds have been written in the firmware yet. Feel free to add it in.
Offline
Thank both of you for the answer! I hadn't understood the use of em410xwrite...
Offline
Hello again, still working with EM4305 tags.
When using lf search, the card finds an EM410x pattern,
EM410x pattern found:
EM TAG ID : 4305FAA555
Unique TAG ID : C2A05FA5AA
(...)
When trying to get the same information by myself, once ASK/Manchester demodulated, I get the following sequence:
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
111111
That once rearranged gives the following values:
111111111
0100 1 x4
0011 0 x3
0000 0 x0
0101 0 x5
1111 0 xF
1010 0 xA
1010 0 xA
0101 0 x5
0101 0 x5
0101 0 x5
1000 0
This corresponds to the EM Tag ID found by lf search. My question is: where does the Unique TAG ID comes from? In this case is C2A05FA5AA. Shouldn't it be also contained in the demodulated data?
Thanks in advance!
Offline
the uniq id is a scrambled version of EM TAG ID.
Offline
as with the other ID's listed below the EM ID it is a subset of the EM ID as read by some commercial readers.
Offline
Good information. Thanks again!
Offline
to correct some information i said before:
actually the lf em readword and lf em writeword is such that it might work with an em4305 tag. seems to have been built for em4469/em4569 tags which share the same read/write commands as the em4305.
it appears the timings may need adjustment for some antenna's/pm3 hardware though as i was not able to get any commands to work without adjusting these for my em tags. (had to adjust the zero bit send off period to 20 and on to 12, from 23 and 9.)
you also would have to fully understand the memory map and datasheet of this tag as it can be a bit challenging to understand all the bit order stuff before attempting to write to it.
Offline
Excellent!
Do you have some EM4469/EM4569 tags also to test with? Or maybe someone else has?
Offline
i do not have any of the em4x69 tags. (that i am aware of at least. i do have some tags that don't seem to match either datasheet but respond to the read/write commands)
Offline
My fork now has a preliminary fully functioning readword and dump for the em4x05/em4x69. (Also the write cmd now will read back the verification msg from the card to validate it took)
I renamed the 'lf em readword' and 'lf em writeword' to
lf em 4x05readword
lf em 4x05writeword
And added
lf em 4x05dump
After some further testing and maybe a few other cmds for this chip I'll issue a pull request to the master repo.
Offline
Note also I renamed the other em chip commands to drop the redundant em in them. Like:
lf em em410xdemod
to:
lf em 410xdemod
Offline
Great job @Marshmellow!
May I suggest dropping the word part in the commands aswell. Make it more similar with all other read commands.
lf em 4x50read
lf em 4x50write
Offline
Great job @Marshmellow!
May I suggest dropping the word part in the commands aswell. Make it more similar with all other read commands.
We still need to separate it from default read mode. You don't have to type the whole thing out as the cmds work with only part of it typed in.
We aren't just reading the tag, we are reading the memory words on the chip.
Offline
Yes, we do need to separate it from default readmode indeed, just like t55xx commands which still follows easy short "read/write" command I think em would need something similar.
lf em read
lf em info
would give default read mode, and some kind of identification on current tag.
-- 4x50
lf em 4x50 read
lf em 4x50 write
lf em 4x50 dump
would give command mod, and rewritting em tags.
Offline
I've just created the pull request to bring the rebuild of the EM4x05/EM4x69 read and write commands that i've been working on to the master repo.
NOTE: ALL the lf em command structure has changed.
the old `lf em4x em4...` style was very redundant so it has been changed to `lf em 4...`
i also renamed the readword and writeword to more clearly be `lf em 4x05readword` and `lf em 4x05writeword` (and iceman was so kind to provide the merge of the pwd options into the main commands.)
also with this rewrite the new 4x05readword will automatically attempt to demod the response from the tag and output the results. this is much easier to do accurately on these chips over the t55xx chips due to the response protocol the chip follows.
the 4x05writeword will also attempt to read the chip response to validate the write was successful.
to summarize the new or re-written commands:
lf em 4x05readword [address] (pwd)
lf em 4x05writeword [address] [data] (pwd)
lf em 4x05info (pwd)
lf em 4x05dump (pwd)
Please note: em4x05 and em4x69 chips are compatible with these commands but other chips (like em4x50) are NOT and were never designed to be.
you may also notice the lf search now may sometimes indicate it found a valid em4x05 chip, after indicating the format and ID of the tag. (yes it is possible to find a valid HID tag and a valid EM4x05 chip.)
Offline
Pages: 1