Proxmark3 community

AndrewMac

Member

Registered: 2011-08-16

Posts: 3

EM41x Tags

Hi Guys,

I've been playing around with some EM410x tags that are used on various entry systems and just thought I'd post an update here:

* Your antenna shape matters ALOT between reading and writing
   - I can read it with almost any shape, but transmitting it works best when my wire antenna is in a square ( like http://store.qkits.com/images/AN0301lrg.jpg )

* lf em4x em41xwatch / lf em4x em41xread
  - Antenna shape here generally means you get less errors

* lf em4x em41xsim <uid>
- This works most of the time with the tags, however I did notice in testing that various systems actually INVERT the tag

When using it this was my general approach:
- Read tag using:
-- lf read (dont know why, but i seem to HAVE to do this)
-- data samples 2000 (more is better, but 2K seems to consistently work)
-- data askdemod
-- data mandemod 0 (0 is important, but not for how I do it)

Once I have the data from mandemod I generally throw it into a webapp I built over at http://andrewmohawk.com/EM41X/ (i'll improve this in the next few days to have it actually show the parities and so on).  From here I can just hit Decode (if you have the number on the badge, throw that in too as its nice to see which match the badge)

After this I take the ones that have matched on the tag and parity and copy the binary for this string. Then to replay the tag I simply run lf simman 64 111111111<binary_that_i_copied> 10

Lastly on some tags this had to be reversed, so it would be something like: lf simman 64 0000000<inverted_binary_that_i_copied> 10

I suspect that if this is commonly found elsewhere both lfsimman and em41xsim should have reverse options to reverse the binary.

</2c>
-Andrew