Proxmark3 community


#1 2016-01-08 02:38:13

crispy
Contributor
Registered: 2015-07-14
Posts: 25

EM4x50 writing

Hi,

Doing an lf search of a tag showed that it was an EM4x50 tag:

----------------
Found data at sample: 6535 - using clock: 40
Block 0: cbe154d3
Block 1: xxxxxxxx
Block 2: xxxxxxxx
Block 3: xxxxxxxx
Block 4: xxxxxxxx
Block 5: xxxxxxxx
Parities Passed

Valid EM4x50 ID Found!
----------------

I tried to clone this tag to a new tag with t55x7 commands but it doesn't seem to work.  I have used t55x7 commands before to write some tags (eg pyramid) successfully.

I tried with both the latest 2.5 software and also an older r816 version.

I am not sure what could be wrong? Is the block 0 data correct?

lf t55xx writeblock xxxxxxxx 5
lf t55xx writeblock xxxxxxxx 4
lf t55xx writeblock xxxxxxxx 3
lf t55xx writeblock xxxxxxxx 2
lf t55xx writeblock xxxxxxxx 1
lf t55xx writeblock cbe154d3 0


lf t55xx wr b 0 d cbe154d3
lf t55xx wr b 1 d xxxxxxxx
lf t55xx wr b 2 d xxxxxxxx
lf t55xx wr b 3 d xxxxxxxx
lf t55xx wr b 4 d xxxxxxxx
lf t55xx wr b 5 d xxxxxxxx

Offline

#2 2016-01-08 08:31:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: EM4x50 writing

have you tried the "lf em*" commands?

Offline

#3 2016-01-08 17:29:57

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: EM4x50 writing

t55xx chips cannot emulate the EM4x50 chips.

Offline

#4 2016-01-09 12:52:09

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: EM4x50 writing

marshmellow wrote:

t55xx chips cannot emulate the EM4x50 chips.

Thanks! I did not think of this.  For em4x50 I can see that there is a read command but no write command.

But given we know the block data, can we write the blocks on a different chip in a similar way to writing t55xx chips? 

Can Q5 chips emulate EM4x50 chips? Are there commands to write block data to Q5 chips?

Offline

#5 2016-01-14 11:01:00

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: EM4x50 writing

marshmellow wrote:

t55xx chips cannot emulate the EM4x50 chips.

Are there any chips that the Proxmark can write to that can emulate the EM4x50 chips?

Offline

#6 2016-01-14 15:40:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: EM4x50 writing

the proxmark itself might be able to emulate the tags, but to my knowledge there is not a chip currently supported by the pm3 firmware that can emulate those chips...

Offline

#7 2016-01-14 18:23:37

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: EM4x50 writing

Hello Crispy,

Please help on how you have been able to clone pyramid type :D
I have Keri format N that uses pyramid demodulation.

Sorry about em4x50, I have not encountered such a card before.

Thanks

Offline

#8 2016-02-19 06:41:43

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: EM4x50 writing

marshmellow wrote:

the proxmark itself might be able to emulate the tags, but to my knowledge there is not a chip currently supported by the pm3 firmware that can emulate those chips...

Thanks again marshmellow for all your help.  When Googling I have found other devices that mention they can read & write em4x50 cards.  But when looking at em4x50 cards (eg. http://microcontrollershop.com/product_info.php?products_id=6072 ) it seems that they have a unique, read-only serial number and that I could only write to user data area. Is this correct?

You mention that there is no chip supported by the pm3 firmware that can emulate the em4x50 chips. Is there a chip that I should be looking at that may be supported by a different device?


Danz wrote:

Hello Crispy,

Please help on how you have been able to clone pyramid type :D

I see that Apt-Get has answered your post.

Offline

#9 2016-02-26 05:16:52

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: EM4x50 writing

crispy wrote:

Is there a chip that I should be looking at that may be supported by a different device?

Anyone?

Offline

#10 2016-02-26 21:11:01

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: EM4x50 writing

maybe a sim command could be built?

Danz, I cloned your tag, took a screenshot and posted the exact commands for your tag. I'm not sure how much more you need bro.. lol

Offline

#11 2016-03-19 03:22:26

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: EM4x50 writing

Apt-Get wrote:

maybe a sim command could be built?

So by this do you mean that there is no chip or magic card etc that can edit the block 0 / serial number (regardless of whether or not this is supported by pm3)?

Offline

#12 2016-09-15 20:59:09

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: EM4x50 writing

got the same problem with a car park / garage company card for entrance.
did you find any solution until now?

they use skidata cards - model keycard125 here.
sounds like the same problem in this thread: http://www.proxmark.org/forum/viewtopic.php?id=2020

mine states with lf search following result

Checking for known tags:
          
Found data at sample: 7706 - using clock: 40          
Block 0: 00010003          
Block 1: 00000000          
Block 2: 50363040          
Block 3: 00000000          
Block 4: 00000000          
Block 5: 00000000          
Parities Passed          

Valid EM4x50 ID Found!  

pm3 --> lf em em4x50read
gives me following results

pm3 --> lf em em4x50read

Note: one block = 50 bits (32 data, 12 parity, 6 marker)          

Block 0:          
00000000 0 -> 0x00          
00000001 1 -> 0x01          
00000000 0 -> 0x00          
00000011 0 -> 0x03          
          
00000010 0 -> 0x02          
Parity Passed          

Block 1:          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
          
00000000 0 -> 0x00          
Parity Passed          

Block 2:          
01010000 0 -> 0x50          
00110110 0 -> 0x36          
00110000 0 -> 0x30          
01000000 1 -> 0x40          
          
00010110 0 -> 0x16          
Parity Passed          

Block 3:          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
          
00000000 0 -> 0x00          
Parity Passed          

Block 4:          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
          
00000000 0 -> 0x00          
Parity Passed          

Block 5:          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
00000000 0 -> 0x00          
          
00000000 0 -> 0x00          
Parity Passed          
Found data at sample: 5822 - using clock: 40          
Block 0: 00010003          
Block 1: 00000000          
Block 2: 50363040          
Block 3: 00000000          
Block 4: 00000000          
Block 5: 00000000          
Parities Passed        

I tried like you, earlier before I read this, to clone it on a t5577 without success.
I guess, as lf t5 read b 0 (or whatever block) does not show any data when I read the skidata card, and only when I read a t5577 chip, it won't work to clone this type of tag to a t5577, because their reader won't accept it?

I just tried your block based write, did you set the password for block 0? A confirm with read did not show the data until I wrote it with p 0x0000000



btw: what is lf t5 special showing here?

original card:

pm3 --> lf t5 special
OFFSET | DATA  | BINARY          
----------------------------------------------------          
00 | 0x00000000 | 0000000000000000000000000000000          
01 | 0x00000000 | 0000000000000000000000000000000          
02 | 0x00000000 | 0000000000000000000000000000000          
03 | 0x00000000 | 0000000000000000000000000000000          
04 | 0x00000000 | 0000000000000000000000000000000          
05 | 0x00000000 | 0000000000000000000000000000000          
06 | 0x00000000 | 0000000000000000000000000000000          
07 | 0x00000000 | 0000000000000000000000000000000          
08 | 0x00000000 | 0000000000000000000000000000000          
09 | 0x00000000 | 0000000000000000000000000000000          
10 | 0x00000000 | 0000000000000000000000000000000          
11 | 0x00000000 | 0000000000000000000000000000000          
12 | 0x00000000 | 0000000000000000000000000000000          
13 | 0x00000000 | 0000000000000000000000000000000          
14 | 0x00000001 | 0000000000000000000000000000000          
15 | 0x00000003 | 0000000000000000000000000000001          
16 | 0x00000007 | 0000000000000000000000000000011          
17 | 0x0000000F | 0000000000000000000000000000111          
18 | 0x0000001F | 0000000000000000000000000001111          
19 | 0x0000003F | 0000000000000000000000000011111          
20 | 0x0000007F | 0000000000000000000000000111111          
21 | 0x000000FF | 0000000000000000000000001111111          
22 | 0x000001FF | 0000000000000000000000011111111          
23 | 0x000003FF | 0000000000000000000000111111111          
24 | 0x000007FF | 0000000000000000000001111111111          
25 | 0x00000FFF | 0000000000000000000011111111111          
26 | 0x00001FFF | 0000000000000000000111111111111          
27 | 0x00003FFF | 0000000000000000001111111111111          
28 | 0x00007FFF | 0000000000000000011111111111111          
29 | 0x0000FFFF | 0000000000000000111111111111111          
30 | 0x0001FFFF | 0000000000000001111111111111111          
31 | 0x0003FFFF | 0000000000000011111111111111111          
32 | 0x0007FFFF | 0000000000000111111111111111111          
33 | 0x000FFFFF | 0000000000001111111111111111111          
34 | 0x001FFFFF | 0000000000011111111111111111111          
35 | 0x003FFFFF | 0000000000111111111111111111111          
36 | 0x007FFFFF | 0000000001111111111111111111111          
37 | 0x00FFFFFF | 0000000011111111111111111111111          
38 | 0x01FFFFFF | 0000000111111111111111111111111          
39 | 0x03FFFFFF | 0000001111111111111111111111111          
40 | 0x07FFFFFF | 0000011111111111111111111111111          
41 | 0x0FFFFFFF | 0000111111111111111111111111111          
42 | 0x1FFFFFFF | 0001111111111111111111111111111          
43 | 0x3FFFFFFF | 0011111111111111111111111111111          
44 | 0x7FFFFFFF | 0111111111111111111111111111111          
45 | 0xFFFFFFFF | 1111111111111111111111111111111          
46 | 0xFFFFFFFF | 1111111111111111111111111111111          
47 | 0xFFFFFFFF | 1111111111111111111111111111111          
48 | 0xFFFFFFFF | 1111111111111111111111111111111          
49 | 0xFFFFFFFF | 1111111111111111111111111111111          
50 | 0xFFFFFFFF | 1111111111111111111111111111117          
51 | 0xFFFFFFFF | 1111111111111111111111111111177          
52 | 0xFFFFFFFE | 1111111111111111111111111111777          
53 | 0xFFFFFFFC | 1111111111111111111111111117770          
54 | 0xFFFFFFF8 | 1111111111111111111111111177700          
55 | 0xFFFFFFF0 | 1111111111111111111111111777000          
56 | 0xFFFFFFE0 | 1111111111111111111111117770000          
57 | 0xFFFFFFC0 | 1111111111111111111111177700000          
58 | 0xFFFFFF80 | 1111111111111111111111777000000          
59 | 0xFFFFFF00 | 1111111111111111111117770000000          
60 | 0xFFFFFE00 | 1111111111111111111177700000000          
61 | 0xFFFFFC00 | 1111111111111111111777000000000          
62 | 0xFFFFF800 | 1111111111111111117770000000000          
63 | 0xFFFFF000 | 1111111111111111177700000000000          
pm3 --> 

cloned t5577 tag

OFFSET | DATA  | BINARY          
----------------------------------------------------          
00 | 0xAAB55575 | 1010101010110101010101010111010          
01 | 0x556AAAEA | 0101010101101010101010101110101          
02 | 0xAAD555D5 | 1010101011010101010101011101010          
03 | 0x55AAABAA | 0101010110101010101010111010101          
04 | 0xAB555755 | 1010101101010101010101110101010          
05 | 0x56AAAEAA | 0101011010101010101011101010101          
06 | 0xAD555D55 | 1010110101010101010111010101010          
07 | 0x5AAABAAA | 0101101010101010101110101010101          
08 | 0xB5557555 | 1011010101010101011101010101010          
09 | 0x6AAAEAAA | 0110101010101010111010101010101          
10 | 0xD555D555 | 1101010101010101110101010101010          
11 | 0xAAABAAAA | 1010101010101011101010101010101          
12 | 0x55575554 | 0101010101010111010101010101010          
13 | 0xAAAEAAA9 | 1010101010101110101010101010100          
14 | 0x555D5552 | 0101010101011101010101010101001          
15 | 0xAABAAAA5 | 1010101010111010101010101010010          
16 | 0x5575554A | 0101010101110101010101010100101          
17 | 0xAAEAAA95 | 1010101011101010101010101001010          
18 | 0x55D5552A | 0101010111010101010101010010101          
19 | 0xABAAAA55 | 1010101110101010101010100101010          
20 | 0x575554AA | 0101011101010101010101001010101          
21 | 0xAEAAA955 | 1010111010101010101010010101010          
22 | 0x5D5552AA | 0101110101010101010100101010101          
23 | 0xBAAAA555 | 1011101010101010101001010101010          
24 | 0x75554AAA | 0111010101010101010010101010101          
25 | 0xEAAA9555 | 1110101010101010100101010101010          
26 | 0xD5552AAA | 1101010101010101001010101010101          
27 | 0xAAAA5554 | 1010101010101010010101010101010          
28 | 0x5554AAA8 | 0101010101010100101010101010100          
29 | 0xAAA95551 | 1010101010101001010101010101000          
30 | 0x5552AAA2 | 0101010101010010101010101010001          
31 | 0xAAA55545 | 1010101010100101010101010100010          
32 | 0x554AAA8A | 0101010101001010101010101000101          
33 | 0xAA955515 | 1010101010010101010101010001010          
34 | 0x552AAA2A | 0101010100101010101010100010101          
35 | 0xAA555455 | 1010101001010101010101000101010          
36 | 0x54AAA8AA | 0101010010101010101010001010101          
37 | 0xA9555155 | 1010100101010101010100010101010          
38 | 0x52AAA2AA | 0101001010101010101000101010101          
39 | 0xA5554555 | 1010010101010101010001010101010          
40 | 0x4AAA8AAA | 0100101010101010100010101010101          
41 | 0x95551555 | 1001010101010101000101010101010          
42 | 0x2AAA2AAA | 0010101010101010001010101010101          
43 | 0x55545555 | 0101010101010100010101010101010          
44 | 0xAAA8AAAB | 1010101010101000101010101010101          
45 | 0x55515556 | 0101010101010001010101010101011          
46 | 0xAAA2AAAD | 1010101010100010101010101010110          
47 | 0x5545555A | 0101010101000101010101010101101          
48 | 0xAA8AAAB5 | 1010101010001010101010101011010          
49 | 0x5515556A | 0101010100010101010101010110101          
50 | 0xAA2AAAD5 | 1010101000101010101010101101010          
51 | 0x545555AA | 0101010001010101010101011010101          
52 | 0xA8AAAB55 | 1010100010101010101010110101010          
53 | 0x515556AA | 0101000101010101010101101010101          
54 | 0xA2AAAD55 | 1010001010101010101011010101010          
55 | 0x45555AAA | 0100010101010101010110101010101          
56 | 0x8AAAB555 | 1000101010101010101101010101010          
57 | 0x15556AAA | 0001010101010101011010101010101          
58 | 0x2AAAD555 | 0010101010101010110101010101010          
59 | 0x5555AAAB | 0101010101010101101010101010101          
60 | 0xAAAB5557 | 1010101010101011010101010101011          
61 | 0x5556AAAE | 0101010101010110101010101010111          
62 | 0xAAAD555D | 1010101010101101010101010101110          
63 | 0x555AAABA | 0101010101011010101010101011101 

Offline
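
Added example, not part of HighPressure's post or of the Proxmark3 code: a Python check that re-derives the parity shown in the `lf em em4x50read` output above. It assumes, consistent with that output, even parity per byte row, a column-parity byte equal to the XOR of the four data bytes, and a trailing 0 bit; the function names are hypothetical.

```python
import re
from functools import reduce

# Blocks 0 and 2 copied from the em4x50read output in post #12.
SAMPLE = """\
Block 0:
00000000 0 -> 0x00
00000001 1 -> 0x01
00000000 0 -> 0x00
00000011 0 -> 0x03

00000010 0 -> 0x02
Parity Passed

Block 2:
01010000 0 -> 0x50
00110110 0 -> 0x36
00110000 0 -> 0x30
01000000 1 -> 0x40

00010110 0 -> 0x16
Parity Passed
"""

HDR = re.compile(r"^Block (\d+):\s*$")
ROW = re.compile(r"^([01]{8}) ([01]) -> 0x([0-9A-Fa-f]{2})\s*$")

def parse_blocks(text):
    """Return {block_no: [(byte, trailing_bit), ...]} from the printed rows."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if (h := HDR.match(line)):
            cur = blocks.setdefault(int(h.group(1)), [])
        elif (r := ROW.match(line)) and cur is not None:
            byte = int(r.group(1), 2)
            if byte != int(r.group(3), 16):
                raise ValueError(f"binary/hex mismatch: {line.strip()}")
            cur.append((byte, int(r.group(2))))
    return blocks

def check_block(rows):
    """Return (32-bit word as hex, list of parity problems) for one block."""
    if len(rows) != 5:
        return None, ["expected 4 data rows and 1 column-parity row"]
    data, (col, stop) = rows[:4], rows[4]
    problems = [f"row {i} parity" for i, (b, p) in enumerate(data)
                if bin(b).count("1") % 2 != p]          # assumed even parity
    diff = reduce(lambda a, b: a ^ b, (b for b, _ in data)) ^ col
    if diff:
        # Set bits in the mask mark the columns whose parity is wrong.
        problems.append(f"column parity mask 0x{diff:02x}")
    if stop != 0:                                        # assumed stop bit
        problems.append("stop bit")
    return "".join(f"{b:02x}" for b, _ in data), problems

def verify(text):
    return {n: check_block(rows) for n, rows in parse_blocks(text).items()}

if __name__ == "__main__":
    for n, (word, problems) in verify(SAMPLE).items():
        print(f"Block {n}: {word} {'OK' if not problems else problems}")
```

The recovered words match the `Block 0: 00010003` and `Block 2: 50363040` summary lines in the same post; a failing row together with the column mask points at the single bit that was misread.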

#13 2016-10-18 16:21:00

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: EM4x50 writing

I was looking for some documents regarding writing


http://pub.ucpros.com/download/28440-RFID-Read-Write-Documentation-v1.0.pdf
there is also a link to a sample app for writing together with this reader/writer: https://www.parallax.com/product/28440
here the sample app: http://playground.arduino.cc/Learning/ParallaxRFIDreadwritemodule
it shows how to read em4x50 and when you scroll on a little it talks about writing too.

and as this is not good enough maybe, I found this sample code on their site which is coming in C and covers passwords too, with em4x50 reading and writing: https://www.parallax.com/downloads/rfid-readwrite-module-arduino-code-example


too bad that I am not that good in programming, but maybe someone else is and can provide the code, so iceman doesn't have to do all the work :)


ps: here are cards available too: http://microcontrollershop.com/product_info.php?products_id=6072
but UID seems not to be changeable from what I can read there. AliExpress doesn't offer anything when I search for em4x50

Offline

#14 2016-10-18 16:38:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: EM4x50 writing

there is a PR for PM3 Master https://github.com/Proxmark/proxmark3/pull/171 which deals with EM4x50

I know that my tick-timers changes might have screwed up the em4x50 part.  Think I fixed it one week ago.
But it still needs checking.  Would you mind doing some tests again?

Offline

#15 2016-10-18 16:40:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: EM4x50 writing

We would also need a "em4x50 info" command.  Which gives more details to the current configuration of the tag read.

Offline

#16 2016-10-18 17:22:10

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: EM4x50 writing

Reading was always fine in the last builds of yours
I rebuilt today with your last one.
Wanted to see if I get other stuff with data commands but seems to be all legit. Was just wondering as all the digits printed on the card seem not to be part of the data read from the card.

So I can read the blocks.. But what then?
Can't emulate it nor write it somewhere.
So I did a search for how others write stuff

I thought an emu or writer could be possible maybe

Offline

#17 2016-10-18 17:25:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: EM4x50 writing

If EM4x50 only have five datablocks then you should be able to make a clone onto a t55x7.

Look in the current cmdlfem4x.c code.

lf sim should work..

Offline

#18 2016-10-18 17:54:17

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: EM4x50 writing

Would you do it as described in my previous posts?
Cause both of us, thread starter and me, have the same issue that lf search after writing doesn't recognize the token, as well as the normal reader does not accept the card.

I'm gonna post maybe tomorrow my findings when I can test it in front of the real reader.


*edit*

Ah ok.. Maybe lf sim did not work due to it only works with the main build.
Gonna test that tomorrow too

Last edited by HighPressure (2016-10-18 17:55:09)

Offline

#19 2016-10-18 18:25:49

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: EM4x50 writing

t55x7 cannot be used to clone the tag as they output in a different sequence protocol

Last edited by marshmellow (2016-10-18 18:27:56)

Offline

#20 2016-10-18 18:33:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: EM4x50 writing

I stand corrected. Good to have you back, @marshmellow.

Question: is there some equivalent to T55x7 that can output EM4x50?

Offline

#21 2016-10-18 20:55:07

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: EM4x50 writing

only an EM4x50 as far as I know.  (they are writable.)

ps. been very busy lately.  sorry that I haven't kept up with the coding...

Offline

#22 2016-10-18 20:58:08

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: EM4x50 writing

unfortunately there are some custom versions that output with non-standard bit rates that can be very hard to source.  (they aren't as flexible or customizable as the t55x7s)

Offline

#23 2017-02-18 19:49:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: EM4x50 writing

Good for us that you got some time over then :)   The enhanced em commands are looking good so far.

Offline
