Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
I would like to ask for your help about an RFID tag that is expressly claimed to be a MIFARE key (ISO14443A), because I know you are REALLY GOOD at RFID; my interests are algos and I am really not good at electronics...
I have a 13.56 MHz reader/writer bought from http://www.stronglink.cn/english/reader.htm (model SL500F) and it is REALLY good at reading and also writing ISO14443A/B and ISO15693 (regretfully, it is not able to sniff), but the strange thing is that it is NOT able to access that mifare tag... my questions are 2:
1) Is it possible that it is a Mifare 1K at 125 kHz? I don't think so because ISO 14443A + Mifare = 13.56 MHz, but I ask you for confirmation...
2) Is it possible that I am NOT ABLE to use the software with Mifare? I mean I only used my reader/writer for SRIX4K (ISO14443B 13.56 MHz) and it works GREAT, but I don't have other spare mifare tags. I attach a screenshot of the reader/writer free software and I ask you to tell me what PURSE FUNCTION (top left of the image) is, maybe I set a wrong value there:
3) The last possibility is that IT'S NOT a Mifare but an old model. I attach the opened key contents:
The smaller one was a really old model with the antenna built externally (it had been removed because it was damaged during the opening operations).
Thank you very much for your help !
Last edited by asper (2013-04-28 10:14:07)
Offline
If anyone is interested I can send them the key to make some tests with, I will pay all the shipping costs! Is there anyone who can do me this favour? THANK YOU EVERYBODY IN ADVANCE!
Offline
Definitely it is NOT a mifare tag (100% sure about that); it is a custom RFID device.
Last edited by asper (2011-10-16 07:45:41)
Offline
Definitely it is NOT a mifare tag (100% sure about that); it is a custom RFID device.
1) You can contact Laser21, he has some cheap Proxmark3. Tell him that I told you.
2) You can send me the tags. I'll try to read them using my Pmark3. Contact me using internal DM if you want.
cheers.
Offline
I answered you, check mail.
Offline
Maybe it is UHF tag?
Offline
Absolutely not, it is probably 95% an LF tag (4% HF tag or 1% custom frequency tag); 100% sure it is not a standard communication because it went on the market before the RFID ISO standards came out.
Last edited by asper (2011-10-16 18:34:16)
Offline
Where are these tags used? What city, area, etc.? Can you see any logos or numbers/symbols on it?
Offline
Laundry/vending, used almost worldwide (USA and Europe) before 2007.
Offline
Is any of you able to understand, from the number of turns and from the capacitor value, the approximate tag frequency?
You can use the 5 euro-cent coin as a length reference (21.25 mm); thickness is under 1 mm and the antenna is in a double layer.
http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf (page 11 or page 12 - I am not good at that...)
Anyway, after some other tests it seems to react to 6.32 MHz, maybe some frequency under that (e.g. divided by 2 = 3.11 or similar).
EDIT: did some test with some 14a 14b and 15 commands... here are the results... any idea ?
(last command, hf 15 read, was followed by data hexsamples but no results)
Last edited by asper (2011-10-24 17:41:07)
Offline
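The question above (estimating a tag's frequency from its coil and tuning capacitor) comes down to the LC resonance formula f = 1 / (2π√(LC)), plus some way to estimate the coil's inductance from its geometry. The following is an added example, not code from the thread or from the Proxmark3 project: it estimates a flat spiral coil's inductance with the Mohan et al. (1999) current-sheet approximation (an approximation, not the exact AN710 procedure), converts between inductance, capacitance and resonant frequency, and snaps a measured frequency to the nearest common RFID band from the AN411 list quoted later in this thread. The 4-turn, 40 mm / 30 mm coil and the 6.32 MHz reading used in the demo are constructed sample values.

```python
import math

MU0 = 4 * math.pi * 1e-7  # permeability of free space, H/m

# Common RFID carrier frequencies (the AN411 list quoted in the thread).
# The 0..135 kHz band is represented by its usual 125 kHz centre.
COMMON_BANDS_HZ = {
    "125 kHz (0..135 kHz LF band)": 125e3,
    "400 kHz": 400e3,
    "6.78 MHz": 6.78e6,
    "13.56 MHz": 13.56e6,
    "27.125 MHz": 27.125e6,
    "40.68 MHz": 40.68e6,
    "433.29 MHz": 433.29e6,
    "869 MHz": 869e6,
    "915 MHz": 915e6,
    "2.45 GHz": 2.45e9,
}


def resonant_frequency(inductance_h, capacitance_f):
    """Resonant frequency of the tag's LC tank: f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2 * math.pi * math.sqrt(inductance_h * capacitance_f))


def capacitance_for(frequency_hz, inductance_h):
    """Tuning capacitor that brings a coil of the given inductance to frequency_hz."""
    return 1.0 / ((2 * math.pi * frequency_hz) ** 2 * inductance_h)


def spiral_inductance(turns, d_outer_m, d_inner_m):
    """Approximate inductance of a flat circular spiral coil.

    Current-sheet expression of Mohan et al. (1999) with the circular-shape
    coefficients c1=1.00, c2=2.46, c3=0.00, c4=0.20. 'turns' is the total
    turn count (count both layers of a two-layer coil); for a tightly
    coupled double layer this is a rough estimate, typically within 10-20 %.
    """
    d_avg = (d_outer_m + d_inner_m) / 2.0
    rho = (d_outer_m - d_inner_m) / (d_outer_m + d_inner_m)  # fill ratio
    c1, c2, c3, c4 = 1.00, 2.46, 0.00, 0.20
    return (MU0 * turns ** 2 * d_avg * c1 / 2.0) * (
        math.log(c2 / rho) + c3 * rho + c4 * rho ** 2)


def nearest_band(frequency_hz):
    """Return (label, ratio) of the common band closest (on a log scale) to a measurement."""
    label = min(COMMON_BANDS_HZ,
                key=lambda k: abs(math.log(frequency_hz / COMMON_BANDS_HZ[k])))
    return label, frequency_hz / COMMON_BANDS_HZ[label]


if __name__ == "__main__":
    # Constructed coil: 4 turns, 40 mm outer / 30 mm inner diameter (assumed values).
    coil_l = spiral_inductance(turns=4, d_outer_m=0.040, d_inner_m=0.030)
    print(f"estimated coil inductance: {coil_l * 1e6:.2f} uH")
    for f in (125e3, 13.56e6):
        print(f"capacitor to tune it to {f / 1e6:.3f} MHz: "
              f"{capacitance_for(f, coil_l) * 1e12:.0f} pF")
    # Constructed measurement: the tag seemed to react around 6.32 MHz.
    print(nearest_band(6.32e6))
```

A 4-turn coil of that size comes out near 1 µH, which tunes to 13.56 MHz with roughly 140 pF; tuning the same coil to 125 kHz would need over 1 µF, which is why LF tags use coils of hundreds of turns. Counting turns and reading the capacitor marking therefore separates LF from HF designs even before a tuned measurement.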
Can someone tell me what command to send? I can also access the official reader... any command to snoop?
Would a "higet" command help me determine what tag it is?
Last edited by asper (2011-10-25 08:33:47)
Offline
I resume this post:
I did some more tests using HF and LF antennas to identify the working frequency of that tag:
I have a little voltage INCREMENT only at 13.56 MHz (from 10.15 V to 10.28); should that mean that the frequency is LOWER than 13.56? The chip was manufactured by EM Microelectronic in 2000-2002 and is not a common chip but a custom one called H4062 (H was used by EM Microelectronic before the introduction of the EM suffix before the chip number, so it is an old chip with absolutely no documentation of it).
EM Microelectronic sheets (factsheets and/or datasheets) you can find on the web:
H4001 125 kHz Read only, 64 Bit
EM4102/H4102 125 kHz Read only, 64 Bit
H4003 125 kHz - 3.25 MHz Read only, 64 Bit
EM4005/EM4105 100~150 kHz Read only, 128 Bit ISO 11784/85 Compatible
EM4006/H4006 13.56 MHz Read only, 64 Bit
EM4022/P4022 Multifrequency NONE (64 Bit UID)
EM4025/EM4125 100~150 kHz Read only, 55 Bit
EM4026 125 kHz Read only, 64 Bit
EM4033 13.56 MHz Read only, 64 Bit ISO 15693
EM4034 13.56 MHz R/W, 448 Bit ISO 15693
EM4035 13.56 MHz R/W, 3.2K Bit ISO 15693
V4050 125 KHz R/W, 1024 Bit
V4070 125 kHz R/W, 160 Bit
V4082 ROM, 64 Bit
P4092 100~150 kHz Base Station
EM4055 125 kHz R/W, 1K Bit
EM4056/P4056 100~150 kHz R/W, 2K Bit
EM4069/EM4169 100~150 kHz R/W, 128 Bit
EM4083 115~140 kHz R/W, 512 Bit
EM4094 13.56 MHz Base Station ISO 15693-14443A/B
EM4095 125 kHz Booster Circuit
EM4100 100~150 kHz Read only, 64 Bit
EM4102 125 kHz Read only, 64 Bit
EM4105/EM4005 125 kHz Read only, 128 Bit
EM4122 860~960 MHz Read only, 64 Bit
EM4123 (replaces EM4122) 860~960 MHz Read only, 64 Bit
EM4124 860~960 MHz R/W, 176 Bits ISO18000
EM4126 860~960 MHz R/W, 224 Bits ISO18000
EM4133 13.56 MHz R/W, 512 Bit ISO 15693
EM4135 13.56 MHz R/W, 2432 Bit ISO 15693
EM4150/EM4350 100~150 kHz R/W, 1K Bit
EM4170 125 kHz R/W, 256 Bit
EM4200 (replaces EM4100/4102/4005/4105) 125~134.2 kHz Read only, 64 Bit ISO 11784/85 Compatible
EM4205/EM4305 125~134.2 kHz R/W, 512 Bit ISO 11784/85 Compatible
EM4222 300MHz~2GHz Read only, 64 Bit
EM4223 (replaces EM4035/EM4135) 800MHz Read only, 128 Bit
EM4233 SLIC 13.56 MHz R/W, 1K Bit ISO 15693
EM4233 2k 13.56 MHz R/W, 2K Bit ISO 15693
EM4269 125 kHz R/W, 512 Bit ISO FDX-B
EM4294 13.56 MHz Front End ISO 15693/ISO 14443A/B
EM4322 125kHz+6.8MHz Read only, 64 Bit
EM4324 860~960 MHz Read only, 1024 Bit ISO 18000
EM4325 860~960 MHz R/W, 4096 Bit ISO 18000
EM4333 13.56 MHz R/W, 1K System+4K User+64KCode ISO15693-ISO14443A
EM4350/EM4150 100~150 kHz R/W, 1K Bit
EM4369 125 kHz R/W, 512 Bit ISO FDX-B
EM4444 300MHz-2.4GHz R/W, 512 Bit
EM4450/EM4550 (replaces EM4150/EM4350) 125 kHz R/W, 1024 Bit
EM4469 100~150 KHz R/W, 512 Bit ISO 11785 Compatible
EM4522 125kHz+6.8MHz R/W, 640 Bit
EM4550/EM4450 (replaces EM4150/EM4350) 125 kHz R/W, 1024 Bit
Last edited by asper (2013-04-28 10:22:44)
Offline
Thank you for sharing all this information asper.
Offline
Well, there are really a lot of EM products and datasheets are present for almost all of them (even if they are private you can find them on the net); if someone is interested in this project they can contact me, I would also like to add this undocumented EM chip I found.
Last edited by asper (2012-03-11 19:08:53)
Offline
Well, those datasheets are available on many PDF sites, some are difficult to get but you can find them if you have patience; to save you some hard searching time here is a link to the Datasheets and AN (Application Notes) of EM: http://www.sendspace.com/file/ec93ns
Maybe someone can add them to Proxmark because those PDFs are REALLY detailed!
Last edited by asper (2013-04-28 10:25:02)
Offline
It could very well use a proprietary modulation, algorithm and commands, but it is not likely to use a different frequency. Those bands are often regulated by law in (almost) all countries. This means they can only sell them in a specific country where they acquired a special license for a certain frequency band (and that should be publicly available, since those transactions have to be transparent). If they use the open frequencies though (125-134 kHz / 13.56 MHz) then they are free to do what they want.
Maybe it uses the open UHF bands (433 MHz, 900 MHz, 2.45 GHz), but otherwise I think it is safe to assume it uses the "standard" frequency. Can you measure more precisely (maybe with a spectrum analyzer?)
Offline
The tag, under the proxmark antennas, shows NO modification at 125 kHz, and a 0.2 V increment (not decrement) at 13.56 MHz.
The chip was manufactured in 1999-early 2000, maybe there was no standard at that time.
I don't think in 2000 there were 433 or 900 or 2500 MHz tags... don't you think?
I hope to bring an oscilloscope with me to test that frequency (mine is max 20 MHz capable; if someone can lend me a portable one I will return it as soon as I can).
Reading an411.pdf, it shows the most used frequencies (page 3):
0...135kHz,
400kHz,
6.78MHz,
13.56MHz,
27.125MHz,
40.68MHz,
433.29MHz,
869MHz,
915MHz,
2.45GHz,
5.8GHz
24.125GHz
PS: connecting the oscilloscope directly to the tag antenna, it measured only 1.4 kHz, but I think this is an error due to the internal tag circuitry (this cannot be the real frequency, it is too low in my opinion); I also recorded waves from the tag but I did not test a free copper coil inside the reader to test the real possible frequency.
The wav I recorded shows waves but they are too low to be understood (no specific line code can be identified): if someone is interested I can attach them.
Last edited by asper (2012-03-13 13:10:15)
Offline
What was the voltage on the O-scope? If the freq is not supposed to be 1400 Hz, then you most likely hit one of its multiples.
Offline
You can see the logs there: http://www.sendspace.com/file/5in1it
The oscilloscope behaved in a weird way... it identified different frequencies but none of them (tested only 125 kHz and 13.56 MHz) seems to resonate using the tag and the PM3 antenna. I repeat, the logs were made connecting the 2 tag antenna extremities directly to the oscilloscope probe... someone suggested that I use a free copper coil without connecting directly to the antenna. Pass is proxmark3
Any clues? I also have Audacity recordings made using a netbook audio-in "sniffer" (in theory tuned for 125 kHz).
PS: 1400 Hz (1.4 kHz) is in the ULF range... too "ultra-low" I think for that kind of device... don't you think? Maybe a sub-multiple...
Last edited by asper (2013-06-01 09:20:12)
Offline
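Two things a practitioner would check before trusting the 1.4 kHz reading and the audio-in recordings above: what sample rate the recorder can actually resolve, and whether the waveform being measured is the carrier or the tag's much slower baseband data. The block below is an added example, not code from the thread or from the Proxmark3 project. It estimates the dominant frequency of a sampled signal by zero crossings, applies the Nyquist check for a 44.1 kHz audio input, shows where an undersampled carrier would alias to, and computes the baseband bit rate of an LF tag that clocks one bit per N carrier cycles (EM4100-style RF/64, RF/32 and RF/16 are used as assumed divisors). The 1400 Hz test tone is a constructed signal standing in for a WAV capture.

```python
import math


def synth_tone(freq_hz, sample_rate, n_samples, amplitude=1.0):
    """Constructed test signal: a clean sine at freq_hz (stands in for a WAV capture)."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n_samples)]


def zero_crossing_frequency(samples, sample_rate):
    """Estimate the dominant frequency of a roughly periodic signal.

    Counts rising zero crossings and divides the number of full periods
    between the first and last crossing by the elapsed time. Adequate for a
    single dominant tone; noisy or modulated captures need a spectrum instead.
    """
    first = last = None
    crossings = 0
    for i in range(1, len(samples)):
        if samples[i - 1] < 0 <= samples[i]:
            if first is None:
                first = i
            last = i
            crossings += 1
    if crossings < 2:
        return 0.0
    return (crossings - 1) * sample_rate / (last - first)


def nyquist_limit(sample_rate):
    """Highest frequency a recorder at sample_rate can represent."""
    return sample_rate / 2.0


def can_capture(freq_hz, sample_rate):
    """True if a tone at freq_hz lies below the recorder's Nyquist limit."""
    return freq_hz < nyquist_limit(sample_rate)


def alias_frequency(freq_hz, sample_rate):
    """Frequency at which an undersampled tone would appear (no anti-alias filter assumed)."""
    return abs(freq_hz - round(freq_hz / sample_rate) * sample_rate)


def baseband_bit_rate(carrier_hz, divisor):
    """Data rate of a tag that spends 'divisor' carrier cycles per bit (e.g. RF/64)."""
    return carrier_hz / divisor


if __name__ == "__main__":
    fs = 44100  # typical netbook audio-in sample rate (assumed)
    capture = synth_tone(1400, fs, fs)  # one second of constructed 1400 Hz signal
    print(f"dominant frequency in capture: {zero_crossing_frequency(capture, fs):.1f} Hz")
    for carrier in (125e3, 13.56e6):
        print(f"{carrier / 1e3:.0f} kHz carrier recordable at {fs} Hz? "
              f"{can_capture(carrier, fs)} (would alias to {alias_frequency(carrier, fs):.0f} Hz)")
    for div in (64, 32, 16):
        print(f"125 kHz tag at RF/{div}: {baseband_bit_rate(125e3, div):.1f} bit/s")
```

An audio input cannot see a 125 kHz or 13.56 MHz carrier at all; what survives in such a recording is the demodulated data, which for an RF/64 LF tag is only about 2 kbit/s. A waveform in the low kilohertz range is therefore consistent with baseband data from an LF tag rather than evidence of a sub-kilohertz carrier, and a scope probe across the coil should be read the same way.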
Does this mean you expect automatic modulation to appear? Simple LF tags use this kind of operation: they immediately start sending their identifier and keep repeating it with only a delay or separator in between. If you look at more "sophisticated" LF tags, like the NXP hitag series for example (produced from 1996), they only respond in a reader field after a certain "hello" command modulated by the reader (unless the tag is configured to operate in "public" mode, which is just broadcasting a simple identifier).
It could very well be that this tag needs a "trigger" command before it starts responding. You can try to look at the datasheets of similar products from EM and send the simple "select" commands to figure out which one it will respond to.
Offline
The logs were made connecting directly to the tag antenna and the tag was inserted in the reader, so it was surely "triggered"! I can see waveforms changing during the wav recordings but they have a non-common pattern, so probably the frequency recorded was not right.
Offline
These are 2 recordings (WAVs), one made with the 125 kHz filter and the other one without the filter; if someone is able to understand how it works it can be useful (what kind of line code it can be)! http://www.sendspace.com/file/jdfcdw
Last edited by asper (2012-03-14 19:41:50)
Offline
Can you post the waveforms here? I'm not sure I want to execute the www.sendspce.com download file. Sounds like trojans to me.
Offline
No file to execute, you probably clicked the wrong link, you should get a .rar archive (243.07KB), not an .exe; click on "Click here to start download from sendspace"; maybe you are not familiar with sendspace pages ?
Offline
No file to execute, you probably clicked the wrong link, you should get a .rar archive (243.07KB), not an .exe; click on "Click here to start download from sendspace"; maybe you are not familiar with sendspace pages ?
No, I am not familiar with it and do not have an account but you cannot click on anything on that link without an invitation to download the iLivid.exe file......... no thank you.
Offline
Worked OK for me, but don't click on the first 'click here to start download..' link with the CD next to it!
Look for:
Desktop.rar
File Size: 243.07KB
Upgrade for Fast & Ad-free file transfers - See Plans and pricing
Click here to start download from sendspace
Offline
Sorry Bugman1400, maybe it is not immediate but, again, as YoungJules shows, there is no need to install iLivid.exe. If you can have a look at the waveforms it will be useful for me, thank you.
Offline
I resume this post:
I did some more tests using HF and LF antennas to identify the working frequency of that tag:
I have a little voltage INCREMENT only at 13.56 MHz (from 10.15 V to 10.28); should that mean that the frequency is LOWER than 13.56? The chip was manufactured by EM Microelectronic in 2000-2002 and is not a common chip but a custom one called H4062 (H was used by EM Microelectronic before the introduction of the EM suffix before the chip number, so it is an old chip with absolutely no documentation of it).
If someone is interested I also found a lot of EM Microelectronic datasheet (not factsheet) files for many EM products, here is the list:
H4001 125 KHz Read only, 64 Bit
EM4102/H4102 125 KHz Read only, 64 Bit
H4003 125 KHz - 3.25 MHz Read only, 64 Bit
EM4005/EM4105 100~150 KHz Read only, 128 Bit ISO 11784/85 Compatible
EM4006/H4006 13.56 MHz Read only, 64 Bit
EM4022/P4022 Multifrequency NONE (64 Bit UID)
EM4025/EM4125 100~150 KHz Read only, 55 Bit
EM4033 13.56 MHz Read only, 64 Bit ISO 15693
EM4034 13.56 MHz R/W, 448 Bit ISO 15693
EM4035 13.56 MHz R/W, 3.2K Bit ISO 15693
V4050 125 KHz R/W, 1024 Bit
EM4055 125 KHz R/W, 1K Bit
EM4056/P4056 100~150 KHz R/W, 2K Bit
EM4069/EM4169 100~150 KHz R/W, 128 Bit
V4070 115~135 R/W, 160 Bit
P4092 100~150 KHz Base Station
EM4094 13.56 MHz Base Station ISO 15693-14443A/B
EM4095 125 KHz Booster Circuit
EM4100 100~150 KHz Read only, 64 Bit
EM4102 125 KHz Read only, 64 Bit
EM4105 125 KHz Read only, 128 Bit
EM4033 13.56 MHz Read only, 64 Bit (UID) ISO 15693
EM4122 860~960 MHz Read only, 64 Bit
EM4123 (replaces EM4122) 860~960 MHz Read only, 64 Bit
EM4133 13.56 MHz R/W, 512 Bit ISO 15693
EM4135 13.56 MHz R/W, 2432 Bit ISO 15693
EM4150/EM4350 100~150 KHz R/W, 1K Bit
EM4170 125 KHz R/W, 256 Bit
EM4200 (replaces EM4100/4102/4005/4105) 125~134.2 KHz Read only, 64 Bit ISO 11784/85 Compatible
EM4205/EM4305 125~134.2 KHz R/W, 512 Bit ISO 11784/85 Compatible
EM4233 13.56 MHz R/W, 2K Bit ISO 15693
EM4294 13.56 MHz Front End ISO 15693/ISO 14443A/B
EM4324 860~960 MHz Read only, 1024 Bit ISO 18000 6C
EM4450/EM4550 125 KHz R/W, 1024 Bit
EM4469 100~150 KHz R/W, 512 Bit ISO 11785 Compatible
asper, I'm interested in the datasheets. Is there any way to download them?
Offline
http://www.proxmark.org/files/
Offline
http://www.proxmark.org/files/
Where do I have to look? Can't find EM4233 for example...
Offline
Well, you are right, probably they have been removed. They were there at least 2 months ago.
Offline