Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hi,
I have an implant 4305
I can read write by the white multi frequency china cloner.
I need to change the uid by proxmark3
I can read the implant by lf read and get valid data.
I tried to write uni by:
lf em 410xwrite abffcc2021 1
Also tried with p 19920427 (the cloner uses this pass on t55xx)
But it doesn't write
I tried also lf em 4x05write a 1 d abffcc2021
Also no success
Anyone know how to clone the uid to 4305?
Offline
I have the impression that EM4305 only supports the factory-set unique ID. Despite the name, I think those commands are for cloning EM tags onto T5577 target tags.
Offline
But i can write the uid by china cloner...
I don't know what block number die uid is
Offline
We have started to add supporting "clone" to EM4305/4469/ but only a few card tech / formats is available and Work-in-progress
Offline
what fork exactly?
What is the command for it?
Offline
RRG/Iceman repo https://github.com/rfidresearchgroup/proxmark3
Offline
That's what I use, but i cannot find a command for clone to 4x05
Can you please give me a hint?
Offline
Start with reading the helptext for the clone command. However its WIP, so don't consider it all to work. Massive pain in the butt to add all the different configurations and detecting the correct EM card type...
Offline
Seems like my white china cloner set a pass to my implant.
Seems to be non of the pass listet in the pass lists.
I wrote a 5577 card, copied it with the white cloner to my implan, OK
read back the implant, copy to a new 5577 card, cannot read it and chk also cannot find pass.
If i clone the first 5577 to a 3th new 5577 i can read it with pm3 and pass 19920427
Any idea how i can get my 4305 implant to be read/write by PM3?
Unfortunately it seems there is almost no infos about the 4305 on the internet.
Offline
if you know the EM-4100 ID used, you can use
lf t55 chk -h
to find a specific solution for the white cloner.
Offline
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID ABFFCC2021
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : D5FF330484
[=] HoneyWell IdentKey
[+] DEZ 8 : 13377569
[+] DEZ 10 : 4291567649
[+] DEZ 5.5 : 65484.08225
[+] DEZ 3.5A : 171.08225
[+] DEZ 3.5B : 255.08225
[+] DEZ 3.5C : 204.08225
[+] DEZ 14/IK2 : 00738730975265
[+] DEZ 15/IK3 : 000919109567620
[+] DEZ 20/ZK : 13051515030300040804
[=]
[+] Other : 08225_204_13377569
[+] Pattern Paxton : 2883608097 [0xABE05E21]
[+] Pattern 1 : 10820096 [0xA51A00]
[+] Pattern Sebury : 8225 76 4988961 [0x2021 0x4C 0x4C2021]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
Couldn't identify a chipset
[usb] pm3 --> lf t5 chk --em ABFFCC2021
[=] press 'enter' to cancel the command
[=] testing 86CDA923 generated
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : Yes
[=] Offset : 63
[=] Seq. Term. : Yes
[=] Block0 : 0x80168084 (Auto detect)
[=] Downlink Mode : default/fixed bit length
[=] Password Set : Yes
[=] Password : 86CDA923
[+] found valid password : [ 86CDA923 ]
[+] time in check pwd 0 seconds
[usb] pm3 --> lf em 4x05 write --addr 3 --pwd 86CDA923 --data 11223344
[=] Writing address 3 data 11223344 using password 86CDA923
[!!] Tag denied Write operation
[?] Hint: try `lf em 4x05 read` to verify
lf em 4x05 dump and lf em 5x05 info just do nothing
Offline
with another antenna i cn at least use the 4x05 commands
[usb] pm3 --> lf em 4x05 dump -p 11223344
[=] Found a EM4305 tag
[!] Password is incorrect, will try without password
[=] Addr | data | ascii |lck| info
[=] -----+----------+-------+---+-----
[=] 00 | 00040072 | ...r | ? | Info/User
[=] 01 | 41FA0515 | A... | ? | UID
[=] 02 | | | | Password write only
[=] 03 | | | | User read denied
[=] 04 | | | | Config read denied
[=] 05 | | | | User read denied
[=] 06 | | | | User read denied
[=] 07 | | | | User read denied
[=] 08 | | | | User read denied
[=] 09 | | | | User read denied
[=] 10 | | | | User read denied
[=] 11 | | | | User read denied
[=] 12 | | | | User read denied
[=] 13 | | | | User read denied
[=] 14 | | | | Lock read denied
[=] 15 | | | | Lock read denied
Offline
Anyone have more information about the lf em 4x05 unlock command?
I found this side, https://blog.quarkslab.com/rfid-new-pro … dings.html
But it is not helping me.
when i run lf em 4x05 unlock
it fails almost immediately.
[usb] pm3 --> lf em 4x05 unlock
[=] --------------- EM4x05 tear-off : target PROTECT -----------------------
[=] initial prot 14&15 [ 11B7B3DF, 00000000 ]
[=] automatic mode [ enabled ]
[=] target stepping [ 2000 ]
[=] target delay range [ 2000 ... 6000 ]
[=] search value [ 11B7B3DF ]
[=] write value [ 00000000 ]
[=] ----------------------------------------------------------------------------
[=] press 'enter' to cancel the command
[=] --------------- start -----------------------
[#] Tear-off triggered!
[!] failed unlock write
[usb] pm3 -->
Offline
Pages: 1