Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-09-20 23:45:00

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Formatting needed to write to a EM4305?

So purchased some RFIDs from China and when I try to lf search, it doesn't return any data nor can I write to it.  I have to wait until Monday to talk to the supplier so the last message I have from them is that I needed to format the EM4305 before I can write to it.

Wanted to check with the this group if this makes sense.  If so, would someone be able to point me to the commands, wiki, documentation on how to format a EM4305 so I can write to it?  Chips have 512 mem.

Offline

#2 2019-09-21 04:59:49

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Formatting needed to write to a EM4305?

Not sure what they mean by format.  Maybe they mean write the data to the card to emulate a card (e.g. EM4100)

Have you tried the lf em 4x05 commands ?
From memory the default password will be 00000000 which if not supplied should be the default.

try something like this

lf em 4x05_read 7
-> read block 7 (should be 00000000 on a new card)
lf em 4x05_write 7 12345678
-> will write 12345678 to block 7
now, read back
lf em 4x05_read 7
-> read block 7 (should new be 12345678)

Offline

#3 2019-09-21 18:26:49

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

Thank for the reply mwalker.

I tried and get a Read Address 07 | failed

Offline

#4 2019-09-21 19:17:06

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Formatting needed to write to a EM4305?

lf read
If you can see data, then "needed to format"=needed password... China..

Offline

#5 2019-09-22 14:48:05

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

@anybody

lf read outputs:
proxmark3> lf read
#db# LF Sampling config:           
#db#   [q] divisor:           95           
#db#   [b.] bps:               8           
#db#   [d] decimation:        1           
#db#   [a] averaging:         1           
#db#   [t] trigger threshold: 0           
#db#   [s.] samples to skip:   0           
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample         
#db# buffer samples: 9f a3 a3 a4 a3 a3 a0 9f ...         
Reading 39999 bytes from device memory
         
Data fetched         
Samples @ 8 bits/smpl, decimation 1:1

Does that mean it can "see" data?  Needs a password?

Offline

#6 2019-09-23 03:48:24

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Formatting needed to write to a EM4305?

gcfiend wrote:

Thank for the reply mwalker.

I tried and get a Read Address 07 | failed

On a new card the "use password" flags in the config should not be set, thus no need for a password.

You could try with the default password.

e.g.
    lf em 4x05_read 7 00000000

Did you supplier come back with anything ?

Side note: I have seen amazon suppliers just sell cards calling them X but sending Y (I am sure they dont know what they are).
e.g. I ordered 20 EM4305 and they come "setup" as EM4100 tags and were T5200 (T5577 almost) chips (so not even close).

As such, just to check, try
    lf t55 detect
And see if anything comes back.

Offline

#7 2019-09-23 05:16:03

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

@mwalker

I have a meeting with the supplier tomorrow.  She's supposed to send me a video.

Here's my results:

proxmark3>  lf em 4x05read 7 00000000
Reading address 07 | password 00000000         
Read Address 07 | failed 

Tried the t55 and got this:

proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Not familiar with that command so not sure what manual config to put.

Appreciate the replies!

Offline

#8 2019-09-23 05:40:21

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Formatting needed to write to a EM4305?

For new cards, usually no passwords are needed. These are new cards, but .. "checked" by the seller ..
I received cards with a set password from Chinese sellers .. "Everything is checked, everything works. You need our duplicator." In my case it was 51243648.
I agree, maybe T5200.

Last edited by anybody (2019-09-23 05:59:59)

Offline

#9 2019-09-23 18:36:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Formatting needed to write to a EM4305?

ha,  checked with a blue / white gun. That made me laugh.

Offline

#10 2019-09-24 04:23:48

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

So I spoke with the person in China and they said because it's not formatted I need a writer like this one:  https://www.newegg.com/p/2ZM-0112-002X5

Is this valid?

Offline

#11 2019-09-24 05:57:31

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Formatting needed to write to a EM4305?

Without knowing what you really have its all a little weird.

A real EM4305 would not need formatting.  Its a card with a fixed block layout, no password set, ready to read and write.
A real T55xx same as, no formatting needed.

Of course you do need to write the config and data to the cards in order for them to "emulate" real cards like the HID Proxcard II, EM4100 etc, but that can be done with the pm3 no problems.

