Hello here
Just to share valuable information around another EM4100 Chinese cloner software..., here: "ID-RW" (.NET program described as CardCopyV2).
It works with this kind of reader:
It relies on the C library "SRF32.dll" (some parts here: http://www.pudn.com/Download/item/id/3033464.html, but not the firmware)
> This library is used with other Chinese software around readers.
When using the "Lock card operation" option in the software, it will push a hardcoded password in the card (here, a T5577, but password is the same for all supported cards).
For the T5577, we must set the configuration option, then change block 0 content to avoid the password:
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-94-g77aecdd-suspect 2017-10-06 13:03:33
os: master/v3.0.1-131-g75e42ef-suspect 2017-11-02 13:19:45
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/09/05 at 08:50:16
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 197928 bytes (38%). Free: 326360 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55xx config b 64 d ASK o 32
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 32
Seq. Term. : No
Block0 : 0x00000000
proxmark3> lf t55xx trace
-- T55x7 Trace Information ----------------------------------
-------------------------------------------------------------
ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x39 (57) - Silicon Craft Technology Thailand
CID : 0x00 (0) -
ICR IC Revision : 0
Manufactured
Year/Quarter : 2013/0
Lot ID : 1394
Wafer number : 20
Die Number : 25018
-------------------------------------------------------------
Raw Data - Page 1
Block 1 : 0xE03900D0 11100000001110010000000011010000
Block 2 : 0x572A61BA 01010111001010100110000110111010
-------------------------------------------------------------
proxmark3> lf t55xx read b 0 p 1c0b5848 o
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
0 | 00148051 | 00000000000101001000000001010001
proxmark3> lf t55xx write b 0 d 00148041 p 1c0b5848
Writing page 0 block: 00 data: 0x00148041 pwd: 0x1C0B5848
proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00148041 | 00000000000101001000000001000001
1 | FF8C6318 | 11111111100011000110001100011000
2 | 6318C630 | 01100011000110001100011000110000
3 | FFFFFFFF | 11111111111111111111111111111111
4 | FFFFFFFF | 11111111111111111111111111111111
5 | FFFFFFFF | 11111111111111111111111111111111
6 | FFFFFFFF | 11111111111111111111111111111111
7 | 1C0B5848 | 00011100000010110101100001001000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 00148041 | 00000000000101001000000001000001
1 | E03900D0 | 11100000001110010000000011010000
2 | 2B9530DD | 00101011100101010011000011011101
3 | 80500001 | 10000000010100000000000000000001
So here, the encoded password was: 1C0B5848
Nicely done!
It looks like you could also just read out the pwd from block7, since you didn't supply the pwd for the dump command.
This thread might belong under the "125 kHz" category instead.
Thank you iceman!
I could dump the password, but only after changing the block 0 configuration to a config without password:
lf t55xx write b 0 d 00148041 p 1c0b5848
Instead of the...
proxmark3> lf t55xx read b 0 p 1c0b5848 o
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
0 | 00148051 | 00000000000101001000000001010001
previously read...
Configuration with password: 00148051
Configuration without password: 00148041
For thread location: yeah, I did hesitate... especially because it's not related to Proxmark software...
As I did not want to pollute the 125 kHz debates, the "Non-proxmark Development" section seemed to me the most appropriate.
Well, the software part is not interesting for the Proxmark3, but the LF T5577 findings are very interesting for the 125 kHz section.
So I understand the duality in it, and I am thankful for your concern about keeping the forum clean and on topic.
This one I would deem to be 125 kHz section worthy. I'll move it.
It seems they lock the device by firmware:
Block 0 (config): OK
Block 1 ( data ): OK
Block 2 ( data ): OK
Block 3 ( data ): OK
Block 4 ( data ): KO :(
Block 5 ( data ): KO :(
Block 6 ( data ): KO :(
Block 7 ( data ): OK
... because cloning an EM4100 does not require all T5577 blocks... they prevent writing to blocks 4/5/6...
7 is OK because they can lock the card with a password...
A lot of software limitations!
Now, you would need to test if the t5577 can be reset with the "-t" testmode option.
The info output?
lf t55 info
Oh, it seems I did not use the correct wording around it.
The firmware in the Chinese device prevents, on the T5577:
reading
writing to blocks 4/5/6
On my (home made program) output, I deal with a normal B0 value, so no problem with test mode or not.
Fun fact: it seems their firmware allows a flag to put the lock bit on the T5577... hopefully not used in the program I have.
If maybe you know what the main component in this reader is:
SR1898U / MU011650 (U for USB?), 28 pins
Maybe the firmware can be altered.
Not good at hardware.
I was more curious if a T5577 used with the cloner could be "saved" by using the t test mode parameter.
It should wipe the whole tag...
lf t55xx write b 0 d 00148041 t
I could not find any information on the SR1898U. Can you send a clear shot of the entire PCB?
Yep, in more or less good quality.
No IC on the back.
As the LM358 is known to be a dual op-amp, they seem to have embedded USB / (de)mod / program in the strange MU011650...
Still can't find any information on it.
Unless someone else can identify the IC?
If they are cheap and you are comfortable sacrificing one, you could send one to me. I can decap the IC and see if there is anything of interest.
For a "locked" T5577 of an EM (password protected):
proxmark3> lf t55xx info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 4
Data bit rate : 4 - RF/10
eXtended mode : Yes - Warning
Modulation : 0x0A (Unknown)
PSK clock frequency : 1
AOR - Answer on Request : No
OTP - One Time Pad : Yes - Warning
Max block : 1
Password mode : No
Sequence Start Terminator : Yes
Fast Write : Yes
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x0092A52C 00000000100100101010010100101100
-------------------------------------------------------------
=> Seems very invalid.
proxmark3> lf t55xx write b 0 d 00148041 t
Writing page 0 block: 00 data: 0x00148041
#db# TestMODE
=> changes nothing (seems logical? Even in test mode, writing requires a password)
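To make the two configuration words from the earlier post (00148051 with password mode, 00148041 without) and the "very invalid" word 0x0092A52C from the post above concrete, here is an added example that decodes a T5577 page 0 / block 0 word into the same fields that "lf t55xx info" prints. It is not the poster's ID-RW/CardCopyV2 program and not Proxmark3 client code. The field names, the Python function names and the PWD_MASK constant are my own; the extended-mode bit rate rule RF/(2*code+2) is an assumption inferred from the "4 - RF/10" line in the info output; the modulation code table follows the T5577 datasheet.

```python
# Added example for this thread: decoder for the T5577 page 0 / block 0
# configuration word. Not the poster's program and not Proxmark3 code.
# Layout: 32 bits, MSB first, in the order "lf t55xx info" prints them.
# The three constants are the words quoted in the thread.

WITH_PASSWORD = 0x00148051     # block 0 as left by the cloner's "Lock card operation"
WITHOUT_PASSWORD = 0x00148041  # block 0 after the fix in this thread
CLONER_LOCKED = 0x0092A52C     # the "very invalid" block 0 read from a locked tag

# Modulation codes of the 5-bit field (T5577 datasheet); others are reserved.
MODULATION = {
    0x00: "Direct (ASK/NRZ)", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "Manchester", 0x10: "Biphase", 0x18: "Biphase (CDP)",
}

# Basic-mode bit rate codes map to RF/n through this table. In extended
# mode the divisor is 2*code+2 (assumption, matching "4 - RF/10" above).
BASIC_RF_DIVISOR = [8, 16, 32, 40, 50, 64, 100, 128]

# (field, width in bits), MSB first; widths sum to 32.
FIELDS = [
    ("safer_key", 4), ("reserved", 7), ("bitrate", 3), ("extended", 1),
    ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
    ("maxblk", 3), ("pwd", 1), ("st", 1), ("fast_write", 1),
    ("inverse", 1), ("por_delay", 1),
]
assert sum(width for _, width in FIELDS) == 32

PWD_MASK = 1 << 4  # the PWD bit is the 0x10 bit of the word (my constant name)


def decode_block0(word):
    """Split a 32-bit block 0 word into its named fields."""
    word &= 0xFFFFFFFF
    fields = {}
    shift = 32
    for name, width in FIELDS:
        shift -= width
        fields[name] = (word >> shift) & ((1 << width) - 1)
    fields["modulation_name"] = MODULATION.get(fields["modulation"], "Unknown")
    if fields["extended"]:
        fields["rf_divisor"] = 2 * fields["bitrate"] + 2
    else:
        fields["rf_divisor"] = BASIC_RF_DIVISOR[fields["bitrate"]]
    return fields


def clear_password_bit(word):
    """Return the same configuration with password mode switched off."""
    return word & ~PWD_MASK & 0xFFFFFFFF


def diff_block0(a, b):
    """Fields whose value differs between two block 0 words."""
    fa, fb = decode_block0(a), decode_block0(b)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}


def warnings_for(word):
    """Flags that make a block 0 word suspicious for a plain EM4100 clone."""
    f = decode_block0(word)
    notes = []
    if f["extended"]:
        notes.append("extended mode set")
    if f["otp"]:
        notes.append("OTP bit set")
    if f["modulation_name"] == "Unknown":
        notes.append("reserved modulation code 0x%02X" % f["modulation"])
    if f["reserved"]:
        notes.append("reserved bits are non-zero")
    return notes


def report(word):
    """Text report in the spirit of the info printout."""
    f = decode_block0(word)
    lines = ["Block0 : 0x%08X" % word]
    for name, _ in FIELDS:
        lines.append("%-12s: %d" % (name, f[name]))
    lines.append("%-12s: %s, RF/%d" % ("summary", f["modulation_name"], f["rf_divisor"]))
    for note in warnings_for(word):
        lines.append("WARNING     : " + note)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WITH_PASSWORD))
    print("differs from 0x%08X in:" % WITHOUT_PASSWORD,
          diff_block0(WITH_PASSWORD, WITHOUT_PASSWORD))
    print("unlocked form: 0x%08X" % clear_password_bit(WITH_PASSWORD))
    print(report(CLONER_LOCKED))
```

Running it shows that 00148051 and 00148041 differ in exactly one field, PWD, while bit rate (RF/64), Manchester modulation and max block 2 stay the same, which is why block 7 (where the password lives) becomes readable in the later dump once password mode is off. For 0x0092A52C the decoder flags extended mode, OTP, a reserved modulation code and non-zero reserved bits, the same items the info output marks as warnings.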
... might need to edit the config block to test mode first...
What I'm looking for is a total wipe of the card when you do it. Something @marshmellow42 looked into.
I was thinking to use it as a way to "recover" a locked-down card. @marshmellow42 posted about his findings. Test mode doesn't follow the specs very well.
They must have learned and disabled the test mode in the configuration.