Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hi guys,
I am currently looking at simulating a EM41x fob for that are used as an entry system for a door. The system is a Proxlock PSR 630 which uses FOBs that appear to be EM4102's, having a look at the data I got out for a tag it was as follows:
(I run the following):
lf read (I believe this lets it now i want LF tags -- I am not sure on this)
data samples 10000 (collect 10K samples, more is more!)
data askdemod (demodulate ASK)
data mandemod (manchester demod)
And I get the following:
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
1 1 1 0 0 0 0 1 1 1 1 1 1 1 1 1
1 1 1 0 0 0 0 0 1 0 1 1 1 0 0 1
1 1 0 0 1 1 0 1 1 1 0 1 1 1 0 0
0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1
The decimal value on the tag is "8021633"
If I reverse the stream and try the EM41x format it works out okay to "0f007a6681" which corresponds to the hex value for my tag (7a6681).
I built a small webapp to try take the stream and forward/reverse/invert/invert+reverse to decode it to check it works at http://www.andrewmohawk.com/EM41X/, defaulted it to this code so you can see it works. This also decodes via lf em4x em410xwatch.
My proxmark is running fpga/os/bootrom 622 from the SVN.
So next I went to the door to try and open it, I attempted to do:
lf em4x em410x 0f007a6681
lf em4x em410x f007a6681
lf em4x em410x 007a6681
lf em4x em410x 07a6681
lf em4x em410x 7a6681
These didn't seem to work so i attempted to do it manually:
lf simman 64 1111111110000011110000000000001111101000110001100100010001110110
lf simman 64 0000011110000000000001111101000110001100100010001110110
However this also failed
I next tried replaying the tag from my buffer with:
lf sim
Still no win on the door. I am running this all on a netbook (mini 1012) and since updating to 622 it seems a tad more unstable (often have to replug the proxmark). When holding the antenna and proxmark directly against the reader no other tags work at opening the door (I assume due to interference) - so I think that its transmitting okay. I also assume transmission should be okay because I can easily read the tags so the antenna should be tuned okay.
If anyone can help me in debugging this (I do not have a second proxmark so its difficult to know exactly what is being transmitted) or why it didnt work.
Really appreciate it.
Regards,
Andrew
Offline
I think there is some trouble since the firmware r619. As you can see some of the code was removed:
https://code.google.com/p/proxmark3/source/diff?spec=svn619&r=619&format=side&path=/trunk/armsrc/lfops.c
Sometimes I can simulate EM-tags / manchester coding with the latest firmware, but only when the antenna are very close to the reader.
Flashed to an old firmware (r595) and the simulation range of my antenna become 4-5 times better.
Would be nice if someone could take a look at the code and maybe revert back or adjust it in upcoming firmware releases?
Offline
Hi,
I didn't actually have any problems simulating the tags once I had inverted the binary (0s to 1s, 1s to 0s), as the reader I was testing for some reason Manchester decoded in the opposite way (I presume).
The biggest problem I had however was during transmission if my antenna was not a nice square I could seldom get TX working, after I had changed it to be a nice square I could reliably do it from about the same distance as the tags worked.
-AM
Offline
Pages: 1