A quick look at the unit in your link, that just looks like a programmer OF the 4305 etc.

So I am guessing there is some sort of password on the card.
The EM4305 should allow reading of block 0/1 even if a password is set.

So lets try
lf em 4x05_read 0
lf em 4x05_read 1

what firmware are you running on the proxmark ?  some of the T55xx is a little different between the rrg and official repos.

Offline

#12 2019-09-25 14:40:02

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

Prox/RFID mark3 RFID instrument         
bootrom: master/v3.1.0-118-g096dee1-suspect 2019-07-22 23:14:08
os: master/v3.1.0-118-g096dee1-suspect 2019-07-22 23:14:09
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available
         
uC: AT91SAM7S256 Rev C         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes. Used: 210815 bytes (80). Free: 51329 bytes (20).         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
proxmark3> lf em 4x05readword 0
Reading address 00         
Read Address 00 | failed         
proxmark3> lf em 4x05readword 1
Reading address 01         
Read Address 01 | failed         
proxmark3>


I'll see if I can get more detail on the RFID.  The detail that they gave me was that these chips are blank and need to be formatted with a writer like the link that was posted.

Offline

#13 2019-09-25 15:01:10

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Formatting needed to write to a EM4305?

Try pwd 05D73B9F
And..

Would be nice to get a trace file.  Share it?

lf read
data save em4305.pm3

Last edited by anybody (2019-09-25 15:11:52)

Offline

#14 2019-09-25 21:50:20

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

Quick update.  I purchased this RFID writer\reader to validate what the tech said from China.  https://www.amazon.com/HFeng-125Khz-Handheld-Duplicator-Programmer/dp/B07DQR7GW9/ref=asc_df_B07DQR7GW9/?tag=hyprod-20&linkCode=df0&hvadid=242012522334&hvpos=1o2&hvnetw=g&hvrand=4312849785567228141&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9030098&hvtargid=pla-489511983358&psc=1

To my surprise, I was able clone a good em4305 (another one I had that works with Proxmark) to the "blank" rfid.  lf search finally works.  I'm trying to edit line 6 =  lf em 4x05write a 6 d 5A003000, but it won't allow me to edit it.  Wierd...

Does this site have the ability to share files?  If not, I'll have to dropbox or something.  Here's a snip it . (not sure if the snip it even helps.. way past my skill level)

-25
-25
-24
-23
-23
-23
-22
-21
-14
-7
-3
1
3
6
6
8
8
8
7
6
6
6
5
5
3
2
1
0
-1
-2
-3
-3
-4
-5
-6
-7
-8
-7
-8
-8
-10
-14
-18
-22
-26
-31
-35
-38
-40
-41
-42
-41
-41
-40
-38
-36
-35
-34
-33
-31
-30
-29
-28
-27
-26
-25
-24
-23
-23
-22
-23
-21
-14
-7
-3
1
4
6
7
9
9
8
6
7
8
8
5
4
2
2
1
0
-1
-1
-3
-3
-4
-5
-6
-7
-6
-7
-7
-7
-9
-12
-17
-21
-26
-31
-35
-38
-40
-41
-42
-41
-40
-39
-38
-37
-35
-32
-32
-31
-29
-28
-28
-27
-26
-25
-24
-23
-23
-23
-22
-21
-13
-7
-3
1
4
7
8
9
9
10
9
7
6
6
5
5
4
3
2
1
-1
-1
-2
-3
-5
-5
-7
-7
-6
-7
-7
-8
-9
-12
-17
-21
-25
-29
-34
-38
-41
-41
-41
-41
-40
-39
-38
-36
-35
-34
-32
-31
-30
-29
-28
-26
-25
-24
-24
-23
-23
-21
-21
-20
-13
-7
-4
0
4
7
8
9
8
9
8
8
7
6
5
6
4
2
1
0
-1
-1
-3
-3
-5
-5
-4
-5
-6
-7
-8
-8
-10
-13
-17
-21
-26
-31
-35
-38
-41
-42
-41
-40
-3

Offline

#15 2019-09-25 22:23:55

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Formatting needed to write to a EM4305?

Do the lf em 4x05 commands work now?
Can you post the output of the lf search that showed it was a 4x05.

Offline

#16 2019-09-26 05:40:00

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Formatting needed to write to a EM4305?

