Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2009-07-01 06:09:32

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Now available: EM410x tag simulator AND cloner!

Hi guys,

So got my pm3 the other day and started a bunch of development. I should be getting access to the google code repo soon and will be submitting all of my changes, but I know some people are as eager as me to get their hands on new code!

So I've created various new functions for different things. Some of the more interesting functions are below.

Emulating EM410x tags. You can specify the 40 bit tag ID (in hex) you want your proxmark3 to behave as like so:
em410xsim [tagid]
Example:
em410xsim 12deadbeef

This begins simulating the ID you specified. You can then confirm with something like a Phidgets reader.

Cloning is also incredibly easy now...will post in new topic.

You can get these sources for now at http://samy.pl/proxmark3/current/winsrc/

I'll update this topic once it's in the SVN tree.

Offline

#2 2010-01-22 17:19:20

atrox
Contributor
Registered: 2010-01-08
Posts: 35

Re: Now available: EM410x tag simulator AND cloner!

I'm using svn-314 but can't get the simulator to work - I've tried to simulate a tag to a codatex-reader and another PM3. The other reader simply does not find any tag at all - so I hook up a scope: the PM3 does nothing - not even deactivating the 125 kHz generator (which it should, since as a tag you are passive and wait for the reader's field, not generate your own).

But even when I reset the PM3 before, the other reader does not detect an ID.

In former (svn262) svn versions, I could abort the simulation by pressing the key on the pm3; since I've installed 314 this doesn't work either :(

Offline

#3 2010-01-25 20:47:25

Andreas
Member
Registered: 2010-01-25
Posts: 10

Re: Now available: EM410x tag simulator AND cloner!

I wanted to do some debugging on this issue and added two statements
which somehow solved problem :-/ ...

I guess the ARM crashes during the sample download (timing issue);
the attached patch is not a fix, it's only a very ugly workaround.

Index: appmain.c
===================================================================
--- appmain.c   (revision 314)
+++ appmain.c   (working copy)
 #ifdef WITH_ISO15693
                case CMD_SIMTAG_ISO_15693:
                        SimTagIso15693(c->arg[0]);
@@ -718,12 +722,14 @@
                case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
                        BYTE *b = (BYTE *)BigBuf;
                        memcpy(b+c->arg[0], c->d.asBytes, 48);
+                        Dbprintf("position: %u", c->arg[0]);
                        break;
                }

 #ifdef WITH_LF
                case CMD_SIMULATE_TAG_125K:
                        LED_A_ON();
+                        Dbprintf("CMD_SIMULATE_TAG_125K");
                        SimulateTagLowFrequency(c->arg[0], 1);
                        LED_A_OFF();
                        break;
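
Review bot: in the CMD_DOWNLOADED_SIM_SAMPLES_125K case, memcpy(b+c->arg[0], c->d.asBytes, 48) takes its offset straight from the host command with no visible bounds check, and the added Dbprintf only logs that offset; reject the block before copying when the offset plus 48 would run past the end of BigBuf. Both added Dbprintf calls also change nothing but timing, so they hide the race rather than remove it; an explicit handshake, such as the device acknowledging each downloaded block before the host sends the next, would be the change to commit instead.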

Offline

#4 2010-01-28 16:25:54

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203
Website

Re: Now available: EM410x tag simulator AND cloner!

Funny - I just had the same problem - I've put a debug message into the latest commit, but it's commented out because I wasn't sure if it was just my machine... It does definitely seem to be a USB timing thing though... Guess we need to look into this further!

Offline

#5 2010-01-29 10:30:06

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203
Website

Re: Now available: EM410x tag simulator AND cloner!

OK, I think I've fixed this by having the proxmark ACK the transfer of each block... r317...

Offline

#6 2010-01-29 14:48:37

proxcat
Contributor
Registered: 2008-11-28
Posts: 62
Website

Re: Now available: EM410x tag simulator AND cloner!

I was having the same problem when running in Linux. Did anyone observe the same behavior under Windows?

After updating to r317 things are now working for me under Linux. Thanks for the fix!

Offline

#7 2010-02-01 05:00:05

Ground Loop
Member
Registered: 2010-01-25
Posts: 15

Re: Now available: EM410x tag simulator AND cloner!

SVN 317 here, and EM410x sim works great.  It has better range than the real card, in fact.

I found that I did have to put leading zeros on the ID value.. 000018618F instead of 18618F.  Odd?

Offline

#8 2010-02-01 23:20:17

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203
Website

Re: Now available: EM410x tag simulator AND cloner!

EM410x IDs are 10 HEX digits, so it's not unreasonable that you needed to put the leading zeros... Or the code could be tweaked of course...

Offline

#9 2010-02-02 20:01:20

atrox
Contributor
Registered: 2010-01-08
Posts: 35

Re: Now available: EM410x tag simulator AND cloner!

thanks for response - will test it soon.

I noticed a similar bug (?) in the hi15reader, which hangs/crashes if a card is in vicinity, but continues without a card. I will post this in the appropriate forum anyway.

Offline

#10 2011-12-05 01:22:40

Raymond
Contributor
Registered: 2011-09-14
Posts: 30

Re: Now available: EM410x tag simulator AND cloner!

Hi Samy, does the EM cloner feature still work?

Will the command be like,

Lf EM clone (the data of the EM card you are cloning)?

Offline

#11 2012-02-14 21:51:55

ghaber
Member
Registered: 2008-10-26
Posts: 11

Re: Now available: EM410x tag simulator AND cloner!

Hi guys,

I have an EM card that I need to clone on a T5567 and I am wondering if that function is already implemented or not?? At the beginning of this post, it is said that there is a cloner but I do not see the function.

Regards

Offline

#12 2012-02-17 15:42:28

Bugman1400
Contributor
Registered: 2010-12-20
Posts: 132

Re: Now available: EM410x tag simulator AND cloner!

ghaber wrote:

Hi guys,

I have an EM card that I need to clone on a T5567 and I am wondering if that function is already implemented or not?? At the beginning of this post, it is said that there is a cloner but I do not see the function.

Regards

Read the posts by Cex. He has developed the PM3 code to write to the T5567 cards. I've tried it many times and it works great! The code is on the Wiki......

Offline

#13 2012-03-02 20:10:06

Raymond
Contributor
Registered: 2011-09-14
Posts: 30

Re: Now available: EM410x tag simulator AND cloner!

Hi ghaber,

I was able to clone HID tags to T5567 card, using Cex r499.

Don't think r499 is able to clone EM card yet.

Regards

Offline

#14 2012-05-16 13:40:11

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Now available: EM410x tag simulator AND cloner!

Raymond wrote:

Hi ghaber,

I was able to clone HID tags to T5567 card, using Cex r499.

Don't think r499 is able to clone EM card yet.

Regards

EM cloning feature was added in r528.

Offline

#15 2012-07-02 15:08:23

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Now available: EM410x tag simulator AND cloner!

I found a problem that seems to be around for a while.

For example, I'm trying to write ID 010AABCDEF to my T55x7-card.
After when I read the tag-id it says 000AABCDEF.

It seems to be the first two chars always is set to 00. Is there a fix for this?

Offline

#16 2012-07-04 07:26:25

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Now available: EM410x tag simulator AND cloner!

urkis wrote:

I found a problem that seems to be around for a while.

For example, I'm trying to write ID 010AABCDEF to my T55x7-card.
After when I read the tag-id it says 000AABCDEF.

It seems to be the first two chars always is set to 00. Is there a fix for this?

Maybe the problem is the sscanf in cmdlfem4x.c in the client. I think that the sscanf(Cmd, "%lx %d", &id, &card); at line 406 may be reading only 32 bits due to the L modifier.

Try this dirty hack to check if this fixes the problem (then I'll try to make it a little bit more elegant):

int CmdEM410xWrite(const char *Cmd)
{
  uint64_t id = 0;
  unsigned int card;
////////////////
  int i;
///////////////

  sscanf(Cmd, "%lx %d", &id, &card);
  
///////////////////////////////////
  id = 0;
  while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
    id = (id << 4) | (n & 0xf);
  }
///////////////////////////////////

  if (id >= 0x10000000000) {
    PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
    return 0;
  }

The rest of the file shall remain the same (just add the code between the ////////////// lines).

Please post if this solves the issue.

Last edited by Cex (2012-07-04 07:27:37)

Offline

#17 2012-07-04 07:44:46

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Now available: EM410x tag simulator AND cloner!

For the following code:

  uint64_t id = 0;
  unsigned int card;

  sscanf(Cmd, "%lx %d", &id, &card);

I would indeed suggest to use the "long long" directive:

  sscanf(Cmd, "%llx %d", &id, &card);

Offline

#18 2012-07-04 08:35:12

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Now available: EM410x tag simulator AND cloner!

roel wrote:

For the following code:

  uint64_t id = 0;
  unsigned int card;

  sscanf(Cmd, "%lx %d", &id, &card);

I would indeed suggest to use the "long long" directive:

  sscanf(Cmd, "%llx %d", &id, &card);

Much better... I'm not a C programmer, so I didn't know of that directive and did it the dirty way.
Thank you.

Offline

#19 2012-07-04 14:56:56

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Now available: EM410x tag simulator AND cloner!

Got some errors when compiling, something about undeclared variable "n", so I modified the code but it still doesn't work as intended.

int CmdEM410xWrite(const char *Cmd)
{
  uint64_t id = 0;
  unsigned int card;
  int i;
  int n = 0;

   sscanf(Cmd, "%llx %d", &id, &card);
   
     id = 0;
  while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
    id = (id << 4) | (n & 0xf);
  }


  if (id >= 0x10000000000) {
    PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
    return 0;
  }

  if (card > 1) {
    PrintAndLog("Error! Bad card type selected.\n");
    return 0;
  }

  PrintAndLog("Writing %s tag with UID 0x%010lx", card ? "T55x7":"T5555", id);
  UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
  SendCommand(&c);

  return 0;
}

I tried this:

proxmark3> lf em4x em410xwrite 0100ABCDEF 1
Error! Given EM410x ID is longer than 40 bits.



And when I remove the last F:

proxmark3> lf em4x em410xwrite 0100ABCDE 1
Writing T55x7 tag with UID 0x000abcde11
#db# Started writing T55x7 tag ...
#db# Tag T55x7 written with 0xff8c00a5f1be8c7e


Reading the T55x7:
Auto-detected clock rate: 64
Thought we had a valid tag but failed at word 1 (i=42)
Thought we had a valid tag but failed at word 1 (i=106)
EM410x Tag ID: 100abcde11



There must be some other error in the code?
I'm not that good at C, but can it be the uint32_t that is the problem on this line?

UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};

Last edited by urkis (2012-07-04 15:23:09)

Offline

#20 2012-07-05 07:09:52

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Now available: EM410x tag simulator AND cloner!

Don't know exactly, but looking at the code, you should of course also change:

PrintAndLog("Writing %s tag with UID 0x%010lx", card ? "T55x7":"T5555", id);

To the long long notation for printing:

PrintAndLog("Writing %s tag with UID 0x%010llx", card ? "T55x7":"T5555", id);

Offline

#21 2012-07-05 07:19:33

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Now available: EM410x tag simulator AND cloner!

Urkis,

You have mixed Roel's code and mine.

Use only Roel's suggestion ('ll' instead of 'l').

If this still fails I'll try to test myself and upload the patch once it works.

Offline

#22 2012-07-05 15:37:27

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Now available: EM410x tag simulator AND cloner!

Tried restoring the original code and only used
sscanf(Cmd, "%llx %d", &id, &card);

But it still writes 00 on the first chars to the T55x7

The compiler gives a warning on this line:
cmdlfem4x.c:406: warning: unknown conversion type character 'l' in format

Offline

#23 2012-07-07 10:07:46

t0m4
Contributor
Registered: 2012-07-07
Posts: 9

Re: Now available: EM410x tag simulator AND cloner!

Here is the fix :

In client/cmdlfem4x.c,

  • add line 13 :

    #include <inttypes.h>
  • edit line 407 :

    sscanf(Cmd, "%" PRIx64 " %d", &id, &card);
  • edit line 419 :

    PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, card ? "T55x7":"T5555", id);

compile (no more warning), and now :

proxmark3> lf em4x em410xwrite ffffffffff 1
Writing T55x7 tag with UID 0xffffffffff
#db# Started writing T55x7 tag ...
#db# Tag T55x7 written with 0xfffbdef7bdef7bc0

proxmark3> lf em4x em410xwatch
#db# buffer samples: 00 00 00 00 16 1d 15 1b ...
Reading 2000 samples

Done!

Auto-detected clock rate: 64
EM410x Tag ID: ffffffffff

Hope this helps.

I'll try to commit it on SVN as soon as I'm a member...

Offline
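
An added example (not from any post in this thread and not Proxmark3 source) showing why a 32-bit `%lx` zeroes the top byte of a 40-bit ID, with strict parsing via `SCNx64`, the scanf counterpart of the `PRIx64` fix above. The function names are hypothetical, `low_word_only` assumes a little-endian target, and `em410x_frame` assumes the standard EM4100 layout (9 header bits, 10 rows of 4 data bits plus even parity, 4 column-parity bits, stop bit), which reproduces both "written with" values quoted in this thread.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "<hex id> <card>"; returns 0 on success, negative on bad input. */
int parse_em410x_args(const char *cmd, uint64_t *id, unsigned *card)
{
    char hex[12];  /* 10 digits, 1 extra to detect over-long input, NUL */
    if (sscanf(cmd, "%11[0-9a-fA-F] %u", hex, card) != 2) return -1;
    if (strlen(hex) > 10) return -2;          /* more than 40 bits */
    if (*card > 1) return -3;                 /* 0 = T5555, 1 = T55x7 */
    if (sscanf(hex, "%" SCNx64, id) != 1) return -1;
    return 0;
}

/* What "%lx" leaves in a zero-initialised uint64_t when long is 32 bits
 * (little-endian assumed): only the low word is stored. */
uint64_t low_word_only(uint64_t id) { return (uint32_t)id; }

/* Build the 64-bit EM410x frame for a 40-bit ID. */
uint64_t em410x_frame(uint64_t id)
{
    uint64_t frame = 0x1FF;                   /* nine header 1-bits */
    unsigned col = 0;
    for (int shift = 36; shift >= 0; shift -= 4) {
        unsigned nib = (unsigned)(id >> shift) & 0xF;
        unsigned par = (nib ^ (nib >> 1) ^ (nib >> 2) ^ (nib >> 3)) & 1;
        frame = (frame << 5) | (nib << 1) | par;  /* row + even parity */
        col ^= nib;                           /* running column parity */
    }
    return (frame << 5) | (col << 1);         /* column parity, stop bit 0 */
}

int main(void)
{
    uint64_t id;
    unsigned card;
    if (parse_em410x_args("010AABCDEF 1", &id, &card) != 0) return 1;
    printf("parsed id         0x%010" PRIx64 "\n", id);
    printf("32-bit %%lx keeps  0x%010" PRIx64 "\n", low_word_only(id));
    printf("frame             0x%016" PRIx64 "\n", em410x_frame(id));
    return 0;
}
```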

#24 2012-07-07 10:29:53

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Now available: EM410x tag simulator AND cloner!

It works, thank you very much!

Offline

#25 2014-11-02 10:21:37

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: Now available: EM410x tag simulator AND cloner!

rfidshop wrote:

Hello,

I have two kinds of readers that can do clone for the EM410 cards or tags on T5557,T5567 or T5577 cards or tags .
http://www.rfidshop.net/EM4100--ATA5577-LF-Passive-RFID-Desktop-Reader-Writer_p205.html
http://www.rfidshop.net/Portable-RFID-Copier-Kit--125KHz-Handheld-Reader_p388.html

Any questions ,please let me know.

Market@d-think.net

This is the PM3 forum, please post that kind of AD on ebay or payment ecommerce sites!

Offline

#26 2015-06-26 01:45:12

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Now available: EM410x tag simulator AND cloner!

You should just ask your question...I could have read it by now!

Offline
