Research, development and trades concerning the powerful Proxmark3 device.
I'm trying to clone an EM4x05 card to an EM4305 fob. Here's what I know about the card:
HID Mifare/Prox dual card
Indala
I think the model is HID 1431
When I run lf search u on the card I want to clone I get:
BitLen: 224
Indala UID=1000000000000000
0000000000000011
0000100101010001
1101011011100110
1011110010011101
0100111110100111
1101111100001010
1110010011101100
1010100101111111
1001111000101101
1001100110100110
0011010111001010
0110101100111101
0101000010010000
(800000030951d6e6bc9d4fa7df0ae4eca97f9e2d99a635ca6b3d5090)
Valid Indala ID Found!
Valid EM4x05/EM4x69 Chip Found
lf em 4x05dump gives me:
Got Address 00 | 00040072
Got Address 01 | 3A7D0612
PWD Address 02 | cannot read
Got Address 03 | 00000F0F
Got Address 04 | 0002C10F
Got Address 05 | 80000001
Got Address 06 | BA4D0CE0
Got Address 07 | 46A32E29
Got Address 08 | DA3A60AD
Got Address 09 | 27AEAB19
Got Address 10 | 9D37B911
Got Address 11 | F1F3289B
Got Address 12 | 00000000
Got Address 13 | 00000000
Lock Address 14 | 00008002
Lock Address 15 | 00000000
From what I have gathered if I write each of those words onto the EM4305 fob, I will have cloned the card. Is this correct?
Reading around the forums, I gathered that there is no password since I was able to read the card. Is this correct?
I ran lf em 4x05writeword for each of the words and wrote them onto the fob. However, it fails writing Address 01. Why is that failing?
Here's the dump from the fob:
Got Address 00 | 00040072
Got Address 01 | 380EBD16
PWD Address 02 | cannot read
Got Address 03 | 00000F0F
Got Address 04 | 0002C10F
Got Address 05 | 80000001
Got Address 06 | BA4D0CE0
Got Address 07 | 46A32E29
Got Address 08 | DA3A60AD
Got Address 09 | 27AEAB19
Got Address 10 | 9D37B911
Got Address 11 | F1F3289B
Got Address 12 | 00000000
Got Address 13 | 00000000
Lock Address 14 | 00008002
Lock Address 15 | 00000000
I'm at a loss. I've been reading the forums the last few weeks going back and forth testing stuff out and I'm here as last resort.
A few questions:
Anyone know how to copy a 4x05 card?
Will writing all the words from the dump onto the fob clone the card or am I missing something?
Why am I unable to write to Address 01?
What is this string from the "lf search u" 800000030951d6e6bc9d4fa7df0ae4eca97f9e2d99a635ca6b3d5090?
Thanks in advance for any help
Last edited by roybot (2019-06-11 02:42:43)
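One way to see what that hex string in the lf search u output is, as an added example that is not from the original post or the Proxmark3 client: it is the 224 raw bits, 16 per row, packed into hex (the "Indala UID=" row is the first 16 bits). The script rebuilds the string from the rows quoted above and converts it back; the row text is a constructed copy of the post's output.

```python
# Constructed copy of the lf search u bit rows from the post above (224 bits, 14 rows of 16).
SEARCH_ROWS = """\
Indala UID=1000000000000000
0000000000000011
0000100101010001
1101011011100110
1011110010011101
0100111110100111
1101111100001010
1110010011101100
1010100101111111
1001111000101101
1001100110100110
0011010111001010
0110101100111101
0101000010010000
"""

def bit_rows(text):
    """Extract the raw bit rows; the first row carries the 'Indala UID=' prefix."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            line = line.split("=", 1)[1]
        if line and set(line) <= {"0", "1"}:
            rows.append(line)
    return rows

def pack_bits(rows):
    """Concatenate the rows and render them as hex, 4 hex digits per 16-bit row."""
    bits = "".join(rows)
    if len(bits) % 4:
        raise ValueError("bit length %d is not a multiple of 4" % len(bits))
    return "%0*x" % (len(bits) // 4, int(bits, 2))

def unpack_hex(hexstr, width=16):
    """Inverse: hex string back to rows of `width` bits, preserving leading zeros."""
    bits = bin(int(hexstr, 16))[2:].zfill(len(hexstr) * 4)
    return [bits[i:i + width] for i in range(0, len(bits), width)]

def search_summary(text):
    """Reproduce the BitLen and the bracketed hex line from the raw rows."""
    rows = bit_rows(text)
    return {"bitlen": len("".join(rows)), "hex": pack_bits(rows)}
```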
The tech sheet for the em4205/4305 says that block 1 "UID Number" is RA (read only).
So, while I have not used these, it seems that a real EM4x05 card can't change the UID.
RA: access using Read Word command only
Word 1 contains the IC unique identification number (UID)
programmed at the factory. It can be accessed by a Read
command.
That said, try setting block 14 and 15 to all 00
Then try to update block 1
Currently block 14 shows
00000000 00000000 10000000 00000010
Which seems to say block 1 (2nd last bit) is write protected.
Last edited by mwalker (2019-06-11 00:12:31)
Thanks for the info! Looking at the tech sheet was a good idea. I'm skimming it now.
It's still not working.
I tried writing to 14 and got this:
proxmark3> lf em 4x05writeword a 14 d 00000000
Writing address 14 data 00000000
Write could not be verified
When I run lf em 4x05dump I am still getting Lock Address 14 | 00008002
So am I correct to conclude it's not possible to write to 14 on the EM4305?
Is there another chip I can use?
I don't have any of those cards (so just ordered some to play with).
Some more reading of the tech sheet states you need to use the protect command to change those two blocks. The opcode is different from the normal write. I think what it does (not verified) is writes the new protection bits to the non-active block then makes it active.
If this is the case then we will need some additions to the software to support the protect command. I will have a good look when the cards arrive and if needed see if I can get some code working.
Happy if someone points out that it's already there and I missed it.
the protect command has not been added yet (yes it is to write the protection bits)
but it wouldn't be hard to add.
afaik the uid block is not writable.
but you shouldn't need to write it to clone an indala tag. (readers don't care what the chip uid is afaik)
another thing to note is your tag is a genuine HID/Indala tag, meaning they are using a custom chip like the EM4305 but it is NOT the same.
there are no datasheets available for that exact chip.
they are close, HID's just have more features
so cloning one to an actual EM4305 may have unexpected results.
also interesting to note, your chip is configured in PSK1 whereas the lf search command output is for PSK2. thus the difference.
i've seen a few long format indala chips configured with PSK1 and many with PSK2, it seems they made a change at some point or switch for certain formats. in the end either will work.
Last edited by marshmellow (2019-06-11 05:08:34)
i just pushed up an untested em4x05 protect command to my fork.
also included is a lf config option to skip samples (also untested)
i will try to get to testing tomorrow. (but it compiles.. and should work...)
Thanks marshmellow. I hope my 4305 order will arrive in the next week.
This is very interesting. Thank you!
I find it pretty cool that there are so many unknowns and things to discover/figure out with RFID tech.
I am starting to think the Protect Block(s) are write once. The tech sheet seems to indicate you can change it.
i.e.
"...When set to 0, the corresponding EEPROM word can be
modified through the Write Word command...."
So i sent
lf em 4x05protect d 00000004
And it changed to 6 (2+4)
I then tried
lf em 4x05protect d 00008006 (toggle) and 00000000 (non set) and 00008000 (just in case) and 000080002 (default) and (00000002) with and without password.
I then sent a 00000001 and it updated to 7, so again just a new set and no clear of the others.
The 8 will be set by the chip to tag the active block, so not needed.
The active block changes, but the flag is never cleared.
But just to confirm that they should be able to be changed.
"...the double buffer scheme ensures that no unwanted
"0"-Protection Bits (i.e unprotected words) are introduced..."
Last edited by mwalker (2019-06-25 14:57:27)
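Putting mwalker's decoding of the lock word earlier in the thread (bit 1 of 00008002 means word 1 is protected) and the set-only behaviour of the protect command reported in the post above into code, as an added example that is not part of the thread or of the Proxmark3 client: it parses a 4x05dump listing, lists which words the active lock word protects, predicts which writeword calls will be refused, and models the OR-only update seen in the tests. The active-flag handling, the fallback to word 14, and treating 14/15 as reachable only via the protect command are assumptions drawn from the posts, not datasheet-verified; the dump text is a constructed copy of the fob dump posted earlier.

```python
import re

# Constructed sample: lines from the fob dump posted earlier in the thread.
FOB_DUMP = """\
Got Address 00 | 00040072
Got Address 01 | 380EBD16
PWD Address 02 | cannot read
Got Address 03 | 00000F0F
Lock Address 14 | 00008002
Lock Address 15 | 00000000
"""

ACTIVE_FLAG = 0x8000   # bit 15: set by the chip on the lock word currently in use (assumption)
UID_WORD = 1           # factory UID, read-only per the datasheet quoted in the thread
LOCK_WORDS = (14, 15)  # protection words: need the protect command, not writeword (assumption)

LINE_RE = re.compile(r"^(Got|PWD|Lock) Address (\d+) \| ([0-9A-Fa-f]{8}|cannot read)$")

def parse_dump(text):
    """Map address -> value (None when the word could not be read)."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            val = m.group(3)
            words[int(m.group(2))] = None if val == "cannot read" else int(val, 16)
    return words

def active_lock_word(words):
    """The lock word carrying the active flag; word 14 if neither does."""
    for addr in LOCK_WORDS:
        if words.get(addr) is not None and words[addr] & ACTIVE_FLAG:
            return words[addr]
    return words.get(14) or 0

def protected_words(words):
    """Word n is write-protected when bit n (0-15) of the active lock word is 1."""
    lock = active_lock_word(words) & 0x7FFF
    return [n for n in range(16) if (lock >> n) & 1]

def writeword_allowed(words, addr):
    """Predict whether lf em 4x05writeword to addr will be accepted."""
    if addr == UID_WORD or addr in LOCK_WORDS:
        return False
    return addr not in protected_words(words)

def apply_protect(current, new_bits):
    """Set-only model of the protect command as observed: bits OR in, never clear."""
    return ACTIVE_FLAG | (current & 0x7FFF) | (new_bits & 0x7FFF)
```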
While I still can't find any official information on if the write protection bits can be cleared, this user guide for a 125khz module states
"... Only bits 0-15 are valid, the rest are don't care. Once you set a bit in the protection register it can't be cleared...."
src : http://www.priority1design.com.au/rfidread-mrw.pdf (page 17)
So if the bits can be cleared they did not support it.