@gcfiend, can you share traces from your Chinese device?

Offline

#17 2019-09-26 15:12:22

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

em command work.

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
         

Checking for known tags:
         
EM410x pattern found:           

EM TAG ID      : 0000000C31         

Possible de-scramble patterns         
Unique TAG ID  : 000000308C         
HoneyWell IdentKey {         
DEZ 8          : 00003121         
DEZ 10         : 0000003121         
DEZ 5.5        : 00000.03121         
DEZ 3.5A       : 000.03121         
DEZ 3.5B       : 000.03121         
DEZ 3.5C       : 000.03121         
DEZ 14/IK2     : 00000000003121         
DEZ 15/IK3     : 000000000012428         
DEZ 20/ZK      : 00000000000003000812         
}
Other          : 03121_000_00003121         
Pattern Paxton : 1329713 [0x144A31]         
Pattern 1      : 2636 [0xA4C]         
Pattern Sebury : 3121 0 3121  [0xC31 0x0 0xC31]         

Valid EM410x ID Found!         

Valid EM4x05/EM4x69 Chip Found
Try lf em 4x05... commands

Although once i zap the thing with the Handheld RFID reader, I can't use the Proxmark to edit, for example, address 7.

@anybody - when you say "share traces from you Chinese device", can you elaborate?

Offline

#18 2019-09-26 18:39:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Formatting needed to write to a EM4305?

most likely your handheld chinese cloner configures your card with password protection.   You would need to figure out which password it uses in order to "liberate" your cards once again. 
In order to sort that, you will need to master the art of sniffing the traffic between cloner / tag with your proxmark when you run the cloner...

Offline

#19 2019-09-27 01:48:51

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Formatting needed to write to a EM4305?

Its sounding more like a EM4x69 then the EM4x05
A quick scan of the EM4169 data sheet

EEPROM organization
The EEPROM is organized in 8 words of 16 bits. EEPROM words are counted from 0 to 7. Bits in an EEPROM word are counted
from 0 to 15. When EEPROM readout is initiated (after POR or after return from command to read mode) read out is started from
word 0 and increments to word 7. Readout in a word is started by bit 0 and then increments up to bit 15. After word 7 bit 15 is
read readout continues with word 0 bit 0 without any pause. So it is very important to organize data written in EEPROM in a way
that reader can detect the position of bits in data stream. For Manchester encoding Word 0 and word 4 are factory programmed
and locked (see figure 7a), for BI-phase encoding the 8 words are user free (see figure 7b and 7c). Following tables show how
standard versions are factory programmed.

src : https://www.digchip.com/datasheets/parts/datasheet/147/EM4169-pdf.php

The way it reads, it tends to match with the sellers comment about "formatting" the card.
Also explain why the em4x05 commands don't work (even when blank)

Next step would be to as per @anybody request.  Use the PM3 to capture what the "format/programmer" is sending.
I would try a capture without a card and one with the card (between the PM3 and programmer)

Offline

#20 2019-09-27 17:25:55

gcfiend
Contributor
Registered: 2019-07-22
Posts: 15

Re: Formatting needed to write to a EM4305?

Ok, thank you.  I'll capture a trace and upload to a file share.

@iceman - I ordered another "writer" that I can connect to a PC.  There appears to be software that would allow more flexibility so I'll probably end up just returning handheld.... although this would be a great opportunity to learn how to sniff traffic since a use case does present itself smile

Last edited by gcfiend (2019-09-27 18:02:39)

Offline

#21 2019-09-28 10:10:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Formatting needed to write to a EM4305?

You should definitly learn to sniff it.  Mrwalker is quite good at it.

Offline

#22 2019-09-29 02:29:49

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Formatting needed to write to a EM4305?

@gcfiend

To start the sniffing process.  note there are some little difference between the rrg repo and the official repo.  I think you are on the official?

To get started try this.
pm3> data plot
This should bring up the wave form window.
pm3> lf config t 64
This will tell the proxmark to wait until i sample is > 64 (else it will just return lots of 0 samples)
pm3> lf snoop
then place the programmer over proxmark lf antenna and press the program button on the programmer/cloner.

All going well you should see a wave form on the screen.
You can then save that with
pm3> data save <filename>

Offline

Board footer

Powered by FluxBB